From a413e34c6671e9de62245d7ea0227bbbbc2410c2 Mon Sep 17 00:00:00 2001
From: Matt Norton
Date: Fri, 20 Mar 2026 01:35:03 +0000
Subject: [PATCH] Update Dockerfile to use non-root user

This follows standard security best practices to NOT run applications inside docker containers as the root user if possible

Signed-off-by: Matt Norton
---
 Dockerfile | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 8a5d9553c..ec798b53d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,7 +11,7 @@ WORKDIR /app
 RUN --mount=type=cache,target=/root/.cache/uv \
 --mount=type=bind,source=uv.lock,target=uv.lock \
 --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
-uv sync --frozen --no-install-project --no-group dev
+uv sync --locked --no-install-project --no-group dev
 
 COPY LICENSE /app/
 COPY config.py main.py messages.json /app/
@@ -22,13 +22,17 @@ COPY cogs/ /app/cogs/
 
 FROM python:3.13-slim-trixie
 
+RUN groupadd --system --gid 999 nonroot && useradd --system --gid 999 --uid 999 --create-home nonroot
+
 LABEL org.opencontainers.image.source=https://github.com/CSSUoB/TeX-Bot-Py-V2
 LABEL org.opencontainers.image.licenses=Apache-2.0
 
-COPY --from=builder --chown=app:app /app /app
+COPY --from=builder --chown=nonroot:nonroot /app /app
 
 ENV LANG=C.UTF-8 PATH="/app/.venv/bin:$PATH"
 WORKDIR /app
 
+USER nonroot
+
 ENTRYPOINT ["python", "-m", "main"]
 
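Review bot: The `--frozen` to `--locked` switch on the `uv sync` line in the first hunk is unrelated to the non-root change in the subject and is not explained anywhere in the commit; `--locked` makes uv error when uv.lock is out of date with pyproject.toml, whereas `--frozen` installed from the lock as-is, so a build can now fail after a dependency edit that did not regenerate the lock. That is the right behaviour for a reproducible image, but the next maintainer hitting the failure will not know it is deliberate. Add a comment above the RUN, `# --locked: fail the build if uv.lock is stale relative to pyproject.toml instead of installing from a stale lock`, or at least mention the change in the commit message.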
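Review bot: `COPY --from=builder --chown=nonroot:nonroot /app /app` in the second hunk makes the runtime user the owner of its own code and of `.venv`, so the bot process can modify `main.py`, `messages.json` or the installed packages at runtime; least privilege is to keep the application tree root-owned and readable, and only chown directories the bot must write to (nothing in the hunk shows it writes under /app — confirm against the application before changing this). If it does not, plain `COPY --from=builder /app /app` keeps root ownership and is sufficient. Separately, `USER nonroot` by name cannot be verified by runtimes that enforce a non-root UID without consulting /etc/passwd (Kubernetes `runAsNonRoot` rejects a non-numeric image user unless `runAsUser` is set); `USER 999:999` avoids that. The fixed `--gid 999 --uid 999` also sits inside the system-ID range that `--system` allocates from, so the groupadd fails if the base image already uses 999 — probably fine here, but a one-line comment stating why 999 was chosen would help.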