docker: default published images to seaweed user (#8819)

* ci: add Trivy CVE scan to container release workflow

* docker: default published images to seaweed user

* Revert "ci: add Trivy CVE scan to container release workflow"

This reverts commit bc9b7e1cf7a0694e355c5d23b5e323a07e8ba670.

docker/Dockerfile.go_build

@@ -79,5 +79,9 @@ RUN mkdir -p /data/filerldb2 && \
 VOLUME /data
 WORKDIR /data
 
-# Entrypoint will handle permission fixes and user switching
+# Run as non-root by default (satisfies security scanners).
+# Use `docker run --user root` if you need the entrypoint to fix
+# /data volume ownership before dropping privileges.
+USER seaweed
+
 ENTRYPOINT ["/entrypoint.sh"]

docker/Dockerfile.local

@@ -37,5 +37,9 @@ RUN mkdir -p /data/filerldb2 && \
 VOLUME /data
 WORKDIR /data
 
-# Entrypoint will handle permission fixes and user switching
+# Run as non-root by default (satisfies security scanners).
+# Use `docker run --user root` if you need the entrypoint to fix
+# /data volume ownership before dropping privileges.
+USER seaweed
+
 ENTRYPOINT ["/entrypoint.sh"]