ci: Use non-root user in Docker when running codegen (#31)

* Run Docker in CI as non-root user

* Make useradd line a little less clever

Author: JoshMock

.buildkite/Dockerfile

@@ -1,16 +1,32 @@
 ARG NODE_VERSION=${NODE_VERSION:-18}
 FROM node:$NODE_VERSION
 
+ARG BUILDER_USER=1000
+ARG BUILDER_GROUP=1000
+
 # Install zip util
 RUN apt-get clean -y && \
-    apt-get -qy update && \
-    apt-get -y install zip && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+    apt-get update -y && \
+    apt-get install -y zip
+
+# Set up all files as owned by non-root user
+RUN groupadd -f --system -g ${BUILDER_GROUP} elastic \
+    && (id -u ${BUILDER_USER} || useradd --system --shell /bin/bash -u ${BUILDER_USER} -g ${BUILDER_GROUP} -m elastic) \
+    && mkdir -p /usr/src/app \
+    && chown -R ${BUILDER_USER}:${BUILDER_GROUP} /usr/src/ \
+    && mkdir -p /.npm \
+    && chown -R ${BUILDER_USER}:${BUILDER_GROUP} /.npm \
+    && mkdir -p /.cache \
+    && chown -R ${BUILDER_USER}:${BUILDER_GROUP} /.cache
 
 WORKDIR /usr/src/app
 
+# run remainder of commands as non-root user
+USER ${BUILDER_USER}:${BUILDER_GROUP}
+
+# install dependencies
 COPY package.json .
-RUN npm install
+RUN npm install --production=false
 
+# copy project files
 COPY . .

.buildkite/run-client.sh

@@ -6,13 +6,15 @@ script_path=$(dirname "$(realpath -s "$0")")
 set -euo pipefail
 repo=$(pwd)
 
-export NODE_VERSION=${NODE_VERSION:-16}
+export NODE_VERSION=${NODE_VERSION:-18}
 
 echo "--- :docker: Building Docker image"
 docker build \
        --file "$script_path/Dockerfile" \
        --tag elastic/elasticsearch-serverless-js \
        --build-arg NODE_VERSION="$NODE_VERSION" \
+       --build-arg BUILDER_USER="$(id -u)" \
+       --build-arg BUILDER_GROUP="$(id -g)" \
        .
 
 echo "--- :javascript: Running tests"
@@ -22,6 +24,7 @@ export GITHUB_TOKEN
 
 mkdir -p "$repo/junit-output"
 docker run \
+       -u "$(id -u):$(id -g)" \
        -e "ELASTICSEARCH_URL" \
        -e "ES_API_SECRET_KEY" \
        -e "GITHUB_TOKEN" \

.ci/make.sh

@@ -37,7 +37,7 @@ product="elastic/elasticsearch-serverless-js"
 output_folder=".ci/output"
 codegen_folder=".ci/output"
 OUTPUT_DIR="$repo/${output_folder}"
-NODE_VERSION=20
+NODE_VERSION=18
 WORKFLOW=${WORKFLOW-staging}
 mkdir -p "$OUTPUT_DIR"
 
@@ -134,6 +134,8 @@ docker build \
   --file .buildkite/Dockerfile \
   --tag "$product" \
   --build-arg NODE_VERSION="$NODE_VERSION" \
+  --build-arg BUILDER_USER="$(id -u)" \
+  --build-arg BUILDER_GROUP="$(id -g)" \
   .
 
 # ------------------------------------------------------- #
@@ -143,8 +145,10 @@ docker build \
 echo -e "\033[34;1mINFO: running $product container\033[0m"
 
 # check CI env vars to enable support for both CI or running locally
-if [[ -z "${BUILDKITE+x}" ]] || [[ -z "${CI+x}" ]]; then
+if [[ -z "${BUILDKITE+x}" ]] && [[ -z "${CI+x}" ]] && [[ -z "${GITHUB_ACTIONS+x}" ]]; then
+  echo -e "\033[34;1mINFO: Running in local mode"
   docker run \
+    -u "$(id -u):$(id -g)" \
     --volume "$repo:/usr/src/app" \
     --volume "$(realpath $repo/../elastic-client-generator-js):/usr/src/elastic-client-generator-js" \
     --volume /usr/src/app/node_modules \
@@ -155,7 +159,9 @@ if [[ -z "${BUILDKITE+x}" ]] || [[ -z "${CI+x}" ]]; then
     /bin/bash -c "mkdir -p /usr/src/elastic-client-generator-js/output && \
       node .ci/make.mjs --task $TASK ${TASK_ARGS[*]}"
 else
+  echo -e "\033[34;1mINFO: Running in CI mode"
   docker run \
+    -u "$(id -u):$(id -g)" \
     --volume "$repo:/usr/src/app" \
     --volume /usr/src/app/node_modules \
     --env "WORKFLOW=$WORKFLOW" \