Allow specifying read-only flag to container.valid_volumes
in config.yml
#79
Labels
No labels
Kind/Breaking
Kind/Bug
Kind/Documentation
Kind/Enhancement
Kind/Feature
Kind/Security
Kind/Testing
Priority
Critical
Priority
High
Priority
Low
Priority
Medium
Reviewed
Confirmed
Reviewed
Duplicate
Reviewed
Invalid
Reviewed
Won't Fix
Status
Abandoned
Status
Blocked
Status
Need More Info
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference: forgejo/runner#79
Loading…
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Feature request
Summary
In order to mount certain volumes in containers, those volumes first need to be allowlisted in the
config.yml
file.It would be nice if read-only restrictions could also be applied.
Use-case
I need to have the spawned containers accept certain self-signed certificates within my infrastructure. On the forgejo-runner container I'm able to do this by mapping
/etc/ssl/certs/:/etc/ssl/certs/:ro
. In the workflow yaml file it seems that this can be configured through options although the path needs to be allowlisted in the runner'sconfig.yml
first.For security reasons I'd like to allow sharing the host ca-certificates but write access should be prohibited.
Workaround
Less optimal, but I can work around the issue by embedding the ca-certificates inside custom container images.