Fix ignored file in devspace build

[kensimon]

A recent change added
include_str!("../../../pxe/ipxe/local/embed.ipxe"); to the ipxe-renderer crate, but that path is currently ignored by the dockerfiles in dev/deployment/devspace. Fix that by un-ignoring that path.

Related issues

Type of Change

• Add - New feature or capability
• Change - Changes in existing functionality
• Fix - Bug fixes
• Remove - Removed features or deprecated functionality
• Internal - Internal changes (refactoring, tests, docs, etc.)

Breaking Changes

• This PR contains breaking changes

Testing

• Unit tests added/updated
• Integration tests added/updated
• Manual testing performed
• No testing required (docs, internal refactor, etc.)

Additional Notes

[coderabbitai]

Summary by CodeRabbit

• Chores
  • Optimized Docker build configurations to exclude template and asset files from the build context across multiple services, improving build efficiency and reducing unnecessary artifacts in Docker images.

Walkthrough

Three Devspace Dockerfile-specific .dockerignore files are updated to replace or augment a broad pxe/** ignore pattern with explicit, hierarchical ignore entries for pxe/templates/**, pxe/ipxe/**, pxe/ipxe/local/**, and the specific file pxe/ipxe/local/embed.ipxe across the api, bmc-proxy, and machine-a-tron build contexts.

Changes

Dockerignore pxe/ Pattern Refinements

Layer / File(s)	Summary
Explicit pxe/ ignore patterns across all three dockerignore files dev/deployment/devspace/Dockerfile.api.dockerignore, dev/deployment/devspace/Dockerfile.bmc-proxy.dockerignore, dev/deployment/devspace/Dockerfile.machine-a-tron.dockerignore	Dockerfile.api.dockerignore replaces the single pxe/** entry with granular patterns for pxe/templates/**, pxe/, pxe/ipxe/**, pxe/ipxe/local/**, and pxe/ipxe/local/embed.ipxe. Dockerfile.bmc-proxy.dockerignore appends pxe/ipxe/local/embed.ipxe. Dockerfile.machine-a-tron.dockerignore adds pxe/, pxe/ipxe/, pxe/ipxe/local/, and pxe/ipxe/local/embed.ipxe.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly addresses the primary change: fixing ignored files in devspace build configuration files.
Description check	✅ Passed	The description clearly explains the issue, the recent change that caused it, and the fix applied across relevant dockerfiles.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@dev/deployment/devspace/Dockerfile.bmc-proxy.dockerignore`:
- Line 12: The Dockerfile.bmc-proxy.dockerignore file is missing hierarchical
un-ignore patterns needed for Docker to properly access the nested embed.ipxe
file. Add the parent directory un-ignore patterns before the final file
un-ignore: insert !pxe/ on a new line before !pxe/ipxe/local/embed.ipxe, then
add !pxe/ipxe/ on the next line, then add !pxe/ipxe/local/ on the next line, and
keep !pxe/ipxe/local/embed.ipxe as the final un-ignore pattern. This mirrors the
hierarchical structure already present in Dockerfile.api.dockerignore and
Dockerfile.machine-a-tron.dockerignore and ensures Docker's .dockerignore
semantics properly un-ignore parent directories before attempting to access the
nested file.

In `@dev/deployment/devspace/Dockerfile.machine-a-tron.dockerignore`:
- Around line 15-18: The three devspace dockerignore files
(Dockerfile.api.dockerignore, Dockerfile.machine-a-tron.dockerignore, and
Dockerfile.bmc-proxy.dockerignore) use inconsistent patterns for including PXE
assets. Either standardize all three files to use the same pattern (such as the
hierarchical approach with !pxe/, !pxe/ipxe/, !pxe/ipxe/local/, and
!pxe/ipxe/local/embed.ipxe), or add clear code comments in each file explaining
why its specific pattern differs from the others (for example, if bmc-proxy
genuinely requires fewer assets). Ensure the choice aligns with the actual asset
requirements of each build context to eliminate maintenance friction.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 96eedde1-c6bc-4387-b9e2-3a7ba79c2389

📥 Commits

Reviewing files that changed from the base of the PR and between 7eb1969 and bc762cb.

📒 Files selected for processing (3)

• dev/deployment/devspace/Dockerfile.api.dockerignore
• dev/deployment/devspace/Dockerfile.bmc-proxy.dockerignore
• dev/deployment/devspace/Dockerfile.machine-a-tron.dockerignore

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify pxe/ipxe/local/embed.ipxe is in the bmc-proxy build context
# Expected: The file should be accessible in the Docker build context without errors

# Check the .dockerignore rules and confirm the file is not excluded
grep -E "^pxe|embed\.ipxe" dev/deployment/devspace/.dockerignore dev/deployment/devspace/Dockerfile.bmc-proxy.dockerignore

Repository: NVIDIA/infra-controller

Length of output: 241

---

🏁 Script executed:

# Check if the pxe/ipxe/local/embed.ipxe file actually exists
fd -type f "embed.ipxe"

Repository: NVIDIA/infra-controller

Length of output: 238

---

🏁 Script executed:

# Look for .dockerignore files in the repository
fd -type f "\.dockerignore$"

Repository: NVIDIA/infra-controller

Length of output: 238

---

🏁 Script executed:

# Examine the Dockerfile.api.dockerignore and Dockerfile.machine-a-tron.dockerignore 
# to see the hierarchical un-ignores pattern mentioned in the review
fd -type f "Dockerfile\.\w+\.dockerignore$" -exec cat {} +

Repository: NVIDIA/infra-controller

Length of output: 238

---

🏁 Script executed:

# Check if there's a root-level .dockerignore that might be blocking pxe/
cat .dockerignore 2>/dev/null || echo "No root .dockerignore found"

