chore(docker): run optic as unprivileged user (#2756)

Author: notnmeyer

Dockerfile

@@ -1,10 +1,23 @@
-FROM alpine:latest
-
+# Doing the intial installation of Optic and Spectral separately
+# saves a bit of space in the final image--Probably due to temp
+# file creation.
+FROM alpine:latest as dl
 ARG OPTIC_CLI_VERSION=latest
-
-RUN apk --no-cache add git curl
-RUN echo "optic-docker" > /etc/machine-id
+RUN apk --no-cache add curl
+# install Optic
 RUN set -e; sh -c "$(curl -s --location https://install.useoptic.com/install.sh)" -- $OPTIC_CLI_VERSION /usr/local/bin
+# install Spectral
+RUN curl -L https://raw.github.com/stoplightio/spectral/master/scripts/install.sh | sh
 
+FROM alpine:latest
 ENV INSTALLATION_METHOD="docker"
+RUN addgroup -S optic && \
+    adduser -S optic -G optic && \
+    apk --no-cache add git curl && \
+    echo "optic-docker" > /etc/machine-id
+
+COPY --from=dl /usr/local/bin/optic /usr/local/bin/
+COPY --from=dl /usr/local/bin/spectral /usr/local/bin/
+
+USER optic
 ENTRYPOINT ["/usr/local/bin/optic"]

Taskfile.yml

@@ -95,6 +95,8 @@ tasks:
         --builder optic-multiplatform-builder
         --build-arg OPTIC_CLI_VERSION={{.OPTIC_CLI_VERSION}}
         .
+      # ensure we have the latest image pulled from the registry, easy to forget to do this
+      - docker pull localhost:5000/useoptic/optic:local
 
   docker:build:release:
     desc: Build an Optic image for all supported platforms, suitable for publishing

package.json

@@ -2,7 +2,7 @@
   "name": "openapi-workspaces",
   "license": "MIT",
   "private": true,
-  "version": "0.54.7",
+  "version": "0.54.8",
   "workspaces": [
     "projects/json-pointer-helpers",
     "projects/openapi-io",

projects/fastify-capture/package.json

@@ -2,7 +2,7 @@
   "name": "@useoptic/fastify-capture",
   "license": "MIT",
   "packageManager": "[email protected]",
-  "version": "0.54.7",
+  "version": "0.54.8",
   "main": "build/index.js",
   "types": "build/index.d.ts",
   "files": [

projects/json-pointer-helpers/package.json

@@ -2,7 +2,7 @@
   "name": "@useoptic/json-pointer-helpers",
   "license": "MIT",
   "packageManager": "[email protected]",
-  "version": "0.54.7",
+  "version": "0.54.8",
   "main": "build/index.js",
   "types": "build/index.d.ts",
   "files": [

projects/openapi-io/package.json

@@ -2,7 +2,7 @@
   "name": "@useoptic/openapi-io",
   "license": "MIT",
   "packageManager": "[email protected]",
-  "version": "0.54.7",
+  "version": "0.54.8",
   "main": "build/index.js",
   "types": "build/index.d.ts",
   "files": [

projects/openapi-utilities/package.json

@@ -2,7 +2,7 @@
   "name": "@useoptic/openapi-utilities",
   "license": "MIT",
   "packageManager": "[email protected]",
-  "version": "0.54.7",
+  "version": "0.54.8",
   "main": "build/index.js",
   "types": "build/index.d.ts",
   "files": [

projects/optic/package.json

@@ -2,7 +2,7 @@
   "name": "@useoptic/optic",
   "license": "MIT",
   "packageManager": "[email protected]",
-  "version": "0.54.7",
+  "version": "0.54.8",
   "main": "build/index.js",
   "types": "build/index.d.ts",
   "files": [

projects/rulesets-base/package.json

@@ -2,7 +2,7 @@
   "name": "@useoptic/rulesets-base",
   "license": "MIT",
   "packageManager": "[email protected]",
-  "version": "0.54.7",
+  "version": "0.54.8",
   "main": "build/index.js",
   "types": "build/index.d.ts",
   "files": [

projects/standard-rulesets/package.json

@@ -2,7 +2,7 @@
   "name": "@useoptic/standard-rulesets",
   "license": "MIT",
   "packageManager": "[email protected]",
-  "version": "0.54.7",
+  "version": "0.54.8",
   "main": "build/index.js",
   "types": "build/index.d.ts",
   "files": [