build: harden .dockerignore (secrets/, data/)

The host-side docker-compose mounts secrets/ and data/ read-only at runtime, but the build context still slurped them in. Add secrets/, data/, and general SSH key patterns (*.pem, *.key, id_rsa*, id_ed25519*, known_hosts, .ssh/) so private material can never be baked into the image even by accident. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-17 20:50:37 +00:00
parent 98b432ebce
commit 9a7b35b677
1 changed files with 10 additions and 0 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -10,3 +10,13 @@ dist
 .vite
 coverage
 /tmp
+
+# Secrets and runtime data
+secrets/
+data/
+*.pem
+*.key
+id_rsa*
+id_ed25519*
+known_hosts
+.ssh/