From 2e99825a29251f04f34257c680677c8c8430366a Mon Sep 17 00:00:00 2001 From: nickorlabs <130688404+nickorlabs@users.noreply.github.com> Date: Mon, 15 Jun 2026 00:49:46 -0500 Subject: [PATCH] chore: align secrets env ignore patterns Align git and Docker ignore patterns for secrets.env artifacts while preserving the intended encrypted-file workflow. --- .dockerignore | 6 ++++++ .gitignore | 7 +++++++ 2 files changed, 13 insertions(+) diff --git a/.dockerignore b/.dockerignore index aed7e9368..271d27a7a 100644 --- a/.dockerignore +++ b/.dockerignore @@ -10,6 +10,12 @@ dist/ build/ .env .env.bak.* +# Secrets: keep plaintext and every transient secrets.env variant out of +# the build context. If an encrypted secrets.env is used, it is mounted +# at runtime — never baked into the image. Mirrored in .gitignore. +secrets.env +secrets.env.* +!secrets.env.example /data/ /logs/ .git/ diff --git a/.gitignore b/.gitignore index 846e6cf74..2f9e2d984 100644 --- a/.gitignore +++ b/.gitignore @@ -15,6 +15,13 @@ venv/ .env.bak.* !.env.example +# SOPS workflow — encrypted `secrets.env` is intentionally committable, +# but every variant (plaintext, manual decrypt copy, editor backup) +# must stay out of git. Mirrored in .dockerignore so the same artifacts +# also cannot enter image build layers. +secrets.env.* +!secrets.env.example + # Data — all user data stays local data/ !services/hwfit/data/