hack 17

sigh

justfile

@@ -114,8 +114,10 @@ compile-env *args: fill-out-dev-env-template
     declare tmp_link
     tmp_link="$(mktemp -p "$(pwd)/sterile" -d --suffix=dataplane-compile-env.link)"
     declare -r tmp_link
+    mkdir -p FAKE_HOME;
     cleanup() {
       rm -r "${tmp_link}"
+      rm -r FAKE_HOME
     }
     trap cleanup EXIT
     declare tmp_targetdir
@@ -125,16 +127,16 @@ compile-env *args: fill-out-dev-env-template
     ln -s /lib "${tmp_link}/lib"
     ln -s /sysroot "${tmp_link}/sysroot"
     ln -s /nix "${tmp_link}/nix"
-    mkdir I_HATE_YOU;
     docker run \
       --rm \
+      --read-only \
       --name dataplane-compile-env \
       --tmpfs "/tmp:uid=$(id -u),gid=$(id -g),nodev,noexec,nosuid" \
-      --mount "type=bind,source=$(pwd)/I_HATE_YOU,destination=/home/runner,bind-propagation=rprivate" \
-      --mount type=bind,source="$(pwd),destination=/work,bind-propagation=rprivate" \
-      --mount type=bind,source="${tmp_link},destination=/work/compile-env,bind-propagation=rprivate" \
-      --mount type=bind,source="$(pwd)/dev-env-template/etc/passwd,destination=/etc/passwd" \
-      --mount type=bind,source="$(pwd)/dev-env-template/etc/group,destination=/etc/group" \
+      --mount "type=bind,source=$(pwd)/FAKE_HOME,destination=/home/runner,bind-propagation=rprivate" \
+      --mount type=bind,source="$(pwd),destination=/work,bind-propagation=rprivate,readonly" \
+      --mount type=bind,source="${tmp_link},destination=/work/compile-env,bind-propagation=rprivate,readonly" \
+      --mount type=bind,source="$(pwd)/dev-env-template/etc/passwd,destination=/etc/passwd,readonly" \
+      --mount type=bind,source="$(pwd)/dev-env-template/etc/group,destination=/etc/group,readonly" \
       --mount type=bind,source="${tmp_targetdir},destination=/work/target,bind-propagation=rprivate" \
       --user "$(id -u):$(id -g)" \
       --workdir /work \