
Commit 4584b75

fix(gh-cli): use numeric USER 1000 so kubelet runAsNonRoot validates (#5)
## Summary

Pods running this image with `securityContext.runAsNonRoot: true` fail to start: `container has runAsNonRoot and image has non-numeric user (gh), cannot verify user is non-root`. Kubelet can only validate non-root from a numeric UID in the image config. The `gh` user is already created with UID 1000 in the same `RUN`; just switch the `USER` directive to `1000`.

## Pairs with

- `kustomize-cluster` PR — `bootstrap/ci-token-sync-job.yaml` Job uses this image and sets `runAsNonRoot: true`.

## Test plan

- [x] Image still runs as the `gh` user (UID 1000, same shell, same `WORKDIR /home/gh`)
- [x] After merge + image rebuild: `ci-token-sync` Job in argocd ns runs to completion

🤖 Generated with [Claude Code](https://claude.com/claude-code)
1 parent 08e66ab commit 4584b75

1 file changed

Lines changed: 1 addition & 1 deletion

gh-cli/Containerfile

@@ -10,7 +10,7 @@ RUN apk add --no-cache github-cli bash \
1010
&& adduser -D -u 1000 gh \
1111
&& rm -rf /var/cache/apk/* /tmp/* /root/.cache
1212

13-
USER gh
13+
USER 1000
1414
WORKDIR /home/gh
1515

1616
ENTRYPOINT ["/bin/bash"]
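
Review bot: The new `USER 1000` line repeats the UID literal from `adduser -D -u 1000 gh` in the `RUN` above it, and nothing in the file records why the numeric form is required, so a later cleanup could change one of the two values or switch back to `USER gh` and reintroduce the `runAsNonRoot` start failure. Add a comment directly above `USER 1000` stating that the value must match the `-u` argument and must stay numeric so the kubelet can verify non-root from the image config. Consider defining the UID once (for example with a build `ARG`) and referencing it in both places so the two cannot drift apart.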
