Scala Steward runs as root when using the published Docker image (but it probably shouldn't) #3283

Open
@bpholt

The Dockerfile generated by the current build configuration leaves the user set to root, meaning the application runs as root inside the container. This is not recommended, and I think was probably an oversight.

scala-steward/build.sbt

Lines 379 to 393 in 1f8ea30

Seq(
  Cmd("USER", "root"),
  Cmd(
    "RUN",
    "apk --no-cache add bash git gpg ca-certificates curl maven openssh nodejs npm ncurses"
  ),
  Cmd("RUN", installSbt),
  Cmd("RUN", installMill),
  Cmd("RUN", installCoursier),
  Cmd("RUN", installScalaCli),
  Cmd("RUN", s"$csBin install --install-dir $binDir scalafix scalafmt"),
  Cmd("RUN", "npm install --global yarn"),
  // Ensure binaries are in PATH
  Cmd("RUN", "echo $PATH"),
  Cmd("RUN", "which cs mill mvn node npm sbt scala-cli scalafix scalafmt yarn")

Line 380 sets the user to root so the build can configure the dependencies inside the image, but as you can see there's no subsequent USER {user} directive to reset the user context.

We're in the process of testing this locally, but I think adding this as the final Dockerfile directive should reset the user context back to the user created by sbt-native-packager.

Cmd("USER", (Docker / daemonUser).value)

I'll make a PR to fix this if the tests we're doing internally look promising.
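A check for the condition reported above, as an added example that is not part of the issue or of the Scala Steward code base: it reads a generated Dockerfile and reports which USER is in effect at the end of the last stage. The function names, the base image name and `appuser` are assumptions made for illustration, and the sample Dockerfile is constructed.

```python
# Added example: flags a Dockerfile whose last stage ends with root in effect.
ROOT_NAMES = {"root", "0"}

def logical_lines(text):
    """Yield instructions, skipping comments and joining '\\' continuations."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf.strip()

def final_user(text):
    """USER in effect at the end of the last stage; None if the stage never set one."""
    user = None
    for instr in logical_lines(text):
        parts = instr.split(None, 1)
        keyword = parts[0].upper()
        if keyword == "FROM":
            user = None          # each stage starts over from its base image's user
        elif keyword == "USER" and len(parts) == 2:
            user = parts[1].strip()
    return user

def runs_as_root(text):
    user = final_user(text)
    if user is None:
        return True              # assumption: an unknown base image user is treated as root
    return user.split(":", 1)[0] in ROOT_NAMES

# Constructed Dockerfile with the shape described in the issue: package setup
# switches to root and nothing switches back. "appuser" and the base image
# name are placeholders.
REPORTED = "\n".join([
    "FROM constructed-base:latest",
    "USER appuser",
    "USER root",
    "RUN apk --no-cache add bash git \\",
    "    openssh nodejs npm",
])
FIXED = REPORTED + "\nUSER appuser"

if __name__ == "__main__":
    for name, text in (("reported", REPORTED), ("fixed", FIXED)):
        print(name, "final USER:", final_user(text), "root:", runs_as_root(text))
```

The check does not expand build arguments or environment variables in a USER value, so a directive such as `USER $APP_USER` is reported literally.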
