
fix: harden production docker build context#136

Merged: erskingardner merged 2 commits into master from uma/docker-build-hardening on Jun 29, 2026

Conversation


@erskingardner erskingardner commented Jun 29, 2026

Member

Summary

  • Exclude local deployment backups and Caddy scratch files from the Docker build context.
  • Create and chown /home/goggles for the non-root runtime user so Gunicorn can create its control socket without permission errors.

Verification

  • Deployed equivalent changes on goggles.ipf.dev during the audit-redesign rollout.
  • Rebuilt goggles-web successfully with a small build context.
  • Verified /healthz/, login, and static assets returned 200 after restart.

Sensitive paths

None. This only touches .dockerignore and Dockerfile.


Summary by CodeRabbit

  • Chores
    • Tightened container build setup by excluding additional local deployment and configuration artifacts from the build context.
    • Improved container user setup by creating and assigning ownership of the runtime home directory, helping ensure smoother startup and permission handling.


stage-review Bot commented Jun 29, 2026


Ready to review this PR? Stage has broken it down into 2 individual chapters for you:

  1. Exclude deployment artifacts from Docker context
  2. Configure home directory for non-root user

Chapters generated by Stage for commit 20d1ad2 on Jun 29, 2026 1:28pm UTC.


coderabbitai Bot commented Jun 29, 2026



No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a6247ed4-abbe-43ff-9e60-36e2b2262264

📥 Commits

Reviewing files that changed from the base of the PR and between 951c990 and 20d1ad2.

📒 Files selected for processing (2)
  • .dockerignore
  • Dockerfile

Walkthrough

Adds three entries to .dockerignore to exclude local deployment backups and Caddy goggles configs from the build context. Updates the Dockerfile RUN command to also create /home/goggles and set its ownership to goggles:goggles.

Changes

Docker Configuration

Layer: Build context exclusions and user home directory
File(s): .dockerignore, Dockerfile
Summary: Three paths (local-deploy-backups/, Caddyfile.with-goggles, caddy-with-goggles.json) are added to .dockerignore; the RUN command in Dockerfile now creates /home/goggles and assigns its ownership to goggles:goggles.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks: 5 passed
  • Description Check: ✅ Passed. Check skipped because CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly summarizes the main change: hardening the production Docker build context and runtime setup.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage; docstring coverage check skipped.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
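As an added illustration of the pattern this PR describes (not the project's own Dockerfile, which is not shown on this page), the fragment below creates the non-root runtime user, creates /home/goggles and chowns it to goggles:goggles before dropping privileges. The user and group name, the home path and the Gunicorn socket rationale come from the PR summary; the base image, the useradd flags, the /app working directory, the WSGI module name and the bind address are assumptions. The three .dockerignore entries listed in the walkthrough (local-deploy-backups/, Caddyfile.with-goggles, caddy-with-goggles.json) are assumed to sit in a .dockerignore next to this file, which is what keeps the build context small and keeps local backups and Caddy scratch files out of the image layers.

```dockerfile
# Added example, not the project's Dockerfile. Base image, paths and
# Gunicorn invocation are assumptions; "goggles" and /home/goggles come from the PR.
FROM python:3.12-slim

# Create an unprivileged runtime user and its home directory in one layer.
# Before the fix the RUN line only created the user; useradd with
# --no-create-home does not create /home/goggles, so a process running as
# "goggles" that writes under its home hits "Permission denied".
# The mkdir + chown below is the fix the PR describes.
RUN groupadd --system goggles \
    && useradd --system --gid goggles --no-create-home --home-dir /home/goggles goggles \
    && mkdir -p /home/goggles \
    && chown goggles:goggles /home/goggles

WORKDIR /app
# Application source is copied owned by the runtime user; anything listed in
# .dockerignore (backups, Caddy scratch files) never enters the build context.
COPY --chown=goggles:goggles . /app

# Drop privileges before the service starts; everything below runs as goggles.
USER goggles

# Gunicorn now has an owned, writable home, so it can create its control
# socket there without a permission error. Module and bind address are assumed.
CMD ["gunicorn", "--bind", "0.0.0.0:8000", "app.wsgi:application"]
```

One check worth running after a rebuild, in the spirit of the PR's verification section, is `docker run --rm <image> stat -c '%U:%G %a' /home/goggles`, which should report `goggles:goggles` with a mode the user can write to; the `<image>` placeholder stands for whatever tag the build produced.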

@erskingardner erskingardner merged commit 483ba42 into master Jun 29, 2026
3 checks passed
@erskingardner erskingardner deleted the uma/docker-build-hardening branch June 29, 2026 13:32