Switching to non-root user.

leplusorg · Apr 18, 2024 · e7afcbc · e7afcbc
1 parent 1a6a5d9
commit e7afcbc
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 4 deletions.
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
@@ -31,9 +31,6 @@ jobs:
             type=schedule
             type=ref,event=branch
             type=ref,event=pr
-            type=semver,pattern={{version}}
-            type=semver,pattern={{major}}.{{minor}}
-            type=semver,pattern={{major}}
             type=sha
       - uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
         if: github.ref == 'refs/heads/main'

diff --git a/.github/workflows/dockerrelease.yml b/.github/workflows/dockerrelease.yml
@@ -6,6 +6,8 @@ on:
     types: [published]
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -62,5 +62,6 @@ jobs:
         uses: super-linter/super-linter@92e2606383320f72e6129f8a50d8537cf9c84ed6 # v6.3.1
         env:
           VALIDATE_ALL_CODEBASE: true
+	  LINTER_RULES_PATH: .
           DEFAULT_BRANCH: main
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/maven-check-versions/Dockerfile b/maven-check-versions/Dockerfile
@@ -1,5 +1,14 @@
 FROM maven:3.9.6@sha256:db0744d1d8f99bc1050f0fae6041a81fa3981fae21c383ef3d2cbb9b08faf2e6
 
+HEALTHCHECK NONE
+
+ENTRYPOINT []
+
+ARG USER_NAME=default
+ARG USER_HOME=/home/default
+ARG USER_ID=1000
+ARG USER_GECOS=Default
+
 COPY maven-check-versions.sh /opt/
 
 ARG MAVEN_OPTS="-Dhttps.protocols=TLSv1.2 -Dmaven.repo.local=.m2/repository -Dorg.slf4j.simpleLogger.log.org.apache.maven.cli.transfer.Slf4jMavenTransferListener=WARN -Djava.awt.headless=true"
@@ -8,4 +17,17 @@ ENV MAVEN_OPTS="${MAVEN_OPTS}"
 ARG MAVEN_CLI_OPTS="--batch-mode --errors --fail-at-end --show-version -DinstallAtEnd=true -DdeployAtEnd=true"
 ENV MAVEN_CLI_OPTS="${MAVEN_CLI_OPTS}"
 
+RUN adduser \
+  --home "${USER_HOME}" \
+  --uid "${USER_ID}" \
+  --gecos "${USER_GECOS}" \
+  --disabled-password \
+  "${USER_NAME}"
+
+ENV HOME "${USER_HOME}"
+
+USER "${USER_NAME}"
+
+WORKDIR "${HOME}"
+
 CMD ["/opt/maven-check-versions.sh"]
diff --git a/maven-check-versions/docker-compose.test.yml b/maven-check-versions/docker-compose.test.yml
@@ -6,4 +6,4 @@ services:
     build:
       context: .
       dockerfile: Dockerfile
-    command: mvn -v
+    command: "sh -c '[ $(id -u) -ne 0 ] && mvn -v'"