coder
diff --git a/‎.github/workflows/ci.yaml
Lines changed: 0 additions & 2 deletions b/‎.github/workflows/ci.yaml
Lines changed: 0 additions & 2 deletions
diff --git a/‎README.md
Lines changed: 100 additions & 5 deletions b/‎README.md
Lines changed: 100 additions & 5 deletions
diff --git a/‎envbuilder.go
Lines changed: 33 additions & 3 deletions b/‎envbuilder.go
Lines changed: 33 additions & 3 deletions
diff --git a/‎git_test.go
Lines changed: 4 additions & 2 deletions b/‎git_test.go
Lines changed: 4 additions & 2 deletions
diff --git a/‎integration/integration_test.go
Lines changed: 3 additions & 3 deletions b/‎integration/integration_test.go
Lines changed: 3 additions & 3 deletions
@@ -2,8 +2,6 @@ name: ci
 
 on:
   push:
-    branches:
-      - main
 
   pull_request:
 
 
@@ -1,17 +1,112 @@
 # envbuilder
 
-Build development environments from repositories in a container on Kubernetes, Docker, or gVisor. Allow developers to customize their environment on pre-defined infrastructure.
+[![discord](https://img.shields.io/discord/747933592273027093?label=discord)](https://discord.gg/coder)
+[![release](https://img.shields.io/github/v/release/coder/envbuilder)](https://github.com/coder/envbuilder/releases/latest)
+[![godoc](https://pkg.go.dev/badge/github.com/coder/envbuilder.svg)](https://pkg.go.dev/github.com/coder/envbuilder)
+[![license](https://img.shields.io/github/license/coder/envbuilder)](./LICENSE)
 
-- Supports `devcontainer.json` and `Dockerfile`
+Build development environments from a Dockerfile on Docker, Kubernetes, and OpenShift. Allow developers to modify their environment in a tight feedback loop.
+
+- Supports [`devcontainer.json`](https://containers.dev/) and `Dockerfile`
 - Cache image layers with registries for speedy builds
-- Runs on Kubernetes, Docker, and OpenShift 
+- Runs on Kubernetes, Docker, and OpenShift
+
+<div align="center">
+  <a href="#gh-light-mode-only">
+    <img src="./scripts/diagram-light.svg">
+  </a>
+  <a href="#gh-dark-mode-only">
+    <img src="./scripts/diagram-dark.svg">
+  </a>
+</div>
 
 ## Quickstart
 
-The easiest way to play with `envbuilder` is to launch a Docker container that builds a sample image.
+The easiest way to get started is to run the `envbuilder` Docker container that clones a repository, builds the image from a Dockerfile, and runs the `$INIT_SCRIPT` in the freshly built container.
+
+> `/tmp/envbuilder` is used to persist data between commands for the purpose of this demo. You can change it to any directory you want.
 
 ```bash
 docker run -it --rm \
-    -e GIT_URL=https://github.com/vercel/next.js \
+    -v /tmp/envbuilder:/workspaces \
+    -e GIT_URL=https://github.com/coder/envbuilder-starter-devcontainer \
+    -e INIT_SCRIPT=bash \
     ghcr.io/coder/envbuilder
 ```
+
+Edit `.devcontainer/Dockerfile` to add `htop`:
+
+```bash
+$ vim .devcontainer/Dockerfile
+```
+
+```diff
+- RUN apt-get install vim sudo -y
++ RUN apt-get install vim sudo htop -y
+```
+
+Exit the container, and re-run the `docker run` command... after the build completes, `htop` should exist in the container! 🥳
+
+## Container Registry Authentication
+
+envbuilder uses Kaniko to build containers. You should [follow their instructions](https://github.com/GoogleContainerTools/kaniko#pushing-to-different-registries) to create an authentication configuration.
+
+After you have a configuration that resembles the following:
+
+```json
+{
+  "auths": {
+    "https://index.docker.io/v1/": {
+      "auth": "base64-encoded-username-and-password"
+    }
+  }
+}
+```
+
+`base64` encode the JSON and provide it to envbuilder as the `DOCKER_CONFIG_BASE64` environment variable.
+
+## Git Authentication
+
+`GIT_USERNAME` and `GIT_PASSWORD` are environment variables to provide Git authentication for private repositories.
+
+For access token-based authentication, follow the following schema (if empty, there's no need to provide the field):
+
+| Provider     | `GIT_USERNAME` | `GIT_PASSWORD` |
+| ------------ | -------------- | -------------- |
+| GitHub       | [access-token] |                |
+| GitLab       | oauth2         | [access-token] |
+| BitBucket    | x-token-auth   | [access-token] |
+| Azure DevOps | [access-token] |                |
+
+If using envbuilder inside of [Coder](https://github.com/coder/coder), you can use the `coder_git_auth` Terraform resource to automatically provide this token on workspace creation:
+
+```hcl
+resource "coder_git_auth" "github" {
+    id = "github"
+}
+
+resource "docker_container" "dev" {
+    env = [
+        GIT_USERNAME = coder_git_auth.github.access_token,
+    ]
+}
+```
+
+## Layer Caching
+
+Cache layers in a container registry to speed up builds. To enable caching, [authenticate with your registry](#container-registry-authentication) and set the `CACHE_REPO` environment variable.
+
+```bash
+CACHE_REPO=ghcr.io/coder/repo-cache
+```
+
+Each layer is stored in the registry as a separate image. The image tag is the hash of the layer's contents. The image digest is the hash of the image tag. The image digest is used to pull the layer from the registry.
+
+## devcontainer.json Support
+
+We don't support mounts, features, and many other primitives of `devcontainer.json`. We support the following:
+
+- `image`
+- `build`
+- `runArgs`
+- `workspaceFolder`
@@ -153,6 +153,7 @@ func Run(ctx context.Context, options Options) error {
 
 	logf(codersdk.LogLevelInfo, "%s - Build development environments from repositories in a container", newColor(color.Bold).Sprintf("envbuilder"))
 
