diff --git a/.gitignore b/.gitignore
index b828cf5..fc2d715 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,4 +25,6 @@ gardener/dust.jsonl
 
 # Individual encrypted secrets (managed by disinto secrets add)
 secrets/
-.woodpecker/smoke-init.yml
+
+# Pre-built binaries for Docker builds (avoid network calls during build)
+docker/agents/bin/
diff --git a/bin/disinto b/bin/disinto
index 530cf1f..74faa68 100755
--- a/bin/disinto
+++ b/bin/disinto
@@ -2367,6 +2367,55 @@ disinto_run() {
     return "$rc"
 }
 
+# ── Pre-build: download binaries to docker/agents/bin/ ────────────────────────
+# This avoids network calls during docker build (needed for Docker-in-LXD builds)
+# Returns 0 on success, 1 on failure
+download_agent_binaries() {
+    local bin_dir="${FACTORY_ROOT}/docker/agents/bin"
+    mkdir -p "$bin_dir"
+
+    echo "Downloading agent binaries to ${bin_dir}..."
+
+    # Download SOPS
+    local sops_file="${bin_dir}/sops"
+    if [ ! -f "$sops_file" ]; then
+        echo " Downloading SOPS v3.9.4..."
+        curl -sL https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 -o "$sops_file"
+        if [ ! -f "$sops_file" ]; then
+            echo "Error: failed to download SOPS" >&2
+            return 1
+        fi
+    fi
+    # Verify checksum
+    echo " Verifying SOPS checksum..."
+    if ! echo "5488e32bc471de7982ad895dd054bbab3ab91c417a118426134551e9626e4e85  ${sops_file}" | sha256sum -c - >/dev/null 2>&1; then
+        echo "Error: SOPS checksum verification failed" >&2
+        return 1
+    fi
+    chmod +x "$sops_file"
+
+    # Download tea CLI
+    local tea_file="${bin_dir}/tea"
+    if [ ! -f "$tea_file" ]; then
+        echo " Downloading tea CLI v0.9.2..."
+        curl -sL https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-amd64 -o "$tea_file"
+        if [ ! -f "$tea_file" ]; then
+            echo "Error: failed to download tea CLI" >&2
+            return 1
+        fi
+    fi
+    # Verify checksum
+    echo " Verifying tea CLI checksum..."
+    if ! echo "be10cdf9a619e3c0f121df874960ed19b53e62d1c7036cf60313a28b5227d54d  ${tea_file}" | sha256sum -c - >/dev/null 2>&1; then
+        echo "Error: tea CLI checksum verification failed" >&2
+        return 1
+    fi
+    chmod +x "$tea_file"
+
+    echo "Binaries downloaded and verified successfully"
+    return 0
+}
+
 # ── up command ────────────────────────────────────────────────────────────────
 disinto_up() {
 
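Review bot: In download_agent_binaries a failed download leaves a poisoned file in bin_dir that blocks every later run: `curl -sL` carries no `-f`, so an HTTP error body is saved to `$sops_file`, the `[ ! -f "$sops_file" ]` check right after it passes, the checksum step fails, and on the next `disinto up` the same `[ ! -f ]` guard skips the download and verification fails again until someone deletes the file by hand. Use `curl -fsSL <url> -o "$sops_file" || { rm -f "$sops_file"; echo "Error: failed to download SOPS" >&2; return 1; }` and add `rm -f "$sops_file"` before the `return 1` in the checksum-failure branch; the tea block needs the same two changes. Dropping `>/dev/null 2>&1` from the two `sha256sum -c -` pipes would also keep the mismatch diagnostic visible instead of reducing it to a generic message. The SOPS digest `5488e32bc471de7982ad895dd054bbab3ab91c417a118426134551e9626e4e85` is pinned here without a source, so a comment such as `# from the upstream sops-v3.9.4.checksums.txt (previously fetched by the Dockerfile)` would let the next version bump be checked rather than trusted.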
@@ -2377,6 +2426,14 @@ disinto_up() {
         exit 1
     fi
 
+    # Pre-build: download binaries to docker/agents/bin/ to avoid network calls during docker build
+    echo "── Pre-build: downloading agent binaries ────────────────────────"
+    if ! download_agent_binaries; then
+        echo "Error: failed to download agent binaries" >&2
+        exit 1
+    fi
+    echo ""
+
     # Decrypt secrets to temp .env if SOPS available and .env.enc exists
     local tmp_env=""
     local enc_file="${FACTORY_ROOT}/.env.enc"
diff --git a/docker/agents/Dockerfile b/docker/agents/Dockerfile
index 0b6fad5..8d675d4 100644
--- a/docker/agents/Dockerfile
+++ b/docker/agents/Dockerfile
@@ -3,20 +3,16 @@ FROM debian:bookworm-slim
 RUN apt-get update && apt-get install -y --no-install-recommends \
     bash curl git jq tmux cron python3 python3-pip openssh-client ca-certificates age shellcheck \
     && pip3 install --break-system-packages networkx \
-    && curl -sL https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 \
-    -o /usr/local/bin/sops \
-    && curl -sL https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.checksums.txt \
-    -o /tmp/sops-checksums.txt \
-    && sha256sum -c --ignore-missing /tmp/sops-checksums.txt \
-    && rm -f /tmp/sops-checksums.txt \
-    && chmod +x /usr/local/bin/sops \
     && rm -rf /var/lib/apt/lists/*
 
+# Pre-built binaries (copied from docker/agents/bin/)
+# SOPS — encrypted data decryption tool
+COPY bin/sops /usr/local/bin/sops
+RUN chmod +x /usr/local/bin/sops
+
 # tea CLI — official Gitea/Forgejo CLI for issue/label/comment operations
-# Checksum from https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-amd64.sha256
-RUN curl -sL https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-amd64 -o /usr/local/bin/tea \
-    && echo "be10cdf9a619e3c0f121df874960ed19b53e62d1c7036cf60313a28b5227d54d  /usr/local/bin/tea" | sha256sum -c - \
-    && chmod +x /usr/local/bin/tea
+COPY bin/tea /usr/local/bin/tea
+RUN chmod +x /usr/local/bin/tea
 
 # Claude CLI is mounted from the host via docker-compose volume.
 # No internet access to cli.anthropic.com required at build time.
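Review bot: The image no longer checks what it installs: `COPY bin/sops` and `COPY bin/tea` take whatever is in the gitignored `docker/agents/bin/` directory, so a `docker build` run without going through `disinto up`, or a stale or replaced file left in that directory, is baked into the image unverified, whereas the removed lines verified both binaries inside the build. Re-verifying against the same pinned digests costs no network call and folds away the separate `chmod` layers: `RUN echo "5488e32bc471de7982ad895dd054bbab3ab91c417a118426134551e9626e4e85  /usr/local/bin/sops" | sha256sum -c - && chmod +x /usr/local/bin/sops` after the SOPS copy, and `RUN echo "be10cdf9a619e3c0f121df874960ed19b53e62d1c7036cf60313a28b5227d54d  /usr/local/bin/tea" | sha256sum -c - && chmod +x /usr/local/bin/tea` after the tea copy. The `# Checksum from https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-amd64.sha256` provenance comment was dropped together with the tea `RUN`; keep it next to the new `COPY bin/tea` so the pinned digest remains traceable.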