From 5ffa808c0f5d3636583236484f0711a7310c18bd Mon Sep 17 00:00:00 2001
From: Anthony Stirling <77850077+Frooodle@users.noreply.github.com>
Date: Wed, 1 Apr 2026 11:54:12 +0100
Subject: [PATCH] Remove gosu (#6036)

---
 .github/workflows/build.yml           |  2 +-
 docker/base/Dockerfile                |  5 ++---
 docker/embedded/Dockerfile            |  4 ++--
 docker/embedded/Dockerfile.fat        |  4 ++--
 docker/embedded/Dockerfile.ultra-lite |  2 +-
 scripts/init-without-ocr.sh           | 15 ++++-----------
 testing/test.sh                       | 16 ++++++++++++++--
 7 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d5c8285d45..e431fd5f7f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -513,7 +513,7 @@ jobs:
             echo "base_image=stirling-pdf-base:pr-test" >> $GITHUB_OUTPUT
             echo "platforms=linux/amd64" >> $GITHUB_OUTPUT
           else
-            echo "base_image=ghcr.io/${{ steps.repoowner.outputs.lowercase }}/stirling-pdf-base:latest" >> $GITHUB_OUTPUT
+            echo "base_image=stirlingtools/stirling-pdf-base:latest" >> $GITHUB_OUTPUT
             echo "platforms=linux/amd64,linux/arm64/v8" >> $GITHUB_OUTPUT
           fi
 
diff --git a/docker/base/Dockerfile b/docker/base/Dockerfile
index dfd64ee705..b2e8266851 100644
--- a/docker/base/Dockerfile
+++ b/docker/base/Dockerfile
@@ -386,7 +386,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
       # Core tools
       ca-certificates tzdata tini bash fontconfig curl \
       ffmpeg poppler-utils fontforge \
-      gosu unpaper pngquant \
+      unpaper pngquant \
       # Fonts: full coverage for standard + fat variants
       fonts-dejavu \
       fonts-liberation2 \
@@ -622,8 +622,7 @@ RUN set -eux; \
         -d /home/stirlingpdfuser -s /bin/bash stirlingpdfuser 2>/dev/null \
         || useradd -m -g stirlingpdfgroup \
           -d /home/stirlingpdfuser -s /bin/bash stirlingpdfuser; \
-    fi; \
-    ln -sf /usr/sbin/gosu /usr/local/bin/su-exec
+    fi
 
 # Application directories
 RUN set -eux; \
diff --git a/docker/embedded/Dockerfile b/docker/embedded/Dockerfile
index ee04dcf7e7..548294a315 100644
--- a/docker/embedded/Dockerfile
+++ b/docker/embedded/Dockerfile
@@ -1,8 +1,8 @@
 # Stirling-PDF - Full version (embedded frontend)
 # Uses pre-built base image for fast builds
 
-ARG BASE_VERSION=1.0.0
-ARG BASE_IMAGE=ghcr.io/stirling-tools/stirling-pdf-base:${BASE_VERSION}
+ARG BASE_VERSION=1.0.1
+ARG BASE_IMAGE=stirlingtools/stirling-pdf-base:${BASE_VERSION}
 
 # Stage 1: Build the Java application and frontend
 FROM gradle:9.3.1-jdk25 AS app-build
diff --git a/docker/embedded/Dockerfile.fat b/docker/embedded/Dockerfile.fat
index dfdaaea691..766fede0f2 100644
--- a/docker/embedded/Dockerfile.fat
+++ b/docker/embedded/Dockerfile.fat
@@ -2,8 +2,8 @@
 # Extra fonts for air-gapped environments
 # Uses pre-built base image for fast builds
 
-ARG BASE_VERSION=1.0.0
-ARG BASE_IMAGE=ghcr.io/stirling-tools/stirling-pdf-base:${BASE_VERSION}
+ARG BASE_VERSION=1.0.1
+ARG BASE_IMAGE=stirlingtools/stirling-pdf-base:${BASE_VERSION}
 
 # Stage 1: Build the Java application and frontend
 FROM gradle:9.3.1-jdk25 AS app-build
diff --git a/docker/embedded/Dockerfile.ultra-lite b/docker/embedded/Dockerfile.ultra-lite
index e0d719cd70..fb2e4bae56 100644
--- a/docker/embedded/Dockerfile.ultra-lite
+++ b/docker/embedded/Dockerfile.ultra-lite
@@ -93,7 +93,7 @@ RUN echo "@main https://dl-cdn.alpinelinux.org/alpine/edge/main" | tee -a /etc/a
     bash \
     curl \
     shadow \
-    su-exec && \
+    util-linux && \
     mkdir -p $HOME /configs /logs /customFiles /pipeline/watchedFolders /pipeline/finishedFolders /tmp/stirling-pdf /tmp/stirling-pdf/heap_dumps && \
     mkdir -p /usr/share/fonts/opentype/noto && \
     # User permissions
diff --git a/scripts/init-without-ocr.sh b/scripts/init-without-ocr.sh
index 26e98c598c..c3f63a4124 100755
--- a/scripts/init-without-ocr.sh
+++ b/scripts/init-without-ocr.sh
@@ -176,13 +176,6 @@ UNOSERVER_PIDS=()
 UNOSERVER_PORTS=()
 UNOSERVER_UNO_PORTS=()
 
