docs: add 2026.06.1 changelog entry

Merge pull request 'fix(docker): non-root user, supply chain attestations, build cleanup' (#44 ) from fix/docker-compliance into main
Reviewed-on: #44
2026-06-01 19:27:04 -04:00 · 2026-06-01 22:48:33 +00:00 · 2026-06-01 15:56:45 -04:00 · 2026-06-01 15:33:52 -04:00 · 2026-06-01 11:46:05 -04:00
4 changed files with 43 additions and 3 deletions
@@ -66,6 +66,8 @@ jobs:
          context: .
          push: true
          platforms: linux/amd64,linux/arm64
+          sbom: true
+          provenance: mode=max
          tags: |
            lerkolabs/uptop:${{ github.ref_name }}
            lerkolabs/uptop:latest
@@ -80,3 +82,9 @@ jobs:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
          repository: lerkolabs/uptop
+
+      - name: Cleanup Docker artifacts
+        if: always()
+        run: |
+          docker image prune -f
+          docker builder prune -f --keep-storage=2GB
@@ -1,5 +1,20 @@
 # Changelog

+## [2026.06.1] — 2026-06-01
+
+### Changed
+- Container runs as non-root user `uptop` (UID/GID 1000) instead of root (#44)
+- SSH host key relocated to `/data/.ssh/id_ed25519` for non-root compatibility (#44)
+- Release workflow prunes dangling images and build cache after Docker push (#44)
+
+### Added
+- SBOM and provenance attestations on Docker images for supply chain compliance (#44)
+- Entrypoint script with volume writability check and migration guidance (#44)
+
+### Breaking
+- Existing Docker volumes with root-owned files require migration before upgrading:
+  `docker run --rm -v <volume>:/data alpine chown -R 1000:1000 /data`
+
 ## [2026.05.5] — 2026-05-29

 ### Added
@@ -18,17 +18,20 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 FROM alpine:3.23
 WORKDIR /app
 RUN apk add --no-cache ca-certificates && apk upgrade --no-cache
-RUN mkdir /data
+RUN addgroup -g 1000 -S uptop && adduser -u 1000 -S uptop -G uptop
+RUN mkdir -p /data/.ssh && chown -R uptop:uptop /data

 COPY --from=builder /app/uptop .
+COPY --chmod=755 docker-entrypoint.sh /usr/local/bin/

-# Set Default Configuration via ENV
-# Docker users can override these in docker-compose.yml
 ENV LIPGLOSS_RENDERER_HAS_DARK_BACKGROUND=true
 ENV UPTOP_DB_TYPE=sqlite
 ENV UPTOP_DB_DSN=/data/uptop.db
 ENV UPTOP_KEYS=/data/authorized_keys
+ENV UPTOP_SSH_HOST_KEY=/data/.ssh/id_ed25519
 ENV UPTOP_PORT=23234

 EXPOSE 23234
+USER uptop
+ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["./uptop"]
@@ -0,0 +1,14 @@
+#!/bin/sh
+set -e
+
+if [ ! -w /data ]; then
+    echo "ERROR: /data is not writable by uptop user (UID $(id -u))." >&2
+    echo "" >&2
+    echo "If upgrading from a previous version that ran as root:" >&2
+    echo "  docker run --rm -v <your_volume>:/data alpine chown -R 1000:1000 /data" >&2
+    exit 1
+fi
+
+mkdir -p /data/.ssh
+
+exec "$@"
Author	SHA1	Message	Date
lerko	a08d6ce2c5	docs: add 2026.06.1 changelog entry CI / test (push) Successful in 2m34s Details CI / lint (push) Successful in 40s Details CI / vulncheck (push) Successful in 35s Details Release / release (push) Successful in 2m11s Details Release / docker (push) Successful in 20m32s Details	2026-06-01 19:27:04 -04:00
lerko	24d4fb5e55	Merge pull request 'fix(docker): non-root user, supply chain attestations, build cleanup' (#44 ) from fix/docker-compliance into main CI / test (push) Successful in 2m26s Details CI / lint (push) Successful in 46s Details CI / vulncheck (push) Successful in 41s Details Release / docker (push) Has been cancelled Details Release / release (push) Has been cancelled Details Reviewed-on: #44	2026-06-01 22:48:33 +00:00
lerko	8d34524aa0	fix(docker): create .ssh dir explicitly, ensure entrypoint is executable CI / test (pull_request) Successful in 2m31s Details CI / lint (pull_request) Successful in 1m6s Details CI / vulncheck (pull_request) Successful in 1m6s Details	2026-06-01 15:56:45 -04:00
lerko	b254f6ea05	fix(docker): move SSH host key path into /data for non-root user CI / test (pull_request) Successful in 2m26s Details CI / lint (pull_request) Successful in 40s Details CI / vulncheck (pull_request) Successful in 41s Details	2026-06-01 15:33:52 -04:00
lerko	87270490de	fix(docker): non-root user, supply chain attestations, build cleanup CI / test (pull_request) Successful in 2m29s Details CI / lint (pull_request) Successful in 46s Details CI / vulncheck (pull_request) Successful in 41s Details BREAKING: Container now runs as UID 1000 (uptop) instead of root. Existing volumes with root-owned files need migration: docker run --rm -v <volume>:/data alpine chown -R 1000:1000 /data - Add uptop user (UID/GID 1000) with entrypoint writability check - Enable SBOM and provenance attestations for Docker Scout compliance - Prune dangling images and build cache after release builds	2026-06-01 11:46:05 -04:00