Update Dockerfile to use non-root user

This follows standard security best practices to NOT run applications inside docker containers as the root user if possible

Signed-off-by: Matt Norton <matt@carrotmanmatt.com>

Author: CarrotManMatt

Dockerfile

@@ -11,7 +11,7 @@ WORKDIR /app
 RUN --mount=type=cache,target=/root/.cache/uv \
     --mount=type=bind,source=uv.lock,target=uv.lock \
     --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
-    uv sync --frozen --no-install-project --no-group dev
+    uv sync --locked --no-install-project --no-group dev
 
 COPY LICENSE /app/
 COPY config.py main.py messages.json /app/
@@ -22,13 +22,17 @@ COPY cogs/ /app/cogs/
 
 FROM python:3.13-slim-trixie
 
+RUN groupadd --system --gid 999 nonroot && useradd --system --gid 999 --uid 999 --create-home nonroot
+
 LABEL org.opencontainers.image.source=https://github.com/CSSUoB/TeX-Bot-Py-V2
 LABEL org.opencontainers.image.licenses=Apache-2.0
 
-COPY --from=builder --chown=app:app /app /app
+COPY --from=builder --chown=nonroot:nonroot /app /app
 
 ENV LANG=C.UTF-8 PATH="/app/.venv/bin:$PATH"
 
 WORKDIR /app
 
+USER nonroot
+
 ENTRYPOINT ["python", "-m", "main"]