From c1eeaf835d016a7db8054362a0ea13dad630ea42 Mon Sep 17 00:00:00 2001
From: ReenigneArcher <42013603+ReenigneArcher@users.noreply.github.com>
Date: Sat, 28 Feb 2026 10:31:34 -0500
Subject: [PATCH] build(docker): do not run with root user
---
 Dockerfile | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index ec5c3f45..db4c50d8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -37,12 +37,12 @@ targets=(
 for base_dir in "${base_dirs[@]}"; do
 for target in "${targets[@]}"; do
 if [ -e "$base_dir/$target" ]; then
- cp -rf "$base_dir/$target" ${TMPDIR}/
+ cp -rf "$base_dir/$target" "${TMPDIR}/"
 fi
 done
 done
-cp -RTf ./ ${TMPDIR}/
+cp -RTf ./ "${TMPDIR}/"
 _SITE
@@ -68,8 +68,14 @@ RUN <<_SETUP
 set -e
 bundle install
+
+# Create a non-root user and transfer ownership
+useradd --no-create-home --shell /bin/bash jekyll
+chown -R jekyll:jekyll /app
 _SETUP
+USER jekyll
+
 # Expose the port that Jekyll will run on
 EXPOSE 4000
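Review bot: An empty or unset TMPDIR still expands to `/` in both quoted `cp` destinations of the first hunk (@@ -37,12), so the copy would land in the root of the build filesystem instead of failing. Writing the destination as `"${TMPDIR:?}/"` makes the shell abort with an error in that case. The heredoc that assigns TMPDIR starts outside the hunk, so this may already be guaranteed there; if it is, a short comment next to the assignment saying so would be enough.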
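Review bot: In the second hunk (@@ -68,8) the account is created without a fixed UID and selected by name in `USER jekyll`, so a runtime that enforces non-root by numeric ID (Kubernetes `runAsNonRoot`, for example) cannot verify it, and the UID can change when the base image changes. Pinning it, e.g. `useradd --uid 1000 --no-create-home --shell /usr/sbin/nologin jekyll` followed by `USER 1000` (1000 is an illustrative value and the nologin path depends on the base image), also removes the login shell this service account does not appear to need. Separately, `chown -R jekyll:jekyll /app` leaves the whole application tree writable by the runtime user; if Jekyll only writes its output and cache directories, restricting ownership to those keeps the served code read-only for the process. The RUN heredoc begins outside the hunk, so the base image and the contents of /app are not visible here.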