Publish dev-base container image from aos (Dockerfile + CI publish) #221

Closed
opened 2026-06-16 01:58:46 +00:00 by coilysiren · 1 comment
Owner

Part of epic #220

Publish the dev-base container image from aos

aos owns the dev environment as a published artifact, the analog of the ward/coily brew binaries. ward pulls it by tag and never touches the Dockerfile.

Scope

  • Dockerfile in aos defining the canonical agent dev environment: python + uv, pre-commit, aws cli, the ward + coily binaries, claude, and whatever else the inner loop needs. One image, all repos, so config cannot drift.
  • CI build + publish of dev-base:<tag> to a registry on push to main (tag scheme TBD - content hash or release version, decide here).
  • Pin the toolchain versions in the image so a pulled tag is reproducible.

Out of scope

  • Mount/compose logic (ward, child of #220).
  • Eligibility manifest (sibling aos ticket).
  • Running services in containers (later effort).

Notes

  • This is the "homebrew installs the binary and stops" pattern at the image layer: build + publish here, consume by tag in ward.
  • ward keeps a --build escape hatch that points at the aos checkout when present, for iterating on this Dockerfile without a publish round-trip.
Part of epic https://forgejo.coilysiren.me/coilyco-flight-deck/agentic-os/issues/220 ## Publish the `dev-base` container image from aos aos owns the dev environment as a published artifact, the analog of the ward/coily brew binaries. ward pulls it by tag and never touches the Dockerfile. ### Scope - **Dockerfile in aos** defining the canonical agent dev environment: python + uv, pre-commit, aws cli, the ward + coily binaries, claude, and whatever else the inner loop needs. One image, all repos, so config cannot drift. - **CI build + publish** of `dev-base:<tag>` to a registry on push to main (tag scheme TBD - content hash or release version, decide here). - **Pin the toolchain versions** in the image so a pulled tag is reproducible. ### Out of scope - Mount/compose logic (ward, child of #220). - Eligibility manifest (sibling aos ticket). - Running services in containers (later effort). ### Notes - This is the "homebrew installs the binary and stops" pattern at the image layer: build + publish here, consume by tag in ward. - ward keeps a `--build` escape hatch that points at the aos checkout when present, for iterating on this Dockerfile without a publish round-trip.
Author
Owner

Shipped and closed. The dev-base image builds and publishes from aos.

What landed

  • docker/dev-base/Dockerfile - ubuntu:24.04 base with the inner-loop toolchain pinned via ARG (uv, pre-commit, python3, node, go, aws cli v2, claude), all world-readable so the image runs as any uid. No repo source or user baked in.
  • publish-image job in .forgejo/workflows/release.yml - on each release tag, the DinD docker runner builds a multi-arch (linux/amd64 + linux/arm64) image with buildx + qemu and pushes it to the forgejo registry, with a registry layer cache so unchanged-Dockerfile republishes stay cheap.
  • Walkthrough in docs/dev-base-image.md, linked from FEATURES.

Decisions settled here

  • Registry: forgejo container registry (laptops pull it off-network, so not the LAN k3s registry).
  • Image name: forgejo.coilysiren.me/coilyco-flight-deck/agentic-os.
  • Tag scheme: release version + :latest, so the image tag tracks DEFAULT_REV.
  • Auth: a forgejo PAT with write:package in the REGISTRY_TOKEN Actions secret (the auto-issued Actions token can read but not write the registry, which is what the first run's 401 reqPackageAccess showed). A read-only read:package PAT for laptop pulls is stashed at /forgejo/registry-read-token.

Evidence (run #16, task 507, status success): the build executed both linux/amd64 and linux/arm64 stages, and the push step logged pushing manifest for forgejo.coilysiren.me/coilyco-flight-deck/agentic-os:v0.27.0 ... done and the same for :latest. bump-pin advanced DEFAULT_REV to v0.27.0 in the same run.

ward + coily in the image were deferred (need a cross-repo build token) and tracked in #223.

Shipped and closed. The dev-base image builds and publishes from aos. **What landed** - `docker/dev-base/Dockerfile` - `ubuntu:24.04` base with the inner-loop toolchain pinned via ARG (uv, pre-commit, python3, node, go, aws cli v2, claude), all world-readable so the image runs as any uid. No repo source or user baked in. - `publish-image` job in `.forgejo/workflows/release.yml` - on each release tag, the DinD docker runner builds a multi-arch (linux/amd64 + linux/arm64) image with buildx + qemu and pushes it to the forgejo registry, with a registry layer cache so unchanged-Dockerfile republishes stay cheap. - Walkthrough in `docs/dev-base-image.md`, linked from FEATURES. **Decisions settled here** - Registry: forgejo container registry (laptops pull it off-network, so not the LAN k3s registry). - Image name: `forgejo.coilysiren.me/coilyco-flight-deck/agentic-os`. - Tag scheme: release version + `:latest`, so the image tag tracks `DEFAULT_REV`. - Auth: a forgejo PAT with `write:package` in the `REGISTRY_TOKEN` Actions secret (the auto-issued Actions token can read but not write the registry, which is what the first run's `401 reqPackageAccess` showed). A read-only `read:package` PAT for laptop pulls is stashed at `/forgejo/registry-read-token`. **Evidence (run #16, task 507, status success)**: the build executed both `linux/amd64` and `linux/arm64` stages, and the push step logged `pushing manifest for forgejo.coilysiren.me/coilyco-flight-deck/agentic-os:v0.27.0 ... done` and the same for `:latest`. `bump-pin` advanced `DEFAULT_REV` to v0.27.0 in the same run. ward + coily in the image were deferred (need a cross-repo build token) and tracked in https://forgejo.coilysiren.me/coilyco-flight-deck/agentic-os/issues/223.
Sign in to join this conversation.
No milestone
No project
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
coilyco-flight-deck/agentic-os#221
No description provided.