Molecule AI Core-DevOps
37b01b4e24
All checks were successful
sop-checklist / all-items-acked (pull_request) injected after rebase
Block internal-flavored paths / Block forbidden paths (pull_request) Successful in 38s
CI / Detect changes (pull_request) Successful in 1m22s
E2E API Smoke Test / detect-changes (pull_request) Successful in 1m24s
E2E Staging Canvas (Playwright) / detect-changes (pull_request) Successful in 1m14s
Handlers Postgres Integration / detect-changes (pull_request) Successful in 51s
publish-runtime-autobump / bump-and-tag (pull_request) Has been skipped
Runtime PR-Built Compatibility / detect-changes (pull_request) Successful in 26s
publish-runtime-autobump / pr-validate (pull_request) Successful in 54s
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 14s
lint-required-no-paths / lint-required-no-paths (pull_request) Successful in 1m32s
gate-check-v3 / gate-check (pull_request) Successful in 22s
qa-review / approved (pull_request) Successful in 20s
security-review / approved (pull_request) Successful in 17s
sop-checklist-gate / gate (pull_request) Successful in 15s
audit-force-merge / audit (pull_request) Successful in 14s
sop-tier-check / tier-check (pull_request) Successful in 19s
CI / Shellcheck (E2E scripts) (pull_request) Successful in 9s
CI / Platform (Go) (pull_request) Successful in 14s
CI / Canvas (Next.js) (pull_request) Successful in 12s
E2E API Smoke Test / E2E API Smoke Test (pull_request) Successful in 10s
Handlers Postgres Integration / Handlers Postgres Integration (pull_request) Successful in 12s
E2E Staging Canvas (Playwright) / Canvas tabs E2E (pull_request) Successful in 17s
Runtime PR-Built Compatibility / PR-built wheel + import smoke (pull_request) Successful in 2m39s
CI / Python Lint & Test (pull_request) Successful in 7m25s
CI / Canvas Deploy Reminder (pull_request) Has been skipped
CI / all-required (pull_request) Successful in 4s
Probe the A2A agent-card endpoint so orchestrators and container
runtimes can detect a live, responsive workspace agent without
requiring a registered agent token.
- Uses curl (present in python:3.11-slim base)
- Targets uvicorn server on configurable PORT (default 8000)
- interval=30s, timeout=5s, retries=3 — balances responsiveness
vs. false-positive tolerance on busy containers
- ${PORT:-8000} substitution is safe because:
(a) the base image EXPOSEs 8000
(b) molecule-runtime defaults config.a2a.port to 8000
(c) the entrypoint uses exec form so HEALTHCHECK exec succeeds
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
92 lines
4.3 KiB
Docker
92 lines
4.3 KiB
Docker
FROM python:3.11-slim@sha256:e78299e55776ca065dcb769f80161f48465ad352014240eb5fe4712e22505e9b
|
|
|
|
WORKDIR /app
|
|
|
|
# Install Node.js, git, gh CLI in a single layer to minimize image size
|
|
RUN apt-get update && \
|
|
apt-get install -y --no-install-recommends curl git ca-certificates && \
|
|
# Node.js 22
|
|
curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
|
|
apt-get install -y --no-install-recommends nodejs && \
|
|
# GitHub CLI
|
|
curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
|
|
| dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg && \
|
|
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
|
|
> /etc/apt/sources.list.d/github-cli.list && \
|
|
apt-get update && apt-get install -y --no-install-recommends gh && \
|
|
# Cleanup apt caches and temp files
|
|
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
|
|
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
|
|
|
|
# Create non-root user (claude --dangerously-skip-permissions refuses root)
|
|
RUN useradd -m -s /bin/bash agent
|
|
|
|
# Install base Python dependencies (A2A SDK + HTTP only)
|
|
COPY requirements.txt .
