Match docker build-context UX for sandbox Image builds #775

Merged: cooleel merged 8 commits into main from sw/fix_image_build_sdk on Jun 27, 2026
cooleel commented Jun 26, 2026

Contributor

Summary

Align Image.build() / createSandboxImage() with docker build <context>:

  • When context_dir is given, upload that directory as-is.
  • When omitted and the image reads host files (COPY/ADD host sources, or a RUN --mount=type=bind reading the context), fail fast asking for context_dir instead of silently archiving the cwd.
  • When omitted and the image reads no host files, upload an empty context (just the generated Dockerfile).

Bind-mount detection covers the BuildKit default (type=bind, no from=); from= mounts and cache/tmpfs/secret/ssh mounts don't require a context.

Why

The old path always uploaded the cwd, leaking unrelated files into the build context and surprising users. The new behavior is explicit and matches Docker.

Changes

  • Python + TypeScript SDK kept in sync (sandbox_builder.py, sandbox-image.ts).
  • Tests added for COPY/ADD, remote ADD, --from stage, and RUN bind/cache mounts.

Versions

Python SDK → 0.5.51, TypeScript SDK → 0.5.50.
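
The context-detection rule from the summary above, as an added sketch that is not the SDK's own code. It works on rendered Dockerfile text rather than the SDK's Image ops; the function names are hypothetical, instructions are assumed to be in shell form, and heredoc sources are not handled.

```python
REMOTE_PREFIXES = ("http://", "https://")  # remote ADD sources need no context

def _split_flags(tokens):
    """Separate the leading --flag[=value] tokens from the remaining arguments."""
    i = 0
    while i < len(tokens) and tokens[i].startswith("--"):
        i += 1
    return tokens[:i], tokens[i:]

def _mount_reads_context(spec):
    """True for a bind mount with no from=; BuildKit's default mount type is bind."""
    opts = dict(kv.partition("=")[::2] for kv in spec.split(","))
    return opts.get("type", "bind") == "bind" and "from" not in opts

def instruction_reads_context(line):
    """Decide whether one Dockerfile instruction reads files from the build context."""
    tokens = line.split()
    if not tokens or tokens[0].startswith("#"):
        return False  # blank line or comment
    op = tokens[0].upper()
    flags, args = _split_flags(tokens[1:])
    if op == "RUN":
        # cache/tmpfs/secret/ssh mounts and from= bind mounts never touch the context
        return any(f.startswith("--mount=") and _mount_reads_context(f[len("--mount="):])
                   for f in flags)
    if op in ("COPY", "ADD"):
        if op == "COPY" and any(f.startswith("--from=") for f in flags):
            return False  # source is another stage or image, not the host
        sources = args[:-1]  # the last argument is the destination
        return any(not s.startswith(REMOTE_PREFIXES) for s in sources)
    return False

def requires_context(dockerfile):
    """True if any instruction needs host files, i.e. context_dir must be explicit."""
    joined = dockerfile.replace("\\\n", " ")  # fold backslash line continuations
    return any(instruction_reads_context(line) for line in joined.splitlines())

def resolve_context(dockerfile, context_dir=None):
    """Return the directory to upload, or None for an empty context; never fall back to cwd."""
    if context_dir is not None:
        return context_dir
    if requires_context(dockerfile):
        raise ValueError("image reads host files; pass context_dir explicitly")
    return None
```
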

cooleel and others added 4 commits June 26, 2026 17:50
Image objects render their Dockerfile from text and don't copy host
files by default, so there's no build context to upload. Previously an
Image build with no explicit context_dir defaulted to cwd, archiving and
uploading the entire working directory (which has no Dockerfile).

Add _image_context_dir() to resolve the build context: use the explicit
context_dir when given, otherwise a throwaway empty temp dir cleaned up
via an ExitStack. Apply this in build_sandbox_image and
build_sandbox_application_image, and update docstrings to note that
context_dir should be passed explicitly only when the image copies local
files.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
When an Image build omits context_dir, assemble a minimal build context
from only the files the COPY/ADD ops reference (resolved relative to cwd)
instead of uploading the whole working directory.

Fix two regressions in the staging path:
- Honor .dockerignore: carry cwd's root .dockerignore into the staged
  context so the Rust archiver applies the same exclusions it would for a
  full-cwd context (staged files keep their cwd-relative paths). Python and
  TypeScript SDKs.
- Preserve symlink source paths (Python): compute the staged path from the
  lexically-normalized source rather than the symlink-resolved target, so a
  COPY whose source is a symlink stages at the path the Dockerfile names.
  TypeScript now dereferences staged sources for parity.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The comment claimed contextDir is required when an Image has COPY/ADD ops
and that omitting it throws. The implementation instead assembles a minimal
build context from the referenced sources (matching the Python SDK), so the
doc now describes that behavior.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
cooleel and others added 2 commits June 26, 2026 20:53
Image builds now mirror `docker build <context>`: when context_dir is
given it is uploaded as-is and COPY/ADD sources resolve relative to it.
When omitted, an image with no host-file COPY/ADD ops gets an empty
context (just the generated Dockerfile) so cwd is not archived; an image
that does read host files via COPY/ADD fails fast with a clear message
telling the caller to pass context_dir.

Removes the auto-staging layer (glob/symlink/.dockerignore handling) that
diverged from Docker semantics. Scoped to the SDK Image build path only;
the application-image path always receives context_dir from deploy and is
reverted to its original cwd-based resolution. Applied to both the Python
and TypeScript SDKs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
A BuildKit `RUN --mount=type=bind` (the default mount type) reads from
the build context, but `_image_requires_context` only inspected COPY/ADD
ops. An image whose only host-file access was such a RUN mount fell
through to the empty-context path and silently mounted nothing, breaking
builds that worked when the cwd was always uploaded.

Detect context-reading RUN bind mounts (type=bind, no `from=`) alongside
COPY/ADD so those builds fail fast asking for `context_dir`. Mirror the
fix in the TypeScript SDK and generalize the error message.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
cooleel changed the title from "Stage a minimal Image build context instead of uploading cwd" to "Match docker build-context UX for sandbox Image builds" Jun 26, 2026
cooleel marked this pull request as ready for review June 26, 2026 13:33
cooleel merged commit d08fb86 into main Jun 27, 2026
36 of 38 checks passed
cooleel deleted the sw/fix_image_build_sdk branch June 27, 2026 08:23