From 52c215254f5b655bb88dcffb4060aa2fe2889bbd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Anders=20B=C3=A4lter?= <anders@84codes.com>
Date: Wed, 11 Mar 2026 21:34:10 +0100
Subject: [PATCH] Create non-root app user in Ruby base image

Creates a system user (uid 1000) in the base stage so downstream
Dockerfiles can switch to it with USER app. Not activated here so the
build stage keeps root for package installation.
---
 ruby/Dockerfile | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ruby/Dockerfile b/ruby/Dockerfile
index 192f66b..c4ed520 100644
--- a/ruby/Dockerfile
+++ b/ruby/Dockerfile
@@ -11,6 +11,9 @@ RUN apt-get update -qq \
     postgresql-client \
     && rm -rf /var/lib/apt/lists /var/cache/apt/archives
 
+# Non-root user for runtime stages (USER not set here so build stage keeps root)
+RUN useradd --system --uid 1000 app && chown app:app /app
+
 # Set production environment
 ENV BUNDLE_DEPLOYMENT="1" \
     BUNDLE_PATH="/usr/local/bundle" \