fix: permission issues and ci

Author: aloks98

.github/workflows/publish.yml

@@ -113,22 +113,14 @@ jobs:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_TOKEN }}
 
-      - name: Extract metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ secrets.DOCKER_USERNAME }}/isoman
-          tags: |
-            type=semver,pattern={{version}}
-            type=raw,value=latest
-
       - name: Build and push Docker image
         uses: docker/build-push-action@v5
         with:
           context: .
           push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: |
+            ${{ secrets.DOCKER_USERNAME }}/isoman:${{ steps.version.outputs.version }}
+            ${{ secrets.DOCKER_USERNAME }}/isoman:latest
           cache-from: type=gha
           cache-to: type=gha,mode=max
           build-args: |

Dockerfile

@@ -55,8 +55,8 @@ RUN CGO_ENABLED=0 GOOS=linux go build \
 # ============================================
 FROM alpine:3.19
 
-# Install ca-certificates for HTTPS downloads
-RUN apk --no-cache add ca-certificates tzdata
+# Install ca-certificates for HTTPS downloads and su-exec for privilege dropping
+RUN apk --no-cache add ca-certificates tzdata su-exec
 
 # Create non-root user
 RUN addgroup -g 1000 isoman && \
@@ -70,12 +70,16 @@ COPY --from=backend-builder /app/server ./server
 # Copy frontend dist from builder
 COPY --from=frontend-builder /app/ui/dist ./ui/dist
 
+# Copy entrypoint script
+COPY backend/docker-entrypoint.sh /entrypoint.sh
+
 # Create data directory with proper permissions
 RUN mkdir -p /data/isos /data/db && \
-    chown -R isoman:isoman /app /data
+    chown -R isoman:isoman /app /data && \
+    chmod +x /entrypoint.sh
 
-# Switch to non-root user
-USER isoman
+# Set entrypoint (runs as root, then drops to isoman user)
+ENTRYPOINT ["/entrypoint.sh"]
 
 # Expose port
 EXPOSE 8080
@@ -90,5 +94,5 @@ ENV GIN_MODE=release
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
   CMD wget --no-verbose --tries=1 --spider http://localhost:8080/health || exit 1
 
-# Run the server
+# Run the server (passed to entrypoint)
 CMD ["./server"]

backend/docker-entrypoint.sh

@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+# Create directories if they don't exist
+mkdir -p /data/isos /data/db
+
+# Fix ownership - only if needed and don't follow symlinks
+# Only change ownership of the directories themselves, not recursively
+chown isoman:isoman /data /data/isos /data/db
+
+# Switch to isoman user and execute the main command
+exec su-exec isoman "$@"