fix(docker): non-root user, supply chain attestations, build cleanup

BREAKING: Container now runs as UID 1000 (uptop) instead of root. Existing volumes with root-owned files need migration: docker run --rm -v <volume>:/data alpine chown -R 1000:1000 /data - Add uptop user (UID/GID 1000) with entrypoint writability check - Enable SBOM and provenance attestations for Docker Scout compliance - Prune dangling images and build cache after release builds
2026-06-01 11:46:05 -04:00
parent f80e519349
commit 87270490de
3 changed files with 25 additions and 3 deletions
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+if [ ! -w /data ]; then
+    echo "ERROR: /data is not writable by uptop user (UID $(id -u))." >&2
+    echo "" >&2
+    echo "If upgrading from a previous version that ran as root:" >&2
+    echo "  docker run --rm -v <your_volume>:/data alpine chown -R 1000:1000 /data" >&2
+    exit 1
+fi
+
+exec "$@"