Molecule AI Core-DevOps
1492b40b38
Pins all FROM image tags to exact SHA256 digests for reproducible builds. Without digest pinning, a registry push of a new image to the same tag can silently change the layer content between builds — a supply-chain risk especially for prod-deployed images. Pinned images (7 Dockerfiles): - golang:1.25-alpine → sha256:c4ea15b... (workspace-server/Dockerfile, Dockerfile.dev, Dockerfile.tenant, tests/harness/cp-stub/Dockerfile) - alpine:3.20 → sha256:c64c687c... (workspace-server/Dockerfile, tests/harness/cp-stub/Dockerfile) - node:20-alpine → sha256:afdf982... (workspace-server/Dockerfile.tenant) - node:22-alpine → sha256:cb15fca... (canvas/Dockerfile) - python:3.11-slim → sha256:e78299e... (workspace/Dockerfile) - nginx:1.27-alpine → sha256:62223d6... (tests/harness/cf-proxy/Dockerfile) Note: docker-compose.yml service images (postgres, redis, clickhouse, litellm, ollama) are intentionally left on major-version tags — those are runtime-pulled and updated regularly for local-dev ergonomics. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
45 lines
2.0 KiB
Docker
45 lines
2.0 KiB
Docker
# Dockerfile.dev — local-development image with air-driven live reload.
|
|
#
|
|
# Selected by docker-compose.dev.yml (overlay over docker-compose.yml).
|
|
# Production stays on workspace-server/Dockerfile (static binary, no air).
|
|
#
|
|
# Workflow:
|
|
# 1. docker compose -f docker-compose.yml -f docker-compose.dev.yml up
|
|
# 2. Edit any .go file under workspace-server/
|
|
# 3. air detects, rebuilds, kills old binary, starts new one (~3-5s)
|
|
# 4. No `docker compose up --build` needed
|
|
#
|
|
# Templates + plugins are NOT pre-cloned here — air-mode assumes the
|
|
# developer's filesystem has the workspace-configs-templates/ + plugins/
|
|
# dirs available, mounted at runtime via docker-compose.dev.yml.
|
|
|
|
FROM golang:1.25-alpine@sha256:c4ea15b4a7912716eb362a022e2b12317762eca387423760bc59c0f9ae69423c
|
|
|
|
# air + git (for go mod) + ca-certs (for TLS) + tzdata (for time-zone DB)
|
|
# + docker-cli + docker-cli-buildx so the platform binary can shell out to
|
|
# /var/run/docker.sock (bind-mounted from host) for local-build provisioning.
|
|
# docker-cli alone is insufficient: alpine's docker-cli enables BuildKit by
|
|
# default but ships without buildx, producing
|
|
# `ERROR: BuildKit is enabled but the buildx component is missing or broken`
|
|
# on every `docker build`. docker-cli-buildx provides the buildx subcommand.
|
|
RUN apk add --no-cache git ca-certificates tzdata wget docker-cli docker-cli-buildx \
|
|
&& go install github.com/air-verse/air@latest
|
|
|
|
WORKDIR /app/workspace-server
|
|
|
|
# Pre-fetch deps so the first `air` rebuild on a fresh container is fast.
|
|
# These are bind-mount-overridden at runtime, so the COPY here is just
|
|
# to warm the module cache.
|
|
COPY workspace-server/go.mod workspace-server/go.sum ./
|
|
RUN go mod download
|
|
|
|
# Source is bind-mounted at runtime (see docker-compose.dev.yml volumes
|
|
# block) so the Dockerfile doesn't need to COPY it. air watches the
|
|
# bind-mounted dir for changes.
|
|
|
|
ENV CGO_ENABLED=0
|
|
ENV GOFLAGS="-buildvcs=false"
|
|
|
|
# Run air with the .air.toml in the bind-mounted source dir.
|
|
CMD ["air", "-c", ".air.toml"]
|