fix(ci): add non-root USER to cypress snapshot Dockerfile #41823

Merged
subrata71 merged 1 commit into release from fix/semgrep-781859531-cypress-dockerfile-nonroot-user
May 22, 2026
@subrata71 subrata71 commented May 18, 2026

Description

Switch to the built-in node user (provided by the cypress/factory base image) before the ENTRYPOINT to avoid running the container process as root.

The cypress/factory image already sets chmod 777 /root so the Cypress binary cache at /root/.cache/Cypress remains accessible to non-root users. This is the officially supported pattern from the Cypress Docker images project.

Also cleans up apt lists after installing chromium to reduce image layer size.

Fixes https://linear.app/appsmith/issue/APP-15224/triage-semgrep-finding-781859531-missing-non-root-user-in

Automation

/ok-to-test tags="@tag.Sanity"

🔍 Cypress test results

Communication

Should the DevRel and Marketing teams inform users about this change?

  • Yes
  • No

Summary by CodeRabbit

Release Notes

  • Chores
    • Optimized Cypress test container Docker image to reduce size by streamlining installation steps and removing temporary package lists.

Tip

🟢 🟢 🟢 All cypress tests have passed! 🎉 🎉 🎉
Workflow run: https://github.com/appsmithorg/appsmith/actions/runs/26184866538
Commit: 8bf6885
Cypress dashboard.
Tags: @tag.Sanity
Spec:


Wed, 20 May 2026 20:03:46 UTC

Switch to the built-in `node` user (provided by cypress/factory base
image) before the ENTRYPOINT to avoid running the container process
as root. The factory image already sets chmod 777 on /root so the
Cypress cache remains accessible to non-root users.

Also clean up apt lists to reduce image size.

Fixes https://linear.app/appsmith/issue/APP-15224/triage-semgrep-finding-781859531-missing-non-root-user-in
coderabbitai Bot commented May 18, 2026

Walkthrough

The Cypress test Docker image consolidates Chromium package installation with apt cache cleanup into a single RUN command. This reduces the resulting image size by removing package lists immediately after installation rather than leaving them in the layer.

Changes

Dockerfile Image Optimization

| Layer / File(s) | Summary |
| --- | --- |
| Chromium installation with cache cleanup (app/client/cypress/Dockerfile) | Chromium package installation is combined with removal of apt package lists in a multi-line RUN command to reduce image size and follow Docker best practices. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

📦 A Dockerfile grows lean,
Apt caches wiped clean,
Docker best practice takes the stage—
Chromium bloat removed per page.
Smaller images, faster builds,
One RUN command fulfills! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding a non-root USER directive to the Cypress Dockerfile for security purposes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Description check | ✅ Passed | The PR description is comprehensive, well-structured, and addresses all critical template sections including motivation, issue reference, automation tag, and DevRel communication decision. |

@subrata71 subrata71 self-assigned this May 20, 2026
@subrata71 subrata71 requested a review from wyattwalter May 20, 2026 18:57
@subrata71 subrata71 added the ok-to-test Required label for CI label May 20, 2026
@subrata71 subrata71 merged commit 51c5591 into release May 22, 2026
50 checks passed
@subrata71 subrata71 deleted the fix/semgrep-781859531-cypress-dockerfile-nonroot-user branch May 22, 2026 05:56
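
Added example, not part of the pull request or the Appsmith repository: a small Python check for the condition this change addresses, reporting whether the final stage of a Dockerfile leaves the container process running as root. The two sample Dockerfiles are constructed for illustration (only the cypress/factory base image, the chromium install, the apt list cleanup and the `node` user come from the description above; the ENTRYPOINT line is hypothetical), and a stage with no USER instruction is assumed to run as root.

```python
ROOT_IDS = {"root", "0"}

def logical_lines(text):
    """Yield instructions with backslash continuations joined and comments dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""

def runtime_user(dockerfile):
    """Return the last USER set in the final stage, or None if that stage sets none."""
    user = None
    for line in logical_lines(dockerfile):
        parts = line.split(None, 1)
        instr = parts[0].upper()
        if instr == "FROM":
            user = None  # new stage: an earlier stage's USER no longer applies
        elif instr == "USER" and len(parts) > 1:
            user = parts[1].strip()
    return user

def runs_as_root(dockerfile):
    user = runtime_user(dockerfile)
    if user is None:
        return True  # assumption: the base image itself runs as root
    return user.split(":")[0] in ROOT_IDS  # handles "user:group" and numeric "0:0"

# Constructed sample: no USER instruction, so the entrypoint runs as root.
BEFORE = r"""
FROM cypress/factory
RUN apt-get update && apt-get install -y chromium
ENTRYPOINT ["run-snapshot-tests"]
"""

# Constructed sample: apt lists removed in the same layer, node user set last.
AFTER = r"""
FROM cypress/factory
RUN apt-get update && \
    apt-get install -y chromium && \
    rm -rf /var/lib/apt/lists/*
USER node
ENTRYPOINT ["run-snapshot-tests"]
"""

if __name__ == "__main__":
    print("before:", runs_as_root(BEFORE), "after:", runs_as_root(AFTER))
```

The check only reads the Dockerfile; confirming the result on a built image still requires inspecting the image's configured user.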
Labels

ok-to-test Required label for CI

2 participants