build: switch docker containers to non-root

[ab-smith]

Summary by CodeRabbit

• Chores
  • Improved application security by configuring the environment to run under restricted privileges, enhancing overall safety.
  • Added an environment variable for Matplotlib configuration to streamline the setup process.
  • Adjusted sleep duration in the GitHub Actions workflow to allow more time for migrations.
  • Introduced a new script to manage Huey task scheduling with default configurations.
  • Updated service dependencies to ensure proper startup order in Docker Compose.
  • Added new shared volume definitions for better data management in Docker Compose.

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The pull request introduces several changes across multiple Dockerfiles and scripts. It creates a non-root user and group named app in the backend and frontend Dockerfiles, enhancing security by switching the execution context. The startup.sh script now exports an environment variable for Matplotlib configuration and ensures the existence of a ./db directory. A new script, huey.sh, has been added to manage the Huey task scheduler. Additionally, the docker-compose-build.yml files have been updated to define new shared volumes and adjust service dependencies. No changes were made to any exported or public entities.

Changes

File	Change Summary
backend/Dockerfile	Added commands to create a non-root user and group (groupadd --gid 1001 app && useradd --uid 1001 --gid 1001 app) and switched execution context (USER app)
backend/startup.sh	Added environment variable export for Matplotlib configuration directory (export MPLCONFIGDIR=/tmp) and ensured ./db directory exists (mkdir -p ./db)
backend/huey.sh	New file created to manage Huey task scheduler, setting defaults for HUEY_WORKERS and HUEY_INTERVAL, and ensuring ./db directory exists
enterprise/backend/Dockerfile	Added commands to create a non-root user and group (groupadd --gid 1001 app && useradd --uid 1001 --gid 1001 app) and switched execution context (USER app)
enterprise/frontend/Dockerfile	Added commands to create a non-root user and group (groupadd --gid 1001 app && useradd --uid 1001 --gid 1001 app) and switched execution context (USER app)
frontend/Dockerfile	Added commands to create a non-root user and group (groupadd --gid 1001 app && useradd --uid 1001 --gid 1001 app) and switched execution context (USER app)
docker-compose-build.yml	Modified huey service command to remove parameters for worker processes and scheduler interval
enterprise/docker-compose-build.yml	Added depends_on directive for huey service to ensure it starts after backend service

Suggested reviewers

• eric-intuitem
• nas-tabchiche

Poem

Hop along in secure delight,
A new non-root path shines so bright.
Group and user, set in command,
Docker now runs just as planned.
Keep on coding, my friend – it's a bunny-approved night!
🐰✨

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

backend/Dockerfile (1)

42-43: Establishing a Non-Root User for Enhanced Security
Creating a dedicated system group and user (app) using groupadd -r and useradd -r -g app app is an excellent security measure. Optionally, if your application might require a home directory for the user, consider using the -m flag.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between da83269 and 7046e93.

📒 Files selected for processing (2)

• backend/Dockerfile (2 hunks)
• backend/db/readme.txt (0 hunks)

💤 Files with no reviewable changes (1)

• backend/db/readme.txt

⏰ Context from checks skipped due to timeout of 90000ms (8)

• GitHub Check: enterprise-startup-docker-compose-test
• GitHub Check: enterprise-functional-tests (3.12, chromium)
• GitHub Check: startup-docker-compose-test
• GitHub Check: functional-tests (3.12, chromium)
• GitHub Check: enterprise-startup-functional-test (3.12)
• GitHub Check: ruff (3.12)
• GitHub Check: Analyze (python)
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (7)

backend/Dockerfile (7)

10-10: Clear Documentation for Dependency Installation
The comment at line 10 explicitly notes that dependencies are being installed as root, which helps clarify the intent for subsequent commands that require elevated privileges.

---

45-45: Proper Placement of WORKDIR
Moving the WORKDIR /code command after the non-root user creation ensures that directory-related operations that follow are aligned with the intended user context.

---

46-46: Securing Application Directory Permissions
The command RUN mkdir -p /code && chown -R app:app /code correctly creates the working directory and enforces the right ownership, ensuring that the non-root user can interact with it without permission issues.

