set a non-root user for containers (#2496)

* change root user in dockerfile

* build container on push/pr

* grab docker build params from env

* consolidate container build

* rm unused container build workflow/script

* cleanup ci

* set user for earthly container build

* rm ci docker build for develop branch

* checkout full repo for docker builds

* read earthly push from env

* cleanup ci

* rm unsupported option for actions/checkout@v3

* check dockerfile in ci

* add dockerfile build to earthfile

* authenticate to GH only on schedule builds

* accurate name for dev container builder script

* add note to the dockerfile about earthfile

* document dev build process more clearly
Meisam
2023-01-04 23:15:12 +01:00
committed by GitHub
parent e748d8f765
commit 2c6fd67276
10 changed files with 134 additions and 121 deletions


@@ -25,7 +25,6 @@ crosscompiler:
code:
FROM --platform=linux/amd64 +crosscompiler
COPY . /build
#GIT CLONE --branch=$version git@github.com:owncast/owncast.git /build
build:
ARG EARTHLY_GIT_HASH # provided by Earthly
@@ -110,13 +109,19 @@ docker:
ARG TARGETPLATFORM
FROM --platform=$TARGETPLATFORM alpine:3.15.5
RUN apk update && apk add --no-cache ffmpeg ffmpeg-libs ca-certificates unzip && update-ca-certificates
RUN addgroup -g 101 -S owncast && adduser -u 101 -S owncast -G owncast
WORKDIR /app
COPY --platform=$TARGETPLATFORM +package/owncast.zip /app
RUN unzip -x owncast.zip && mkdir data
RUN chown -R owncast:owncast /app
USER owncast
ENTRYPOINT ["/app/owncast"]
EXPOSE 8080 1935
SAVE IMAGE --push $image:$tag
dockerfile:
FROM DOCKERFILE -f Dockerfile .
unit-tests:
FROM --platform=linux/amd64 bdwyertech/go-crosscompile
COPY . /build
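Review bot: `RUN chown -R owncast:owncast /app` in the `docker` target gives the unprivileged runtime user ownership of the whole install tree, including the `/app/owncast` executable named in ENTRYPOINT, so a compromised server process could overwrite its own binary and bundled files. If the server only needs to write under `data` (not confirmable from this hunk), narrow the grant and fold it into the unzip step: `RUN unzip -x owncast.zip && mkdir data && chown owncast:owncast data`, which also avoids an extra layer that duplicates every file. Deployments that mount a volume populated while the container still ran as root will presumably find it unwritable by uid 101, so an upgrade note in the docs would help. The `docker` target starts above this hunk, so earlier steps in it are not visible here.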