Merge pull request 'fix: bug: agents Dockerfile build fails — SOPS checksum download unreachable (#120)' (#122) from fix/issue-120 into main

.gitignore

@@ -25,4 +25,6 @@ gardener/dust.jsonl
 
 # Individual encrypted secrets (managed by disinto secrets add)
 secrets/
-.woodpecker/smoke-init.yml
+
+# Pre-built binaries for Docker builds (avoid network calls during build)
+docker/agents/bin/

bin/disinto

@@ -226,7 +226,9 @@ services:
       - woodpecker
 
   agents:
-    build: ./docker/agents
+    build:
+      context: .
+      dockerfile: docker/agents/Dockerfile
     restart: unless-stopped
     security_opt:
       - apparmor=unconfined
@@ -256,7 +258,9 @@ services:
       - disinto-net
 
   runner:
-    build: ./docker/agents
+    build:
+      context: .
+      dockerfile: docker/agents/Dockerfile
     profiles: ["vault"]
     security_opt:
       - apparmor=unconfined
@@ -2367,6 +2371,55 @@ disinto_run() {
   return "$rc"
 }
 
+# ── Pre-build: download binaries to docker/agents/bin/ ────────────────────────
+# This avoids network calls during docker build (needed for Docker-in-LXD builds)
+# Returns 0 on success, 1 on failure
+download_agent_binaries() {
+  local bin_dir="${FACTORY_ROOT}/docker/agents/bin"
+  mkdir -p "$bin_dir"
+
+  echo "Downloading agent binaries to ${bin_dir}..."
+
+  # Download SOPS
+  local sops_file="${bin_dir}/sops"
+  if [ ! -f "$sops_file" ]; then
+    echo "  Downloading SOPS v3.9.4..."
+    curl -sL https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 -o "$sops_file"
+    if [ ! -f "$sops_file" ]; then
+      echo "Error: failed to download SOPS" >&2
+      return 1
+    fi
+  fi
+  # Verify checksum
+  echo "  Verifying SOPS checksum..."
+  if ! echo "5488e32bc471de7982ad895dd054bbab3ab91c417a118426134551e9626e4e85  ${sops_file}" | sha256sum -c - >/dev/null 2>&1; then
+    echo "Error: SOPS checksum verification failed" >&2
+    return 1
+  fi
+  chmod +x "$sops_file"
+
+  # Download tea CLI
+  local tea_file="${bin_dir}/tea"
+  if [ ! -f "$tea_file" ]; then
+    echo "  Downloading tea CLI v0.9.2..."
+    curl -sL https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-amd64 -o "$tea_file"
+    if [ ! -f "$tea_file" ]; then
+      echo "Error: failed to download tea CLI" >&2
+      return 1
+    fi
+  fi
+  # Verify checksum
+  echo "  Verifying tea CLI checksum..."
+  if ! echo "be10cdf9a619e3c0f121df874960ed19b53e62d1c7036cf60313a28b5227d54d  ${tea_file}" | sha256sum -c - >/dev/null 2>&1; then
+    echo "Error: tea CLI checksum verification failed" >&2
+    return 1
+  fi
+  chmod +x "$tea_file"
+
+  echo "Binaries downloaded and verified successfully"
+  return 0
+}
+
 # ── up command ────────────────────────────────────────────────────────────────
 
 disinto_up() {
@@ -2377,6 +2430,14 @@ disinto_up() {
     exit 1
   fi
 
+  # Pre-build: download binaries to docker/agents/bin/ to avoid network calls during docker build
+  echo "── Pre-build: downloading agent binaries ────────────────────────"
+  if ! download_agent_binaries; then
+    echo "Error: failed to download agent binaries" >&2
+    exit 1
+  fi
+  echo ""
+
   # Decrypt secrets to temp .env if SOPS available and .env.enc exists
   local tmp_env=""
   local enc_file="${FACTORY_ROOT}/.env.enc"

docker/agents/Dockerfile

@@ -3,20 +3,16 @@ FROM debian:bookworm-slim
 RUN apt-get update && apt-get install -y --no-install-recommends \
     bash curl git jq tmux cron python3 python3-pip openssh-client ca-certificates age shellcheck \
     && pip3 install --break-system-packages networkx \
-    && curl -sL https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 \
-       -o /usr/local/bin/sops \
-    && curl -sL https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.checksums.txt \
-       -o /tmp/sops-checksums.txt \
-    && sha256sum -c --ignore-missing /tmp/sops-checksums.txt \
-    && rm -f /tmp/sops-checksums.txt \
-    && chmod +x /usr/local/bin/sops \
     && rm -rf /var/lib/apt/lists/*
 
+# Pre-built binaries (copied from docker/agents/bin/)
+# SOPS — encrypted data decryption tool
+COPY docker/agents/bin/sops /usr/local/bin/sops
+RUN chmod +x /usr/local/bin/sops
+
 # tea CLI — official Gitea/Forgejo CLI for issue/label/comment operations
-# Checksum from https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-amd64.sha256
+COPY docker/agents/bin/tea /usr/local/bin/tea
-RUN curl -sL https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-amd64 -o /usr/local/bin/tea \
+RUN chmod +x /usr/local/bin/tea
-    && echo "be10cdf9a619e3c0f121df874960ed19b53e62d1c7036cf60313a28b5227d54d  /usr/local/bin/tea" | sha256sum -c - \
-    && chmod +x /usr/local/bin/tea
 
 # Claude CLI is mounted from the host via docker-compose volume.
 # No internet access to cli.anthropic.com required at build time.
@@ -27,7 +23,7 @@ RUN useradd -m -u 1000 -s /bin/bash agent
 # Copy disinto code into the image
 COPY . /home/agent/disinto
 
-COPY entrypoint.sh /entrypoint.sh
+COPY docker/agents/entrypoint.sh /entrypoint.sh
 RUN chmod +x /entrypoint.sh
 
 # Entrypoint runs as root to start the cron daemon;