---

48-48: Copying Critical Files with Correct Ownership
Using COPY --chown=app:app pyproject.toml poetry.lock ./ sets the proper ownership on these key files. This not only helps avoid permission conflicts during dependency installation but also leverages Docker’s caching layers efficiently.

---

50-51: Switching to Non-Root Execution
Transitioning to the non-root user with USER app reinforces container security by ensuring that subsequent operations and the running application do not execute with root privileges.

---

53-56: Installing Python Dependencies Securely
The RUN poetry install --no-root \ command (along with the cache cleanup) runs as the non-root user. This adheres to best practices by limiting privileges during package installation.

---

57-57: Copying the Application Code with Correct Ownership
The command COPY --chown=app:app . . ensures that all application files are copied with the appropriate ownership, maintaining consistency and avoiding permission issues later in the container lifecycle.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

backend/ciso_assistant/settings.py (1)

108-115: Well-implemented directory existence check.

The added code ensures the db directory exists and creates it if needed, which is essential when running as a non-root user. This is a more reliable approach than the previous method of using a readme.txt file to create the directory upon checkout. The implementation properly uses the parents=True and exist_ok=True parameters to make the operation idempotent and includes appropriate logging.

This change supports the PR objective of switching the backend to a non-root user, which is a security best practice. By ensuring directories exist programmatically, you're preventing potential issues when running with reduced privileges.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ee19072 and 852fa54.

📒 Files selected for processing (1)

• backend/ciso_assistant/settings.py (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (10)

• GitHub Check: startup-functional-test (3.12)
• GitHub Check: startup-docker-compose-test
• GitHub Check: enterprise-startup-functional-test (3.12)
• GitHub Check: enterprise-functional-tests (3.12, chromium)
• GitHub Check: test (3.12)
• GitHub Check: enterprise-startup-docker-compose-test
• GitHub Check: functional-tests (3.12, chromium)
• GitHub Check: build (3.12)
• GitHub Check: Analyze (python)
• GitHub Check: Analyze (javascript-typescript)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/startup-tests.yml (1)

139-148: Dynamic Polling: Enhance Failure Handling in Migration Wait Loop

The new "Wait for migrations" step is a great improvement, replacing a fixed sleep with dynamic polling. However, note that if the maximum attempts (30) are reached without a successful response from the backend, the loop simply exits—potentially allowing subsequent steps to run even though migrations haven’t completed. I recommend adding explicit error handling after the loop to exit with a clear error message if the backend remains unresponsive.

For example, you could add the following diff after the loop:

-until docker compose exec backend curl -f http://backend:8000/api/build || [ $attempt -eq $max_attempts ]
-do
-  attempt=$((attempt+1))
-  echo "Waiting for migrations... ($attempt/$max_attempts)"
-  sleep 10
-done
+until docker compose exec backend curl -f http://backend:8000/api/build || [ $attempt -eq $max_attempts ]
+do
+  attempt=$((attempt+1))
+  echo "Waiting for migrations... ($attempt/$max_attempts)"
+  sleep 10
+done
+if [ $attempt -eq $max_attempts ]; then
+  echo "ERROR: Migrations did not complete after $max_attempts attempts."
+  exit 1
+fi

This change makes sure that if the backend remains unresponsive after the designated attempts, the workflow will clearly fail rather than proceeding with potentially unstable conditions.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 852fa54 and 06b4dfa.

📒 Files selected for processing (2)

• .github/workflows/startup-tests.yml (1 hunks)
• backend/ciso_assistant/settings.py (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• backend/ciso_assistant/settings.py

⏰ Context from checks skipped due to timeout of 90000ms (8)

• GitHub Check: enterprise-startup-functional-test (3.12)
• GitHub Check: startup-docker-compose-test
• GitHub Check: enterprise-startup-docker-compose-test
• GitHub Check: functional-tests (3.12, chromium)
• GitHub Check: enterprise-functional-tests (3.12, chromium)
• GitHub Check: test (3.12)
• GitHub Check: build (3.12)
• GitHub Check: startup-functional-test (3.12)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

docker-compose-build.yml (1)

12-12: AUTH_TOKEN_TTL Environment Variable Added
The addition of AUTH_TOKEN_TTL=7200 to the backend's environment is a clear configuration change. Ensure that the backend application is updated to read and enforce this token expiry configuration and that it’s documented accordingly.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3e216b7 and 2e03d8e.

