0ec4f248af
## Thinking Path > - Paperclip is the open source app people use to manage AI agents for work > - CI/CD pipelines use GitHub Actions to automate builds and deployments of services > - The `agent-runtime-images` workflow uses `docker/login-action` for authenticating with Docker registries before pushing images > - `docker/login-action` v3 is now superseded; v4 was released with Node 24 as the default runtime and updated internal dependencies (`@actions/core`, AWS SDK, `@docker/actions-toolkit`) > - This pull request bumps `docker/login-action` from v3 to v4 in the `agent-runtime-images.yml` workflow > - The benefit is staying on a supported runtime version and receiving upstream security and dependency updates ## Linked Issues or Issue Description Automated dependency bump — no upstream issue. The underlying need is routine dependency maintenance: - **Change type:** Dependency version bump (GitHub Actions) - **Scope:** Single workflow file, single-line version tag change - **Motivation:** v4 modernizes the action runtime to Node 24 and receives updated `@actions/core` (3.x) and AWS SDK dependencies with security patches ## What Changed - Bumps `docker/login-action` from `v3` → `v4` in `.github/workflows/agent-runtime-images.yml` - v4 switches to Node 24 as the default Actions runtime (requires runner v2.327.1+; GitHub-hosted runners satisfy this automatically) - No changes to the action's inputs, outputs, or behavior — the API is fully backward-compatible ## Verification - All CI checks pass (green) on this PR - No input/output interface changes; the login step behavior is identical - GitHub-hosted runners automatically meet the Node 24 runtime requirement (runner v2.327.1+) ## Risks Low risk. This is a one-line version bump on a widely-used, officially maintained Docker action. The v4 release has no breaking changes to inputs or outputs. The only new requirement (Node 24 / runner v2.327.1+) is satisfied by GitHub-hosted runners automatically. ## Model Used None — automated Dependabot bump. PR description updated by Claude Sonnet 4.6 (Anthropic, 200k context, tool use enabled) to satisfy the PR template requirement. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have searched GitHub for duplicate or related PRs and linked them above - [x] I have either (a) linked existing issues with `Fixes: #` / `Closes #` / `Refs #` OR (b) described the issue in-PR following the relevant issue template - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] All Paperclip CI gates are green - [ ] Greptile is 5/5 with no open P2s, recommendations, or follow-ups - [ ] I will address all Greptile and reviewer comments before requesting merge Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
99 lines
3.7 KiB
YAML
99 lines
3.7 KiB
YAML
name: Agent runtime images
|
|
|
|
on:
|
|
push:
|
|
branches: [master]
|
|
paths:
|
|
- "docker/agent-runtime/**"
|
|
- "tools/agent-shim/**"
|
|
- ".github/workflows/agent-runtime-images.yml"
|
|
workflow_dispatch:
|
|
inputs:
|
|
version:
|
|
description: "Image version tag (e.g., v1.0.0 or dev-test)"
|
|
required: true
|
|
default: "dev"
|
|
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
id-token: write # cosign keyless OIDC
|
|
|
|
env:
|
|
REGISTRY: ghcr.io/paperclipai
|
|
VERSION: ${{ github.event.inputs.version || format('git-{0}', github.sha) }}
|
|
|
|
jobs:
|
|
build-and-sign:
|
|
runs-on: ubuntu-22.04
|
|
steps:
|
|
- uses: actions/checkout@v4
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Log into GHCR
|
|
uses: docker/login-action@v4
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Install cosign
|
|
uses: sigstore/cosign-installer@v3
|
|
|
|
- name: Build + push all deployed harness images (linux/amd64)
|
|
id: bake
|
|
run: |
|
|
# Scope: the five harnesses the kubernetes sandbox provider supports
|
|
# out of the box (opencode, pi, codex, gemini, claude). acpx/hermes
|
|
# have Dockerfiles in the bake group but are not published by default.
|
|
# Platforms come from the bake HCL (linux/amd64).
|
|
# Use --push rather than a "*.push" --set so the wildcard does not hit
|
|
# the bake group (which has no such key -> "unknown key" error).
|
|
docker buildx bake \
|
|
-f docker/agent-runtime/buildx-bake.hcl \
|
|
base opencode pi codex gemini claude \
|
|
--push \
|
|
--metadata-file=bake-metadata.json
|
|
# Extract digests for cosign signing
|
|
BASE_DIGEST=$(jq -r '."base"."containerimage.digest"' bake-metadata.json)
|
|
OPENCODE_DIGEST=$(jq -r '."opencode"."containerimage.digest"' bake-metadata.json)
|
|
PI_DIGEST=$(jq -r '."pi"."containerimage.digest"' bake-metadata.json)
|
|
CODEX_DIGEST=$(jq -r '."codex"."containerimage.digest"' bake-metadata.json)
|
|
GEMINI_DIGEST=$(jq -r '."gemini"."containerimage.digest"' bake-metadata.json)
|
|
CLAUDE_DIGEST=$(jq -r '."claude"."containerimage.digest"' bake-metadata.json)
|
|
echo "base_digest=$BASE_DIGEST" >> "$GITHUB_OUTPUT"
|
|
echo "opencode_digest=$OPENCODE_DIGEST" >> "$GITHUB_OUTPUT"
|
|
echo "pi_digest=$PI_DIGEST" >> "$GITHUB_OUTPUT"
|
|
echo "codex_digest=$CODEX_DIGEST" >> "$GITHUB_OUTPUT"
|
|
echo "gemini_digest=$GEMINI_DIGEST" >> "$GITHUB_OUTPUT"
|
|
echo "claude_digest=$CLAUDE_DIGEST" >> "$GITHUB_OUTPUT"
|
|
env:
|
|
VERSION: ${{ env.VERSION }}
|
|
REGISTRY: ${{ env.REGISTRY }}
|
|
|
|
- name: Cosign sign base
|
|
run: |
|
|
cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-base@${{ steps.bake.outputs.base_digest }}"
|
|
|
|
- name: Cosign sign opencode
|
|
run: |
|
|
cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-opencode@${{ steps.bake.outputs.opencode_digest }}"
|
|
|
|
- name: Cosign sign pi
|
|
run: |
|
|
cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-pi@${{ steps.bake.outputs.pi_digest }}"
|
|
|
|
- name: Cosign sign codex
|
|
run: |
|
|
cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-codex@${{ steps.bake.outputs.codex_digest }}"
|
|
|
|
- name: Cosign sign gemini
|
|
run: |
|
|
cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-gemini@${{ steps.bake.outputs.gemini_digest }}"
|
|
|
|
- name: Cosign sign claude
|
|
run: |
|
|
cosign sign --yes "${{ env.REGISTRY }}/agent-runtime-claude@${{ steps.bake.outputs.claude_digest }}"
|