build(docker): fail image build if source maps leak into served assets#63
Merged
Conversation
Unconditional guard in the serve stage: any *.map under /srv fails the build with a clear error, on PR, push-to-main, and release builds alike. Defends against the Sentry plugin's upload-then-delete step silently failing on token-bearing builds (ADR 0014, consequences amended). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Closes #62.
Adds an unconditional guard to the Dockerfile's serve stage: if any `*.map` file is present in the served assets, the image build fails with a clear error listing the offending files. Runs on every build of the image — PR, push-to-main, and tag-triggered release — so it covers the release path where the Sentry plugin's upload-then-delete sourcemap flow actually executes and could silently fail.

Implementation notes:

- `maps="$(find -L /srv -name '*.map')" && [ -z "$maps" ] || { ...; exit 1; }` — the `&&`/`||` routing also fails the build if `find` itself errors (no vacuous pass), `-L` follows symlinks, and quoting handles arbitrary filenames.
- The `RUN` produces no filesystem changes → empty layer, no image-size impact.
- BuildKit caching can't weaken the guard: the cache key includes the digest of the copied `dist` layer, so a cache hit means identical, previously-validated content.
- The `.map` invariant was previously "verified" by a one-off manual check (which never exercised the delete path); it's now enforced on every build.

Verification:

- `docker build` ✓ (exit 0)
- A `.map` (including one with a space in the filename) in the builder output fails the build with `ERROR: source maps leaked into served assets …` listing the file ✓ — plant removed, not committed

Follow-up from #61 review.
🤖 Generated with Claude Code
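The guard from the PR body above, as an added standalone example (not the project's Dockerfile or code): the same `&&`/`||` routing as a shell function, exercised on constructed fixture trees including a filename with a space and a map reachable only through a symlink. The `/srv` root and the error wording come from the PR; the function name and fixture layout are assumptions.

```shell
#!/bin/sh
# Standalone version of the serve-stage guard: returns 0 when no *.map file is
# reachable under the given root, 1 when one is found or when find itself fails.
# The Dockerfile form is a single RUN line in the serve stage (/srv = served root):
#   RUN maps="$(find -L /srv -name '*.map')" && [ -z "$maps" ] || \
#       { echo "ERROR: source maps leaked into served assets:"; echo "$maps"; exit 1; }
guard_no_source_maps() {
  root="$1"
  # Command substitution carries find's exit status into the assignment, so a
  # failing find (e.g. missing root) takes the || branch instead of passing.
  # -L follows symlinks; the quoting keeps filenames with spaces intact.
  maps="$(find -L "$root" -name '*.map')" && [ -z "$maps" ] || {
    echo "ERROR: source maps leaked into served assets under $root:" >&2
    printf '%s\n' "$maps" >&2
    return 1
  }
}

# Constructed fixture (assumed layout): a clean tree, a tree with a leaked map
# whose name contains a space, and a tree that reaches a map only via a symlink.
make_fixture() {
  base="$(mktemp -d)"
  mkdir -p "$base/clean/assets" "$base/leaked/assets" "$base/linked" "$base/outside"
  printf 'console.log(1)\n' > "$base/clean/assets/app.js"
  printf 'console.log(1)\n' > "$base/leaked/assets/app.js"
  printf '{}\n' > "$base/leaked/assets/vendor chunk.js.map"
  printf '{}\n' > "$base/outside/app.js.map"
  ln -s "$base/outside" "$base/linked/assets"
  echo "$base"
}

# Demo run: only the clean tree should pass the guard.
fx="$(make_fixture)"
for t in clean leaked linked; do
  if guard_no_source_maps "$fx/$t" 2>/dev/null; then echo "$t: pass"; else echo "$t: FAIL"; fi
done
rm -rf "$fx"
```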