From ae2f789a1390d3020fa8837937a80753a3e79f46 Mon Sep 17 00:00:00 2001
From: prdai <prdai@users.noreply.github.com>
Date: Fri, 22 May 2026 17:25:38 +0530
Subject: [PATCH] fix(docker): use ARG for POSTGRES_PASSWORD to avoid baking it
 into image layers

Closes #448. Hardcoded passwords in ENV and RUN instructions persist in
image layers and can be inspected via `docker history`. Switched to a
build-time ARG so the value is not retained in the final image, with
`postgres` as the development default. Override with:

    docker build --build-arg POSTGRES_PASSWORD=... .

Runtime connectors continue to read POSTGRES_PASSWORD from the
deployment environment (e.g. Choreo config), so behavior is unchanged.
---
 .../choreo/development/docker/postgres/Dockerfile   | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/deployment/choreo/development/docker/postgres/Dockerfile b/deployment/choreo/development/docker/postgres/Dockerfile
index 905f65b2..60c55e06 100644
--- a/deployment/choreo/development/docker/postgres/Dockerfile
+++ b/deployment/choreo/development/docker/postgres/Dockerfile
@@ -22,15 +22,15 @@ RUN groupadd -g 10014 choreo && \
 ARG GITHUB_BACKUP_REPO=LDFLK/data-backups
 ARG BACKUP_VERSION=0.0.4
 ARG BACKUP_ENVIRONMENT=development
+# Superuser password is only needed at build time to seed the DB. ARG keeps
+# the value out of the runtime image (ENV would persist it in image layers).
+# Override at build time: docker build --build-arg POSTGRES_PASSWORD=... .
+ARG POSTGRES_PASSWORD=postgres
 
 # Place data outside /var/lib/postgresql/ entirely so that the base image's
 # VOLUME ["/var/lib/postgresql/data"] and Choreo's runtime volume management
 # cannot hide the baked-in files.
 ENV PGDATA=/opt/pgdata
-# Set superuser password so the entrypoint never fails on uninitialized-DB check.
-# Must match the password set during build-time data ingestion below.
-# FIXME: https://github.com/LDFLK/OpenGIN/issues/448 - Hardcoded password. Use build args instead.
-ENV POSTGRES_PASSWORD=postgres
 
 # Create directory and set permissions
 RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA"
@@ -52,9 +52,8 @@ RUN echo "Initializing database in $PGDATA..." && \
     echo "Starting PostgreSQL..." && \
     pg_ctl -D "$PGDATA" -o "-c listen_addresses='localhost'" -w start && \
     \
-    # Set default password to match docker-compose config
-    # FIXME: https://github.com/LDFLK/OpenGIN/issues/448 - Hardcoded password.
-    psql -U postgres -c "ALTER USER postgres WITH PASSWORD 'postgres';" && \
+    # Set superuser password from the POSTGRES_PASSWORD build arg.
+    psql -U postgres -c "ALTER USER postgres WITH PASSWORD '${POSTGRES_PASSWORD}';" && \
     \
     # Create temp workspace
     temp_dir=$(mktemp -d) && \