chore: No longer run weaver as root, or give full filesystem access (#1359)

Makefile

@@ -113,33 +113,44 @@ yamllint:
 # Generate markdown tables from YAML definitions
 .PHONY: table-generation
 table-generation:
-	docker run --rm -v $(PWD)/model:/source -v $(PWD)/docs:/spec -v $(PWD)/templates:/weaver/templates \
+	docker run --rm \
+		-u $(id -u ${USER}):$(id -g ${USER}) \
+		--mount 'type=bind,source=$(PWD)/templates,target=/home/weaver/templates,readonly' \
+		--mount 'type=bind,source=$(PWD)/model,target=/home/weaver/source,readonly' \
+		--mount 'type=bind,source=$(PWD)/docs,target=/home/weaver/target' \
 		$(WEAVER_CONTAINER) registry update-markdown \
-		--registry=/source \
+		--registry=/home/weaver/source \
 		--attribute-registry-base-url=/docs/attributes-registry \
-		--templates=/weaver/templates \
+		--templates=/home/weaver/templates \
 		--target=markdown \
-		/spec
+		/home/weaver/target
 
 # Generate attribute registry markdown.
 .PHONY: attribute-registry-generation
 attribute-registry-generation:
-	docker run --rm -v $(PWD)/model:/source -v $(PWD)/docs:/spec -v $(PWD)/templates:/weaver/templates \
+	docker run --rm \
+		-u $(id -u ${USER}):$(id -g ${USER}) \
+		--mount 'type=bind,source=$(PWD)/templates,target=/home/weaver/templates,readonly' \
+		--mount 'type=bind,source=$(PWD)/model,target=/home/weaver/source,readonly' \
+		--mount 'type=bind,source=$(PWD)/docs,target=/home/weaver/target' \
 		$(WEAVER_CONTAINER) registry generate \
-		  --registry=/source \
-		  --templates=/weaver/templates \
+		  --registry=/home/weaver/source \
+		  --templates=/home/weaver/templates \
 		  markdown \
-		  /spec/attributes-registry/
+		  /home/weaver/target/attributes-registry/
 	npm run fix:format
 
 # Check if current markdown tables differ from the ones that would be generated from YAML definitions (weaver).
 .PHONY: table-check
 table-check:
-	docker run --rm -v $(PWD)/model:/source -v $(PWD)/docs:/spec -v $(PWD)/templates:/weaver/templates \
+	docker run --rm \
+		--mount 'type=bind,source=$(PWD)/templates,target=/home/weaver/templates,readonly' \
+		--mount 'type=bind,source=$(PWD)/model,target=/home/weaver/source,readonly' \
+		--mount 'type=bind,source=$(PWD)/docs,target=/home/weaver/target,readonly' \
 		$(WEAVER_CONTAINER) registry update-markdown \
-		--registry=/source \
+		--registry=/home/weaver/target \
 		--attribute-registry-base-url=/docs/attributes-registry \
-		--templates=/weaver/templates \
+		--templates=/home/weaver/templates \
 		--target=markdown \
 		--dry-run \
 		/spec
@@ -215,11 +226,14 @@ generate-gh-issue-templates:
 LATEST_RELEASED_SEMCONV_VERSION := $(shell git ls-remote --tags https://github.com/open-telemetry/semantic-conventions.git | cut -f 2 | sort --reverse | head -n 1 | tr '/' ' ' | cut -d ' ' -f 3 | $(SED) 's/v//g')
 .PHONY: check-policies
 check-policies:
-	docker run --rm -v $(PWD)/model:/source -v $(PWD)/docs:/spec -v $(PWD)/policies:/policies \
+	docker run --rm \
+		-u $(id -u ${USER}):$(id -g ${USER}) \
+		--mount 'type=bind,source=$(PWD)/policies,target=/home/weaver/policies,readonly' \
+		--mount 'type=bind,source=$(PWD)/model,target=/home/weaver/source,readonly' \
 		${WEAVER_CONTAINER} registry check \
-		--registry=/source \
+		--registry=/home/weaver/source \
 		--baseline-registry=https://github.com/open-telemetry/semantic-conventions/archive/refs/tags/v$(LATEST_RELEASED_SEMCONV_VERSION).zip[model] \
-		--policy=/policies
+		--policy=/home/weaver/policies
 
 # Test rego policies
 .PHONY: test-policies

dependencies.Dockerfile

@@ -3,7 +3,7 @@
 # Dependabot can keep this file up to date with latest containers.
 
 # Weaver is used to generate markdown docs, and enforce policies on the model.
-FROM otel/weaver:0.8.0 AS weaver
+FROM otel/weaver:v0.9.1 AS weaver
 
 # OPA is used to test policies enforced by weaver.
 FROM openpolicyagent/opa:0.67.1 AS opa