From 00fcd5b8282678ef7236d22b39c3c3964deab450 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Sun, 29 Mar 2026 13:01:51 -0700
Subject: [PATCH] revert temporary docker and trivy changes (#8833)
---
 .github/workflows/container_latest.yml | 42 +-------------------------
 docker/Dockerfile.go_build | 6 +---
 docker/Dockerfile.local | 6 +---
 3 files changed, 3 insertions(+), 51 deletions(-)
diff --git a/.github/workflows/container_latest.yml b/.github/workflows/container_latest.yml
index f385ed200..27e131a52 100644
--- a/.github/workflows/container_latest.yml
+++ b/.github/workflows/container_latest.yml
@@ -26,7 +26,6 @@ on:
 permissions:
 contents: read
- security-events: write
 jobs:
 setup:
@@ -150,48 +149,9 @@ jobs:
 # Remove Go build cache
 sudo rm -rf /tmp/go-build*
- trivy-scan:
- runs-on: ubuntu-latest
- needs: [setup, build]
- strategy:
- matrix:
- variant: ${{ fromJSON(needs.setup.outputs.variants) }}
- steps:
- - name: Configure variant
- id: config
- run: |
- if [ "${{ matrix.variant }}" == "large_disk" ]; then
- echo "tag_suffix=_large_disk" >> $GITHUB_OUTPUT
- else
- echo "tag_suffix=" >> $GITHUB_OUTPUT
- fi
- - name: Login to GHCR
- uses: docker/login-action@v4
- with:
- registry: ghcr.io
- username: ${{ secrets.GHCR_USERNAME }}
- password: ${{ secrets.GHCR_TOKEN }}
- - name: Run Trivy vulnerability scanner
- # Pin to SHA — mutable tags were compromised (GHSA-69fq-xp46-6x23)
- uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
- with:
- # Scan amd64 only — OS packages are identical across architectures
- # since they all use the same alpine base, so a single-arch scan
- # provides sufficient coverage without multiplying CI time.
- image-ref: ghcr.io/chrislusf/seaweedfs:${{ github.event_name == 'workflow_dispatch' && github.event.inputs.image_tag || 'latest' }}${{ steps.config.outputs.tag_suffix }}-amd64
- format: sarif
- output: trivy-results.sarif
- severity: HIGH,CRITICAL
- exit-code: '1'
- - name: Upload Trivy scan results to GitHub Security
- uses: github/codeql-action/upload-sarif@v3
- if: always()
- with:
- sarif_file: trivy-results.sarif
-
 create-manifest:
 runs-on: ubuntu-latest
- needs: [setup, build, trivy-scan]
+ needs: [setup, build]
 if: github.event_name != 'pull_request'
 strategy:
 matrix:
diff --git a/docker/Dockerfile.go_build b/docker/Dockerfile.go_build
index 3bd536b70..3b8e120ed 100644
--- a/docker/Dockerfile.go_build
+++ b/docker/Dockerfile.go_build
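Review bot: With the changed `needs: [setup, build]` line, `create-manifest` no longer waits on any scan, so the `latest` manifests are published without the HIGH/CRITICAL gate the deleted `trivy-scan` job provided. The subject describes the scan as temporary, so this may be intended, but nothing in the workflow now records that the published image is unscanned or where scanning happens instead; a short comment above `create-manifest:` would make that explicit, e.g. `# NOTE: no image vulnerability scan gates this job (the trivy-scan job was dropped in #8833).` The `jobs:` mapping this hunk edits continues outside the hunk on both sides.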
@@ -79,9 +79,5 @@ RUN mkdir -p /data/filerldb2 && \
 VOLUME /data
 WORKDIR /data
-# Run as non-root by default (satisfies security scanners).
-# Use `docker run --user root` if you need the entrypoint to fix
-# /data volume ownership before dropping privileges.
-USER seaweed
-
+# Entrypoint will handle permission fixes and user switching
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/docker/Dockerfile.local b/docker/Dockerfile.local
index 051c85120..9ea378401 100644
--- a/docker/Dockerfile.local
+++ b/docker/Dockerfile.local
@@ -37,9 +37,5 @@ RUN mkdir -p /data/filerldb2 && \
 VOLUME /data
 WORKDIR /data
-# Run as non-root by default (satisfies security scanners).
-# Use `docker run --user root` if you need the entrypoint to fix
-# /data volume ownership before dropping privileges.
-USER seaweed
-
+# Entrypoint will handle permission fixes and user switching
 ENTRYPOINT ["/entrypoint.sh"]
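Review bot: The new comment `# Entrypoint will handle permission fixes and user switching` in Dockerfile.go_build, and the identical one in the Dockerfile.local hunk, documents a privilege drop this patch does not show: with `USER seaweed` removed the image config records no user, so the container starts as root and stays root on any path that skips the script (an `--entrypoint` override, or `docker exec` into a running container, which defaults to the image's configured user). Whether /entrypoint.sh actually switches users cannot be confirmed from the hunk; if it does, the comment should state the trade-off rather than only the mechanism, e.g. `# No USER directive: the container starts as root so /entrypoint.sh can fix /data ownership` followed by `# before switching to the service user; overriding the entrypoint or --user bypasses that switch.` If the script does not drop privileges, the comment is inaccurate and the image runs fully as root.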