4 changes: 4 additions & 0 deletions .github/workflows/agent.yml
Expand Up @@ -26,12 +26,16 @@ jobs:
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"

- name: Install dependencies
run: npm ci

- name: Create branch
run: |
git checkout -b agent/issue-${{ github.event.issue.number }}

- name: Run agent
uses: docker/[email protected]
timeout-minutes: 15
with:
cagent-version: v1.15.5
agent: ./agent.yml
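Review bot: `npm ci` in the new Install dependencies step executes any install/postinstall scripts shipped by the dependencies, and this job runs in reaction to issue events (the branch name is built from `github.event.issue.number`), so unless the agent needs those scripts, `npm ci --ignore-scripts` is the safer default; the `uses:` line and `cagent-version: v1.15.5` are pinned to tags, and pinning the action to a commit SHA keeps the job's toolchain from changing underneath it. The `${{ github.event.issue.number }}` interpolation inside `run:` is fine here because the value is numeric, but routing event data through an `env:` variable is the habit that stays safe if the field is later swapped for a free-text one.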
2 changes: 1 addition & 1 deletion .gitignore
Expand Up @@ -15,4 +15,4 @@ cagent
# cagent tmp files
.cagent
.upstream-issues.md
.validation-log.md
.validation.log
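Review bot: the ignore pattern changes from `.validation-log.md` to `.validation.log`, so whatever writes the validation log must already use the new name; if the agent still writes `.validation-log.md`, that file stops being ignored and will be picked up by the commits this workflow makes under the `github-actions[bot]` identity. Worth confirming the producer was renamed in the same PR, since this diff doesn't show it.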
54 changes: 37 additions & 17 deletions content/manuals/build/building/best-practices.md
Expand Up @@ -77,30 +77,51 @@ dependencies can considerably lower the attack surface.

## Rebuild your images often

Docker images are immutable. Building an image is taking a snapshot of that
image at that moment. That includes any base images, libraries, or other
software you use in your build. To keep your images up-to-date and secure, make
sure to rebuild your image often, with updated dependencies.
Docker images are immutable. Building an image is taking a snapshot of
that image at that moment. That includes any base images, libraries, or
other software you use in your build. To keep your images up-to-date and
secure, rebuild your images regularly with updated dependencies.

To ensure that you're getting the latest versions of dependencies in your build,
you can use the `--no-cache` option to avoid cache hits.
### Use --pull to get fresh base images

```console
$ docker build --no-cache -t my-image:my-tag .
```

The following Dockerfile uses the `24.04` tag of the `ubuntu` image. Over time,
that tag may resolve to a different underlying version of the `ubuntu` image,
as the publisher rebuilds the image with new security patches and updated
libraries. Using the `--no-cache`, you can avoid cache hits and ensure a fresh
download of base images and dependencies.
The following Dockerfile uses the `24.04` tag of the `ubuntu` image.
Over time, that tag may resolve to a different underlying version of the
`ubuntu` image, as the publisher rebuilds the image with new security
patches and updated libraries.

```dockerfile
# syntax=docker/dockerfile:1
FROM ubuntu:24.04
RUN apt-get -y update && apt-get install -y --no-install-recommends python3
```

To get the latest version of the base image, use the `--pull` flag:

```console
$ docker build --pull -t my-image:my-tag .
```

The `--pull` flag forces Docker to check for and download a newer
version of the base image, even if you have a version cached locally.

### Use --no-cache for clean builds

The `--no-cache` flag disables the build cache, forcing Docker to
rebuild all layers from scratch:

```console
$ docker build --no-cache -t my-image:my-tag .
```

This gets the latest available versions of dependencies from package
managers like `apt-get` or `npm`. However, `--no-cache` doesn't pull a
fresh base image - it only prevents reusing cached layers. For a
I'm being nitpicky because "AI". Not a fan of the plain dash here, although it works.

completely fresh build with the latest base image, combine both flags:

```console
$ docker build --pull --no-cache -t my-image:my-tag .
```

Also consider [pinning base image versions](#pin-base-image-versions).

## Exclude with .dockerignore
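Review bot: the statement under "Use --no-cache for clean builds" that `--no-cache` "gets the latest available versions of dependencies from package managers like `apt-get` or `npm`" only holds when the Dockerfile re-resolves versions at build time, as the example does with `apt-get -y update && apt-get install` in one `RUN`; with `npm ci` and a committed lockfile the same versions are installed whether or not the cache is used. Suggest qualifying it, e.g. "re-runs every `RUN` instruction, so package-manager commands that resolve versions at build time (such as `apt-get update && apt-get install`) fetch the latest available packages", and splitting the sentence that currently hinges on the bare " - " flagged in the inline comment. It would also help to state explicitly that `--pull` re-resolves the `24.04` tag to whatever the publisher currently serves, which is exactly why the closing pointer to pinning base image versions matters for reproducible builds.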
Expand Down Expand Up @@ -639,10 +660,10 @@ RUN ln -s /usr/share/dotnet/dotnet /usr/bin/dotnet
```

For more information about `ADD` or `COPY`, see the following:

- [Dockerfile reference for the ADD instruction](/reference/dockerfile.md#add)
- [Dockerfile reference for the COPY instruction](/reference/dockerfile.md#copy)


### ENTRYPOINT

The best use for `ENTRYPOINT` is to set the image's main command, allowing that
Expand Down Expand Up @@ -695,7 +716,6 @@ fi
exec "$@"
```


This script uses [the `exec` Bash command](https://wiki.bash-hackers.org/commands/builtin/exec) so that the final running application becomes the container's PID 1. This allows the application to receive any Unix signals sent to the container. For more information, see the [`ENTRYPOINT` reference](/reference/dockerfile.md#entrypoint).

In the following example, a helper script is copied into the container and run via `ENTRYPOINT` on