Run each instance of lava-run with its own home directory
When using docker login
in actions, docker stores credentials within
the current home directory. If we do not isolate jobs, by placing them
in different directories, we create potential bleed-through, where:
-
Credentials for old jobs may persist, and be thus inappropriately granted to future jobs.
-
Credentials may be inappropriately granted to jobs based on other currently executing jobs legitimately having those credentials.
-
Credentials may be replaced (for example downgraded) by other simultaneously running jobs which login with lower privileges.
The solution here is to assign a new HOME variable for each instance
of lava-run
, to a randomly named directory. These directories are
deleted when the job is removed from the worker.
Signed-off-by: Ed Smith ed.smith@collabora.com