Fix docker push for non-forks (#1499)

* fix fork check * minor docker tweaks * remove caching * try not chowinng * fix chowns * revert build.sh * fix entrypoint user * change message * remove free disk space * chown the entrypoint * remove comments * empty commit
2025-12-26 05:48:36 +08:00 · 2024-05-01 22:15:12 -04:00 · 2024-05-01 22:15:12 -04:00 · cfef3ee5c4
commit cfef3ee5c4
parent 435f47ca0e
3 changed files with 11 additions and 38 deletions
--- a/.github/workflows/ghcr.yml
+++ b/.github/workflows/ghcr.yml
@ -42,29 +42,13 @@ jobs:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - name: Free Disk Space (Ubuntu)
-        uses: jlumbroso/free-disk-space@main
-        with:
-          # this might remove tools that are actually needed,
-          # if set to "true" but frees about 6 GB
-          tool-cache: true
-
-          # all of these default to true, but feel free to set to
-          # "false" if necessary for your workflow
-          android: true
-          dotnet: true
-          haskell: true
-          large-packages: true
-          docker-images: false
-          swap-storage: true
-
      - name: Build and push ${{ matrix.image }}
-        if: github.event.pull_request.head.repo.full_name == github.repository
+        if: "!github.event.pull_request.head.repo.fork"
        run: |
          ./containers/build.sh ${{ matrix.image }} ${{ github.repository_owner }} --push

      - name: Build ${{ matrix.image }}
-        if: github.event.pull_request.head.repo.full_name != github.repository
+        if: "github.event.pull_request.head.repo.fork"
        run: |
          ./containers/build.sh ${{ matrix.image }} ${{ github.repository_owner }}

--- a/containers/app/Dockerfile
+++ b/containers/app/Dockerfile
@ -5,7 +5,7 @@ WORKDIR /app

 COPY ./frontend/package.json frontend/package-lock.json ./
 RUN npm install -g npm@10.5.1
-RUN npm install
+RUN npm ci

 COPY ./frontend ./
 RUN npm run make-i18n && npm run build
@ -43,7 +43,7 @@ RUN mkdir -p $WORKSPACE_BASE
 RUN apt-get update -y \
    && apt-get install -y curl ssh sudo

-RUN useradd -m -u $SANDBOX_USER_ID -s /bin/bash opendevin && \
+RUN useradd -l -m -u $SANDBOX_USER_ID -s /bin/bash opendevin && \
    usermod -aG sudo opendevin && \
    echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
 RUN chown -R opendevin:opendevin /app
@ -53,30 +53,19 @@ ENV VIRTUAL_ENV=/app/.venv \
    PATH="/app/.venv/bin:$PATH" \
    PYTHONPATH='/app'

-COPY --from=backend-builder ${VIRTUAL_ENV} ${VIRTUAL_ENV}
-# change ownership of the virtual environment to the sandbox user
+COPY --chown=opendevin --from=backend-builder ${VIRTUAL_ENV} ${VIRTUAL_ENV}
 USER root
 RUN chown -R opendevin:opendevin ${VIRTUAL_ENV}
 USER opendevin

-COPY ./opendevin ./opendevin
-COPY ./agenthub ./agenthub
+COPY --chown=opendevin ./opendevin ./opendevin
+COPY --chown=opendevin ./agenthub ./agenthub
 RUN python opendevin/download.py # No-op to download assets
 RUN playwright install --with-deps chromium

-COPY --from=frontend-builder /app/dist ./frontend/dist
+COPY --chown=opendevin --from=frontend-builder /app/dist ./frontend/dist
+
+COPY --chown=opendevin ./containers/app/entrypoint.sh /app/entrypoint.sh

 USER root
-RUN chown -R opendevin:opendevin /app
-# make group permissions the same as user permissions
-RUN chmod -R g=u /app
-USER opendevin
-
-# change ownership of the app directory to the sandbox user
-COPY ./containers/app/entrypoint.sh /app/entrypoint.sh
-
-# run the script as root
-USER root
-RUN chown opendevin:opendevin /app/entrypoint.sh
-RUN chmod 777 /app/entrypoint.sh
 CMD ["/app/entrypoint.sh"]
--- a/containers/app/entrypoint.sh
+++ b/containers/app/entrypoint.sh
@ -1,7 +1,7 @@
 #!/bin/bash
 # check user is root
 if [ "$(id -u)" -ne 0 ]; then
-  echo "Please run as root"
+  echo "The OpenDevin entrypoint.sh must run as root"
  exit 1
 fi