dgf1988/codewhale
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

fix(docker): remove misleading ENV, add explicit UID/GID, add .dockerignore (#827)

Browse Source 
* fix(docker): remove misleading ENV, add explicit UID/GID, add .dockerignore

- Removed `ENV DEEPSEEK_API_KEY=""` and `ENV DEEPSEEK_NO_COLOR=""`:
  API keys should never be baked into image layers, even as empty strings.
  Added comments documenting runtime secret passing patterns.

- Added explicit UID/GID (1000:1000) for the `deepseek` user:
  Makes filesystem ownership unambiguous when mounting volumes and
  avoids the default auto-assigned UID shifting between hosts.

- Added `.dockerignore`:
  Prevents accidental inclusion of .env files, local runtime state,
  documentation, dev configs, and build artifacts into the build
  context, keeping the image smaller and avoiding secret leaks.

* fix(docker): keep nested build inputs in context

---------

Co-authored-by: Hunter Bown <hmbown@gmail.com>
This commit is contained in:
Ziang Xie
2026-05-06 17:21:34 +08:00
committed by GitHub
parent 719594636c
commit 6e2b854fdb
2 changed files with 73 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Dockerfile
+8 -5
View File
@@ -7,6 +7,11 @@
# The image ships both binaries (deepseek dispatcher + deepseek-tui runtime)
# in a minimal runtime layer. No MCP servers or heavy toolchains are included
# — keep it slim.
#
# API keys MUST be passed at runtime (never baked into the image):
# docker run --rm -it -e DEEPSEEK_API_KEY deepseek-tui
# Or mount an env file:
# docker run --rm -it --env-file .env deepseek-tui
ARG RUST_VERSION=1.88
@@ -50,8 +55,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
libdbus-1-3 \
&& rm -rf /var/lib/apt/lists/*
# Non-root user.
RUN useradd --create-home --shell /bin/bash deepseek
# Non-root user with explicit UID/GID for filesystem ownership clarity.
RUN groupadd --gid 1000 deepseek \
&& useradd --create-home --shell /bin/bash --uid 1000 --gid 1000 deepseek
USER deepseek
WORKDIR /home/deepseek
@@ -61,8 +67,5 @@ COPY --from=builder --chown=deepseek:deepseek /out/deepseek-tui /usr/local/bin/d
# The dispatcher expects to find its companion binary next to it.
# Both are in /usr/local/bin — no further path setup needed.
ENV DEEPSEEK_API_KEY=""
ENV DEEPSEEK_NO_COLOR=""
ENTRYPOINT ["deepseek"]
CMD []