add securityContext of ReadOnlyRootFilesystem to steps

Signed-off-by: Hasan Awad <[email protected]>

test again

Fix test

Author: hasanawad94

cmd/git/main.go

@@ -27,6 +27,7 @@ const (
 	typeUndef credentialType = iota
 	typePrivateKey
 	typeUsernamePassword
+	writeableDir = "/writeable-workspace"
 )
 
 var useNoTagsFlag = false
@@ -309,7 +310,7 @@ func clone(ctx context.Context) error {
 				return err
 			}
 
-			sshPrivateKeyFile, err := os.CreateTemp(os.TempDir(), "ssh-private-key")
+			sshPrivateKeyFile, err := os.CreateTemp(writeableDir, "ssh-private-key")
 			if err != nil {
 				return err
 			}
@@ -393,7 +394,7 @@ func clone(ctx context.Context) error {
 
 			repoURL.User = url.UserPassword(string(username), string(password))
 
-			credHelperFile, err := os.CreateTemp(os.TempDir(), "cred-helper-file")
+			credHelperFile, err := os.CreateTemp(writeableDir, "cred-helper-file")
 			if err != nil {
 				return err
 			}

pkg/config/config.go

@@ -187,8 +187,9 @@ func NewDefaultConfig() *Config {
 						"ALL",
 					},
 				},
-				RunAsUser:  nonRoot,
-				RunAsGroup: nonRoot,
+				RunAsUser:              nonRoot,
+				RunAsGroup:             nonRoot,
+				ReadOnlyRootFilesystem: ptr.To(true),
 			},
 		},
 
@@ -215,8 +216,9 @@ func NewDefaultConfig() *Config {
 						"ALL",
 					},
 				},
-				RunAsUser:  nonRoot,
-				RunAsGroup: nonRoot,
+				RunAsUser:              nonRoot,
+				RunAsGroup:             nonRoot,
+				ReadOnlyRootFilesystem: ptr.To(true),
 			},
 		},
 
@@ -274,8 +276,9 @@ func NewDefaultConfig() *Config {
 						"ALL",
 					},
 				},
-				RunAsUser:  nonRoot,
-				RunAsGroup: nonRoot,
+				RunAsUser:              nonRoot,
+				RunAsGroup:             nonRoot,
+				ReadOnlyRootFilesystem: ptr.To(true),
 			},
 		},
 

pkg/config/config_test.go

@@ -142,8 +142,9 @@ var _ = Describe("Config", func() {
 								"ALL",
 							},
 						},
-						RunAsUser:  nonRoot,
-						RunAsGroup: nonRoot,
+						RunAsUser:              nonRoot,
+						RunAsGroup:             nonRoot,
+						ReadOnlyRootFilesystem: ptr.To(true),
 					},
 				}))
 			})
@@ -243,8 +244,9 @@ var _ = Describe("Config", func() {
 								"ALL",
 							},
 						},
-						RunAsUser:  nonRoot,
-						RunAsGroup: nonRoot,
+						RunAsUser:              nonRoot,
+						RunAsGroup:             nonRoot,
+						ReadOnlyRootFilesystem: ptr.To(true),
 					},
 				}))
 			})

pkg/reconciler/buildrun/resources/sources/git.go

@@ -22,6 +22,7 @@ const (
 	commitSHAResult    = "commit-sha"
 	commitAuthorResult = "commit-author"
 	branchName         = "branch-name"
+	workspaceSource    = "source"
 )
 
 // AppendGitStep appends the Git step and results and volume if needed to the TaskSpec
@@ -67,6 +68,13 @@ func AppendGitStep(
 		ComputeResources: cfg.GitContainerTemplate.Resources,
 		SecurityContext:  cfg.GitContainerTemplate.SecurityContext,
 		WorkingDir:       cfg.GitContainerTemplate.WorkingDir,
+		VolumeMounts: []corev1.VolumeMount{
+			{
+				Name:      workspaceSource,
+				MountPath: "/writeable-workspace",
+				ReadOnly:  false,
+			},
+		},
 	}
 
 	// Check if a revision is defined