
jmeridth
Member

Pull Request

Proposed Changes

We have to do this because we have no active way to change permissions to $GITHUB_OUTPUT to a specific user when running the container

Add trivy ignore to top of Dockerfile to pass linting

Readiness Checklist

Author/Contributor

  • If documentation is needed for this change, has that been included in this pull request?
  • run make lint and fix any issues that you have introduced
  • run make test and ensure you have test coverage for the lines you are introducing
  • If publishing new data to the public (scorecards, security scan results, code quality results, live dashboards, etc.), please request review from @jeffrey-luszcz

Reviewer

  • Label as either fix, documentation, enhancement, infrastructure, maintenance or breaking

We have to do this because we have no active way to change permissions to $GITHUB_OUTPUT to a specific user when running the container

Add trivy ignore to top of Dockerfile to pass linting

Signed-off-by: jmeridth <jmeridth@gmail.com>
@jmeridth jmeridth self-assigned this Sep 25, 2025
@jmeridth jmeridth requested a review from a team as a code owner September 25, 2025 15:01
@Copilot Copilot AI review requested due to automatic review settings September 25, 2025 15:01
@github-actions github-actions bot added the fix label Sep 25, 2025
@Copilot Copilot AI left a comment

Pull Request Overview

This PR reverts the Dockerfile back to using the root user instead of a non-root user to resolve permission issues with $GITHUB_OUTPUT when running the container. The change removes the user creation and permission setup logic while adding a trivy ignore directive for security scanning.

Key Changes

  • Removes non-root user creation and switches back to root user
  • Adds trivy ignore directive to suppress security warnings about running as root
  • Simplifies the Docker build process by removing user management steps

@@ -1,5 +1,6 @@
#checkov:skip=CKV_DOCKER_2
#checkov:skip=CKV_DOCKER_3
#trivy:ignore:AVD-DS-0002
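Review bot: the added #trivy:ignore:AVD-DS-0002 line suppresses the root-user finding without recording why, so the only trail back to the reason is this PR's description. Put the justification on the line itself, e.g. `#trivy:ignore:AVD-DS-0002 # root required: $GITHUB_OUTPUT cannot be reassigned to a container user`, and if running as root is meant to be temporary, use Trivy's expiry form (`#trivy:ignore:AVD-DS-0002:exp:YYYY-MM-DD`) so the suppression is revisited rather than becoming permanent by default. The two existing checkov skips above it would benefit from the same one-line reasons, since all three now sit at the top of the file with no explanation.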

Copilot AI Sep 25, 2025

The trivy ignore directive lacks a comment explaining why this security warning is being suppressed. Consider adding a comment like # Required: Running as root needed for GitHub Actions output permissions

Suggested change
#trivy:ignore:AVD-DS-0002
#trivy:ignore:AVD-DS-0002 # Required: Running as root needed for GitHub Actions output permissions


# Run the action as a non-root user
USER appuser
&& rm -rf /var/lib/apt/lists/*
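Review bot: with `USER appuser` and its comment removed, the container runs as root again and nothing in the Dockerfile says why; add a short comment at the point where the USER line was, stating that $GITHUB_OUTPUT is owned by the runner and cannot be reassigned to a container user at build time, so a future contributor does not reintroduce the non-root user without first solving that constraint. Also confirm that the `&& rm -rf /var/lib/apt/lists/*` line visible in this region still closes a valid RUN chain after the surrounding user-creation lines were deleted, since it appears here on its own.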

Copilot AI Sep 25, 2025


Running the container as root user increases the attack surface. Consider documenting in the README or inline comments the specific permission issues with $GITHUB_OUTPUT that prevent using a non-root user, and any mitigations in place.


@jmeridth jmeridth merged commit ec01409 into main Sep 25, 2025
31 checks passed
@jmeridth jmeridth deleted the jm_go_back_to_root_in_container branch September 25, 2025 15:04