From 4525ac687b4219c2e72d8f3c6dc812ce137a4111 Mon Sep 17 00:00:00 2001
From: LIESLEN <sebastien.lentz@arcelormittal.com>
Date: Thu, 14 Aug 2025 13:54:31 +0200
Subject: [PATCH] feat: add Docker publish workflow for multi-architecture
 builds fix: Dockerfile: make image arbitrary-UID friendly for OpenShift
 (group 0 + g+rwX, SGID, no fixed USER)

---
 .github/workflows/docker-publish.yml | 54 ++++++++++++++++++++++++++++
 Dockerfile                           |  9 +++++
 2 files changed, 63 insertions(+)
 create mode 100644 .github/workflows/docker-publish.yml

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
new file mode 100644
index 0000000000..ba1dea9953
--- /dev/null
+++ b/.github/workflows/docker-publish.yml
@@ -0,0 +1,54 @@
+name: Docker publish (multi-arch)
+
+on:
+  push:
+    branches: ["fix/**", "feat/**", "docker/**"]
+  pull_request:
+    branches: ["main"]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    env:
+      IMAGE: ghcr.io/${{ github.repository_owner }}/open-webui
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE }}
+          tags: |
+            type=ref,event=branch
+            type=sha
+            type=raw,value=uidfix,enable=${{ startsWith(github.ref, 'refs/heads/fix/') }}
+
+      - name: Login to GHCR (skip on PR)
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build (PR) / Build & Push (branch)
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
index 5747680e86..e6eb4ff27c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -170,6 +170,15 @@ EXPOSE 8080
 
 HEALTHCHECK CMD curl --silent --fail http://localhost:${PORT:-8080}/health | jq -ne 'input.status == true' || exit 1
 
+# Minimal, atomic permission hardening for OpenShift (arbitrary UID):
+# - Group 0 owns /app and /root
+# - Directories are group-writable and have SGID so new files inherit GID 0
+RUN set -eux; \
+    chgrp -R 0 /app /root || true; \
+    chmod -R g+rwX /app /root || true; \
+    find /app -type d -exec chmod g+s {} + || true; \
+    find /root -type d -exec chmod g+s {} + || true
+
 USER $UID:$GID
 
 ARG BUILD_HASH