fix(ci): drop runtime UID on dev and dashboard compose services#2156

Merged
imran-siddique merged 1 commit into
microsoft:mainfrom
aegis-initiative:fix/ci-compose-runtime-uid
May 12, 2026

Conversation

@finnoybu

Contributor

Summary

The test service in docker-compose.yml already runs as ${HOST_UID:-1000}:${HOST_GID:-1000}, but dev and dashboard did not. All three services bind-mount the repo at /workspace, and the dev Docker stage does not declare a USER — so any file the dev or dashboard container wrote back to the bind mount (a new file from pip install -e, a dashboard artifact, a git operation inside the container) landed on the host as root.

Change

Apply the same ${HOST_UID:-1000}:${HOST_GID:-1000} pattern to both services so file ownership stays consistent with the test service and with the host user.

  • docker-compose.yml:11 — dev service gets user:
  • docker-compose.yml:42 — dashboard service gets user:

The default of 1000:1000 matches the typical first-created Linux user; hosts with different IDs can override via HOST_UID / HOST_GID env vars before docker compose up.

Verification

  • Diff is two added blocks, no other compose keys touched.
  • docker compose config parses cleanly.
  • After this change, docker compose run dev touch /workspace/foo && ls -l foo on the host shows host-user ownership (was: root).

Surfaced during independent audit conducted by @finnoybu (Ken Tannenbaum, AEGIS Initiative); [LOW, Infrastructure/CI].

The `test` service in docker-compose.yml already runs as
`${HOST_UID:-1000}:${HOST_GID:-1000}`, but `dev` and `dashboard` did
not. Both services bind-mount the repo at `/workspace` and target the
`dev` Docker stage, which does not declare a USER — so anything those
containers wrote back to the bind mount (a new file from `pip install
-e`, a dashboard artifact, a `git` operation inside the container)
landed on the host as root.

Apply the same `${HOST_UID:-1000}:${HOST_GID:-1000}` pattern to both
services so file ownership stays consistent with the `test` service
and with the host user.

The default of `1000:1000` matches the typical first-created Linux
user; hosts with different IDs can override via `HOST_UID` /
`HOST_GID` env vars before `docker compose up`.
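The shape of the change described above, as an added illustration that is not the project's own docker-compose.yml (build context, commands and volume layout are assumed; only the `user:` pattern and the `/workspace` bind mount come from the PR):

```yaml
# Added illustration, not the repository's compose file. The `test` service
# shows the pattern that was already in place; `dev` and `dashboard` show the
# same key added by the PR. Build targets and commands are assumed.
services:
  test:
    build:
      context: .
      target: dev
    # Already present before the PR: the container writes to /workspace as
    # the host user, so files on the bind mount keep host ownership.
    user: "${HOST_UID:-1000}:${HOST_GID:-1000}"
    volumes:
      - .:/workspace
    command: pytest

  dev:
    build:
      context: .
      target: dev          # this stage declares no USER, so it would run as root
    # Before the PR this key was absent: any file written to /workspace
    # (pip install -e, git inside the container) landed on the host as root.
    user: "${HOST_UID:-1000}:${HOST_GID:-1000}"
    volumes:
      - .:/workspace
    command: bash

  dashboard:
    build:
      context: .
      target: dev
    # Same fix applied to the dashboard service.
    user: "${HOST_UID:-1000}:${HOST_GID:-1000}"
    volumes:
      - .:/workspace
    command: python -m dashboard   # assumed entrypoint
```

On a host whose user is not 1000:1000, export the real IDs first (`export HOST_UID=$(id -u) HOST_GID=$(id -g)`) so the compose defaults are overridden before `docker compose up`; the UID need not exist in the image's /etc/passwd for file ownership to be correct, though tools that look up a home directory may then fall back to `/`.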
@github-actions

🤖 AI Agent: docs-sync-checker — Docs Sync

Docs Sync

  • docker-compose.yml -- CHANGELOG missing entry for behavioral changes regarding user ownership in dev and dashboard services.

@github-actions github-actions Bot added the size/XS Extra small PR (< 10 lines) label May 12, 2026
@github-actions

🤖 AI Agent: code-reviewer — View details

TL;DR: 0 blockers, 0 warnings. No issues found. Clean change.

@github-actions

🤖 AI Agent: security-scanner — View details

No security issues found.

@github-actions

🤖 AI Agent: test-generator — View details

Test coverage looks good. No gaps identified.

@github-actions

🤖 AI Agent: breaking-change-detector — View details

No breaking changes detected.

@github-actions


🟡 Contributor Check: MEDIUM

Check Result
Profile MEDIUM
Credential NONE
Overall MEDIUM

Automated check by AGT Contributor Check.

@github-actions github-actions Bot added the needs-review:MEDIUM Contributor check flagged MEDIUM risk label May 12, 2026
@github-actions


PR Review Summary

Check Status Details
🔍 Code Review ✅ Passed No issues found
🛡️ Security Scan ✅ Passed No issues found
🔄 Breaking Changes ✅ Passed No issues found
📝 Docs Sync ✅ Completed Analysis complete
🧪 Test Coverage ✅ Completed Analysis complete

Verdict: ✅ Ready for human review

@imran-siddique imran-siddique merged commit 1ca41a0 into microsoft:main May 12, 2026
13 of 14 checks passed
MohammadHaroonAbuomar pushed a commit to MohammadHaroonAbuomar/agt-acs that referenced this pull request Jun 1, 2026
…osoft#2156)

Labels

needs-review:MEDIUM Contributor check flagged MEDIUM risk size/XS Extra small PR (< 10 lines)
