feat: versioned releases — vault-gated tag, image build, and deploy #112

Closed · opened 2026-04-01 13:40:34 +00:00 by dev-bot (Collaborator) · 0 comments

Problem

Agents run from a bind-mounted host repo (./:/home/agent/disinto:ro). The host repo drifts behind Forgejo main — currently 38+ commits behind. Agents run stale factory code while implementing changes on top of new code. This causes subtle bugs and confusion.

Proposed solution

Two changes:

1. Bake code into Docker image (remove bind mount)

  • Remove ./:/home/agent/disinto:ro from agents and agents-llama services in docker-compose.yml
  • Add COPY . /home/agent/disinto to docker/agents/Dockerfile
  • The compose template in bin/disinto (generate_compose()) must also be updated
  • Agents now run from a pinned copy of the code baked into the image

2. Vault-gated release workflow

Create formulas/release.toml — a formula the runner executes when a release vault PR is approved.

Trigger: Human creates and merges a vault PR:

id = "release-v1.2.0"
formula = "release"
context = "Tag v1.2.0 — includes vault redesign, .profile system, architect agent"
secrets = []

The release formula does:

  1. Verify the target version tag does not already exist
  2. Tag the current Forgejo main via API: POST /api/v1/repos/johba/disinto/tags
  3. Push tag to mirrors (Codeberg, GitHub) via mirror_push (already pushes --tags)
  4. Build the new agents image: docker compose build --no-cache agents
  5. Tag the image: docker tag disinto-agents disinto-agents:<version>
  6. Restart agent containers: docker compose up -d agents agents-llama
  7. Write result with the new version and image ID

Runner container needs:

  • Docker socket access (already has it: /var/run/docker.sock)
  • SSH keys for mirror push (already mounted: .ssh:/home/agent/.ssh:ro)
  • Forgejo token for tag creation (already injected via .env)
  • Access to docker-compose.yml for build + restart

What disinto release looks like (optional CLI shortcut)

disinto release v1.2.0

Equivalent to creating the vault PR manually. Convenience wrapper that:

  1. Calls lib/vault.sh:vault_request("release-v1.2.0", toml_content)
  2. Prints the PR URL for human to review and merge

Affected files

  • docker/agents/Dockerfile (update — add COPY)
  • docker-compose.yml / bin/disinto generate_compose (update — remove bind mount)
  • formulas/release.toml (new)
  • bin/disinto (update — add release subcommand)
  • vault/examples/release.toml (new — example for schema docs)

Acceptance criteria

  • Agents image contains disinto code (no bind mount)
  • formulas/release.toml tags, builds, and restarts via vault-gated flow
  • Tags appear on Forgejo, Codeberg, and GitHub after release
  • Docker image tagged with version
  • disinto release v1.2.0 creates vault PR
  • Agent containers run the new version after release completes
  • CI green

Dependencies

Depends on dispatcher (#76) being operational — vault PRs must be executable.
The vault TOML schema (#74) and lib/vault.sh (#75) are already merged.
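One check worth running before the bind mount goes away (an added example, not code from the issue or the disinto project): with `COPY . /home/agent/disinto`, everything in the build context lands in an image layer, and the runner section above places `.env` (Forgejo token) and `.ssh/` (mirror push keys) in that same compose directory. The script below refuses to build unless `.dockerignore` excludes them. It assumes the compose project directory is the build context and that `.dockerignore` uses plain path entries; `SENSITIVE`, `ignored`, `context_leaks` and `safe_build` are names chosen here, not project functions.

```shell
#!/bin/sh
# Added example, not code from the issue or the disinto project: a preflight
# for change 1. Once COPY . /home/agent/disinto replaces the bind mount, the
# whole build context goes into an image layer, and the runner section of the
# issue puts .env (Forgejo token) and .ssh/ (mirror push keys) in that directory.
# Assumed: the compose project directory is the build context, and
# .dockerignore uses plain path entries. Negation (!) rules are not modelled;
# their presence fails the check so a human looks at it.
set -eu

# Paths that must never be copied into the image. Extend for the real repo.
SENSITIVE=".env .ssh"

# Does $1/.dockerignore exclude $2? Accepts the bare name, name/ or name/**,
# each of which makes Docker skip that file or directory.
ignored() {
    ctx=$1; path=$2
    [ -f "$ctx/.dockerignore" ] || return 1
    if grep -q '^!' "$ctx/.dockerignore"; then
        echo "negation rule in $ctx/.dockerignore; review it by hand" >&2
        return 1
    fi
    pat=$(printf '%s' "$path" | sed 's/[.]/\\./g')   # regex-escape dots
    grep -Eqx "$pat|$pat/|$pat/\*\*" "$ctx/.dockerignore"
}

# Print every sensitive path that exists in the context and is not excluded,
# one per line. Returns 1 if anything would leak into the image.
context_leaks() {
    dir=$1; rc=0
    for p in $SENSITIVE; do
        [ -e "$dir/$p" ] || continue
        if ! ignored "$dir" "$p"; then
            echo "$p"; rc=1
        fi
    done
    return $rc
}

# Build only when the context is clean. `agents` is the compose service name
# from the issue; the build command is the one the issue specifies.
safe_build() {
    if leaks=$(context_leaks "$1"); then
        docker compose build --no-cache agents
    else
        echo "refusing to build; these would be copied into the image:" >&2
        echo "$leaks" >&2
        return 1
    fi
}

# Usage: preflight.sh /path/to/compose/dir
if [ $# -gt 0 ]; then safe_build "$1"; fi
```

The check is deliberately conservative: a `.dockerignore` that contains any `!` line fails closed, because re-include rules can undo an earlier exclusion and a script that guesses at Docker's matching order would give false confidence.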

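The seven release steps as a shell sketch (an added example, not the project's `formulas/release.toml` or `bin/disinto`). It uses the Forgejo tag endpoints named in the issue, takes the version from the vault PR `id`, and rejects anything that is not a plain `vX.Y.Z` before that string reaches an API body, a git tag or a docker tag. Assumed, because the issue does not fix them: the environment variables `FORGEJO_URL`, `FORGEJO_TOKEN`, `REPO` and `IMAGE`, the `version=... image=...` result line printed at the end, and that `mirror_push` is callable as a command; `CURL`, `DOCKER` and `MIRROR_PUSH` are overridable so the flow can be dry-run without a network or the Docker socket.

```shell
#!/bin/sh
# Added example (not the project's formulas/release.toml): the release steps
# from the issue as shell functions. Assumed: FORGEJO_URL, FORGEJO_TOKEN, REPO
# and IMAGE come from the environment (the issue says the token arrives via
# .env); mirror_push is the project's existing helper and is callable as a
# command. CURL/DOCKER/MIRROR_PUSH are overridable for a network-free dry run.
set -eu

CURL=${CURL:-curl}
DOCKER=${DOCKER:-docker}
MIRROR_PUSH=${MIRROR_PUSH:-mirror_push}
FORGEJO_URL=${FORGEJO_URL:-https://forgejo.invalid}   # placeholder, assumed
FORGEJO_TOKEN=${FORGEJO_TOKEN:-}
REPO=${REPO:-johba/disinto}
IMAGE=${IMAGE:-disinto-agents}

# Turn the vault PR id ("release-v1.2.0") into "v1.2.0" and accept only a
# plain vX.Y.Z. The id was approved by a human, but it still becomes an API
# body field, a git tag and a docker tag, so spaces, slashes, quotes and shell
# metacharacters are refused here rather than handled downstream.
release_version() {
    ver=${1#release-}
    [ "$ver" != "$1" ] || { echo "release id must start with release-: $1" >&2; return 1; }
    printf '%s' "$ver" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$' \
        || { echo "not a vX.Y.Z version: $ver" >&2; return 1; }
    printf '%s\n' "$ver"
}

# Step 1. GET /repos/{owner}/{repo}/tags/{tag} answers 200 when the tag exists
# and 404 when it does not. Anything else (bad token, outage) is an error, not
# "absent", so a broken lookup can never lead to a retag.
tag_state() {
    code=$("$CURL" -sS -o /dev/null -w '%{http_code}' \
        -H "Authorization: token $FORGEJO_TOKEN" \
        "$FORGEJO_URL/api/v1/repos/$REPO/tags/$1")
    case "$code" in
        200) echo exists ;;
        404) echo absent ;;
        *)   echo "unexpected HTTP $code looking up tag $1" >&2; return 1 ;;
    esac
}

# Step 2. Tag current main through the API. Only the validated version goes
# into the JSON body; the PR's free-text context is left out because nothing
# here JSON-escapes it.
create_tag() {
    "$CURL" -sS -f -X POST \
        -H "Authorization: token $FORGEJO_TOKEN" \
        -H 'Content-Type: application/json' \
        --data "{\"tag_name\":\"$1\",\"target\":\"main\",\"message\":\"Release $1\"}" \
        "$FORGEJO_URL/api/v1/repos/$REPO/tags" >/dev/null
}

# Steps 3 to 7. Everything runs under set -e, so a failed push or build stops
# the release before agents are restarted onto a half-built image. The result
# line format is an assumption; the issue only says "version and image ID".
release_run() {
    ver=$(release_version "$1") || return 1
    state=$(tag_state "$ver") || return 1
    [ "$state" = absent ] || { echo "tag $ver already exists; refusing to retag" >&2; return 1; }
    create_tag "$ver"
    "$MIRROR_PUSH"                                  # already pushes --tags
    "$DOCKER" compose build --no-cache agents
    "$DOCKER" tag "$IMAGE" "$IMAGE:$ver"
    "$DOCKER" compose up -d agents agents-llama
    image_id=$("$DOCKER" image inspect -f '{{.Id}}' "$IMAGE:$ver")
    printf 'version=%s image=%s\n' "$ver" "$image_id"
}

# Usage: release.sh release-v1.2.0
if [ $# -gt 0 ]; then release_run "$1"; fi
```

Two design points: the tag lookup distinguishes 404 from every other status so an expired token or an outage cannot be read as "tag absent" and silently retag, and the version check runs before any side effect, since the same string is reused verbatim as a git tag name and a docker tag name.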
dev-bot added the backlog label 2026-04-01 13:40:34 +00:00
dev-qwen self-assigned this 2026-04-01 13:41:39 +00:00
dev-qwen added the in-progress label and removed the backlog label 2026-04-01 13:41:39 +00:00
dev-qwen removed their assignment 2026-04-01 14:09:38 +00:00
Reference: johba/disinto#112