From 4187c344ceefe2f0218835d1cd585453cf8c8e2e Mon Sep 17 00:00:00 2001 From: "Jonathan A. Sternberg" Date: Mon, 5 Jan 2026 09:46:12 -0600 Subject: [PATCH] dockerfile: promote experimental linter rule This promotes the `CopyIgnoredFile` linter rule out of experimental. Signed-off-by: Jonathan A. Sternberg --- frontend/dockerfile/dockerfile_lint_test.go | 57 ++++++++++--------- frontend/dockerfile/docs/rules/_index.md | 2 +- .../docs/rules/copy-ignored-file.md | 4 -- frontend/dockerfile/linter/ruleset.go | 1 - 4 files changed, 31 insertions(+), 33 deletions(-) diff --git a/frontend/dockerfile/dockerfile_lint_test.go b/frontend/dockerfile/dockerfile_lint_test.go index e90909784305..96a285948d3e 100644 --- a/frontend/dockerfile/dockerfile_lint_test.go +++ b/frontend/dockerfile/dockerfile_lint_test.go @@ -54,7 +54,7 @@ var lintTests = integration.TestFuncs( ) func testDefinitionDescription(t *testing.T, sb integration.Sandbox) { - dockerfile := []byte(`# check=experimental=InvalidDefinitionDescription + dockerfile := []byte(`# check=skip=all;experimental=InvalidDefinitionDescription # foo this is the foo ARG foo=bar @@ -131,18 +131,6 @@ Dockerfile FROM scratch COPY Dockerfile . ADD Dockerfile /windy -`) - checkLinterWarnings(t, sb, &lintTestParams{ - Dockerfile: dockerfile, - DockerIgnore: dockerignore, - BuildErrLocation: 3, - StreamBuildErrRegexp: regexp.MustCompile(`failed to solve: failed to compute cache key: failed to calculate checksum of ref [^\s]+ "/Dockerfile": not found`), - }) - - dockerfile = []byte(`# check=experimental=CopyIgnoredFile -FROM scratch -COPY Dockerfile . -ADD Dockerfile /windy `) checkLinterWarnings(t, sb, &lintTestParams{ @@ -170,7 +158,7 @@ ADD Dockerfile /windy }, }) - dockerfile = []byte(`# check=skip=all;experimental=CopyIgnoredFile + dockerfile = []byte(` FROM scratch COPY Dockerfile . ADD Dockerfile /windy @@ -201,6 +189,19 @@ ADD Dockerfile /windy }, }) + dockerfile = []byte(`# check=skip=CopyIgnoredFile + +FROM scratch +COPY Dockerfile . +ADD Dockerfile /windy +`) + checkLinterWarnings(t, sb, &lintTestParams{ + Dockerfile: dockerfile, + DockerIgnore: dockerignore, + BuildErrLocation: 3, + StreamBuildErrRegexp: regexp.MustCompile(`failed to solve: failed to compute cache key: failed to calculate checksum of ref [^\s]+ "/Dockerfile": not found`), + }) + dockerignore = []byte(` foobar `) @@ -232,7 +233,8 @@ COPY ./Dockerfile . } func testSecretsUsedInArgOrEnv(t *testing.T, sb integration.Sandbox) { - dockerfile := []byte(` + dockerfile := []byte(`# check=skip=InvalidDefinitionDescription + FROM scratch ARG SECRET_PASSPHRASE ENV SUPER_Secret=foo @@ -260,7 +262,7 @@ ARG alternate_password Detail: `Do not use ARG or ENV instructions for sensitive data (ARG "SECRET_PASSPHRASE")`, URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/", Level: 1, - Line: 3, + Line: 4, }, { RuleName: "SecretsUsedInArgOrEnv", @@ -268,7 +270,7 @@ ARG alternate_password Detail: `Do not use ARG or ENV instructions for sensitive data (ENV "SUPER_Secret")`, URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/", Level: 1, - Line: 4, + Line: 5, }, { RuleName: "SecretsUsedInArgOrEnv", @@ -276,7 +278,7 @@ ARG alternate_password Detail: `Do not use ARG or ENV instructions for sensitive data (ENV "password")`, URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/", Level: 1, - Line: 5, + Line: 6, }, { RuleName: "SecretsUsedInArgOrEnv", @@ -284,7 +286,7 @@ ARG alternate_password Detail: `Do not use ARG or ENV instructions for sensitive data (ENV "secret")`, URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/", Level: 1, - Line: 