edx · Copilot · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026 · Feb 18, 2026
diff --git a/dockerfiles/codejail-service.Dockerfile b/dockerfiles/codejail-service.Dockerfile
@@ -131,6 +131,13 @@ RUN useradd --no-create-home --shell /bin/false --uid $APP_UID --gid $APP_GID $A
 # Cloning git repo
 ADD https://github.com/${CODEJAIL_SERVICE_REPO}.git#${CODEJAIL_SERVICE_VERSION} /app
 
+# Ensure the repository is owned by the app user
+RUN chown -R ${APP_USER}:${APP_USER} /app
+
+# Copy the entrypoint script that configures git safe.directory at runtime
+COPY dockerfiles/git-safe-entrypoint.sh /usr/local/bin/git-safe-entrypoint.sh
+RUN chmod +x /usr/local/bin/git-safe-entrypoint.sh
+
 WORKDIR /app
 
 RUN python${APP_PY_VER} -m venv /venv && \
@@ -183,6 +190,12 @@ RUN apt-get update && \
 RUN /venv/bin/pip-sync requirements/dev.txt
 RUN python${APP_PY_VER} -m compileall /venv /app
 
+# Dev mode may run as root or as app user, configure git for root
+RUN git config --global --add safe.directory /app
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
+
 
 ##### Production target #####
 
@@ -193,3 +206,9 @@ RUN python${APP_PY_VER} -m compileall /venv /app
 
 # Drop to unprivileged user for running service
 USER ${APP_USER}
+
+# Configure git safe.directory as the app user
+RUN git config --global --add safe.directory /app
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
diff --git a/dockerfiles/commerce-coordinator.Dockerfile b/dockerfiles/commerce-coordinator.Dockerfile
@@ -71,9 +71,21 @@ RUN mkdir -p /edx/var/log
 
 RUN curl -L https://github.com/edx/commerce-coordinator/archive/refs/heads/main.tar.gz | tar -xz --strip-components=1
 
+# Ensure the repository is owned by the app user
+RUN chown -R app:app /edx/app/commerce-coordinator
+
+# Copy the entrypoint script that configures git safe.directory at runtime
+COPY dockerfiles/git-safe-entrypoint.sh /usr/local/bin/git-safe-entrypoint.sh
+RUN chmod +x /usr/local/bin/git-safe-entrypoint.sh
+
 # Code is owned by root so it cannot be modified by the application user.
 # So we copy it before changing users.
 USER app
 
+# Configure git safe.directory as the app user
+RUN git config --global --add safe.directory /edx/app/commerce-coordinator
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
 # Gunicorn 19 does not log to stdout or stderr by default. Once we are past gunicorn 19, the logging to STDOUT need not be specified.
 CMD gunicorn --workers=2 --name commerce-coordinator -c /edx/app/commerce-coordinator/commerce_coordinator/docker_gunicorn_configuration.py --log-file - --max-requests=1000 commerce_coordinator.wsgi:application
diff --git a/dockerfiles/course-discovery.Dockerfile b/dockerfiles/course-discovery.Dockerfile
@@ -69,6 +69,16 @@ WORKDIR ${DISCOVERY_CODE_DIR}
 # Cloning git repo
 RUN curl -L https://github.com/openedx/course-discovery/archive/refs/heads/master.tar.gz | tar -xz --strip-components=1
 
+# Create discovery user for running the app
+RUN useradd -m --shell /bin/false discovery
+
+# Ensure the repository is owned by the discovery user
+RUN chown -R discovery:discovery ${DISCOVERY_CODE_DIR}
+
+# Copy the entrypoint script that configures git safe.directory at runtime
+COPY dockerfiles/git-safe-entrypoint.sh /usr/local/bin/git-safe-entrypoint.sh
+RUN chmod +x /usr/local/bin/git-safe-entrypoint.sh
+
 RUN npm install --production && ./node_modules/.bin/bower install --allow-root --production && ./node_modules/.bin/webpack --config webpack.config.js --progress
 
 # Expose canonical Discovery port
@@ -85,6 +95,12 @@ RUN pip install -r ${DISCOVERY_CODE_DIR}/requirements/production.txt
 
