From e645abeb135068705ca319904723331bcc9e7789 Mon Sep 17 00:00:00 2001
From: HiranoMasaaki
Date: Mon, 2 Mar 2026 13:06:16 +0000
Subject: [PATCH] fix: improve Docker Hub health score

Add supply chain attestations (SBOM + SLSA provenance) to the Docker build
workflow and run the container as a non-root user.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/docker.yml | 2 ++
 docker/Dockerfile            | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 58e16ecf..4d2cbb23 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -71,5 +71,7 @@ jobs:
             perstack/perstack:${{ steps.version.outputs.major_minor }}
             ${{ steps.version.outputs.is_release == 'true' && 'perstack/perstack:latest' || '' }}
             perstack/perstack:sha-${{ github.sha }}
+          sbom: true
+          provenance: mode=max
           cache-from: type=gha
           cache-to: type=gha,mode=max
diff --git a/docker/Dockerfile b/docker/Dockerfile
index f734ba95..32fb6592 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -57,10 +57,14 @@ FROM ubuntu:24.04
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
     ca-certificates curl jq && \
-    rm -rf /var/lib/apt/lists/*
+    rm -rf /var/lib/apt/lists/* && \
+    useradd -m -s /bin/bash perstack
 
 COPY --from=build /app/out/perstack /usr/local/bin/perstack
 
 WORKDIR /workspace
+RUN chown perstack:perstack /workspace
+
+USER perstack
 
 ENTRYPOINT ["perstack"]
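Review bot: `provenance: mode=max` records the full build definition, including every build argument and its value, in the attestation pushed alongside the image, so it is only safe if this step passes no sensitive values through `build-args`; the rest of the step is outside the hunk, so I cannot confirm that. Anything secret should go through the action's `secrets:` input (a BuildKit secret mount), which the provenance does not capture. Enabling `sbom`/`provenance` also turns each pushed tag into an image index with attestation manifests, so consumers that inspect `perstack/perstack:<tag>` expecting a single-platform manifest may need adjusting. A short comment above the two keys, e.g. `# mode=max embeds build args in the provenance; never pass secrets via build-args`, would keep that constraint visible to the next editor.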
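Review bot: `USER perstack` leaves the image with a non-numeric user and `useradd -m -s /bin/bash perstack` takes whatever UID is next free, so runtimes that enforce `runAsNonRoot` (Kubernetes in particular) cannot verify the user is non-root and will refuse to start the container. Pin the identity with a fixed UID, e.g. `useradd --uid 10001 -m -s /bin/bash perstack` and `USER 10001:10001`; the name still resolves for the `chown`. The separate `RUN chown perstack:perstack /workspace` can be folded into the same `RUN` as the `useradd` via `install -d -o perstack -g perstack /workspace` placed before `WORKDIR`, which saves a layer; note that if `/workspace` is volume-mounted at runtime the ownership set here is overridden anyway. Whether the account needs a bash login shell rather than `/usr/sbin/nologin` depends on whether `perstack` spawns shells, which is not visible from the hunk.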