fix: run docker image as non-root (#795)

* do not use apk update explicitely
* change user root to node

dev/build/Dockerfile

@@ -3,9 +3,7 @@
 # ====================
 FROM node:10.15-alpine AS assets
 
-RUN apk update && \
-    apk add yarn g++ make python --no-cache && \
-    rm -rf /var/cache/apk/*
+RUN apk add yarn g++ make python --no-cache
 
 WORKDIR /wiki
 
@@ -28,22 +26,23 @@ RUN yarn --production --frozen-lockfile --non-interactive
 FROM node:10.15-alpine
 LABEL maintainer="requarks.io"
 
-RUN apk update && \
-    apk add bash curl git openssh gnupg sqlite --no-cache && \
-    rm -rf /var/cache/apk/* && \
+RUN apk add bash curl git openssh gnupg sqlite --no-cache && \
     mkdir -p /wiki && \
-    mkdir -p /logs
+    mkdir -p /logs && \
+    chown -R node:node /wiki /logs
 
 WORKDIR /wiki
 
-COPY --from=assets /wiki/assets ./assets
-COPY --from=assets /wiki/node_modules ./node_modules
-COPY ./server ./server
-COPY --from=assets /wiki/server/views ./server/views
-COPY ./dev/build/config.yml ./config.yml
-COPY ./dev/docker-common/wait.sh ./wait.sh
-COPY ./package.json ./package.json
-COPY ./LICENSE ./LICENSE
+COPY --chown=node:node --from=assets /wiki/assets ./assets
+COPY --chown=node:node --from=assets /wiki/node_modules ./node_modules
+COPY --chown=node:node ./server ./server
+COPY --chown=node:node --from=assets /wiki/server/views ./server/views
+COPY --chown=node:node ./dev/build/config.yml ./config.yml
+COPY --chown=node:node ./dev/docker-common/wait.sh ./wait.sh
+COPY --chown=node:node ./package.json ./package.json
+COPY --chown=node:node ./LICENSE ./LICENSE
+
+USER node
 
 EXPOSE 3000