From 60aa601e923e96a0f3fb45c74d85dc6d2b4d55d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pedro=20Mart=C3=ADn?= Date: Tue, 19 May 2026 18:03:05 +0200 Subject: [PATCH] fix(docker): chown copied files to prowler pin uv sync --locked (#11234) --- .github/workflows/bump-version.yml | 33 ++++++++++++++++++++++++++++++ Dockerfile | 12 +++++------ api/uv.lock | 2 +- uv.lock | 2 +- 4 files changed, 41 insertions(+), 8 deletions(-) diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml index 034261758c..11c2691fdf 100644 --- a/.github/workflows/bump-version.yml +++ b/.github/workflows/bump-version.yml @@ -139,6 +139,17 @@ jobs: sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_VERSION}\"|" api/pyproject.toml sed -i "s| version: ${CURRENT_API_VERSION}| version: ${NEXT_API_VERSION}|" api/src/backend/api/specs/v1.yaml + - name: Regenerate lockfiles after version bump + run: | + set -e + # The bumps above edit pyproject.toml / api/pyproject.toml but leave + # uv.lock / api/uv.lock stale, which makes `uv sync --locked` fail in + # the container builds. Refresh both with the uv version the images + # pin (plain `uv lock`, no --upgrade: only the version line changes). + pip install --no-cache-dir "uv==0.11.14" + uv lock + (cd api && uv lock) + - name: Bump UI version (.env) run: | set -e 
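Review bot: Nothing in the added `Regenerate lockfiles after version bump` step checks the comment's claim that only the version line changes. Plain `uv lock` also picks up any other pyproject.toml change that was never locked, so a version-bump commit could carry dependency changes nobody reviewed. A guard after the two lock commands would make that visible, e.g. run `git diff --numstat -- uv.lock api/uv.lock` and fail unless each file shows exactly one added and one removed line. The same step is repeated in the hunks at @@ -240 and @@ -341, and the literal `uv==0.11.14` now appears in three steps plus the Dockerfile, so one shared variable (or a comment naming the Dockerfile as the source of truth) would keep them from drifting. The job these steps belong to starts outside the hunk.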
@@ -240,6 +251,17 @@ jobs: sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${FIRST_API_PATCH_VERSION}\"|" api/pyproject.toml sed -i "s| version: ${CURRENT_API_VERSION}| version: ${FIRST_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml + - name: Regenerate lockfiles after version bump + run: | + set -e + # The bumps above edit pyproject.toml / api/pyproject.toml but leave + # uv.lock / api/uv.lock stale, which makes `uv sync --locked` fail in + # the container builds. Refresh both with the uv version the images + # pin (plain `uv lock`, no --upgrade: only the version line changes). + pip install --no-cache-dir "uv==0.11.14" + uv lock + (cd api && uv lock) + - name: Bump UI version (.env) run: | set -e @@ -341,6 +363,17 @@ jobs: sed -i "s|version = \"${CURRENT_API_VERSION}\"|version = \"${NEXT_API_PATCH_VERSION}\"|" api/pyproject.toml sed -i "s| version: ${CURRENT_API_VERSION}| version: ${NEXT_API_PATCH_VERSION}|" api/src/backend/api/specs/v1.yaml + - name: Regenerate lockfiles after version bump + run: | + set -e + # The bumps above edit pyproject.toml / api/pyproject.toml but leave + # uv.lock / api/uv.lock stale, which makes `uv sync --locked` fail in + # the container builds. Refresh both with the uv version the images + # pin (plain `uv lock`, no --upgrade: only the version line changes). + pip install --no-cache-dir "uv==0.11.14" + uv lock + (cd api && uv lock) + - name: Bump UI version (.env) run: | set -e diff --git a/Dockerfile b/Dockerfile index eb5debf888..44abbdf098 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -76,11 +76,11 @@ USER prowler WORKDIR /home/prowler # Copy necessary files -COPY prowler/ /home/prowler/prowler/ -COPY dashboard/ /home/prowler/dashboard/ -COPY pyproject.toml uv.lock /home/prowler/ -COPY README.md /home/prowler/ -COPY prowler/providers/m365/lib/powershell/m365_powershell.py /home/prowler/prowler/providers/m365/lib/powershell/m365_powershell.py +COPY --chown=prowler:prowler prowler/ /home/prowler/prowler/ +COPY --chown=prowler:prowler dashboard/ /home/prowler/dashboard/ +COPY --chown=prowler:prowler pyproject.toml uv.lock /home/prowler/ +COPY --chown=prowler:prowler README.md /home/prowler/ +COPY --chown=prowler:prowler prowler/providers/m365/lib/powershell/m365_powershell.py /home/prowler/prowler/providers/m365/lib/powershell/m365_powershell.py # Install Python dependencies ENV HOME='/home/prowler' @@ -89,7 +89,7 @@ ENV PATH="${HOME}/.local/bin:${PATH}" RUN pip install --no-cache-dir --upgrade pip && \ pip install --no-cache-dir uv==0.11.14 -RUN uv sync --compile-bytecode && \ +RUN uv sync --locked --compile-bytecode && \ rm -rf ~/.cache/uv # Install PowerShell modules diff --git a/api/uv.lock b/api/uv.lock index fe7cd1e89f..03993172d9 100644 --- a/api/uv.lock +++ b/api/uv.lock @@ -4494,7 +4494,7 @@ dependencies = [ [[package]] name = "prowler-api" -version = "1.28.0" +version = "1.29.0" source = { virtual = "." } dependencies = [ { name = "cartography" }, diff --git a/uv.lock b/uv.lock index 87e5e7b094..a738a4db8d 100644 --- a/uv.lock +++ b/uv.lock @@ -3241,7 +3241,7 @@ wheels = [ [[package]] name = "prowler" -version = "5.27.0" +version = "5.28.0" source = { editable = "." } dependencies = [ { name = "alibabacloud-actiontrail20200706" },
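Review bot: In the hunk at @@ -76, the five `COPY --chown=prowler:prowler` lines make the runtime account the owner of its own code under /home/prowler/prowler/ and /home/prowler/dashboard/, so anything running as prowler can rewrite those files in place. If ownership is only needed so the later `uv sync` can write beside pyproject.toml (inferred; the failure being fixed is not visible here), the comment should say so, e.g. `# Copy necessary files (owned by prowler so uv sync can write the project environment)`. The last COPY of m365_powershell.py targets a path that `COPY ... prowler/` already covers, so it looks redundant unless an ignore rule excludes it. A one-line comment giving the reason would help.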
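Review bot: In the hunk at @@ -89, the new `--locked` flag has no comment, although it is what makes the image build reject a stale uv.lock instead of re-resolving dependencies at build time. A short comment above the RUN would stop it being dropped in a later cleanup, e.g. `# --locked: fail if uv.lock does not match pyproject.toml; never re-resolve during the image build`. No code change is proposed for this hunk.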