feat(ecr-assets): add support for docker build context

[cogwirrel]

Issue # (if applicable)

Fixes #31598

Reason for this change

Add support for docker's --build-context flag in docker builds. This is useful for a few reasons outlined in the linked issue (and other similar issues), such as:

• Sharing files from directories outside the Docker build directory
• Using specific image versions as build contexts (docker-image://alpine:latest)
• Referencing remote URLs as build contexts

Description of changes

Adds support for Docker's --build-context flag when building Docker image assets. This allows users to specify additional named build contexts that can be referenced in Dockerfiles via COPY --from=<name>.

• Added buildContexts (optional Record<string, string>) to DockerBuildOptions, DockerImageAssetOptions, DockerImageAssetInvalidationOptions, and DockerImageAssetSource
• Updated DockerImage.fromBuild() to pass --build-context key=value flags to the docker build command
• Wired buildContexts through the full asset pipeline: DockerImageAsset → synthesizer → asset manifest → cloud assembly schema
• Added token validation for buildContexts keys and values (same as buildArgs)
• Added buildContexts to asset hash invalidation (controllable via invalidation.buildContexts)
• Added ASSET_RESOURCE_METADATA_DOCKER_BUILD_CONTEXTS_KEY metadata constant
• Updated the aws-ecr-assets README with documentation and usage example

In terms of design decisions, this follows the same pattern as buildArgs.

The necessary changes to the CLI have been released: aws/aws-cdk-cli#1128

Describe any new or updated permissions being added

N/A

Description of how you validated changes

Integration test

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results	48 ran	48 passed

Test	Result
No test annotations available

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ✅	Skipped	Failed
Security Guardian Results with resolved templates	48 ran	48 passed

Test	Result
No test annotations available

• View Security Guardian Results with resolved templates

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

[cogwirrel]

aws/aws-cdk-cli#1128 has been merged and released:

• @aws-cdk/[email protected]
• @aws-cdk/[email protected]
• @aws-cdk/[email protected]

Updated this PR to depend on the latest versions.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[aws-cdk-automation]

This PR cannot be merged because it has conflicts. Please resolve them. The PR will be considered stale and closed if it remains in an unmergeable state.

[mrgrain]

@cogwirrel Happy with this once the build passes. Thanks for the contribution! Might be easier to split the package updates out into a separate PR. Feel free to ping me internally to move this forward.

[mergify]

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

[mergify]

Merge Queue Status

• ✅ Entered queue — 2026-03-25 09:27 UTC · Rule: default-squash
• ✅ Checks skipped · PR is already up-to-date
• ✅ Merged — 2026-03-25 09:27 UTC · at 6afbb85e30bbf18831cf4261bbd13a1c79f0df01

This pull request spent 6 seconds in the queue, with no time running CI.

Required conditions to merge

• #approved-reviews-by >= 1 [🛡 GitHub branch protection]
  • feat(ecr-assets): add support for docker build context #36930
• #changes-requested-reviews-by = 0 [🛡 GitHub branch protection]
  • feat(ecr-assets): add support for docker build context #36930
• any of [🛡 GitHub branch protection]:
  • check-success = validate-pr
  • check-neutral = validate-pr
  • check-skipped = validate-pr
• any of [🛡 GitHub branch protection]:
  • check-success = build
  • check-neutral = build
  • check-skipped = build

[github-actions]

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.