-SU_EXEC_BIN=""
-if command_exists su-exec; then
-  SU_EXEC_BIN="su-exec"
-elif command_exists gosu; then
-  SU_EXEC_BIN="gosu"
-fi
-
 CURRENT_USER="$(id -un)"
 CURRENT_UID="$(id -u)"
 SWITCH_USER_WARNING_EMITTED=false
@@ -197,8 +190,8 @@ warn_switch_user_once() {
 run_as_runtime_user() {
   if [ "$CURRENT_USER" = "$RUNTIME_USER" ]; then
     "$@"
-  elif [ "$CURRENT_UID" -eq 0 ] && [ -n "$SU_EXEC_BIN" ]; then
-    "$SU_EXEC_BIN" "$RUNTIME_USER" "$@"
+  elif [ "$CURRENT_UID" -eq 0 ] && command_exists setpriv; then
+    setpriv --reuid="$RUNTIME_USER" --regid="$(id -gn "$RUNTIME_USER")" --init-groups -- "$@"
   else
     warn_switch_user_once
     "$@"
@@ -915,8 +908,8 @@ fi
 
 if [ "$CURRENT_USER" = "$RUNTIME_USER" ]; then
   "${JAVA_CMD[@]}" &
-elif [ "$CURRENT_UID" -eq 0 ] && [ -n "$SU_EXEC_BIN" ]; then
-  "$SU_EXEC_BIN" "$RUNTIME_USER" "${JAVA_CMD[@]}" &
+elif [ "$CURRENT_UID" -eq 0 ] && command_exists setpriv; then
+  setpriv --reuid="$RUNTIME_USER" --regid="$(id -gn "$RUNTIME_USER")" --init-groups -- "${JAVA_CMD[@]}" &
 else
   warn_switch_user_once
   "${JAVA_CMD[@]}" &
diff --git a/testing/test.sh b/testing/test.sh
index 9308cd71d3..4dce6c0157 100644
--- a/testing/test.sh
+++ b/testing/test.sh
@@ -88,6 +88,7 @@ capture_failure_logs() {
 capture_build_failure() {
     local build_name=$1
     local log_file="$REPORT_DIR/${build_name//[^a-zA-Z0-9_-]/_}.failure.log"
+    local build_log="$REPORT_DIR/${build_name//[^a-zA-Z0-9_-]/_}.build.log"
     local gradle_report_dirs=(
         "$PROJECT_ROOT/app/core/build/reports/tests"
         "$PROJECT_ROOT/app/common/build/reports/tests"
@@ -99,6 +100,13 @@ capture_build_failure() {
         echo "Timestamp: $(date -u +%Y-%m-%dT%H:%M:%SZ)"
         echo "---"
 
+        # Include Docker/command build output if captured
+        if [ -f "$build_log" ]; then
+            echo "--- Build output (last 100 lines) ---"
+            tail -100 "$build_log"
+            echo ""
+        fi
+
         for report_dir in "${gradle_report_dirs[@]}"; do
             if [ -d "$report_dir" ]; then
                 local txt_index="$report_dir/test/index.html"
@@ -699,12 +707,14 @@ main() {
         else
             DOCKER_CACHE_ARGS_ULTRA_LITE=""
         fi
+        local ultra_lite_build_log="$REPORT_DIR/Build-Ultra-Lite-Docker.build.log"
         if ! docker buildx build --build-arg VERSION_TAG=alpha \
             -t docker.stirlingpdf.com/stirlingtools/stirling-pdf:ultra-lite \
             -f ./docker/embedded/Dockerfile.ultra-lite \
             --load \
-            ${DOCKER_CACHE_ARGS_ULTRA_LITE} .; then
+            ${DOCKER_CACHE_ARGS_ULTRA_LITE} . 2>&1 | tee "$ultra_lite_build_log"; then
             failed_tests+=("Build-Ultra-Lite-Docker")
+            capture_build_failure "Build-Ultra-Lite-Docker"
             gha_endgroup
             exit 1
         fi
@@ -783,13 +793,15 @@ main() {
         else
             DOCKER_CACHE_ARGS_FAT=""
         fi
+        local fat_build_log="$REPORT_DIR/Build-Fat-Docker.build.log"
         if ! docker buildx build --build-arg VERSION_TAG=alpha \
             ${BASE_IMAGE_ARG} \
             -t docker.stirlingpdf.com/stirlingtools/stirling-pdf:fat \
             -f ./docker/embedded/Dockerfile.fat \
             --load \
-            ${DOCKER_CACHE_ARGS_FAT} .; then
+            ${DOCKER_CACHE_ARGS_FAT} . 2>&1 | tee "$fat_build_log"; then
             failed_tests+=("Build-Fat-Docker")
+            capture_build_failure "Build-Fat-Docker"
             gha_endgroup
             exit 1
         fi