Update Dockerfile to use non-root user#735

Merged
CarrotManMatt merged 6 commits into main from container-non-root-user on Mar 25, 2026
Conversation

@CarrotManMatt
Member

This follows standard security best practices to NOT run applications inside docker containers as the root user if possible

Signed-off-by: Matt Norton <matt@carrotmanmatt.com>
@CarrotManMatt CarrotManMatt self-assigned this Mar 20, 2026
@CarrotManMatt CarrotManMatt added the deployment Changes to the deployment or CI/CD configuration label Mar 20, 2026
@codecov

codecov bot commented Mar 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

@CarrotManMatt CarrotManMatt added the sync Request bots to automatically keep this PR up to date with its base branch label Mar 20, 2026
Contributor

Copilot AI left a comment

Pull request overview

Updates the container build to run the application as a non-root user in the final runtime image, aligning the Docker image with common container security best practices.

Changes:

  • Create a dedicated nonroot system user/group in the runtime stage and switch execution to that user.
  • Change ownership of /app contents when copying from the builder stage to match the non-root user.
  • Adjust the uv sync invocation in the builder stage (lock/frozen behavior).

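The three changes the review lists (dedicated system user, `--chown` on the copy from the builder stage, `uv sync --frozen`) in one added example Dockerfile; this is not the project's own Dockerfile, and the base image, the uid/gid, the uv image used to obtain the binary, and the entrypoint module are assumptions:

```dockerfile
# Added example, not the project's Dockerfile. Base image, uid/gid 10001,
# the uv source image and the entrypoint module are assumptions.
FROM python:3.13-slim AS builder
# Assumed source for the uv binary (the official astral-sh image).
COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
WORKDIR /app
COPY pyproject.toml uv.lock ./
# --frozen installs exactly what uv.lock records and skips re-checking
# pyproject.toml, so the build fails loudly if the lockfile is missing
# rather than silently resolving new versions.
RUN uv sync --frozen --no-dev --no-install-project
COPY . .
RUN uv sync --frozen --no-dev

FROM python:3.13-slim AS runtime
# Dedicated system user/group: fixed uid/gid so volume permissions are
# predictable, no home directory, no login shell.
RUN groupadd --system --gid 10001 nonroot \
    && useradd --system --uid 10001 --gid nonroot \
       --no-create-home --shell /usr/sbin/nologin nonroot
WORKDIR /app
# Copy the built environment with ownership set to the runtime user, so the
# process can read its own files without needing root (and anything it must
# write is limited to what it owns).
COPY --from=builder --chown=nonroot:nonroot /app /app
ENV PATH="/app/.venv/bin:$PATH"
# Every instruction after this line, and the container process itself,
# runs as the unprivileged user.
USER nonroot
# Assumed entrypoint module name.
ENTRYPOINT ["python", "-m", "app"]
```

A quick check after building is `docker run --rm --entrypoint id <image>`, which should report uid 10001 (nonroot) rather than uid 0.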

The dependencies should be synced with `--frozen` not `--locked` because they are already locked in the `uv.lock` file and the `pyproject.toml` does not need checking.

See https://docs.astral.sh/uv/reference/cli/#uv-sync

Signed-off-by: Matt Norton <matt@carrotmanmatt.com>
@CarrotManMatt CarrotManMatt merged commit 55b5604 into main Mar 25, 2026
13 checks passed
@CarrotManMatt CarrotManMatt deleted the container-non-root-user branch March 25, 2026 16:32