 RUN DISCOVERY_CFG=minimal.yml OPENEDX_ATLAS_PULL=true make pull_translations
 
+USER discovery
+# Configure git safe.directory as the discovery user
+RUN git config --global --add safe.directory ${DISCOVERY_CODE_DIR}
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
 CMD gunicorn --bind=0.0.0.0:8381 --workers 2 --max-requests=1000 -c course_discovery/docker_gunicorn_configuration.py course_discovery.wsgi:application
 
 FROM app AS dev
@@ -104,6 +120,12 @@ RUN DISCOVERY_CFG=minimal.yml OPENEDX_ATLAS_PULL=true make pull_translations
 # Devstack related step for backwards compatibility
 RUN touch ${DISCOVERY_APP_DIR}/discovery_env
 
+USER discovery
+# Configure git safe.directory as the discovery user
+RUN git config --global --add safe.directory ${DISCOVERY_CODE_DIR}
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
 CMD while true; do python ./manage.py runserver 0.0.0.0:8381; sleep 2; done
 
 ###########################################################

diff --git a/dockerfiles/credentials.Dockerfile b/dockerfiles/credentials.Dockerfile
@@ -112,6 +112,13 @@ RUN mkdir -p /edx/var/log
 # Cloning git repo. This line is after the python requirements so that changes to the code will not bust the image cache
 ADD https://github.com/${CREDENTIALS_SERVICE_REPO}.git#${CREDENTIALS_SERVICE_VERSION} /edx/app/credentials/credentials
 
+# Ensure the repository is owned by the app user
+RUN chown -R app:app /edx/app/credentials/credentials
+
+# Copy the entrypoint script that configures git safe.directory at runtime
+COPY dockerfiles/git-safe-entrypoint.sh /usr/local/bin/git-safe-entrypoint.sh
+RUN chmod +x /usr/local/bin/git-safe-entrypoint.sh
+
 # Fetch the translations into the image once the Makefile is in place
 RUN make pull_translations
 
@@ -128,6 +135,11 @@ RUN chown -R app:app /edx/app/credentials/credentials/credentials/static
 # Code is owned by root so it cannot be modified by the application user. So we copy it before changing users.
 USER app
 
+# Configure git safe.directory as the app user
+RUN git config --global --add safe.directory /edx/app/credentials/credentials
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
 # Gunicorn 19 does not log to stdout or stderr by default. Once we are past gunicorn 19, the logging to STDOUT need not be specified.
 CMD gunicorn --workers=2 --name credentials -c /edx/app/credentials/credentials/credentials/docker_gunicorn_configuration.py --log-file - --max-requests=1000 credentials.wsgi:application
 
@@ -150,4 +162,9 @@ RUN make pull_translations
 # Devstack related step for backwards compatibility, used in devstack's docker-compose.yml
 RUN touch ../credentials_env
 
+# Configure git safe.directory for root user in dev
+RUN git config --global --add safe.directory /edx/app/credentials/credentials
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
 CMD while true; do python ./manage.py runserver 0.0.0.0:18150; sleep 2; done
diff --git a/dockerfiles/ecommerce.Dockerfile b/dockerfiles/ecommerce.Dockerfile
@@ -46,6 +46,13 @@ RUN nodeenv ${ECOMMERCE_NODEENV_DIR} --node=16.14.0 --prebuilt && npm install -g
 # Set working directory to the root of the repo
 WORKDIR ${ECOMMERCE_CODE_DIR}
 
+# Create ecommerce user for running the app
+RUN useradd -m --shell /bin/false ecommerce
+
+# Copy the entrypoint script that configures git safe.directory at runtime
+COPY dockerfiles/git-safe-entrypoint.sh /usr/local/bin/git-safe-entrypoint.sh
+RUN chmod +x /usr/local/bin/git-safe-entrypoint.sh
+
 # Install JS requirements
 RUN curl -L -o package.json https://raw.githubusercontent.com/edx/ecommerce/2u/main/package.json
 RUN curl -L -o package-lock.json.txt https://raw.githubusercontent.com/edx/ecommerce/2u/main/package-lock.json
@@ -69,6 +76,15 @@ RUN pip install -r ${ECOMMERCE_CODE_DIR}/requirements/production.txt
 # every time any bit of code is changed.
 RUN curl -L https://github.com/edx/ecommerce/archive/refs/heads/2u/main.tar.gz | tar -xz --strip-components=1
 
