fix: run CI jobs in rootless podman containers
Use the `container:` directive per job instead of nested `podman run`. Each job specifies its execution image directly:
- test: python:3.13-alpine
- secrets: ghcr.io/gitleaks/gitleaks:latest
- build: quay.io/podman/stable (`--privileged` for nested builds)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -7,37 +7,35 @@ on:
|
||||
jobs:
|
||||
test:
|
||||
runs-on: linux
|
||||
container: python:3.13-alpine
|
||||
steps:
|
||||
- run: apk add --no-cache git
|
||||
- run: |
|
||||
git clone --depth 1 \
|
||||
-c "http.extraHeader=Authorization: token ${{ github.token }}" \
|
||||
"${{ github.server_url }}/${{ github.repository }}.git" .
|
||||
- run: |
|
||||
podman run --rm \
|
||||
-v "$PWD:/app:ro" \
|
||||
-w /app \
|
||||
python:3.13-alpine \
|
||||
sh -c "pip install --no-cache-dir -r requirements.txt ruff pytest && \
|
||||
ruff check src/ tests/ && \
|
||||
PYTHONPATH=src pytest tests/ -v"
|
||||
- run: pip install --no-cache-dir -r requirements.txt ruff pytest
|
||||
- run: ruff check src/ tests/
|
||||
- run: PYTHONPATH=src pytest tests/ -v
|
||||
|
||||
secrets:
|
||||
runs-on: linux
|
||||
container: ghcr.io/gitleaks/gitleaks:latest
|
||||
steps:
|
||||
- run: |
|
||||
git clone \
|
||||
-c "http.extraHeader=Authorization: token ${{ github.token }}" \
|
||||
"${{ github.server_url }}/${{ github.repository }}.git" .
|
||||
- run: |
|
||||
podman run --rm \
|
||||
-v "$PWD:/scan:ro" \
|
||||
ghcr.io/gitleaks/gitleaks:latest \
|
||||
detect --source /scan -v
|
||||
- run: gitleaks detect --source . -v
|
||||
|
||||
build:
|
||||
needs: [test, secrets]
|
||||
runs-on: linux
|
||||
container:
|
||||
image: quay.io/podman/stable
|
||||
options: --privileged
|
||||
steps:
|
||||
- run: dnf install -y git
|
||||
- run: |
|
||||
git clone --depth 1 \
|
||||
-c "http.extraHeader=Authorization: token ${{ github.token }}" \
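Review bot: The clone steps on the new side (the `git clone --depth 1 -c "http.extraHeader=Authorization: token ${{ github.token }}"` form in the test job, repeated in the secrets and build jobs) persist the token: `git clone -c` writes the option into the newly created repository's `.git/config`, so the Authorization header stays on disk where every later step in the same job — `pip install -r requirements.txt`, `pytest`, `gitleaks detect` — can read it. Placing the option before the subcommand keeps it process-scoped and out of the checkout: `git -c "http.extraHeader=Authorization: token ${{ github.token }}" clone --depth 1 "${{ github.server_url }}/${{ github.repository }}.git" .`. Separately, `options: --privileged` on the build job is at odds with the "rootless" intent in the commit title, since it hands the job container the host's capability set; if the runner allows it, the narrower flags the podman image documents for nested builds (e.g. `--device /dev/fuse --security-opt label=disable`) are worth trying first. The floating tags `python:3.13-alpine`, `ghcr.io/gitleaks/gitleaks:latest` and `quay.io/podman/stable` would also be safer pinned by digest, so the CI toolchain cannot change underneath the workflow. The build job's final `run: |` block continues past the end of the hunk.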
|
||||
|
||||