CI: give the rootless test user some supplemental groups

[nalind]

What type of PR is this?

/kind other

What this PR does / why we need it:

Exercise preservation of supplemental groups in the tests that use buildah build and buildah from with --group-add keep-groups.

How to verify it

This should exercise more of the tests we have.

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

Does this PR introduce a user-facing change?

None

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nalind

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [nalind]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[TomSweeneyRedHat]

@nalind does a test need tweaking?

 ok 822 run-exit-status on non executable
[+0647s] not ok 823 Verify /run/.containerenv exist
[+0647s] # (from function `assert' in file ./helpers.bash, line 537,
[+0647s] #  from function `expect_output' in file ./helpers.bash, line 564,
[+0647s] #  in test file ./run.bats, line 621)
[+0647s] #   `expect_output "alpine-working-container"' failed
[+0647s] # /var/tmp/go/src/github.com/containers/buildah/tests /var/tmp/go/src/github.com/containers/buildah/tests
[+0647s] # # [checking for: docker.io/library/alpine]
[+0647s] # # [restoring from cache: /tmp/bats-run-CvOu1h/suite/buildah-image-cache / docker.io/library/alpine]
[+0647s] # Getting image source signatures
[+0647s] # Copying blob sha256:9d16cba9fb961d1aafec9542f2bf7cb64acfc55245f9e4eb5abecd4cdc38d749
[+0647s] # Copying config sha256:961769676411f082461f9ef46626dd7a2d1e2b2a38e6a44364bcbecf51e66dd4
[+0647s] # Writing manifest to image destination
[+0647s] # # /var/tmp/go/src/github.com/containers/buildah/tests/./../bin/buildah from --quiet --pull=false --signature-policy /var/tmp/go/src/github.com/containers/buildah/tests/./policy.json alpine
[+0647s] # alpine-working-container
[+0647s] # # /var/tmp/go/src/github.com/containers/buildah/tests/./../bin/buildah run alpine-working-container ls -1 /run/.containerenv
[+0647s] # /run/.containerenv
[+0647s] # # /var/tmp/go/src/github.com/containers/buildah/tests/./../bin/buildah run alpine-working-container sh -c . /run/.containerenv; echo $engine
[+0647s] # buildah-1.41.0-dev
[+0647s] # # /var/tmp/go/src/github.com/containers/buildah/tests/./../bin/buildah run alpine-working-container sh -c . /run/.containerenv; echo $name
[+0647s] # alpine-working-container
[+0647s] # time="2025-06-13T09:47:28-05:00" level=error msg="seek /sys/fs/cgroup/system.slice/runc-buildah-buildah1965336133.scope/cgroup.freeze: no such device"
[+0647s] # #/vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
[+0647s] # #|     FAIL: buildah run alpine-working-container sh -c . /run/.containerenv; echo $name
[+0647s] # #| expected: 'alpine-working-container'
[+0647s] # #|   actual: 'alpine-working-container'
[+0647s] # #|         > 'time="2025-06-13T09:47:28-05:00" level=error msg="seek /sys/fs/cgroup/system.slice/runc-buildah-buildah1965336133.scope/cgroup.freeze: no such device"'
[+0647s] # #\^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

[TomSweeneyRedHat]

LGTM
A test is tweaking out, I'm not sure that it's a flake, but I'm not sure it isn't.

[nalind]

That's a flake we've been seeing since we started testing with runc. The thing that confuses me is that this should be helping us trigger the problem that #6226 aims to fix, but either I'm doing it wrong, or the test isn't noticing the problem.