📒 Files selected for processing (2)

• backend/Dockerfile (1 hunks)
• docker-compose-build.yml (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• backend/Dockerfile

⏰ Context from checks skipped due to timeout of 90000ms (10)

• GitHub Check: startup-functional-test (3.12)
• GitHub Check: startup-docker-compose-test
• GitHub Check: enterprise-startup-functional-test (3.12)
• GitHub Check: test (3.12)
• GitHub Check: functional-tests (3.12, chromium)
• GitHub Check: enterprise-startup-docker-compose-test
• GitHub Check: build (3.12)
• GitHub Check: enterprise-functional-tests (3.12, chromium)
• GitHub Check: Analyze (python)
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (4)

docker-compose-build.yml (4)

15-20: Backend Healthcheck Configuration
The new healthcheck block for the backend service, which uses a curl command to verify the /api/build endpoint, is an effective way to ensure service readiness. Please verify that the /api/build endpoint exists and reliably indicates the backend's healthy state within the specified timeout and retry parameters.

---

28-30: Updated Dependency Condition for Huey Service
The adjustment in the depends_on section for the huey service to rely on the backend's healthy state (using condition: service_healthy) strengthens the startup sequence and prevents race conditions. Verify that the backend’s healthcheck consistently reflects its operability.

---

55-57: Updated Dependency Condition for Frontend Service
By requiring the backend service to be healthy before starting the frontend, this update improves the reliability of service interdependencies. Make sure that any potential delays in backend startup do not negatively impact the frontend's availability beyond acceptable tolerances.

---

63-65: Updated Dependency Condition for Caddy Service
Setting the caddy service’s depends_on condition to wait for a healthy backend should help ensure proper reverse proxy configuration. It is advisable to monitor the startup order in a staging environment to confirm that all services become available as expected without undue delays.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

backend/startup.sh (1)

2-2: Ensure db Directory Creation and Permissions

The addition of mkdir -p ./db on line 2 correctly ensures that the db directory exists before the script attempts to read or create the Django secret key. Since the PR objective is to run the backend as a non‑root user, please verify that the directory is created with appropriate ownership and access permissions for that non‑root user. If needed, consider adding commands (e.g., using chown or chmod) to enforce the desired permissions.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2e03d8e and 08e8cb8.

📒 Files selected for processing (2)

• backend/startup.sh (1 hunks)
• docker-compose-build.yml (2 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• docker-compose-build.yml

⏰ Context from checks skipped due to timeout of 90000ms (10)

• GitHub Check: startup-docker-compose-test
• GitHub Check: startup-functional-test (3.12)
• GitHub Check: enterprise-startup-functional-test (3.12)
• GitHub Check: functional-tests (3.12, chromium)
• GitHub Check: enterprise-startup-docker-compose-test
• GitHub Check: test (3.12)
• GitHub Check: build (3.12)
• GitHub Check: enterprise-functional-tests (3.12, chromium)
• GitHub Check: Analyze (python)
• GitHub Check: Analyze (javascript-typescript)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

backend/startup.sh (1)

11-17: Permissions Check for Secret Key File Creation

Since the backend will now run as a non-root user, ensure that the db directory (and the file db/django_secret_key) has the correct write permissions. Failure to adjust these permissions might result in runtime errors when the script attempts to create or update the Django secret key.

🧰 Tools

🪛 Shellcheck (0.10.0)

[warning] 15-15: Declare and assign separately to avoid masking return values.

(SC2155)

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 54c4d12 and d22abf7.

