From 1af760b1f00833af434ce4a666e89d80c351ebda Mon Sep 17 00:00:00 2001
From: "Henning C. Nielsen"
Date: Thu, 16 May 2024 16:25:02 +0200
Subject: [PATCH] ci: Update java and configure non-root
---
 Dockerfile | 44 +++++++++++++++++++++++++++++++-------------
 1 file changed, 31 insertions(+), 13 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index e70267f..6eb9187 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,27 +1,45 @@
-FROM ruby:3.3.0
+FROM openjdk:23-jdk-slim-bookworm
+LABEL maintainer="Henning C. Nielsen"
 # https://github.com/codacy/codacy-hadolint/blob/master/codacy-hadolint/docs/description/DL4006.md
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+ARG user=publisher,
+ARG group=publisher
+ARG uid=1000
+ARG gid=1000
+
 # https://github.com/nodesource/distributions?tab=readme-ov-file#debian-versions
-RUN curl -fsSL https://deb.nodesource.com/setup_18.x | bash - \
- && apt-get update \
+RUN apt-get update \
 && apt-get install --yes --no-install-recommends \
 build-essential=12.9 \
- openjdk-17-jdk-headless=17.0.9+9-1~deb12u1 \
- nodejs=18.19.0-1nodesource1 \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/* \
+ curl=7.88.1-10+deb12u5 \
+ ruby=1:3.1 \
+ ruby-dev=1:3.1 \
 \
- && gem update --system 3.5.5 \
+ && curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
+ && apt-get install --yes --no-install-recommends nodejs=20.13.1-1nodesource1 \
+ \
+ # && gem update --system 3.5.10 \
 && gem install \
- bundler:2.5.5 \
+ bundler:2.5.10 \
 jekyll:4.3.3 \
 \
- && npm install -g npm@10.4.0 \
- && npm install -g fsh-sushi@3.6.1 \
+ && npm install -g npm@10.8.0 \
+ && npm install -g fsh-sushi@3.10.0 \
 \
 && mkdir input-cache \
- && curl -fsSL https://github.com/HL7/fhir-ig-publisher/releases/download/1.5.14/publisher.jar -o input-cache/publisher.jar
+ && curl -fsSL https://github.com/HL7/fhir-ig-publisher/releases/download/1.6.7/publisher.jar -o input-cache/publisher.jar \
+ \
+ && apt-get autoremove --yes curl \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/* \
+ \
+ && groupadd -g ${gid} ${group} \
+ && useradd -l -u ${uid} -g ${group} -m ${user}
+
+# Do not run the entrypoint as root. That is a security risk.
+USER ${uid}:${gid}
+WORKDIR /home/${user}
-ENTRYPOINT [ "java", "-Xmx4g", "-jar", "input-cache/publisher.jar", "-ig"]
+ENTRYPOINT [ "java", "-Xmx4g", "-jar", "/input-cache/publisher.jar"]
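Review bot: `ARG user=publisher,` carries a trailing comma, so `${user}` expands to `publisher,` in both `useradd -l -u ${uid} -g ${group} -m ${user}` and `WORKDIR /home/${user}`; useradd rejects a comma in the account name unless told to accept bad names, so the build most likely fails, and if it did succeed the home directory would be `/home/publisher,`. The fix is to drop the comma: `ARG user=publisher`. Separately, `input-cache` is created and populated while still root and the new `USER ${uid}:${gid}` switch comes afterwards, so the publisher user can read `/input-cache/publisher.jar` but not write next to it — if the jar expects to write into that directory (I cannot tell from the hunk), add `&& chown -R ${uid}:${gid} /input-cache` after the useradd line in the same RUN. Dropping `-ig` from the ENTRYPOINT is a caller-visible change that the commit message does not mention; existing `docker run … <ig-path>` invocations now need to pass `-ig` themselves. The `curl … setup_20.x | bash -` bootstrap and the unverified `publisher.jar` download predate this commit but remain in the rewritten RUN; verifying the jar against a known checksum (the Dockerfile currently pins only its version) would make the image reproducible and detect a tampered download.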