5, + Line: 6, }, { RuleName: "SecretsUsedInArgOrEnv", @@ -292,7 +294,7 @@ ARG alternate_password Detail: `Do not use ARG or ENV instructions for sensitive data (ARG "auth")`, URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/", Level: 1, - Line: 6, + Line: 7, }, { RuleName: "SecretsUsedInArgOrEnv", @@ -300,7 +302,7 @@ ARG alternate_password Detail: `Do not use ARG or ENV instructions for sensitive data (ARG "super_duper_secret_token")`, URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/", Level: 1, - Line: 6, + Line: 7, }, { RuleName: "SecretsUsedInArgOrEnv", @@ -308,7 +310,7 @@ ARG alternate_password Detail: `Do not use ARG or ENV instructions for sensitive data (ENV "apikey")`, URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/", Level: 1, - Line: 7, + Line: 8, }, { RuleName: "SecretsUsedInArgOrEnv", @@ -316,7 +318,7 @@ ARG alternate_password Detail: `Do not use ARG or ENV instructions for sensitive data (ENV "git_key")`, URL: "https://docs.docker.com/go/dockerfile/rule/secrets-used-in-arg-or-env/", Level: 1, - Line: 8, + Line: 9, }, }, }) @@ -1692,8 +1694,9 @@ func checkProgressStream(t *testing.T, sb integration.Sandbox, lintTest *lintTes } else { if lintTest.BuildErr != "" { require.ErrorContains(t, err, lintTest.BuildErr) - } else if !lintTest.StreamBuildErrRegexp.MatchString(err.Error()) { - t.Fatalf("error %q does not match %q", err.Error(), lintTest.StreamBuildErrRegexp.String()) + } else { + require.Error(t, err) + require.Regexp(t, lintTest.StreamBuildErrRegexp, err) } } @@ -1745,10 +1748,10 @@ func checkLinterWarnings(t *testing.T, sb integration.Sandbox, lintTest *lintTes if lintTest.TmpDir == nil { testfiles := []fstest.Applier{ - fstest.CreateFile("Dockerfile", lintTest.Dockerfile, 0600), + fstest.CreateFile("Dockerfile", lintTest.Dockerfile, 0o600), } if lintTest.DockerIgnore != nil { - testfiles = append(testfiles, fstest.CreateFile(".dockerignore", lintTest.DockerIgnore, 0600)) + testfiles = append(testfiles, fstest.CreateFile(".dockerignore", lintTest.DockerIgnore, 0o600)) } lintTest.TmpDir = integration.Tmpdir( t, diff --git a/frontend/dockerfile/docs/rules/_index.md b/frontend/dockerfile/docs/rules/_index.md index d1b1f1050d26..2060cc6db45e 100644 --- a/frontend/dockerfile/docs/rules/_index.md +++ b/frontend/dockerfile/docs/rules/_index.md @@ -100,7 +100,7 @@ To learn more about how to use build checks, see FROM --platform flag should not use a constant value - CopyIgnoredFile (experimental) + CopyIgnoredFile Attempting to Copy file that is excluded by .dockerignore diff --git a/frontend/dockerfile/docs/rules/copy-ignored-file.md b/frontend/dockerfile/docs/rules/copy-ignored-file.md index 3e8e57e8d4c5..535da0be6375 100644 --- a/frontend/dockerfile/docs/rules/copy-ignored-file.md +++ b/frontend/dockerfile/docs/rules/copy-ignored-file.md @@ -6,10 +6,6 @@ aliases: - /go/dockerfile/rule/copy-ignored-file/ --- -> [!NOTE] -> This check is experimental and is not enabled by default. To enable it, see -> [Experimental checks](https://docs.docker.com/go/build-checks-experimental/). - ## Output ```text diff --git a/frontend/dockerfile/linter/ruleset.go b/frontend/dockerfile/linter/ruleset.go index 7a94c76aaa21..d1397f3bb34d 100644 --- a/frontend/dockerfile/linter/ruleset.go +++ b/frontend/dockerfile/linter/ruleset.go @@ -163,7 +163,6 @@ var ( Format: func(cmd, file string) string { return fmt.Sprintf("Attempting to %s file %q that is excluded by .dockerignore", cmd, file) }, - Experimental: true, } RuleInvalidDefinitionDescription = LinterRule[func(string, string) string]{ Name: "InvalidDefinitionDescription",