drop to unprivileged user

Author: GoliathLabs

.github/workflows/publish.yml

@@ -74,7 +74,7 @@ jobs:
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: .
-          platforms: linux/amd64,linux/arm64/v8,linux/arm/v7
+          platforms: linux/amd64,linux/arm64/v8
           push: true
           cache-from: type=gha
           cache-to: type=gha,mode=max

Dockerfile

@@ -18,4 +18,9 @@ RUN set -ex; \
 COPY index.js settings.js ./
 COPY views ./views
 
+# Ensure the application directory is owned by an unprivileged user and run as that user
+RUN chown -R 1000:1000 /app
+
+USER 1000
+
 CMD ["node", "index.js"]