Fix "EACCES: permission denied" for NPM v7 and v8

With NPM v7 and v8, when running as root, NPM uses the UID and GID of
the current working directory owner to execute scripts (see
[npm/cli#4095][]).

This can cause a problem if `npm install` is run as root in a directory
owned by another user because module installation scripts will instead
use that user's UID and GID but may still try to write to root's home
directory.  For example, Puppeteer will try to download Chromium to
`/root/.cache/puppeteer/chrome`, raising "EACCES: permission denied".

Similarly, this can cause a problem if `npm install` is run as root in a
directory owned by root, and then that directory is later `chown`ed to
another user.  Subsequent NPM commands (e.g. `npm run build`) run as
root will instead use that user's UID and GID, and will raise "EACCES:
permission denied" when touching anything in the root-owned
`node_modules` directory (e.g. `node_modules/.cache`).

NPM v9 removed this behavior (see [npm/rfcs#546][]), but v9 was first
released on 2022-10-24, and v8 is still widespread.

Therefore, as a workaround, instead of `chown`ing the application
directory to a non-root user, this commit `chmod`s the application
directory to grant owner-equivalent permissions to non-root users.
Additionally, this commit `chown`s and `chmod`s the `PACKAGE_JSON_DIR`
directory in the same way.

[npm/cli#4095]: npm/cli#4095
[npm/rfcs#546]: npm/rfcs#546

builder/Dockerfile

@@ -24,7 +24,7 @@ ONBUILD ENV NODE_ENV="${NODE_ENV:-production}"
 
 ONBUILD ARG APP_DIR
 ONBUILD WORKDIR "/artifacts/${APP_DIR:-/rails}"
-ONBUILD RUN chown 1000:1000 .
+ONBUILD RUN chmod o=u .
 
 
 ONBUILD COPY Gemfile Gemfile.lock .
@@ -63,3 +63,4 @@ ONBUILD RUN --mount=type=secret,required=false,id=config/master.key,target=confi
             --mount=type=secret,required=false,id=RAILS_MASTER_KEY,target=config/master.key \
               HOME="/tmp" dockhand prepare-rails-app --clean
 ONBUILD USER root
+ONBUILD RUN chown root "${PACKAGE_JSON_DIR:-.}" && chmod o=u "${PACKAGE_JSON_DIR:-.}"