From 0097dd280e3a9afa4c714405856fe88872158707 Mon Sep 17 00:00:00 2001
From: Iain Dillingham
Date: Tue, 16 Jan 2024 15:31:25 +0000
Subject: [PATCH] Run as non-root

Closes #196
---
 docker/Dockerfile          | 7 +++++++
 docker/docker-compose.yaml | 6 ++++++
 docker/justfile            | 6 +++---
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 66d73ce..dc40105 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -154,6 +154,9 @@ LABEL org.opencontainers.image.created=$BUILD_DATE
 ARG GITREF=unknown
 LABEL org.opencontainers.image.revision=$GITREF
+ARG USERID=10005
+ARG GROUPID=10005
+USER ${USERID}:${GROUPID}
 ##################################################
 #
@@ -173,3 +176,7 @@ RUN --mount=type=cache,target=/root/.cache \
 # Override ENTRYPOINT rather than CMD so we can pass arbitrary commands to the entrypoint script
 ENTRYPOINT ["/app/docker/entrypoints/dev.sh"]
+
+ARG USERID
+ARG GROUPID
+USER ${USERID}:${GROUPID}
diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml
index 62ce43e..eff2ee3 100644
--- a/docker/docker-compose.yaml
+++ b/docker/docker-compose.yaml
@@ -44,11 +44,17 @@ services:
     build:
       # the dev stage in the Dockerfile
       target: actions-registry-dev
+      # pass the uid/gid as build arg
+      args:
+        - USERID=${DEV_USERID:-1000}
+        - GROUPID=${DEV_GROUPID:-1000}
     # paths relative to docker-compose.yaml file
     env_file:
       - ../.env
     volumes:
       - ..:/app
+      # provides a persistant inspectable cache for staticfiles
+      - ./staticfiles:/opt/staticfiles
     # override command
     command: python manage.py runserver 0.0.0.0:8000
diff --git a/docker/justfile b/docker/justfile
index efb2bbb..36a78d3 100644
--- a/docker/justfile
+++ b/docker/justfile
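Review bot: The redeclared `ARG USERID` / `ARG GROUPID` in the dev-stage hunk (@@ -173) carry no defaults, and an ARG's default is scoped to the stage that declares it, so a plain `docker build --target actions-registry-dev` without `--build-arg` (i.e. not via compose) would most likely expand the final `USER` to the empty spec `:` — unless a pre-FROM `ARG USERID` outside these hunks supplies one. Repeat the defaults, `ARG USERID=10005` and `ARG GROUPID=10005`, so the stage is non-root on its own. Both `USER` lines also switch to a bare numeric uid:gid; if nothing else in the Dockerfile creates a matching account, the process has no passwd entry and no usable `$HOME`, which trips tools that look them up, and any path the app writes must be chown'd to that uid before the switch — `ENV HOME=/tmp` or a `useradd -u ${USERID}` before `USER` is the usual one-liner. The `RUN --mount=type=cache,target=/root/.cache` context line points at a root-owned cache path; whether that RUN executes before or after the `USER` switch is outside the hunk and worth confirming.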
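Review bot: The new `./staticfiles:/opt/staticfiles` bind mount combines with a container that now runs as `DEV_USERID`, so if `docker/staticfiles` does not already exist on the host the daemon creates it root-owned (on Linux) and the non-root process cannot write there; create it up front, e.g. `mkdir -p docker/staticfiles` in the justfile recipe that runs compose, or check the directory in. The `${DEV_USERID:-1000}` fallback also only matches the host user when compose is launched through the justfile that exports it; a direct `docker compose up` on a host whose uid is not 1000 leaves files written into the `..:/app` bind mount owned by a foreign uid. Say so in the `# pass the uid/gid as build arg` comment, and fix the typo `persistant` → `persistent` in the new volume comment.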
@@ -1,9 +1,9 @@
-export DOCKER_USERID := `id -u`
-export DOCKER_GROUPID := `id -g`
-
 # Load .env files by default
 set dotenv-load := true
+export DEV_USERID := `id -u`
+export DEV_GROUPID := `id -g`
+
 # enable modern docker build features
 export DOCKER_BUILDKIT := "1"
 export COMPOSE_DOCKER_CLI_BUILD := "1"