chore: run container as non-root user and add healthcheck #2934

Open
RinZ27 wants to merge 1 commit into smithy-lang:main from RinZ27:chore/docker-hardening
RinZ27 commented Jan 17, 2026

I've split out the Docker hardening changes as discussed in #2933.

This PR updates the Dockerfile to:

  1. Create and switch to a non-root smithy user. I also made sure to chown the /smithy directory so the new user has the right permissions to run the CLI and manage its class data sharing archive.
  2. Add a HEALTHCHECK using smithy --version to monitor container health.

I think this covers what we talked about for the container side of things. Let me know if you want any further tweaks to the setup!

github-actions (Contributor)

This pull request does not contain a staged changelog entry. To create one, use the ./.changes/new-change command. For example:

./.changes/new-change --pull-requests "#2934" --type feature --description "chore: run container as non-root user and add healthcheck"

Make sure that the description is appropriate for a changelog entry and that the proper feature type is used. See ./.changes/README or run ./.changes/new-change -h for more information.

RinZ27 (Author) commented Jan 21, 2026

@mtdowling That's a fair point. Since this is primarily a short-lived CLI tool rather than a long-running service, the healthcheck is indeed redundant overhead. I'll go ahead and remove it.

RinZ27 force-pushed the chore/docker-hardening branch from cd20e38 to 0e891c9 on January 30, 2026 15:36

JordonPhillips (Contributor)

The health check still seems to be there

RinZ27 force-pushed the chore/docker-hardening branch from 0e891c9 to 2368502 on February 18, 2026 02:39

RinZ27 (Author) commented Feb 18, 2026

My apologies for the oversight. I've updated the Dockerfile to remove the HEALTHCHECK completely. I also took the opportunity to add the missing changelog entry and updated the commit message to reflect that the healthcheck is no longer included.
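A check for the two points this thread turns on, that the final image stage switches to a non-root user and that no HEALTHCHECK remains, as an added example that is not part of the PR or the Smithy repository. The sample Dockerfile, its image names and the `instructions` and `audit` functions are constructed for illustration.

```python
import re

# Constructed sample, not the project's Dockerfile: it switches to a non-root
# user but still carries the HEALTHCHECK the reviewers asked to drop.
SAMPLE = """\
FROM example/base:1 AS build
USER root
RUN make

FROM example/runtime:1
COPY --from=build /smithy /smithy
RUN useradd --system smithy \\
    && chown -R smithy /smithy
HEALTHCHECK CMD smithy --version
USER smithy
"""

def instructions(text):
    """Yield (KEYWORD, args) per instruction, joining backslash continuations."""
    text = re.sub(r"(?m)^[ \t]*#.*\n", "", text)    # drop comment lines
    text = re.sub(r"\\[ \t]*\n", " ", text)         # join continued lines
    for line in text.splitlines():
        line = line.strip()
        if line:
            keyword, _, args = line.partition(" ")
            yield keyword.upper(), args.strip()

def audit(text):
    """Return findings for the final build stage of a Dockerfile."""
    user, healthcheck = None, False
    for keyword, args in instructions(text):
        if keyword == "FROM":
            # Assumption: settings inherited from the base image are not
            # visible here, so each stage starts as "unknown".
            user, healthcheck = None, False
        elif keyword == "USER":
            user = args.split(":")[0]               # "name:group" or "uid:gid"
        elif keyword == "HEALTHCHECK":
            healthcheck = args.upper() != "NONE"    # NONE disables a check
    findings = []
    if user is None:
        findings.append("final stage has no USER instruction")
    elif user in ("root", "0"):
        findings.append("final stage runs as root")
    if healthcheck:
        findings.append("HEALTHCHECK still present")
    return findings
```

Run in CI against the real Dockerfile, a non-empty result from `audit` would have caught the leftover HEALTHCHECK before review did.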
