
Conversation


@Cschlaefli Cschlaefli commented Dec 4, 2025

This change updates the Containerfile to support arbitrary user IDs to enable running in OpenShift.

It does this by adding group write permissions to /app and setting both /app and /data to use the root group by default.

This should not have any impact on existing environments running as the sourcebot user, since all of the directories changed are owned by the sourcebot user.

Summary by CodeRabbit

  • Chores
    • Updated container directory access permissions to enable multi-user group-based access on the application directory, while maintaining sourcebot-specific ownership on the data directory.



coderabbitai bot commented Dec 4, 2025

Important

Review skipped

Auto reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Modified Dockerfile permission setup for /app and /data directories. Replaced direct chown of /data with a multi-step approach: /app now receives recursive chown to sourcebot, chgrp to root group (0), and chmod for group write permissions; /data receives chown to sourcebot only.

Changes

Cohort / File(s) | Summary
Dockerfile permission model update (Dockerfile) | Changed /app and /data ownership/permission configuration: introduced multi-step setup for /app with group-wide write access (chgrp -R 0, chmod -R g=u), changed /data from sourcebot:sourcebot to sourcebot ownership only, enabling broader group access on /app while maintaining sourcebot-only ownership on /data.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify the permission changes (chgrp -R 0, chmod -R g=u) are intentional and don't introduce unintended security implications
  • Confirm that removing sourcebot:sourcebot group ownership from /data and replacing with sourcebot-only ownership aligns with intended security posture
  • Ensure the root group (GID 0) write permissions on /app are necessary for the intended multi-user access pattern


Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately describes the main change: adding support for arbitrary user IDs (anyuid) to the Dockerfile by modifying permission models for /app and /data directories.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@brendan-kellam

@coderabbitai review


coderabbitai bot commented Dec 5, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 84cf524 and 3b62158.

📒 Files selected for processing (1)
  • Dockerfile (2 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: build
🔇 Additional comments (1)
Dockerfile (1)

252-253: Inconsistency: /data setup doesn't match stated PR intent or /app setup.

The review identifies a potential discrepancy: if the PR description states "both /app and /data to use the root group by default," but only /app receives chgrp -R 0 and chmod -R g=u permissions, then /data lacks group-write access needed in OpenShift anyuid mode.

Line 253 only runs chown -R sourcebot /data without group or permission changes. In anyuid execution contexts, this prevents non-sourcebot users (running with arbitrary UID) from writing to /data.

If /data requires write access: apply the same permission setup as /app.
If /data is intentionally read-only: clarify in PR description.
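The permission model behind this PR and the reviewer's /data point can be checked without a container: the following added example (not code from the PR or from sourcebot) models the Unix owner/group/other write check and applies it to the two setups the review compares. It assumes OpenShift runs the container as an arbitrary UID whose GID is 0, a constructed UID of 1000680000 for that case, and an assumed UID of 1001 for the sourcebot user, since the page gives no numeric IDs.

```shell
# Added example (not from the PR): model the Unix write check for the two
# permission setups this review discusses. UID/GID values are constructed.

# Octal mode string -> decimal (portable: avoids base#n arithmetic).
oct2dec() {
    n=0; s=$1
    while [ -n "$s" ]; do
        d=${s%"${s#?}"}; n=$(( n * 8 + d )); s=${s#?}
    done
    echo "$n"
}

# Rewrite an octal mode so group bits equal user bits (what chmod g=u does).
g_eq_u() {
    mode=$(oct2dec "$1")
    printf '%o' $(( (mode & ~(7 << 3)) | (((mode >> 6) & 7) << 3) ))
}

# can_write UID "GID[,GID...]" OWNER_UID OWNER_GID OCTAL_MODE
# Exit 0 if that identity may write to the object, 1 otherwise.
can_write() {
    uid=$1; gids=$2; owner=$3; group=$4; mode=$(oct2dec "$5")
    [ "$uid" -eq 0 ] && return 0                      # root bypasses DAC
    if [ "$uid" -eq "$owner" ]; then
        [ $(( (mode >> 6) & 2 )) -ne 0 ]; return      # owner: user write bit
    fi
    for g in $(printf '%s' "$gids" | tr ',' ' '); do
        if [ "$g" -eq "$group" ]; then
            [ $(( (mode >> 3) & 2 )) -ne 0 ]; return  # member: group write bit
        fi
    done
    [ $(( mode & 2 )) -ne 0 ]                         # others: other write bit
}

SOURCEBOT_UID=1001   # assumed value for the sourcebot user
ANYUID=1000680000    # constructed OpenShift-style arbitrary UID; its GID is 0

# /app after `chown -R sourcebot /app && chgrp -R 0 /app && chmod -R g=u /app`
APP_MODE=$(g_eq_u 755)    # 755 -> 775, group root
# /data after `chown -R sourcebot /data` only: group and mode stay as before
DATA_MODE=755

# anyuid_access OWNER_GID OCTAL_MODE -> "writable" or "read-only" for $ANYUID
anyuid_access() {
    if can_write "$ANYUID" 0 "$SOURCEBOT_UID" "$1" "$2"; then echo writable; else echo read-only; fi
}

echo "/app  (group 0, mode $APP_MODE): $(anyuid_access 0 "$APP_MODE")"
echo "/data (group $SOURCEBOT_UID, mode $DATA_MODE): $(anyuid_access "$SOURCEBOT_UID" "$DATA_MODE")"
```

The arbitrary UID can write to /app only because chgrp -R 0 plus chmod -R g=u gives the root group the owner's bits; /data, which received neither, stays read-only for that UID.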

@brendan-kellam brendan-kellam merged commit 3d85a05 into sourcebot-dev:main Dec 5, 2025
5 checks passed
