Drop root privileges

Dockerfile

@@ -5,27 +5,30 @@ COPY --from=koalaman/shellcheck:v0.9.0 /bin/shellcheck /bin/
 ENV BUILD_BASE_VERSION="0.5-r3"
 # renovate: datasource=repology depName=alpine_3_18/gcc versioning=loose
 ENV GCC_VERSION="12.2.1_git20220924-r10"
-# renovate: datasource=repology depName=alpine_3_18/ruby versioning=loose
-ENV RUBY_VERSION="3.2.2-r0"
 # renovate: datasource=repology depName=alpine_3_18/git versioning=loose
 ENV GIT_VERSION="2.40.1-r0"
-# renovate: datasource=repology depName=alpine_3_18/openssh-keygen versioning=loose
+# renovate: datasource=repology depName=alpine_3_18/ruby versioning=loose
 ENV OPENSSH_KEYGEN_VERSION="9.3_p2-r0"
 # renovate: datasource=pypi depName=pre-commit versioning=pep440
-ENV PRE_COMMIT_VERSION="3.4.0"
+ENV RUBY_VERSION="3.2.2-r0"
+# renovate: datasource=repology depName=alpine_3_18/openssh-keygen versioning=loose
+ENV PRE_COMMIT_VERSION="3.3.3"
 # renovate: datasource=rubygems depName=mdl versioning=ruby
-ENV MDL_VERSION="0.12.0"
+ENV MDL_VERSION="0.11.0"
 
 RUN apk add --update --no-cache \
       build-base="${BUILD_BASE_VERSION}" \
       gcc="${GCC_VERSION}" \
-      ruby="${RUBY_VERSION}" \
       git="${GIT_VERSION}" \
       openssh-keygen="${OPENSSH_KEYGEN_VERSION}" \
+      ruby="${RUBY_VERSION}" \
     && \
-    pip install --no-cache-dir pre-commit=="${PRE_COMMIT_VERSION}" && \
     gem install --no-document mdl -v "${MDL_VERSION}" && \
     mkdir /data && \
-    git config --global --add safe.directory /data
+    adduser -D -h /home/user/ -g user user
+
+USER user:user
+ENV PATH="/home/user/.local/bin:${PATH}"
+RUN pip install --no-cache-dir pre-commit=="${PRE_COMMIT_VERSION}"
 
 WORKDIR /data