From 056cf6fa5bc809bc92aaeb06e810f2de14047197 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Sat, 28 Mar 2026 21:03:24 -0700
Subject: [PATCH] docker: default published images to seaweed user (#8819)

* ci: add Trivy CVE scan to container release workflow
* docker: default published images to seaweed user
* Revert "ci: add Trivy CVE scan to container release workflow"
This reverts commit bc9b7e1cf7a0694e355c5d23b5e323a07e8ba670.
---
 docker/Dockerfile.go_build | 6 +++++-
 docker/Dockerfile.local | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/docker/Dockerfile.go_build b/docker/Dockerfile.go_build
index 3b8e120ed..3bd536b70 100644
--- a/docker/Dockerfile.go_build
+++ b/docker/Dockerfile.go_build
@@ -79,5 +79,9 @@ RUN mkdir -p /data/filerldb2 && \
 VOLUME /data
 WORKDIR /data
-# Entrypoint will handle permission fixes and user switching
+# Run as non-root by default (satisfies security scanners).
+# Use `docker run --user root` if you need the entrypoint to fix
+# /data volume ownership before dropping privileges.
+USER seaweed
+
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/docker/Dockerfile.local b/docker/Dockerfile.local
index 9ea378401..051c85120 100644
--- a/docker/Dockerfile.local
+++ b/docker/Dockerfile.local
@@ -37,5 +37,9 @@ RUN mkdir -p /data/filerldb2 && \
 VOLUME /data
 WORKDIR /data
-# Entrypoint will handle permission fixes and user switching
+# Run as non-root by default (satisfies security scanners).
+# Use `docker run --user root` if you need the entrypoint to fix
+# /data volume ownership before dropping privileges.
+USER seaweed
+
 ENTRYPOINT ["/entrypoint.sh"]
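Review bot: `USER seaweed` in docker/Dockerfile.go_build (and the identical hunk in docker/Dockerfile.local) names the account rather than its numeric id, so a Kubernetes pod with `runAsNonRoot: true` cannot verify the image is non-root and will refuse to start it unless the pod also sets `runAsUser`. The step that creates the seaweed account is outside these hunks, so the ids are not visible here; assuming it assigns fixed ones, `USER <seaweed-uid>:<seaweed-gid>` (placeholders) keeps the same default and is checkable by the runtime. Separately, with the entrypoint now starting unprivileged, a bind mount or pre-existing volume whose /data is root-owned can no longer be repaired at start-up. entrypoint.sh is not part of this patch, so it is worth confirming that it skips the ownership fix and the privilege drop when `id -u` is not 0 instead of failing. The new comment could also name least privilege as the reason rather than scanners, e.g. `# Run as non-root by default so the service does not hold root inside the container.`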