This change risks breaking CI and requires workarounds for anyone who's not checking world-readable files. Are there any Docker guidelines or conventions that recommend this approach?

The Center for Internet Security (CIS) Benchmark for Docker states in section 4.1 that containers should be run as non-root whenever possible (seehttps://www.cisecurity.org/benchmark/docker). Furthermore, running as non-root by default would be applying the Principle of Least Privilege.

As for filesystem permissions, default Ubuntu systems have a umask of 0002 (meaning files are already world-readable). So this would not be a problem. In the event that this is changed, though, users can add-u $(id -u):$(id -g) to theirdocker run command, which would run the container as the host user.

Because most users simply copy/paste from the documentation, we can very easily add the-u part tohttps://github.com/koalaman/shellcheck/blob/master/README.md?plain=1#L214. Adding-u to the CI config would also be easy.

Running as an unprivileged user makes sense for reducing security risks. Good call! I agree with this.

Bump.