From 1c21bfd452c96876cc0ae209ab2ec3bce7295bc3 Mon Sep 17 00:00:00 2001
From: Michael Sauter
Date: Thu, 1 Jun 2023 10:22:33 +0200
Subject: [PATCH] Add volume instruction and mark /workspace/source as safe dir for Git

Needs to happen not just in ods-start, but wherever Git is used.
---
 build/package/Dockerfile.aqua-scan | 2 ++
 build/package/Dockerfile.finish | 1 +
 build/package/Dockerfile.go-toolset | 5 +++++
 build/package/Dockerfile.gradle-toolset | 3 +++
 build/package/Dockerfile.helm | 5 +++++
 build/package/Dockerfile.node16-npm-toolset | 5 +++++
 build/package/Dockerfile.node18-npm-toolset | 5 +++++
 build/package/Dockerfile.package-image | 1 +
 build/package/Dockerfile.python-toolset | 5 +++++
 build/package/Dockerfile.sonar | 2 ++
 build/package/Dockerfile.start | 1 +
 11 files changed, 35 insertions(+)

diff --git a/build/package/Dockerfile.aqua-scan b/build/package/Dockerfile.aqua-scan
index ac91c9d1..7dd630fc 100644
--- a/build/package/Dockerfile.aqua-scan
+++ b/build/package/Dockerfile.aqua-scan
@@ -22,4 +22,6 @@ COPY --from=builder /usr/local/bin/ods-aqua-scan /usr/local/bin/ods-aqua-scan
 # Add scripts
 COPY build/package/scripts/download-aqua-scanner.sh /usr/local/bin/download-aqua-scanner
+VOLUME /workspace/source
+
 USER 1001
diff --git a/build/package/Dockerfile.finish b/build/package/Dockerfile.finish
index ba91388e..c33251d8 100644
--- a/build/package/Dockerfile.finish
+++ b/build/package/Dockerfile.finish
@@ -17,4 +17,5 @@ RUN cd cmd/finish && CGO_ENABLED=0 go build -o /usr/local/bin/ods-finish
 # ubi-micro cannot be used as it misses the ca-certificates package.
 FROM registry.access.redhat.com/ubi8/ubi-minimal:8.4
 COPY --from=builder /usr/local/bin/ods-finish /usr/local/bin/ods-finish
+VOLUME /workspace/source
 USER 1001
diff --git a/build/package/Dockerfile.go-toolset b/build/package/Dockerfile.go-toolset
index 45c46893..e284cc6d 100644
--- a/build/package/Dockerfile.go-toolset
+++ b/build/package/Dockerfile.go-toolset
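Review bot: `VOLUME /workspace/source` is declared directly before `USER 1001` with nothing in the hunk creating the directory; a missing mount point is created root-owned, and anything written to that path by later build steps is discarded, so unless an earlier line outside the hunk sets it up, a container started without a mount over that path leaves UID 1001 with a directory it cannot write to. The gradle-toolset hunk in this same commit shows the intended pattern (`chmod -R g=u /workspace/source` ahead of its VOLUME line); the other files that add the bare line (finish, go-toolset, helm, node16-npm-toolset, node18-npm-toolset, package-image, python-toolset, sonar, start) should either get `RUN mkdir -p /workspace/source && chmod g=u /workspace/source` before it, or a comment stating that the path is always mounted by the task runner if that is the case. Whether those files already create the directory further up is not visible from the hunks.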
@@ -26,4 +26,9 @@ RUN chmod +x /usr/local/bin/build-go && \
 # Add sonar-project.properties
 COPY build/package/sonar-project.properties.d/go.properties /usr/local/default-sonar-project.properties
+VOLUME /workspace/source
+# Ensure that file permissions do not prevent Git checkout into workspace.
+# See https://git-scm.com/docs/git-config/#Documentation/git-config.txt-safedirectory.
+RUN git config --system --add safe.directory '/workspace/source'
+
 USER 1001
diff --git a/build/package/Dockerfile.gradle-toolset b/build/package/Dockerfile.gradle-toolset
index eb01d83a..6bb9a334 100644
--- a/build/package/Dockerfile.gradle-toolset
+++ b/build/package/Dockerfile.gradle-toolset
@@ -29,6 +29,9 @@ RUN cd /opt && \
 chmod -R g=u /workspace/source $HOME
 VOLUME /workspace/source
+# Ensure that file permissions do not prevent Git checkout into workspace.
+# See https://git-scm.com/docs/git-config/#Documentation/git-config.txt-safedirectory.
+RUN git config --system --add safe.directory '/workspace/source'
 # Add scripts
 COPY build/package/scripts/cache-build.sh /usr/local/bin/cache-build
diff --git a/build/package/Dockerfile.helm b/build/package/Dockerfile.helm
index f275379b..8817f32c 100644
--- a/build/package/Dockerfile.helm
+++ b/build/package/Dockerfile.helm
@@ -65,4 +65,9 @@ RUN mkdir -p $HELM_PLUGINS \
 && sops --version \
 && age --version
+VOLUME /workspace/source
+# Ensure that file permissions do not prevent Git checkout into workspace.
+# See https://git-scm.com/docs/git-config/#Documentation/git-config.txt-safedirectory.
+RUN git config --system --add safe.directory '/workspace/source'
+
 USER 1001
diff --git a/build/package/Dockerfile.node16-npm-toolset b/build/package/Dockerfile.node16-npm-toolset
index 7c4eae34..a38daac9 100644
--- a/build/package/Dockerfile.node16-npm-toolset
+++ b/build/package/Dockerfile.node16-npm-toolset
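Review bot: The new comment above `RUN git config --system --add safe.directory '/workspace/source'` attributes the setting to file permissions, but `safe.directory` is an opt-out from Git's repository-ownership check (the "dubious ownership" refusal when the repository's top-level directory belongs to a user other than the one running Git), which presumably triggers here because the mounted workspace is not owned by UID 1001 — worth confirming. Because this relaxes a Git safeguard, the comment should name the check and say that the allowance is deliberately limited to this one path, e.g. `# Git refuses to operate on a repository owned by a user other than the one invoking it; the mounted workspace is not owned by UID 1001, so allow exactly this path (never widen to '*').` The same two comment lines are added in gradle-toolset, helm, node16-npm-toolset, node18-npm-toolset and python-toolset and already exist in start. `--system` writes the system-wide gitconfig and so has to run before `USER 1001`, which holds in this hunk; the gradle-toolset hunk does not show where its USER line sits.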
@@ -33,4 +33,9 @@ RUN chmod +x /usr/local/bin/build-npm && \
 # Add sonar-project.properties
 COPY build/package/sonar-project.properties.d/npm.properties /usr/local/default-sonar-project.properties
+VOLUME /workspace/source
+# Ensure that file permissions do not prevent Git checkout into workspace.
+# See https://git-scm.com/docs/git-config/#Documentation/git-config.txt-safedirectory.
+RUN git config --system --add safe.directory '/workspace/source'
+
 USER 1001
diff --git a/build/package/Dockerfile.node18-npm-toolset b/build/package/Dockerfile.node18-npm-toolset
index 25a7e708..767eb4db 100644
--- a/build/package/Dockerfile.node18-npm-toolset
+++ b/build/package/Dockerfile.node18-npm-toolset
@@ -33,4 +33,9 @@ RUN chmod +x /usr/local/bin/build-npm && \
 # Add sonar-project.properties
 COPY build/package/sonar-project.properties.d/npm.properties /usr/local/default-sonar-project.properties
+VOLUME /workspace/source
+# Ensure that file permissions do not prevent Git checkout into workspace.
+# See https://git-scm.com/docs/git-config/#Documentation/git-config.txt-safedirectory.
+RUN git config --system --add safe.directory '/workspace/source'
+
 USER 1001
diff --git a/build/package/Dockerfile.package-image b/build/package/Dockerfile.package-image
index cfbe67a5..b0806148 100644
--- a/build/package/Dockerfile.package-image
+++ b/build/package/Dockerfile.package-image
@@ -43,6 +43,7 @@ ENV _BUILDAH_STARTED_IN_USERNS="" BUILDAH_ISOLATION=chroot
 VOLUME /var/lib/containers
 VOLUME /home/build/.local/share/containers
+VOLUME /workspace/source
 # Install Trivy
 RUN curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin "v${TRIVY_VERSION}"
diff --git a/build/package/Dockerfile.python-toolset b/build/package/Dockerfile.python-toolset
index 9b577cfd..fcc074d6 100644
--- a/build/package/Dockerfile.python-toolset
+++ b/build/package/Dockerfile.python-toolset
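Review bot: The Trivy install on the context line directly below the added `VOLUME /workspace/source` in Dockerfile.package-image fetches `contrib/install.sh` from the upstream `main` branch and pipes it straight into `sh`, so the script the build executes is whatever that branch holds at build time even though the binary version is pinned through `TRIVY_VERSION`; this predates the commit, but the block is being edited here. Pinning the script ref to the release tag (`v${TRIVY_VERSION}` in place of `main`) and checking the downloaded script against a known checksum before running it, or fetching the release archive and verifying that, would make the image reproducible and auditable. A pipe under the default `/bin/sh` also hides a failed `curl`; `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` ahead of the RUN, if bash is in the image, makes the build fail instead of silently skipping the install.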
@@ -21,4 +21,9 @@ RUN chmod +x /usr/local/bin/build-python && \
 # Add sonar-project.properties
 COPY build/package/sonar-project.properties.d/python.properties /usr/local/default-sonar-project.properties
+VOLUME /workspace/source
+# Ensure that file permissions do not prevent Git checkout into workspace.
+# See https://git-scm.com/docs/git-config/#Documentation/git-config.txt-safedirectory.
+RUN git config --system --add safe.directory '/workspace/source'
+
 USER 1001
diff --git a/build/package/Dockerfile.sonar b/build/package/Dockerfile.sonar
index 8d7d3a37..7ab8d108 100644
--- a/build/package/Dockerfile.sonar
+++ b/build/package/Dockerfile.sonar
@@ -45,4 +45,6 @@ COPY build/package/scripts/configure-truststore.sh /usr/local/bin/configure-trus
 ENV PATH=/usr/local/sonar-scanner-cli/bin:$PATH
+VOLUME /workspace/source
+
 USER 1001
diff --git a/build/package/Dockerfile.start b/build/package/Dockerfile.start
index d951a8cc..27e8c84d 100644
--- a/build/package/Dockerfile.start
+++ b/build/package/Dockerfile.start
@@ -39,6 +39,7 @@ COPY --from=builder /usr/local/bin/ods-start /usr/local/bin/ods-start
 COPY --from=builder /usr/local/bin/git-lfs /usr/local/bin/git-lfs
 RUN git lfs version
+VOLUME /workspace/source
 # Ensure that file permissions do not prevent Git checkout into workspace.
 # See https://git-scm.com/docs/git-config/#Documentation/git-config.txt-safedirectory.
 RUN git config --system --add safe.directory '/workspace/source'