Files
wehub-resource-sync 8f10353f0c
CI / lint (push) Has been cancelled
CI / js-syntax (push) Successful in 10m24s
CI / deps-audit (push) Has been cancelled
CI / test (push) Failing after 24m55s
CI / sast-bandit (push) Failing after 11m13s
CI / trivy (push) Failing after 9m32s
Docker Publish / build-and-push (push) Failing after 34m3s
chore: import upstream snapshot with attribution
2026-07-13 12:32:09 +08:00

23 lines
1.1 KiB
Bash

#!/bin/sh
set -e
# Run as the requested UID/GID so files written to the mounted appdata paths are
# owned consistently. This matches the Unraid/NAS convention (defaults there are
# nobody:users = 99:100). When PUID/PGID are unset, fall back to the image's
# original non-root app user (1001), preserving prior behaviour.
PUID="${PUID:-1001}"
PGID="${PGID:-1001}"
# Chown the only paths the app writes to before dropping privileges:
# /app/jobs registry.json, downloaded audio, and stems
# /cache torch/Demucs model weights (TORCH_HOME, XDG_CACHE_HOME)
# /app/settings.json best-effort settings persistence (created on demand)
# App code and the venv under /app stay world-readable, so a different UID can
# still import and run them. Re-chowning is also what fixes a bind mount that
# Docker created as root on first run.
chown -R "${PUID}:${PGID}" /app/jobs /cache 2>/dev/null || true
touch /app/settings.json 2>/dev/null && chown "${PUID}:${PGID}" /app/settings.json 2>/dev/null || true
# Drop to the target user and exec the CMD. gosu accepts a numeric UID:GID even
# when no matching named user exists.
exec gosu "${PUID}:${PGID}" "$@"