security(ariadne): harden image and bump jwt

2026-04-21 23:59:48 -03:00 · 2026-04-21 23:59:48 -03:00 · 18d518b47a
commit 18d518b47a
parent e22a47b65e
4 changed files with 14 additions and 4 deletions
--- a/3
+++ b/3
@ -5,8 +5,9 @@ ENV PYTHONDONTWRITEBYTECODE=1 \

 WORKDIR /app

-COPY ariadne /app/ariadne
+COPY --chown=ariadne:ariadne ariadne /app/ariadne

 EXPOSE 8080

+USER ariadne
 CMD ["uvicorn", "ariadne.app:app", "--host", "0.0.0.0", "--port", "8080"]
--- a/Dockerfile.base
+++ b/Dockerfile.base
@ -6,4 +6,9 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
 WORKDIR /app

 COPY requirements.txt /app/requirements.txt
-RUN pip install --no-cache-dir -r /app/requirements.txt
+RUN pip install --no-cache-dir -r /app/requirements.txt && \
+    addgroup --system ariadne && \
+    adduser --system --ingroup ariadne --home /app ariadne && \
+    chown -R ariadne:ariadne /app
+
+USER ariadne
--- a/Dockerfile.ci
+++ b/Dockerfile.ci
@ -1,6 +1,10 @@
 FROM registry.bstein.dev/bstein/ariadne-base:py312

+USER root
 WORKDIR /app

 COPY requirements-dev.txt /app/requirements-dev.txt
-RUN pip install --no-cache-dir -r /app/requirements-dev.txt
+RUN pip install --no-cache-dir -r /app/requirements-dev.txt && \
+    chown -R ariadne:ariadne /app
+
+USER ariadne
--- a/requirements.txt
+++ b/requirements.txt
@ -2,7 +2,7 @@ fastapi==0.115.11
 uvicorn[standard]==0.30.6
 httpx==0.27.2
 kubernetes==30.1.0
-PyJWT[crypto]==2.10.1
+PyJWT[crypto]==2.12.1
 psycopg[binary]==3.2.6
 psycopg-pool==3.2.6
 croniter==2.0.7