fix: address PR review feedback

KingPin · KingPin · commit 00708866b29e · 2026-03-26T00:30:27.000-04:00
- Remove unreachable case 3) SLEEP_TIME=20 branches in retry loops
  (guarded by ATTEMPT -lt 3, so ATTEMPT=3 never reaches the case)
- Clarify README: appuser is pre-created in v2 but entrypoint runs
  as root for s6-overlay; users should use --user 1000:1000
diff --git a/Dockerfile.v1 b/Dockerfile.v1
@@ -28,7 +28,6 @@ RUN for ATTEMPT in 1 2 3; do \
                 case $ATTEMPT in \
                     1) SLEEP_TIME=5 ;; \
                     2) SLEEP_TIME=10 ;; \
-                    3) SLEEP_TIME=20 ;; \
                 esac; \
                 echo "Download attempt $ATTEMPT failed, retrying in ${SLEEP_TIME}s..."; \
                 sleep $SLEEP_TIME; \
@@ -49,7 +48,6 @@ RUN for ATTEMPT in 1 2 3; do \
                 case $ATTEMPT in \
                     1) SLEEP_TIME=5 ;; \
                     2) SLEEP_TIME=10 ;; \
-                    3) SLEEP_TIME=20 ;; \
                 esac; \
                 echo "Extension installation attempt $ATTEMPT failed, retrying in ${SLEEP_TIME}s..."; \
                 sleep $SLEEP_TIME; \
diff --git a/Dockerfile.v2 b/Dockerfile.v2
@@ -138,7 +138,6 @@ RUN if [ "$BASEOS" = "trixie" ] || [ "$BASEOS" = "bookworm" ]; then \
                 case $ATTEMPT in \
                     1) SLEEP_TIME=5 ;; \
                     2) SLEEP_TIME=10 ;; \
-                    3) SLEEP_TIME=20 ;; \
                 esac; \
                 echo "Download attempt $ATTEMPT failed, retrying in ${SLEEP_TIME}s..."; \
                 sleep $SLEEP_TIME; \
@@ -183,7 +182,6 @@ RUN if [ "$BASEOS" = "trixie" ] || [ "$BASEOS" = "bookworm" ]; then \
                 case $ATTEMPT in \
                     1) SLEEP_TIME=5 ;; \
                     2) SLEEP_TIME=10 ;; \
-                    3) SLEEP_TIME=20 ;; \
                 esac; \
                 echo "Download attempt $ATTEMPT failed, retrying in ${SLEEP_TIME}s..."; \
                 sleep $SLEEP_TIME; \
diff --git a/README.md b/README.md
@@ -156,10 +156,12 @@ We maintain **two image variants** to support both existing users and modern use
 ✅ Proper PID 1 and process supervision (s6)
 ✅ Safe for running FPM + sidecar processes (e.g., cron, queue workers)
 ✅ Environment-based PHP config at runtime
-✅ Non-root user (appuser, UID 1000) by default
+✅ Includes non-root user (`appuser`, UID 1000) for running your application
 ✅ Easier to add background services and health checks
 ✅ Handles container signals properly
 
+> The container entrypoint runs as root (required for s6-overlay as PID 1), but a non-root `appuser` is pre-created. To run your app as this user, use `--user 1000:1000` or configure your orchestrator's security context.
+
 **Cons:**
 
 ❌ Slightly larger image due to s6-overlay (~2-3MB)
@@ -208,7 +210,7 @@ For more details, see [docs/ci.md](docs/ci.md).
 
 These images are designed with security in mind:
 
-- **Non-root User (v2)**: v2 containers include a non-root `appuser` (UID 1000). v1 images run as the base PHP image default (root)
+- **Non-root User (v2)**: v2 images include a pre-created `appuser` (UID 1000) for running your application. The entrypoint runs as root for s6-overlay, but your app can run as appuser via `--user 1000:1000`. v1 images run as the base PHP image default (root)
 - **Limited Permissions (v2)**: `/var/www/html` directory has appropriate ownership and permissions
 - **Security Updates**: Images are regularly scanned for vulnerabilities via Trivy
 
