Replaces BuildKit's `--mount=type=secret` with `--mount=type=bind,from=…`
backed by a named build context. Secrets are capped at 500 KiB and are
meant for keys, not blobs — the Melexis tarball routinely exceeds that.
A named context overriding a `FROM scratch AS melexis-bundle` stub stage
gives "optional, file-of-any-size, never-in-image" semantics without
polluting the default build context.

- docker/Dockerfile: add the scratch stub stage, change the install step
to `--mount=type=bind,from=melexis-bundle,target=/melexis-bundle`,
update the usage header to show the new `--build-context` invocation,
fail loudly with a clear message when INCLUDE_MELEXIS=1 but no bundle
is bound.
- docker/README.md: document the new build flow, the rationale for the
bind-mount vs secret tradeoff, and bench instructions.
- .dockerignore: ignore the new `melexis-bundle/` directory at the repo
root (named build contexts respect a .dockerignore at THEIR own root,
not the default one — so this entry only prevents accidental inclusion
via the default context).
- requirements.txt: pin the Melexis stack's transitive PyPI deps
(pyparsing, natsort, intelhex, pygdbmi, crcmod, packaging, zeroconf)
unconditionally so mock and hw images share a single venv layout. The
size delta in the mock image is a few MB.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
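A minimal Dockerfile sketch of the stub-stage plus named-build-context pattern described in this commit, added here as an illustration and not the project's own docker/Dockerfile; the base image, tarball glob, install command and the exact error text are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Illustrative Dockerfile (not the project's). Build with:
#   docker build --build-arg INCLUDE_MELEXIS=1 \
#       --build-context melexis-bundle=./melexis-bundle .
# Without --build-context the stub stage below stays empty.
ARG INCLUDE_MELEXIS=0

# Stub stage: an empty filesystem. A named context passed as
# --build-context melexis-bundle=<dir> overrides this stage wholesale,
# so the directory never has to live inside the default build context.
FROM scratch AS melexis-bundle

FROM python:3.12-slim AS app
ARG INCLUDE_MELEXIS
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# The bundle is bind-mounted for this single RUN step only. The tarball
# itself is never written to an image layer; only what pip installs from
# it ends up in the image. There is no size cap, unlike type=secret.
RUN --mount=type=bind,from=melexis-bundle,target=/melexis-bundle \
    set -eu; \
    if [ "$INCLUDE_MELEXIS" = "1" ]; then \
        tarball="$(find /melexis-bundle -maxdepth 1 -name '*.tar.gz' | head -n 1)"; \
        if [ -z "$tarball" ]; then \
            echo "INCLUDE_MELEXIS=1 but no bundle is bound; rebuild with" >&2; \
            echo "  --build-context melexis-bundle=./melexis-bundle" >&2; \
            exit 1; \
        fi; \
        pip install --no-cache-dir "$tarball"; \
    fi
```

Because the mount is scoped to one RUN instruction, `docker history` and image scanners see only the installed packages, never the bundle file; verify with `docker run --rm <image> ls /melexis-bundle`, which should fail or be empty.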