+# Ensure the repository is owned by the ecommerce user
+RUN chown -R ecommerce:ecommerce ${ECOMMERCE_CODE_DIR}
+
+USER ecommerce
+# Configure git safe.directory as the ecommerce user
+RUN git config --global --add safe.directory ${ECOMMERCE_CODE_DIR}
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
 CMD gunicorn --bind=0.0.0.0:18130 --workers 2 --max-requests=1000 -c ecommerce/docker_gunicorn_configuration.py ecommerce.wsgi:application
 
 FROM app AS dev
@@ -88,6 +104,15 @@ RUN touch ${ECOMMERCE_APP_DIR}/ecommerce_env
 # every time any bit of code is changed.
 RUN curl -L https://github.com/openedx/ecommerce/archive/refs/heads/2u/main.tar.gz | tar -xz --strip-components=1
 
+# Ensure the repository is owned by the ecommerce user
+RUN chown -R ecommerce:ecommerce ${ECOMMERCE_CODE_DIR}
+
 RUN curl -L -o ${ECOMMERCE_CODE_DIR}/ecommerce/settings/devstack.py https://raw.githubusercontent.com/edx/devstack/master/py_configuration_files/ecommerce.py
 
+USER ecommerce
+# Configure git safe.directory as the ecommerce user
+RUN git config --global --add safe.directory ${ECOMMERCE_CODE_DIR}
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
 CMD while true; do python ./manage.py runserver 0.0.0.0:18130; sleep 2; done
diff --git a/dockerfiles/edx-analytics-dashboard.Dockerfile b/dockerfiles/edx-analytics-dashboard.Dockerfile
@@ -66,6 +66,13 @@ RUN pip install  --no-cache-dir -r requirements/production.txt
 
 RUN curl -L https://github.com/edx/edx-analytics-dashboard/archive/refs/heads/master.tar.gz | tar -xz --strip-components=1
 
+# Ensure the repository is owned by the app user (when running with app user)
+RUN chown -R app:app ${INSIGHTS_CODE_DIR}
+
+# Copy the entrypoint script that configures git safe.directory at runtime
+COPY dockerfiles/git-safe-entrypoint.sh /usr/local/bin/git-safe-entrypoint.sh
+RUN chmod +x /usr/local/bin/git-safe-entrypoint.sh
+
 RUN curl -L -o ${INSIGHTS_CODE_DIR}/analytics_dashboard/settings/devstack.py https://raw.githubusercontent.com/edx/devstack/master/py_configuration_files/analytics_dashboard.py
 
 RUN nodeenv ${INSIGHTS_NODEENV_DIR} --node=18.20.2 --prebuilt \
@@ -85,12 +92,22 @@ ENV DJANGO_SETTINGS_MODULE="analytics_dashboard.settings.devstack"
 # Backwards compatibility with devstack
 RUN touch "${INSIGHTS_APP_DIR}/insights_env"
 
+# Configure git safe.directory (needed for git operations at runtime)
+RUN git config --global --add safe.directory ${INSIGHTS_CODE_DIR}
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
 CMD while true; do python ./manage.py runserver 0.0.0.0:8110; sleep 2; done
 
 FROM app AS prod
 
 ENV DJANGO_SETTINGS_MODULE="analytics_dashboard.settings.production"
 
+# Configure git safe.directory (needed for git operations at runtime)
+RUN git config --global --add safe.directory ${INSIGHTS_CODE_DIR}
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
 CMD gunicorn \
   --pythonpath=/edx/app/insights/edx_analytics_dashboard/analytics_dashboard \
   --timeout=300 \

diff --git a/dockerfiles/edx-analytics-data-api.Dockerfile b/dockerfiles/edx-analytics-data-api.Dockerfile
@@ -81,8 +81,20 @@ RUN pip install -r ${ANALYTICS_API_CODE_DIR}/requirements/production.txt
 
 RUN curl -L https://github.com/edx/edx-analytics-data-api/archive/refs/heads/master.tar.gz | tar -xz --strip-components=1
 
+# Ensure the repository is owned by the app user (when running with app user)
+RUN chown -R app:app ${ANALYTICS_API_CODE_DIR}
+
+# Copy the entrypoint script that configures git safe.directory at runtime
+COPY dockerfiles/git-safe-entrypoint.sh /usr/local/bin/git-safe-entrypoint.sh
+RUN chmod +x /usr/local/bin/git-safe-entrypoint.sh
+
 # exec /edx/app/analytics_api/venvs/analytics_api/bin/gunicorn -c /edx/app/analytics_api/analytics_api_gunicorn.py  analyticsdataserver.wsgi:application
 
