fix: docker security warnings

fmenezes · fmenezes · commit 8ecf40de3c14 · 2025-05-16T10:49:49.000+01:00
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -3,6 +3,7 @@ on:
   schedule:
     - cron: "0 1 * * *" # Every day at 1:00 AM
   workflow_dispatch: # Run the action manually
+  pull_request: # TODO: Remove this before merging
 permissions:
   contents: read
   issues: write
@@ -37,6 +38,7 @@ jobs:
           tags: ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:latest, ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:${{ steps.set-properties.outputs.VERSION }}, ${{ vars.DOCKERHUB_IMAGE_REPOSITORY }}:${{ steps.set-properties.outputs.VERSION }}-${{ steps.set-properties.outputs.DATE }}
           file: Dockerfile
           push: true
+          provenance: true
           build-args: |
             VERSION=${{ steps.set-properties.outputs.VERSION }}
       - uses: mongodb-js/devtools-shared/actions/setup-bot-token@main
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,7 @@
 FROM node:22-alpine
+RUN groupadd -g 1000 mcp && \
+    useradd -m -u 1000 -g mcp mcp
+USER mcp
 ARG VERSION=latest
 RUN npm install -g mongodb-mcp-server@${VERSION}
 ENTRYPOINT ["mongodb-mcp-server"]
