name: Agent runtime images on: push: branches: [master] paths: - "docker/agent-runtime/**" - "tools/agent-shim/**" - ".github/workflows/agent-runtime-images.yml" workflow_dispatch: inputs: version: description: "Image version tag (e.g., v1.0.0 or dev-test)" required: true default: "dev" permissions: contents: read packages: write id-token: write # cosign keyless OIDC env: REGISTRY: ghcr.io/paperclipai VERSION: ${{ github.event.inputs.version || format('git-{0}', github.sha) }} jobs: build-and-sign: runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Log into GHCR uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Install cosign uses: sigstore/cosign-installer@v3 - name: Build + push all deployed harness images (linux/amd64) id: bake run: | # Scope: the five harnesses the kubernetes sandbox provider supports # out of the box (opencode, pi, codex, gemini, claude). acpx/hermes # have Dockerfiles in the bake group but are not published by default. # Platforms come from the bake HCL (linux/amd64). # Use --push rather than a "*.push" --set so the wildcard does not hit # the bake group (which has no such key -> "unknown key" error). docker buildx bake \ -f docker/agent-runtime/buildx-bake.hcl \ base opencode pi codex gemini claude \ --push \ --metadata-file=bake-metadata.json # Extract digests for cosign signing BASE_DIGEST=$(jq -r '."base"."containerimage.digest"' bake-metadata.json) OPENCODE_DIGEST=$(jq -r '."opencode"."containerimage.digest"' bake-metadata.json) PI_DIGEST=$(jq -r '."pi"."containerimage.digest"' bake-metadata.json) CODEX_DIGEST=$(jq -r '."codex"."containerimage.digest"' bake-metadata.json) GEMINI_DIGEST=$(jq -r '."gemini"."containerimage.digest"' bake-metadata.json) CLAUDE_DIGEST=$(jq -r '."claude"."containerimage.digest"' bake-metadata.json) echo "base_digest=$BASE_DIGEST" >> "$GITHUB_OUTPUT" echo "opencode_digest=$OPENCODE_DIGEST" >> "$GITHUB_OUTPUT" echo "pi_digest=$PI_DIGEST" >> "$GITHUB_OUTPUT" echo "codex_digest=$CODEX_DIGEST" >> "$GITHUB_OUTPUT" echo "gemini_digest=$GEMINI_DIGEST" >> "$GITHUB_OUTPUT" echo "claude_digest=$CLAUDE_DIGEST" >> "$GITHUB_OUTPUT" env: VERSION: ${{ env.VERSION }} REGISTRY: ${{ env.REGISTRY }} - name: Cosign sign base run: | cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-base@${{ steps.bake.outputs.base_digest }}" - name: Cosign sign opencode run: | cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-opencode@${{ steps.bake.outputs.opencode_digest }}" - name: Cosign sign pi run: | cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-pi@${{ steps.bake.outputs.pi_digest }}" - name: Cosign sign codex run: | cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-codex@${{ steps.bake.outputs.codex_digest }}" - name: Cosign sign gemini run: | cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-gemini@${{ steps.bake.outputs.gemini_digest }}" - name: Cosign sign claude run: | cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-claude@${{ steps.bake.outputs.claude_digest }}"