From f72130c6bf7494544f76daf7707e4c2de8a41f9d Mon Sep 17 00:00:00 2001
From: Mathias Beaulieu-Duncan
Date: Mon, 2 Feb 2026 10:34:15 -0500
Subject: [PATCH] Add USER 65532 to generated Dockerfile for non-root compliance

The FROM scratch + ADD pattern loses apko's OCI config metadata including the run-as user. Adding USER 65532 to the Dockerfile restores the non-root default that Docker Scout checks for.

Co-Authored-By: Claude Opus 4.5
---
 .gitea/workflows/publish.yaml | 1 +
 .gitea/workflows/rebuild.yaml | 1 +
 .gitea/workflows/update-check.yaml | 1 +
 3 files changed, 3 insertions(+)

diff --git a/.gitea/workflows/publish.yaml b/.gitea/workflows/publish.yaml
index b603561..d3b5c45 100644
--- a/.gitea/workflows/publish.yaml
+++ b/.gitea/workflows/publish.yaml
@@ -117,6 +117,7 @@ jobs:
 /tmp/image.tar
 echo 'FROM scratch' > /tmp/Dockerfile
 echo 'ADD image.tar /' >> /tmp/Dockerfile
+echo 'USER 65532' >> /tmp/Dockerfile
 
 - name: Build and push with buildx (SBOM + provenance)
 uses: docker/build-push-action@v5
diff --git a/.gitea/workflows/rebuild.yaml b/.gitea/workflows/rebuild.yaml
index dc7852c..e37da6f 100644
--- a/.gitea/workflows/rebuild.yaml
+++ b/.gitea/workflows/rebuild.yaml
@@ -109,6 +109,7 @@ jobs:
 /tmp/image.tar
 echo 'FROM scratch' > /tmp/Dockerfile
 echo 'ADD image.tar /' >> /tmp/Dockerfile
+echo 'USER 65532' >> /tmp/Dockerfile
 
 - name: Build and push with buildx (SBOM + provenance)
 uses: docker/build-push-action@v5
diff --git a/.gitea/workflows/update-check.yaml b/.gitea/workflows/update-check.yaml
index 1d13d78..a228280 100644
--- a/.gitea/workflows/update-check.yaml
+++ b/.gitea/workflows/update-check.yaml
@@ -199,6 +199,7 @@ jobs:
 /tmp/image.tar
 echo 'FROM scratch' > /tmp/Dockerfile
 echo 'ADD image.tar /' >> /tmp/Dockerfile
+echo 'USER 65532' >> /tmp/Dockerfile
 
 - name: Build and push with buildx (SBOM + provenance)
 uses: docker/build-push-action@v5
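Review bot: The added `USER 65532` line pins only a UID; when that UID has no /etc/passwd entry in the image, Docker runs the process with the root group (gid 0), so the appended line should name the group explicitly: `echo 'USER 65532:65532' >> /tmp/Dockerfile`. Whether the apko tarball extracted by `ADD image.tar /` ships a passwd entry for 65532 is not visible here, and the explicit group makes the result independent of that. The commit message itself says the scratch+ADD pattern drops apko's OCI config, of which the run-as user is one field; if the apko config also set entrypoint, cmd, workdir or env (PATH), those are still lost, so passing Scout's non-root check does not by itself mean the published image is runnable as built. The same line is appended identically in rebuild.yaml and update-check.yaml, and the enclosing `run:` block in each workflow begins before the hunk.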