test: support running in GHA

Author: eoinsha

resources/Dockerfile

@@ -10,7 +10,7 @@ FROM ghcr.io/astral-sh/uv:${UV_VERSION} AS uv
 FROM ${BUNDLING_IMAGE}
 
 COPY --from=uv /uv /uvx /bin/
-COPY *.sh /root
-RUN chmod +x /root/*.sh
-WORKDIR /root
-ENTRYPOINT [ "/root/entrypoint.sh" ]
+COPY *.sh /opt/uv-python-lambda/
+RUN chmod +x /opt/uv-python-lambda/*.sh
+WORKDIR /opt/uv-python-lambda
+ENTRYPOINT [ "/opt/uv-python-lambda/entrypoint.sh" ]

resources/entrypoint.sh

@@ -12,14 +12,15 @@ export LOCK_FILE=/uvbuild/uv-python-lambda.lock
 export UV_LINK_MODE=hardlink
 export UV_NO_INSTALLER_METADATA=1
 export UV_PYTHON_LAMBDA_NOFILE_LIMIT="${UV_PYTHON_LAMBDA_NOFILE_LIMIT:-1048576}"
+export HOME=/tmp/uv-python-lambda-home
 
 ulimit -n "$UV_PYTHON_LAMBDA_NOFILE_LIMIT"
 
 rm -f "$LOCK_FILE"
 
 mkdir -p /uvbuild/uvcache
-mkdir -p /root/.cache
-ln -sf /uvbuild/uvcache /root/.cache/uv
+mkdir -p "$HOME/.cache"
+ln -sf /uvbuild/uvcache "$HOME/.cache/uv"
 
 touch "$LOCK_FILE"
 

resources/export.sh

@@ -15,7 +15,7 @@ NAME=${0##*/}
 #
 # - Warm-cache package installs are the main fast path. They benefit from
 #   cache reuse across functions and synth runs in the same process.
-# - Hardlink mode is preferred because /root/.cache/uv and /uvbuild live on the
+# - Hardlink mode is preferred because $HOME/.cache/uv and /uvbuild live on the
 #   same mounted filesystem. Hardlinks avoid the extra copy work and file-handle
 #   churn that `copy` mode caused on large dependency trees.
 # - Workspace package handling copies only the local package directories that
@@ -26,6 +26,7 @@ export LOCK_FILE=/uvbuild/uv-python-lambda.lock
 export UV_LINK_MODE=hardlink
 export UV_NO_INSTALLER_METADATA=1
 export UV_PYTHON_LAMBDA_NOFILE_LIMIT="${UV_PYTHON_LAMBDA_NOFILE_LIMIT:-1048576}"
+export HOME=/tmp/uv-python-lambda-home
 
 # Raise the per-process FD limit inside the container. The builder
 # container itself is already started with a large nofile ulimit, this mirrors

src/bundling.ts

@@ -34,6 +34,7 @@ export const DEFAULT_ASSET_EXCLUDES = [
 
 export const DEFAULT_UV_VERSION = '0.5.27';
 
+const BUILDER_TOOL_DIR = '/opt/uv-python-lambda';
 const BUILDER_READY_LOG = 'Builder container is ready and waiting';
 const BUILDER_NOFILE_LIMIT = '1048576:1048576';
 
@@ -173,6 +174,7 @@ export class Bundling {
     const buildImage = this.createDockerImage();
     const hostUvBuildDir = path.join(cdkOutDir, this.containerBuilderKey);
     const hostRootDir = path.resolve(this.props.rootDir);
+    const builderUser = getDockerUserArg();
 
     mkdirSync(hostUvBuildDir, { recursive: true });
 
@@ -187,6 +189,10 @@ export class Bundling {
       this.containerBuilderName,
     ];
 