📒 Files selected for processing (2)

• backend/Dockerfile (1 hunks)
• backend/startup.sh (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• backend/Dockerfile

⏰ Context from checks skipped due to timeout of 90000ms (10)

• GitHub Check: enterprise-startup-functional-test (3.12)
• GitHub Check: startup-functional-test (3.12)
• GitHub Check: functional-tests (3.12, chromium)
• GitHub Check: enterprise-startup-docker-compose-test
• GitHub Check: build (3.12)
• GitHub Check: test (3.12)
• GitHub Check: enterprise-functional-tests (3.12, chromium)
• GitHub Check: startup-docker-compose-test
• GitHub Check: Analyze (python)
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (2)

backend/startup.sh (2)

2-5: Environment Variable Addition for Matplotlib

The addition of export MPLCONFIGDIR=/tmp is clear and appropriately placed at the top of the script. This ensures that Matplotlib uses a writable configuration directory when running under the non-root user. Please verify that the /tmp directory has the proper write permissions for your non-root setup.

---

34-42: Gunicorn Command Execution under Non-Root Context

The command for launching Gunicorn is correctly structured. Given the switch to a non-root backend, double-check that all relevant file permissions and port settings (e.g., binding to port 8000) are correctly configured for non-root execution.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

frontend/Dockerfile (1)

25-26: Non-root User Creation on Alpine Image: Consider Using Alpine-Native Commands

The changes correctly introduce a non-root user by creating a group and user with UID and GID 1001, which enhances container security. However, since this image is based on Alpine Linux, the default tools are usually addgroup and adduser rather than groupadd and useradd. Verify that these commands are available in your environment, or consider switching to the Alpine-native commands.

Example diff if you choose to migrate:

- RUN groupadd --gid 1001 app && useradd --uid 1001 --gid 1001 app
+ RUN addgroup -g 1001 app && adduser -D -u 1001 -G app app

enterprise/frontend/Dockerfile (1)

27-29: Consistent Non-root User Setup for Alpine-based Image: Evaluate Alpine Commands

The updated lines correctly switch the execution context to a non-root user (UID/GID 1001) to improve security. As with the frontend Dockerfile, note that Alpine images typically use addgroup and adduser. Please confirm that groupadd and useradd are available in the node:22-alpine image, or consider using the Alpine-standard commands.

Example diff:

- RUN groupadd --gid 1001 app && useradd --uid 1001 --gid 1001 app
+ RUN addgroup -g 1001 app && adduser -D -u 1001 -G app app

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d22abf7 and b0fb5ac.

📒 Files selected for processing (3)

• enterprise/backend/Dockerfile (1 hunks)
• enterprise/frontend/Dockerfile (1 hunks)
• frontend/Dockerfile (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (10)

• GitHub Check: startup-functional-test (3.12)
• GitHub Check: startup-docker-compose-test
• GitHub Check: enterprise-startup-functional-test (3.12)
• GitHub Check: functional-tests (3.12, chromium)
• GitHub Check: test (3.12)
• GitHub Check: build (3.12)
• GitHub Check: enterprise-startup-docker-compose-test
• GitHub Check: enterprise-functional-tests (3.12, chromium)
• GitHub Check: Analyze (python)
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (1)

enterprise/backend/Dockerfile (1)

56-57: Secure Non-root User Implementation on Debian-based Image

The changes correctly create and switch to a non-root user (UID/GID 1001) in a Debian-based environment. Since the base image (python:3.12-slim) uses standard Debian utilities, the use of groupadd and useradd is appropriate and aligns with best practices.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/startup-tests.yml (1)

280-282: Updated Sleep Duration in Enterprise Docker Compose Test

The sleep duration in the "Config the Docker app" step for the enterprise job has been increased to 180 seconds. This should allow sufficient time for migrations when running under the non-root Docker configuration. Consider verifying if differing wait times between similar jobs (e.g., the non-enterprise job uses 120 seconds) are intentional. If these delays might be subject to further tuning or if the wait period becomes a recurring parameter across jobs, you might consider parameterizing the sleep duration to simplify future adjustments.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2327bcf and ff43c2c.

