diff --git a/buildkit/convert.go b/buildkit/convert.go index ac3dc5ae7..50e0995f5 100644 --- a/buildkit/convert.go +++ b/buildkit/convert.go @@ -79,6 +79,7 @@ func ConvertPlanToLLB(plan *p.BuildPlan, opts ConvertPlanOptions) (*llb.State, * WorkingDir: WorkingDir, Entrypoint: []string{"/bin/bash", "-c"}, Cmd: []string{startCommand}, + User: plan.Deploy.User, }, } diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_bun-pnpm_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_bun-pnpm_1.snap.json index d20558f26..1b928b7fd 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_bun-pnpm_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_bun-pnpm_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -51,6 +51,7 @@ } ], "startCommand": "pnpm run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -173,6 +174,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_config-file_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_config-file_1.snap.json index b17819c5b..f2476cc83 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_config-file_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_config-file_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -51,6 +51,7 @@ } ], "startCommand": "python --version \u0026\u0026 neofetch $HELLO", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", 
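Review bot: `User: plan.Deploy.User` is written into the image config with no check, so a plan whose deploy user is empty would presumably still produce an image that starts as root, the usual result of an unset user in an OCI image config. If non-root is meant to be the default, say so at this line, e.g. `// Empty User means the container starts as root; prefer a numeric UID so runAsNonRoot-style checks can verify it.`, or reject or default an empty value before the config is built. The snapshot hunks in this diff also show `chown -R 1001:1001 /app` running in `setup:user`, which is the deploy base, so files copied in afterwards from the deploy inputs may remain root-owned; it is worth confirming that the copy path sets ownership, which is not visible here. ConvertPlanToLLB starts and ends outside this hunk.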
@@ -193,6 +194,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_cpp-cmake_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_cpp-cmake_1.snap.json index fe8b39054..4eae82563 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_cpp-cmake_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_cpp-cmake_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -11,7 +11,8 @@ "step": "build" } ], - "startCommand": "/build/cpp-cmake" + "startCommand": "/build/cpp-cmake", + "user": "1001" }, "steps": [ { @@ -73,6 +74,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_cpp-meson_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_cpp-meson_1.snap.json index d4b9a79a4..eee74adae 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_cpp-meson_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_cpp-meson_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { 
@@ -11,7 +11,8 @@ "step": "build" } ], - "startCommand": "/build/cpp-meson" + "startCommand": "/build/cpp-meson", + "user": "1001" }, "steps": [ { @@ -73,6 +74,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_deno-2_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_deno-2_1.snap.json index fa3c1ace3..b5c428e17 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_deno-2_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_deno-2_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -22,7 +22,8 @@ "step": "build" } ], - "startCommand": "deno run --allow-all main.ts" + "startCommand": "deno run --allow-all main.ts", + "user": "1001" }, "steps": [ { @@ -78,6 +79,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_dockerignore_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_dockerignore_1.snap.json index 94144fbc8..ee76042d5 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_dockerignore_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_dockerignore_1.snap.json 
@@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -11,7 +11,8 @@ "step": "build" } ], - "startCommand": "sh start.sh" + "startCommand": "sh start.sh", + "user": "1001" }, "steps": [ { @@ -60,6 +61,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_dotnet-api_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_dotnet-api_1.snap.json index 2f58cd7e6..7ca138215 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_dotnet-api_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_dotnet-api_1.snap.json @@ -11,7 +11,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -28,6 +28,7 @@ } ], "startCommand": "ASPNETCORE_URLS=http://0.0.0.0:${PORT:-3000} ./out/csharp-api", + "user": "1001", "variables": { "ASPNETCORE_CONTENTROOT": "/app/out", "ASPNETCORE_ENVIRONMENT": "Production", @@ -157,6 +158,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_dotnet-cli_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_dotnet-cli_1.snap.json index 2df6fa381..959ffc796 100755 
--- a/core/__snapshots__/TestGenerateBuildPlanForExamples_dotnet-cli_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_dotnet-cli_1.snap.json @@ -11,7 +11,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -28,6 +28,7 @@ } ], "startCommand": "ASPNETCORE_URLS=http://0.0.0.0:${PORT:-3000} ./out/csharp-cli", + "user": "1001", "variables": { "ASPNETCORE_CONTENTROOT": "/app/out", "ASPNETCORE_ENVIRONMENT": "Production", @@ -157,6 +158,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_elixir-ecto_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_elixir-ecto_1.snap.json index 6ea0bec78..6ee147192 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_elixir-ecto_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_elixir-ecto_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -12,6 +12,7 @@ } ], "startCommand": "/app/_build/prod/rel/friends/bin/friends start", + "user": "1001", "variables": { "ELIXIR_ERL_OPTIONS": "+fnu", "LANG": "en_US.UTF-8", 
@@ -163,6 +164,20 @@ "MIX_ENV": "prod", "MIX_HOME": "/root/.mix" } + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_elixir-latest_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_elixir-latest_1.snap.json index 78cb0c170..2414e21ea 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_elixir-latest_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_elixir-latest_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -12,6 +12,7 @@ } ], "startCommand": "/app/_build/prod/rel/friends/bin/friends start", + "user": "1001", "variables": { "ELIXIR_ERL_OPTIONS": "+fnu", "LANG": "en_US.UTF-8", @@ -167,6 +168,20 @@ "MIX_ENV": "prod", "MIX_HOME": "/root/.mix" } + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_elixir-phoenix_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_elixir-phoenix_1.snap.json index 87cfaf920..d9613661f 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_elixir-phoenix_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_elixir-phoenix_1.snap.json 
@@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -12,6 +12,7 @@ } ], "startCommand": "/app/_build/prod/rel/hello/bin/hello start", + "user": "1001", "variables": { "ELIXIR_ERL_OPTIONS": "+fnu", "LANG": "en_US.UTF-8", @@ -173,6 +174,20 @@ "MIX_ENV": "prod", "MIX_HOME": "/root/.mix" } + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_gleam-custom-version_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_gleam-custom-version_1.snap.json index 67e1537d2..f14c844ec 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_gleam-custom-version_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_gleam-custom-version_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -21,7 +21,8 @@ "step": "build" } ], - "startCommand": "./build/erlang-shipment/entrypoint.sh run" + "startCommand": "./build/erlang-shipment/entrypoint.sh run", + "user": "1001" }, "steps": [ { @@ -117,6 +118,20 @@ "MISE_INSTALLS_DIR": "/mise/installs", "MISE_SHIMS_DIR": "/mise/shims" } + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file 
diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_gleam-include-source_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_gleam-include-source_1.snap.json index 7d6862447..90df27425 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_gleam-include-source_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_gleam-include-source_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -21,7 +21,8 @@ "step": "build" } ], - "startCommand": "./build/erlang-shipment/entrypoint.sh run" + "startCommand": "./build/erlang-shipment/entrypoint.sh run", + "user": "1001" }, "steps": [ { @@ -109,6 +110,20 @@ "MISE_INSTALLS_DIR": "/mise/installs", "MISE_SHIMS_DIR": "/mise/shims" } + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_gleam_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_gleam_1.snap.json index 7d6862447..90df27425 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_gleam_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_gleam_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -21,7 +21,8 @@ "step": "build" } ], - "startCommand": "./build/erlang-shipment/entrypoint.sh run" + "startCommand": "./build/erlang-shipment/entrypoint.sh run", + "user": "1001" }, "steps": [ { 
@@ -109,6 +110,20 @@ "MISE_INSTALLS_DIR": "/mise/installs", "MISE_SHIMS_DIR": "/mise/shims" } + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_go-cmd-dirs_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_go-cmd-dirs_1.snap.json index 9634ceb4a..a973e0929 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_go-cmd-dirs_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_go-cmd-dirs_1.snap.json @@ -15,7 +15,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -25,7 +25,8 @@ "step": "build" } ], - "startCommand": "./out" + "startCommand": "./out", + "user": "1001" }, "steps": [ { @@ -141,6 +142,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_go-mod_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_go-mod_1.snap.json index 5234b2536..13bdfa170 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_go-mod_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_go-mod_1.snap.json @@ -15,7 +15,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { 
@@ -25,7 +25,8 @@ "step": "build" } ], - "startCommand": "./out" + "startCommand": "./out", + "user": "1001" }, "steps": [ { @@ -141,6 +142,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_go-workspaces_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_go-workspaces_1.snap.json index 6d5ec32e8..8bfcf331c 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_go-workspaces_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_go-workspaces_1.snap.json @@ -15,7 +15,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -25,7 +25,8 @@ "step": "build" } ], - "startCommand": "./out" + "startCommand": "./out", + "user": "1001" }, "steps": [ { @@ -141,6 +142,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_java-gradle_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_java-gradle_1.snap.json index b5b95552e..cabbff36b 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_java-gradle_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_java-gradle_1.snap.json 
@@ -7,7 +7,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -27,7 +27,8 @@ "step": "build" } ], - "startCommand": "java $JAVA_OPTS -jar $(ls -1 */build/libs/*jar | grep -v plain)" + "startCommand": "java $JAVA_OPTS -jar $(ls -1 */build/libs/*jar | grep -v plain)", + "user": "1001" }, "steps": [ { @@ -118,6 +119,20 @@ "MISE_INSTALLS_DIR": "/mise/installs", "MISE_SHIMS_DIR": "/mise/shims" } + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_java-maven_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_java-maven_1.snap.json index ae368014a..3bb3b10b2 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_java-maven_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_java-maven_1.snap.json @@ -7,7 +7,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -27,7 +27,8 @@ "step": "build" } ], - "startCommand": "java $JAVA_OPTS -jar target/*jar" + "startCommand": "java $JAVA_OPTS -jar target/*jar", + "user": "1001" }, "steps": [ { @@ -118,6 +119,20 @@ "MISE_INSTALLS_DIR": "/mise/installs", "MISE_SHIMS_DIR": "/mise/shims" } + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file 
diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_java-zulu-version_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_java-zulu-version_1.snap.json index ae368014a..3bb3b10b2 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_java-zulu-version_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_java-zulu-version_1.snap.json @@ -7,7 +7,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -27,7 +27,8 @@ "step": "build" } ], - "startCommand": "java $JAVA_OPTS -jar target/*jar" + "startCommand": "java $JAVA_OPTS -jar target/*jar", + "user": "1001" }, "steps": [ { @@ -118,6 +119,20 @@ "MISE_INSTALLS_DIR": "/mise/installs", "MISE_SHIMS_DIR": "/mise/shims" } + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_mise-config_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_mise-config_1.snap.json index d09ac610f..0b91d04f6 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_mise-config_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_mise-config_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -51,6 +51,7 @@ } ], "startCommand": "npm run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", 
@@ -166,6 +167,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-angular_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-angular_1.snap.json index 34cc84ddc..ccc888dd8 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-angular_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-angular_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -42,6 +42,7 @@ } ], "startCommand": "caddy run --config /Caddyfile --adapter caddyfile 2\u003e\u00261", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -207,6 +208,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-astro-server_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-astro-server_1.snap.json index ede8a1fec..9afe34c34 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-astro-server_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-astro-server_1.snap.json @@ -23,7 +23,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { 
@@ -55,6 +55,7 @@ } ], "startCommand": "pnpm run start", + "user": "1001", "variables": { "CI": "true", "HOST": "0.0.0.0", @@ -185,6 +186,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-astro_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-astro_1.snap.json index c61988790..d56f735ad 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-astro_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-astro_1.snap.json @@ -23,7 +23,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -46,6 +46,7 @@ } ], "startCommand": "caddy run --config /Caddyfile --adapter caddyfile 2\u003e\u00261", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -212,6 +213,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-bun-bunfig_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-bun-bunfig_1.snap.json index aa04e33d6..810772420 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-bun-bunfig_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-bun-bunfig_1.snap.json 
@@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -51,6 +51,7 @@ } ], "startCommand": "bun index.ts", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -170,6 +171,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-bun-no-deps_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-bun-no-deps_1.snap.json index 2e33cbb6c..6286ec8d8 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-bun-no-deps_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-bun-no-deps_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -51,6 +51,7 @@ } ], "startCommand": "bun run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -162,6 +163,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-bun-workspaces_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-bun-workspaces_1.snap.json index df8ecd7d9..119bbd9aa 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-bun-workspaces_1.snap.json 
+++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-bun-workspaces_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -51,6 +51,7 @@ } ], "startCommand": "bun index.ts", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -174,6 +175,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-bun_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-bun_1.snap.json index 17f80f8cd..8a4b4438e 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-bun_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-bun_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -51,6 +51,7 @@ } ], "startCommand": "bun index.ts", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -171,6 +172,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-corepack_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-corepack_1.snap.json index e65f0589c..d9ae26d65 100755 
--- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-corepack_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-corepack_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -52,6 +52,7 @@ } ], "startCommand": "pnpm run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -181,6 +182,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-cra_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-cra_1.snap.json index 47fefab36..b28e08028 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-cra_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-cra_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -42,6 +42,7 @@ } ], "startCommand": "caddy run --config /Caddyfile --adapter caddyfile 2\u003e\u00261", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -207,6 +208,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file 
diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-latest-npm-native-deps_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-latest-npm-native-deps_1.snap.json index 709a95805..d8d7d20d4 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-latest-npm-native-deps_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-latest-npm-native-deps_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -52,6 +52,7 @@ } ], "startCommand": "npm run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -176,6 +177,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-latest-pnpm-mise-native-deps_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-latest-pnpm-mise-native-deps_1.snap.json index 53dc4584f..f31c1f731 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-latest-pnpm-mise-native-deps_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-latest-pnpm-mise-native-deps_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -51,6 +51,7 @@ } ], "startCommand": "pnpm run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", 
@@ -181,6 +182,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-next_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-next_1.snap.json index 4efa3ccca..b68378597 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-next_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-next_1.snap.json @@ -23,7 +23,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -55,6 +55,7 @@ } ], "startCommand": "npm run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -179,6 +180,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-npm-install-in-build_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-npm-install-in-build_1.snap.json index 64ec199cd..5b9b80403 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-npm-install-in-build_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-npm-install-in-build_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { 
@@ -51,6 +51,7 @@ } ], "startCommand": "npm run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -169,6 +170,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-npm-workspaces_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-npm-workspaces_1.snap.json index 5b678d43a..4fa7c9176 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-npm-workspaces_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-npm-workspaces_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -52,6 +52,7 @@ } ], "startCommand": "npm run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -188,6 +189,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-npm_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-npm_1.snap.json index a3f01ce10..292edf1da 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-npm_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-npm_1.snap.json 
@@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -51,6 +51,7 @@ } ], "startCommand": "npm run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -166,6 +167,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-nuxt_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-nuxt_1.snap.json index f9a5081b1..1ac0502de 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-nuxt_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-nuxt_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -51,6 +51,7 @@ } ], "startCommand": "node .output/server/index.mjs", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -169,6 +170,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-oldest_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-oldest_1.snap.json index d8164a2ac..f5edc86e4 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-oldest_1.snap.json 
+++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-oldest_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -51,6 +51,7 @@ } ], "startCommand": "npm run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -166,6 +167,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-pnpm-engines_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-pnpm-engines_1.snap.json index 24f24e8f3..5aa554f80 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-pnpm-engines_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-pnpm-engines_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -51,6 +51,7 @@ } ], "startCommand": "pnpm run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -169,6 +170,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-pnpm-workspaces_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-pnpm-workspaces_1.snap.json index 6da20a3cf..c3e25c4a1 100755 
--- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-pnpm-workspaces_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-pnpm-workspaces_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -51,6 +51,7 @@ } ], "startCommand": "pnpm run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -193,6 +194,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-prisma_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-prisma_1.snap.json index 71b217718..26fc92be0 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-prisma_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-prisma_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -51,6 +51,7 @@ } ], "startCommand": "npm run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -175,6 +176,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file 
diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-puppeteer_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-puppeteer_1.snap.json index 007c22edf..f6c1836f5 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-puppeteer_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-puppeteer_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -51,6 +51,7 @@ } ], "startCommand": "node index.js", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -166,6 +167,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-remix_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-remix_1.snap.json index 4a89cee2f..958ea75bd 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-remix_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-remix_1.snap.json @@ -27,7 +27,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -59,6 +59,7 @@ } ], "startCommand": "npm run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", 
@@ -181,6 +182,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-svelte-kit_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-svelte-kit_1.snap.json index a81ca8058..bb6d8a31c 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-svelte-kit_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-svelte-kit_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -50,6 +50,7 @@ "step": "build" } ], + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -175,6 +176,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-tanstack-start_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-tanstack-start_1.snap.json index 3b19951c0..0f2689800 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-tanstack-start_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-tanstack-start_1.snap.json @@ -23,7 +23,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { 
@@ -55,6 +55,7 @@ } ], "startCommand": "bun run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -176,6 +177,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-turborepo_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-turborepo_1.snap.json index 7215f6f59..57614056d 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-turborepo_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-turborepo_1.snap.json @@ -23,7 +23,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -56,6 +56,7 @@ } ], "startCommand": "npm run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -210,6 +211,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-react-router-spa_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-react-router-spa_1.snap.json index 1e558b459..d47899654 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-react-router-spa_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-react-router-spa_1.snap.json 
@@ -27,7 +27,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -50,6 +50,7 @@ } ], "startCommand": "caddy run --config /Caddyfile --adapter caddyfile 2\u003e\u00261", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -230,6 +231,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-react-router-ssr_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-react-router-ssr_1.snap.json index 15faeb4e3..768e75e1a 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-react-router-ssr_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-react-router-ssr_1.snap.json @@ -27,7 +27,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -59,6 +59,7 @@ } ], "startCommand": "pnpm run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -194,6 +195,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-react_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-react_1.snap.json index 2c8ee768b..e7129dd3c 100755 
--- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-react_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-react_1.snap.json @@ -23,7 +23,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -46,6 +46,7 @@ } ], "startCommand": "caddy run --config /Caddyfile --adapter caddyfile 2\u003e\u00261", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -212,6 +213,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-svelte_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-svelte_1.snap.json index 6136b3dc4..d7eec8345 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-svelte_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-svelte_1.snap.json @@ -23,7 +23,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -46,6 +46,7 @@ } ], "startCommand": "caddy run --config /Caddyfile --adapter caddyfile 2\u003e\u00261", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -219,6 +220,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file 
diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-vanilla_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-vanilla_1.snap.json index 3340b3dba..74a13fa7b 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-vanilla_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-vite-vanilla_1.snap.json @@ -23,7 +23,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -46,6 +46,7 @@ } ], "startCommand": "caddy run --config /Caddyfile --adapter caddyfile 2\u003e\u00261", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -212,6 +213,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-1_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-1_1.snap.json index dcc94d957..4dec33b26 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-1_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-1_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -52,6 +52,7 @@ } ], "startCommand": "yarn run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", 
@@ -201,6 +202,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-2-node-linker_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-2-node-linker_1.snap.json index db268c584..0fbc54a31 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-2-node-linker_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-2-node-linker_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -53,6 +53,7 @@ } ], "startCommand": "yarn run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -172,6 +173,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-2_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-2_1.snap.json index 681c2e29e..2213daaae 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-2_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-2_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { 
@@ -52,6 +52,7 @@ } ], "startCommand": "yarn run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -183,6 +184,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-3_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-3_1.snap.json index 891233c63..428027359 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-3_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-3_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -53,6 +53,7 @@ } ], "startCommand": "yarn run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -190,6 +191,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-4_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-4_1.snap.json index 6b4630925..8b5969237 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-4_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-4_1.snap.json 
@@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -53,6 +53,7 @@ } ], "startCommand": "yarn run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -182,6 +183,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-workspaces_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-workspaces_1.snap.json index a918e3214..af1d0e1d4 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-workspaces_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_node-yarn-workspaces_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -53,6 +53,7 @@ } ], "startCommand": "yarn run start", + "user": "1001", "variables": { "CI": "true", "NODE_ENV": "production", @@ -185,6 +186,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_php-laravel-11-react_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_php-laravel-11-react_1.snap.json index 5734ac9d4..03de08567 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_php-laravel-11-react_1.snap.json 
+++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_php-laravel-11-react_1.snap.json @@ -27,7 +27,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -46,7 +46,8 @@ "step": "build" } ], - "startCommand": "/start-container.sh" + "startCommand": "/start-container.sh", + "user": "1001" }, "steps": [ { @@ -321,6 +322,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_php-laravel-12-react_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_php-laravel-12-react_1.snap.json index df49c41a1..14450a0c0 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_php-laravel-12-react_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_php-laravel-12-react_1.snap.json @@ -27,7 +27,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -46,7 +46,8 @@ "step": "build" } ], - "startCommand": "/start-container.sh" + "startCommand": "/start-container.sh", + "user": "1001" }, "steps": [ { @@ -321,6 +322,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file 
diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_php-vanilla-82_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_php-vanilla-82_1.snap.json index fec0ae26d..12bc9eeda 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_php-vanilla-82_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_php-vanilla-82_1.snap.json @@ -7,9 +7,10 @@ }, "deploy": { "base": { - "step": "build" + "step": "setup:user" }, - "startCommand": "/start-container.sh" + "startCommand": "/start-container.sh", + "user": "1001" }, "steps": [ { @@ -125,6 +126,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "build" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_php-vanilla_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_php-vanilla_1.snap.json index fef86ac20..c98aeed03 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_php-vanilla_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_php-vanilla_1.snap.json @@ -1,9 +1,10 @@ { "deploy": { "base": { - "step": "build" + "step": "setup:user" }, - "startCommand": "/start-container.sh" + "startCommand": "/start-container.sh", + "user": "1001" }, "steps": [ { @@ -102,6 +103,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "build" + } + ], + "name": "setup:user" } ] } \ No newline at end of file 
diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-bot-only_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-bot-only_1.snap.json index a4894af53..c855f3c54 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-bot-only_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-bot-only_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -28,6 +28,7 @@ } ], "startCommand": "python bot.py", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -94,6 +95,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-compiled_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-compiled_1.snap.json index 91c24bb04..c12cf5caf 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-compiled_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-compiled_1.snap.json @@ -7,7 +7,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -37,6 +37,7 @@ } ], "startCommand": "python main.py", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", 
@@ -139,6 +140,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-django_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-django_1.snap.json index 9cc1a1e6e..dfebc9eef 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-django_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-django_1.snap.json @@ -15,7 +15,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -45,6 +45,7 @@ } ], "startCommand": "python manage.py migrate \u0026\u0026 gunicorn --bind 0.0.0.0:${PORT:-8000} mysite.wsgi:application", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -191,6 +192,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-fastapi_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-fastapi_1.snap.json index 196277fc6..fd9acc437 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-fastapi_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-fastapi_1.snap.json 
@@ -7,7 +7,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -37,6 +37,7 @@ } ], "startCommand": "uvicorn main:app --host 0.0.0.0 --port ${PORT:-8000}", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -143,6 +144,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-fasthtml_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-fasthtml_1.snap.json index 2417c9f1f..b55eb2022 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-fasthtml_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-fasthtml_1.snap.json @@ -7,7 +7,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -37,6 +37,7 @@ } ], "startCommand": "uvicorn main:app --host 0.0.0.0 --port ${PORT:-8000}", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -131,6 +132,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file 
diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-flask_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-flask_1.snap.json index cc190e2fc..1a65e6e30 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-flask_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-flask_1.snap.json @@ -7,7 +7,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -37,6 +37,7 @@ } ], "startCommand": "gunicorn --bind 0.0.0.0:${PORT:-8000} main:app", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -131,6 +132,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-freethreaded_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-freethreaded_1.snap.json index d1d05e0a8..723d153fd 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-freethreaded_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-freethreaded_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -28,6 +28,7 @@ } ], "startCommand": "python main.py", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", 
@@ -98,6 +99,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-latest-psycopg_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-latest-psycopg_1.snap.json index 293427e0b..e224b8414 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-latest-psycopg_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-latest-psycopg_1.snap.json @@ -15,7 +15,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -45,6 +45,7 @@ } ], "startCommand": "python main.py", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -191,6 +192,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-latest_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-latest_1.snap.json index d1d05e0a8..723d153fd 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-latest_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-latest_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { 
@@ -28,6 +28,7 @@ } ], "startCommand": "python main.py", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -98,6 +99,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-oldest_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-oldest_1.snap.json index d1d05e0a8..723d153fd 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-oldest_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-oldest_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -28,6 +28,7 @@ } ], "startCommand": "python main.py", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -98,6 +99,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-pdm_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-pdm_1.snap.json index bdb38f494..02ae91d98 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-pdm_1.snap.json 
+++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-pdm_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -31,6 +31,7 @@ } ], "startCommand": "python main.py", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -125,6 +126,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-pip_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-pip_1.snap.json index 583dac0f3..76b377612 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-pip_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-pip_1.snap.json @@ -7,7 +7,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -37,6 +37,7 @@ } ], "startCommand": "python app.py", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -135,6 +136,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file 
diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-pipfile_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-pipfile_1.snap.json index afd4441b8..01b7358c1 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-pipfile_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-pipfile_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -31,6 +31,7 @@ } ], "startCommand": "python main.py", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -127,6 +128,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-poetry_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-poetry_1.snap.json index afffc0f18..e57ba6aad 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-poetry_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-poetry_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -31,6 +31,7 @@ } ], "startCommand": "poetry run python main.py", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", 
@@ -127,6 +128,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-psycopg-binary_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-psycopg-binary_1.snap.json index 52619b323..3a7bff69a 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-psycopg-binary_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-psycopg-binary_1.snap.json @@ -7,7 +7,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -37,6 +37,7 @@ } ], "startCommand": "python main.py", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -147,6 +148,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-system-deps_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-system-deps_1.snap.json index 2021bcce6..a23450b46 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-system-deps_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-system-deps_1.snap.json 
@@ -15,7 +15,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -45,6 +45,7 @@ } ], "startCommand": "python main.py", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -179,6 +180,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv-packaged_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv-packaged_1.snap.json index f4a881574..333afc016 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv-packaged_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv-packaged_1.snap.json @@ -7,7 +7,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -37,6 +37,7 @@ } ], "startCommand": "python-uv-packaged", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -147,6 +148,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv-tool-versions_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv-tool-versions_1.snap.json index 26f4a983e..0aba2ac8c 100755 
--- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv-tool-versions_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv-tool-versions_1.snap.json @@ -7,7 +7,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -37,6 +37,7 @@ } ], "startCommand": "python main.py", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -147,6 +148,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv-workspace-postgres_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv-workspace-postgres_1.snap.json index 4362cd82f..8ad32ee59 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv-workspace-postgres_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv-workspace-postgres_1.snap.json @@ -15,7 +15,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -45,6 +45,7 @@ } ], "startCommand": "python main.py", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -185,6 +186,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file 
diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv-workspace_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv-workspace_1.snap.json index c0a16051b..5b64b9e2f 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv-workspace_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv-workspace_1.snap.json @@ -7,7 +7,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -37,6 +37,7 @@ } ], "startCommand": "python main.py", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", @@ -145,6 +146,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv_1.snap.json index d69325a69..46e3abb36 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_python-uv_1.snap.json @@ -7,7 +7,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -37,6 +37,7 @@ } ], "startCommand": "gunicorn --bind 0.0.0.0:${PORT:-8000} main:app", + "user": "1001", "variables": { "PIP_DEFAULT_TIMEOUT": "100", "PIP_DISABLE_PIP_VERSION_CHECK": "1", 
@@ -147,6 +148,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_railpack-env-configuration_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_railpack-env-configuration_1.snap.json index 85fcf609a..1303ec704 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_railpack-env-configuration_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_railpack-env-configuration_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -11,7 +11,8 @@ "step": "build" } ], - "startCommand": "bash start.sh" + "startCommand": "bash start.sh", + "user": "1001" }, "steps": [ { @@ -43,6 +44,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-2_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-2_1.snap.json index 605e08df3..ff281785a 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-2_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-2_1.snap.json @@ -11,7 +11,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { 
@@ -38,6 +38,7 @@ } ], "startCommand": "ruby app.rb", + "user": "1001", "variables": { "BUNDLE_GEMFILE": "/app/Gemfile", "GEM_HOME": "/usr/local/bundle", @@ -177,6 +178,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-3-precompiled_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-3-precompiled_1.snap.json index d2ced7579..a692f0611 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-3-precompiled_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-3-precompiled_1.snap.json @@ -11,7 +11,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -38,6 +38,7 @@ } ], "startCommand": "ruby --yjit app.rb", + "user": "1001", "variables": { "BUNDLE_GEMFILE": "/app/Gemfile", "GEM_HOME": "/usr/local/bundle", @@ -185,6 +186,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-3_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-3_1.snap.json index 1dda028e4..bfbd3538c 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-3_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-3_1.snap.json 
@@ -11,7 +11,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -38,6 +38,7 @@ } ], "startCommand": "ruby --enable-yjit app.rb", + "user": "1001", "variables": { "BUNDLE_GEMFILE": "/app/Gemfile", "GEM_HOME": "/usr/local/bundle", @@ -177,6 +178,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-execjs_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-execjs_1.snap.json index 30422a19d..7d977c600 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-execjs_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-execjs_1.snap.json @@ -11,7 +11,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -38,6 +38,7 @@ } ], "startCommand": "ruby app.rb", + "user": "1001", "variables": { "BUNDLE_GEMFILE": "/app/Gemfile", "GEM_HOME": "/usr/local/bundle", @@ -173,6 +174,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-jemalloc_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-jemalloc_1.snap.json index 31adde92f..8a30a8821 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-jemalloc_1.snap.json 
+++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-jemalloc_1.snap.json @@ -11,7 +11,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -38,6 +38,7 @@ } ], "startCommand": "ruby app.rb", + "user": "1001", "variables": { "BUNDLE_GEMFILE": "/app/Gemfile", "GEM_HOME": "/usr/local/bundle", @@ -173,6 +174,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-latest_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-latest_1.snap.json index 6d5214e1d..500d7026e 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-latest_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-latest_1.snap.json @@ -11,7 +11,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -38,6 +38,7 @@ } ], "startCommand": "ruby app.rb", + "user": "1001", "variables": { "BUNDLE_GEMFILE": "/app/Gemfile", "GEM_HOME": "/usr/local/bundle", @@ -177,6 +178,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-local-deps_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-local-deps_1.snap.json index bb0c24d7a..84d601d4c 100755 
--- a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-local-deps_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-local-deps_1.snap.json @@ -11,7 +11,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -38,6 +38,7 @@ } ], "startCommand": "bundle exec ruby app.rb", + "user": "1001", "variables": { "BUNDLE_GEMFILE": "/app/Gemfile", "GEM_HOME": "/usr/local/bundle", @@ -177,6 +178,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-no-version_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-no-version_1.snap.json index 677568cbc..eeced4ebd 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-no-version_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-no-version_1.snap.json @@ -11,7 +11,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -38,6 +38,7 @@ } ], "startCommand": "bundle exec rackup config.ru -o 0.0.0.0 -p ${PORT:-3000}", + "user": "1001", "variables": { "BUNDLE_GEMFILE": "/app/Gemfile", "GEM_HOME": "/usr/local/bundle", @@ -173,6 +174,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file 
diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-rails-api-app_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-rails-api-app_1.snap.json index 947722a0f..f0282dc52 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-rails-api-app_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-rails-api-app_1.snap.json @@ -11,7 +11,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -39,6 +39,7 @@ } ], "startCommand": "rake db:migrate \u0026\u0026 bundle exec bin/rails server -b 0.0.0.0 -p ${PORT:-3000}", + "user": "1001", "variables": { "BUNDLE_GEMFILE": "/app/Gemfile", "GEM_HOME": "/usr/local/bundle", @@ -186,6 +187,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-rails-postgres_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-rails-postgres_1.snap.json index 57e2da071..866f43d5c 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-rails-postgres_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-rails-postgres_1.snap.json @@ -11,7 +11,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -39,6 +39,7 @@ } ], "startCommand": "rake db:migrate \u0026\u0026 bundle exec bin/rails server -b 0.0.0.0 -p ${PORT:-3000}", + "user": "1001", "variables": { "BUNDLE_GEMFILE": "/app/Gemfile", "GEM_HOME": "/usr/local/bundle", 
@@ -189,6 +190,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-sinatra_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-sinatra_1.snap.json index ec94218b9..3f210f7a4 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-sinatra_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-sinatra_1.snap.json @@ -11,7 +11,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -38,6 +38,7 @@ } ], "startCommand": "RACK_ENV=production bundle exec puma", + "user": "1001", "variables": { "BUNDLE_GEMFILE": "/app/Gemfile", "GEM_HOME": "/usr/local/bundle", @@ -173,6 +174,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-vanilla_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-vanilla_1.snap.json index 2d86115d2..85eb03e91 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-vanilla_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-vanilla_1.snap.json @@ -11,7 +11,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { 
@@ -38,6 +38,7 @@ } ], "startCommand": "ruby app.rb", + "user": "1001", "variables": { "BUNDLE_GEMFILE": "/app/Gemfile", "GEM_HOME": "/usr/local/bundle", @@ -177,6 +178,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-with-node_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-with-node_1.snap.json index 916c18d29..ee7f7ab78 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-with-node_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_ruby-with-node_1.snap.json @@ -19,7 +19,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -62,6 +62,7 @@ } ], "startCommand": "ruby app.rb", + "user": "1001", "variables": { "BUNDLE_GEMFILE": "/app/Gemfile", "GEM_HOME": "/usr/local/bundle", @@ -284,6 +285,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-cargo-workspaces-glob_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-cargo-workspaces-glob_1.snap.json index 397cec3bf..05c335b65 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-cargo-workspaces-glob_1.snap.json 
+++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-cargo-workspaces-glob_1.snap.json @@ -11,7 +11,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -25,6 +25,7 @@ } ], "startCommand": "./bin/binary", + "user": "1001", "variables": { "ROCKET_ADDRESS": "0.0.0.0" } @@ -124,6 +125,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-cargo-workspaces_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-cargo-workspaces_1.snap.json index f036ebaf3..de2f015a5 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-cargo-workspaces_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-cargo-workspaces_1.snap.json @@ -11,7 +11,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -25,6 +25,7 @@ } ], "startCommand": "./bin/binary", + "user": "1001", "variables": { "ROCKET_ADDRESS": "0.0.0.0" } @@ -120,6 +121,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file 
diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-custom-toolchain_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-custom-toolchain_1.snap.json index 81dceb18f..cda2989dc 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-custom-toolchain_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-custom-toolchain_1.snap.json @@ -15,7 +15,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -29,6 +29,7 @@ } ], "startCommand": "./bin/rust-custom-toolchain", + "user": "1001", "variables": { "ROCKET_ADDRESS": "0.0.0.0" } @@ -144,6 +145,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-custom-version_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-custom-version_1.snap.json index d098c6d85..62e264da2 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-custom-version_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-custom-version_1.snap.json @@ -15,7 +15,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -29,6 +29,7 @@ } ], "startCommand": "./bin/rust-custom-version", + "user": "1001", "variables": { "ROCKET_ADDRESS": "0.0.0.0" } 
@@ -144,6 +145,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-multiple-bins_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-multiple-bins_1.snap.json index a08c64a80..dded713a5 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-multiple-bins_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-multiple-bins_1.snap.json @@ -15,7 +15,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -29,6 +29,7 @@ } ], "startCommand": "./bin/bin1", + "user": "1001", "variables": { "ROCKET_ADDRESS": "0.0.0.0" } @@ -150,6 +151,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-rocket_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-rocket_1.snap.json index f5a6b05a8..213ea3c03 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-rocket_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-rocket_1.snap.json @@ -15,7 +15,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { 
@@ -29,6 +29,7 @@ } ], "startCommand": "./bin/rocket", + "user": "1001", "variables": { "ROCKET_ADDRESS": "0.0.0.0" } @@ -148,6 +149,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-system-deps_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-system-deps_1.snap.json index 4f21a536c..6535fcb29 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-system-deps_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_rust-system-deps_1.snap.json @@ -15,7 +15,7 @@ }, "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -29,6 +29,7 @@ } ], "startCommand": "./bin/rust-open-ssl", + "user": "1001", "variables": { "ROCKET_ADDRESS": "0.0.0.0" } @@ -144,6 +145,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_secrets_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_secrets_1.snap.json index 4a8d6b104..19c3be1f5 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_secrets_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_secrets_1.snap.json 
@@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -17,7 +17,8 @@ "step": "usesSecrets" } ], - "startCommand": "./run.sh" + "startCommand": "./run.sh", + "user": "1001" }, "secrets": [ "MY_SECRET", @@ -81,6 +82,20 @@ "variables": { "NOT_SECRET": "not secret" } + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_shell-bash-arrays_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_shell-bash-arrays_1.snap.json index 85fcf609a..1303ec704 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_shell-bash-arrays_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_shell-bash-arrays_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -11,7 +11,8 @@ "step": "build" } ], - "startCommand": "bash start.sh" + "startCommand": "bash start.sh", + "user": "1001" }, "steps": [ { @@ -43,6 +44,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file 
diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_shell-platform-arch_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_shell-platform-arch_1.snap.json index 7e14448f3..bd77df73d 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_shell-platform-arch_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_shell-platform-arch_1.snap.json @@ -11,7 +11,7 @@ }, "deploy": { "base": { - "step": "packages:apt:runtime" + "step": "setup:user" }, "inputs": [ { @@ -21,7 +21,8 @@ "step": "build" } ], - "startCommand": "zsh start.sh" + "startCommand": "zsh start.sh", + "user": "1001" }, "steps": [ { @@ -71,6 +72,20 @@ } ], "name": "packages:apt:runtime" + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "step": "packages:apt:runtime" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_shell-script_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_shell-script_1.snap.json index cdb24bc51..fc0c5eba4 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_shell-script_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_shell-script_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -11,7 +11,8 @@ "step": "build" } ], - "startCommand": "sh start.sh" + "startCommand": "sh start.sh", + "user": "1001" }, "steps": [ { 
@@ -43,6 +44,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_staticfile-config_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_staticfile-config_1.snap.json index aef72bcec..1f8470e6d 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_staticfile-config_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_staticfile-config_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -17,7 +17,8 @@ "step": "build" } ], - "startCommand": "caddy run --config Caddyfile --adapter caddyfile 2\u003e\u00261" + "startCommand": "caddy run --config Caddyfile --adapter caddyfile 2\u003e\u00261", + "user": "1001" }, "steps": [ { @@ -70,6 +71,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_staticfile-index-fallback_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_staticfile-index-fallback_1.snap.json index 2b4cee270..94fd06947 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_staticfile-index-fallback_1.snap.json 
+++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_staticfile-index-fallback_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -17,7 +17,8 @@ "step": "build" } ], - "startCommand": "caddy run --config Caddyfile --adapter caddyfile 2\u003e\u00261" + "startCommand": "caddy run --config Caddyfile --adapter caddyfile 2\u003e\u00261", + "user": "1001" }, "steps": [ { @@ -70,6 +71,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/__snapshots__/TestGenerateBuildPlanForExamples_staticfile-index_1.snap.json b/core/__snapshots__/TestGenerateBuildPlanForExamples_staticfile-index_1.snap.json index 9eab035bc..ae5184919 100755 --- a/core/__snapshots__/TestGenerateBuildPlanForExamples_staticfile-index_1.snap.json +++ b/core/__snapshots__/TestGenerateBuildPlanForExamples_staticfile-index_1.snap.json @@ -1,7 +1,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -17,7 +17,8 @@ "step": "build" } ], - "startCommand": "caddy run --config Caddyfile --adapter caddyfile 2\u003e\u00261" + "startCommand": "caddy run --config Caddyfile --adapter caddyfile 2\u003e\u00261", + "user": "1001" }, "steps": [ { 
@@ -70,6 +71,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } \ No newline at end of file diff --git a/core/config/config.go b/core/config/config.go index 241c6e456..cf32b4dec 100644 --- a/core/config/config.go +++ b/core/config/config.go @@ -19,6 +19,7 @@ type DeployConfig struct { StartCmd string `json:"startCommand,omitempty" jsonschema:"description=The command to run in the container"` Variables map[string]string `json:"variables,omitempty" jsonschema:"description=The variables available to this step. The key is the name of the variable that is referenced in a variable command"` Paths []string `json:"paths,omitempty" jsonschema:"description=The paths to prepend to the $PATH environment variable"` + User string `json:"user,omitempty" jsonschema:"description=The user to run the container as. Set to root to disable non-root user. Defaults to 1001"` } type StepConfig struct { diff --git a/core/generate/__snapshots__/context_test.snap b/core/generate/__snapshots__/context_test.snap index 0959cf610..fd770bb60 100755 --- a/core/generate/__snapshots__/context_test.snap +++ b/core/generate/__snapshots__/context_test.snap @@ -3,7 +3,7 @@ { "deploy": { "base": { - "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + "step": "setup:user" }, "inputs": [ { @@ -17,6 +17,7 @@ } ], "startCommand": "echo hello", + "user": "1001", "variables": { "HELLO": "world" } 
@@ -94,6 +95,20 @@ "secrets": [ "*" ] + }, + { + "commands": [ + { + "cmd": "groupadd -g 1001 railpack \u0026\u0026 useradd -u 1001 -g railpack -m -s /bin/bash railpack \u0026\u0026 chown -R 1001:1001 /app", + "customName": "create non-root user" + } + ], + "inputs": [ + { + "image": "ghcr.io/railwayapp/railpack-runtime:mise-2026.3.17" + } + ], + "name": "setup:user" } ] } diff --git a/core/generate/context.go b/core/generate/context.go index 0ea8e6562..280091138 100644 --- a/core/generate/context.go +++ b/core/generate/context.go @@ -213,6 +213,9 @@ func (c *GenerateContext) applyConfig() { c.Deploy.AptPackages = plan.SpreadStrings(c.Config.Deploy.AptPackages, c.Deploy.AptPackages) c.Deploy.DeployInputs = plan.Spread(c.Config.Deploy.Inputs, c.Deploy.DeployInputs) c.Deploy.Paths = plan.SpreadStrings(c.Config.Deploy.Paths, c.Deploy.Paths) + if c.Config.Deploy.User != "" { + c.Deploy.User = c.Config.Deploy.User + } maps.Copy(c.Deploy.Variables, c.Config.Deploy.Variables) } diff --git a/core/generate/deploy_builder.go b/core/generate/deploy_builder.go index bc06801b8..98c62a276 100644 --- a/core/generate/deploy_builder.go +++ b/core/generate/deploy_builder.go @@ -11,6 +11,7 @@ type DeployBuilder struct { Variables map[string]string Paths []string AptPackages []string + User string } func NewDeployBuilder() *DeployBuilder { @@ -21,6 +22,7 @@ func NewDeployBuilder() *DeployBuilder { Variables: map[string]string{}, Paths: []string{}, AptPackages: []string{}, + User: "1001", } } 
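Review bot: The added `if` in applyConfig copies `c.Config.Deploy.User` into the builder with no validation, so a typo or an arbitrary name reaches the image config unchanged. The Build hunk in core/generate/deploy_builder.go only ever creates uid/gid 1001, so a value such as "2000" or "app" would produce an image whose runtime user was never created. Rejecting anything other than "root" or the default at this point would surface the mistake at plan generation rather than at container start. applyConfig's body starts outside the hunk.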
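Review bot: The default `User: "1001"` in NewDeployBuilder is a bare literal, and the same number is written four more times inside the shell command in Build, so the two have to be kept in sync by hand. A named constant with a short doc comment, for example `const defaultDeployUser = "1001"`, would give the uid a single definition that both the default and the command string can refer to.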
@@ -66,10 +68,26 @@ func (b *DeployBuilder) Build(p *plan.BuildPlan, options *BuildStepOptions) { baseLayer = plan.NewStepLayer(runtimeAptStep.Name) } + // Create non-root user unless explicitly set to "root" + if b.User != "" && b.User != "root" { + userStep := plan.NewStep("setup:user") + userStep.Inputs = []plan.Layer{baseLayer} + userStep.AddCommands([]plan.Command{ + plan.NewExecCommand( + "groupadd -g 1001 railpack && useradd -u 1001 -g railpack -m -s /bin/bash railpack && chown -R 1001:1001 /app", + plan.ExecOptions{CustomName: "create non-root user"}, + ), + }) + userStep.Secrets = []string{} + p.Steps = append(p.Steps, *userStep) + baseLayer = plan.NewStepLayer(userStep.Name) + } + p.Deploy.Base = baseLayer p.Deploy.Inputs = append(p.Deploy.Inputs, b.DeployInputs...) p.Deploy.StartCmd = b.StartCmd p.Deploy.Variables = b.Variables p.Deploy.Paths = b.Paths + p.Deploy.User = b.User } diff --git a/core/plan/plan.go b/core/plan/plan.go index e43dbe21b..74b57c68a 100644 --- a/core/plan/plan.go +++ b/core/plan/plan.go @@ -33,6 +33,9 @@ type Deploy struct { // The paths to prepend to the $PATH environment variable Paths []string `json:"paths,omitempty"` + + // The user to run the container as. Defaults to non-root + User string `json:"user,omitempty"` } func NewBuildPlan() *BuildPlan {
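Review bot: The guard `b.User != "" && b.User != "root"` compares only against the literal name, so root-equivalent values such as "0" or "root:root" still add the setup:user step while `p.Deploy.User` keeps the container running as root. Normalising first, or at least extending the check to `if b.User != "" && b.User != "root" && b.User != "0" {`, would make the opt-out match what the image config treats as root. Separately, the `chown -R 1001:1001 /app` runs in the layer that becomes `p.Deploy.Base`, before `p.Deploy.Inputs` are applied. Files copied into /app from later inputs may therefore still be root-owned, which is worth confirming against how deploy inputs are copied. Build's body starts outside the hunk.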
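Review bot: The new field comment on `User` says "Defaults to non-root", but nothing in the Deploy struct provides that default. With `omitempty`, a plan that has no `user` key decodes to "", and buildkit/convert.go passes the value straight into the image config, which presumably leaves the base image's own user in effect. The non-root default comes from NewDeployBuilder in core/generate/deploy_builder.go, so I would word the comment as `// The user to run the container as. Empty keeps the base image's user; the generator sets "1001" unless configured otherwise`. The Deploy struct starts outside the hunk.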