|
|
RUN pip install --no-cache-dir -r requirements.txt
|
|
|
|
# Copy runtime code (adapters/ has been removed — adapters now live in standalone
|
|
# template repos and install molecule-ai-workspace-runtime from PyPI)
|
|
COPY *.py ./
|
|
COPY entrypoint.sh ./
|
|
COPY skill_loader/ ./skill_loader/
|
|
COPY builtin_tools/ ./builtin_tools/
|
|
COPY plugins_registry/ ./plugins_registry/
|
|
COPY policies/ ./policies/
|
|
|
|
# Create CLI aliases
|
|
RUN ln -s /app/a2a_cli.py /usr/local/bin/a2a && chmod +x /app/a2a_cli.py /app/a2a_mcp_server.py && \
|
|
ln -s /app/molecule_ai_status.py /usr/local/bin/molecule-monorepo-status && chmod +x /app/molecule_ai_status.py
|
|
|
|
# gh wrapper — auto-prefixes PR / issue titles with the agent role + appends
|
|
# a body footer. Every agent in the template shares one GitHub PAT so plain
|
|
# `gh pr list` can't distinguish workspaces; the wrapper reads GIT_AUTHOR_NAME
|
|
# (set by the platform provisioner, "Molecule AI <Role>") and rewrites the
|
|
# title/body accordingly. Fails open when the env is missing. Anything that
|
|
# isn't `gh pr create` or `gh issue create` passes through untouched.
|
|
# /usr/local/bin is earlier in PATH than /usr/bin/gh so this shadows the
|
|
# real binary without renaming it.
|
|
COPY scripts/gh-wrapper.sh /usr/local/bin/gh
|
|
RUN chmod +x /usr/local/bin/gh
|
|
|
|
# Copy the git credential helper so entrypoint.sh can register it at boot.
|
|
# molecule-git-token-helper.sh fetches a fresh GitHub App installation token
|
|
# from the platform on every git push/fetch, preventing stale-token failures
|
|
# after the ~60 min GitHub App token TTL (issue #613 / #547).
|
|
COPY scripts/molecule-git-token-helper.sh ./scripts/
|
|
RUN chmod +x ./scripts/molecule-git-token-helper.sh
|
|
|
|
# Copy the background token refresh daemon. Runs as a background process
|
|
# started by entrypoint.sh — refreshes gh CLI auth and the credential
|
|
# helper cache every 45 min so tokens never expire mid-operation.
|
|
COPY scripts/molecule-gh-token-refresh.sh ./scripts/
|
|
RUN chmod +x ./scripts/molecule-gh-token-refresh.sh
|
|
|
|
# Dirs and permissions
|
|
RUN mkdir -p /workspace /plugins /home/agent/.claude /home/agent/.config /home/agent/.local \
|
|
/home/agent/.molecule-token-cache && \
|
|
chown -R agent:agent /app /home/agent /workspace
|
|
|
|
# Install gosu for clean root → agent user handoff in entrypoint.
|
|
# The entrypoint starts as root to fix volume ownership, then exec's
|
|
# as the agent user so Claude Code's --dangerously-skip-permissions works.
|
|
RUN apt-get update && apt-get install -y --no-install-recommends gosu && \
|
|
rm -rf /var/lib/apt/lists/*
|
|
|
|
VOLUME /configs
|
|
VOLUME /workspace
|
|
|
|
EXPOSE 8000
|
|
|
|
# HEALTHCHECK: probe the A2A agent-card endpoint so orchestrators and
|
|
# container runtimes can detect a live, responsive workspace agent.
|
|
# Uses curl (present in python:3.11-slim base) against the uvicorn server.
|
|
# PORT is injected at runtime via the molecule-runtime entrypoint; the
|
|
# default matches EXPOSE.
|
|
HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
|
|
CMD curl -sf http://localhost:${PORT:-8000}/agent/card >/dev/null || exit 1
|
|
|
|
RUN chmod +x /app/entrypoint.sh
|
|
# Start as root — entrypoint fixes volume permissions then drops to agent
|
|
CMD ["./entrypoint.sh"]
|