
Commit fd44be5

committed
fix: permission issues and ci
1 parent a9f8352 commit fd44be5


3 files changed

+25
-17
lines changed


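--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -113,22 +113,14 @@ jobs:
 username: ${{ secrets.DOCKER_USERNAME }}
 password: ${{ secrets.DOCKER_TOKEN }}
 
-- name: Extract metadata
-id: meta
-uses: docker/metadata-action@v5
-with:
-images: ${{ secrets.DOCKER_USERNAME }}/isoman
-tags: |
-type=semver,pattern={{version}}
-type=raw,value=latest
-
 - name: Build and push Docker image
 uses: docker/build-push-action@v5
 with:
 context: .
 push: true
-tags: ${{ steps.meta.outputs.tags }}
-labels: ${{ steps.meta.outputs.labels }}
+tags: |
+${{ secrets.DOCKER_USERNAME }}/isoman:${{ steps.version.outputs.version }}
+${{ secrets.DOCKER_USERNAME }}/isoman:latest
 cache-from: type=gha
 cache-to: type=gha,mode=max
 build-args: |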
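Review bot: The new `with:` block of the build step no longer passes `labels:`, so the pushed image loses the OCI labels (source, revision, version) that the removed metadata step generated, which makes it harder to trace a published tag back to a commit. Consider keeping at least `labels: org.opencontainers.image.revision=${{ github.sha }}`. The first tag also depends on `steps.version.outputs.version`, a step defined outside this hunk; if that output can ever be empty the tag becomes `…/isoman:` and the push fails, so it is worth confirming the step always sets it. The `with:` block continues past the end of the hunk.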

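--- a/Dockerfile
+++ b/Dockerfile
@@ -55,8 +55,8 @@ RUN CGO_ENABLED=0 GOOS=linux go build \
 # ============================================
 FROM alpine:3.19
 
-# Install ca-certificates for HTTPS downloads
-RUN apk --no-cache add ca-certificates tzdata
+# Install ca-certificates for HTTPS downloads and su-exec for privilege dropping
+RUN apk --no-cache add ca-certificates tzdata su-exec
 
 # Create non-root user
 RUN addgroup -g 1000 isoman && \
@@ -70,12 +70,16 @@ COPY --from=backend-builder /app/server ./server
 # Copy frontend dist from builder
 COPY --from=frontend-builder /app/ui/dist ./ui/dist
 
+# Copy entrypoint script
+COPY backend/docker-entrypoint.sh /entrypoint.sh
+
 # Create data directory with proper permissions
 RUN mkdir -p /data/isos /data/db && \
-chown -R isoman:isoman /app /data
+chown -R isoman:isoman /app /data && \
+chmod +x /entrypoint.sh
 
-# Switch to non-root user
-USER isoman
+# Set entrypoint (runs as root, then drops to isoman user)
+ENTRYPOINT ["/entrypoint.sh"]
 
 # Expose port
 EXPOSE 8080
@@ -90,5 +94,5 @@ ENV GIN_MODE=release
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
 CMD wget --no-verbose --tries=1 --spider http://localhost:8080/health || exit 1
 
-# Run the server
+# Run the server (passed to entrypoint)
 CMD ["./server"]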
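Review bot: With `USER isoman` dropped in the second hunk, root is the image's configured user and the privilege drop exists only inside `/entrypoint.sh`. The `HEALTHCHECK` wget, `docker exec` sessions and any run that overrides the entrypoint therefore execute as root, and a Kubernetes `runAsNonRoot: true` policy will reject the image. The comment above `ENTRYPOINT` should spell this out, e.g. `# No USER on purpose: image starts as root so the entrypoint can chown /data; when overriding the entrypoint, pass --user isoman`. The added `chmod +x` in the `RUN` can be replaced by `COPY --chmod=755 backend/docker-entrypoint.sh /entrypoint.sh`, assuming the build uses BuildKit as the workflow's build-push-action suggests.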

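--- a/backend/docker-entrypoint.sh
+++ b/backend/docker-entrypoint.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+# Create directories if they don't exist
+mkdir -p /data/isos /data/db
+
+# Fix ownership - only if needed and don't follow symlinks
+# Only change ownership of the directories themselves, not recursively
+chown isoman:isoman /data /data/isos /data/db
+
+# Switch to isoman user and execute the main command
+exec su-exec isoman "$@"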
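Review bot: The comment on lines 7–8 says the ownership fix runs "only if needed" and does not follow symlinks, but line 9 is an unconditional `chown` without `-h`, so it runs as root on every start and dereferences `/data/isos` or `/data/db` if either is a symlink inside a mounted volume. Using `chown -h` matches the stated intent. Separately, with `set -e` the script exits when the container is started as a non-root user (for example `--user` or a Kubernetes `runAsUser`), because `chown` and `su-exec` both need root. Guarding the privileged steps on `id -u` keeps that configuration working and leaves the root path unchanged.

```shell
# … unchanged: shebang, set -e …
if [ "$(id -u)" = "0" ]; then
    mkdir -p /data/isos /data/db
    # -h: change a symlink itself rather than the file it points to
    chown -h isoman:isoman /data /data/isos /data/db
    exec su-exec isoman "$@"
fi

# Already unprivileged: nothing to drop, run the command as-is
exec "$@"
```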
