
Commit 2655c1f

pikespeakclaude
andcommitted
fix(docker): set file ownership for non-root Chainguard build
All COPY commands now use --chown=node:node so pnpm can create node_modules in workspace package directories. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 8c2fe05 commit 2655c1f

1 file changed

Lines changed: 12 additions & 16 deletions


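--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-# Usage: docker run --rm -v $(pwd):/repo ottersight/cli scan /repo
+# Usage: docker run --rm -v $(pwd):/repo ghcr.io/ottersight/cli scan /repo
 #
 # Multi-stage build:
 # 1. Copy Syft + Grype binaries from official Anchore images (no curl|sh supply chain risk)
@@ -16,20 +16,16 @@ FROM anchore/grype:latest AS grype
 FROM cgr.dev/chainguard/node:latest-dev AS builder
 WORKDIR /app
 
-# Copy scanner package sources (CLI depends on @ottersight/scanner)
-COPY packages/scanner/package.json packages/scanner/
-COPY packages/scanner/tsup.config.ts packages/scanner/
-COPY packages/scanner/tsconfig.json packages/scanner/
-COPY packages/scanner/src/ packages/scanner/src/
-
-# Copy CLI package sources
-COPY packages/cli/package.json packages/cli/
-COPY packages/cli/tsup.config.ts packages/cli/
-COPY packages/cli/tsconfig.json packages/cli/
-COPY packages/cli/src/ packages/cli/src/
-
-# Copy root workspace config for pnpm workspaces
-COPY package.json pnpm-workspace.yaml pnpm-lock.yaml ./
+# Copy all source files with correct ownership (Chainguard runs as node user)
+COPY --chown=node:node packages/scanner/package.json packages/scanner/
+COPY --chown=node:node packages/scanner/tsup.config.ts packages/scanner/
+COPY --chown=node:node packages/scanner/tsconfig.json packages/scanner/
+COPY --chown=node:node packages/scanner/src/ packages/scanner/src/
+COPY --chown=node:node packages/cli/package.json packages/cli/
+COPY --chown=node:node packages/cli/tsup.config.ts packages/cli/
+COPY --chown=node:node packages/cli/tsconfig.json packages/cli/
+COPY --chown=node:node packages/cli/src/ packages/cli/src/
+COPY --chown=node:node package.json pnpm-workspace.yaml pnpm-lock.yaml ./
 
 # Install deps and build (pnpm is pre-installed in chainguard node:latest-dev)
 # Scanner must be built first so dist/index.d.ts exists for CLI typecheck
@@ -57,7 +53,7 @@ COPY --from=syft /syft /usr/local/bin/syft
 COPY --from=grype /grype /usr/local/bin/grype
 
 # Volume mount point for user's repo — convention: mount local directory at /repo
-# docker run --rm -v $(pwd):/repo ottersight/cli scan /repo
+# docker run --rm -v $(pwd):/repo ghcr.io/ottersight/cli scan /repo
 VOLUME ["/repo"]
 
 # Entrypoint: node runs the CLI script directly (no shell needed)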
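Review bot: The nine new `COPY --chown=node:node` lines in the builder stage resolve `node` by name inside the base image, but that base is the floating tag `cgr.dev/chainguard/node:latest-dev`, so a rebuild can pull a different image, and possibly a different default user, with no change to this file. Pinning the base by digest keeps the ownership fix and the toolchain that builds the CLI fixed between builds, e.g. `FROM cgr.dev/chainguard/node:latest-dev@sha256:<digest-placeholder> AS builder`. The same applies to `anchore/grype:latest` in the hunk header, since that binary is copied into the final image and the header comment presents those images as the supply-chain-safe path. The builder stage's install and build steps sit outside the hunks shown, so whether `/app` itself (created by `WORKDIR`) is writable by `node` cannot be confirmed from here.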
