From 6e2b854fdb331504e6808ebc97f8c53d22ca3c0f Mon Sep 17 00:00:00 2001
From: Ziang Xie
Date: Wed, 6 May 2026 17:21:34 +0800
Subject: [PATCH] fix(docker): remove misleading ENV, add explicit UID/GID, add .dockerignore (#827)
* fix(docker): remove misleading ENV, add explicit UID/GID, add .dockerignore
- Removed `ENV DEEPSEEK_API_KEY=""` and `ENV DEEPSEEK_NO_COLOR=""`: API keys should never be baked into image layers, even as empty strings. Added comments documenting runtime secret passing patterns.
- Added explicit UID/GID (1000:1000) for the `deepseek` user: Makes filesystem ownership unambiguous when mounting volumes and avoids the default auto-assigned UID shifting between hosts.
- Added `.dockerignore`: Prevents accidental inclusion of .env files, local runtime state, documentation, dev configs, and build artifacts into the build context, keeping the image smaller and avoiding secret leaks.
* fix(docker): keep nested build inputs in context
--------
Co-authored-by: Hunter Bown
---
 .dockerignore | 65 +++++++++++++++++++++++++++++++++++++++++++++++++++
 Dockerfile | 13 +++++++----
 2 files changed, 73 insertions(+), 5 deletions(-)
 create mode 100644 .dockerignore
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..0cf18d18
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,65 @@
+# Build artifacts
+/target/
+*.pdb
+*.dll
+*.so
+*.dylib
+*.rlib
+
+# Sensitive environment files
+.env
+.env.*
+
+# Development
+/node_modules/
+/.vscode/
+/.idea/
+*.swp
+*.swo
+*~
+.DS_Store
+
+# Git
+/.git/
+/.gitignore
+/.gitattributes
+
+# CI/CD
+/.github/
+
+# Python
+__pycache__/
+*.py[cod]
+.pytest_cache/
+venv/
+.venv/
+
+# Logs
+*.log
+
+# Generated
+/outputs/
+/tmp/
+
+# Local runtime state
+/.deepseek/
+
+# Claude Code artifacts
+/.claude/
+/.ace-tool/
+
+# Documentation (not needed at runtime)
+/docs/
+/website/
+/*.md
+!/README.md
+
+# Assets (screenshots, etc.)
+/assets/
+
+# Scripts
+/scripts/
+
+# Development configs
+/.devcontainer/
+/config.example.toml
diff --git a/Dockerfile b/Dockerfile
index 5453bd3f..79c386f5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,6 +7,11 @@
 # The image ships both binaries (deepseek dispatcher + deepseek-tui runtime)
 # in a minimal runtime layer. No MCP servers or heavy toolchains are included
 # — keep it slim.
+#
+# API keys MUST be passed at runtime (never baked into the image):
+# docker run --rm -it -e DEEPSEEK_API_KEY deepseek-tui
+# Or mount an env file:
+# docker run --rm -it --env-file .env deepseek-tui
 
 ARG RUST_VERSION=1.88
 
@@ -50,8 +55,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 libdbus-1-3 \
 && rm -rf /var/lib/apt/lists/*
 
-# Non-root user.
-RUN useradd --create-home --shell /bin/bash deepseek
+# Non-root user with explicit UID/GID for filesystem ownership clarity.
+RUN groupadd --gid 1000 deepseek \
+ && useradd --create-home --shell /bin/bash --uid 1000 --gid 1000 deepseek
 USER deepseek
 WORKDIR /home/deepseek
 
@@ -61,8 +67,5 @@ COPY --from=builder --chown=deepseek:deepseek /out/deepseek-tui /usr/local/bin/d
 # The dispatcher expects to find its companion binary next to it.
 # Both are in /usr/local/bin — no further path setup needed.
 
-ENV DEEPSEEK_API_KEY=""
-ENV DEEPSEEK_NO_COLOR=""
-
 ENTRYPOINT ["deepseek"]
 CMD []
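Review bot: The `.env` and `.env.*` patterns under "Sensitive environment files" only exclude files at the root of the build context, because .dockerignore patterns are matched against the path relative to the context root with Go filepath.Match semantics, where `*` does not cross a `/`; an env file in any subdirectory would still be sent to the daemon, which is exactly the leak the commit message says this file is meant to prevent. To match at any depth, change those two lines to `**/.env` and `**/.env.*` (the same root-only behaviour applies to `*.log`, `*.swp` and the other unanchored globs, which matter less). The follow-up commit deliberately keeps nested build inputs in context, so the anchored directory patterns are fine as written; only the secret-file patterns need the `**/` prefix. Note also that .dockerignore guards the context, not the image, so the Dockerfile's COPY sources (outside this hunk) remain the second half of the control.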
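Review bot: The new header comment documents how to supply `DEEPSEEK_API_KEY` at runtime but says nothing about `DEEPSEEK_NO_COLOR`, whose empty default is dropped from the image in the third hunk of this file. If the binary treats an unset variable differently from an empty one (not visible here, worth confirming), colour behaviour inside the container changes silently with this commit, and a reader of the Dockerfile has no hint that the variable is now purely opt-in. Suggest adding one line after the env-file example: `# DEEPSEEK_NO_COLOR is likewise opt-in via -e at runtime; the image sets no default.`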
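Review bot: Hard-coding `--gid 1000`/`--uid 1000` in the `groupadd`/`useradd` line fixes ownership for the common case but fails the build outright if the runtime base image (chosen outside this hunk) already allocates uid or gid 1000, and it cannot be adjusted for hosts where the bind-mounting user is not 1000, which is the volume-ownership problem the commit sets out to solve. Making the ids build arguments keeps the same default while letting both cases be handled without editing the Dockerfile, e.g. `ARG APP_UID=1000` and `ARG APP_GID=1000` before the RUN, then `RUN groupadd --gid "${APP_GID}" deepseek && useradd --create-home --shell /bin/bash --uid "${APP_UID}" --gid "${APP_GID}" deepseek` (argument names are a constructed example). The `--chown=deepseek:deepseek` COPY visible in the third hunk's header resolves the name at build time, so it needs no change.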