feat: slim runtime and non-root user

build/Containerfile

@@ -10,7 +10,7 @@ ADD https://github.com/ProtonMail/proton-bridge.git#${version} /build/
 WORKDIR /build/
 RUN make build-nogui vault-editor
 
-FROM golang:1-trixie
+FROM debian:trixie-slim
 LABEL maintainer="SR2 Communications <contact@sr2.uk>"
 
 EXPOSE 25/tcp
@@ -18,15 +18,23 @@ EXPOSE 143/tcp
 
 # Install dependencies and protonmail bridge
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends socat pass libsecret-1-0 ca-certificates \
+    && apt-get install -y --no-install-recommends socat pass libsecret-1-0 libfido2-1 libcbor0.10 ca-certificates adduser \
     && rm -rf /var/lib/apt/lists/*
 
+# Create app user
+RUN addgroup --gid 19994 protonmail && \
+    adduser --uid 19994 --gid 19994 --shell /bin/bash --home /protonmail protonmail
+
 # Copy bash scripts
-COPY gpgparams entrypoint.sh /protonmail/
+COPY --chown=19994:19994 gpgparams entrypoint.sh /protonmail/
 
 # Copy protonmail
-COPY --from=build /build/bridge /protonmail/
+COPY --from=build --chown=19994:19994 /build/bridge /protonmail/
-COPY --from=build /build/proton-bridge /protonmail/
+COPY --from=build --chown=19994:19994 /build/proton-bridge /protonmail/
-COPY --from=build /build/vault-editor /protonmail/
+COPY --from=build --chown=19994:19994 /build/vault-editor /protonmail/
+
+WORKDIR /protonmail
+
+USER 19994
 
 ENTRYPOINT ["bash", "/protonmail/entrypoint.sh"]