From 306176f516631bdd61cf9ae1e575c82b74c74e28 Mon Sep 17 00:00:00 2001
From: Sean Story
Date: Tue, 14 Apr 2026 08:22:00 -0500
Subject: [PATCH 1/2] Exclude dev and test deps from docker images
---
 Dockerfile | 3 +++
 Dockerfile.wolfi | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index 1b8cfa34..3904eea3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,6 +14,9 @@ RUN groupadd -g 451 crawlergroup && \
 USER crawleruser
 COPY --chown=crawleruser:crawlergroup --chmod=775 . /home/app
 WORKDIR /home/app
+# Exclude development and test gems from the production image to reduce
+# image size and CVE surface area (e.g. rack, rspec, rubocop, pry, etc.)
+RUN bundle config set --local without 'development test'
 RUN make clean install
 # Clean up build dependencies
diff --git a/Dockerfile.wolfi b/Dockerfile.wolfi
index 4813a9aa..bc3928bb 100644
--- a/Dockerfile.wolfi
+++ b/Dockerfile.wolfi
@@ -48,6 +48,9 @@ WORKDIR /home/app
 # skip jenv/rbenv setup
 ENV IS_DOCKER=1
+# Exclude development and test gems from the production image to reduce
+# image size and CVE surface area (e.g. rack, rspec, rubocop, pry, etc.)
+RUN bundle config set --local without 'development test'
 RUN make clean install
 # add more directories and files not to be copied to the runtime image from /home/app
 RUN rm -rf .git .github .idea .devcontainer .buildkite
From e3eaa06f082a3a0e6066bc6f28e035f81a921850 Mon Sep 17 00:00:00 2001
From: Sean Story
Date: Tue, 14 Apr 2026 09:56:35 -0500
Subject: [PATCH 2/2] fix CI
---
 .buildkite/scripts/run_ci_step.sh | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.buildkite/scripts/run_ci_step.sh b/.buildkite/scripts/run_ci_step.sh
index 01b9127d..9919904c 100755
--- a/.buildkite/scripts/run_ci_step.sh
+++ b/.buildkite/scripts/run_ci_step.sh
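Review bot: The new `bundle config set --local without 'development test'` trims the install set but does nothing to pin it: unless `make install` already runs Bundler in frozen mode, a stale or hand-edited Gemfile.lock is silently re-resolved at image build time, which is exactly the dependency drift a leaner production image is meant to limit. Add `RUN bundle config set --local frozen true` next to the new line so the build fails on a lockfile mismatch instead of resolving fresh versions. The comment lists `rack` among the excluded gems; `without` only drops gems that are exclusively in those groups, so if rack is also a runtime (transitive) dependency it will still be installed and the example is misleading — worth checking against the Gemfile. How `make install` invokes Bundler is outside the hunk.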
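Review bot: With `--local` the `without` setting lives in `/home/app/.bundle/config`, and the following `rm -rf` line suggests `/home/app` is later copied into a separate runtime image; if `.bundle/config` does not reach that image, `bundle exec` at runtime will read the full Gemfile and abort because the development/test gems were never installed. Either make sure `.bundle/` is among the files carried over, or set `ENV BUNDLE_WITHOUT="development:test"` so the exclusion travels with the image regardless of which files are copied (note that an ENV would then also need to be unset in CI, since `bundle config unset` does not clear environment variables). Which files the runtime stage copies is outside the hunk.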
@@ -8,6 +8,10 @@ JAVA_VERSION="$(cat .java-version)"
 export RUBY_VERSION
 export JAVA_VERSION
+# The Docker image excludes dev/test gems for a leaner production build.
+# CI needs them, so clear the 'without' config before installing.
+bundle config unset without
 case $1 in
 lint)
 echo "---- running linter"
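Review bot: `bundle config unset without` only clears the setting and installs nothing, so the rspec/rubocop/pry gems the Dockerfiles leave out are still absent until a `bundle install` (or `make install`) runs after this line; the comment says "before installing" but no install is visible in the hunk, so confirm every `case` branch performs one. Since Bundler reads a project-local `.bundle/config` ahead of `BUNDLE_WITHOUT`, an explicit unset is the right tool, but write it as `bundle config unset --local without` to target the same scope the Dockerfiles set — without a scope flag Bundler deletes the key from the global config as well, which is unwelcome when a developer runs this script outside CI. `bundle config unset` also needs Bundler 2.1 or newer as far as I recall; older toolchains only offer `bundle config --delete without`, so the image's Bundler version is worth checking. The `case` body continues outside the hunk.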