From 2dface0dad27770b75a89280aedc146a224e7cbf Mon Sep 17 00:00:00 2001
From: Jasper Herzberg
Date: Thu, 1 Feb 2024 10:13:47 +0100
Subject: [PATCH 1/3] build: use non-root user for API container

---
 apps/api/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile
index e37e5fe6..c61bf7fc 100644
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
@@ -13,9 +13,9 @@ RUN npm --omit=dev ci
 COPY ./dist/apps/api ./
 
 # Use distroless for maximum security: https://github.com/GoogleContainerTools/distroless
-FROM gcr.io/distroless/nodejs${NODE_VERSION}-debian11
+FROM gcr.io/distroless/nodejs${NODE_VERSION}-debian12:nonroot
 
-COPY --from=builder /app /app
+COPY --chown=nonroot --from=builder /app /app
 
 WORKDIR /app
 ENV PORT=3333

From 495852771791ede5bfc630c66ec42e74d458945b Mon Sep 17 00:00:00 2001
From: Jasper Herzberg
Date: Thu, 1 Feb 2024 10:38:07 +0100
Subject: [PATCH 2/3] fix: copy files as read-only for non-root

---
 apps/api/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile
index c61bf7fc..237d13b0 100644
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
@@ -15,7 +15,7 @@ COPY ./dist/apps/api ./
 
 # Use distroless for maximum security: https://github.com/GoogleContainerTools/distroless
 FROM gcr.io/distroless/nodejs${NODE_VERSION}-debian12:nonroot
 
-COPY --chown=nonroot --from=builder /app /app
+COPY --chown=nonroot --chmod=500 --from=builder /app /app
 
 WORKDIR /app
 ENV PORT=3333

From c0d3c5188a95cd1f03aa303655b4ef06f432963b Mon Sep 17 00:00:00 2001
From: Jasper Herzberg
Date: Thu, 1 Feb 2024 10:46:17 +0100
Subject: [PATCH 3/3] fix: let root own all files

---
 apps/api/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile
index 237d13b0..0ec9427f 100644
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
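Review bot: The new `FROM gcr.io/distroless/nodejs${NODE_VERSION}-debian12:nonroot` line still resolves a floating tag, so the move to a non-root user lands together with a base image that can silently change between builds; pin it by digest, e.g. `FROM gcr.io/distroless/nodejs${NODE_VERSION}-debian12:nonroot@sha256:<digest you verified>`, and bump the digest deliberately. The `:nonroot` variant already sets the image user, so the absence of a `USER` instruction after this hunk is correct; if the deployment enforces a numeric runAsNonRoot check, confirm the base image's configured user satisfies it rather than assuming. The `--chown=nonroot` on the COPY line is revised by the later patches in this series, so it is not raised here.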
@@ -15,7 +15,7 @@ COPY ./dist/apps/api ./
 
 # Use distroless for maximum security: https://github.com/GoogleContainerTools/distroless
 FROM gcr.io/distroless/nodejs${NODE_VERSION}-debian12:nonroot
 
-COPY --chown=nonroot --chmod=500 --from=builder /app /app
+COPY --chown=root:root --chmod=655 --from=builder /app /app
 
 WORKDIR /app
 ENV PORT=3333
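Review bot: `--chmod=655` is applied uniformly to every directory and regular file under /app, so each `.js` and `package.json` gets group/other execute bits it does not need, while the runtime user only requires read on files plus traverse on directories; `COPY --chmod` cannot express per-type modes, so this is a deliberate compromise that deserves a comment above the line, e.g. `# Owned by root so the runtime user cannot modify the app; x is only needed on directories for traversal`. With root ownership and no write bit, nothing under /app is writable by the process at runtime, so if the service needs scratch space (logs, cache) give it a tmpfs or /tmp rather than loosening this mode. If the container's uid isolation matters, `--chown=root:nonroot --chmod=750` narrows read access to the runtime group; the base's /etc/group should resolve `nonroot`, as the earlier `--chown=nonroot` already relied on. `--chmod` on COPY needs BuildKit with the `docker/dockerfile:1.2`-or-newer frontend, and the `# syntax=` directive is outside this hunk, so check it is present wherever the legacy builder might still be used.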