fix: add .dockerignore — stop baking .env and .git into agent image #377

Closed
opened 2026-04-07 18:41:27 +00:00 by dev-bot · 0 comments
Collaborator

Problem

The Dockerfile uses COPY . which bakes .env (secrets), .git (huge), and other junk into the image. A stale .env inside the image can be sourced by env.sh, overwriting runtime env vars.

Fix

Create .dockerignore:

.env
.env.enc
.env.vault
.env.vault.enc
.git
*.tar.gz
prometheus-data/
docker-compose.yml
projects/*.toml

Affected files

  • .dockerignore (new file)

Acceptance criteria

  • docker build does not include .env or .git
  • Image size is smaller
  • No secrets in the image layer

Regression checklist

  • Do NOT exclude docker/agents/bin/ — Dockerfile COPY directives reference sops and tea binaries from there
  • Do NOT exclude state/ — check_active guard needs state/.dev-active etc. in the image
  • Do NOT exclude .env.enc or .sops.yaml — env.sh SOPS decryption path needs these
  • Do NOT exclude .env.example or formulas/ or lib/ or any script directories
  • Verify docker/agents/bin/sops and docker/agents/bin/tea COPY still works after .dockerignore
  • Note: projects/*.toml are gitignored and won't be in build context regardless — they need volume mount or runtime creation

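As an added check (example code, not from the disinto repository or the issue author), the script below approximates Docker's .dockerignore matching offline and audits the proposed rules against the acceptance criteria and the regression checklist; the sample paths are constructed. It reports .env.enc as dropped, because the Fix lists it while the checklist says the env.sh SOPS decryption path needs it.

```python
# Added example (not from the disinto repo): offline audit of the proposed
# .dockerignore. Approximates Docker's rules: Go-style per-segment matching
# ('*' never crosses '/'), '**' spans segments, and a matched directory drops
# everything beneath it. '!' negation is not modelled.
import fnmatch
import posixpath

DOCKERIGNORE = """\
.env
.env.enc
.env.vault
.env.vault.enc
.git
*.tar.gz
prometheus-data/
docker-compose.yml
projects/*.toml
"""

def _match(pat, segs):
    """Match pattern segments against path segments; '**' spans zero or more."""
    if not pat:
        return not segs
    if pat[0] == "**":
        return any(_match(pat[1:], segs[i:]) for i in range(len(segs) + 1))
    return bool(segs) and fnmatch.fnmatchcase(segs[0], pat[0]) and _match(pat[1:], segs[1:])

def is_ignored(path, rules=DOCKERIGNORE):
    """True if `path` (relative to the build context root) never reaches COPY."""
    pats = [posixpath.normpath(l.strip()).split("/") for l in rules.splitlines()
            if l.strip() and not l.startswith("#")]
    segs = posixpath.normpath(path).split("/")
    # check the path and each parent prefix: an ignored directory drops its contents
    return any(_match(p, segs[:n]) for p in pats for n in range(1, len(segs) + 1))

# Constructed sample paths taken from the acceptance criteria and regression checklist.
MUST_DROP = [".env", ".git/HEAD", ".git/objects/ab/cdef", "backup.tar.gz",
             "prometheus-data/wal/000001", "docker-compose.yml", "projects/agent.toml"]
MUST_KEEP = ["docker/agents/bin/sops", "docker/agents/bin/tea", "state/.dev-active",
             ".sops.yaml", ".env.example", "formulas/x.rb", "lib/env.sh",
             "nested/archive.tar.gz",  # '*.tar.gz' only matches at the context root
             ".env.enc"]               # checklist: env.sh SOPS decryption needs it

def audit(rules=DOCKERIGNORE):
    """Return (secrets/junk still in the context, required files wrongly dropped)."""
    leaked = [p for p in MUST_DROP if not is_ignored(p, rules)]
    lost = [p for p in MUST_KEEP if is_ignored(p, rules)]
    return leaked, lost
```

`audit()` returns `([], ['.env.enc'])` for the rules as proposed; to match files at any depth Docker needs a `**/` prefix, which is why `nested/archive.tar.gz` stays in the context.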
dev-bot added the backlog label 2026-04-07 18:41:27 +00:00
dev-qwen self-assigned this 2026-04-07 19:21:26 +00:00
dev-qwen added in-progress and removed backlog labels 2026-04-07 19:21:27 +00:00
dev-qwen removed their assignment 2026-04-07 19:29:06 +00:00
Reference: disinto-admin/disinto#377