+    if (builderUser) {
+      dockerArgs.push('--user', builderUser);
+    }
+
     for (const [name, value] of this.getBuilderEnvironmentEntries()) {
       dockerArgs.push('--env', `${name}=${value}`);
     }
@@ -215,14 +221,19 @@ export class Bundling {
 
     const containerOutputDir = this.getContainerFunctionOutputDir();
     const command = ['docker', 'exec'];
+    const builderUser = getDockerUserArg();
+
+    if (builderUser) {
+      command.push('--user', builderUser);
+    }
 
     for (const [name, value] of this.getBuilderEnvironmentEntries()) {
       command.push('-e', `${name}=${value}`);
     }
 
     command.push(
       this.containerBuilderName,
-      '/root/export.sh',
+      `${BUILDER_TOOL_DIR}/export.sh`,
       '--output',
       containerOutputDir,
     );
@@ -334,3 +345,14 @@ function getBuilderEnvironment(
     ...environment,
   };
 }
+
+function getDockerUserArg() {
+  if (
+    typeof process.getuid !== 'function' ||
+    typeof process.getgid !== 'function'
+  ) {
+    return undefined;
+  }
+
+  return `${process.getuid()}:${process.getgid()}`;
+}

test/bundling.test.ts

@@ -3,12 +3,44 @@ import { Architecture, Runtime } from 'aws-cdk-lib/aws-lambda';
 import { Bundling, DEFAULT_UV_VERSION } from '../src/bundling';
 import type { ICommandHooks } from '../src/types';
 
+type BundlingModule = typeof import('../src/bundling');
+
 function decodeCommands(value: string) {
   return JSON.parse(Buffer.from(value, 'base64').toString('utf8')) as string[];
 }
 
+function getExpectedDockerUserArg() {
+  if (
+    typeof process.getuid !== 'function' ||
+    typeof process.getgid !== 'function'
+  ) {
+    throw new Error('process.getuid() and process.getgid() are required');
+  }
+
+  return `${process.getuid()}:${process.getgid()}`;
+}
+
+function loadBundlingModule(ensureBuilderContainerMock: jest.Mock) {
+  let loadedModule: BundlingModule | undefined;
+
+  jest.isolateModules(() => {
+    jest.doMock('../src/build-container', () => ({
+      BUILDER_LABEL: 'com.fourtheorem.uv-python-lambda.builder',
+      ensureBuilderContainer: ensureBuilderContainerMock,
+    }));
+    loadedModule = require('../src/bundling') as BundlingModule;
+  });
+
+  if (!loadedModule) {
+    throw new Error('Failed to load bundling module');
+  }
+
+  return loadedModule;
+}
+
 describe('Bundling', () => {
   afterEach(() => {
+    jest.resetModules();
     jest.restoreAllMocks();
   });
 
@@ -104,6 +136,23 @@ describe('Bundling', () => {
     expect(command).toContain('UV_PYTHON_LAMBDA_NOFILE_LIMIT=1048576');
   });
 
+  test('runs export commands as the host user when uid and gid are available', () => {
+    const bundling = new Bundling({
+      rootDir: '/tmp/project-user',
+      runtime: Runtime.PYTHON_3_12,
+      architecture: Architecture.X86_64,
+      workspacePackage: 'app',
+    });
+
+    const command = Reflect.get(bundling, 'createBundlingCommand').call(
+      bundling,
+    ) as string[];
+
+    expect(command).toContain('--user');
+    expect(command).toContain(getExpectedDockerUserArg());
+    expect(command).toContain('/opt/uv-python-lambda/export.sh');
+  });
+
   test('builds the builder image with the default uv version', () => {
     const fromBuildSpy = jest
       .spyOn(DockerImage, 'fromBuild')
@@ -188,4 +237,34 @@ describe('Bundling', () => {
       Reflect.get(overriddenBundling, 'containerBuilderKey'),
     );
   });
+
+  test('starts the builder container as the host user when uid and gid are available', () => {
+    const ensureBuilderContainerMock = jest.fn();
+    const bundlingModule = loadBundlingModule(ensureBuilderContainerMock);
+    const fromBuildSpy = jest
+      .spyOn(DockerImage, 'fromBuild')
+      .mockReturnValue({ image: 'mock-image' } as DockerImage);
+
+    const bundling = new bundlingModule.Bundling({
+      rootDir: '/tmp/project-run-user',
+      runtime: Runtime.PYTHON_3_12,
+      architecture: Architecture.X86_64,
+    });
+
+    Reflect.get(bundling, 'ensureBuilderReady').call(
+      bundling,
+      '/tmp/cdk-run-user',
+    );
+
+    expect(fromBuildSpy).toHaveBeenCalled();
+    expect(ensureBuilderContainerMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        args: expect.arrayContaining([
+          '--user',
+          getExpectedDockerUserArg(),
+          'mock-image',
+        ]),
+      }),
+    );
+  });
 });