Get GitHub Docker Actions working (securely)

[dwinchell]

Success Criteria:

• There is a green test (throwaway) pipeline that uses a Docker Action and our self-hosted runner on OpenShift
• The GitHub runner still uses a ubi8-based base image
• The GitHub runner starts containers using podman
• The started, "child" containers run "rootless" but "think" they are the root user.

Notes:

• See the "kubernoodles" project on github (Natalie from GitHub created it and in our prior convo suggested we look at it)

[jthompkins]

When time permits we should revisit with new information regarding cluster role / scc link in mind. Possibly did not have a cluster role for the nonrootbuilder-docker?

[dwinchell]

• There's an issue about this in the kubernoodles project
• If needed we can ask to open a ticket about this with GitHub

[aktech]

Disclaimer: This doesn't answers the actual question, but suggests an alternative:

You can achieve this easily with https://cirun.io/ It creates on demand runners for GitHub Actions on your cloud and manages the complete lifecycle. You simply connect your cloud provider and define what runners you need in a simple yaml file and that's it. It also works on OpenStack.

See https://docs.cirun.io/reference/examples.html#aws for example.