add no root user

.github/workflows/docker-publish.yml

@@ -22,7 +22,7 @@ jobs:
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
-          password: ${{ secrets.USER_TOKEN }}
+          password: ${{ secrets.USER_TOKEN }}  # Requires `gh secret set USER_TOKEN` to be set
 
       - name: Build and push Docker image (latest tag)
         uses: docker/[email protected]

bioimageio_colab/generate_token.py

@@ -9,8 +9,27 @@ def main():
 
     # Save the token to a .env file
     file_path = os.path.join(os.path.dirname(os.path.dirname(__file__)), ".env")
+
+    updated_env_lines = []
+    found_token_line = False
+
+    # Read existing .env file if it exists
+    if os.path.exists(file_path):
+        with open(file_path, "r") as env_file:
+            for line in env_file:
+                if line.strip().startswith("HYPHA_TOKEN="):
+                    updated_env_lines.append(f'HYPHA_TOKEN="{token}"\n')
+                    found_token_line = True
+                else:
+                    updated_env_lines.append(line)
+
+    # If HYPHA_TOKEN line wasn't found, add it
+    if not found_token_line:
+        updated_env_lines.append(f'HYPHA_TOKEN="{token}"\n')
+
+    # Write back to the .env file
     with open(file_path, "w") as env_file:
-        env_file.write(f'HYPHA_TOKEN="{token}"')
+        env_file.writelines(updated_env_lines)
 
     # Define the permission mode for read and write for the owner only
     mode = 0o600
@@ -19,4 +38,4 @@ def main():
     os.chmod(file_path, mode)
 
 if __name__ == "__main__":
-    main()
+    main()

docker-compose.yml

@@ -5,7 +5,7 @@ services:
     build:
       context: .
       dockerfile: docker/Dockerfile
-    image: bioimageio-colab-segmentation:latest
+    image: ghcr.io/bioimage-io/bioimageio-colab:latest
     env_file:
       - .env
     command: ["--token", "${HYPHA_TOKEN}"]

docker/Dockerfile

@@ -1,6 +1,9 @@
 # Use an image with Python 3.11
 FROM python:3.11-slim
 
+# Create a non-root user
+RUN groupadd -r bioimageio_colab && useradd -r -g bioimageio_colab bioimageio_colab
+
 # Upgrade pip
 RUN pip install --upgrade pip
 
@@ -19,9 +22,17 @@ WORKDIR /app/
 # Copy the python script to the docker environment
 COPY ./bioimageio_colab/segmentation_model.py /app/segmentation_model.py
 
+# Change ownership of the application directory to the non-root user
+RUN chown -R bioimageio_colab:bioimageio_colab /app/
+
+# Switch to the non-root user
+USER bioimageio_colab
+
 # Register the segmentation model as a hypha service
 # Arguments:
 # --token <token>: Token for connecting to the Hypha server
 # --client_id <client_id>: Client ID for registering the service. Default is "model-server"
 # --service_id <service_id>: Service ID for registering the service. Default is "interactive-segmentation"
 ENTRYPOINT ["python", "segmentation_model.py"]
+
+LABEL org.opencontainers.image.source https://github.com/bioimage-io/bioimageio-colab

test/test_model_service.py

@@ -5,7 +5,7 @@
 
 
 def test_get_service():
-    client = connect_to_server({"server_url": "https://ai.imjoy.io"})
+    client = connect_to_server({"server_url": "https://ai.imjoy.io", "method_timeout": 5})
     assert client
 
     service = client.getService("bioimageio-colab/model-server:interactive-segmentation")