
docker-next: fix up Git user home directory and permission issue (#8081)

ᴊᴏᴇ ᴄʜᴇɴ 2 недель назад
Родитель
Сommit
b6030ba713
4 измененных файлов с 39 добавлено и 20 удалено
  1. 1 1
      .github/workflows/docker.yml
  2. 9 8
      Dockerfile.next
  3. 21 11
      docker-next/README.md
  4. 8 0
      docker-next/start.sh

+ 1 - 1
.github/workflows/docker.yml

@@ -414,7 +414,7 @@ jobs:
     secrets: inherit
 
   digitalocean-gc-pull-request:
-    if: ${{ github.event_name == 'pull_request' }}
+    if: ${{ github.event_name == 'pull_request' && github.repository == 'gogs/gogs' }}
     needs: buildx-next-pull-request
     permissions:
       contents: read

+ 9 - 8
Dockerfile.next

@@ -1,4 +1,4 @@
-FROM golang:alpine3.22 AS binarybuilder
+FROM golang:alpine3.23 AS binarybuilder
 RUN apk --no-cache --no-progress add --virtual \
   build-deps \
   build-base \
@@ -11,7 +11,7 @@ COPY . .
 RUN ./docker/build/install-task.sh
 RUN TAGS="cert pam" task build
 
-FROM alpine:3.22
+FROM alpine:3.23
 
 # Create git user and group with fixed UID/GID at build time for better K8s security context support.
 # Using 1000:1000 as it's a common non-root UID/GID that works well with most volume permission setups.
@@ -32,10 +32,11 @@ ENV GOGS_CUSTOM=/data/gogs
 
 WORKDIR /app/gogs
 COPY --from=binarybuilder /gogs.io/gogs/gogs .
-
-# Create data directories and set ownership
-RUN mkdir -p /data/gogs /data/git /backup && \
-    chown -R git:git /app/gogs /data /backup
+COPY docker-next/start.sh .
+RUN chmod +x start.sh && \
+    mkdir -p /data && \
+    ln -s /data/git /home/git && \
+    chown -R git:git /app/gogs /data
 
 # Configure Docker Container
 VOLUME ["/data", "/backup"]
@@ -45,5 +46,5 @@ HEALTHCHECK CMD (curl -o /dev/null -sS http://localhost:3000/healthcheck) || exi
 # Run as non-root user by default for better K8s security context support.
 USER git:git
 
-ENTRYPOINT ["/app/gogs/gogs"]
-CMD ["web"]
+ENTRYPOINT ["/app/gogs/start.sh"]
+CMD ["/app/gogs/gogs", "web"]
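Review bot: In the `@@ -32,10 +32,11 @@` hunk the rewritten RUN drops `/backup` from both `mkdir -p` and `chown -R`, yet `VOLUME ["/data", "/backup"]` three lines below still declares it and `USER git:git` is active before the entrypoint; a volume mounted on a path the image never created is typically created root-owned by the runtime, so writes to `/backup` as the `git` user are likely to fail with a permission error. Put it back, `mkdir -p /data /backup && \` and `chown -R git:git /app/gogs /data /backup` (the new `docker-next/start.sh` does not create it either). `ln -s /data/git /home/git` also assumes `/home/git` does not already exist as a directory — if the user-creation step outside this hunk created a home directory, the link lands inside it as `/home/git/git` instead of replacing it, which is worth verifying (or remove the directory first). Since `chmod +x start.sh` only sets mode bits, `COPY --chmod=755 docker-next/start.sh .` would do the same in the COPY layer when the build runs under BuildKit.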

+ 21 - 11
docker-next/README.md

@@ -18,17 +18,27 @@ This Docker image is designed with Kubernetes security best practices in mind:
 
 ### Kubernetes Security Context example
 
+In the deployment YAML, make sure the following snippets exist:
+
 ```yaml
-securityContext:
-  runAsNonRoot: true
-  runAsUser: 1000
-  runAsGroup: 1000
-  allowPrivilegeEscalation: false
-  seccompProfile:
-    type: RuntimeDefault
-  capabilities:
-    drop:
-      - ALL
+spec:
+  template:
+    spec:
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+      containers:
+      - name: gogs
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 1000
+          allowPrivilegeEscalation: false
+          seccompProfile:
+            type: RuntimeDefault
+          capabilities:
+            drop:
+              - ALL
 ```
 
 ### Custom UID/GID at build time
@@ -83,7 +93,7 @@ $ docker run --name=gogs -p 10022:2222 -p 10880:3000 -v gogs-data:/data gogs/gog
 
 Most of the settings are obvious and easy to understand, but there are some settings can be confusing by running Gogs inside Docker:
 
-- **Repository Root Path**: keep it as default value `/home/git/gogs-repositories`
+- **Repository Root Path**: either `/data/git/gogs-repositories` or `/home/git/gogs-repositories` works.
 - **Run User**: default `git` (UID 1000)
 - **Domain**: fill in with Docker container IP (e.g. `192.168.99.100`). But if you want to access your Gogs instance from a different physical machine, please fill in with the hostname or IP address of the Docker host machine.
 - **SSH Port**: Use the exposed port from Docker container. For example, your SSH server listens on `2222` inside Docker, **but** you expose it by `10022:2222`, then use `10022` for this value.

+ 8 - 0
docker-next/start.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+set -ex
+
+# Create data directories at runtime (needed when /data is a mounted volume)
+mkdir -p /data/gogs /data/git
+
+# Execute the main command
+exec "$@"
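Review bot: The `mkdir -p /data/gogs /data/git` runs as the `git` user (Dockerfile.next sets `USER git:git` before this entrypoint) and `set -e` aborts the container if the mounted `/data` is not writable by that user; that is sensible fail-fast behaviour, but the comment should say so for operators, e.g. `# Runs as the git user; aborts if the mounted /data is not writable by UID 1000 (see the README securityContext/fsGroup example)`. `set -x` additionally echoes every line to stderr on each container start, which is log noise once this is stable — `set -e` alone is enough here.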