release: apply startup permission self-heal to published image

Resinat · Resinat · commit 4fd5796a9114 · 2026-03-01T08:45:43.000Z
diff --git a/.github/Dockerfile.release b/.github/Dockerfile.release
@@ -4,7 +4,7 @@ FROM alpine:3.21
 ARG TARGETOS
 ARG TARGETARCH
 
-RUN apk add --no-cache ca-certificates tzdata \
+RUN apk add --no-cache ca-certificates tzdata su-exec \
   && addgroup -S resin \
   && adduser -S -G resin -h /var/lib/resin resin \
   && mkdir -p /var/cache/resin /var/lib/resin /var/log/resin \
@@ -13,9 +13,11 @@ RUN apk add --no-cache ca-certificates tzdata \
 # Copy the pre-built binaries from the GitHub Actions host into the image
 # Buildx provides TARGETOS (linux) and TARGETARCH (amd64 or arm64)
 COPY release-bin/${TARGETOS}/${TARGETARCH}/resin-${TARGETOS}-${TARGETARCH} /usr/local/bin/resin
+COPY docker/entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
 
-USER resin
 EXPOSE 2260
 VOLUME ["/var/cache/resin", "/var/lib/resin", "/var/log/resin"]
 
-ENTRYPOINT ["/usr/local/bin/resin"]
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
+CMD ["/usr/local/bin/resin"]
diff --git a/Dockerfile b/Dockerfile
@@ -30,6 +30,8 @@ RUN CGO_ENABLED=0 go build -trimpath -tags "with_quic with_wireguard with_grpc w
   -o /out/resin ./cmd/resin
 
 FROM alpine:3.21
+# NOTE: Keep this runtime stage in sync with .github/Dockerfile.release.
+# GHCR release images are built from .github/Dockerfile.release, not this file.
 RUN apk add --no-cache ca-certificates tzdata su-exec \
   && addgroup -S resin \
   && adduser -S -G resin -h /var/lib/resin resin \
