[monorepo] avoid root-owned folders (#27349)

* [server-pro] check_vulnerabilities.sh: move cache into $HOME/.cache

* [monorepo] move root-owned minio certs into docker volume

* [server-pro] check_vulnerabilities.sh: remove unused vars

* [filestore] fix image name for certs container when using sharding

GitOrigin-RevId: c6756e8f24ccc689c12d5f5be2b7f4eee7d9b989

services/filestore/docker-compose.ci.yml

@@ -4,6 +4,9 @@
 
 version: "2.3"
 
+volumes:
+  minio-certs:
+
 services:
   test_unit:
     image: ci/$PROJECT_NAME:$BRANCH_NAME-$BUILD_NUMBER
@@ -42,7 +45,7 @@ services:
       GCS_USER_FILES_BUCKET_NAME: fake-gcs-user-files
       GCS_TEMPLATE_FILES_BUCKET_NAME: fake-gcs-template-files
     volumes:
-      - ./test/acceptance/certs:/certs
+      - minio-certs:/certs
     depends_on:
       certs:
         condition: service_completed_successfully
@@ -64,27 +67,27 @@ services:
     command: tar -czf /tmp/build/build.tar.gz --exclude=build.tar.gz --exclude-vcs .
     user: root
   certs:
-    image: node:22.17.0
+    build:
+      dockerfile_inline: |
+        FROM node:22.17.0
+        RUN wget -O /certgen "https://github.com/minio/certgen/releases/download/v1.3.0/certgen-linux-$(dpkg --print-architecture)"
+        RUN chmod +x /certgen
     volumes:
-      - ./test/acceptance/certs:/certs
+      - minio-certs:/certs
     working_dir: /certs
     entrypoint: sh
     command:
       - '-cex'
       - |
-        if [ ! -f ./certgen ]; then
-          wget -O ./certgen "https://github.com/minio/certgen/releases/download/v1.3.0/certgen-linux-$(dpkg --print-architecture)"
-          chmod +x ./certgen
-        fi
         if [ ! -f private.key ] || [ ! -f public.crt ]; then
-          ./certgen -host minio
+          /certgen -host minio
         fi
 
   minio:
     image: minio/minio:RELEASE.2024-10-13T13-34-11Z
     command: server /data
     volumes:
-      - ./test/acceptance/certs:/root/.minio/certs
+      - minio-certs:/root/.minio/certs
     environment:
       MINIO_ROOT_USER: MINIO_ROOT_USER
       MINIO_ROOT_PASSWORD: MINIO_ROOT_PASSWORD
@@ -100,7 +103,7 @@ services:
         condition: service_started
     image: minio/mc:RELEASE.2024-10-08T09-37-26Z
     volumes:
-      - ./test/acceptance/certs:/root/.mc/certs/CAs
+      - minio-certs:/root/.mc/certs/CAs
     entrypoint: sh
     command:
       - '-cex'

services/filestore/docker-compose.yml

@@ -4,6 +4,9 @@
 
 version: "2.3"
 
+volumes:
+  minio-certs:
+
 services:
   test_unit:
     build:
@@ -32,7 +35,7 @@ services:
       - .:/overleaf/services/filestore
       - ../../node_modules:/overleaf/node_modules
       - ../../libraries:/overleaf/libraries
-      - ./test/acceptance/certs:/certs
+      - minio-certs:/certs
     working_dir: /overleaf/services/filestore
     environment:
       ELASTIC_SEARCH_DSN: es:9200
@@ -72,27 +75,27 @@ services:
     command: npm run --silent test:acceptance
 
   certs:
-    image: node:22.17.0
+    build:
+      dockerfile_inline: |
+        FROM node:22.17.0
+        RUN wget -O /certgen "https://github.com/minio/certgen/releases/download/v1.3.0/certgen-linux-$(dpkg --print-architecture)"
+        RUN chmod +x /certgen
     volumes:
-      - ./test/acceptance/certs:/certs
+      - minio-certs:/certs
     working_dir: /certs
     entrypoint: sh
     command:
       - '-cex'
       - |
-        if [ ! -f ./certgen ]; then
-          wget -O ./certgen "https://github.com/minio/certgen/releases/download/v1.3.0/certgen-linux-$(dpkg --print-architecture)"
-          chmod +x ./certgen
-        fi
         if [ ! -f private.key ] || [ ! -f public.crt ]; then
-          ./certgen -host minio
+          /certgen -host minio
         fi
 
   minio:
     image: minio/minio:RELEASE.2024-10-13T13-34-11Z
     command: server /data
     volumes:
-      - ./test/acceptance/certs:/root/.minio/certs
+      - minio-certs:/root/.minio/certs
     environment:
       MINIO_ROOT_USER: MINIO_ROOT_USER
       MINIO_ROOT_PASSWORD: MINIO_ROOT_PASSWORD
@@ -108,7 +111,7 @@ services:
         condition: service_started
     image: minio/mc:RELEASE.2024-10-08T09-37-26Z
     volumes:
-      - ./test/acceptance/certs:/root/.mc/certs/CAs
+      - minio-certs:/root/.mc/certs/CAs
     entrypoint: sh
     command:
       - '-cex'

services/history-v1/docker-compose.ci.yml

@@ -4,6 +4,9 @@
 
 version: "2.3"
 
