
ci: testing some dockerfile validation and visualization #136

Closed
nicklasl wants to merge 1 commit into main from dependency-ci-tool-v2

Conversation

@nicklasl (Member) commented Nov 12, 2025

Summary

Adds CI tooling to track and validate Dockerfile build stage dependencies. The tool parses
multi-stage Dockerfiles, performs topological validation, and posts informational reports on
PRs when dependencies change.

Changes

New files

  • tools/dockerfile-deps.py: Python script that:
    • Parses multi-stage Dockerfile to extract build stage dependencies
    • Tracks both stage-to-stage deps (FROM, COPY --from) and file deps (COPY/ADD)
    • Performs topological sort to detect circular dependencies
    • Generates color-coded Mermaid dependency graphs
    • Validates against source of truth
    • Outputs markdown reports for GitHub Actions
  • .github/workflows/dockerfile-deps.yml: CI workflow that:
    • On main: generates source of truth and uploads as GitHub artifact (90-day retention)
    • On PRs: downloads artifact from main, validates changes, posts informational comment
    • Never blocks PRs - purely informational

Modified files

  • .gitignore: Added .dockerfile-deps.json (generated artifact, not committed)

How it works

  1. When PRs modify the Dockerfile, CI downloads the latest dependency snapshot from main
  2. Validates current PR's dependencies against the snapshot
  3. Posts a comment showing what changed (if anything)
  4. When merged to main, new snapshot is generated and stored for future PRs

Test plan

  • Create PR with workflow changes
  • Merge to main to generate initial artifact
  • Test PR validation by modifying Dockerfile
  • Verify informational comment appears
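An added, self-contained sketch of the three steps the description lists (stage parsing for FROM and COPY --from, a topological cycle check, and Mermaid output). This is example code written for this page, not the PR's tools/dockerfile-deps.py, and both Dockerfiles in it are constructed.

```python
import re

# Constructed sample Dockerfiles (not from the PR): a valid three-stage build
# and an invalid one whose COPY --from references form a cycle.
SAMPLE = """\
FROM golang:1.22 AS base
COPY go.mod go.sum ./
FROM base AS build
COPY . .
FROM gcr.io/distroless/static AS final
COPY --from=build /out/app /app
"""
CYCLE = "FROM alpine AS a\nCOPY --from=b /x /x\nFROM alpine AS b\nCOPY --from=a /y /y\n"
FROM_RE = re.compile(r"^FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
COPY_RE = re.compile(r"^(?:COPY|ADD)\s+(?:--\S+\s+)*?--from=(\S+)", re.I)

def parse_stage_deps(text):
    """Map each stage to the declared stages it reads from; external images are dropped."""
    deps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = FROM_RE.match(line)
        if m:  # a new stage starts; unnamed stages get a positional name
            current = m.group(2) or f"stage{len(deps)}"
            deps[current] = {m.group(1)}
            continue
        m = COPY_RE.match(line)
        if m and current is not None:
            deps[current].add(m.group(1))
    return {n: {d for d in ds if d in deps} for n, ds in deps.items()}

def topo_order(deps):
    """Kahn's algorithm: return a valid build order, or None if a cycle exists."""
    indeg = {n: len(d) for n, d in deps.items()}
    ready = [n for n, k in indeg.items() if k == 0]
    order = []
    while ready:
        n = ready.pop(0)
        order.append(n)
        for m, d in deps.items():
            if n in d:
                indeg[m] -= 1
                if indeg[m] == 0:
                    ready.append(m)
    return order if len(order) == len(deps) else None

def mermaid(deps):
    """Render the stage graph as a Mermaid flowchart, one edge per dependency."""
    edges = [f"  {src} --> {dst}" for dst in deps for src in sorted(deps[dst])]
    return "\n".join(["graph LR"] + edges)
```

On a PR the useful review signal is a new edge in this graph, especially a COPY --from that starts pulling artifacts from a stage that was not previously on the final image's path.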

@nicklasl nicklasl changed the title feat: store dockerfile deps as artifact instead of committed file ci: testing some dockerfile validation and visualization Nov 12, 2025
@nicklasl nicklasl marked this pull request as ready for review November 12, 2025 14:19
ci: mermaids with colors

Potential fix for code scanning alert no. 3: Workflow does not contain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

feat: store dockerfile deps as artifact instead of committed file

Store source of truth in GitHub artifacts (90-day retention) instead of
committing to repo. PR builds download from main and post informational
comments without blocking merges.

@nicklasl nicklasl force-pushed the dependency-ci-tool-v2 branch from 9659fd6 to 21c6815 Compare November 12, 2025 14:21
@nicklasl (Member, Author) commented:

This is all pretty and neat but why do we need it? 😸

@nicklasl nicklasl closed this Nov 13, 2025