+	var cloned bool
 	if options.GitURL != "" {
 		endStage := startStage("📦 Cloning %s to %s...",
 			newColor(color.FgCyan).Sprintf(options.GitURL),
@@ -188,7 +189,8 @@ func Run(ctx context.Context, options Options) error {
 			options.GitURL = gitURL.String()
 		}
 
-		cloned, err := CloneRepo(ctx, CloneRepoOptions{
+		var err error
+		cloned, err = CloneRepo(ctx, CloneRepoOptions{
 			Path:     options.WorkspaceFolder,
 			Storage:  options.Filesystem,
 			RepoURL:  options.GitURL,
@@ -292,9 +294,8 @@ func Run(ctx context.Context, options Options) error {
 
 	build := func() (v1.Image, error) {
 		endStage := startStage("🏗️ Building image...")
-		defer endStage("🏗️ Built image!")
 		// At this point we have all the context, we can now build!
-		return executor.DoBuild(&config.KanikoOptions{
+		image, err := executor.DoBuild(&config.KanikoOptions{
 			// Boilerplate!
 			CustomPlatform:    platforms.Format(platforms.Normalize(platforms.DefaultSpec())),
 			SnapshotMode:      "redo",
@@ -319,6 +320,11 @@ func Run(ctx context.Context, options Options) error {
 			},
 			SrcContext: buildParams.BuildContext,
 		})
+		if err != nil {
+			return nil, err
+		}
+		endStage("🏗️ Built image!")
+		return image, err
 	}
 
 	if options.DockerConfigBase64 != "" {
@@ -436,6 +442,30 @@ func Run(ctx context.Context, options Options) error {
 
 	unsetOptionsEnv()
 
+	// We only need to do this if we cloned!
+	// Git doesn't store file permissions as part of the repository.
+	if cloned {
+		endStage := startStage("🔄 Updating the ownership of the workspace...")
+		// By default, we clone the Git repository into the workspace folder.
+		// It will have root permissions, because that's the user that built it.
+		//
+		// We need to change the ownership of the files to the user that will
+		// be running the init script.
+		filepath.Walk(options.WorkspaceFolder, func(path string, info os.FileInfo, err error) error {
+			if err != nil {
+				return err
+			}
+			return os.Chown(path, uid, gid)
+		})
+		endStage("👤 Updated the ownership of the workspace!")
+	}
+
+	// Remove the Docker config secret file!
+	err = os.Remove(filepath.Join(os.Getenv("DOCKER_CONFIG"), "config.json"))
+	if err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("remove docker config: %w", err)
+	}
+
 	logf(codersdk.LogLevelInfo, "=== Running the init command %q as the %q user...", options.InitScript, user.Username)
 	cmd := exec.CommandContext(ctx, "/bin/sh", "-c", options.InitScript)
 	cmd.Env = os.Environ()
 
@@ -44,12 +44,13 @@ func TestCloneRepo(t *testing.T) {
 		srv := httptest.NewServer(gittest.NewServer(serverFS))
 
 		clientFS := memfs.New()
-		err = envbuilder.CloneRepo(context.Background(), envbuilder.CloneRepoOptions{
+		cloned, err := envbuilder.CloneRepo(context.Background(), envbuilder.CloneRepoOptions{
 			Path:    "/workspace",
 			RepoURL: srv.URL,
 			Storage: clientFS,
 		})
 		require.NoError(t, err)
+		require.True(t, cloned)
 
 		file, err := clientFS.OpenFile("/workspace/README.md", os.O_RDONLY, 0644)
 		require.NoError(t, err)
@@ -63,11 +64,12 @@ func TestCloneRepo(t *testing.T) {
 		t.Parallel()
 		clientFS := memfs.New()
 		gittest.NewRepo(t, clientFS)
-		err := envbuilder.CloneRepo(context.Background(), envbuilder.CloneRepoOptions{
+		cloned, err := envbuilder.CloneRepo(context.Background(), envbuilder.CloneRepoOptions{
 			Path:    "/",
 			RepoURL: "https://example.com",
 			Storage: clientFS,
 		})
 		require.NoError(t, err)
+		require.False(t, cloned)
 	})
 }
@@ -322,7 +322,7 @@ func createGitServer(t *testing.T, opts gitServerOptions) string {
 // cleanOldEnvbuilders removes any old envbuilder containers.
 func cleanOldEnvbuilders() {
 	ctx := context.Background()
-	cli, err := client.NewClientWithOpts(client.FromEnv)
+	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
 	if err != nil {
 		panic(err)
 	}
@@ -348,7 +348,7 @@ func cleanOldEnvbuilders() {
 func runEnvbuilder(t *testing.T, env []string) (string, error) {
 	t.Helper()
 	ctx := context.Background()
-	cli, err := client.NewClientWithOpts(client.FromEnv)
+	cli, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		cli.Close()
@@ -392,7 +392,7 @@ func runEnvbuilder(t *testing.T, env []string) (string, error) {
 		scanner := bufio.NewScanner(logsReader)
 		for scanner.Scan() {
 			t.Logf("%q", strings.TrimSpace(scanner.Text()))
-			if strings.HasPrefix(scanner.Text(), "error: ") {
+			if strings.HasPrefix(scanner.Text(), "Error: ") {
 				errChan <- errors.New(scanner.Text())
 				return
 			}