From 5f96a832e753ca2732b0108c22e5e7cd226e9c29 Mon Sep 17 00:00:00 2001
From: Hongming Wang
Date: Wed, 22 Apr 2026 09:42:02 -0700
Subject: [PATCH] fix(canvas): drop node:20-alpine default user before creating canvas uid 1000
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

publish-canvas-image has been failing on every main push since 2026-04-21 at `addgroup -g 1000 canvas` because node:20-alpine already ships a `node` user/group at uid/gid 1000. Same collision workspace-server/Dockerfile.tenant already fixes with `deluser --remove-home node` before `addgroup`. Copying that pattern here so the workflow goes green again and canvas images publish to ghcr. No runtime behaviour change — canvas still runs as non-root uid 1000.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 canvas/Dockerfile | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/canvas/Dockerfile b/canvas/Dockerfile
index f871bd07..14b28e7f 100644
--- a/canvas/Dockerfile
+++ b/canvas/Dockerfile
@@ -21,6 +21,10 @@ EXPOSE 3000
 ENV PORT=3000
 ENV HOSTNAME="0.0.0.0"
 # Non-root runtime — node image defaults to root, explicitly drop.
-RUN addgroup -g 1000 canvas && adduser -u 1000 -G canvas -s /bin/sh -D canvas
+# node:20-alpine ships with a `node` user at uid/gid 1000; remove it before
+# claiming 1000 for `canvas` so `addgroup -g 1000` doesn't collide.
+RUN deluser --remove-home node 2>/dev/null || true; \
+ delgroup node 2>/dev/null || true; \
+ addgroup -g 1000 canvas && adduser -u 1000 -G canvas -s /bin/sh -D canvas
 USER canvas
 CMD ["node", "server.js"]
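Review bot: The `2>/dev/null || true` on both `deluser` and `delgroup` in the new `RUN` discards every failure, not only "no such user", so if the removal ever stops working the build fails later at `addgroup -g 1000` with the real cause hidden. Guarding on existence keeps the step idempotent while letting genuine errors stop the build: `if id -u node >/dev/null 2>&1; then deluser --remove-home node; fi; \` and `if grep -q '^node:' /etc/group; then delgroup node; fi; \`. Because `canvas` now takes over uid/gid 1000, any files from the base image or earlier layers that were owned by `node` become owned by the runtime user. The lines above this hunk are not visible here, so it is worth confirming that the application files stay root-owned and that only the paths the server must write are handed to `canvas`.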