+volumes:
+  minio-certs:
+
 services:
   test_unit:
     image: ci/$PROJECT_NAME:$BRANCH_NAME-$BUILD_NUMBER
@@ -38,7 +41,7 @@ services:
       NODE_ENV: test
       NODE_OPTIONS: "--unhandled-rejections=strict"
     volumes:
-      - ./test/acceptance/certs:/certs
+      - minio-certs:/certs
       - ../../bin/shared/wait_for_it:/overleaf/bin/shared/wait_for_it
     depends_on:
       mongo:
@@ -100,27 +103,27 @@ services:
       retries: 20
 
   certs:
-    image: node:22.17.0
+    build:
+      dockerfile_inline: |
+        FROM node:22.17.0
+        RUN wget -O /certgen "https://github.com/minio/certgen/releases/download/v1.3.0/certgen-linux-$(dpkg --print-architecture)"
+        RUN chmod +x /certgen
     volumes:
-      - ./test/acceptance/certs:/certs
+      - minio-certs:/certs
     working_dir: /certs
     entrypoint: sh
     command:
       - '-cex'
       - |
-        if [ ! -f ./certgen ]; then
-          wget -O ./certgen "https://github.com/minio/certgen/releases/download/v1.3.0/certgen-linux-$(dpkg --print-architecture)"
-          chmod +x ./certgen
-        fi
         if [ ! -f private.key ] || [ ! -f public.crt ]; then
-          ./certgen -host minio
+          /certgen -host minio
         fi
 
   minio:
     image: minio/minio:RELEASE.2024-10-13T13-34-11Z
     command: server /data
     volumes:
-      - ./test/acceptance/certs:/root/.minio/certs
+      - minio-certs:/root/.minio/certs
     environment:
       MINIO_ROOT_USER: MINIO_ROOT_USER
       MINIO_ROOT_PASSWORD: MINIO_ROOT_PASSWORD
@@ -136,7 +139,7 @@ services:
         condition: service_started
     image: minio/mc:RELEASE.2024-10-08T09-37-26Z
     volumes:
-      - ./test/acceptance/certs:/root/.mc/certs/CAs
+      - minio-certs:/root/.mc/certs/CAs
     entrypoint: sh
     command:
       - '-cex'

services/history-v1/docker-compose.yml

@@ -4,6 +4,9 @@
 
 version: "2.3"
 
+volumes:
+  minio-certs:
+
 services:
   test_unit:
     build:
@@ -32,7 +35,7 @@ services:
       - .:/overleaf/services/history-v1
       - ../../node_modules:/overleaf/node_modules
       - ../../libraries:/overleaf/libraries
-      - ./test/acceptance/certs:/certs
+      - minio-certs:/certs
       - ../../bin/shared/wait_for_it:/overleaf/bin/shared/wait_for_it
     working_dir: /overleaf/services/history-v1
     environment:
@@ -109,27 +112,27 @@ services:
       retries: 20
 
   certs:
-    image: node:22.17.0
+    build:
+      dockerfile_inline: |
+        FROM node:22.17.0
+        RUN wget -O /certgen "https://github.com/minio/certgen/releases/download/v1.3.0/certgen-linux-$(dpkg --print-architecture)"
+        RUN chmod +x /certgen
     volumes:
-      - ./test/acceptance/certs:/certs
+      - minio-certs:/certs
     working_dir: /certs
     entrypoint: sh
     command:
       - '-cex'
       - |
-        if [ ! -f ./certgen ]; then
-          wget -O ./certgen "https://github.com/minio/certgen/releases/download/v1.3.0/certgen-linux-$(dpkg --print-architecture)"
-          chmod +x ./certgen
-        fi
         if [ ! -f private.key ] || [ ! -f public.crt ]; then
-          ./certgen -host minio
+          /certgen -host minio
         fi
 
   minio:
     image: minio/minio:RELEASE.2024-10-13T13-34-11Z
     command: server /data
     volumes:
-      - ./test/acceptance/certs:/root/.minio/certs
+      - minio-certs:/root/.minio/certs
     environment:
       MINIO_ROOT_USER: MINIO_ROOT_USER
       MINIO_ROOT_PASSWORD: MINIO_ROOT_PASSWORD
@@ -145,7 +148,7 @@ services:
         condition: service_started
     image: minio/mc:RELEASE.2024-10-08T09-37-26Z
     volumes:
-      - ./test/acceptance/certs:/root/.mc/certs/CAs
+      - minio-certs:/root/.mc/certs/CAs
     entrypoint: sh
     command:
       - '-cex'