From fa03b5944ec6c781d93e948faff5543312b944ff Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Wed, 25 Mar 2026 10:54:57 -0400
Subject: [PATCH] Add our tooling to Dockerfile, restore build workflow
- Expand base apt: jq, procps, python3, python3-pip, gh
- Install kubectl, uv/uvx, kubeseal binaries
- Add @google/gemini-cli to production agent installs
- Use pnpm-lock.yaml* wildcard + --no-frozen-lockfile (lockfile policy)
- Restore build.yml targeting runners-cpfarhood
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/build.yml | 53 +++++++++++++++++++++++++++++++++++++
 Dockerfile | 20 ++++++++++----
 2 files changed, 68 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/build.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 00000000..ee8d41eb
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,53 @@
+name: Build & Push
+
+on:
+ push:
+ branches: [master]
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ build:
+ runs-on: runners-cpfarhood
+ timeout-minutes: 30
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Login to Docker Hub
+ uses: docker/login-action@v3
+ with:
+ username: ${{ secrets.DOCKERHUB_USERNAME }}
+ password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Login to GHCR
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ghcr.io/cpfarhood/paperclip
+ tags: |
+ type=raw,value=latest
+ type=sha,prefix=
+ type=semver,pattern={{version}}
+
+ - name: Build and push
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
+ no-cache: true
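Review bot: Every `uses:` step in the new build job references a mutable tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/build-push-action@v6`, and the rest), while the job runs on the self-hosted `runners-cpfarhood` runner with `packages: write` and the Docker Hub token in scope, so a retagged action would execute with push rights to the registry. Pin each action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`. The Docker Hub login step also looks unnecessary for pushing, since `images:` lists only `ghcr.io/cpfarhood/paperclip`; if it exists only to avoid pull rate limits, a comment saying so would help, otherwise drop it so the token is not exposed to the job. Separately, `type=semver,pattern={{version}}` presumably never produces a tag, because the workflow triggers only on pushes to `master` and on `workflow_dispatch`, not on tag pushes.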
diff --git a/Dockerfile b/Dockerfile
index 36d5acab..4f61a890 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM node:lts-trixie-slim AS base
 ARG USER_UID=1000
 ARG USER_GID=1000
 RUN apt-get update \
- && apt-get install -y --no-install-recommends ca-certificates gosu curl git wget ripgrep python3 \
+ && apt-get install -y --no-install-recommends ca-certificates curl git jq procps python3 python3-pip \
 && mkdir -p -m 755 /etc/apt/keyrings \
 && wget -nv -O/etc/apt/keyrings/githubcli-archive-keyring.gpg https://cli.github.com/packages/githubcli-archive-keyring.gpg \
 && echo "20e0125d6f6e077a9ad46f03371bc26d90b04939fb95170f5a1905099cc6bcc0 /etc/apt/keyrings/githubcli-archive-keyring.gpg" | sha256sum -c - \
@@ -12,16 +12,26 @@ RUN apt-get update \
 && apt-get update \
 && apt-get install -y --no-install-recommends gh \
 && rm -rf /var/lib/apt/lists/* \
- && corepack enable
+ && curl -fsSL "https://dl.k8s.io/release/$(curl -fsSL https://dl.k8s.io/release/stable.txt)/bin/linux/$(dpkg --print-architecture)/kubectl" \
+ -o /usr/local/bin/kubectl \
+ && chmod +x /usr/local/bin/kubectl \
+ && curl -LsSf https://astral.sh/uv/install.sh | sh \
+ && mv /root/.local/bin/uv /usr/local/bin/uv \
+ && mv /root/.local/bin/uvx /usr/local/bin/uvx \
+ && curl -fsSL "https://github.com/bitnami-labs/sealed-secrets/releases/latest/download/kubeseal-$(uname -s | tr '[:upper:]' '[:lower:]')-$(dpkg --print-architecture)" \
+ -o /usr/local/bin/kubeseal \
+ && chmod +x /usr/local/bin/kubeseal
 # Modify the existing node user/group to have the specified UID/GID to match host user
 RUN usermod -u $USER_UID --non-unique node \
 && groupmod -g $USER_GID --non-unique node \
 && usermod -g $USER_GID -d /paperclip node
+RUN corepack enable
+
 FROM base AS deps
 WORKDIR /app
-COPY package.json pnpm-workspace.yaml pnpm-lock.yaml .npmrc ./
+COPY package.json pnpm-workspace.yaml pnpm-lock.yaml* .npmrc ./
 COPY cli/package.json cli/
 COPY server/package.json server/
 COPY ui/package.json ui/
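Review bot: The rewritten package list in the first Dockerfile hunk drops `wget`, but the unchanged line two below still runs `wget -nv -O/etc/apt/keyrings/githubcli-archive-keyring.gpg …`, so unless the base image already ships wget this RUN step fails before the keyring checksum is ever verified. Either keep `wget` in the install list or fetch the keyring with the curl that is still installed, `&& curl -fsSL -o /etc/apt/keyrings/githubcli-archive-keyring.gpg https://cli.github.com/packages/githubcli-archive-keyring.gpg \`. The same line also removes `gosu` and `ripgrep`; if the entrypoint (not visible here) drops privileges through gosu the container would fail at start, so that removal deserves a check. The RUN instruction continues past the end of this hunk.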
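Review bot: The three downloads added to the base RUN chain in the second Dockerfile hunk install executables into /usr/local/bin with no version pin and no integrity check: kubectl is resolved through `stable.txt`, uv through `curl … | sh`, and kubeseal through `releases/latest`, whereas the gh keyring earlier in the same RUN is verified with `sha256sum -c`. Each build can therefore bake in different, unverified binaries, and because the default shell has no pipefail a failed fetch of install.sh is not reported by the pipe itself (only the following `mv` would catch it, incidentally). Pin each tool to an explicit version and verify a recorded SHA-256 before `chmod`/`mv`, along the lines below; the digest differs per architecture, so it needs one value per `dpkg --print-architecture` result. It is also worth confirming that a bare `kubeseal-linux-<arch>` asset exists on current sealed-secrets releases, since `curl -f` fails the build if it does not.

```dockerfile
# Placeholders: fill in the version and the digest published for that exact binary.
ARG KUBECTL_VERSION="<pinned-kubectl-version>"
ARG KUBECTL_SHA256="<sha256-of-that-kubectl-binary>"
# … unchanged: RUN apt-get update … gh install, rm -rf /var/lib/apt/lists/* …
    && curl -fsSL "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/$(dpkg --print-architecture)/kubectl" \
       -o /usr/local/bin/kubectl \
    && echo "${KUBECTL_SHA256}  /usr/local/bin/kubectl" | sha256sum -c - \
    && chmod +x /usr/local/bin/kubectl \
# … uv and kubeseal: same shape — versioned release URL, sha256sum -c, then install …
```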
@@ -39,7 +49,7 @@ COPY packages/adapters/pi-local/package.json packages/adapters/pi-local/
 COPY packages/plugins/sdk/package.json packages/plugins/sdk/
 COPY patches/ patches/
-RUN pnpm install --frozen-lockfile
+RUN pnpm install --no-frozen-lockfile
 FROM base AS build
 WORKDIR /app
@@ -55,7 +65,7 @@ ARG USER_UID=1000
 ARG USER_GID=1000
 WORKDIR /app
 COPY --chown=node:node --from=build /app /app
-RUN npm install --global --omit=dev @anthropic-ai/claude-code@latest @openai/codex@latest opencode-ai \
+RUN npm install --global --omit=dev @anthropic-ai/claude-code@latest @openai/codex@latest opencode-ai @google/gemini-cli \
 && mkdir -p /paperclip \
 && chown node:node /paperclip
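Review bot: Switching the deps stage to `pnpm install --no-frozen-lockfile` lets the image build re-resolve dependencies instead of installing exactly what pnpm-lock.yaml records, and together with the `pnpm-lock.yaml*` glob in the previous hunk the build now succeeds with no lockfile at all, so the published image can contain package versions nobody reviewed. If the lockfile policy really requires this, state the reason in a comment above the line, e.g. `# <why the lockfile is not enforced for image builds>`; otherwise keep `RUN pnpm install --frozen-lockfile` for image builds. The same floating resolution applies in the last hunk, where `@google/gemini-cli` is added to the global `npm install` with no version; an explicit `@google/gemini-cli@<pinned-version>` would keep the production stage reproducible.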