From 0788a3f6e371ea088ec2123b844b31fbf68a1ff1 Mon Sep 17 00:00:00 2001
From: Felix Delattre
Date: Mon, 10 Nov 2025 16:21:11 +0100
Subject: [PATCH] Added non-root user for container.
---
 CHANGELOG.md | 6 ++++++
 docker/pypgstac/Dockerfile | 5 +++++
 2 files changed, 11 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ced94bc4..cd1fbc11 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,7 +5,13 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](http://keepachangelog.com/) and this project adheres to [Semantic Versioning](http://semver.org/).
+
+## [UNRELEASED]
+
+* changed container images to use non-root `user`
+
 ## [v0.9.8]
+
 ### Fixed - Allow array as q parameter for full text search
diff --git a/docker/pypgstac/Dockerfile b/docker/pypgstac/Dockerfile
index 7f84f434..753991f3 100644
--- a/docker/pypgstac/Dockerfile
+++ b/docker/pypgstac/Dockerfile
@@ -28,3 +28,8 @@ COPY src/pypgstac /opt/src/pypgstac
 COPY src/pgstac /opt/src/pgstac
 WORKDIR /opt/src/pypgstac
 RUN uv pip install --system -e . && rm -rf /usr/local/cargo/registry
+
+RUN addgroup --gid 1000 user && \
+ adduser --uid 1000 --gid 1000 --disabled-password --gecos "" --home /home/user user && \
+ chown -R user:user /opt/src/pypgstac /opt/src/pgstac
+USER user
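Review bot: The `chown -R user:user /opt/src/pypgstac /opt/src/pgstac` step in the new `RUN` hands the editable-installed sources (`uv pip install --system -e .` on the line above) to the same account the container runs as, so a compromised process could rewrite the code it imports. Dropping root protects more if those trees stay root-owned and merely readable. Unless pypgstac has to write into them at runtime, which this hunk does not show, I would drop the chown or limit it to a dedicated writable directory. Separately, `USER user` is a name, and Kubernetes cannot verify `runAsNonRoot: true` against a non-numeric user, so `USER 1000:1000` keeps the same account while letting that check pass.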