feat: add support for running the action inside container #71
Add a test-linux-docker job to both .github/workflows/ci.yaml and .github/workflows/integration-tests.yaml. The job runs in an ubuntu:24.04 container (--privileged) with a 10-minute timeout, verifies Twingate status and attempts to access a secure resource via curl. In CI it invokes the local action (./) with the SERVICE_KEY secret; in integration-tests it exercises the published action twingate/github-action@main (passing service-key and debug) to validate behavior in a Docker environment.
Use runtime environment variable instead of parse-time context expression to resolve action path correctly inside Docker containers. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add SUDO variable to linux-helpers.sh that's empty when root
- Replace hardcoded sudo with $SUDO in all Linux steps
- Auto-install curl and gnupg if missing in container environments

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Pull request overview
This PR adds support for running the Twingate GitHub Action inside Docker containers, specifically testing with ubuntu:24.04 containers. The changes enable the action to work in minimal container environments that run as root and may be missing standard tools like curl and gpg.
Changes:
- Added SUDO variable to linux-helpers.sh that adapts to whether the action is running as root
- Updated all script path references from `${{ github.action_path }}` to `"$GITHUB_ACTION_PATH"` for better container compatibility
- Added prerequisite installation step to install curl and gpg if missing in minimal containers
- Added `test-linux-docker` job to both CI and integration test workflows using ubuntu:24.04 containers with `--privileged` mode
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| scripts/linux-helpers.sh | Added SUDO variable that is empty when running as root, otherwise "sudo", enabling the action to work in both container and regular runner environments |
| action.yml | Updated script sourcing to use GITHUB_ACTION_PATH environment variable, replaced all sudo references with $SUDO variable, and added prerequisite installation step for minimal containers |
| .github/workflows/ci.yaml | Added test-linux-docker job to test the action in ubuntu:24.04 container with --privileged mode |
| .github/workflows/integration-tests.yaml | Added test-linux-docker job to test the published action in ubuntu:24.04 container with --privileged mode |
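As an added example (not code from the twingate/github-action repository or from this PR), here is a self-contained POSIX sh version of the prerequisites logic the overview describes: probe for curl and gpg, map each to its Debian/Ubuntu package, choose between no prefix (root), `sudo`, or an explicit failure when neither applies, and install. The function names, the `DRY_RUN` switch and the injectable uid/have_sudo parameters are assumptions introduced so the decision logic can be exercised without touching the host.

```shell
#!/usr/bin/env sh
# Added example, not code from twingate/github-action: a self-contained version of
# the "install prerequisites" step discussed in this PR. It detects missing tools,
# resolves how to gain root (nothing when already root, sudo when available), and
# fails fast with a clear message when neither applies. DRY_RUN=1 prints the
# apt-get command instead of running it so the logic can be exercised anywhere.

# Map a required command to the Debian/Ubuntu package that provides it.
# The names differ for gpg, which ships in the gnupg package.
pkg_for() {
  case "$1" in
    gpg) echo gnupg ;;
    *)   echo "$1" ;;
  esac
}

# Print a space-separated list of packages whose command is not on PATH.
# Arguments: the commands to probe (probed with `command -v`, as the PR does).
missing_packages() {
  missing=""
  for cmd in "$@"; do
    if ! command -v "$cmd" >/dev/null 2>&1; then
      missing="$missing $(pkg_for "$cmd")"
    fi
  done
  printf '%s\n' "${missing# }"   # drop the leading space
}

# Decide the privilege prefix for package installation.
#   $1 = effective uid (defaults to `id -u`)
#   $2 = 1 if sudo is on PATH, 0 if not (defaults to probing PATH)
# Prints "" for root, "sudo" when sudo can be used, and returns 1 with an
# explicit error when a non-root shell has no sudo (instead of letting apt-get
# fail later on a permissions error).
privilege_prefix() {
  uid="${1:-$(id -u)}"
  if [ -n "${2+x}" ]; then
    have_sudo="$2"
  elif command -v sudo >/dev/null 2>&1; then
    have_sudo=1
  else
    have_sudo=0
  fi

  if [ "$uid" -eq 0 ]; then
    printf '\n'
  elif [ "$have_sudo" -eq 1 ]; then
    printf 'sudo\n'
  else
    echo "error: not running as root and sudo is not installed; cannot install packages" >&2
    return 1
  fi
}

# Install the given space-separated package list. Extra arguments are passed
# through to privilege_prefix (uid, have_sudo) so the decision is testable.
install_missing() {
  pkgs="$1"
  shift
  if [ -z "$pkgs" ]; then
    echo "all prerequisites present"
    return 0
  fi
  prefix="$(privilege_prefix "$@")" || return 1
  echo "Installing missing dependencies: $pkgs"
  # $pkgs and $prefix are intentionally unquoted: the list must reach apt-get as
  # one argument per package, and an empty prefix must vanish entirely.
  # shellcheck disable=SC2086
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo $prefix apt-get install -y $pkgs
  else
    $prefix apt-get update
    $prefix apt-get install -y $pkgs
  fi
}

# Typical use in a workflow step (probes the real environment):
#   install_missing "$(missing_packages curl gpg)"
```

Keeping the package list unquoted is deliberate: it is a space-separated list, and quoting it would hand apt-get one argument containing both names. The explicit error path is what turns a cryptic permissions failure from apt-get into a message that names the actual problem.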
action.yml
Outdated
| if [ -n "$MISSING_DEPS" ]; then | ||
| echo "Installing missing dependencies:$MISSING_DEPS" | ||
| apt-get update | ||
| apt-get install -y $MISSING_DEPS |
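Review bot: the `$MISSING_DEPS` expansion on the `apt-get install -y` line must stay unquoted, because the variable is accumulated as a space-separated list (`MISSING_DEPS="$MISSING_DEPS gnupg"`); quoting it would pass `curl gnupg` to apt-get as a single, non-existent package name. Add a one-line comment (or `# shellcheck disable=SC2086`) so the intent survives future lint-driven cleanups, or accumulate the packages as positional parameters with `set -- "$@" gnupg` and install `"$@"`.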
The MISSING_DEPS variable should be quoted in the apt-get install command to prevent word splitting issues. While it will likely work in this context, using "$MISSING_DEPS" is a safer practice that prevents potential issues if package names contain special characters.
| apt-get install -y $MISSING_DEPS | |
| apt-get install -y "$MISSING_DEPS" |
action.yml
Outdated
| command -v gpg >/dev/null 2>&1 || MISSING_DEPS="$MISSING_DEPS gnupg" | ||
|
|
||
| if [ -n "$MISSING_DEPS" ]; then | ||
| echo "Installing missing dependencies:$MISSING_DEPS" |
Missing space after colon in the echo message. The output will be "Installing missing dependencies:curl gnupg" instead of "Installing missing dependencies: curl gnupg". Add a space after the colon for proper formatting.
| echo "Installing missing dependencies:$MISSING_DEPS" | |
| echo "Installing missing dependencies: $MISSING_DEPS" |
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add "Print client logs" step to test-linux-docker jobs for debugging
- Add SUDO logic to prerequisites step for non-root environments
- Fix spacing in echo message

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When journalctl isn't available, Twingate logs to this file instead. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.
| if [ -n "$MISSING_DEPS" ]; then | ||
| # Use sudo if not running as root and sudo is available | ||
| SUDO="" | ||
| if [ "$(id -u)" -ne 0 ] && command -v sudo >/dev/null 2>&1; then | ||
| SUDO="sudo" | ||
| fi | ||
|
|
||
| echo "Installing missing dependencies: $MISSING_DEPS" | ||
| $SUDO apt-get update | ||
| $SUDO apt-get install -y $MISSING_DEPS | ||
| fi |
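Review bot: the `$SUDO apt-get update` and `$SUDO apt-get install -y $MISSING_DEPS` lines assume a Debian-based image; on any other base image the step dies with an `apt-get: not found` error, which is no clearer than the permissions failure the root/sudo check is meant to avoid. Guard with `command -v apt-get >/dev/null 2>&1 || { echo "apt-get not found; install curl and gnupg in the image" >&2; exit 1; }` before the install. Separately, the uid/sudo detection here (`SUDO=""` ... `SUDO="sudo"`) duplicates the SUDO variable this PR adds to `scripts/linux-helpers.sh`; if this step cannot source the helpers yet, a short comment saying so would keep the two copies from drifting apart.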
If dependencies are missing and the environment is non-root without sudo installed, this step will attempt apt-get without privileges and fail, but with a confusing error. Add an explicit check for this case (e.g., detect id -u != 0 and no sudo) and fail fast with a clear message (or document that the action requires root/sudo in containers).
| journalctl -u twingate | ||
| elif [ -f /var/log/twingated.log ]; then | ||
| cat /var/log/twingated.log |
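Review bot: the branch order makes the file fallback unreachable whenever the preceding `if` selects `journalctl -u twingate`: `cat /var/log/twingated.log` sits in an `elif`, so a container that has the journalctl binary but no running journald (the case in which, per the commit message, Twingate writes to this file instead) prints an empty or failing journal query and never shows the log. Print both sources when present, or test for `/var/log/twingated.log` first and fall back to journalctl.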
In container environments journalctl may exist but still exit non-zero (e.g., no systemd/journald). Because run steps use bash -e, a non-zero journalctl here will fail the job even though this is a best-effort log dump. Consider appending || true (and --no-pager) to the journalctl/cat commands to ensure the step never fails.
| journalctl -u twingate | |
| elif [ -f /var/log/twingated.log ]; then | |
| cat /var/log/twingated.log | |
| journalctl -u twingate --no-pager || true | |
| elif [ -f /var/log/twingated.log ]; then | |
| cat /var/log/twingated.log || true |
| env: | ||
| TEST_URL: http://business.prod.beamreachinc.int/ | ||
| run: | | ||
| curl -v $TEST_URL |
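Review bot: `curl -v $TEST_URL` has no `--max-time` or `--connect-timeout`, so if the tunnel is up but the resource does not answer, the step hangs until the job's 10-minute timeout instead of failing quickly with a useful error; `$TEST_URL` is also unquoted. Suggest `curl -v --fail --max-time 30 "$TEST_URL"`, matching the existing `test-linux` job's use of `--fail`.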
This Docker integration test uses curl -v without --fail, so HTTP 4xx/5xx responses won't fail the step. Add --fail (as used in the existing test-linux job) to ensure the job actually validates access to the protected resource.
| curl -v $TEST_URL | |
| curl -v --fail $TEST_URL |
| journalctl -u twingate | ||
| elif [ -f /var/log/twingated.log ]; then | ||
| cat /var/log/twingated.log |
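Review bot: this diagnostics block is a verbatim copy of the one added to `.github/workflows/ci.yaml` and the two should stay identical; if `--no-pager` is added to `journalctl -u twingate` there, it belongs here as well, and the same caveat about the `elif` file branch being skipped when journalctl exists but journald is not running applies to this copy. Consider moving the log-dump commands into a small script under `scripts/` so both workflows call one implementation.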
Similar to CI, journalctl may be present in the container but still fail if systemd/journald isn't running. With bash -e, that would fail the whole job even though this is an if: always() diagnostics step. Make the journalctl/cat calls non-fatal (e.g., ... || true) so log collection never causes a failure.
| journalctl -u twingate | |
| elif [ -f /var/log/twingated.log ]; then | |
| cat /var/log/twingated.log | |
| journalctl -u twingate || true | |
| elif [ -f /var/log/twingated.log ]; then | |
| cat /var/log/twingated.log || true |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Summary

- `test-linux-docker` job to CI workflow to test the action inside a Docker container
- `test-linux-docker` job to integration tests workflow for the published action
- `ubuntu:24.04` container with `--privileged` mode to support systemd

Test plan

- `test-linux-docker` job passes in CI workflow

🤖 Generated with Claude Code