From bab6dd25064edb1c92e83ad04dcd9531b3846ea4 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Thu, 7 May 2026 23:26:46 +0000
Subject: [PATCH] [ci] Dockerfile: download Vault CLI at build time instead of COPY

The 495MB vault binary is in .gitignore so it doesn't ship to Forgejo, breaking 'COPY vault /usr/local/bin/vault'. Switch to the standard download-zip-then-unzip pattern used for terraform and sops in this same Dockerfile.
---
 Dockerfile | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index f6f2741..ec69149 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,6 +5,7 @@ ARG TERRAGRUNT_VERSION=0.99.4
 ARG SOPS_VERSION=3.9.4
 ARG KUBECTL_VERSION=1.34.0
 ARG BD_VERSION=1.0.2
+ARG VAULT_VERSION=1.20.4

 # System packages: infra tools + Python + Node.js (for Claude CLI).
 # gcompat/libc6-compat provide the glibc shim the bd binary links against.
@@ -36,8 +37,14 @@ RUN curl -fsSL "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/amd64/ku
 -o /usr/local/bin/kubectl \
 && chmod +x /usr/local/bin/kubectl

-# Vault CLI
-COPY vault /usr/local/bin/vault
+# Vault CLI — download from HashiCorp releases. The binary used to be
+# committed to the repo (495MB) but that doesn't survive the Forgejo
+# extraction (.gitignore excludes it). Pulling at build time is cleaner.
+RUN curl -fsSL "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" \
+ -o /tmp/vault.zip \
+ && unzip /tmp/vault.zip -d /usr/local/bin/ \
+ && rm /tmp/vault.zip \
+ && chmod +x /usr/local/bin/vault

 # Claude Code CLI
 RUN npm install -g @anthropic-ai/claude-code
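Review bot: The new `RUN` in the second hunk unpacks `/tmp/vault.zip` into `/usr/local/bin/` without any integrity check, so the image trusts whatever the download returns at build time, whereas the `COPY` it replaces shipped fixed content. Pin the expected digest next to `ARG VAULT_VERSION`, for example `ARG VAULT_SHA256=<sha256 from HashiCorp's vault_${VAULT_VERSION}_SHA256SUMS>`, and add `&& echo "${VAULT_SHA256}  /tmp/vault.zip" | sha256sum -c - \` before the `unzip` line; verifying the signed SHA256SUMS file against HashiCorp's GPG key is stronger still. Extracting only the binary with `unzip /tmp/vault.zip vault -d /usr/local/bin/` would also keep any other archive members out of `/usr/local/bin`. The commit message says terraform and sops follow the same pattern, so they presumably share this gap, though those lines are outside the diff.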