From 87270490def38e53855aa93686b9f3d113b4f0f6 Mon Sep 17 00:00:00 2001 From: Tyler Koenig Date: Mon, 1 Jun 2026 11:46:05 -0400 Subject: [PATCH] fix(docker): non-root user, supply chain attestations, build cleanup BREAKING: Container now runs as UID 1000 (uptop) instead of root. Existing volumes with root-owned files need migration: docker run --rm -v :/data alpine chown -R 1000:1000 /data - Add uptop user (UID/GID 1000) with entrypoint writability check - Enable SBOM and provenance attestations for Docker Scout compliance - Prune dangling images and build cache after release builds --- .gitea/workflows/release.yml | 8 ++++++++ Dockerfile | 8 +++++--- docker-entrypoint.sh | 12 ++++++++++++ 3 files changed, 25 insertions(+), 3 deletions(-) create mode 100755 docker-entrypoint.sh diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml index dfd8712..20901a5 100644 --- a/.gitea/workflows/release.yml +++ b/.gitea/workflows/release.yml @@ -66,6 +66,8 @@ jobs: context: . push: true platforms: linux/amd64,linux/arm64 + sbom: true + provenance: mode=max tags: | lerkolabs/uptop:${{ github.ref_name }} lerkolabs/uptop:latest @@ -80,3 +82,9 @@ jobs: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} repository: lerkolabs/uptop + + - name: Cleanup Docker artifacts + if: always() + run: | + docker image prune -f + docker builder prune -f --keep-storage=2GB diff --git a/Dockerfile b/Dockerfile index 3dbab66..edfc4dc 100644 --- a/Dockerfile +++ b/Dockerfile 
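Review bot: `provenance: mode=max` embeds the full Dockerfile, every build arg and the builder environment in the attestation that is pushed alongside `lerkolabs/uptop:*`, so any `build-args:` value this workflow ever passes becomes public in the registry; none is visible in this hunk, but a comment next to the line should say so, e.g. `# mode=max publishes the Dockerfile and all build args in the attestation — never pass secrets via build-args, use a secrets mount`. BuildKit's SBOM scan runs against the final stage only, so the Go module list compiled in the builder stage is captured only as far as the scanner can read the binary's embedded buildinfo; if the module inventory from the builder stage matters for Scout policy, add `BUILDKIT_SBOM_SCAN_STAGE=true` under `build-args:`. Neither attestation is signed, so a consumer cannot tell them apart from attestations re-attached by anyone with push rights to the repository — a `cosign sign` step keyed on the pushed digest is the usual complement to `sbom: true`.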
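Review bot: `docker builder prune -f --keep-storage=2GB` only clears the cache of the daemon's default builder; the multi-platform build above (`platforms: linux/amd64,linux/arm64`) almost certainly runs through a buildx `docker-container` builder, whose cache lives inside the builder container and is untouched by this command. `docker buildx prune -f --keep-storage=2GB` targets that builder; run both only if the runner is also used by plain `docker build` jobs. Because the step is `if: always()`, a prune error on a runner with a wedged daemon would turn an otherwise successful release red — `continue-on-error: true` on the step, or `|| true` on each command, keeps cleanup best-effort. Note that `docker image prune -f` removes dangling layers only, not the tagged `lerkolabs/uptop:*` images that accumulate per release; if disk pressure is the motivation, `docker image prune -af` is needed, at the cost of re-pulling base images.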
@@ -18,12 +18,12 @@ RUN --mount=type=cache,target=/go/pkg/mod \ FROM alpine:3.23 WORKDIR /app RUN apk add --no-cache ca-certificates && apk upgrade --no-cache -RUN mkdir /data +RUN addgroup -g 1000 -S uptop && adduser -u 1000 -S uptop -G uptop +RUN mkdir /data && chown uptop:uptop /data COPY --from=builder /app/uptop . +COPY docker-entrypoint.sh /usr/local/bin/ -# Set Default Configuration via ENV -# Docker users can override these in docker-compose.yml ENV LIPGLOSS_RENDERER_HAS_DARK_BACKGROUND=true ENV UPTOP_DB_TYPE=sqlite ENV UPTOP_DB_DSN=/data/uptop.db @@ -31,4 +31,6 @@ ENV UPTOP_KEYS=/data/authorized_keys ENV UPTOP_PORT=23234 EXPOSE 23234 +USER uptop +ENTRYPOINT ["docker-entrypoint.sh"] CMD ["./uptop"] \ No newline at end of file diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh new file mode 100755 index 0000000..cef5bb2 --- /dev/null +++ b/docker-entrypoint.sh @@ -0,0 +1,12 @@ +#!/bin/sh +set -e + +if [ ! -w /data ]; then + echo "ERROR: /data is not writable by uptop user (UID $(id -u))." >&2 + echo "" >&2 + echo "If upgrading from a previous version that ran as root:" >&2 + echo " docker run --rm -v :/data alpine chown -R 1000:1000 /data" >&2 + exit 1 +fi + +exec "$@"
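Review bot: `COPY docker-entrypoint.sh /usr/local/bin/` depends on the executable bit surviving the checkout — the patch creates the file as 100755, but a clone with `core.fileMode=false` or a build context prepared on Windows drops it, and the container then dies at start with `exec: "docker-entrypoint.sh": permission denied`. `COPY --chmod=0755 docker-entrypoint.sh /usr/local/bin/` sets the mode in the build instead of trusting the context, and leaves the script root-owned and unwritable by `uptop`, which is the right shape given the `USER uptop` that follows. `COPY --from=builder /app/uptop .` likewise lands the binary root-owned in `/app`; keep it that way rather than adding `--chown`, since a process that cannot rewrite its own executable is a feature. A short why-comment above the `addgroup` line would help the next reader, e.g. `# Fixed UID/GID 1000 so bind-mounted /data is usable by the default first host user without chown` (presumably the reason, per the BREAKING note; confirm).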
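Review bot: `USER uptop` names the user, which Kubernetes `securityContext.runAsNonRoot: true` cannot verify — the kubelet rejects the pod with "image has non-numeric user (uptop), cannot verify user is non-root" because it does not consult the image's /etc/passwd. Since the UID/GID are fixed at 1000 in the same change, `USER 1000:1000` yields the same identity, passes that check, and the passwd entry still maps the UID back to `uptop` for tools that look up the name. `ENTRYPOINT ["docker-entrypoint.sh"]` is resolved through the image's PATH; `ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]` removes that dependency and points at exactly where the `COPY` above placed the script.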
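Review bot: The writability check is pinned to `/data`, but the Dockerfile sets the actual locations through `UPTOP_DB_DSN=/data/uptop.db` and `UPTOP_KEYS=/data/authorized_keys`, which compose users override, and a root-owned `uptop.db` inside an already-writable `/data` (a `chown` run without `-R`, or a file restored from backup) still passes `[ ! -w /data ]` and then fails later inside sqlite with a much less helpful error. Derive the directory from `UPTOP_DB_DSN`, test the database file too when it exists, and skip the check for non-sqlite backends whose DSN is not a path, as sketched below; the directory test still covers sqlite's `-journal`/`-wal` side files. The printed migration command reads `-v :/data` with nothing before the colon — if that is a placeholder lost in rendering, ignore this, otherwise it should name the volume, e.g. `-v uptop-data:/data`. Ending with `exec "$@"` is correct; keep it.
```sh
# Only meaningful for the sqlite backend; other DB types carry a DSN, not a path.
if [ "${UPTOP_DB_TYPE:-sqlite}" = "sqlite" ]; then
    db="${UPTOP_DB_DSN:-/data/uptop.db}"
    data_dir=$(dirname "$db")
    if [ ! -w "$data_dir" ] || { [ -e "$db" ] && [ ! -w "$db" ]; }; then
        echo "ERROR: $data_dir or $db is not writable by uptop user (UID $(id -u))." >&2
        # … unchanged: migration hint lines …
        exit 1
    fi
fi
```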