Conversation

@SpecLad SpecLad (Contributor) commented Aug 21, 2025

Motivation and context

Continuation of #9743. The frontend container actually does currently run as root, but fortunately, nginx supplies an alternative Docker image, which does not. The only difference is that without root privileges, nginx listens on port 8000 rather than 80, so change the configuration accordingly.

Also, change the ports in the ingress to their symbolic names to avoid churn in case we have to change the numbers again.

How has this been tested?

Manual testing.

Checklist

  • [x] I submit my changes into the develop branch
  • [x] I have created a changelog fragment
  • [ ] I have updated the documentation accordingly
  • [ ] I have added tests to cover my changes
  • [ ] I have linked related issues (see GitHub docs)

License

  • I submit my code changes under the same MIT License that covers the project.
    Feel free to contact the maintainers if that's a concern.

@SpecLad SpecLad marked this pull request as ready for review August 21, 2025 20:29
@codecov-commenter codecov-commenter commented Aug 21, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 82.18%. Comparing base (3894f32) to head (22986d0).
⚠️ Report is 1 commits behind head on develop.

@@             Coverage Diff             @@
##           develop    #9746      +/-   ##
===========================================
+ Coverage    75.30%   82.18%   +6.87%     
===========================================
  Files          410      466      +56     
  Lines        45186    48191    +3005     
  Branches      4082     4082              
===========================================
+ Hits         34028    39605    +5577     
+ Misses       11158     8586    -2572     
Components Coverage Δ
cvat-ui 77.01% <ø> (ø)
cvat-server 86.15% <ø> (+12.32%) ⬆️

@bsekachev bsekachev requested a review from Copilot August 22, 2025 11:10

@Copilot Copilot AI left a comment

Pull Request Overview

This PR enhances the security posture of the CVAT application by making the frontend container run as a non-root user. The change involves switching from the standard nginx Docker image to nginx's unprivileged variant and updating the port configuration throughout the application stack.

  • Switches to nginxinc/nginx-unprivileged Docker image which runs without root privileges
  • Updates port configuration from 80 to 8000 across all deployment files to accommodate the unprivileged nginx
  • Replaces hardcoded port numbers with symbolic names in ingress configuration for better maintainability

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Summary per file:

  • Dockerfile.ui: Changes base image to nginx unprivileged variant
  • helm-chart/values.yaml: Updates frontend service ports from 80 to 8000
  • helm-chart/templates/ingress.yaml: Replaces hardcoded port numbers with symbolic port names
  • helm-chart/templates/cvat_frontend/deployment.yml: Updates container ports and health check ports to 8000, adds runAsNonRoot security context
  • docker-compose.yml: Updates Traefik configuration to use port 8000
  • helm-chart/Chart.yaml: Increments chart version
  • changelog.d/20250821_192420_roman_non_root.md: Adds changelog entry for the security improvement
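The PR description and the review summary above describe three things that have to agree for a non-root frontend to work: the container must be marked runAsNonRoot, a non-root process cannot bind a port below 1024 (hence 80 becoming 8000), and probes and the Ingress must follow the port move. The script below is an added example, not code from CVAT or its Helm chart: it audits Deployment, Service and Ingress objects (given as plain dicts, as a YAML loader would produce) for exactly those properties. The sample manifests at the bottom are constructed; only the port 8000 and the nginxinc/nginx-unprivileged image come from the PR, every other name and path is an assumption.

```python
"""Audit Kubernetes manifests for the non-root frontend pattern: runAsNonRoot
set, no privileged port for a non-root container, probe ports that the
container actually exposes, and Ingress backends that name existing Service
ports. Sample manifests are constructed illustrations, not CVAT's templates."""

PRIVILEGED_PORT_MAX = 1023  # binding 1..1023 needs root or CAP_NET_BIND_SERVICE


def _get(obj, *keys, default=None):
    """Walk nested dicts; return default as soon as a key is missing."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def audit_deployment(deployment):
    """Return a list of findings; an empty list means the Deployment passes."""
    findings = []
    pod_spec = _get(deployment, "spec", "template", "spec", default={})
    pod_ctx = pod_spec.get("securityContext") or {}
    for c in pod_spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext") or {}
        # a container-level securityContext overrides the pod-level one
        non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
        if non_root is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        caps = set(_get(ctx, "capabilities", "add", default=[]) or [])
        numbers = {p.get("containerPort") for p in c.get("ports", [])}
        names = {p.get("name") for p in c.get("ports", []) if p.get("name")}
        for port in numbers:
            if (non_root is True and isinstance(port, int)
                    and port <= PRIVILEGED_PORT_MAX and "NET_BIND_SERVICE" not in caps):
                findings.append(f"{name}: non-root container cannot bind privileged port {port}")
        for probe in ("livenessProbe", "readinessProbe", "startupProbe"):
            target = _get(c, probe, "httpGet", "port")
            if target is None:
                target = _get(c, probe, "tcpSocket", "port")
            if target is not None and target not in numbers and target not in names:
                findings.append(f"{name}: {probe} targets port {target!r}, which the container does not expose")
    return findings


def audit_ingress(ingress, services):
    """Check that each Ingress backend names a known Service and one of its ports."""
    known = {}
    for svc in services:
        ports = _get(svc, "spec", "ports", default=[])
        known[svc["metadata"]["name"]] = ({p.get("name") for p in ports if p.get("name")},
                                          {p.get("port") for p in ports})
    findings = []
    for rule in _get(ingress, "spec", "rules", default=[]):
        for path in _get(rule, "http", "paths", default=[]):
            backend = _get(path, "backend", "service", default={})
            svc_name, port = backend.get("name"), backend.get("port", {})
            if svc_name not in known:
                findings.append(f"{path.get('path')}: unknown service {svc_name!r}")
                continue
            port_names, port_numbers = known[svc_name]
            if "name" in port and port["name"] not in port_names:
                findings.append(f"{path.get('path')}: service {svc_name} has no port named {port['name']!r}")
            elif "number" in port and port["number"] not in port_numbers:
                findings.append(f"{path.get('path')}: service {svc_name} has no port {port['number']}")
    return findings


# --- constructed sample manifests (illustration only, not CVAT's chart) ----------
def _deployment(port, non_root, probe_port):
    return {"spec": {"template": {"spec": {"containers": [{
        "name": "frontend",
        "image": "nginxinc/nginx-unprivileged",  # the image the PR switches to
        "securityContext": {"runAsNonRoot": non_root},
        "ports": [{"name": "http", "containerPort": port}],
        "readinessProbe": {"httpGet": {"path": "/", "port": probe_port}},
    }]}}}}


GOOD_DEPLOYMENT = _deployment(8000, True, 8000)  # the pattern the PR adopts
BAD_DEPLOYMENT = _deployment(80, True, 8000)     # port 80 kept, probe already moved
FRONTEND_SERVICE = {"metadata": {"name": "frontend"},
                    "spec": {"ports": [{"name": "http", "port": 8000}]}}
GOOD_INGRESS = {"spec": {"rules": [{"http": {"paths": [{"path": "/", "backend": {
    "service": {"name": "frontend", "port": {"name": "http"}}}}]}}]}}   # symbolic name
BAD_INGRESS = {"spec": {"rules": [{"http": {"paths": [{"path": "/", "backend": {
    "service": {"name": "frontend", "port": {"number": 80}}}}]}}]}}     # stale number

if __name__ == "__main__":
    for label, result in (("good deployment", audit_deployment(GOOD_DEPLOYMENT)),
                          ("bad deployment", audit_deployment(BAD_DEPLOYMENT)),
                          ("good ingress", audit_ingress(GOOD_INGRESS, [FRONTEND_SERVICE])),
                          ("bad ingress", audit_ingress(BAD_INGRESS, [FRONTEND_SERVICE]))):
        print(label, "->", result or "OK")
```

Referencing the Service port by name in the Ingress, as the PR does, is what lets a later port change touch only the Service and Deployment; the audit flags the stale-number case so such a change cannot silently leave the Ingress pointing at a port nothing listens on.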


@SpecLad SpecLad merged commit cecc5fc into cvat-ai:develop Aug 25, 2025
39 checks passed
@SpecLad SpecLad deleted the non-root branch August 25, 2025 11:18
@cvat-bot cvat-bot bot mentioned this pull request Sep 1, 2025