.gitea/workflows/release.yml

@@ -66,6 +66,8 @@ jobs:
           context: .
           push: true
           platforms: linux/amd64,linux/arm64
+          sbom: true
+          provenance: mode=max
           tags: |
             lerkolabs/uptop:${{ github.ref_name }}
             lerkolabs/uptop:latest
@@ -80,3 +82,9 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
           repository: lerkolabs/uptop
+
+      - name: Cleanup Docker artifacts
+        if: always()
+        run: |
+          docker image prune -f
+          docker builder prune -f --keep-storage=2GB

Dockerfile

@@ -18,17 +18,20 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 FROM alpine:3.23
 WORKDIR /app
 RUN apk add --no-cache ca-certificates && apk upgrade --no-cache
-RUN mkdir /data
+RUN addgroup -g 1000 -S uptop && adduser -u 1000 -S uptop -G uptop
+RUN mkdir -p /data/.ssh && chown -R uptop:uptop /data
 
 COPY --from=builder /app/uptop .
+COPY --chmod=755 docker-entrypoint.sh /usr/local/bin/
 
-# Set Default Configuration via ENV
-# Docker users can override these in docker-compose.yml
 ENV LIPGLOSS_RENDERER_HAS_DARK_BACKGROUND=true
 ENV UPTOP_DB_TYPE=sqlite
 ENV UPTOP_DB_DSN=/data/uptop.db
 ENV UPTOP_KEYS=/data/authorized_keys
+ENV UPTOP_SSH_HOST_KEY=/data/.ssh/id_ed25519
 ENV UPTOP_PORT=23234
 
 EXPOSE 23234
+USER uptop
+ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["./uptop"]

docker-entrypoint.sh

@@ -0,0 +1,14 @@
+#!/bin/sh
+set -e
+
+if [ ! -w /data ]; then
+    echo "ERROR: /data is not writable by uptop user (UID $(id -u))." >&2
+    echo "" >&2
+    echo "If upgrading from a previous version that ran as root:" >&2
+    echo "  docker run --rm -v <your_volume>:/data alpine chown -R 1000:1000 /data" >&2
+    exit 1
+fi
+
+mkdir -p /data/.ssh
+
+exec "$@"