
refactor: Use non-root user in docker

Owen Diffey 1 month ago
parent
commit
372433c76a
2 changed files with 51 additions and 26 deletions
  1. 25 13
      backend/Dockerfile
  2. 26 13
      frontend/Dockerfile

+ 25 - 13
backend/Dockerfile

@@ -1,32 +1,44 @@
-FROM node:20-alpine AS backend_node_modules
+FROM node:20-alpine AS backend_base
+
+ARG UID=1000
+ARG GID=1000
+
+RUN deluser --remove-home node \
+    && addgroup -S -g ${GID} musare \
+    && adduser -SD -u ${UID} musare \
+    && adduser musare musare
+
+RUN mkdir -p /opt/.git /opt/common /opt/types /opt/app \
+    && chown -R musare:musare /opt/app
+
+WORKDIR /opt/app
+
+USER musare
+
+FROM backend_base AS backend_node_modules
 
 RUN mkdir -p /opt/app
 WORKDIR /opt/app
 
-COPY backend/package.json backend/package-lock.json /opt/app/
+COPY --chown=musare:musare --link backend/package.json backend/package-lock.json /opt/app/
 
 RUN npm install
 
-FROM node:20-alpine AS musare_backend
+FROM backend_base AS musare_backend
 
 ARG CONTAINER_MODE=production
 ARG BACKEND_MODE=production
 ENV CONTAINER_MODE=${CONTAINER_MODE}
 ENV BACKEND_MODE=${BACKEND_MODE}
 
-RUN mkdir -p /opt/.git /opt/common /opt/types /opt/app
-WORKDIR /opt/app
-
-COPY .git /opt/.git
-COPY common /opt/common
-COPY types /opt/types
-COPY backend /opt/app
-COPY --from=backend_node_modules /opt/app/node_modules node_modules
+COPY --chown=musare:musare --link .git /opt/.git
+COPY --chown=musare:musare --link common /opt/common
+COPY --chown=musare:musare --link types /opt/types
+COPY --chown=musare:musare --link backend /opt/app
+COPY --chown=musare:musare --link --from=backend_node_modules /opt/app/node_modules node_modules
 
 RUN sh -c '([[ "${BACKEND_MODE}" == "development" ]] && exit 0) || npm run build'
 
-RUN chmod u+x entrypoint.sh
-
 ENTRYPOINT sh /opt/app/entrypoint.sh
 
 EXPOSE 8080/tcp
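Review bot: The `chown -R musare:musare /opt/app` in the second RUN of backend_base covers only /opt/app, so /opt/.git, /opt/common and /opt/types created by the same `mkdir -p` stay root-owned while the later `COPY --chown` lines populate them; if the build or entrypoint.sh ever writes into those trees the new `USER musare` will hit a permission error, so either drop the three from the `mkdir` (COPY creates missing destinations) or own all four: `&& chown -R musare:musare /opt/.git /opt/common /opt/types /opt/app`. The user creation also leans on BusyBox adduser silently reusing the pre-existing `musare` group when no `-G` is given and then re-adds the user to its own primary group; `adduser -S -D -u ${UID} -G musare musare` makes the primary group explicit and lets the `adduser musare musare` line go. `RUN mkdir -p /opt/app` and `WORKDIR /opt/app` in backend_node_modules are now redundant, since backend_base already does both before the stage starts. The same ownership pattern is in frontend/Dockerfile, where /run/nginx is likewise created but not chowned even though nginx is installed after the switch to musare and, if it runs as that user, needs that directory writable.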

+ 26 - 13
frontend/Dockerfile

@@ -1,13 +1,27 @@
-FROM node:20-alpine AS frontend_node_modules
+FROM node:20-alpine AS frontend_base
+
+ARG UID=1000
+ARG GID=1000
+
+RUN deluser --remove-home node \
+    && addgroup -S -g ${GID} musare \
+    && adduser -SD -u ${UID} musare \
+    && adduser musare musare
+
+RUN mkdir -p /opt/.git /opt/common /opt/types /opt/app /run/nginx \
+    && chown -R musare:musare /opt/app
 
-RUN mkdir -p /opt/app
 WORKDIR /opt/app
 
-COPY frontend/package.json frontend/package-lock.json /opt/app/
+USER musare
+
+FROM frontend_base AS frontend_node_modules
 
-RUN npm install --silent
+COPY --chown=musare:musare --link frontend/package.json frontend/package-lock.json /opt/app/
 
-FROM node:20-alpine AS musare_frontend
+RUN npm install
+
+FROM frontend_base AS musare_frontend
 
 ARG FRONTEND_MODE=production
 ARG FRONTEND_PROD_DEVTOOLS=false
@@ -31,16 +45,15 @@ ENV FRONTEND_MODE=${FRONTEND_MODE} \
     MUSARE_DEBUG_GIT_LATEST_COMMIT=${MUSARE_DEBUG_GIT_LATEST_COMMIT} \
     MUSARE_DEBUG_GIT_LATEST_COMMIT_SHORT=${MUSARE_DEBUG_GIT_LATEST_COMMIT_SHORT}
 
+USER root
 RUN apk add nginx
+USER musare
 
-RUN mkdir -p /opt/.git /opt/common /opt/types /opt/app /run/nginx
-WORKDIR /opt/app
-
-COPY .git /opt/.git
-COPY common /opt/common
-COPY types /opt/types
-COPY frontend /opt/app
-COPY --from=frontend_node_modules /opt/app/node_modules node_modules
+COPY --chown=musare:musare --link .git /opt/.git
+COPY --chown=musare:musare --link common /opt/common
+COPY --chown=musare:musare --link types /opt/types
+COPY --chown=musare:musare --link frontend /opt/app
+COPY --chown=musare:musare --from=frontend_node_modules --link /opt/app/node_modules node_modules
 
 RUN sh -c '([[ "${FRONTEND_MODE}" == "development" ]] && exit 0) || npm run prod'