
Add Actions workflow to enforce Docker layer count for ecosystem Dockerfiles

Open · Copilot opened this issue 3 months ago · 7 comments

  • [x] Create GitHub Actions workflow to check Docker layer counts on PRs
    • [x] Detect all ecosystem Dockerfiles in the repository
    • [x] Compare layer counts between PR branch and base branch
    • [x] Fail if any Dockerfile has more layers in PR than in base
    • [x] Output results for each Dockerfile checked
    • [x] Make check non-required (does not block merging)
  • [x] Add documentation to CONTRIBUTING.md about the Docker layer count check
  • [x] Extract scripts from workflow YAML into separate files
  • [x] Use docker history for accurate layer counts (builds images first)
  • [x] Fix code scanning alert for code injection via template expansion
  • [x] Add HEREDOC syntax recommendation in documentation
Original prompt

This section details the original issue you should resolve.

<issue_title>Add Actions workflow to enforce Docker layer count for ecosystem Dockerfiles</issue_title>
<issue_description>
## Summary

Introduce a GitHub Actions workflow that automatically checks the number of layers in each ecosystem Dockerfile (e.g., npm_and_yarn/Dockerfile, bundler/Dockerfile, etc.) in this repository. The workflow must run on every pull request, enumerate the existing Docker layers, and ensure that PR changes do NOT add any new layers to any Dockerfile. If a Dockerfile is modified and results in more layers than before, the workflow should fail (but the check should NOT be required to merge PRs).

Motivation

Docker image layer count directly affects build performance and caching efficiency. This project has strict layering to optimize build times and cache utilization across its ecosystem Dockerfiles. Introducing additional layers may unintentionally harm performance. Automated checks will help maintain this standard without relying on manual reviews.

Acceptance Criteria

  • For each PR, the workflow:
    • Detects all ecosystem Dockerfiles (*/Dockerfile in root or subdirectories like npm_and_yarn/, bundler/, etc.)
    • Compares the layer count between the PR branch and the base branch (main/default)
    • Fails if any Dockerfile has a greater number of layers in the PR than in the base
    • Outputs results for each Dockerfile checked (display changed/new/removed layers)
    • Does NOT block merging (non-required check), but should be marked failure if layers are added
    • Provide rerun and debugging help for contributors
  • Add documentation for this check to the developer docs (e.g., CONTRIBUTING.md)

Implementation Notes

  • You can use dive, docker history, or any other tool/script that outputs Docker layer counts (in CI)
  • Should handle multi-stage Dockerfiles, artifacts, and differences in base image layers
  • If possible, exclude changes that only affect labels, metadata, or comments
  • The workflow should only fail (not warn) when a layer is added—other changes (edits/removal) are fine
  • Provide code comments and explanations for maintainers

Example file pattern

  • uv/Dockerfile
  • helm/Dockerfile
  • swift/Dockerfile
  • bazel/Dockerfile
  • composer/Dockerfile

Suggestion

  • Use matrix strategy to test all Dockerfiles
  • Consider reusing actions or scripts from other Docker layer analysis projects

Search results for Dockerfiles in this repo are limited to 10 results—ensure your workflow checks all ecosystem Dockerfiles.

See examples in GitHub code search.</issue_description>
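The acceptance criteria describe the comparison but not how a layer count is obtained. The shell script below is an added example, not the repository's script/docker-layer-count-check; it counts layers from the output of `docker history --human=false --format '{{.Size}}\t{{.CreatedBy}}'` (one of the tools the issue suggests) and compares a base count with a PR count, failing only when layers were added. The history text is constructed inline so the example runs without Docker. The `fs` mode, which ignores zero-byte metadata-only steps such as LABEL and CMD, is one way to honour the note about excluding label/metadata changes; whether the maintainers want every instruction or only filesystem layers counted is an assumption here.

```shell
#!/usr/bin/env sh
# Added example: count image layers from `docker history` output and compare base vs PR.
# Not the dependabot-core script; names and sample data below are constructed for the demo.

# count_layers HISTORY_TEXT [all|fs]
#   HISTORY_TEXT is what `docker history --human=false --format '{{.Size}}\t{{.CreatedBy}}' IMAGE`
#   prints: one tab-separated "size-in-bytes <TAB> instruction" line per layer.
#   all : every instruction is a layer (default)
#   fs  : only layers that added bytes, i.e. skip metadata-only steps (LABEL, ENV, CMD, ...)
count_layers() {
  hist="$1"; mode="${2:-all}"
  printf '%s\n' "$hist" | awk -v mode="$mode" -F'\t' '
    NF < 2 { next }                 # skip blank or malformed lines
    mode == "all" { n++; next }
    $1 + 0 > 0 { n++ }              # fs mode: count only non-empty layers
    END { print n + 0 }'
}

# check_layer_count NAME BASE_COUNT PR_COUNT
#   Prints a verdict; returns 1 only when the PR has MORE layers than base
#   (fewer or equal layers is fine, matching the issue's acceptance criteria).
check_layer_count() {
  name="$1"; base="$2"; pr="$3"
  if [ "$pr" -gt "$base" ]; then
    echo "FAIL $name: $base -> $pr layers (added $((pr - base)))"
    return 1
  fi
  echo "OK   $name: $base -> $pr layers"
  return 0
}

# Constructed sample of `docker history` output for the base branch image:
# two metadata-only steps and three filesystem layers.
BASE_HISTORY=$(printf '%s\t%s\n' \
  0        'CMD ["bash"]' \
  0        'LABEL org.opencontainers.image.source=https://github.com/dependabot/dependabot-core' \
  1048576  'RUN apt-get update && apt-get install -y ca-certificates' \
  524288   'COPY --chown=dependabot:dependabot . /home/dependabot/' \
  77800000 'ADD rootfs.tar.xz /')

# Constructed PR image: same as base plus one extra RUN layer and one extra LABEL.
PR_HISTORY=$(printf '%s\n' "$BASE_HISTORY"; printf '%s\t%s\n' \
  4096 'RUN npm install -g corepack' \
  0    'LABEL maintainer=example')

base_fs=$(count_layers "$BASE_HISTORY" fs)   # 3
pr_fs=$(count_layers "$PR_HISTORY" fs)       # 4

# Demo run (the RUN step added a filesystem layer, so this reports FAIL).
if ! check_layer_count "npm_and_yarn/Dockerfile" "$base_fs" "$pr_fs"; then
  echo "layer count check would mark this PR as failed"
fi
```

In CI the two images are built from the base and PR checkouts, each `docker history` output is fed to `count_layers`, and the job exits non-zero when `check_layer_count` does, which is what makes the (non-required) check show as failed on the PR.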

Comments on the Issue (you are @copilot in this section)

  • Fixes dependabot/dependabot-core#13697


Copilot · Dec 03 '25 10:12

@copilot can we extract the scripts out of the actions yaml please? That'll make them easier to read, reuse and lint.

jurre · Dec 03 '25 10:12

> @copilot can we extract the scripts out of the actions yaml please? That'll make them easier to read, reuse and lint.

Done in bb4cadc. Extracted scripts into script/docker-layer-count-detect and script/docker-layer-count-check. The workflow now just calls these scripts, making them easier to read, test, and lint.

Copilot · Dec 03 '25 10:12

@copilot there's a code scanning alert:

[.github/workflows/docker-layer-count.yml:31](https://github.com/dependabot/dependabot-core/blob/451d4a0e73a6c6ed2f2499525dc8dc3db91a3435/.github/workflows/docker-layer-count.yml#L31-L31)

```yaml
      - name: Find changed Dockerfiles
        id: find-dockerfiles
        run: script/docker-layer-count-detect "${{ github.base_ref }}"
```

code injection via template expansion (zizmor)

Can you please address this?

jurre · Dec 03 '25 13:12

> @copilot there's a code scanning alert:
>
> ...

Fixed in a6c1cef. Changed both template expansions to use environment variables instead of direct interpolation in shell commands. This prevents code injection via malicious branch names or matrix values.

Copilot · Dec 03 '25 13:12
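The alert above is zizmor's template-injection finding, and the fix described is the standard one: move the `${{ github.base_ref }}` expression into an `env:` entry (for example `BASE_REF: ${{ github.base_ref }}`) and reference `"$BASE_REF"` from `run:`. The script below is an added example, not the workflow or the commit a6c1cef; it models in plain sh what the Actions runner does. The `${{ }}` expression is substituted into the `run:` text before the shell parses it, so a branch name containing quote characters becomes shell syntax, whereas a value passed through the environment is only ever expanded as data. `detect_stub`, `EVIL_REF` and the function names are assumptions for the demo, and the injected command is a harmless echo.

```shell
#!/usr/bin/env sh
# Added example: why `run: script "${{ github.base_ref }}"` is a code injection,
# and why `env: BASE_REF: ${{ github.base_ref }}` + `run: script "$BASE_REF"` is not.
# Not the dependabot-core workflow; names and the branch name below are constructed.

# Stand-in for script/docker-layer-count-detect: just reports the base ref it received.
detect_stub() { echo "detect: base_ref=[$1]"; }

# Constructed attacker-controlled value: a PR opened against a branch named like this.
# The double quotes close the "..." argument in the run script and start new commands.
EVIL_REF='main"; echo INJECTED; echo "'

# Vulnerable form. The runner performs textual substitution of ${{ }} into the step
# script, so the text the shell finally parses is:
#   detect_stub "main"; echo INJECTED; echo ""
run_interpolated() {
  ref="$1"
  step_script="detect_stub \"$ref\""   # the run: text after template expansion
  eval "$step_script"                    # the shell now parses attacker-supplied text
}

# Hardened form. The run: text contains no ${{ }} at all; the value arrives in an
# environment variable and "$BASE_REF" is expanded AFTER the shell has parsed the
# command line, so quotes and semicolons inside it stay inert.
run_via_env() {
  BASE_REF="$1"                          # what `env: BASE_REF: ${{ ... }}` provides
  step_script='detect_stub "$BASE_REF"'  # the run: text, left unchanged by the runner
  eval "$step_script"
}

# Demo: the first call prints an INJECTED line, the second just echoes the odd name.
echo "--- interpolated (vulnerable) ---"
run_interpolated "$EVIL_REF"
echo "--- via env (hardened) ---"
run_via_env "$EVIL_REF"
```

The same reasoning applies to the `${{ matrix.* }}` values mentioned in the reply: anything that originates from a branch name, PR title, or matrix entry derived from repository content should reach `run:` only through `env:`.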

@jurre With this PR, will future PR CI fail if the Docker layer count for an ecosystem Dockerfile is not met?

honeyankit · Dec 03 '25 16:12

It fails if extra layers were introduced

jurre · Dec 03 '25 17:12

This only detects if layer counts increase, would we want to be notified if layer counts decrease?

I'd think no, decreasing seems positive so no need to be alerted?

jurre · Dec 04 '25 15:12