Put a regular user step first.

task/buildkit-rootless-daemonless/0.1/buildkit-rootless-daemonless.yaml

@@ -25,6 +25,7 @@ spec:
     - name: buildkit-cache
       description: For preserving buildkit type=cache mounts between builds.
       optional: true
+      # mountPath: /home/user/.local/share/foo
       mountPath: /home/user/.local/share/buildkit
   params:
     - name: OUTPUT
@@ -61,11 +62,24 @@ spec:
       description: Full URL to the docker image.
       type: array
   volumes:
+    - name: buildkitd
+      emptyDir: {}
     - name: buildkitd-toml
       emptyDir: {}
     - name: metadata-out
       emptyDir: {}
   steps:
+    - name: run-as-user
+      image: $(params.BUILDER_IMAGE)
+      workingDir: "$(workspaces.source.path)"
+      script: |
+        #!/usr/bin/env sh
+        set -euo pipefail
+        echo "yo"
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 1000
+        runAsGroup: 1000
     - name: setup-cache-ownership
       image: $(params.BUILDER_IMAGE)
       workingDir: "$(workspaces.source.path)"
@@ -75,7 +89,7 @@ spec:
         chown 1000:1000 /home/user/.local/share/buildkit
         chmod 0777 /home/user/.local/share/buildkit
       securityContext:
-        runAsNonRoot: false
+        # runAsNonRoot: false
         runAsUser: 0
         runAsGroup: 0
     - name: write-config
@@ -101,6 +115,8 @@ spec:
         EOF
         chmod +x /home/user/.config/buildkit/entrypoint.sh
       volumeMounts:
+        - name: buildkitd
+          mountPath: /home/user/.local/share/buildkittwo
         - name: buildkitd-toml
           mountPath: /home/user/.config/buildkit
       securityContext:
@@ -124,6 +140,8 @@ spec:
         - /home/user/.metadata/build.json
         - $(params.EXTRA_ARGS)
       volumeMounts:
+        - name: buildkitd
+          mountPath: /home/user/.local/share/buildkittwo
         - name: buildkitd-toml
           mountPath: /home/user/.config/buildkit
           readOnly: true