mirror of
https://github.com/garrytan/gstack.git
synced 2026-05-07 05:56:41 +02:00
1a01632b90
The CI Dockerfile's Node install was failing on ubicloud runners. NodeSource's setup_22.x script runs two internal apt operations that both depend on archive.ubuntu.com + security.ubuntu.com being reachable:

1. apt-get update (to refresh package lists)
2. apt-get install gnupg (as a prerequisite for its gpg keyring)

Ubicloud's CI runners frequently can't reach those mirrors — last build hit ~2min of connection timeouts to every security.ubuntu.com IP (185.125.190.82, 91.189.91.83, 91.189.92.24, etc.) plus archive.ubuntu.com mirrors.

Compounding this: on Ubuntu 24.04 (noble) "gnupg" was renamed to "gpg" and "gpgconf". NodeSource's setup script still looks for "gnupg", so even when apt works, it fails with "Package 'gnupg' has no installation candidate." The subsequent apt-get install nodejs then fails because the NodeSource repo was never added.

Fix: drop NodeSource entirely. Download Node.js v22.20.0 from nodejs.org as a tarball, extract to /usr/local. One host, no apt, no script, no keyring.

Before:

```dockerfile
RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
    && apt-get install -y --no-install-recommends nodejs
...
```

After:

```dockerfile
ENV NODE_VERSION=22.20.0
RUN curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz" -o /tmp/node.tar.xz \
    && tar -xJ -C /usr/local --strip-components=1 --no-same-owner -f /tmp/node.tar.xz \
    && rm -f /tmp/node.tar.xz \
    && node --version && npm --version
```

Same installed path (/usr/local/bin/node and npm). Pinned version for reproducibility. Version is bump-visible in the Dockerfile now.

Does not address the separate apt flakiness that affects the GitHub CLI install (line 17) or `npx playwright install-deps chromium` (line 33) — those use apt too. If those fail on a future build we can address then.

Failing job: build-image (71777913820)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
73 lines
3.3 KiB
Docker
```dockerfile
# gstack CI eval runner — pre-baked toolchain + deps
# Rebuild weekly via ci-image.yml, on Dockerfile changes, or on lockfile changes
FROM ubuntu:24.04

ENV DEBIAN_FRONTEND=noninteractive

# System deps
RUN apt-get update && apt-get install -y --no-install-recommends \
    git curl unzip ca-certificates jq bc gpg \
    && rm -rf /var/lib/apt/lists/*

# GitHub CLI
RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
    | gpg --dearmor -o /usr/share/keyrings/githubcli-archive-keyring.gpg \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
    | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
    && apt-get update && apt-get install -y --no-install-recommends gh \
    && rm -rf /var/lib/apt/lists/*

# Node.js 22 LTS (needed for claude CLI)
# Install from the official nodejs.org tarball instead of NodeSource's apt setup.
# NodeSource's setup_22.x script runs its own `apt-get update` + `apt-get install gnupg`,
# both of which depend on archive.ubuntu.com / security.ubuntu.com being reachable.
# Ubicloud CI runners frequently can't reach those mirrors (connection timeouts),
# and "gnupg" was renamed to "gpg" on Ubuntu 24.04 anyway, so NodeSource's script
# fails before it can add its own repo. Direct tarball download is network-simpler
# (one host: nodejs.org) and doesn't touch apt at all.
ENV NODE_VERSION=22.20.0
RUN curl -fsSL "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz" -o /tmp/node.tar.xz \
    && tar -xJ -C /usr/local --strip-components=1 --no-same-owner -f /tmp/node.tar.xz \
    && rm -f /tmp/node.tar.xz \
    && node --version \
    && npm --version

# Bun (install to /usr/local so non-root users can access it)
ENV BUN_INSTALL="/usr/local"
RUN curl -fsSL https://bun.sh/install | BUN_VERSION=1.3.10 bash

# Claude CLI
RUN npm i -g @anthropic-ai/claude-code

# Playwright system deps (Chromium) — needed for browse E2E tests
RUN npx playwright install-deps chromium

# Pre-install dependencies (cached layer — only rebuilds when package.json changes)
COPY package.json /workspace/
WORKDIR /workspace
RUN bun install && rm -rf /tmp/*

# Install Playwright Chromium to a shared location accessible by all users
ENV PLAYWRIGHT_BROWSERS_PATH=/opt/playwright-browsers
RUN npx playwright install chromium \
    && chmod -R a+rX /opt/playwright-browsers

# Verify everything works
RUN bun --version && node --version && claude --version && jq --version && gh --version \
    && npx playwright --version

# At runtime: checkout overwrites /workspace, but node_modules persists
# if we move it out of the way and symlink back
# Save node_modules + package.json snapshot for cache validation at runtime
RUN mv /workspace/node_modules /opt/node_modules_cache \
    && cp /workspace/package.json /opt/node_modules_cache/.package.json

# Claude CLI refuses --dangerously-skip-permissions as root.
# Create a non-root user for eval runs (GH Actions overrides USER, so
# the workflow must set options.user or use gosu/su-exec at runtime).
RUN useradd -m -s /bin/bash runner \
    && chmod -R a+rX /opt/node_modules_cache \
    && mkdir -p /home/runner/.gstack && chown -R runner:runner /home/runner/.gstack \
    && chmod 1777 /tmp \
    && mkdir -p /home/runner/.bun && chown -R runner:runner /home/runner/.bun
```
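The tarball install above pins the Node version but extracts whatever `curl` fetched straight into `/usr/local`, so a truncated or swapped download is only caught if `node --version` happens to fail. nodejs.org publishes a `SHASUMS256.txt` beside every release, and checking the tarball against it before `tar` runs closes that gap. The script below is an added example for this commit page, not the gstack project's own code: `verify_sha256` is the check itself, `install_node_verified` is the Dockerfile `RUN` step with the check inserted (it needs network and is not exercised here), and `self_check` runs the verifier offline on a constructed placeholder file, not a real Node tarball. The `SHASUMS256.txt` line format (`<sha256>  <filename>`) is assumed from nodejs.org's published files.

```shell
#!/bin/sh
# Added example, not the gstack project's own code: check a nodejs.org tarball
# against the SHASUMS256.txt published beside it before extracting, so a
# truncated or tampered download never reaches /usr/local.

# verify_sha256 TARBALL SUMS_FILE
# Returns 0 if SUMS_FILE has an entry for TARBALL's basename whose digest
# matches the file on disk. A missing entry is a failure (2), not a pass, so an
# empty or unrelated SUMS_FILE cannot satisfy the check. A mismatch returns 1.
verify_sha256() {
    tarball=$1
    sums=$2
    name=$(basename "$tarball")
    # Assumed SHASUMS256.txt line format: "<64 hex chars>  <filename>".
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "verify_sha256: no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "verify_sha256: digest mismatch for $name" >&2
        return 1
    fi
    return 0
}

# install_node_verified VERSION [DEST]
# The Dockerfile RUN step with verification added. Needs network, so it is not
# run by self_check below. Tarball and checksum come from the same host, so this
# catches corruption and a swapped artifact, not a compromise of nodejs.org
# itself; the signed SHASUMS256.txt.asc and the release keys cover that case.
install_node_verified() {
    version=$1
    dest=${2:-/usr/local}
    base="https://nodejs.org/dist/v${version}"
    name="node-v${version}-linux-x64.tar.xz"
    tmp=$(mktemp -d)
    curl -fsSL "$base/$name" -o "$tmp/$name" \
        && curl -fsSL "$base/SHASUMS256.txt" -o "$tmp/SHASUMS256.txt" \
        && verify_sha256 "$tmp/$name" "$tmp/SHASUMS256.txt" \
        && tar -xJ -C "$dest" --strip-components=1 --no-same-owner -f "$tmp/$name"
    status=$?
    rm -rf "$tmp"
    return $status
}

# self_check: exercise verify_sha256 offline on a constructed placeholder file
# (a few bytes, not a real Node tarball) and a SHASUMS256.txt built from its
# digest. Returns 0 only if the intact file passes and the tampered one fails.
self_check() {
    dir=$(mktemp -d)
    f="$dir/node-v22.20.0-linux-x64.tar.xz"
    printf 'constructed payload, not a real tarball\n' > "$f"
    printf '%s  %s\n' "$(sha256sum "$f" | awk '{ print $1 }')" "$(basename "$f")" \
        > "$dir/SHASUMS256.txt"
    verify_sha256 "$f" "$dir/SHASUMS256.txt"
    good=$?
    printf 'x' >> "$f"   # simulate a truncated or altered download
    verify_sha256 "$f" "$dir/SHASUMS256.txt" 2>/dev/null
    bad=$?
    rm -rf "$dir"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

self_check && echo "self-check passed: intact file accepted, tampered file rejected"
```

In the Dockerfile this replaces the single `curl ... | tar` chain with the two downloads plus `verify_sha256`; the `ENV NODE_VERSION` pin stays the source of truth for both the tarball URL and the checksum file, so a version bump still touches one line.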