Update Dockerfile to use non-root user (#735)

* Update Dockerfile to use non-root user

This follows standard security best practices to NOT run applications inside docker containers as the root user if possible

Signed-off-by: Matt Norton <matt@carrotmanmatt.com>

* Revert sync command argument

The dependencies should be synced with `--frozen` not `--locked` because they are already locked in the `uv.lock` file and the `pyproject.toml` does not need checking.

See https://docs.astral.sh/uv/reference/cli/#uv-sync

Signed-off-by: Matt Norton <matt@carrotmanmatt.com>

---------

Signed-off-by: Matt Norton <matt@carrotmanmatt.com>
Co-authored-by: automatic-pr-updater[bot] <217796550+automatic-pr-updater[bot]@users.noreply.github.com>

Author: CarrotManMatt

Dockerfile

@@ -22,13 +22,17 @@ COPY cogs/ /app/cogs/
 
 FROM python:3.13-slim-trixie
 
+RUN groupadd --system --gid 999 nonroot && useradd --system --gid 999 --uid 999 --create-home nonroot
+
 LABEL org.opencontainers.image.source=https://github.com/CSSUoB/TeX-Bot-Py-V2
 LABEL org.opencontainers.image.licenses=Apache-2.0
 
-COPY --from=builder --chown=app:app /app /app
+COPY --from=builder --chown=nonroot:nonroot /app /app
 
 ENV LANG=C.UTF-8 PATH="/app/.venv/bin:$PATH"
 
 WORKDIR /app
 
+USER nonroot
+
 ENTRYPOINT ["python", "-m", "main"]