docker-magento

Install script should not tamper with SSH private key file permissions or share to app container

Open draaglom opened this issue 1 year ago • 0 comments

Description

edit: removed the permissions bit, I got muddled on that front

I ran the onelinesetup script on my development machine (M1 macOS Sonoma, Docker running via Colima) and only spotted after the fact that id_rsa was mounted into the magento app automatically.

To my mind, it's quite unexpected for a docker compose project to be making this sort of change (without explicit choice!). Yes, docker is not a perfect sandbox, and one should only run trusted containers -- but sharing a private key file means increasing the level of trust one must have for the magento app, all its php + js dependencies, any additions made in this repo, and so on.

Looking back at previous issues, it looks like the motivation is that folks fairly frequently? raised issues like this one about needing to clone private repos inside the app container.

If the goal is to maximise developer-experience & minimise related issues on the repo, one compromise option could potentially be something like -- revert to a commented-out line in compose.yaml, but to call attention to that line in the onelinesetup script e.g. by directly printing some guidance to the console, or even presenting an explicit yes/no choice to the user and un-commenting if approved.

What do you think?

Steps To Reproduce

Run the onelinesetup script:

    curl -s https://raw.githubusercontent.com/markshust/docker-magento/master/lib/onelinesetup | bash -s -- magento.test 2.4.6-p3 community

Expected Result

  • ~/.ssh/id_rsa would not be shared with the app container by default

Actual Result

  • ~/.ssh/id_rsa is shared with the app image.

draaglom, Jan 17 '24 19:01
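One way the opt-in proposed in the issue could look, as an added example that is not part of the original issue or the docker-magento code. The compose.yaml fragment, the mount target path and all function names are constructed assumptions.

```shell
#!/usr/bin/env bash
# Added example: keep the SSH key mount commented out and enable it only
# on an explicit "yes". The compose content below is constructed for
# illustration, not copied from the docker-magento repository.

# Return 0 if an active (uncommented) volume entry mounts id_rsa.
ssh_key_mounted() {
  grep -Eq '^[[:space:]]*-[[:space:]]*[^#]*\.ssh/id_rsa:' "$1"
}

# Un-comment the id_rsa volume line only when the answer is y/yes.
# $1 = compose file, $2 = answer; anything else leaves the file untouched.
apply_ssh_choice() {
  local file=$1 answer=$2 tmp
  case "$answer" in
    y|Y|yes|Yes|YES)
      tmp=$(mktemp) || return 1
      sed -E 's,^([[:space:]]*)#[[:space:]]*(-[[:space:]]*.*\.ssh/id_rsa:.*)$,\1\2,' \
        "$file" > "$tmp" && cat "$tmp" > "$file"
      rm -f "$tmp"
      ;;
    *)
      return 0
      ;;
  esac
}

# Interactive wrapper. When the installer is run as `curl ... | bash`,
# stdin is the script itself, so the answer is read from the terminal.
# No terminal or no answer defaults to "no".
prompt_ssh_mount() {
  local file=$1 answer=""
  printf 'Share ~/.ssh/id_rsa with the app container? [y/N] ' >&2
  read -r answer < /dev/tty || answer=""
  apply_ssh_choice "$file" "$answer"
}

# Constructed sample compose file with the key mount commented out.
write_sample_compose() {
  cat > "$1" <<'EOF'
services:
  app:
    volumes:
      - appdata:/var/www/html
      #- ~/.ssh/id_rsa:/var/www/.ssh/id_rsa:ro
EOF
}
```

`ssh_key_mounted` also works on its own as a check against an existing compose.yaml to see whether the key is currently shared.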