From 5699ebecfdbe35176a468c6bd25159b2e050e2aa Mon Sep 17 00:00:00 2001
From: alxndrsn
Date: Sat, 5 Oct 2024 07:47:09 +0000
Subject: [PATCH 1/4] Dockerignore: convert to whitelist
* convert dockerignore from blacklist-based to whitelist
* decrease docker build context size significantly
* make docker builds less dependent on local state (e.g. local node_modules in submodules)
* add script for checking docker build context
* add CI tests to monitor if surprisingly large changes are made to the build context
---
 .dockerignore | 30 ++++++-
 .github/workflows/test-docker-context.yml | 19 ++++
 test/check-docker-context.sh | 101 ++++++++++++++++++++++
 3 files changed, 148 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/test-docker-context.yml
 create mode 100755 test/check-docker-context.sh
diff --git a/.dockerignore b/.dockerignore
index 93f13619..f0c56075 100644
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,2 +1,28 @@
-node_modules
-npm-debug.log
+**
+
+!/docs/
+!/files/
+!/test/files/
+
+!/client/.browserslistrc
+!/client/.eslintrc.js
+!/client/.tx/config
+!/client/icomoon.json
+!/client/jsconfig.json
+!/client/package.json
+!/client/package-lock.json
+!/client/vue.config.js
+!/client/bin/
+!/client/docs/
+!/client/public/
+!/client/src/
+!/client/transifex/
+
+!/server/.npmrc
+!/server/package.json
+!/server/package-lock.json
+!/server/Makefile
+!/server/pm2.config.js
+!/server/config/
+!/server/docs/
+!/server/lib/
diff --git a/.github/workflows/test-docker-context.yml b/.github/workflows/test-docker-context.yml
new file mode 100644
index 00000000..5fd52ca6
--- /dev/null
+++ b/.github/workflows/test-docker-context.yml
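Review bot: `!/server/config/` re-includes every file under that directory, so any developer-local override kept there (node-config style `local.json` files with database or session secrets, if this project uses them) still enters the build context and, depending on the Dockerfile, the image. A trailing re-exclusion placed after the exceptions keeps the whitelist honest, e.g. `/server/config/local*` (last matching pattern wins in .dockerignore), and the same treatment may be worth applying to `/client/public/`. Note also that the removed `node_modules` entry is now only implied for the top level: a `node_modules` nested inside a whitelisted directory such as `/docs/` or `/client/src/` would be included again, so a closing `**/node_modules` line would preserve the old guarantee.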
@@ -0,0 +1,19 @@
+name: Test docker context
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ build:
+ timeout-minutes: 3
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ fetch-tags: true
+ submodules: recursive
+ # Some reasonable boundaries; these may change in future. Numbers outside
+ # these bounds indicate a misconfiguration, and should be investigated.
+ - run: ./test/check-docker-context.sh --min-size 2000 --max-size 15000 --min-count 500 --max-count 1000
diff --git a/test/check-docker-context.sh b/test/check-docker-context.sh
new file mode 100755
index 00000000..0e3bb0c6
--- /dev/null
+++ b/test/check-docker-context.sh
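Review bot: The job has no `permissions:` block and resolves `actions/checkout@v4` through a mutable tag, so it runs with the repository's default GITHUB_TOKEN scope and whatever commit the tag points at on the day. Since this job only builds a throw-away image and never pushes, it can be locked down with a top-level `permissions:` block containing `contents: read`, `persist-credentials: false` under `with:` so the token is not written into `.git/config` on the runner, and the action pinned to a full commit SHA with the version in a trailing comment. A one-line comment on `fetch-depth: 0` saying what needs the full history would also help, since the script invoked on the last line does not call git itself as far as is visible.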
@@ -0,0 +1,101 @@
+#!/bin/bash -eu
+set -o pipefail
+log() { echo "[$(basename "$0")] $*"; }
+
+# See: https://stackoverflow.com/a/71751097
+
+while [[ $# -gt 0 ]]; do
+ case "$1" in
+ --report) skip_size=true; skip_count=true ;;
+
+ --min-size) shift;min_size="$1" ;;
+ --max-size) shift;max_size="$1" ;;
+ --skip-size) skip_size=true ;;
+
+ --min-count) shift;min_count="$1" ;;
+ --max-count) shift;max_count="$1" ;;
+ --skip-count) skip_count=true ;;
+
+ *) log "!!! Unrecognised arg: $1"; exit 1 ;;
+ esac
+ shift
+done
+
+tmp="$(mktemp)"
+
+log "Building docker image..."
+(
+docker build --no-cache --progress plain --file - . 2>&1 </dev/null
+}
+throw_err() {
+ log "!!!"
+ log "!!! $* !!!"
+ log "!!!"
+ cleanup
+ exit 1
+}
+
+for_humans() {
+ local size="$1"
+ if [[ "$size" -gt 999999 ]]; then
+ log "$((size / 1000000)) GB"
+ else
+ log "$((size / 1000)) MB"
+ fi
+}
+
+log "File count: $file_count"
+if [[ "${skip_count-}" != "true" ]]; then
+ if [[ "$file_count" -lt "$min_count" ]] || [[ "$file_count" -gt "$max_count" ]]; then
+ throw_err "This is a surprising number of files - expected between $min_count and $max_count"
+ fi
+fi
+
+log "Total size: $(for_humans "$total_size")"
+if [[ "${skip_size-}" != "true" ]]; then
+ # N.B. busybox `du` outputs in kB
+ # See: https://www.busybox.net/downloads/BusyBox.html#du
+ expected="- expected between $(for_humans "$min_size") and $(for_humans "$max_size")"
+ if [[ "$total_size" -lt "$min_size" ]]; then
+ throw_err "This is a surprisingly small total size $expected"
+ elif [[ "$total_size" -gt "$max_size" ]]; then
+ throw_err "This is a surprisingly large total size $expected"
+ fi
+fi
+
+cleanup
+log "Everything looks OK."
From 50613014c1fe198d44298a185e626c5cea322d31 Mon Sep 17 00:00:00 2001
From: alxndrsn
Date: Sat, 5 Oct 2024 09:07:07 +0000
Subject: [PATCH 2/4] Include .git directories
---
 .dockerignore | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.dockerignore b/.dockerignore
index f0c56075..f3d0aa79 100644
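Review bot: `for_humans` prints its result through `log`, so `$(for_humans "$total_size")` captures the `[check-docker-context.sh]` prefix and the `Total size:` and `expected between` messages show it twice; the helper should emit the bare value with `echo "$((size / 1000000)) GB"` and `echo "$((size / 1000)) MB"`. The bounds are validated only by `set -u`: a run without `--min-size` (and without `--skip-size`) dies at the comparison with an unbound-variable error instead of a usage message, so a guard such as `: "${min_size:?--min-size is required unless --skip-size is given}"` after the argument loop (and the same for the other three) would fail earlier and more clearly. `tmp="$(mktemp)"` is released only by the explicit `cleanup` calls, so an error between the build and the checks under `set -e` leaves the temp file and whatever else `cleanup` tears down behind; `trap cleanup EXIT` once `cleanup` is defined covers every exit path. The `-eu` on the shebang line is lost when the script is run as `bash test/check-docker-context.sh`, so folding it into the existing line as `set -euo pipefail` is safer. The middle of this hunk (the docker build heredoc, the extraction of `file_count`/`total_size` and the body of `cleanup`) appears to have been lost in extraction and could not be reviewed.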
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,5 +1,8 @@
 **
+# .git directories required for generating version.txt
+
+!/.git/
 !/docs/
 !/files/
 !/test/files/
@@ -7,6 +10,7 @@
 !/client/.browserslistrc
 !/client/.eslintrc.js
 !/client/.tx/config
+!/client/.git/
 !/client/icomoon.json
 !/client/jsconfig.json
 !/client/package.json
@@ -19,6 +23,7 @@
 !/client/transifex/
 !/server/.npmrc
+!/server/.git/
 !/server/package.json
 !/server/package-lock.json
 !/server/Makefile
From 73630f13a74bd762f734cc793c336501a6ba87d6 Mon Sep 17 00:00:00 2001
From: alxndrsn
Date: Sat, 5 Oct 2024 09:29:37 +0000
Subject: [PATCH 3/4] Increase expected context size
---
 .github/workflows/test-docker-context.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test-docker-context.yml b/.github/workflows/test-docker-context.yml
index 5fd52ca6..f917740a 100644
--- a/.github/workflows/test-docker-context.yml
+++ b/.github/workflows/test-docker-context.yml
@@ -16,4 +16,4 @@ jobs:
 submodules: recursive
 # Some reasonable boundaries; these may change in future. Numbers outside
 # these bounds indicate a misconfiguration, and should be investigated.
- - run: ./test/check-docker-context.sh --min-size 2000 --max-size 15000 --min-count 500 --max-count 1000
+ - run: ./test/check-docker-context.sh --min-size 30000 --max-size 50000 --min-count 500 --max-count 1000
From 3b9ddda8c3f5574fb28b3e5a5e5e1b6f6bff50a2 Mon Sep 17 00:00:00 2001
From: alxndrsn
Date: Wed, 9 Oct 2024 06:51:42 +0000
Subject: [PATCH 4/4] trim client whitelist
---
 .dockerignore | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/.dockerignore b/.dockerignore
index f3d0aa79..16bf4021 100644
--- a/.dockerignore
+++ b/.dockerignore
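Review bot: Nothing in this hunk keeps the re-included `.git` directories out of the final image, and on a CI runner `.git/config` also holds the job's GITHUB_TOKEN by default (actions/checkout persists it unless `persist-credentials: false` is set), so a Dockerfile that does `COPY . .` before deriving version.txt would bake both the full history and that token into a layer that may be pushed. The safer shape is to derive the version outside the build and pass it in, e.g. `docker build --build-arg VERSION="$(git describe --tags)"` paired with `ARG VERSION` in the Dockerfile, or to copy `.git` only into a builder stage that is discarded. If `client` and `server` are submodules, `client/.git` is normally a gitdir pointer file rather than a directory, so `!/client/.git/` may match nothing while the submodule history is already pulled in through `/.git/modules/` by `!/.git/`; the check script's file count should show which it is. The `# .git directories required for generating version.txt` comment would be more useful if it named the Dockerfile step that reads them.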
@@ -8,19 +8,12 @@
 !/test/files/
 !/client/.browserslistrc
-!/client/.eslintrc.js
-!/client/.tx/config
 !/client/.git/
-!/client/icomoon.json
-!/client/jsconfig.json
 !/client/package.json
 !/client/package-lock.json
 !/client/vue.config.js
-!/client/bin/
-!/client/docs/
 !/client/public/
 !/client/src/
-!/client/transifex/
 !/server/.npmrc
 !/server/.git/