fix: enforce docker context policy #3954
Open
pinehill99 wants to merge 4 commits into
Conversation
Add CI policy checker for Docker build-context exclusions.
Exclude local environment, cache, debug, and generated files from Docker build contexts.
Fail CI when required Docker build-context exclusions or Dockerfile copy hygiene regress.
Assert build-context exclusions, CI wiring, and the policy checker.
Fixes #3949
Summary
- .dockerignore rules for local env files, secret material, caches, logs, scratch/debug output, local DB files, and build artifacts
- scripts/check_docker_context.py so CI fails when required local/debug build-context exclusions are missing or on COPY . / ADD . patterns when Dockerfiles are present
Scope and overlap
Current overlap checked on 2026-05-25 KST: issue #3949 is open and has one matching open PR, #3950. #3950 adds .dockerignore and a .dockerignore test. This PR intentionally adds the missing executable CI policy gate as well, so the build-context policy fails closed if required exclusions or Dockerfile copy hygiene regress later. The current repository has no Dockerfiles, so there are no broad Dockerfile copy patterns to rewrite. The checker still enforces that policy for future Dockerfiles.
Validation
- python3 -m pytest tests/test_docker_context_policy.py -q failed before implementation because .dockerignore, CI checker wiring, and scripts/check_docker_context.py were missing
- python3 -m pytest tests/test_docker_context_policy.py -q -> 3 passed
- python3 scripts/check_docker_context.py -> passed and listed excluded local/debug samples
- python3 -m pytest tests/test_docker_context_policy.py tests/test_config.py tests/test_agent_registry.py -q -> 16 passed
- uv run flake8 scripts/check_docker_context.py tests/test_docker_context_policy.py -> passed with pyproject dev-dependencies deprecation warning only
- python3 -m py_compile scripts/check_docker_context.py tests/test_docker_context_policy.py -> passed
- git diff --check -> passed
- Full python3 -m pytest tests -q was attempted and stopped on the existing main-branch ImportError: cannot import name 'AgentStatus' from 'src.agent' in tests/test_scheduler.py; this PR does not touch that unrelated suite-health issue.
Risk control
- Chrome session before PR creation.
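The kind of fail-closed gate the summary describes, as an added illustration and not the PR's own scripts/check_docker_context.py: it parses a .dockerignore, reports required exclusions that are missing or cancelled by a negation, and flags COPY/ADD instructions whose source is the whole build context. The required-exclusion list, the function names and the sample inputs are constructed assumptions.

```python
# Added example of a Docker build-context policy check (not the PR's script).
import re

# Required .dockerignore exclusions: an assumption, the PR's list is not shown.
REQUIRED_EXCLUSIONS = {".env", ".env.*", "*.log", "__pycache__/", ".git/", "*.db"}

# COPY/ADD whose first source is the whole context: ".", "./" or "/",
# allowing option flags such as --chown=... or --from=... before the source.
_BROAD_COPY = re.compile(r"^\s*(?:COPY|ADD)\s+(?:--\S+\s+)*(?:\.|\./|/)\s", re.I)


def parse_dockerignore(text):
    """Active patterns: comments and blank lines dropped, whitespace and a
    leading './' stripped, '!' negations kept so they can be detected."""
    patterns = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("./"):
            line = line[2:]
        patterns.add(line)
    return patterns


def missing_exclusions(patterns, required=REQUIRED_EXCLUSIONS):
    """Required patterns absent from the file or re-included with '!'."""
    return sorted(p for p in required if p not in patterns or "!" + p in patterns)


def broad_copy_lines(dockerfile_text):
    """(line_no, text) for COPY/ADD instructions that copy the entire context."""
    return [(no, line.strip())
            for no, line in enumerate(dockerfile_text.splitlines(), start=1)
            if _BROAD_COPY.match(line)]


def check_policy(dockerignore_text, dockerfiles):
    """Findings as strings; an empty list means the policy passes.
    `dockerfiles` maps a Dockerfile path to its contents."""
    findings = [f".dockerignore: missing required exclusion {p!r}"
                for p in missing_exclusions(parse_dockerignore(dockerignore_text))]
    for path, text in dockerfiles.items():
        findings += [f"{path}:{no}: broad context copy {line!r}"
                     for no, line in broad_copy_lines(text)]
    return findings


# Constructed sample inputs: two required exclusions missing, one broad COPY.
SAMPLE_DOCKERIGNORE = "# local state\n.env\n.env.*\n*.log\n__pycache__/\n!.env.example\n"
SAMPLE_DOCKERFILE = "FROM python:3.12-slim\nCOPY --chown=app:app . /app\nCOPY src/ /app/src\n"

if __name__ == "__main__":
    for finding in check_policy(SAMPLE_DOCKERIGNORE, {"Dockerfile": SAMPLE_DOCKERFILE}):
        print(finding)
```

In CI the script would exit non-zero when `check_policy` returns anything, which is what makes the gate fail closed.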