feat: use a non-root Docker user

Create a non-root `app` user within Docker that maps to default user
(uid 1000) on Linux-based systems.

Refs #10

templates/Dockerfile.twig

@@ -3,17 +3,27 @@ FROM php:{{ php.version }} AS base
 COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
 RUN which composer && composer -V
 
+ARG DOCKER_UID=1000
+ENV DOCKER_UID="${DOCKER_UID}"
+
 WORKDIR /app
 
+RUN adduser --disabled-password --uid "${DOCKER_UID}" app \
+  && chown app:app -R /app
+
+USER app
+
 ENV PATH="${PATH}:/app/vendor/bin"
 
-COPY composer.* ./
+COPY --chown=app:app composer.* ./
 
 {% if dockerfile.stages.build %}
 ################################################################################
 
 FROM {{ dockerfile.stages.build.extends }} AS build
 
+USER root
+
 {% if dockerfile.stages.build.packages %}
 RUN apt-get update -yqq \
   && apt-get install -yqq --no-install-recommends \
@@ -25,15 +35,17 @@ RUN docker-php-ext-install {{ dockerfile.stages.build.extensions.install | join(
 {% endif %}
 
 {% for directory in dockerfile.stages.build.extra_directories %}
-COPY {{ directory }} {{ directory }}
+COPY --chown=app:app {{ directory }} {{ directory }}
 {% endfor %}
 
+USER app
+
 {% for command in dockerfile.stages.build.commands %}
 RUN {{ command }}
 {% endfor %}
 {% endif %}
 
-COPY tools/docker/images/php/root /
+COPY --chown=app:app tools/docker/images/php/root /
 
 ENTRYPOINT ["/usr/local/bin/docker-entrypoint-php"]
 CMD ["php-fpm"]
@@ -43,7 +55,7 @@ CMD ["php-fpm"]
 
 FROM {{ dockerfile.stages.test.extends }} AS test
 
-COPY . .
+COPY --chown=app:app . .
 
 RUN {% for command in dockerfile.stages.test.commands -%}
 {% if not loop.first %}  && {% endif %}

templates/env.example.twig

@@ -1,3 +1,5 @@
+DOCKER_UID=1000
+
 {% if dockerCompose %}
 export COMPOSE_PROJECT_NAME={{ name }}
 export COMPOSE_PROFILES=web,php,database