+# Configure git safe.directory (needed for git operations at runtime)
+RUN git config --global --add safe.directory ${ANALYTICS_API_CODE_DIR}
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
 CMD ["gunicorn" , "-b", "0.0.0.0:8100", "--pythonpath", "/edx/app/analytics_api/analytics_api","analyticsdataserver.wsgi:application"]
 
 FROM base AS dev
@@ -98,9 +110,21 @@ RUN curl -L https://github.com/edx/edx-analytics-data-api/archive/refs/heads/mas
 
 RUN curl -L -o ${ANALYTICS_API_CODE_DIR}/analyticsdataserver/settings/devstack.py https://raw.githubusercontent.com/edx/devstack/master/py_configuration_files/analytics_data_api.py
 
+# Ensure the repository is owned by the app user (when running with app user)
+RUN chown -R app:app ${ANALYTICS_API_CODE_DIR}
+
+# Copy the entrypoint script that configures git safe.directory at runtime
+COPY dockerfiles/git-safe-entrypoint.sh /usr/local/bin/git-safe-entrypoint.sh
+RUN chmod +x /usr/local/bin/git-safe-entrypoint.sh
+
 ENV DJANGO_SETTINGS_MODULE "analyticsdataserver.settings.devstack"
 
 # Devstack related step for backwards compatibility
 RUN touch /edx/app/${ANALYTICS_API_SERVICE_NAME}/${ANALYTICS_API_SERVICE_NAME}_env
 
+# Configure git safe.directory (needed for git operations at runtime)
+RUN git config --global --add safe.directory ${ANALYTICS_API_CODE_DIR}
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
 CMD while true; do python ./manage.py runserver 0.0.0.0:8110; sleep 2; done
diff --git a/dockerfiles/edx-exams.Dockerfile b/dockerfiles/edx-exams.Dockerfile
@@ -93,6 +93,13 @@ RUN mkdir -p /edx/var/log
 # bust the image cache
 RUN curl -L https://github.com/edx/edx-exams/archive/refs/heads/main.tar.gz | tar -xz --strip-components=1
 
+# Ensure the repository is owned by the app user
+RUN chown -R app:app /edx/app/edx-exams
+
+# Copy the entrypoint script that configures git safe.directory at runtime
+COPY dockerfiles/git-safe-entrypoint.sh /usr/local/bin/git-safe-entrypoint.sh
+RUN chmod +x /usr/local/bin/git-safe-entrypoint.sh
+
 FROM app as devstack
 
 ENV DJANGO_SETTINGS_MODULE edx_exams.settings.devstack
@@ -109,5 +116,10 @@ ENV DJANGO_SETTINGS_MODULE edx_exams.settings.production
 # So we copy it before changing users.
 USER app
 
+# Configure git safe.directory as the app user
+RUN git config --global --add safe.directory /edx/app/edx-exams
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
 # Gunicorn 19 does not log to stdout or stderr by default. Once we are past gunicorn 19, the logging to STDOUT need not be specified.
 CMD gunicorn --workers=2 --name edx-exams -c /edx/app/edx-exams/edx_exams/docker_gunicorn_configuration.py --log-file - --max-requests=1000 edx_exams.wsgi:application
diff --git a/dockerfiles/edx-notes-api.Dockerfile b/dockerfiles/edx-notes-api.Dockerfile
@@ -84,6 +84,13 @@ RUN pip install --no-cache-dir -r requirements/pip.txt
 
 RUN curl -L https://github.com/openedx/edx-notes-api/archive/refs/heads/master.tar.gz | tar -xz --strip-components=1
 
+# Ensure the repository is owned by the app user
+RUN chown -R app:app /edx/app/notes
+
+# Copy the entrypoint script that configures git safe.directory at runtime
+COPY dockerfiles/git-safe-entrypoint.sh /usr/local/bin/git-safe-entrypoint.sh
+RUN chmod +x /usr/local/bin/git-safe-entrypoint.sh
+
 RUN mkdir -p /edx/var/log
 
