Refactor Dockerfile: streamline uv sync commands and update user permissions for improved security

Author: ochui

Dockerfile

@@ -12,18 +12,17 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
 
 WORKDIR /app
 
-# Copy uv from official image for better security and updates
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
 
 COPY pyproject.toml uv.lock ./
 
 RUN --mount=type=cache,target=/root/.cache/uv \
-    uv sync --locked --no-install-project
+    uv sync --locked --no-dev --no-install-project
 
 COPY . .
 
 RUN --mount=type=cache,target=/root/.cache/uv \
-    uv sync --locked
+    uv sync --locked --no-dev
 
 # --- Runtime stage ---
 FROM python:${PYTHON_VERSION}-slim
@@ -37,23 +36,20 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
 
 WORKDIR /app
 
-RUN groupadd -r appuser && \
-    useradd -r -g appuser -u 1000 -s /sbin/nologin appuser
+RUN groupadd --system flowdacity && \
+    useradd --system --gid flowdacity --uid 1000 --create-home --shell /usr/sbin/nologin flowdacity
 
-COPY --from=builder --chown=appuser:appuser /app/.venv /app/.venv
+COPY --from=builder --chown=flowdacity:flowdacity /app/.venv /app/.venv
+COPY --from=builder --chown=flowdacity:flowdacity /app /app
 
-COPY --chown=appuser:appuser . .
+RUN chmod -R a-w /app && \
+    chmod -R u+rwX /app
 
-RUN chmod -R 555 /app/fq_server && \
-    chmod 555 /app/*.py && \
-    chmod 444 /app/default.conf /app/pyproject.toml
-
-USER appuser
+USER flowdacity
 
 EXPOSE ${PORT}
 
 HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
-    CMD python -c "import os, httpx; port = os.environ.get('PORT', '8080'); httpx.get(f'http://127.0.0.1:{port}/metrics/')" || exit 1
+    CMD python -c "import os, httpx; port = os.environ.get('PORT', '8080'); r = httpx.get(f'http://127.0.0.1:{port}/metrics/'); raise SystemExit(0 if r.status_code < 400 else 1)"
 
-ENTRYPOINT ["sh", "-c"]
-CMD exec uvicorn asgi:app --host 0.0.0.0 --port ${PORT}
+CMD ["sh", "-c", "exec uvicorn asgi:app --host 0.0.0.0 --port ${PORT}"]