fix(docker): add user creation and permissions in Dockerfile (#442)

Co-authored-by: Copilot <copilot@github.com>
Reviewed-on: #442

.gitea/workflows/ci.yml

@@ -16,14 +16,6 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Run Hadolint
-        uses: hadolint/hadolint-action@v3.3.0
-        with:
-          dockerfile: Dockerfile
-          output-file: hadolint.out
-          format: sonarqube
-          no-fail: true
-
       - name: Setup Python
         uses: actions/setup-python@v6
         with:
@@ -53,44 +45,6 @@ jobs:
         run: |
           uv run coverage run -m pytest -v --junitxml=testresults.xml
           uv run coverage report
-          uv run coverage xml -q -o coverage.xml
-          sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml
 
       - name: Minimize uv cache
         run: uv cache prune --ci
-
-      - name: SonarQube Scan
-        uses: SonarSource/sonarqube-scan-action@v7.1.0
-        env:
-          SONAR_HOST_URL: ${{ vars.SONAR_URL }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-
-      # - name: Set up environment for Snyk
-      #   run: |
-      #     uv pip freeze > requirements.txt
-      #     mv pyproject.toml pyproject.toml.bak
-      #     mv uv.lock uv.lock.bak
-
-      # - name: Snyk SAST Scan
-      #   uses: snyk/actions/python@master
-      #   env:
-      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-      #   with:
-      #     # command: snyk
-      #     args: snyk code test #--all-projects --exclude=.archive
-
-      # - name: Snyk Vulnerability Scan
-      #   uses: snyk/actions/python@master
-      #   continue-on-error: true # Sometimes vulns aren't immediately fixable
-      #   env:
-      #     SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
-      #     DEBUG: "*snyk*"
-      #   with:
-      #     # command: snyk
-      #     args: snyk test #--all-projects --exclude=.archive
-      
-      # - name: Reverse set up environment for Snyk
-      #   run: |
-      #     rm -f requirements.txt
-      #     mv pyproject.toml.bak pyproject.toml
-      #     mv uv.lock.bak uv.lock

.gitea/workflows/sonar.yml

@@ -0,0 +1,61 @@
+name: Sonar
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  ci:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v6.0.2
+        with:
+          fetch-depth: 0
+
+      - name: Run Hadolint
+        uses: hadolint/hadolint-action@v3.3.0
+        with:
+          dockerfile: Dockerfile
+          output-file: hadolint.out
+          format: sonarqube
+          no-fail: true
+
+      - name: Setup Python
+        uses: actions/setup-python@v6
+        with:
+          python-version: "3.14"
+
+      - name: uv cache
+        uses: actions/cache@v5
+        with:
+          path: /tmp/.uv-cache
+          key: uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
+          restore-keys: |
+            uv-${{ runner.os }}-${{ hashFiles('uv.lock') }}
+            uv-${{ runner.os }}
+
+      - name: Install dependencies
+        run: uv sync
+      
+
+      - name: Lint
+        run: |
+          uv run pylint --recursive=yes --output-format=parseable --output=lintreport.txt app/ tests/
+          cat lintreport.txt
+
+      - name: Unit Test
+        run: |
+          uv run coverage run -m pytest -v --junitxml=testresults.xml
+          uv run coverage report
+          uv run coverage xml -q -o coverage.xml
+          sed -i 's@${{ gitea.workspace }}@/github/workspace@g' coverage.xml
+
+      - name: Minimize uv cache
+        run: uv cache prune --ci
+
+      - name: SonarQube Scan
+        uses: SonarSource/sonarqube-scan-action@v7.1.0
+        env:
+          SONAR_HOST_URL: ${{ vars.SONAR_URL }}
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

Dockerfile

@@ -2,6 +2,8 @@ FROM python:3.13.12-slim
 LABEL maintainer="Luke Tainton <luke@tainton.uk>"
 USER root
 
+RUN useradd -r -s /sbin/nologin -M user
+
 ENV PYTHONPATH="/run:/usr/local/lib/python3.13/lib-dynload:/usr/local/lib/python3.13/site-packages:/usr/local/lib/python3.13"
 ENV UV_PROJECT_ENVIRONMENT="/usr/local/"
 
@@ -9,7 +11,7 @@ WORKDIR /run
 
 RUN mkdir -p /.local && \
     chmod -R 777 /.local && \
-    pip install -U pip uv==0.9.21
+    pip install --no-cache-dir -U pip uv==0.9.21
 
 COPY pyproject.toml /run/pyproject.toml
 COPY uv.lock /run/uv.lock
@@ -24,3 +26,6 @@ ARG version="dev"
 ENV APP_VERSION=$version
 
 COPY app /run/app
+
+RUN chown -R user:user /run
+USER user

tests/test_config_1.py

@@ -1,5 +1,3 @@
-#!/usr/bin/env python3
-
 # ruff: noqa: E402 pylint: disable=wrong-import-position
 
 """Provides test cases for app/utils/config.py."""
@@ -27,7 +25,7 @@ def test_config() -> None:
         os.environ[config_var] = value
 
     # needs to be imported AFTER environment variables are set
-    from app.utils.config import config  # pragma: no cover
+    from app.utils.config import config  # pragma: no cover # NOSONAR (C0415)
 
     assert config.admin_emails == config_vars["ADMIN_EMAIL"].split(",")
     assert config.admin_first_name == config_vars["ADMIN_FIRST_NAME"]

tests/test_config_2.py

@@ -1,5 +1,3 @@
-#!/usr/bin/env python3
-
 # ruff: noqa: E402 pylint: disable=wrong-import-position
 
 """Provides test cases for app/utils/config.py."""
@@ -24,7 +22,7 @@ def test_config_no_admin_vars() -> None:
         os.environ[config_var] = value
 
     # needs to be imported AFTER environment variables are set
-    from app.utils.config import config  # pragma: no cover
+    from app.utils.config import config  # pragma: no cover # NOSONAR (C0415)
 
     assert config.approved_domains == []
     assert config.approved_rooms == []

tests/test_datetime.py

@@ -1,5 +1,3 @@
-#!/usr/bin/env python3
-
 """Provides test cases for app/utils/datetime.py."""
 
 import pytest

tests/test_helpers.py

@@ -1,5 +1,3 @@
-#!/usr/bin/env python3
-
 """Provides test cases for app/utils/helpers.py."""
 
 from app.utils.helpers import validate_email_syntax  # pragma: no cover