Switch from root to app user for Docker

.dockerignore

@@ -49,6 +49,7 @@ coverage.xml
 *.cover
 .hypothesis/
 .pytest_cache/
+.ruff_cache
 
 # Translations
 *.mo
@@ -140,10 +141,15 @@ test.py
 # Other stuff
 .env.example
 .gitignore
+.dockerignore
 .github/
 app.json
 Procfile
 pyproject.toml
 *.md
 .*.json
-docs/
+docs/
+Dockerfile
+docker-compose.yml
+LICENSE
+PRIVACY.md

Dockerfile

@@ -1,28 +1,27 @@
 FROM python:3.10-alpine as base
 
-RUN apk add wget git cairo-dev cairo cairo-tools \
+RUN apk update && apk add git cairo-dev cairo cairo-tools \
 	# pillow dependencies
     jpeg-dev zlib-dev freetype-dev lcms2-dev openjpeg-dev tiff-dev tk-dev tcl-dev
 
 FROM base AS python-deps
 
-# Install pipenv and compilation dependencies
-RUN apk update && apk add --virtual build-dependencies build-base gcc libffi-dev
-RUN pip install pipenv
+RUN apk add --virtual build-dependencies build-base gcc libffi-dev
 
-# Install python dependencies in /.venv
 COPY Pipfile Pipfile.lock /
-RUN PIPENV_VENV_IN_PROJECT=1 pipenv install --deploy
+RUN pip install pipenv && PIPENV_VENV_IN_PROJECT=1 pipenv install --deploy
 
 FROM base AS runtime
 
-# Copy virtual env from python-deps stage
 COPY --from=python-deps /.venv /.venv
 ENV PATH="/.venv/bin:$PATH"
 
-# Install application into container
 ENV USING_DOCKER yes
-COPY . .
+COPY . /modmail
+WORKDIR /modmail
 
-# Run the application
 CMD ["python", "-m", "bot"]
+
+RUN adduser --disabled-password --gecos '' app && \
+    chown -R app /modmail && chown -R app /.venv
+USER app