Repository: NVIDIA/infra-controller

Length of output: 427

---

🏁 Script executed:

# Find the embed.ipxe file
find . -name "embed.ipxe" -type f

Repository: NVIDIA/infra-controller

Length of output: 95

---

🏁 Script executed:

# Find all .dockerignore files
find dev/deployment/devspace -name "*.dockerignore" -type f

Repository: NVIDIA/infra-controller

Length of output: 240

---

🏁 Script executed:

# Examine the referenced .dockerignore files
cat dev/deployment/devspace/Dockerfile.api.dockerignore
cat dev/deployment/devspace/Dockerfile.machine-a-tron.dockerignore

Repository: NVIDIA/infra-controller

Length of output: 543

---

🏁 Script executed:

# Show the full content of Dockerfile.bmc-proxy.dockerignore
cat dev/deployment/devspace/Dockerfile.bmc-proxy.dockerignore

Repository: NVIDIA/infra-controller

Length of output: 213

---

Add hierarchical un-ignores for the nested pxe/ipxe/local/embed.ipxe file in Dockerfile.bmc-proxy.dockerignore.

The .dockerignore file ignores all files (**) at the top level, then attempts to un-ignore !pxe/ipxe/local/embed.ipxe. However, Docker's .dockerignore semantics require parent directories to be explicitly un-ignored before a nested file can be accessed. The corresponding Dockerfile.api.dockerignore and Dockerfile.machine-a-tron.dockerignore files correctly include the hierarchical un-ignores (!pxe/, !pxe/ipxe/, !pxe/ipxe/local/) that are absent from this file.

Update dev/deployment/devspace/Dockerfile.bmc-proxy.dockerignore to include:

!pxe/
!pxe/ipxe/
!pxe/ipxe/local/
!pxe/ipxe/local/embed.ipxe

This ensures consistency across all three Dockerfile-specific .dockerignore files and guarantees the file is properly included in the Docker build context.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@dev/deployment/devspace/Dockerfile.bmc-proxy.dockerignore` at line 12, The
Dockerfile.bmc-proxy.dockerignore file is missing hierarchical un-ignore
patterns needed for Docker to properly access the nested embed.ipxe file. Add
the parent directory un-ignore patterns before the final file un-ignore: insert
!pxe/ on a new line before !pxe/ipxe/local/embed.ipxe, then add !pxe/ipxe/ on
the next line, then add !pxe/ipxe/local/ on the next line, and keep
!pxe/ipxe/local/embed.ipxe as the final un-ignore pattern. This mirrors the
hierarchical structure already present in Dockerfile.api.dockerignore and
Dockerfile.machine-a-tron.dockerignore and ensures Docker's .dockerignore
semantics properly un-ignore parent directories before attempting to access the
nested file.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Cross-check pxe asset patterns across all three devspace dockerignore files
# Expected: Consistent un-ignore patterns or documented rationale for differences

echo "=== Dockerfile.api.dockerignore ==="
grep "^!" dev/deployment/devspace/Dockerfile.api.dockerignore | grep "pxe"

echo ""
echo "=== Dockerfile.bmc-proxy.dockerignore ==="
grep "^!" dev/deployment/devspace/Dockerfile.bmc-proxy.dockerignore | grep "pxe"

echo ""
echo "=== Dockerfile.machine-a-tron.dockerignore ==="
grep "^!" dev/deployment/devspace/Dockerfile.machine-a-tron.dockerignore | grep "pxe"

Repository: NVIDIA/infra-controller

Length of output: 397

---

Align dockerignore patterns across all three devspace build contexts.

The three devspace Dockerfile build contexts employ substantively different patterns for including PXE assets:

• Dockerfile.api.dockerignore includes a broad set of patterns: !pxe, !pxe/templates (with variants), and the hierarchical !pxe/ipxe/local/ structure culminating in !pxe/ipxe/local/embed.ipxe
• Dockerfile.machine-a-tron.dockerignore uses a hierarchical approach: !pxe/, !pxe/ipxe/, !pxe/ipxe/local/, then the specific file
• Dockerfile.bmc-proxy.dockerignore includes only the minimal pattern: !pxe/ipxe/local/embed.ipxe

This fragmentation across build contexts creates maintenance friction and makes it difficult to reason about whether each context correctly excludes/includes its required assets. Adopt a consistent pattern across all three files, or document in code comments why each diverges (e.g., if bmc-proxy has different asset requirements than the others).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@dev/deployment/devspace/Dockerfile.machine-a-tron.dockerignore` around lines
15 - 18, The three devspace dockerignore files (Dockerfile.api.dockerignore,
Dockerfile.machine-a-tron.dockerignore, and Dockerfile.bmc-proxy.dockerignore)
use inconsistent patterns for including PXE assets. Either standardize all three
files to use the same pattern (such as the hierarchical approach with !pxe/,
!pxe/ipxe/, !pxe/ipxe/local/, and !pxe/ipxe/local/embed.ipxe), or add clear code
comments in each file explaining why its specific pattern differs from the
others (for example, if bmc-proxy genuinely requires fewer assets). Ensure the
choice aligns with the actual asset requirements of each build context to
eliminate maintenance friction.

[github-actions]

🔍 Container Scan Summary

Service	Total	Critical	High	Medium	Low	Other
boot-artifacts-aarch64	3	0	0	3	0	0
boot-artifacts-x86_64	3	0	0	3	0	0
forge-admin-cli-x86_64	244	4	22	103	6	109
machine-validation-runner	671	23	178	262	37	171
machine_validation	671	23	178	262	37	171
nvmetal-carbide	671	23	178	262	37	171
TOTAL	2263	73	556	895	117	622

Per-CVE detail lives in the per-service grype-* artifacts (JSON + SARIF). Severity counts only — no CVE IDs published here.