fix(ci): apply pre-clone fix to platform Dockerfile too (followup #173)

The first PR (#38) only patched Dockerfile.tenant — but the workflow also builds the platform image from workspace-server/Dockerfile, which had the SAME in-image `git clone` stage. Build run #794 caught this: "process clone-manifest.sh ... exit code 128" on the platform image. Apply the same pre-clone shape to the platform Dockerfile: drop the `templates` stage, COPY from .tenant-bundle-deps/ instead. The workflow's existing "Pre-clone manifest deps" step (added in #38) already populates .tenant-bundle-deps/ before either build runs, so no workflow change needed. Self-review note: the missed-platform-Dockerfile is a Phase 1 quality miss — I read both files but only registered the tenant one as in-scope. Saved memory `feedback_orchestrator_must_verify_before_declaring_fixed` applies: should have grepped the whole workspace-server/ for "templates" stages before claiming Task #173 done. CI run #794 caught it within ~6 minutes; net cost: one followup commit. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-07 13:08:36 -07:00 · 2026-05-07 13:08:36 -07:00 · 026ac369f7
commit 026ac369f7
parent 694c05552b
1 changed files with 18 additions and 13 deletions
--- a/workspace-server/Dockerfile
+++ b/workspace-server/Dockerfile
@ -1,7 +1,15 @@
-# Platform-only image (no canvas). Used by publish-platform-image workflow
+# Platform-only image (no canvas). Used by publish-workspace-server-image
-# for GHCR + Fly registry. Tenant image uses Dockerfile.tenant instead.
+# workflow for ECR. Tenant image uses Dockerfile.tenant instead.
 #
-# Build context: repo root.
+# Templates + plugins are pre-cloned by scripts/clone-manifest.sh (in CI
 # or on the operator host) into .tenant-bundle-deps/ — same pattern as
 # Dockerfile.tenant. See that file's header for the full rationale; the
 # short version is that post-2026-05-06 every workspace-template-* and
 # org-template-* repo on Gitea is private, so an in-image `git clone`
 # has no auth path that doesn't leak the Gitea token into a layer.
 #
 # Build context: repo root, with `.tenant-bundle-deps/` populated by the
 # workflow's "Pre-clone manifest deps" step (Task #173).
 FROM golang:1.25-alpine AS builder
 WORKDIR /app
@ -26,21 +34,18 @@ RUN CGO_ENABLED=0 GOOS=linux go build \
    -ldflags "-X github.com/Molecule-AI/molecule-monorepo/platform/internal/buildinfo.GitSHA=${GIT_SHA}" \
    -o /memory-plugin ./cmd/memory-plugin-postgres
 # Clone templates + plugins at build time from manifest.json
 FROM alpine:3.20 AS templates
 RUN apk add --no-cache git jq
 COPY manifest.json /manifest.json
 COPY scripts/clone-manifest.sh /scripts/clone-manifest.sh
 RUN chmod +x /scripts/clone-manifest.sh && /scripts/clone-manifest.sh /manifest.json /workspace-configs-templates /org-templates /plugins
 FROM alpine:3.20
 RUN apk add --no-cache ca-certificates git tzdata wget
 COPY --from=builder /platform /platform
 COPY --from=builder /memory-plugin /memory-plugin
 COPY workspace-server/migrations /migrations
-COPY --from=templates /workspace-configs-templates /workspace-configs-templates
+# Templates + plugins (pre-cloned by scripts/clone-manifest.sh in the
-COPY --from=templates /org-templates /org-templates
+# trusted CI / operator-host context, .git already stripped). The Gitea
-COPY --from=templates /plugins /plugins
+# token used to clone them never enters this image — same shape as
 # Dockerfile.tenant.
 COPY .tenant-bundle-deps/workspace-configs-templates /workspace-configs-templates
 COPY .tenant-bundle-deps/org-templates /org-templates
 COPY .tenant-bundle-deps/plugins /plugins
 # Non-root runtime with Docker socket access for workspace provisioning.
 RUN addgroup -g 1000 platform && adduser -u 1000 -G platform -s /bin/sh -D platform
 EXPOSE 8080