 EXPOSE 8120
@@ -106,5 +113,10 @@ ENV DJANGO_SETTINGS_MODULE="notesserver.settings.yaml_config"
 
 USER app
 
+# Configure git safe.directory as the app user
+RUN git config --global --add safe.directory /edx/app/notes
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
 # Gunicorn 19 does not log to stdout or stderr by default. Once we are past gunicorn 19, the logging to STDOUT need not be specified.
 CMD gunicorn --workers=2 --name notes -c /edx/app/notes/notesserver/docker_gunicorn_configuration.py --log-file - --max-requests=1000 notesserver.wsgi:application
diff --git a/dockerfiles/edx-platform.Dockerfile b/dockerfiles/edx-platform.Dockerfile
@@ -317,15 +317,25 @@ FROM app-deps AS base
 # static directories throughout the file tree.
 COPY --from=translations /edx/app/edxapp/edx-platform /edx/app/edxapp/edx-platform
 
-# Setting edx-platform directory as safe for git commands
-RUN git config --global --add safe.directory /edx/app/edxapp/edx-platform
+# Ensure the repository is owned by the app user
+RUN chown -R app:app /edx/app/edxapp/edx-platform
+
+# Copy the entrypoint script that configures git safe.directory at runtime
+COPY dockerfiles/git-safe-entrypoint.sh /usr/local/bin/git-safe-entrypoint.sh
+RUN chmod +x /usr/local/bin/git-safe-entrypoint.sh
 
 
 # Production target, for use in all deployed environments (stage, prod, edge).
 FROM base AS production
 
 USER app
 
+# Setting edx-platform directory as safe for git commands (as app user)
+RUN git config --global --add safe.directory /edx/app/edxapp/edx-platform
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
+
 ENV EDX_PLATFORM_SETTINGS='docker-production'
 ENV SERVICE_VARIANT="${SERVICE_VARIANT}"
 ENV SERVICE_PORT="${SERVICE_PORT}"
@@ -336,6 +346,14 @@ EXPOSE ${SERVICE_PORT}
 # Development target, e.g. for use in devstack.
 FROM base AS development
 
+# Setting edx-platform directory as safe for git commands (inherited from app user in base)
+USER app
+RUN git config --global --add safe.directory /edx/app/edxapp/edx-platform
+USER root
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
+
 RUN apt-get update && \
     apt-get -y install --no-install-recommends \
         # wget is used in Makefile for common_constraints.txt

diff --git a/dockerfiles/enterprise-access.Dockerfile b/dockerfiles/enterprise-access.Dockerfile
@@ -104,14 +104,31 @@ RUN mkdir -p /edx/var/log
 # Clone the source code
 RUN curl -L https://github.com/edx/enterprise-access/archive/refs/heads/main.tar.gz | tar -xz --strip-components=1
 
+# Ensure the repository is owned by the app user
+RUN chown -R app:app /edx/app/enterprise-access
+
+# Copy the entrypoint script that configures git safe.directory at runtime
+COPY dockerfiles/git-safe-entrypoint.sh /usr/local/bin/git-safe-entrypoint.sh
+RUN chmod +x /usr/local/bin/git-safe-entrypoint.sh
+
 # Change user to app
 USER app
 
+# Configure git safe.directory as the app user
+RUN git config --global --add safe.directory /edx/app/enterprise-access
+
+# Use entrypoint to handle runtime UID changes in Kubernetes
+ENTRYPOINT ["/usr/local/bin/git-safe-entrypoint.sh"]
+
 # Gunicorn 19 does not log to stdout or stderr by default. Once we are past gunicorn 19, the logging to STDOUT need not be specified.
 CMD gunicorn --workers=2 --name enterprise-access -c /edx/app/enterprise-access/enterprise_access/docker_gunicorn_configuration.py --log-file - --max-requests=1000 enterprise_access.wsgi:application
 
 FROM app AS devstack
 USER root
+
+# Configure git safe.directory as root in devstack
+RUN git config --global --add safe.directory /edx/app/enterprise-access
+
 RUN pip install -r requirements/dev.txt
 
 CMD gunicorn --workers=2 --name enterprise-access -c /edx/app/enterprise-access/enterprise_access/docker_gunicorn_configuration.py --log-file - --max-requests=1000 enterprise_access.wsgi:application