generated from bisco/codex-bootstrap
Initial commit
40
.codex/profiles/docker.md
Normal file
@@ -0,0 +1,40 @@
# Docker profile
Enable this profile for repositories containing Dockerfiles, Compose files, container entrypoints, reverse proxy configuration, or containerized deployment logic.
## Rules
Codex MUST:
- avoid `latest` tags;
- prefer pinned or explicit versions;
- keep images small and reproducible;
- avoid privileged containers unless explicitly justified in an ADR;
- avoid unnecessary published ports;
- use least-privilege users where practical;
- avoid storing secrets in images or Compose files;
- use healthchecks when useful and practical;
- document exposed ports, volumes, networks, and runtime assumptions;
- keep entrypoints simple and explicit.
## Project mode behavior
If `.codex/project.md` sets `project_mode: work`, Codex SHOULD prefer Red Hat UBI minimal images when possible and reasonable.
If `.codex/project.md` sets `project_mode: personal`, Codex may use the most appropriate base image for the project, but it MUST still avoid `latest` tags and unsafe defaults.
## Validation examples
Use project-specific Docker-based commands, for example:
```bash
docker compose config
```
```bash
docker compose build
```
```bash
docker compose run --rm app pytest
```
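
Review bot: The Validation examples at the end of this hunk do not exercise any of the rules listed under `Codex MUST:`. `docker compose config` only confirms that the Compose file parses and resolves, `docker compose build` only confirms that the image builds, and `docker compose run --rm app pytest` assumes a service named `app` with pytest available. Consider adding at least one check that maps to a rule, for instance a search of Dockerfiles and Compose files for `latest` or untagged image references and for privileged settings, and state that `app` is a placeholder service name. Separately, several items under `Codex MUST:` carry hedges (`where practical`, `when useful and practical`), which makes a MUST hard to verify in review; either move those items to SHOULD or name the condition under which the rule may be skipped, as the privileged-container rule already does with its ADR requirement. The phrase `unsafe defaults` in the `project_mode: personal` paragraph is also undefined; pointing it at the Rules list would make it checkable.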