Compare commits


4 Commits

Author SHA1 Message Date
joakimp ba41187e21 Fix entrypoint crash on read-only SSH mount
Publish Docker Image / build-and-push (push) Successful in 28m27s
2026-04-10 17:24:37 +02:00
joakimp 4112d30a3e Add Linux install instructions for gitleaks 2026-04-10 15:49:10 +02:00
joakimp 8d06a737f1 Add OPENCODE_MODEL and AWS_PROFILE to .env.example 2026-04-10 15:46:53 +02:00
joakimp aaf7d66157 Update non-root user description to reflect UID auto-matching 2026-04-10 15:35:51 +02:00
5 changed files with 20 additions and 13 deletions
+1 -1
@@ -10,7 +10,7 @@ OPENCODE_PROVIDER=anthropic
# OPENCODE_MODEL=anthropic/claude-sonnet-4-5
# ── API Keys (set the one matching your provider) ────────────────────
ANTHROPIC_API_KEY=
# ANTHROPIC_API_KEY=
# OPENAI_API_KEY=
# GEMINI_API_KEY=
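Review bot: commenting out `ANTHROPIC_API_KEY=` while the hunk header still shows `OPENCODE_PROVIDER=anthropic` as the default leaves the example inconsistent: a fresh `cp .env.example .env` now selects a provider with no key line active, so the first run fails with an auth error instead of an obvious configuration gap. Either keep the anthropic line active with an empty value to match the default provider, or extend the `# ── API Keys` comment to say explicitly that the line matching `OPENCODE_PROVIDER` must be uncommented. Keeping every key value empty in the committed example is the right choice; the question is only which line is active by default.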
+1 -1
@@ -225,7 +225,7 @@ docker compose run --rm devbox bash # interactive shell
- **Node.js 22** — for npx-based MCP servers
- **AWS CLI v2** — SSO and Bedrock authentication
- **Dev tools** — git, git-lfs, ssh, ripgrep, fd, fzf, jq, curl, wget, vim, tree
- **Non-root user** — runs as `developer` (UID 1000) with sudo access
- **Non-root user** — runs as `developer` with UID auto-matched to workspace owner (sudo available)
## Source
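Review bot: "UID auto-matched to workspace owner" should say what happens when there is no owner to match (no `/workspace` bind mount, or a workspace owned by root), since the entrypoint only remaps when a target UID is found; a reader of this bullet cannot tell whether the container then stays at UID 1000 or ends up as root. "(sudo available)" is also vaguer than the "with sudo access" it replaces: state whether sudo is passwordless, because with UID matching the host user's files are writable both as the remapped user and, via sudo, as root.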
+7 -4
@@ -18,7 +18,7 @@ cp .env.example .env
# Edit .env with your provider, API key, workspace path, git config
# Install git hooks (secret scanning)
brew install gitleaks # one-time
brew install gitleaks # macOS / Linuxbrew
./setup-hooks.sh
# Build and run
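Review bot: the quickstart still shows only `brew install gitleaks`, now labelled "macOS / Linuxbrew", and does not mention the Debian/Ubuntu alternative added further down in this file; Linux users without Linuxbrew who follow the quickstart verbatim get `command not found` and then silently rely on the hook's fail-open path. Add a one-line pointer to the Setup section (or the curl alternative itself) next to this comment.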
@@ -32,7 +32,7 @@ docker compose run --rm devbox
- **Host filesystem access** — bind mount any directory as `/workspace`
- **SSH key forwarding** — git push/pull to private repos
- **MCP server support** — Node.js included for `npx`-based MCP servers
- **Non-root user** — runs as `developer` (UID 1000) with sudo
- **Non-root user** — runs as `developer` with UID auto-matched to workspace owner (sudo available)
- **Optional runtimes** — Python, Go via build args (Node.js always included — required for opencode v1.x)
- **AWS CLI v2** — built-in SSO/Bedrock authentication with headless device-code flow
- **Multi-arch** — amd64 and arm64
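Review bot: this bullet duplicates the one changed in the previous file (the `@@ -225` hunk), so the non-root user is described in two places that must be kept in sync by hand, and the old texts had already drifted ("with sudo access" vs "with sudo"). Keep the detailed wording in one place and have the other bullet link to it, and apply the same clarification requested there: what happens when no workspace owner is found, and whether sudo is passwordless.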
@@ -174,8 +174,11 @@ A [gitleaks](https://github.com/gitleaks/gitleaks) pre-commit hook prevents acci
### Setup
```bash
brew install gitleaks # one-time install
./setup-hooks.sh # installs the pre-commit hook
# macOS / Linuxbrew
brew install gitleaks
# Debian/Ubuntu (download binary)
curl -sSL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_$(uname -s)_$(uname -m).tar.gz | sudo tar -xz -C /usr/local/bin gitleaks
```
The hook runs automatically on every `git commit`. If gitleaks isn't installed, the hook prints a warning and allows the commit (no hard dependency on collaborators).
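Review bot: the Debian/Ubuntu line pipes an unverified download straight into `sudo tar -xz -C /usr/local/bin`, for the very tool meant to keep secrets out of the repository. Add `-f` to the curl invocation so an HTTP error body is not handed to tar, confirm that the computed name (`gitleaks_Linux_x86_64.tar.gz` on a typical host, from `$(uname -s)_$(uname -m)`) actually matches the asset names on the release page, and prefer downloading to a temporary file, checking it against the release's published checksums, and only then extracting with sudo. Also confirm where `./setup-hooks.sh` ends up: in this hunk it appears before the install commands it depends on.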
+9 -6
@@ -34,13 +34,16 @@ if [ -n "$TARGET_UID" ] && [ "$TARGET_UID" != "$CURRENT_UID" ]; then
fi
# ── SSH key permissions ──────────────────────────────────────────────
# If SSH keys are mounted, fix permissions (bind mounts may have wrong perms)
# If SSH keys are mounted, fix permissions (skip if read-only mount)
if [ -d "/home/$USER_NAME/.ssh" ] && [ "$(ls -A "/home/$USER_NAME/.ssh" 2>/dev/null)" ]; then
chmod 700 "/home/$USER_NAME/.ssh"
find "/home/$USER_NAME/.ssh" -type f -name "id_*" ! -name "*.pub" -exec chmod 600 {} \; 2>/dev/null || true
find "/home/$USER_NAME/.ssh" -type f -name "*.pub" -exec chmod 644 {} \; 2>/dev/null || true
[ -f "/home/$USER_NAME/.ssh/known_hosts" ] && chmod 644 "/home/$USER_NAME/.ssh/known_hosts"
[ -f "/home/$USER_NAME/.ssh/config" ] && chmod 600 "/home/$USER_NAME/.ssh/config"
if touch "/home/$USER_NAME/.ssh/.perm_test" 2>/dev/null; then
rm -f "/home/$USER_NAME/.ssh/.perm_test"
chmod 700 "/home/$USER_NAME/.ssh"
find "/home/$USER_NAME/.ssh" -type f -name "id_*" ! -name "*.pub" -exec chmod 600 {} \; 2>/dev/null || true
find "/home/$USER_NAME/.ssh" -type f -name "*.pub" -exec chmod 644 {} \; 2>/dev/null || true
[ -f "/home/$USER_NAME/.ssh/known_hosts" ] && chmod 644 "/home/$USER_NAME/.ssh/known_hosts"
[ -f "/home/$USER_NAME/.ssh/config" ] && chmod 600 "/home/$USER_NAME/.ssh/config"
fi
fi
# ── Drop to developer user for remaining setup ──────────────────────
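Review bot: the write probe fixes the crash, but the read-only case now fails silently: if the mount is read-only and the key permissions are wrong, ssh refuses the key later and the user sees an unrelated git error. Add an `else` branch that warns, naming the directory and the expected modes (700 for `.ssh`, 600 for private keys and `config`). Two smaller points: `touch` followed by `rm -f` of `.perm_test` leaves a stray file in the user's real `~/.ssh` if the entrypoint is interrupted between the two commands (a `trap` for cleanup, or a `[ -w ... ]` probe, avoids that), and because this block runs before "Drop to developer user", the writable branch changes permissions on host files through the bind mount as root; that deserves a comment here and a README note recommending `:ro` on the mount when the host permissions are already correct.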
+2 -1
@@ -13,7 +13,8 @@ cat > "$HOOK_DIR/pre-commit" << 'HOOK'
if ! command -v gitleaks >/dev/null 2>&1; then
echo ""
echo "⚠️ gitleaks is not installed — skipping secret scan"
echo " Install: brew install gitleaks"
echo " Install: brew install gitleaks (macOS)"
echo " Or: curl -sSL https://github.com/gitleaks/gitleaks/releases/latest/download/gitleaks_\$(uname -s)_\$(uname -m).tar.gz | sudo tar -xz -C /usr/local/bin gitleaks"
echo ""
exit 0
fi
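Review bot: the suggested one-liner has the same `curl ... | sudo tar` shape as the README: add `-f` so a failed download is not piped into tar, and point users at a checksum-verified install rather than printing a pipe-to-sudo command from the hook. Separately, `exit 0` when gitleaks is missing is fail-open, which the README documents as intentional for collaborators; consider an opt-in environment variable that makes the missing-scanner case block the commit (for CI or maintainers), so the scan cannot be bypassed simply by uninstalling the tool.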