fix(docker): run as non-root user; move /data chown to compose init

Author: shubham5080

Dockerfile

@@ -16,19 +16,19 @@ COPY pyproject.toml README.md ./
 COPY src/ ./src/
 
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends gosu \
     && rm -rf /var/lib/apt/lists/* \
     && pip install --no-cache-dir -e . \
     && useradd --create-home --shell /bin/bash appuser \
     && chown -R appuser:appuser /app \
     && mkdir -p /data && chown appuser:appuser /data
 
-# Config and entrypoint (entrypoint runs as root to chown /data, then gosu to appuser).
+# Config (copied as root; chown so appuser can read).
 COPY config/ ./config/
-COPY docker-entrypoint.sh /docker-entrypoint.sh
-RUN chmod +x /docker-entrypoint.sh
+RUN chown -R appuser:appuser /app
+
+# Steady state: run as non-root. /data ownership for volumes is handled by init in compose.
+USER appuser
 
 # Default: run Discord bot. Override with run-once or other commands.
 # Example: docker compose run --rm bot --config /app/config/config.yaml run-once
-ENTRYPOINT ["/docker-entrypoint.sh"]
-CMD ["--config", "/app/config/config.yaml", "bot"]
+CMD ["ghdcbot", "--config", "/app/config/config.yaml", "bot"]

config/config.yaml

@@ -0,0 +1,75 @@
+# Docker config for shubham-orld (from shubh-olrd). Tokens from .env; data_dir must be /data.
+runtime:
+  mode: "active"
+  log_level: "INFO"
+  data_dir: "./data"
+  github_adapter: "ghdcbot.adapters.github.rest:GitHubRestAdapter"
+  discord_adapter: "ghdcbot.adapters.discord.api:DiscordApiAdapter"
+  storage_adapter: "ghdcbot.adapters.storage.sqlite:SqliteStorage"
+
+github:
+  org: "shubham-orld"
+  token: "${GITHUB_TOKEN}"
+  api_base: "https://api.github.com"
+  permissions:
+    read: true
+    write: true
+  user_fallback: false
+
+discord:
+  guild_id: "1376527316041072722"
+  token: "${DISCORD_TOKEN}"
+  permissions:
+    read: true
+    write: true
+  notifications:
+    enabled: true
+    issue_assignment: true
+    pr_review_requested: true
+    pr_review_result: true
+    pr_merged: true
+    coderabbit_reminders: true
+    coderabbit_reminder_after_hours: 1
+    channel_id: null
+
+scoring:
+  period_days: 30
+  weights:
+    issue_opened: 3
+    pr_opened: 5
+    pr_reviewed: 2
+    comment: 1
+
+role_mappings:
+  - discord_role: "Contributor"
+    min_score: 10
+  - discord_role: "Maintainer"
+    min_score: 40
+
+repo_contributor_roles:
+  castro: "Contributor-castro"
+  jisto: "Contributor-jisto"
+  pista: "Contributor-pista"
+
+merge_role_rules:
+  enabled: true
+  rules:
+    - discord_role: "apprentice"
+      min_merged_prs: 1
+    - discord_role: "testing_role"
+      min_merged_prs: 2
+
+assignments:
+  review_roles:
+    - "Maintainer"
+  issue_assignees:
+    - "Mentor"
+
+identity_mappings:
+  - github_user: "YOUR_GITHUB_USERNAME"
+    discord_user_id: "YOUR_DISCORD_USER_ID"
+
+snapshots:
+  enabled: true
+  repo_path: "shubham-orld/gitcord-data"
+  branch: "main"

docker-compose.yml

@@ -1,18 +1,29 @@
 # Gitcord - Docker Compose for mentor-friendly deployment.
 # Usage: copy .env and config, then run: docker compose up -d
 # Data (SQLite, reports, identity links) persists in named volume gitcord_data.
+# init_data ensures /data is owned by appuser (image runs as non-root); runs once then exits.
 
