fix(docker): non-root user, supply chain attestations, build cleanup #44

Open
lerko wants to merge 1 commits from fix/docker-compliance into main

Summary

  • Non-root user: Container runs as uptop (UID/GID 1000) instead of root. Entrypoint checks /data writability and exits with migration instructions if volume permissions need fixing.
  • Supply chain attestations: SBOM and provenance (mode=max) attached to pushed images for Docker Scout compliance.
  • Build cleanup: Prune dangling images and build cache (keeps 2GB) after each release build to prevent runner bloat.

Breaking Change

Existing Docker volumes with root-owned files will fail on startup. Fix before upgrading:

docker run --rm -v <your_volume>:/data alpine chown -R 1000:1000 /data

New installs are unaffected — fresh volumes inherit UID 1000 from the image.

Test plan

  • Build image locally: docker build -t uptop:test .
  • Run fresh (no existing volume): container starts normally as uptop user
  • Run with root-owned volume: container exits with clear migration error
  • Run migration command, restart: container starts normally
  • Verify id inside container shows uptop, not root
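The entrypoint behaviour described in the summary (check that the data directory is writable by the non-root user, otherwise refuse to start and print the migration command) as an added example; this is not the project's own entrypoint, and the function name `check_data_dir`, the `APP_UID`/`APP_GID` variables and the `demo` helper are this example's assumptions. The check is written so it can be exercised against constructed temporary directories outside a container:

```shell
#!/bin/sh
# Added example, not uptop's entrypoint. Assumed names: check_data_dir,
# APP_UID, APP_GID, demo. The migration command is the one from the PR.

APP_UID=1000
APP_GID=1000

# Return 0 when the directory exists and is writable by the current user.
# Otherwise print a diagnosis plus migration instructions to stderr and
# return 1 so the caller can refuse to start instead of failing later.
check_data_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "error: data directory '$dir' does not exist" >&2
        return 1
    fi
    if [ ! -w "$dir" ]; then
        # Numeric owner of the directory, to make the mismatch visible.
        owner=$(ls -ldn "$dir" | awk '{print $3 ":" $4}')
        cat >&2 <<EOF
error: data directory '$dir' is not writable by uid $(id -u) (owned by $owner).
The container runs as uid $APP_UID; fix the volume ownership on the host and restart:

  docker run --rm -v <your_volume>:/data alpine chown -R $APP_UID:$APP_GID /data
EOF
        return 1
    fi
    return 0
}

# Stand-alone demonstration using constructed temporary directories:
# a fresh writable directory passes, a missing one is refused.
demo() {
    tmp=$(mktemp -d)
    check_data_dir "$tmp" && echo "writable dir: ok"
    check_data_dir "$tmp/missing" || echo "missing dir: refused (entrypoint would exit 1)"
    rm -rf "$tmp"
}

# In a real entrypoint the tail would be:
#   check_data_dir /data || exit 1
#   exec "$@"
demo
```

The root-owned-volume case from the test plan is the `[ ! -w "$dir" ]` branch: when the process runs as uid 1000 and the volume's files belong to uid 0, the check fails before any migration or write is attempted, which is what makes the error message actionable rather than a permission-denied stack trace mid-startup.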
lerko added 1 commit 2026-06-01 15:46:25 +00:00
fix(docker): non-root user, supply chain attestations, build cleanup
CI / test (pull_request) Successful in 2m29s
CI / lint (pull_request) Successful in 46s
CI / vulncheck (pull_request) Successful in 41s
87270490de
BREAKING: Container now runs as UID 1000 (uptop) instead of root.
Existing volumes with root-owned files need migration:

  docker run --rm -v <volume>:/data alpine chown -R 1000:1000 /data

- Add uptop user (UID/GID 1000) with entrypoint writability check
- Enable SBOM and provenance attestations for Docker Scout compliance
- Prune dangling images and build cache after release builds

Reference: lerkolabs/uptop#44