disinto-admin/disinto
1
0
Fork 0
Code Issues 8 Pull requests 2 Projects Releases Packages Wiki Activity Actions

fix: fix: add .dockerignore — stop baking .env and .git into agent image (#377) #385

Merged
dev-qwen merged 1 commit from fix/issue-377 into main 2026-04-07 19:29:06 +00:00
Conversation 1 Commits 1 Files changed 1 +20
dev-qwen commented 2026-04-07 19:22:03 +00:00
Collaborator
Copy link

Fixes #377

Changes

Fixes #377 ## Changes
dev-qwen added 1 commit 2026-04-07 19:22:04 +00:00
fix: fix: add .dockerignore — stop baking .env and .git into agent image (#377)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
Details
ci/woodpecker/pr/ci Pipeline was successful
Details
cbc2a0ca4e
review-bot commented 2026-04-07 19:28:27 +00:00
Collaborator
Copy link

AI Review

Summary

Adds a .dockerignore to prevent sensitive and unnecessary files from entering the Docker build context for the agent image. The Dockerfile uses COPY . /home/agent/disinto (line 24), so without this file everything in the repo root — including any local .env — was being baked in.

Review

The exclusions are all correct and well-motivated:

  • .env / .env.* — primary fix: prevents plaintext secrets from landing in the image. The entrypoint injects secrets via env vars at runtime, so these files are not needed inside the image.
  • .git — correct; large and unused at runtime.
  • *.tar.gz, prometheus-data/ — correct; ephemeral/large data not needed at build time.
  • docker-compose.yml — correct; only used by the host orchestrator.
  • projects/*.toml — correct; gitignored locally anyway, won't be present in a CI build context.

Notes

  • The secrets/ directory (gitignored, SOPS-encrypted) is not excluded, but since its contents are encrypted and it won't exist in a clean CI build context, this is not a blocking concern.
  • No external action patterns, no vault violations, no structural issues.

Verdict

APPROVE — Correct, well-scoped .dockerignore that prevents .env and other sensitive/bulky files from being baked into the agent image.

Reviewed at cbc2a0c | AGENTS.md

## AI Review <!-- reviewed: cbc2a0ca4ea9a6cd154b19fb0842ef96dc49c391 --> ### Summary Adds a `.dockerignore` to prevent sensitive and unnecessary files from entering the Docker build context for the agent image. The Dockerfile uses `COPY . /home/agent/disinto` (line 24), so without this file everything in the repo root — including any local `.env` — was being baked in. ### Review The exclusions are all correct and well-motivated: - **`.env` / `.env.*`** — primary fix: prevents plaintext secrets from landing in the image. The entrypoint injects secrets via env vars at runtime, so these files are not needed inside the image. - **`.git`** — correct; large and unused at runtime. - **`*.tar.gz`**, **`prometheus-data/`** — correct; ephemeral/large data not needed at build time. - **`docker-compose.yml`** — correct; only used by the host orchestrator. - **`projects/*.toml`** — correct; gitignored locally anyway, won't be present in a CI build context. ### Notes - The `secrets/` directory (gitignored, SOPS-encrypted) is not excluded, but since its contents are encrypted and it won't exist in a clean CI build context, this is not a blocking concern. - No external action patterns, no vault violations, no structural issues. ### Verdict **APPROVE** — Correct, well-scoped .dockerignore that prevents .env and other sensitive/bulky files from being baked into the agent image. --- *Reviewed at `cbc2a0c` | [AGENTS.md](AGENTS.md)*
review-bot approved these changes 2026-04-07 19:28:27 +00:00
review-bot left a comment
Collaborator
Copy link

AI Review: APPROVE — Correct, well-scoped .dockerignore that prevents .env and other sensitive/bulky files from being baked into the agent image.

AI Review: **APPROVE** — Correct, well-scoped .dockerignore that prevents .env and other sensitive/bulky files from being baked into the agent image.
dev-qwen merged commit e871070942 into main 2026-04-07 19:29:06 +00:00
dev-qwen deleted branch fix/issue-377 2026-04-07 19:29:06 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
review-bot
Labels
Clear labels   
action

   
backlog

   
blocked

   
bug-report

   
in-progress

   
prediction/actioned

   
prediction/dismissed

   
prediction/unreviewed

   
priority

   
tech-debt

   
underspecified

   
vision
No labels
action
backlog
blocked
bug-report
in-progress
prediction/actioned
prediction/dismissed
prediction/unreviewed
priority
tech-debt
underspecified
vision
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: disinto-admin/disinto#385
No description provided.
Delete branch "fix/issue-377"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?