Merge pull request #247 from keboola/mcp-v18-update

Copied PR: Make sure app is running with correct user
release notes
Bump version to 1.18.2 in pyproject.toml.
Harden Docker image: run as non-root user with configurable UID/GID; fix COPY --chown to use UID/GID; set USER in Dockerfile.
CI: add push-only job to build the Docker image and run a simple e2e smoke test via tests/docker/ci.sh against the HTTP-compat endpoint.
No functional changes to server runtime or API.
plans for customer communication
If customers use the Docker image: note the switch to non-root user. Advise verifying file/volume permissions and ownership when bind mounting or writing to host volumes.
Otherwise, no customer-facing changes required.
impact analysis
Worst case: container fails to read/write mounted volumes due to permissions, causing startup/runtime errors.
CI-only job uses secrets for smoke test; failures block push CI but do not affect runtime package.
No API/transport behavior changes; ports unchanged.
change type
Improvement/Security hardening + CI enhancement

justification
Improve container security by dropping root.
Add automated Docker build + smoke test to catch regressions before release.
deployment plan
Merge PR; tag main. Existing workflow will run build, integration tests, and Docker smoke test. Publish pipeline remains unchanged.
rollback plan
Revert PR; retag/release prior version.
post release support plan

Author: mariankrotil

.github/workflows/ci.yml

@@ -147,6 +147,42 @@ jobs:
           path: ./integtest-results.xml
           reporter: 'java-junit'
 
+  build_docker_image_and_do_basic_test:
+    name: Build Docker image and do basic test
+    needs:
+      - build
+      - integration_tests
+    runs-on: ubuntu-latest
+    # run this job only for push events (not pull requests)
+    if: github.event_name == 'push'
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker login
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_PUSH_USER }}
+          password: ${{ secrets.DOCKERHUB_PUSH_TOKEN }}
+
+      - name: Build Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: linux/amd64
+          tags: "keboola/mcp-server:ci"
+          push: false
+          load: true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Run simple e2e test
+        run: |
+          STORAGE_API_TOKEN=${{ secrets.INTEGTEST_STORAGE_TOKEN }} STORAGE_API_URL=${{ vars.INTEGTEST_STORAGE_API_URL }} ./tests/docker/ci.sh
+
   deploy_to_pypi:
     needs:
       - build

Dockerfile

@@ -22,14 +22,23 @@ RUN --mount=type=cache,target=/root/.cache/uv     uv pip install ddtrace~=3.0
 
 FROM python:3.12-slim-bookworm
 
+ARG APP_USER_NAME=app
+ARG APP_USER_UID=1000
+ARG APP_USER_GID=1000
+
+RUN groupadd --gid ${APP_USER_GID} ${APP_USER_NAME} \
+  && useradd --uid ${APP_USER_UID} --gid ${APP_USER_GID} ${APP_USER_NAME}
+
 WORKDIR /app
 ENV LOG_CONFIG=/app/logging-json.conf
 
-COPY --from=uv --chown=app:app /app/.venv /app/.venv
+COPY --from=uv --chown=${APP_USER_UID}:${APP_USER_GID} /app/.venv /app/.venv
 COPY logging-json.conf /app/logging-json.conf
 
 # Place executables in the environment at the front of the path
 ENV PATH="/app/.venv/bin:$PATH"
 
+USER $APP_USER_NAME
+
 # when running the container, add KBC_STORAGE_API_URL environment variable and a bind mount to the host's db file
 ENTRYPOINT ["python", "-m", "keboola_mcp_server", "--log-level", "DEBUG"]

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "keboola-mcp-server"
-version = "1.18.1"
+version = "1.18.2"
 description = "MCP server for interacting with Keboola Connection"
 readme = "README.md"
 requires-python = ">=3.10"

tests/docker/ci.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+CONTAINER_NAME="keboola-mcp-server-test-docker"
+IMAGE_NAME="keboola/mcp-server:ci"
+
+cleanup() {
+    docker stop "$CONTAINER_NAME" >/dev/null 2>&1 || true
+    docker rm "$CONTAINER_NAME" >/dev/null 2>&1 || true
+}
+trap cleanup EXIT
+
+main() {
+    # Start container
+    echo "Starting container..."
+    docker run -d \
+        --name "$CONTAINER_NAME" \
+        -p "8080:8000" \
+        "$IMAGE_NAME" \
+        --transport http-compat \
+        --api-url "$STORAGE_API_URL" \
+        --storage-token "$STORAGE_API_TOKEN" \
+        --host "0.0.0.0" \
+        --port 8000 >/dev/null
+
+    # Give server time to start
+    sleep 5
+
+    # Wait and test MCP initialize
+    echo "Testing MCP initialize..."
+    for i in $(seq 1 30); do
+        response=$(curl -s -w "\n%{http_code}" -X POST \
+           -H "Content-Type: application/json" \
+           -H "Accept: application/json, text/event-stream" \
+           -d '{"jsonrpc": "2.0", "id": 1, "method": "initialize", "params": {"protocolVersion": "2024-11-05", "capabilities": {}, "clientInfo": {"name": "ci-docker-test", "version": "1.0.0"}}}' \
+           "http://localhost:8080/mcp" 2>/dev/null)
+
+        http_code=$(echo "$response" | tail -n1)
+        body=$(echo "$response" | sed '$d')
+
+        if [ "$http_code" = "200" ] && [ -n "$body" ]; then
+            echo "✓ MCP server initialized successfully"
+            echo "Response body:"
+            if command -v jq >/dev/null 2>&1; then
+                echo "$body" | grep "^data: " | sed 's/^data: //' | jq '.'
+            else
+                echo "$body"
+            fi
+            echo "✓ Test passed"
+            exit 0
+        fi
+        sleep 1
+    done
+
+    echo "✗ Server failed to respond"
+    docker logs "$CONTAINER_NAME" 2>&1 | tail -10
+    exit 1
+}
+
+main "$@"