From 96b5b7e9c9380c4b0c086a98e832164c443c6e3c Mon Sep 17 00:00:00 2001
From: ReenigneArcher <42013603+ReenigneArcher@users.noreply.github.com>
Date: Sun, 15 Feb 2026 21:44:06 -0500
Subject: [PATCH] fix(docker): add non-root supportbot user and switch to it

Create a non-root user (supportbot, uid 1000) in the Dockerfile, set its home and shell, and switch the container to run as that user. Also update ownership of /app and /data (chown -R supportbot:supportbot) so the new user can access runtime files. This improves container security by avoiding running the app as root while keeping the existing install and startup steps intact.
---
 .dockerignore | 10 ++++++++++
 Dockerfile | 35 ++++++++++++++++++++++-------------
 2 files changed, 32 insertions(+), 13 deletions(-)

diff --git a/.dockerignore b/.dockerignore
index a3f4ac4..adc0e25 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -4,12 +4,22 @@
 # ignore hidden files
 .*
 
+# Dockerfile
+Dockerfile
+*.dockerfile
+
 # ignore directories
 docs/
 tests/
 
 # ignore venv when building locally
+.venv/
 venv/
 
+# python
+*.egg-info/
+build/
+
 data/
+junit.xml
 sample.env
diff --git a/Dockerfile b/Dockerfile
index efc0df7..4793cca 100644
--- a/Dockerfile
+++ b/Dockerfile
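Review bot: The new `# python` section in this hunk excludes `*.egg-info/` and `build/` only at the build-context root, so byte-code caches and editable-install metadata nested under `src/` (`src/**/__pycache__/`, `src/*.egg-info/` in a src layout) would still be sent to the daemon and carried into the image by the `COPY src/ src/` this commit adds to the Dockerfile. I would add `**/__pycache__/`, `**/*.py[cod]` and `**/*.egg-info/` next to the existing entries so the image contains only what the build itself produces. Separately, `.venv/` is already matched by the `.*` pattern at the top of the file, so the new entry is redundant but harmless. Stale `.pyc` files in an image are a reproducibility and provenance concern rather than a direct vulnerability, so this is a hygiene point, not a blocker.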
@@ -14,26 +14,28 @@ ENV BUILD_VERSION=${BUILD_VERSION}
 ENV COMMIT=${COMMIT}
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
-# install dependencies
-RUN <<_DEPS
-#!/bin/bash
-set -e
-apt-get update -y
-apt-get install -y --no-install-recommends \
- git
-apt-get clean
-rm -rf /var/lib/apt/lists/*
-_DEPS
 VOLUME /data
-
 WORKDIR /app/
-COPY . .
+# Copy only necessary files for installation and runtime
+COPY pyproject.toml .
+COPY src/ src/
+COPY assets/ assets/
+
 RUN <<_SETUP
 #!/bin/bash
 set -e
+# install system dependencies
+apt-get update -y
+apt-get install -y --no-install-recommends git
+apt-get clean
+rm -rf /var/lib/apt/lists/*
+
+# create non-root user
+useradd -m -u 1000 -s /bin/bash supportbot
+
+# write the version to the version file
 cat > src/common/version.py < src/common/version.py <