✨ Make exporter docker image run on non-root user

docker/images/Dockerfile.exporter

@@ -1,70 +1,76 @@
 FROM ubuntu:22.04
 LABEL maintainer="Andrey Antukh <niwi@niwi.nz>"
 
-ARG DEBIAN_FRONTEND=noninteractive
-
 ENV LANG=en_US.UTF-8 \
     LC_ALL=en_US.UTF-8 \
-    NODE_VERSION=v16.17.0
+    NODE_VERSION=v18.12.1 \
+    DEBIAN_FRONTEND=noninteractive \
+    PATH=/opt/node/bin:$PATH
 
 RUN set -ex; \
+    useradd -U -M -u 1001 -s /bin/false -d /opt/penpot penpot; \
     mkdir -p /etc/resolvconf/resolv.conf.d; \
-    echo "nameserver 8.8.8.8" > /etc/resolvconf/resolv.conf.d/tail; \
+    echo "nameserver 127.0.0.11" > /etc/resolvconf/resolv.conf.d/tail; \
     apt-get -qq update; \
-    apt-get -qqy --no-install-recommends install curl tzdata locales ca-certificates fontconfig xz-utils; \
+    apt-get -qqy --no-install-recommends install \
+      curl \
+      tzdata \
+      locales \
+      ca-certificates \
+      fontconfig \
+      xz-utils \
+    ; \
+    rm -rf /var/lib/apt/lists/*; \
     echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen; \
-    locale-gen; \
-    rm -rf /var/lib/apt/lists/*;
+    locale-gen;
 
 RUN set -ex; \
     apt-get -qq update; \
     apt-get -qqy install \
-        imagemagick \
-        ghostscript \
-        netpbm \
-        poppler-utils \
-        potrace \
-        gconf-service \
-        libasound2 \
-        libatk1.0-0 \
-        libatk-bridge2.0-0 \
-        libatomic1 \
-        libcairo2 \
-        libcups2 \
-        libdbus-1-3 \
-        libexpat1 \
-        libfontconfig1 \
-        libgcc1 \
-        libgconf-2-4 \
-        libgdk-pixbuf2.0-0 \
-        libglib2.0-0 \
-        libgtk-3-0 \
-        libnspr4 \
-        libpango-1.0-0 \
-        libpangocairo-1.0-0 \
-        libx11-6 \
-        libx11-xcb1 \
-        libxcb1 \
-        libxcb-dri3-0 \
-        libxcomposite1 \
-        libxcursor1 \
-        libxdamage1 \
-        libxext6 \
-        libxfixes3 \
-        libxi6 \
-        libxrandr2 \
-        libxrender1 \
-        libxshmfence1 \
-        libxss1 \
-        libxtst6 \
-        fonts-liberation \
-        libnss3 \
-        libgbm1 \
+      imagemagick \
+      ghostscript \
+      netpbm \
+      poppler-utils \
+      potrace \
+      gconf-service \
+      libasound2 \
+      libatk1.0-0 \
+      libatk-bridge2.0-0 \
+      libatomic1 \
+      libcairo2 \
+      libcups2 \
+      libdbus-1-3 \
+      libexpat1 \
+      libfontconfig1 \
+      libgcc1 \
+      libgconf-2-4 \
+      libgdk-pixbuf2.0-0 \
+      libglib2.0-0 \
+      libgtk-3-0 \
+      libnspr4 \
+      libpango-1.0-0 \
+      libpangocairo-1.0-0 \
+      libx11-6 \
+      libx11-xcb1 \
+      libxcb1 \
+      libxcb-dri3-0 \
+      libxcomposite1 \
+      libxcursor1 \
+      libxdamage1 \
+      libxext6 \
+      libxfixes3 \
+      libxi6 \
+      libxrandr2 \
+      libxrender1 \
+      libxshmfence1 \
+      libxss1 \
+      libxtst6 \
+      fonts-liberation \
+      libnss3 \
+      libgbm1 \
     ; \
     rm -rf /var/lib/apt/lists/*;
 
-ENV PATH="/usr/local/nodejs/bin:$PATH"
-
 RUN set -eux; \
     ARCH="$(dpkg --print-architecture)"; \
     case "${ARCH}" in \
@@ -83,19 +89,22 @@ RUN set -eux; \
          ;; \
     esac; \
     curl -LfsSo /tmp/nodejs.tar.xz ${BINARY_URL}; \
-    mkdir -p /usr/local/nodejs; \
-    cd /usr/local/nodejs; \
+    mkdir -p /opt/node; \
+    cd /opt/node; \
     tar -xf /tmp/nodejs.tar.xz --strip-components=1; \
-    chown -R root /usr/local/nodejs; \
-    /usr/local/nodejs/bin/npm install -g yarn; \
-    rm -rf /tmp/nodejs.tar.xz;
+    chown -R root /opt/node; \
+    npm install -g yarn; \
+    rm -rf /tmp/nodejs.tar.xz; \
+    mkdir -p /opt/penpot; \
+    chown -R penpot:penpot /opt/penpot;
 
-WORKDIR /opt/app
+ADD --chown=penpot:penpot ./bundle-exporter/ /opt/penpot/exporter
 
-ADD ./bundle-exporter/ /opt/app/
+WORKDIR /opt/penpot/exporter
+USER penpot:penpot
 
 RUN set -ex; \
     yarn; \
-    npx playwright install chromium;
+    yarn run playwright install chromium;
 
-CMD ["/usr/local/nodejs/bin/node", "app.js"]
+CMD ["node", "app.js"]