fix: go back to using root user in Dockerfile #281

Merged
jmeridth merged 1 commit into main from jm_go_back_to_root_in_container
Sep 25, 2025

@jmeridth
Collaborator

Pull Request

Proposed Changes

We have to do this because we have no active way to change permissions to $GITHUB_OUTPUT to a specific user when running the container

Add trivy ignore to top of Dockerfile to pass linting

Readiness Checklist

Author/Contributor

  • If documentation is needed for this change, has that been included in this pull request
  • run make lint and fix any issues that you have introduced
  • run make test and ensure you have test coverage for the lines you are introducing
  • If publishing new data to the public (scorecards, security scan results, code quality results, live dashboards, etc.), please request review from @jeffrey-luszcz

Reviewer

  • Label as either fix, documentation, enhancement, infrastructure, maintenance or breaking

We have to do this because we have no active way to change permissions to $GITHUB_OUTPUT to a specific user when running the container

Add trivy ignore to top of Dockerfile to pass linting

Signed-off-by: jmeridth <jmeridth@gmail.com>
@jmeridth jmeridth self-assigned this Sep 25, 2025
@jmeridth jmeridth requested a review from a team as a code owner September 25, 2025 14:57
Copilot AI review requested due to automatic review settings September 25, 2025 14:57
@github-actions github-actions bot added the fix label Sep 25, 2025
Copilot AI left a comment

Pull Request Overview

This PR reverts the Docker container to run as root user instead of a non-root user due to permission issues with writing to $GITHUB_OUTPUT. The change removes the non-root user setup that was previously implemented for security purposes.

  • Removes non-root user creation and configuration from Dockerfile
  • Adds trivy security scanner ignore directive for running as root user
  • Simplifies the container setup by removing user switching logic

@@ -1,5 +1,6 @@
#checkov:skip=CKV_DOCKER_2
#checkov:skip=CKV_DOCKER_3
#trivy:ignore:AVD-DS-0002
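
Review bot: the new `#trivy:ignore:AVD-DS-0002` on line 3 joins the two checkov skips as a third scanner suppression, and none of the three carries a reason. Add a one-line comment above them stating that the image runs as root because there is no way to give a specific user permission on $GITHUB_OUTPUT when the container runs, so the suppressions can be revisited if that constraint goes away.
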
Copilot AI Sep 25, 2025

Running containers as root user creates security risks. Consider implementing a solution to properly set permissions on $GITHUB_OUTPUT directory instead of reverting to root user. This could involve using initContainers, volume mounts with proper permissions, or GitHub Actions workflow adjustments.


# Run the action as a non-root user
USER appuser
&& rm -rf /var/lib/apt/lists/*
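
Review bot: with `USER appuser` and its comment removed, nothing in these lines says which user the image runs as, so the return to root is implicit. Consider an explicit `USER root` with a comment giving the $GITHUB_OUTPUT reason, and check that any earlier step that created `appuser` is removed too, so no unused account is left in the image.
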
Copilot AI Sep 25, 2025

The PR description mentions permission issues with $GITHUB_OUTPUT, but there's no documentation in the code explaining why root user is required. Consider adding a comment explaining the specific permission constraint that necessitates running as root.

@jmeridth jmeridth merged commit b2d05c0 into main Sep 25, 2025
31 checks passed
@jmeridth jmeridth deleted the jm_go_back_to_root_in_container branch September 25, 2025 15:01