updated Dockerfile for custom user

Signed-off-by: Peter Siegmund <developer@mars3142.org>

.gitea/workflows/docker.yml

@@ -16,7 +16,11 @@ jobs:
         uses: docker/setup-buildx-action@v2
 
       - name: Login to Gitea Registry
-        run: echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login ${{ secrets.DOMAIN }} -u ${{ secrets.REGISTRY_USER }} --password-stdin
+        uses: docker/login-action@v2
+        with:
+          registry: ${{ secrets.DOMAIN }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
 
       - name: Extract Version
         working-directory: ./server/cinema

server/cinema/.idea/misc.xml

@@ -1,4 +1,3 @@
-<?xml version="1.0" encoding="UTF-8"?>
 <project version="4">
   <component name="ProjectRootManager">
     <output url="file://$PROJECT_DIR$/out" />

server/cinema/Dockerfile

@@ -1,13 +1,22 @@
 # Use latest stable channel SDK.
 FROM dart:stable AS build
 
+# Set user/group IDs (defaults to 1000:1000)
+ARG PUID=1000
+ARG PGID=1000
+
+# Create user and group
+RUN groupadd -g $PGID appgroup && \
+    useradd -u $PUID -g $PGID -m appuser
+
 # Resolve app dependencies.
 WORKDIR /app
 COPY pubspec.* ./
 RUN dart pub get
 
 # Copy app source code (except anything in .dockerignore) and AOT compile app.
-COPY . .
+COPY --chown=$PUID:$PGID . .
+USER appuser
 RUN dart run build_runner build --delete-conflicting-outputs && \
     APP_VERSION=$(grep 'version:' pubspec.yaml | sed 's/version: //') && \
     dart compile exe bin/server.dart -o bin/server \
@@ -16,10 +25,18 @@ RUN dart run build_runner build --delete-conflicting-outputs && \
 # Build minimal serving image from AOT-compiled `/server`
 # and the pre-built AOT-runtime in the `/runtime/` directory of the base image.
 FROM scratch
+
+# Set user/group IDs (defaults to 1000:1000)
+ARG PUID=1000
+ARG PGID=1000
+
 COPY --from=build /runtime/ /
 COPY --from=build /app/bin/server /app/bin/
 COPY assets /assets
 
+# Set user for runtime (using numeric IDs since scratch has no users)
+USER $PUID:$PGID
+
 # Start server.
 EXPOSE 3000
 CMD ["/app/bin/server"]

server/cinema/pubspec.lock

@@ -314,21 +314,13 @@ packages:
     source: hosted
     version: "0.7.2"
   json_annotation:
-    dependency: "direct main"
+    dependency: transitive
     description:
       name: json_annotation
       sha256: "1ce844379ca14835a50d2f019a3099f419082cfdd231cd86a142af94dd5c6bb1"
       url: "https://pub.dev"
     source: hosted
     version: "4.9.0"
-  json_serializable:
-    dependency: "direct dev"
-    description:
-      name: json_serializable
-      sha256: "33a040668b31b320aafa4822b7b1e177e163fc3c1e835c6750319d4ab23aa6fe"
-      url: "https://pub.dev"
-    source: hosted
-    version: "6.11.1"
   lints:
     dependency: "direct dev"
     description:
@@ -497,14 +489,6 @@ packages:
       url: "https://pub.dev"
     source: hosted
     version: "4.0.2"
-  source_helper:
-    dependency: transitive
-    description:
-      name: source_helper
-      sha256: "6a3c6cc82073a8797f8c4dc4572146114a39652851c157db37e964d9c7038723"
-      url: "https://pub.dev"
-    source: hosted
-    version: "1.3.8"
   source_map_stack_trace:
     dependency: transitive
     description: