From 5a49f14e0476cbd8b031dc4aefb6f477a15f3e76 Mon Sep 17 00:00:00 2001
From: sto
Date: Sat, 17 Jan 2026 09:49:02 +0100
Subject: [PATCH] Merge https://github.com/rails/rails/pull/54428/commits/658c989d8ba5bfbfe8e8c29d101453235c1f11e8

---
 Dockerfile | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index e5ff88e..e961444 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -51,19 +51,18 @@ RUN SECRET_KEY_BASE_DUMMY=1 ./bin/rails assets:precompile
 
 # Final stage for app image
 FROM base
 
+# Run and own only the runtime files as a non-root user for security
+RUN groupadd --system --gid 1000 rails && \
+    useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash
+USER 1000:1000
+
 # Copy built artifacts: gems, application
-COPY --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
-COPY --from=build /rails /rails
+COPY --chown=rails:rails --from=build "${BUNDLE_PATH}" "${BUNDLE_PATH}"
+COPY --chown=rails:rails --from=build /rails /rails
 
 # TODO: find how not to depend on this hack to include the compiled SCSS.
 RUN cp app/assets/builds/application.css `ls public/assets/application-*.css`
 
-# Run and own only the runtime files as a non-root user for security
-RUN groupadd --system --gid 1000 rails && \
-    useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
-    chown -R rails:rails db log storage tmp
-USER 1000:1000
-
 # Entrypoint prepares the database.
 ENTRYPOINT ["/rails/bin/docker-entrypoint"]
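Review bot: The two `COPY --chown=rails:rails` lines hand the whole application tree and the entire gem directory to the UID the app runs as, whereas the removed `chown -R rails:rails db log storage tmp` limited write access to the mutable directories, so the comment `# Run and own only the runtime files as a non-root user for security` that the hunk moves up is no longer true: an attacker with code execution in the container can now overwrite application code and installed gems in place rather than only data and cache paths. If the layer-size saving from avoiding `chown -R` is the intended trade, reword the comment to `# Run as a non-root user; the app tree is owned by that user so the container has no root-owned files to manage` so the next reader does not assume a read-only code tree. If the read-only property matters, keep the `COPY` lines root-owned, add separate `COPY --chown=rails:rails --from=build /rails/db /rails/db` (and the same for log, storage, tmp) after them, and move the `RUN cp app/assets/builds/application.css ...` hack above `USER 1000:1000`, since it writes into `public/assets`, which would otherwise be root-owned and unwritable once the user switch has happened. Whether `${BUNDLE_PATH}` is defined in the `base` stage is outside this hunk and is assumed to be inherited from it.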