 services:
+  init_data:
+    image: gitcord:latest
+    user: "0"
+    volumes:
+      - gitcord_data:/data
+    command: ["sh", "-c", "chown -R appuser:appuser /data"]
+
   bot:
     build: .
     image: gitcord:latest
     env_file: .env
+    depends_on:
+      init_data:
+        condition: service_completed_successfully
     volumes:
       # Mount config so you can edit YAML without rebuilding (use data_dir: /data in config).
       - ./config:/app/config:ro
       # Persist SQLite state, reports, and audit logs between restarts.
       - gitcord_data:/data
-    command: ["--config", "/app/config/config.yaml", "bot"]
+    command: ["ghdcbot", "--config", "/app/config/config.yaml", "bot"]
     restart: unless-stopped
 
 volumes:

docs/DOCKER.md

@@ -43,7 +43,7 @@ Docker support is designed for **mentor-friendly deployment** and **reproducible
 ```bash
 docker compose run --rm bot --config /app/config/config.yaml run-once
 ```
-(Do not pass `ghdcbot` — the image entrypoint is already `ghdcbot`.)
+(Do not pass `ghdcbot` — the image default command is `ghdcbot`.)
 
 ---
 
@@ -79,16 +79,16 @@ Gitcord-GithubDiscordBot/
 | `PYTHONDONTWRITEBYTECODE=1` | Avoids writing `.pyc` in the image; cleaner and slightly faster. |
 | `PYTHONUNBUFFERED=1` | Logs show up immediately in `docker compose logs`. |
 | Copy `pyproject.toml` + `src/` then `pip install -e .` | Dependency layer is cached; only code/setup changes trigger reinstall. |
-| `useradd appuser` / `USER appuser` | Process does not run as root. |
-| `ENTRYPOINT ["ghdcbot"]` | All invocations use the same binary; override with `run-once`, `bot`, etc. |
-| `CMD ["--config", "/app/config/config.yaml", "bot"]` | Default is Discord bot; overridden by `docker-compose` `command` or `docker run ... run-once`. |
+| `useradd appuser` / `USER appuser` | Process runs as non-root; no gosu/entrypoint at runtime. |
+| `CMD ["ghdcbot", "--config", "/app/config/config.yaml", "bot"]` | Default is Discord bot; override with `docker compose run ... run-once` etc. |
 
 ---
 
 ## docker-compose.yml Design
 
 | Section | Purpose |
 |--------|--------|
+| `init_data` service | Runs once as root to `chown` the volume to `appuser` so the bot (non-root) can write; then exits. Bot starts after it completes. |
 | `env_file: .env` | Loads `GITHUB_TOKEN` and `DISCORD_TOKEN`; config YAML uses `${GITHUB_TOKEN}` etc. |
 | `./config:/app/config:ro` | Host config dir mounted read-only; edit YAML on host without rebuilding. |
 | `gitcord_data:/data` | Named volume for SQLite and reports; survives `docker compose down`. |

scripts/remove-cursor-coauthor.sh

@@ -0,0 +1,21 @@
+#!/bin/bash
+# Removes "Co-authored-by: Cursor <cursoragent@cursor.com>" from all commit messages.
+# Run from repo root. Backup is created as refs/original/refs/heads/main (and others).
+
+set -e
+cd "$(git rev-parse --show-toplevel)"
+
+echo "=== Backup: creating backup-main branch (current state) ==="
+git branch backup-main 2>/dev/null || true
+
+echo "=== Rewriting all commit messages to remove Cursor co-author line ==="
+git filter-branch -f --msg-filter 'sed "/^Co-authored-by: Cursor <cursoragent@cursor.com>$/d"' -- --all
+
+echo "=== Done. Cursor co-author line removed from all commits. ==="
+echo ""
+echo "Next steps:"
+echo "  1. Check: git log --oneline -5  (messages should not contain Co-authored-by: Cursor)"
+echo "  2. Force-push to update remote: git push --force-with-lease origin main"
+echo "  3. If you had other branches, force-push them too."
+echo "  4. To restore backup if needed: git reset --hard backup-main"
+echo "  5. Remove backup refs (optional, after you're happy): git for-each-ref --format='delete %(refname)' refs/original | git update-ref --stdin"