From e3fdac15b54ae5cc7b1d624ff8288084d5e1807c Mon Sep 17 00:00:00 2001
From: Toutsu
Date: Tue, 12 May 2026 12:31:20 +0300
Subject: [PATCH] ci: satisfy trivy dockerfile checks

Run runtime images as the built-in non-root .NET app user and install Web runtime OS dependencies with --no-install-recommends.
---
 src/GmRelay.Bot/Dockerfile | 2 ++
 src/GmRelay.Web/Dockerfile | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/GmRelay.Bot/Dockerfile b/src/GmRelay.Bot/Dockerfile
index 820392c..fe2b961 100644
--- a/src/GmRelay.Bot/Dockerfile
+++ b/src/GmRelay.Bot/Dockerfile
@@ -33,5 +33,7 @@ WORKDIR /app
 # Копируем только AOT-результаты из билда
 COPY --from=build /app/publish .
+USER $APP_UID
+
 # Запуск скомпилированного AOT бинарного файла напрямую
 ENTRYPOINT ["./GmRelay.Bot"]
diff --git a/src/GmRelay.Web/Dockerfile b/src/GmRelay.Web/Dockerfile
index 7a6f163..e73a6f1 100644
--- a/src/GmRelay.Web/Dockerfile
+++ b/src/GmRelay.Web/Dockerfile
@@ -18,8 +18,9 @@ RUN dotnet publish "GmRelay.Web.csproj" -c Release -o /app/publish /p:UseAppHost
 # Stage 2: Runtime
 FROM mcr.microsoft.com/dotnet/aspnet:10.0-noble AS final
 WORKDIR /app
-RUN apt-get update && apt-get install -y libgssapi-krb5-2 && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y --no-install-recommends libgssapi-krb5-2 && rm -rf /var/lib/apt/lists/*
 COPY --from=build /app/publish .
 ENV ASPNETCORE_URLS=http://+:8080
 EXPOSE 8080
+USER $APP_UID
 ENTRYPOINT ["dotnet", "GmRelay.Web.dll"]
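Review bot: `USER $APP_UID` only works if the final stage's base image exports APP_UID, and that FROM line is outside this hunk; the official .NET runtime images (8.0 and later) set it to 1654, but on a plain distro base the expansion is empty and the build fails. A fallback `ARG APP_UID=1654` immediately before the `USER` line keeps the switch working on any base (an ENV inherited from the base image should still take precedence over the ARG default — worth verifying once). Add a why-comment alongside it, e.g. `# Run unprivileged: APP_UID (1654) is the non-root 'app' user exported by the official .NET images`. If the bot writes anything under /app at runtime, note that the COPY above leaves the directory root-owned, so those writes will now be denied unless the copy uses `--chown=$APP_UID:$APP_UID` or the data goes to a volume.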
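Review bot: The rewritten `RUN` line still installs `libgssapi-krb5-2` without a version pin (hadolint DL3008) and without saying why the runtime needs it, so the next cleanup pass will either drop it or be unable to judge it; a one-line comment such as `# libgssapi-krb5-2: needed at runtime for Kerberos/Negotiate (GSSAPI) auth — confirm which caller requires it` would settle the first point, and since Ubuntu archives retire old package versions the practical pin is the base image by digest (`aspnet:10.0-noble@sha256:…`). The `USER $APP_UID` placement after the apt install is correct, and 8080 is an unprivileged port so the bind still works as non-root. Because the process now runs as UID 1654, anything ASP.NET Core persists on its own (Data Protection keys, for example) presumably lands in that user's home rather than /app; confirm the deployment provides a key store if those must survive container restarts.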