Migrate integration omnibus

.github/actions/codebuild-docker-run/action.yml

@@ -1,5 +1,8 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
+
 name: 'codebuild-docker-run'
-description: 'Run one or more commands inside a docker container'
+description: 'Run one or more commands inside a docker container within a CodeBuild environment'
 inputs:
   image:
     description: 'Docker image to pull'
@@ -18,9 +21,24 @@ inputs:
     description: 'Environment variables to set or pass to the container'
     required: false
     default: ''
+  ipv6:
+    description: 'Enables IPv6 networking in the container. Implies --privileged'
+    required: false
+    default: false
+  withCredentials:
+    description: 'Whether to passthru the CodeBuild credentials'
+    required: false
+    default: false
+  user:
+    description: 'Run the docker container as a non-root user'
+    required: false
+    default: ''
 runs:
   using: 'composite'
   steps:
+    - id: cbdruser 
+      shell: bash
+      run: echo "user=$USER" >> $GITHUB_OUTPUT
     - name: Run Docker Container (${{ inputs.image }})
       shell: bash
       env:
@@ -29,4 +47,15 @@ runs:
         INPUT_RUN: ${{ inputs.run }}
         INPUT_SHELL: ${{ inputs.shell }}
         INPUT_ENV: ${{ inputs.env }}
+        INPUT_IPV6: ${{ inputs.ipv6 }}
+        INPUT_WITH_CREDENTIALS: ${{ inputs.withCredentials }}
+        INPUT_USER: ${{ inputs.user }}
       run: ${{ github.action_path }}/codebuild-docker-run.sh
+    - if: ${{ success() || failure() }}
+      shell: bash
+      env:
+        INPUT_USER: ${{ inputs.user }}
+      run: |
+        if [[ "${INPUT_USER}z" != "z" ]]; then
+          chown -R ${{ steps.cbdruser.outputs.user }}:${{ steps.cbdruser.outputs.user }} ${{ github.workspace }}
+        fi

.github/actions/codebuild-docker-run/codebuild-docker-run.sh

@@ -1,4 +1,6 @@
 #!/usr/bin/env bash
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0 OR ISC
 
 set -ex
 
@@ -7,15 +9,13 @@ parse_env_vars() {
     local env_string="$1"
     local env_flags=""
 
-    # Return empty if INPUT_ENV is not set or empty
     if [[ -z "$env_string" ]]; then
         echo ""
         return
     fi
 
     # Process each line as a single key=value pair or just key
     while IFS= read -r line; do
-        # Skip empty lines
         [[ -z "$line" ]] && continue
 
         # Check if line contains an equals sign
@@ -24,19 +24,15 @@ parse_env_vars() {
             key="${line%%=*}"
             value="${line#*=}"
 
-            # Skip if key is empty
             [[ -z "$key" ]] && continue
 
             # Add -e flag with proper quoting
             env_flags="$env_flags -e $key=\"$value\""
         else
-            # Line is just a key name, pass current environment value
             key="$line"
 
-            # Skip if key is empty
             [[ -z "$key" ]] && continue
 
-            # Add -e flag without value (Docker will use current environment)
             env_flags="$env_flags -e $key"
         fi
     done <<< "$env_string"
@@ -47,11 +43,54 @@ parse_env_vars() {
 # Parse environment variables from INPUT_ENV
 ENV_FLAGS=$(parse_env_vars "$INPUT_ENV")
 
+DOCKER_OPTIONS="${INPUT_OPTIONS:-}"
+if [[ "${INPUT_IPV6}" == "true" && ! "${DOCKER_OPTIONS}" =~ --privileged ]]; then
+    DOCKER_OPTIONS="$DOCKER_OPTIONS --privileged"
+fi
+
+PASSTHRU_ENV_VARS=("GOPROXY" "AWS_DEFAULT_REGION" "AWS_REGION")
+
+if [[ "${INPUT_WITH_CREDENTIALS}" == true ]] &&
+    [[ ! "${ENV_FLAGS}" =~ ECS_CONTAINER_METADATA_URI_V4 ]] && 
+    [[ ! "${ENV_FLAGS}" =~ AWS_CONTAINER_CREDENTIALS_RELATIVE_URI ]]; then
+    PASSTHRU_ENV_VARS+=(ECS_CONTAINER_METADATA_URI_V4 AWS_CONTAINER_CREDENTIALS_RELATIVE_URI)
+fi
+
+for ev in "${PASSTHRU_ENV_VARS[@]}"; do
+    if [[ ! "${ENV_FLAGS}" =~ ${ev} ]]; then
+        ENV_FLAGS="${ENV_FLAGS} -e ${ev}"
+    fi
+done
+
 exec docker run -v /var/run/docker.sock:/var/run/docker.sock \
     -v ${GITHUB_WORKSPACE}:${GITHUB_WORKSPACE} \
     -w ${GITHUB_WORKSPACE} \
-    ${INPUT_OPTIONS:-} \
-    -e GOPROXY \
+    ${DOCKER_OPTIONS} \
     ${ENV_FLAGS} \
     --entrypoint=${INPUT_SHELL} ${INPUT_IMAGE} \
-    -c "${INPUT_RUN//$'\n'/;}"
+    -c "cat > /tmp/actions-run.sh <<- 'EOF' && chmod +x /tmp/actions-run.sh && /tmp/actions-run.sh
+    set -ex
+
+    if [[ \"${INPUT_IPV6}\" == \"true\" ]]; then
+        sysctl -w net.ipv6.conf.all.disable_ipv6=0
+    fi
+
+    if [[ \"${INPUT_USER}z\" != \"z\" ]]; then
+        mkdir -p /home/${INPUT_USER}
+        chown -R ${INPUT_USER}:${INPUT_USER} /home/${INPUT_USER}
+        chown -R ${INPUT_USER}:${INPUT_USER} /codebuild/output
+        export CONTAINER_PATH=\${PATH}
+        cat > /tmp/run-as.sh <<- 'EOSU' && chmod +x /tmp/run-as.sh && su -p ${INPUT_USER} /tmp/run-as.sh
+            set -ex
+            export HOME=/home/${INPUT_USER}
+            export PATH=\${CONTAINER_PATH}
+            unset CONTAINER_PATH
+            pushd ${GITHUB_WORKSPACE}
+            ${INPUT_RUN}
+            popd
+EOSU
+    else
+        ${INPUT_RUN}
+    fi
+EOF
+"