fix(ci): drop runtime UID on dev and dashboard compose services #2156
Merged
imran-siddique merged 1 commit (May 12, 2026)
The `test` service in docker-compose.yml already runs as
`${HOST_UID:-1000}:${HOST_GID:-1000}`, but `dev` and `dashboard` did
not. Both services bind-mount the repo at `/workspace` and target the
`dev` Docker stage, which does not declare a USER — so anything those
containers wrote back to the bind mount (a new file from `pip install
-e`, a dashboard artifact, a `git` operation inside the container)
landed on the host as root.
Apply the same `${HOST_UID:-1000}:${HOST_GID:-1000}` pattern to both
services so file ownership stays consistent with the `test` service
and with the host user.
The default of `1000:1000` matches the typical first-created Linux
user; hosts with different IDs can override via `HOST_UID` /
`HOST_GID` env vars before `docker compose up`.
🤖 AI Agent: docs-sync-checker — Docs Sync
🤖 AI Agent: code-reviewer — TL;DR: 0 blockers, 0 warnings. No issues found. Clean change.
🤖 AI Agent: security-scanner — No security issues found.
🤖 AI Agent: test-generator — Test coverage looks good. No gaps identified.
🤖 AI Agent: breaking-change-detector — No breaking changes detected.
🟡 Contributor Check: MEDIUM (automated check by AGT Contributor Check)
PR Review Summary verdict: ✅ Ready for human review
MohammadHaroonAbuomar pushed a commit to MohammadHaroonAbuomar/agt-acs that referenced this pull request (Jun 1, 2026):
…osoft#2156) The `test` service in docker-compose.yml already runs as `${HOST_UID:-1000}:${HOST_GID:-1000}`, but `dev` and `dashboard` did not. Both services bind-mount the repo at `/workspace` and target the `dev` Docker stage, which does not declare a USER — so anything those containers wrote back to the bind mount (a new file from `pip install -e`, a dashboard artifact, a `git` operation inside the container) landed on the host as root. Apply the same `${HOST_UID:-1000}:${HOST_GID:-1000}` pattern to both services so file ownership stays consistent with the `test` service and with the host user. The default of `1000:1000` matches the typical first-created Linux user; hosts with different IDs can override via `HOST_UID` / `HOST_GID` env vars before `docker compose up`.
Summary
The `test` service in docker-compose.yml already runs as `${HOST_UID:-1000}:${HOST_GID:-1000}`, but `dev` and `dashboard` did not. All three services bind-mount the repo at `/workspace`, and the `dev` Docker stage does not declare a `USER` — so any file the `dev` or `dashboard` container wrote back to the bind mount (a new file from `pip install -e`, a dashboard artifact, a `git` operation inside the container) landed on the host as root.
Change
Apply the same `${HOST_UID:-1000}:${HOST_GID:-1000}` pattern to both services so file ownership stays consistent with the `test` service and with the host user.
docker-compose.yml:11 — `dev` service gets `user:`
docker-compose.yml:42 — `dashboard` service gets `user:`
The default of `1000:1000` matches the typical first-created Linux user; hosts with different IDs can override via `HOST_UID` / `HOST_GID` env vars before `docker compose up`.
Verification
`docker compose config` parses cleanly.
`docker compose run dev touch /workspace/foo && ls -l foo` on the host shows host-user ownership (was: root).
Surfaced during independent audit conducted by @finnoybu (Ken Tannenbaum, AEGIS Initiative); [LOW, Infrastructure/CI].
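As an added example (not code from this PR or from the agt-acs project), the following POSIX shell helpers wrap the two checks a maintainer would want around the `user: ${HOST_UID:-1000}:${HOST_GID:-1000}` pattern: a preflight that resolves `HOST_UID`/`HOST_GID` with the same `1000` defaults the compose file uses and compares them with `id -u`/`id -g`, so a host whose user is not `1000:1000` gets told to export the variables before `docker compose up`; and a post-run audit that lists files under a bind-mounted directory not owned by the host user, which is exactly the root-owned residue the PR describes. The function names and the use of `find ! -user` are assumptions of this example, not anything from the repository.

```shell
#!/bin/sh
# Added example, not part of the PR. Helpers around the compose
# `user: ${HOST_UID:-1000}:${HOST_GID:-1000}` pattern.

# resolve_compose_user [HOST_UID] [HOST_GID]
#   Echo the uid:gid string compose would substitute, applying the same
#   1000 defaults as the docker-compose.yml in the PR. Empty arguments
#   stand in for unset variables.
resolve_compose_user() {
    printf '%s:%s\n' "${1:-1000}" "${2:-1000}"
}

# check_host_ids [HOST_UID] [HOST_GID]
#   Preflight for `docker compose up`: return 0 when the resolved spec
#   matches the invoking host user, 1 otherwise. The failure case is a
#   host whose user is e.g. 1001, where the 1000:1000 default would
#   silently leave bind-mount files owned by a different uid.
check_host_ids() {
    chk_spec=$(resolve_compose_user "$1" "$2")
    chk_want="$(id -u):$(id -g)"
    if [ "$chk_spec" = "$chk_want" ]; then
        return 0
    fi
    printf 'compose user resolves to %s but the host user is %s; ' \
        "$chk_spec" "$chk_want" >&2
    printf 'export HOST_UID=%s HOST_GID=%s before docker compose up\n' \
        "$(id -u)" "$(id -g)" >&2
    return 1
}

# foreign_owned DIR
#   Post-run audit of a bind-mounted directory: print every path under
#   DIR that is not owned by the current uid (root-owned artifacts left
#   by a container that ran without `user:` show up here). Prints
#   nothing when ownership is clean. Numeric uid is used so the check
#   works even where the uid has no passwd entry.
foreign_owned() {
    find "$1" ! -user "$(id -u)" -print
}

# Typical use on a checkout, shown as comments so the file can be sourced:
#   check_host_ids "$HOST_UID" "$HOST_GID" && docker compose up -d
#   foreign_owned /path/to/repo   # after the container has written files
```

The preflight deliberately takes the variable values as arguments rather than reading the environment itself, so it can be exercised against any combination; in a real checkout it would be called as `check_host_ids "$HOST_UID" "$HOST_GID"`. One wrinkle worth knowing when adopting the PR's pattern: a uid with no `/etc/passwd` entry inside the image is fine for file ownership, but tools that look the current user up by name (`whoami`, `ssh`) will complain, so images that need them usually add a matching account in the `dev` stage.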