From 3be93961c7dafe22c64ced670ec29d34263b9ae6 Mon Sep 17 00:00:00 2001
From: "cartsnitch-engineer[bot]" <269717931+cartsnitch-engineer[bot]@users.noreply.github.com>
Date: Sun, 22 Mar 2026 01:27:20 +0000
Subject: [PATCH] fix: use non-root nginx image for Kubernetes runAsNonRoot compatibility
Switch from nginx:stable-alpine to nginxinc/nginx-unprivileged:stable-alpine. The unprivileged image runs as nginx user (UID 101) on port 8080, satisfying the runAsNonRoot: true security context in Kubernetes.
Fixes: https://github.com/cartsnitch/infra/issues/65
Co-Authored-By: Paperclip
---
 Dockerfile | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 6a8b88d..069d83b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,13 +9,13 @@ RUN npm ci
 COPY . .
 RUN npm run build
-# Stage 2: Production
-FROM nginx:stable-alpine AS prod
+# Stage 2: Production — uses nginxinc/nginx-unprivileged which runs as non-root (UID 101)
+FROM nginxinc/nginx-unprivileged:stable-alpine AS prod
 COPY --from=build /app/dist /usr/share/nginx/html
 COPY nginx.conf /etc/nginx/conf.d/default.conf
-EXPOSE 80
+EXPOSE 8080
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
- CMD wget -qO- http://localhost/health || exit 1
+ CMD wget -qO- http://localhost:8080/health || exit 1
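Review bot: The context line `COPY nginx.conf /etc/nginx/conf.d/default.conf` overwrites the unprivileged image's default server block, and the diffstat shows only the Dockerfile changed, so the repository's nginx.conf presumably keeps its old listen port. If it still says `listen 80;`, nginx will not answer on the port the new `EXPOSE 8080` and health check use, and a non-root bind to 80 can fail where privileged ports stay restricted; the config needs `listen 8080;` in the same change. nginx.conf is outside this diff, so that is inferred and worth confirming before merge. Separately, `stable-alpine` is a moving tag on an image from a different publisher than before, so a digest pin such as `FROM nginxinc/nginx-unprivileged:stable-alpine@sha256:<digest> AS prod` would keep the base reproducible. An explicit numeric `USER 101` in this stage would also make the non-root guarantee visible in the Dockerfile instead of inherited from the base.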