Fix: respect required: false for env_file in publish command

maks2134 · maks2134 · commit ca55904d55c9 · 2026-03-20T23:42:04.000+03:00
Fixes #13648 The docker compose publish command was ignoring the required: false setting on env_file entries, causing failures when optional env files were missing. This change modifies three functions: 1. checkForSensitiveData - skips scanning env files with required: false 2. processFile - only processes required env files into layers 3. checkEnvironmentVariables - only considers required env files for environment variable warnings Added tests to verify the fix works correctly. Signed-off-by: Maks Kozlov <maks@example.com> Signed-off-by: maks2134 <maks210306@yandex.by>
diff --git a/pkg/compose/publish.go b/pkg/compose/publish.go
@@ -251,6 +251,10 @@ func processFile(ctx context.Context, file string, project *types.Project, extFi
 	}
 	for name, service := range base.Services {
 		for i, envFile := range service.EnvFiles {
+			// Only process env files that are required
+			if !envFile.Required {
+				continue
+			}
 			hash := fmt.Sprintf("%x.env", sha256.Sum256([]byte(envFile.Path)))
 			envFiles[envFile.Path] = hash
 			f, err = transform.ReplaceEnvFile(f, name, i, hash)
@@ -351,8 +355,12 @@ func (s *composeService) checkEnvironmentVariables(project *types.Project, optio
 	errorList := map[string][]string{}
 
 	for _, service := range project.Services {
-		if len(service.EnvFiles) > 0 {
-			errorList[service.Name] = append(errorList[service.Name], fmt.Sprintf("service %q has env_file declared.", service.Name))
+		for _, envFile := range service.EnvFiles {
+			// Only consider required env files
+			if envFile.Required {
+				errorList[service.Name] = append(errorList[service.Name], fmt.Sprintf("service %q has env_file declared.", service.Name))
+				break // Only need to add one error per service
+			}
 		}
 	}
 
@@ -438,6 +446,10 @@ func (s *composeService) checkForSensitiveData(project *types.Project) ([]secret
 	for _, service := range project.Services {
 		// Check env files
 		for _, envFile := range service.EnvFiles {
+			// Skip env files that are not required
+			if !envFile.Required {
+				continue
+			}
 			findings, err := scan.ScanFile(envFile.Path)
 			if err != nil {
 				return nil, fmt.Errorf("failed to scan env file %s: %w", envFile.Path, err)
diff --git a/pkg/compose/publish_test.go b/pkg/compose/publish_test.go
@@ -18,6 +18,7 @@ package compose
 
 import (
 	"slices"
+	"strings"
 	"testing"
 
 	"github.com/compose-spec/compose-go/v2/loader"
@@ -100,3 +101,69 @@ services:
 		return !slices.Contains([]string{".Data", ".Digest", ".Size"}, path.String())
 	}, cmp.Ignore()))
 }
+
+func Test_createLayers_withRequiredFalse(t *testing.T) {
+	project, err := loader.LoadWithContext(t.Context(), types.ConfigDetails{
+		WorkingDir:  "testdata/publish/",
+		Environment: types.Mapping{},
+		ConfigFiles: []types.ConfigFile{
+			{
+				Filename: "testdata/publish/compose-required-false.yaml",
+			},
+		},
+	})
+	assert.NilError(t, err)
+	project.ComposeFiles = []string{"testdata/publish/compose-required-false.yaml"}
+
+	service := &composeService{}
+	layers, err := service.createLayers(t.Context(), project, api.PublishOptions{
+		WithEnvironment: true,
+	})
+	assert.NilError(t, err)
+
+	assert.Equal(t, len(layers), 2)
+
+	assert.Equal(t, layers[0].Annotations["com.docker.compose.file"], "compose-required-false.yaml")
+
+	assert.Equal(t, layers[1].MediaType, "application/vnd.docker.compose.envfile")
+
+	envFileHash := layers[1].Annotations["com.docker.compose.envfile"]
+	assert.Assert(t, len(envFileHash) > 0)
+	assert.Assert(t, envFileHash != "missing.env")
+}
+
+func Test_checkEnvironmentVariables_withRequiredFalse(t *testing.T) {
+	project := &types.Project{
+		Services: types.Services{
+			"test": {
+				Name: "test",
+				EnvFiles: []types.EnvFile{
+					{
+						Path:     "missing.env",
+						Required: false,
+					},
+					{
+						Path:     "existing.env", 
+						Required: true,
+					},
+				},
+			},
+			"test2": {
+				Name: "test2",
+				EnvFiles: []types.EnvFile{
+					{
+						Path:     "optional.env",
+						Required: false,
+					},
+				},
+			},
+		},
+	}
+
+	service := &composeService{}
+
+	err := service.checkEnvironmentVariables(project, api.PublishOptions{})
+	assert.Assert(t, err != nil)
+	assert.Assert(t, strings.Contains(err.Error(), `service "test" has env_file declared.`))
+	assert.Assert(t, !strings.Contains(err.Error(), `service "test2"`))
+}
diff --git a/pkg/compose/testdata/publish/compose-required-false.yaml b/pkg/compose/testdata/publish/compose-required-false.yaml
@@ -0,0 +1,9 @@
+name: test-required-false
+services:
+  test:
+    image: test
+    env_file:
+      - path: missing.env
+        required: false
+      - path: existing.env
+        required: true
diff --git a/pkg/compose/testdata/publish/existing.env b/pkg/compose/testdata/publish/existing.env
@@ -0,0 +1 @@
+EXISTING_VAR=value
