Skip to content

Update internal repo to support non-root user scenario #3713

Description

@aaronburtle

Related to: #3514

Background

Public PR #3520 restructured the sample Dockerfile into a multi-target build with two runtime variants:

  • runtime (default / last stage) — runs as root, backwards-compatible with today's published image.
  • runtime-nonroot (opt-in via --target runtime-nonroot) — runs as USER $APP_UID (UID 1654), satisfies scanners (e.g. Checkmarx One) that require a non-root Config.User.

The public Dockerfile is only a customer sample. The image we actually publish is built from the internal repo, which has its own Dockerfile + release pipeline YAML — both need updating to publish the second tag.

Tasks

  • Update the internal Dockerfile to match Add non-root variant to Dockerfile for dual image publishing #3520 (multi-stage runtime-baseruntime / runtime-nonroot, USER $APP_UID, non-recursive chown $APP_UID:$APP_UID /App/logs).
  • Update the pipeline to build + push both images: root (:<version>, :latest) and non-root (--target runtime-nonroot:<version>-nonroot, :latest-nonroot).
  • Run signing, SBOM/manifest, and registry push for both tags.
  • Point the container scan gate at the -nonroot image.
  • Update release notes / image README with the two variants and non-root consumer caveats.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions