diff --git a/.github/workflows/dev-build.yaml b/.github/workflows/dev-build.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..40f4971c5149d55499a898b90ab5a98960a777f4
--- /dev/null
+++ b/.github/workflows/dev-build.yaml
@@ -0,0 +1,77 @@
+name: Publish AnythingLLM Development Docker image (amd64)
+
+concurrency:
+ group: build-${{ github.ref }}
+ cancel-in-progress: true
+
+on:
+ push:
+ branches: ['1915-docker-perms'] # master branch only. Do not modify.
+ paths-ignore:
+ - '**.md'
+ - 'cloud-deployments/*'
+ - 'images/**/*'
+ - '.vscode/**/*'
+ - '**/.env.example'
+ - '.github/ISSUE_TEMPLATE/**/*'
+ - 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced
+ - 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images.
+ - 'docker/vex/*' # CVE exceptions we know are not in risk
+
+jobs:
+ push_multi_platform_to_registries:
+ name: Push Docker multi-platform image to multiple registries
+ runs-on: ubuntu-latest
+ permissions:
+ packages: write
+ contents: read
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v4
+
+ - name: Check if DockerHub build needed
+ shell: bash
+ run: |
+ # Check if the secret for USERNAME is set (don't even check for the password)
+ if [[ -z "${{ secrets.DOCKER_USERNAME }}" ]]; then
+ echo "DockerHub build not needed"
+ echo "enabled=false" >> $GITHUB_OUTPUT
+ else
+ echo "DockerHub build needed"
+ echo "enabled=true" >> $GITHUB_OUTPUT
+ fi
+ id: dockerhub
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to Docker Hub
+ uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
+ # Only login to the Docker Hub if the repo is mintplex/anythingllm, to allow for forks to build on GHCR
+ if: steps.dockerhub.outputs.enabled == 'true'
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+ with:
+ images: |
+ ${{ steps.dockerhub.outputs.enabled == 'true' && 'mintplexlabs/anythingllm' || '' }}
+ tags: |
+ type=raw,value=dev
+
+ - name: Build and push multi-platform Docker image
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ file: ./docker/Dockerfile
+ push: true
+ sbom: true
+ provenance: mode=max
+ platforms: linux/amd64
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ cache-from: type=gha
+ cache-to: type=gha,mode=max
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 5c24fa93880cead75a898ca21d937be3e7d7054a..f040368318e81bf48fb7bfffe0552fc74599ccb4 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -154,6 +154,10 @@ USER anythingllm
 FROM backend-build AS production-build
 WORKDIR /app
 COPY --chown=anythingllm:anythingllm --from=frontend-build /app/frontend/dist /app/server/public
+USER root
+RUN chown -R anythingllm:anythingllm /app/server && \
+ chown -R anythingllm:anythingllm /app/collector
+USER anythingllm
 # No longer needed? (deprecated)
 # WORKDIR /app/server
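Review bot: The `branches: ['1915-docker-perms']` filter contradicts its own trailing comment, `# master branch only. Do not modify.`, so every push to this feature branch publishes the mutable `dev` tag; if the branch is only meant to exercise the Dockerfile change, the comment should say so or the filter should be restored before merge. The fork path also looks incomplete: when `steps.dockerhub.outputs.enabled` is not `'true'`, `images:` expands to an empty block, so `metadata-action` appears to emit no tags and the `push: true` step has nothing to push, while the "allow forks to build on GHCR" comment is not backed by any `ghcr.io/...` image or GHCR login (`permissions: packages: write` is granted but never used). Action pinning is mixed: `docker/login-action` and `docker/metadata-action` are pinned to commit SHAs, but `actions/checkout@v4`, `docker/setup-buildx-action@v3` and `docker/build-push-action@v6` resolve mutable tags, so pin all of them the same way, e.g. `uses: docker/build-push-action@<commit-sha>  # v6`. Interpolating `${{ secrets.DOCKER_USERNAME }}` straight into the `run:` script is harmless here because the value is only tested with `-z` and never printed, but passing it through `env:` and testing `-z "$DOCKER_USERNAME"` keeps template expansion out of shell text and pairs naturally with quoting the redirect as `>> "$GITHUB_OUTPUT"`.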
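Review bot: The recursive `chown -R` of `/app/server` and `/app/collector` runs as its own layer, so every file under those trees is rewritten into the new layer and the image grows by roughly the size of both directories, even though the `COPY --chown=anythingllm:anythingllm` directly above already lands the frontend build with the right owner. If the earlier stages (outside this hunk) copy or build those trees as root, the cheaper fix is `--chown` on those COPY lines or a `chown` inside the same RUN that creates the files; if ownership is already correct there, the added block is a no-op that still costs the layer, which is worth confirming with a `docker history` check before merging. The `USER root` / `USER anythingllm` bracket is correctly scoped, so the privilege drop established by the stage's `USER anythingllm` context line is preserved once the block finishes. The production-build stage continues past the end of the hunk.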