chore: merge final consecutive RUN in Dockerfile (close docker:S7031)

Dockerfile

@@ -193,32 +193,44 @@ WORKDIR /var/www/html
 COPY --from=builder --chown=root:www-data /build /var/www/html
 COPY rootfs/ /
 
-# Surface the dependency manifest for ops debugging
-# (`docker exec snipe-it cat /var/lib/snipeit/deps.txt`), prepare the
-# writable surfaces for the www-data process, and mark entrypoint executable.
-# Single RUN so we ship one image layer instead of three (SonarCloud
-# docker:S7031 — consecutive RUN instructions should be merged).
+# All runtime-stage filesystem setup folded into a single RUN — SonarCloud
+# docker:S7031 (consecutive RUN instructions should be merged). The blocks
+# correspond to:
+#
+#   1. Dependency manifest surfaced for ops debugging
+#      (`docker exec snipe-it cat /var/lib/snipeit/deps.txt`).
+#   2. Writable surfaces for the www-data process — storage, bootstrap
+#      cache, /var/lib/snipeit (user content), and /run/php-fpm (the
+#      socket directory). All four are also re-chown'd by entrypoint.sh
+#      at container start, so the snipe-it process can write to them
+#      regardless of how the operator mounts volumes:
+#        - named volume → image-layer chown survives until first write
+#        - bind-mount → host UID/GID wins, entrypoint chown fixes it
+#        - tmpfs → mount masks image-layer chown, entrypoint fixes it
+#   3. Entrypoint executable bit.
+#
+# About /run/php-fpm: php-fpm binds its unix socket here. Compose mounts
+# a tmpfs at this path; this mkdir is the fallback for `docker run` of
+# the image standalone. The image inherits `EXPOSE 9000` from the
+# `php:8.5-fpm-alpine` base — that's only OCI metadata, and our
+# `php-fpm.d/zz-snipe-it.conf` sets `listen = /run/php-fpm/snipeit.sock`,
+# so nothing actually binds to TCP 9000. Socket-only listening closes a
+# FastCGI bypass: with TCP, any sibling container on the snipeit network
+# could speak FastCGI directly to php-fpm, bypassing nginx access
+# control. (Dockerfile has no `UNEXPOSE`; the inherited EXPOSE metadata
+# is moot when no process listens.)
 RUN set -eux; \
-    mkdir -p /var/lib/snipeit \
+    mkdir -p /var/lib/snipeit /run/php-fpm \
     && cp /var/www/html/deps-manifest.txt /var/lib/snipeit/deps.txt \
     && chmod 0644 /var/lib/snipeit/deps.txt \
     && rm -f /var/www/html/deps-manifest.txt \
     && chown -R www-data:www-data \
         /var/www/html/storage \
         /var/www/html/bootstrap/cache \
         /var/lib/snipeit \
+        /run/php-fpm \
     && chmod 0755 /usr/local/bin/entrypoint.sh
 
-# php-fpm listens on a unix socket at /run/php-fpm/snipeit.sock (shared
-# tmpfs volume between `app` and `web` in compose). NO TCP port exposed.
-# Rationale: closes a FastCGI bypass — with TCP on 0.0.0.0:9000, any
-# sibling container on the snipeit network could speak FastCGI directly,
-# trivially bypassing nginx access control.
-
-# /run/php-fpm must exist for php-fpm to bind the socket — compose mounts
-# a tmpfs here; this RUN is the fallback if the image is run standalone.
-RUN mkdir -p /run/php-fpm && chown www-data:www-data /run/php-fpm
-
 # --start-interval=5s probes every 5s during the 120s start_period instead of
 # waiting up to the full --interval=30s between checks. Means `docker compose
 # up --wait` returns as soon as php-fpm actually accepts FastCGI (typically

rootfs/usr/local/bin/entrypoint.sh

@@ -71,12 +71,18 @@ mkdir -p \
   /var/www/html/storage/framework/views \
   /var/www/html/storage/logs \
   /var/www/html/bootstrap/cache \
-  /var/lib/snipeit
+  /var/lib/snipeit \
+  /run/php-fpm
 
+# /run/php-fpm is also chown'd in case compose mounts a tmpfs here:
+# tmpfs masks the image-bake chown, so php-fpm (UID www-data) can't
+# create its socket without this. Standalone `docker run` of the image
+# falls back to the image-layer chown set in the Dockerfile.
 chown -R www-data:www-data \
   /var/www/html/storage \
   /var/www/html/bootstrap/cache \
-  /var/lib/snipeit 2>/dev/null || true
+  /var/lib/snipeit \
+  /run/php-fpm 2>/dev/null || true
 # Only chmod the directories we just (potentially) created via mkdir -p above —
 # a recursive chmod across the whole storage tree pegs CPU for seconds on large
 # instances on every container start. Pre-existing files keep their modes.