fix: use runtime user: directive instead of build-arg UID/GID

claude · claude · commit 2f8d840acbd8 · 2026-03-10T03:26:17.000Z
Build args require rebuilding the image to change UID/GID and don't work with pre-built images from GHCR. Switch to compose user: directive which overrides at runtime via PUID/PGID environment variables. This works with both local builds and pulled images. https://claude.ai/code/session_0153nX7vQSjEFPpZTgZdDmu5
diff --git a/Dockerfile b/Dockerfile
@@ -46,12 +46,7 @@ FROM alpine:3.20
 RUN apk add --no-cache ca-certificates tzdata
 
 # Create non-root user for runtime security.
-# PUID/PGID let you match the host directory owner when using bind mounts.
-# Build with: docker build --build-arg PUID=$(id -u) --build-arg PGID=$(id -g) .
-ARG PUID=1000
-ARG PGID=1000
-RUN addgroup -g "$PGID" chronicle \
-    && adduser -D -H -s /sbin/nologin -G chronicle -u "$PUID" chronicle
+RUN adduser -D -H -s /sbin/nologin chronicle
 
 # Copy the compiled binary.
 COPY --from=builder /chronicle /usr/local/bin/chronicle
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -19,12 +19,10 @@ services:
     build:
       context: .
       dockerfile: Dockerfile
-      args:
-        # Match container UID/GID to the host user that owns the bind-mount
-        # directory. Override in .env or shell: PUID=$(id -u) PGID=$(id -g)
-        PUID: ${PUID:-1000}
-        PGID: ${PGID:-1000}
     container_name: chronicle
+    # Match the host directory owner for bind-mount permissions.
+    # Set PUID/PGID as environment variables (default: 1000).
+    user: "${PUID:-1000}:${PGID:-1000}"
     ports:
       - "8080:8080"
     restart: unless-stopped