📒 Files selected for processing (3)

• .github/workflows/startup-tests.yml (1 hunks)
• enterprise/frontend/Dockerfile (1 hunks)
• frontend/Dockerfile (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• enterprise/frontend/Dockerfile
• frontend/Dockerfile

⏰ Context from checks skipped due to timeout of 90000ms (10)

• GitHub Check: startup-functional-test (3.12)
• GitHub Check: enterprise-startup-docker-compose-test
• GitHub Check: functional-tests (3.12, chromium)
• GitHub Check: startup-docker-compose-test
• GitHub Check: build (3.12)
• GitHub Check: enterprise-functional-tests (3.12, chromium)
• GitHub Check: test (3.12)
• GitHub Check: enterprise-startup-functional-test (3.12)
• GitHub Check: Analyze (python)
• GitHub Check: Analyze (javascript-typescript)

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

backend/huey.sh (2)

3-7: Comment: Update Misleading Comment

The comment on line 6 refers to “Gunicorn configuration”, which is misleading given that the environment variables and subsequent command are related to Huey. Please update the comment to reflect that these are default values for the Huey task scheduler.

-# Set default values for Gunicorn configuration
+# Set default values for Huey configuration

---

10-12: Comment: Verify Execution Context with Non-Root User

The script executes poetry run python manage.py run_huey with parameters derived from the environment. Since the PR objective is to switch containers to non-root, please verify that the non-root user (e.g. app) has the necessary permissions to execute this command and access required files (like the ./db directory created earlier).

docker-compose-build.yml (1)

29-33: Comment: Inconsistent Huey Command Usage

The huey service’s entrypoint (line 33) now invokes

poetry run python manage.py run_huey

without passing environment-variable–derived parameters. Given that a new script (huey.sh) was introduced to manage these defaults, it seems more consistent to have the container execute that script. Consider updating the entrypoint to call the huey.sh script (which resides in the build context) rather than directly calling manage.py run_huey. For example:

-    entrypoint:
-      - /bin/sh
-      - -c
-      - |
-        poetry run python manage.py run_huey
+    entrypoint: ["/bin/bash", "./huey.sh"]

This change would ensure that the default values for HUEY_WORKERS and HUEY_INTERVAL are applied as intended.

enterprise/docker-compose-build.yml (1)

33-37: Comment: Evaluate Consistency in Huey Service Entrypoint

Similar to the previous file, the huey service here (lines 33-37) directly runs

poetry run python manage.py run_huey

which bypasses the huey.sh script that sets and applies the default values for HUEY_WORKERS and HUEY_INTERVAL. For consistency and to leverage the script’s defaults, consider modifying the entrypoint to call huey.sh. For instance:

-    entrypoint:
-      - /bin/sh
-      - -c
-      - |
-        poetry run python manage.py run_huey
+    entrypoint: ["/bin/bash", "./huey.sh"]

Before applying this change, please verify that the path to huey.sh is correct within the image built via ./enterprise/backend/Dockerfile.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ff43c2c and 5e1540f.

📒 Files selected for processing (4)

• backend/huey.sh (1 hunks)
• backend/startup.sh (1 hunks)
• docker-compose-build.yml (1 hunks)
• enterprise/docker-compose-build.yml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• backend/startup.sh

⏰ Context from checks skipped due to timeout of 90000ms (11)

• GitHub Check: CodeQL
• GitHub Check: startup-functional-test (3.12)
• GitHub Check: startup-docker-compose-test
• GitHub Check: enterprise-startup-functional-test (3.12)
• GitHub Check: functional-tests (3.12, chromium)
• GitHub Check: build (3.12)
• GitHub Check: enterprise-startup-docker-compose-test
• GitHub Check: enterprise-functional-tests (3.12, chromium)
• GitHub Check: test (3.12)
• GitHub Check: Analyze (python)
• GitHub Check: Analyze (javascript-typescript)

🔇 Additional comments (2)

docker-compose-build.yml (1)

15-20: Comment: Confirm Dockerfile Changes for Non-Root Execution

Although this diff does not show Dockerfile modifications, the PR objective specifies switching to non-root containers. Please double-check that the referenced Dockerfile (in ./backend/Dockerfile) is updated accordingly (i.e. creates and switches to a non-root user) so that all services, including backend and huey, run securely.

enterprise/docker-compose-build.yml (1)

23-24: Comment: Service Dependency Clarification

Adding the depends_on directive for the huey service (lines 23-24) helps control the startup order. This is a good practice to ensure that the backend service is available before starting huey.