Merge pull request 'fix(dockerfile-tenant): chown /org-templates to canvas user (!external resolver mkdir EACCES)' (#223) from fix/dockerfile-tenant-org-templates-chown into main

2026-05-10 02:48:07 +00:00 · 2026-05-10 02:48:07 +00:00 · 34cdd8cc43
commit 34cdd8cc43
parent 428c5da8aa e3cc4474ee
1 changed files with 9 additions and 1 deletions
--- a/workspace-server/Dockerfile.tenant
+++ b/workspace-server/Dockerfile.tenant
@ -115,8 +115,16 @@ COPY --from=canvas-builder /canvas/.next/static ./.next/static
 COPY --from=canvas-builder /canvas/public ./public

 COPY workspace-server/entrypoint-tenant.sh /entrypoint.sh
+# /org-templates must be writable by the canvas user — the !external
+# resolver mkdirs <orgBaseDir>/.external-cache/<repo>/<sha>/ on first
+# import to cache cross-repo subtree fetches (org_external.go,
+# internal#77 / task #222). Without this chown the resolver fails with
+# "mkdir cache root: permission denied" and POST /org/import returns
+# 400 "org template expansion failed" for any template that uses
+# !external (e.g. molecule-dev → dev-lead). Caught on staging-cplead-2
+# 2026-05-10 — see internal incident debrief.
 RUN chmod +x /entrypoint.sh && \
-    chown -R canvas:canvas /canvas /platform /memory-plugin /migrations
+    chown -R canvas:canvas /canvas /platform /memory-plugin /migrations /org-templates

 EXPOSE 8080
 # entrypoint.sh starts as root to fix volume perms, then drops to