From 5699ebecfdbe35176a468c6bd25159b2e050e2aa Mon Sep 17 00:00:00 2001
From: alxndrsn
Date: Sat, 5 Oct 2024 07:47:09 +0000
Subject: [PATCH 01/13] Dockerignore: convert to whitelist
* convert dockerignore from blacklist-based to whitelist
* decrease docker build context size significantly
* make docker builds less dependent on local state (e.g. local node_modules in submodules)
* add script for checking docker build context
* add CI tests to monitor if surprisingly large changes are made to the build context
---
.dockerignore | 30 ++++++-
.github/workflows/test-docker-context.yml | 19 ++++
test/check-docker-context.sh | 101 ++++++++++++++++++++++
3 files changed, 148 insertions(+), 2 deletions(-)
create mode 100644 .github/workflows/test-docker-context.yml
create mode 100755 test/check-docker-context.sh
diff --git a/.dockerignore b/.dockerignore
index 93f136199..f0c560757 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,2 +1,28 @@
-node_modules
-npm-debug.log
+**
+
+!/docs/
+!/files/
+!/test/files/
+
+!/client/.browserslistrc
+!/client/.eslintrc.js
+!/client/.tx/config
+!/client/icomoon.json
+!/client/jsconfig.json
+!/client/package.json
+!/client/package-lock.json
+!/client/vue.config.js
+!/client/bin/
+!/client/docs/
+!/client/public/
+!/client/src/
+!/client/transifex/
+
+!/server/.npmrc
+!/server/package.json
+!/server/package-lock.json
+!/server/Makefile
+!/server/pm2.config.js
+!/server/config/
+!/server/docs/
+!/server/lib/
diff --git a/.github/workflows/test-docker-context.yml b/.github/workflows/test-docker-context.yml
new file mode 100644
index 000000000..5fd52ca68
--- /dev/null
+++ b/.github/workflows/test-docker-context.yml
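Review bot: The new `.dockerignore` has no header comment saying that it is now an allowlist, so a later contributor who adds a build input will not know it must be re-included explicitly. I would add a first line such as `# Allowlist: "**" excludes everything; add a "!" entry for each path the image builds need.` Directory entries like `!/files/` and `!/docs/` re-include everything beneath them, so a second comment noting that nothing sensitive should be placed under those directories would make the intent of the allowlist explicit.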
@@ -0,0 +1,19 @@
+name: Test docker context
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ build:
+ timeout-minutes: 3
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ fetch-tags: true
+ submodules: recursive
+ # Some reasonable boundaries; these may change in future. Numbers outside
+ # these bounds indicate a misconfiguration, and should be investigated.
+ - run: ./test/check-docker-context.sh --min-size 2000 --max-size 15000 --min-count 500 --max-count 1000
diff --git a/test/check-docker-context.sh b/test/check-docker-context.sh
new file mode 100755
index 000000000..0e3bb0c60
--- /dev/null
+++ b/test/check-docker-context.sh
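Review bot: The new workflow declares no `permissions:` block, so the job runs with whatever default token scope the repository has, even though it only needs to read the checkout and run a local docker build on `push` and `pull_request`. I would add a top-level `permissions:` with `contents: read`. The step `uses: actions/checkout@v4` also references a mutable tag; pinning it as `actions/checkout@<full-commit-sha> # v4` keeps the job from picking up a re-tagged release unnoticed.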
@@ -0,0 +1,101 @@ +#!/bin/bash -eu +set -o pipefail +log() { echo "[$(basename "$0")] $*"; } + +# See: https://stackoverflow.com/a/71751097 + +while [[ $# -gt 0 ]]; do + case "$1" in + --report) skip_size=true; skip_count=true ;; + + --min-size) shift;min_size="$1" ;; + --max-size) shift;max_size="$1" ;; + --skip-size) skip_size=true ;; + + --min-count) shift;min_count="$1" ;; + --max-count) shift;max_count="$1" ;; + --skip-count) skip_count=true ;; + + *) log "!!! Unrecognised arg: $1"; exit 1 ;; + esac + shift +done + +tmp="$(mktemp)" + +log "Building docker image..." +( +docker build --no-cache --progress plain --file - . 2>&1 </dev/null +} +throw_err() { + log "!!!" + log "!!! $* !!!" + log "!!!" + cleanup + exit 1 +} + +for_humans() { + local size="$1" + if [[ "$size" -gt 999999 ]]; then + log "$((size / 1000000)) GB" + else + log "$((size / 1000)) MB" + fi +} + +log "File count: $file_count" +if [[ "${skip_count-}" != "true" ]]; then + if [[ "$file_count" -lt "$min_count" ]] || [[ "$file_count" -gt "$max_count" ]]; then + throw_err "This is a surprising number of files - expected between $min_count and $max_count" + fi +fi + +log "Total size: $(for_humans "$total_size")" +if [[ "${skip_size-}" != "true" ]]; then + # N.B. busybox `du` outputs in kB + # See: https://www.busybox.net/downloads/BusyBox.html#du + expected="- expected between $(for_humans "$min_size") and $(for_humans "$max_size")" + if [[ "$total_size" -lt "$min_size" ]]; then + throw_err "This is a surprisingly small total size $expected" + elif [[ "$total_size" -gt "$max_size" ]]; then + throw_err "This is a surprisingly large total size $expected" + fi +fi + +cleanup +log "Everything looks OK." From 50613014c1fe198d44298a185e626c5cea322d31 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Sat, 5 Oct 2024 09:07:07 +0000 Subject: [PATCH 02/13] Include .git directories --- .dockerignore | 5 +++++ 1 file changed, 5 insertions(+) 
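Review bot: The file created by `tmp="$(mktemp)"` is only removed by the explicit `cleanup` calls in `throw_err` and at the end of the script, so any exit taken under `-e` (for example a failing `docker build`) leaves it behind; registering `trap cleanup EXIT` once `cleanup` is defined covers every exit path. The bounds (`min_count`, `max_count`, `min_size`, `max_size`) are read without defaults, so omitting a flag aborts with an unbound-variable error under `-u` rather than a clear message. They also reach `[[ ... -lt ... ]]`, which evaluates its operands arithmetically, so I would check each one before the comparisons with something like `[[ "$min_count" =~ ^[0-9]+$ ]] || throw_err "--min-count must be an integer"`. The middle of this hunk (the Dockerfile heredoc and the body of `cleanup`) is not legible on this page, so the above is based on the visible lines only.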
diff --git a/.dockerignore b/.dockerignore index f0c560757..f3d0aa792 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,5 +1,8 @@ ** +# .git directories required for generating version.txt + +!/.git/ !/docs/ !/files/ !/test/files/ @@ -7,6 +10,7 @@ !/client/.browserslistrc !/client/.eslintrc.js !/client/.tx/config +!/client/.git/ !/client/icomoon.json !/client/jsconfig.json !/client/package.json @@ -19,6 +23,7 @@ !/client/transifex/ !/server/.npmrc +!/server/.git/ !/server/package.json !/server/package-lock.json !/server/Makefile From 73630f13a74bd762f734cc793c336501a6ba87d6 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Sat, 5 Oct 2024 09:29:37 +0000 Subject: [PATCH 03/13] Increase expected context size --- .github/workflows/test-docker-context.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-docker-context.yml b/.github/workflows/test-docker-context.yml index 5fd52ca68..f917740a9 100644 --- a/.github/workflows/test-docker-context.yml +++ b/.github/workflows/test-docker-context.yml @@ -16,4 +16,4 @@ jobs: submodules: recursive # Some reasonable boundaries; these may change in future. Numbers outside # these bounds indicate a misconfiguration, and should be investigated. - - run: ./test/check-docker-context.sh --min-size 2000 --max-size 15000 --min-count 500 --max-count 1000 + - run: ./test/check-docker-context.sh --min-size 30000 --max-size 50000 --min-count 500 --max-count 1000 From 3b9ddda8c3f5574fb28b3e5a5e5e1b6f6bff50a2 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Wed, 9 Oct 2024 06:51:42 +0000 Subject: [PATCH 04/13] trim client whitelist --- .dockerignore | 7 ------- 1 file changed, 7 deletions(-) diff --git a/.dockerignore b/.dockerignore index f3d0aa792..16bf40211 100644 --- a/.dockerignore +++ b/.dockerignore 
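Review bot: Re-including `!/.git/`, `!/client/.git/` and `!/server/.git/` (all three hunks of this file) sends full repository history and each `.git/config` into the build context. With `actions/checkout@v4` left at its default `persist-credentials: true`, the job token is written into the checkout's git configuration, so any Dockerfile step that copies `.git` into a layer could carry it into an image; the Dockerfiles are not visible here, so this needs checking against them. If only `version.txt` is needed, generating it before the build and allowlisting that one file would avoid shipping `.git` at all. Otherwise set `persist-credentials: false` on the checkout step and extend the comment to say which Dockerfile stage reads `.git` and that it must not be copied into a final image.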
@@ -8,19 +8,12 @@ !/test/files/ !/client/.browserslistrc -!/client/.eslintrc.js -!/client/.tx/config !/client/.git/ -!/client/icomoon.json -!/client/jsconfig.json !/client/package.json !/client/package-lock.json !/client/vue.config.js -!/client/bin/ -!/client/docs/ !/client/public/ !/client/src/ -!/client/transifex/ !/server/.npmrc !/server/.git/ From ee8a637455ded490f7f23481f0edefe5adaa2a95 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Thu, 13 Feb 2025 07:45:43 +0000 Subject: [PATCH 05/13] fix for_humans() output --- test/check-docker-context.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/check-docker-context.sh b/test/check-docker-context.sh index 0e3bb0c60..ad64dfbb8 100755 --- a/test/check-docker-context.sh +++ b/test/check-docker-context.sh @@ -72,9 +72,9 @@ throw_err() { for_humans() { local size="$1" if [[ "$size" -gt 999999 ]]; then - log "$((size / 1000000)) GB" + echo "$((size / 1000000)) GB" else - log "$((size / 1000)) MB" + echo "$((size / 1000)) MB" fi } From aec3a9259cf317dbe02371569abe1a3f2c4f70db Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Thu, 13 Feb 2025 09:22:25 +0000 Subject: [PATCH 06/13] fix bugs in script --- test/check-docker-context.sh | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/test/check-docker-context.sh b/test/check-docker-context.sh index ad64dfbb8..8bb1130e5 100755 --- a/test/check-docker-context.sh +++ b/test/check-docker-context.sh 
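Review bot: `for_humans` still truncates with integer division, so a value of 1999 is printed as `1 MB` and anything below 1000 as `0 MB`, which makes the "expected between ..." message hard to act on when a measurement is just outside a bound. Printing the raw figure alongside the rounded one would keep it unambiguous, e.g. `echo "$((size / 1000)) MB (${size} kB)"`. A one-line comment above the function stating that the input is in kB (per the busybox `du` note further down) would also help.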
@@ -23,9 +23,20 @@ done tmp="$(mktemp)" +log "Creating custom docker build driver..." +# Use custom builder to prevent log truncation: +# > output clipped, log limit 200KiB/s reached +docker buildx rm docker_context_checker || true +docker buildx create --name docker_context_checker \ + --driver-opt env.BUILDKIT_STEP_LOG_MAX_SIZE=-1 \ + --driver-opt env.BUILDKIT_STEP_LOG_MAX_SPEED=-1 +docker buildx use docker_context_checker + log "Building docker image..." ( -docker build --no-cache --progress plain --file - . 2>&1 <&1 < Date: Tue, 1 Apr 2025 12:01:25 +0000 Subject: [PATCH 07/13] wip --- .dockerignore | 28 ++-------------------------- 1 file changed, 2 insertions(+), 26 deletions(-) diff --git a/.dockerignore b/.dockerignore index 16bf40211..93f136199 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,26 +1,2 @@ -** - -# .git directories required for generating version.txt - -!/.git/ -!/docs/ -!/files/ -!/test/files/ - -!/client/.browserslistrc -!/client/.git/ -!/client/package.json -!/client/package-lock.json -!/client/vue.config.js -!/client/public/ -!/client/src/ - -!/server/.npmrc -!/server/.git/ -!/server/package.json -!/server/package-lock.json -!/server/Makefile -!/server/pm2.config.js -!/server/config/ -!/server/docs/ -!/server/lib/ +node_modules +npm-debug.log From 712a85b29f17f5ce61cfa16d2560b39d68a87d62 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Tue, 1 Apr 2025 12:04:32 +0000 Subject: [PATCH 08/13] increae expected file count --- .github/workflows/test-docker-context.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test-docker-context.yml b/.github/workflows/test-docker-context.yml index f917740a9..8353ff18a 100644 --- a/.github/workflows/test-docker-context.yml +++ b/.github/workflows/test-docker-context.yml 
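Review bot: `docker buildx use docker_context_checker` changes the caller's default builder and nothing visible in this hunk switches it back or removes the builder, so on a developer machine later builds would silently run on a builder with log limits disabled. Selecting the builder per invocation with `--builder docker_context_checker` on the build command, and adding `docker buildx rm docker_context_checker` to `cleanup`, keeps the side effect scoped to this script. The `|| true` on the initial `docker buildx rm` hides every failure, not only "builder not found", and deserves a comment saying that is intended. The rewritten build command line in this hunk is not legible on this page, so check whether it already names the builder.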
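Review bot: Going back to the two-line denylist means `node_modules` and `npm-debug.log` are matched only at the context root, so `client/node_modules` and `server/node_modules`, along with every `.git` directory and any local env or credential files, are sent to the builder again. If the allowlist has to be dropped, `**/node_modules` and `**/npm-debug.log` at least restore the exclusion inside the submodules. The commit message "wip" does not say why the allowlist was removed, and a sentence on that would help whoever revisits the size and count thresholds.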
@@ -16,4 +16,4 @@ jobs: submodules: recursive # Some reasonable boundaries; these may change in future. Numbers outside # these bounds indicate a misconfiguration, and should be investigated. - - run: ./test/check-docker-context.sh --min-size 30000 --max-size 50000 --min-count 500 --max-count 1000 + - run: ./test/check-docker-context.sh --min-size 30000 --max-size 50000 --min-count 1000 --max-count 1500 From f279b4eec9aa9e4c9627e7fd5cf095f7c5409950 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Mon, 9 Feb 2026 10:41:46 +0000 Subject: [PATCH 09/13] remove separate ci job --- .github/workflows/test-docker-context.yml | 19 ------------------- .github/workflows/test.yml | 2 +- 2 files changed, 1 insertion(+), 20 deletions(-) delete mode 100644 .github/workflows/test-docker-context.yml diff --git a/.github/workflows/test-docker-context.yml b/.github/workflows/test-docker-context.yml deleted file mode 100644 index 8353ff18a..000000000 --- a/.github/workflows/test-docker-context.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: Test docker context - -on: - push: - pull_request: - -jobs: - build: - timeout-minutes: 3 - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 - fetch-tags: true - submodules: recursive - # Some reasonable boundaries; these may change in future. Numbers outside - # these bounds indicate a misconfiguration, and should be investigated. - - run: ./test/check-docker-context.sh --min-size 30000 --max-size 50000 --min-count 1000 --max-count 1500 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a8549f0f5..eec4b5089 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -75,7 +75,7 @@ jobs: fetch-depth: 0 fetch-tags: true submodules: recursive - - run: ./test/check-docker-context.sh --report + - run: ./test/check-docker-context.sh --min-size 30000 --max-size 50000 --min-count 1000 --max-count 1500 - run: ./test/test-images.sh - if: always() run: docker compose logs 
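Review bot: The comment that explained the bounds ("Numbers outside these bounds indicate a misconfiguration, and should be investigated") is deleted with `test-docker-context.yml` and not carried over to the `- run: ./test/check-docker-context.sh ...` step in `test.yml`. I would add above that step something like `# Sizes are in kB, counts are files in the docker build context; values outside these bounds indicate a misconfigured context and should be investigated.` The surrounding job in `test.yml` begins outside this hunk, so whether it sets `permissions:` or pins its actions cannot be seen here.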
From 96d1fcb6064c1dbc391c13e9782119289b77fe72 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Mon, 9 Feb 2026 10:49:06 +0000 Subject: [PATCH 10/13] check-docker-context: print report before running checks This allows for full reporting before failure in the case of check(s) failing. --- test/check-docker-context.sh | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/test/check-docker-context.sh b/test/check-docker-context.sh index 7e7076ca2..776d86e46 100755 --- a/test/check-docker-context.sh +++ b/test/check-docker-context.sh @@ -97,13 +97,6 @@ throw_err() { exit 1 } -log "File count: $file_count" -if [[ "${skip_count-}" != "true" ]]; then - if [[ "$file_count" -lt "$min_count" ]] || [[ "$file_count" -gt "$max_count" ]]; then - throw_err "This is a surprising number of files - expected between $min_count and $max_count" - fi -fi - human_size() { if [[ "$1" -gt 999999 ]]; then echo "$(bc <<< "scale=3; $1 / 1000000") GB" @@ -112,7 +105,15 @@ human_size() { fi } +log "File count: $file_count" log "Total size: $(human_size "$total_size")" + +if [[ "${skip_count-}" != "true" ]]; then + if [[ "$file_count" -lt "$min_count" ]] || [[ "$file_count" -gt "$max_count" ]]; then + throw_err "This is a surprising number of files - expected between $min_count and $max_count" + fi +fi + if [[ "${skip_size-}" != "true" ]]; then # N.B. busybox `du` outputs in kB # See: https://www.busybox.net/downloads/BusyBox.html#du From 1704b34450e1ef31f56eb22c7c8be352e128638c Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Mon, 9 Feb 2026 10:53:05 +0000 Subject: [PATCH 11/13] Revert "check-docker-context: print report before running checks" This reverts commit 96d1fcb6064c1dbc391c13e9782119289b77fe72. --- test/check-docker-context.sh | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/test/check-docker-context.sh b/test/check-docker-context.sh index 776d86e46..7e7076ca2 100755 --- a/test/check-docker-context.sh 
+++ b/test/check-docker-context.sh @@ -97,6 +97,13 @@ throw_err() { exit 1 } +log "File count: $file_count" +if [[ "${skip_count-}" != "true" ]]; then + if [[ "$file_count" -lt "$min_count" ]] || [[ "$file_count" -gt "$max_count" ]]; then + throw_err "This is a surprising number of files - expected between $min_count and $max_count" + fi +fi + human_size() { if [[ "$1" -gt 999999 ]]; then echo "$(bc <<< "scale=3; $1 / 1000000") GB" @@ -105,15 +112,7 @@ human_size() { fi } -log "File count: $file_count" log "Total size: $(human_size "$total_size")" - -if [[ "${skip_count-}" != "true" ]]; then - if [[ "$file_count" -lt "$min_count" ]] || [[ "$file_count" -gt "$max_count" ]]; then - throw_err "This is a surprising number of files - expected between $min_count and $max_count" - fi -fi - if [[ "${skip_size-}" != "true" ]]; then # N.B. busybox `du` outputs in kB # See: https://www.busybox.net/downloads/BusyBox.html#du From 2f0dbc7897311239de82067d0023ac48f97f2e17 Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Mon, 9 Feb 2026 10:56:38 +0000 Subject: [PATCH 12/13] update expectation of file count --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index eec4b5089..fbb6ef54f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -75,7 +75,7 @@ jobs: fetch-depth: 0 fetch-tags: true submodules: recursive - - run: ./test/check-docker-context.sh --min-size 30000 --max-size 50000 --min-count 1000 --max-count 1500 + - run: ./test/check-docker-context.sh --min-size 30000 --max-size 50000 --min-count 1500 --max-count 1700 - run: ./test/test-images.sh - if: always() run: docker compose logs From 6983afa928dd18230db647938edff803672e258a Mon Sep 17 00:00:00 2001 From: alxndrsn Date: Mon, 9 Feb 2026 10:57:10 +0000 Subject: [PATCH 13/13] update size expectations --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index fbb6ef54f..0f1c0ae24 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -75,7 +75,7 @@ jobs: fetch-depth: 0 fetch-tags: true submodules: recursive - - run: ./test/check-docker-context.sh --min-size 30000 --max-size 50000 --min-count 1500 --max-count 1700 + - run: ./test/check-docker-context.sh --min-size 50000 --max-size 60000 --min-count 1500 --max-count 1700 - run: ./test/test-images.sh - if: always() run: docker compose logs