From 04feb5a3c339038287c21bf18e567da0230c2d98 Mon Sep 17 00:00:00 2001
From: Zuev
Date: Tue, 17 Mar 2026 02:47:57 +0300
Subject: [PATCH] feat: Enhance Dockerfile security with non-root users and correct file permissions, and adjust Gitea workflow action versions.
---
 .gitea/workflows/docker-build.yaml | 16 ++++++++--------
 backend/Dockerfile | 5 +++++
 frontend/Dockerfile | 3 +++
 3 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/.gitea/workflows/docker-build.yaml b/.gitea/workflows/docker-build.yaml
index cef8511..b23c642 100755
--- a/.gitea/workflows/docker-build.yaml
+++ b/.gitea/workflows/docker-build.yaml
@@ -17,10 +17,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@v4
 - name: Log in to the Container registry
- uses: docker/login-action@v4
+ uses: docker/login-action@v3
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -28,12 +28,12 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@v6
+ uses: docker/metadata-action@v5
 with:
 images: ${{ env.REGISTRY }}/${{ env.BACKEND_IMAGE }}
 - name: Build and push Docker image
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@v6
 with:
 context: ./backend
 push: true
@@ -45,10 +45,10 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@v4
 - name: Log in to the Container registry
- uses: docker/login-action@v4
+ uses: docker/login-action@v3
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -56,12 +56,12 @@ jobs:
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@v6
+ uses: docker/metadata-action@v5
 with:
 images: ${{ env.REGISTRY }}/${{ env.FRONTEND_IMAGE }}
 - name: Build and push Docker image
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@v6
 with:
 context: ./frontend
 push: true 
diff --git a/backend/Dockerfile b/backend/Dockerfile
index 08a9825..e4b3343 100755
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -6,6 +6,11 @@ COPY src ./src
 RUN mvn package -DskipTests -B
 FROM eclipse-temurin:17-jre-alpine
+
+# Best practice: run as a non-root user
+RUN addgroup -S spring && adduser -S spring -G spring
+USER spring:spring
+
 WORKDIR /app
 COPY --from=build /app/target/app.jar app.jar
 EXPOSE 8080
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index 93424dd..c9203f0 100755
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -1,2 +1,5 @@
 FROM httpd:alpine
 COPY . /usr/local/apache2/htdocs/
+
+# Set appropriate permissions for the web server to serve static files
+RUN chown -R www-data:www-data /usr/local/apache2/htdocs/
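Review bot: `USER spring:spring` is placed before `WORKDIR /app` and the `COPY --from=build` of app.jar, and `COPY` without `--chown` creates files owned by root:root regardless of the active USER, so /app and app.jar end up root-owned in an image that then runs as `spring`; the jar is normally still readable, but nothing under /app is writable, which becomes a runtime failure if the application (its ENTRYPOINT/CMD is outside this hunk) writes to its working directory. The usual hardening order copies with ownership and drops privileges last: `COPY --from=build --chown=spring:spring /app/target/app.jar app.jar` followed by `USER spring:spring` as the final instruction before EXPOSE/ENTRYPOINT. Consider `adduser -S -H spring -G spring` as well, since a service account needs no home directory. I would also replace the generic comment with one that records the constraint, e.g. `# Run as unprivileged user; keep USER after COPY so app.jar is owned by spring`.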
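Review bot: `chown -R www-data:www-data` on htdocs gives a web-server account ownership of (and write access to) the static content, which is the opposite of hardening — a compromised httpd worker could then rewrite the site, whereas root-owned, world-readable files are already servable. It also appears to target the wrong account: the stock httpd.conf in the official httpd image runs workers as `daemon`, not `www-data`, so unless that config is replaced elsewhere in this Dockerfile (not visible in the hunk) the chown changes nothing about serving. If the goal is only to guarantee readability regardless of the modes in the build context, use `RUN chmod -R u=rwX,go=rX /usr/local/apache2/htdocs/` with the comment `# htdocs stays root-owned; the httpd worker user only needs read access`. Note also that no `USER` is set here, so this stage still starts as root (httpd itself drops to its configured worker user), and the commit's non-root claim applies only to the backend image.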