fix(publish): honor env_file required: false for missing files #13848

Merged: glours merged 1 commit into docker:main from Ijtihed:fix/publish-optional-env-file, Jun 23, 2026

@Ijtihed Ijtihed commented Jun 17, 2026

Contributor

What I did

When env_file declares required false and the file is missing, docker compose publish now skips the file instead of failing. If the optional file exists, it is still scanned for sensitive data and included as a layer, which preserves existing behavior.

Two locations needed guards:

  • processFile: where env files are hashed and added as OCI layers
  • checkForSensitiveData: where env files are scanned for secrets

Non-ENOENT errors (permissions, etc.) still propagate regardless of the required flag.

Related issue

Fixes #13648

Supersedes #13650, #13651, #13652 with a diff implementing what the maintainers request in #13652 review

image

(unrelated photo of my fiance's cute cat :3)

@Ijtihed Ijtihed requested a review from a team as a code owner June 17, 2026 05:21
@Ijtihed Ijtihed requested review from glours and ndeloof June 17, 2026 05:21

@glours glours left a comment

Contributor

Thanks for picking this up and aligning with the #13652 review, the fix is in the right shape. Two small asks before merging:

  1. Dead branch in processFile (publish.go:262-264): the if envFile.Required path is unreachable in production because the project loader already enforces required: at load time. Suggest dropping it (and its test) or commenting it as defensive only.
  2. Path leak on optional missing (publish.go:265): when the file is absent we skip ReplaceEnvFile, so the published YAML keeps the local path instead of the <hash>.env placeholder. Since the hash is computed from the path string alone, we can still rewrite it — keeps the artifact filesystem-agnostic and consistent with the file-present case.

Comment thread pkg/compose/publish.go Outdated
Comment on lines +262 to +264
if envFile.Required {
return nil, fmt.Errorf("env file %s not found", envFile.Path)
}

Contributor

Nit: this if envFile.Required branch is unreachable here, the project loader (called from runPublish without SkipResolveEnvironment) already rejects missing required env files via compose-go's loadEnvFile.
The test only reaches it by forcing SkipResolveEnvironment: true.
Could you either drop the branch (and Test_processFile_required_env_file_missing) or add a comment marking it as belt-and-suspenders?
The guard in checkForSensitiveData is fine, that one is reachable because loadUnresolvedFile does set SkipResolveEnvironment.

Contributor Author

Dropped them, thanks!

Comment thread pkg/compose/publish.go Outdated
if envFile.Required {
return nil, fmt.Errorf("env file %s not found", envFile.Path)
}
continue

Contributor

Could you still call transform.ReplaceEnvFile with the hash in this skip branch? The hash is derived from envFile.Path only (not file contents), so it's deterministic whether the file exists or not.
Without the rewrite, the published YAML keeps the publisher's local (resolved-to-absolute) path instead of the opaque <hash>.env placeholder, small filesystem-layout leak, and inconsistent with the file-present case.

Contributor Author

Good catch and thanks! Done. path no longer leaks now :)

Signed-off-by: Ijtihed Kilani <ijtihedk@gmail.com>
@Ijtihed Ijtihed force-pushed the fix/publish-optional-env-file branch from 56e642c to be3a4c7 Compare June 23, 2026 11:49

@glours glours left a comment

Contributor

LGTM, thanks for the contribution 🙏

@glours glours enabled auto-merge (rebase) June 23, 2026 13:01
@glours glours merged commit 9cd8442 into docker:main Jun 23, 2026
39 checks passed
codecov Bot commented Jun 23, 2026

Codecov Report

❌ Patch coverage is 63.63636% with 4 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
pkg/compose/publish.go 63.63% 2 Missing and 2 partials ⚠️

Successfully merging this pull request may close these issues.

[BUG] docker compose publish ignores required: false on env_file
