oci-builder/Dockerfile
ver4a 37483da0f5
Refactor file capabilities
Adding capabilities after removing capabilities is more robust and makes
more sense logically; the reverse order was confusing.

This also allows dropping the exception from removal.
2025-04-17 01:45:42 +02:00


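FROM quay.io/fedora/fedora-minimal:42
ARG RUNNER_VERSION=6.3.1
# Optional SHA-256 of the forgejo-runner release asset. When non-empty, the
# downloaded binary is checked against it before it is installed (pass with
# --build-arg RUNNER_SHA256=<hex digest>); when empty the download is installed
# unverified, as before.
ARG RUNNER_SHA256=""
ENV BUILDAH_ISOLATION=chroot \
    HOME=/builder \
    REGISTRY_AUTH_FILE=/builder/.config/containers/auth.json
# Clean the dnf cache in the same layer as the install: files removed in a
# later layer still occupy space in the earlier one.
RUN dnf5 -y --setopt install_weak_deps=false install podman buildah skopeo vim setpriv git nodejs22 diffutils \
    && dnf5 clean all
# Download, optionally verify, and mark the runner executable in one layer so
# the binary is not stored twice (a separate chmod layer would copy it).
# Only the linux-amd64 release asset is fetched.
RUN curl -sfL https://code.forgejo.org/forgejo/runner/releases/download/v${RUNNER_VERSION}/forgejo-runner-${RUNNER_VERSION}-linux-amd64 -o /usr/local/bin/forgejo-runner \
    && if [ -n "${RUNNER_SHA256}" ]; then echo "${RUNNER_SHA256}  /usr/local/bin/forgejo-runner" | sha256sum -c -; fi \
    && chmod +x /usr/local/bin/forgejo-runner
# Subordinate uid/gid range for the build user (uid/gid 65534, "nobody"); this
# is what newuidmap/newgidmap (given file capabilities further down) consult.
RUN echo "nobody:65536:65536" > /etc/subuid && echo "nobody:65536:65536" > /etc/subgid
# This is a workaround for https://github.com/containers/podman/issues/23818, apart from that it serves absolutely no purpose. I also don't know why it looks there, given HOME is elsewhere, but it doesn't seem to cause any issues.
RUN mkdir /.config && chown 65534:65534 /.config
RUN mkdir /builder /builder/.config && chown -R 65534:65534 /builder
# This works around https://github.com/redhat-actions/podman-login/pull/43, until this PR is merged at least
RUN mkdir /builder/.docker && chown -R 65534:65534 /builder/.docker
# Strip every setuid/setgid bit from the image (pseudo filesystems excluded).
# The path is handed to the inner shell as "$1" instead of being spliced into
# the command string, so a file name containing quotes cannot alter the command.
RUN find / -mindepth 1 -path /proc -prune -or -path /sys -prune -or -path /dev -prune -or -type f -perm /6000 -exec sh -c 'chmod ug-s "$1" && echo "Removed setuid/setgid bit(s) from '\''$1'\''"' sh '{}' \;
# Drop every file capability; "xargs -r" skips the command entirely when getcap
# reports nothing, instead of calling "setcap -r" with an empty path.
RUN getcap -r / | awk '{ print $1 }' | xargs -r -I '{}' sh -c 'setcap -r "$1" && echo "Removed file capability bit(s) from '\''$1'\''"' sh '{}'
# Re-add only the two capabilities the id-mapping helpers need, after the
# blanket removal above so nothing else survives it.
RUN setcap cap_setuid=ep /usr/bin/newuidmap cap_setgid=ep /usr/bin/newgidmap
# dotglob is a bash builtin, so this relies on /bin/sh being bash (as in this base image).
RUN shopt -s dotglob && rm -rf /var/cache/* /tmp/* /var/tmp/*
# GITHUB_RUN_ID differs on every build, so it is declared as late as possible:
# every layer above remains cacheable between builds.
ARG GITHUB_RUN_ID
RUN echo ${GITHUB_RUN_ID} > /.github_run_id
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
USER 65534:65534
WORKDIR /builder
CMD ["/entrypoint.sh"]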