BULL-3225-better-startup - POC updates to include a startup job that runs with...

BULL-3225-better-startup - POC updates to include a startup job that runs with proper user permissions.

docker/baselines/docker-compose-startup.yml

+version: "3.6"
+services:
+
+  startup:
+    image: alpine:latest
+    container_name: startup-service
+    working_dir: /local-dev
+    user: "${UID:-1000}:${GID:-1000}" # Default to 1000:1000 if UID/GID not set
+    volumes:
+      - .:/local-dev  # Map the root folder to /local-dev in the container
+    command: >
+      sh -c "chmod +x /local-dev/scripts/setup.sh && /local-dev/scripts/setup.sh"
+    healthcheck:
+      test: [ "CMD", "sh", "-c", "test -d /local-dev/reports" ]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 5s
+    restart: "no"

docker/docker-compose-cosmtrek.yml

@@ -3,6 +3,7 @@ services:
   xx_project_name_xx-api:
     image: cosmtrek/air:v1.49.0
     container_name: xx_project_name_xx-api
+    user: "${UID:-1000}:${GID:-1000}" # Default to 1000:1000 if UID/GID not set
     working_dir: /app
     env_file:
       - .env
@@ -26,6 +27,8 @@ services:
     depends_on:
       db:
         condition: service_healthy
+      startup:
+        condition: service_healthy
     healthcheck:
       # due to the way the api authorizes requests, we expect a 401
       test: /opt/healthcheck/healthcheck.sh http://localhost:$$PORT/api/docs 401

docker/docker-compose-express.yml

@@ -6,10 +6,10 @@ services:
       context: .
       dockerfile: Dockerfile.be.dev
     container_name: xx_project_name_xx-api
+    user: "${UID:-1000}:${GID:-1000}" # Default to 1000:1000 if UID/GID not set
     volumes:
       - ./xx_project_name_xx-api:/app
       - /app/node_modules
-    user: node
     command: bash -c "npm run dev"
     environment:
       # container internal port (not exposed to host)
@@ -27,6 +27,8 @@ services:
     depends_on:
       db:
         condition: service_healthy
+      startup:
+        condition: service_healthy
     healthcheck:
       test: curl -f http://localhost:$$PORT/api/health
       timeout: 10s

docker/docker-compose-postgres.yml

@@ -3,6 +3,7 @@ services:
   db:
     image: postgres:11-alpine
     container_name: xx_project_name_xx-db
+    user: "${UID:-1000}:${GID:-1000}" # Default to 1000:1000 if UID/GID not set
     entrypoint: /postgres-entrypoint.sh
     command: >
       -c ssl=on
@@ -19,6 +20,9 @@ services:
       - xx_project_name_xx-net
     ports:
       - "5432:5432"
+    depends_on:
+      startup:
+        condition: service_healthy
     healthcheck:
       test: >
         pg_isready -d $$POSTGRES_DB -U $$POSTGRES_USER

docker/docker-compose-vue.yml

@@ -5,6 +5,7 @@ services:
       context: .
       dockerfile: Dockerfile.ui.dev
     container_name: xx_project_name_xx-ui
+    user: "${UID:-1000}:${GID:-1000}" # Default to 1000:1000 if UID/GID not set
     volumes:
       - ./xx_project_name_xx-ui:/home/node
       - /home/node/node_modules
@@ -18,6 +19,9 @@ services:
     tty: true
     networks:
       - xx_project_name_xx-net
+    depends_on:
+      startup:
+        condition: service_healthy
     healthcheck:
       test: curl -f http://localhost:$$PORT
       timeout: 10s

docker/pipeline-jobs/docker-compose-dockerfile-lint.yml

@@ -3,6 +3,7 @@ services:
   dockerfile-lint<<subProject>>:
     image: registry1.dso.mil/ironbank/opensource/hadolint/hadolint:v2.12.0
     container_name: dockerfile-lint<<subProject>>
+    user: "${UID:-1000}:${GID:-1000}" # Default to 1000:1000 if UID/GID not set
     entrypoint: ["/local-dev/${BASE_SCRIPTS_DIR}/dockerfile-lint/entrypoint.sh"]
     working_dir: /local-dev
     environment:

docker/pipeline-jobs/docker-compose-find-unauthorized.yml

@@ -3,6 +3,7 @@ services:
   find-unauthorized<<subProject>>:
     image: registry1.dso.mil/ironbank/opensource/python:v3.12.5
     container_name: find-unauthorized<<subProject>>
+    user: "${UID:-1000}:${GID:-1000}" # Default to 1000:1000 if UID/GID not set
     entrypoint: ["/local-dev/${BASE_SCRIPTS_DIR}/find-unauthorized/entrypoint.sh"]
     working_dir: /local-dev
     environment:

docker/pipeline-jobs/docker-compose-npm-lint.yml

@@ -3,6 +3,7 @@ services:
   npm-lint<<subProject>>:
     image: registry1.dso.mil/ironbank/opensource/nodejs/nodejs20:20.11
     container_name: npm-lint<<subProject>>
+    user: "${UID:-1000}:${GID:-1000}" # Default to 1000:1000 if UID/GID not set
     entrypoint: ["/local-dev/${BASE_SCRIPTS_DIR}/npm-lint/entrypoint.sh"]
     working_dir: /local-dev
     environment:

docker/pipeline-jobs/docker-compose-npm-unit-tests.yml

@@ -3,6 +3,7 @@ services:
   npm-unit-tests<<subProject>>:
     image: registry1.dso.mil/ironbank/opensource/nodejs/nodejs20:20.11
     container_name: npm-unit-tests<<subProject>>
+    user: "${UID:-1000}:${GID:-1000}" # Default to 1000:1000 if UID/GID not set
     entrypoint: ["/local-dev/${BASE_SCRIPTS_DIR}/npm-unit-tests/entrypoint.sh"]
     working_dir: /local-dev
     environment:

docker/pipeline-jobs/docker-compose-trufflehog.yml

@@ -3,6 +3,7 @@ services:
   trufflehog<<subProject>>:
     image: registry1.dso.mil/ironbank/opensource/trufflehog/trufflehog3:3.0.10
     container_name: trufflehog<<subProject>>
+    user: "${UID:-1000}:${GID:-1000}" # Default to 1000:1000 if UID/GID not set
     entrypoint: ["/local-dev/${BASE_SCRIPTS_DIR}/trufflehog/entrypoint.sh"]
     working_dir: /local-dev
     environment:

formulas/baselines/universal.yml

@@ -3,6 +3,8 @@ pipeline:
     subProject: ''
     exclusions: ''
   pipelineJobs:
+    startup:
+      composeFile: docker/baselines/docker-compose-startup.yml
     trufflehog:
       composeFile: docker/pipeline-jobs/docker-compose-trufflehog.yml
     dockerfile-lint:
@@ -26,4 +28,4 @@ getLocalDevDirs:
 
 getLocalDevFiles:
   - from: scripts/setup.sh
-    to: scripts/setup.sh
\ No newline at end of file
+    to: scripts/setup.sh