From aba23feddd38d14d2ffa4cd47cd8d93b467f072c Mon Sep 17 00:00:00 2001
From: Richie Foreman
Date: Sat, 20 Sep 2025 10:19:03 -0400
Subject: [PATCH] feat(CI): Add a github action to build the sandbox image and push to GHCR (#8670)
Co-authored-by: matt korwel
---
 .github/actions/push-sandbox/action.yaml | 85 ++++++++++++++++++++++++
 .github/workflows/release-sandbox.yml | 33 +++++++++
 scripts/build_sandbox.js | 20 ++----
 3 files changed, 125 insertions(+), 13 deletions(-)
 create mode 100644 .github/actions/push-sandbox/action.yaml
 create mode 100644 .github/workflows/release-sandbox.yml
diff --git a/.github/actions/push-sandbox/action.yaml b/.github/actions/push-sandbox/action.yaml
new file mode 100644
index 0000000000..85c705b9ce
--- /dev/null
+++ b/.github/actions/push-sandbox/action.yaml
@@ -0,0 +1,85 @@ +name: 'Build and push sandbox docker' +description: 'Pushes sandbox docker image to container registry' + +inputs: + github-actor: + description: 'Github actor' + required: true + github-secret: + description: 'Github secret' + required: true + github-sha: + description: 'Github Commit SHA Hash' + required: true + github-ref-name: + description: 'Github ref name' + required: true + dry-run: + description: 'Whether this is a dry run.' + required: true + type: 'boolean' + +runs: + using: 'composite' + steps: + - name: 'Checkout' + uses: 'actions/checkout@v4' + with: + ref: '${{ inputs.github-sha }}' + fetch-depth: 0 + - name: 'Install Dependencies' + shell: 'bash' + run: 'npm install' + - name: 'npm build' + shell: 'bash' + run: 'npm run build' + - name: 'Set up Docker Buildx' + uses: 'docker/setup-buildx-action@v3' + - name: 'Log in to GitHub Container Registry' + uses: 'docker/login-action@v3' + with: + registry: 'ghcr.io' + username: '${{ inputs.github-actor }}' + password: '${{ inputs.github-secret }}' + - name: 'determine image tag' + id: 'image_tag' + shell: 'bash' + run: |- + SHELL_TAG_NAME="${{ inputs.github-ref-name }}" + FINAL_TAG="${{ inputs.github-sha }}" + if [[ "$SHELL_TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]]; then + echo "Release detected." + FINAL_TAG="${SHELL_TAG_NAME#v}" + else + echo "Development release detected. Using commit SHA as tag." 
+ fi + echo "Determined image tag: $FINAL_TAG" + echo "FINAL_TAG=$FINAL_TAG" >> $GITHUB_OUTPUT + - name: 'build' + id: 'docker_build' + shell: 'bash' + env: + GEMINI_SANDBOX_IMAGE_TAG: '${{ steps.image_tag.outputs.FINAL_TAG }}' + GEMINI_SANDBOX: 'docker' + run: |- + npm run build:sandbox -- \ + --image ghcr.io/${{ github.repository}}/sandbox:${{ steps.image_tag.outputs.FINAL_TAG }} \ + --output-file final_image_uri.txt + echo "uri=$(cat final_image_uri.txt)" >> $GITHUB_OUTPUT + - name: 'publish' + shell: 'bash' + if: "${{ inputs.dry-run == 'false' }}" + run: |- + docker push "${{ steps.docker_build.outputs.uri }}" + - name: 'Create issue on failure' + if: |- + ${{ failure() }} + shell: 'bash' + env: + GITHUB_TOKEN: '${{ inputs.github-secret }}' + DETAILS_URL: '${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}' + run: |- + gh issue create \ + --title "Docker build failed" \ + --body "The docker build failed. See the full run for details: ${DETAILS_URL}" \ + --label "kind/bug,release-failure" diff --git a/.github/workflows/release-sandbox.yml b/.github/workflows/release-sandbox.yml new file mode 100644 index 0000000000..e0c224e573 --- /dev/null +++ b/.github/workflows/release-sandbox.yml 
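Review bot: In the 'determine image tag' step the fallback branch sets `FINAL_TAG="${{ inputs.github-sha }}"`, but the calling workflow fills `github-sha` from `github.event.inputs.ref || github.sha`, so a dispatched run with the default ref `main` publishes `sandbox:main` rather than a commit SHA as the echo claims, and a ref containing `/` yields an invalid OCI tag. Resolve the commit that was actually checked out instead: `FINAL_TAG="$(git rev-parse HEAD)"`. Both `inputs.github-ref-name` and `inputs.github-sha` are also interpolated straight into the `run:` script; exporting them under `env:` and reading `"$REF_NAME_INPUT"` keeps the script free of expression injection should this composite action later be reachable from a less trusted trigger. The third-party steps (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`) are pinned by mutable tag while the calling workflow pins checkout by full SHA — pin these the same way, and since this is a release build use `npm ci` rather than `npm install` so the lockfile is honoured.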
@@ -0,0 +1,33 @@
+name: 'Release Sandbox'
+on:
+ workflow_dispatch:
+ inputs:
+ ref:
+ description: 'The branch, tag, or SHA to release from.'
+ required: false
+ type: 'string'
+ default: 'main'
+ dry-run:
+ description: 'Whether this is a dry run.'
+ required: false
+ type: 'boolean'
+ default: true
+jobs:
+ build:
+ runs-on: 'ubuntu-latest'
+ steps:
+ - name: 'Checkout'
+ uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
+ with:
+ ref: '${{ github.event.inputs.ref || github.sha }}'
+ fetch-depth: 0
+ - name: 'Push'
+ uses: './.github/actions/push-sandbox'
+ with:
+ github-actor: '${{ github.actor }}'
+ github-secret: '${{ secrets.GITHUB_TOKEN }}'
+ github-sha: '${{ github.event.inputs.ref || github.sha }}'
+ github-ref-name: '${{github.event.inputs.ref}}'
+ dry-run: '${{ github.event.inputs.dry-run }}'
diff --git a/scripts/build_sandbox.js b/scripts/build_sandbox.js
index 9795776dc1..84ac96bc99 100644
--- a/scripts/build_sandbox.js
+++ b/scripts/build_sandbox.js
@@ -41,11 +41,13 @@ const argv = yargs(hideBin(process.argv))
 .option('f', {
 alias: 'dockerfile',
 type: 'string',
+ default: 'Dockerfile',
 description: 'use for custom image',
 })
 .option('i', {
 alias: 'image',
 type: 'string',
+ default: cliPkgJson.config.sandboxImageUri,
 description: 'use name for custom image',
 })
 .option('output-file', {
@@ -74,12 +76,10 @@ if (sandboxCommand === 'sandbox-exec') {
 console.log(`using ${sandboxCommand} for sandboxing`);
-const baseImage = cliPkgJson.config.sandboxImageUri;
-const customImage = argv.i;
-const baseDockerfile = 'Dockerfile';
-const customDockerfile = argv.f;
+const image = argv.i;
+const dockerFile = argv.f;
-if (!baseImage?.length) {
+if (!image.length) {
 console.warn(
 'No default image tag specified in gemini-cli/packages/cli/package.json',
 );
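Review bot: The workflow declares no `permissions:` block, so the `GITHUB_TOKEN` it passes to push-sandbox as `github-secret` runs with whatever the repository's default token permissions are — on a restricted default that is too little for `docker push` to GHCR and `gh issue create`, and on a permissive default it is far more than this job needs. Declare the minimum explicitly on the `build` job: `permissions: { contents: read, packages: write, issues: write }`. The raw `ref` input is also forwarded unchanged as both `github-sha` and `github-ref-name`, so the action's tag logic receives a branch name where its naming suggests a commit SHA; resolving the ref to a SHA here before passing it on would make the contract honest.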
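Review bot: `if (!image.length) {` drops the optional chaining the old `!baseImage?.length` had, so when `cliPkgJson.config.sandboxImageUri` is unset and no `-i` is given, yargs passes `undefined` through its `default:` and this line throws a `TypeError` before the 'No default image tag specified' warning can ever run. Keep the null-safe form, `if (!image?.length) {`. The body of this `if` continues past the hunk.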
@@ -160,7 +160,7 @@ function buildImage(imageName, dockerfile) {
 execSync(
 `${sandboxCommand} build ${buildCommandArgs} ${
 process.env.BUILD_SANDBOX_FLAGS || ''
- } --build-arg CLI_VERSION_ARG=${npmPackageVersion} -f "${dockerfile}" -t "${imageName}" .`,
+ } --build-arg CLI_VERSION_ARG=${npmPackageVersion} -f "${dockerfile}" -t "${finalImageName}" .`,
 { stdio: buildStdout, shell: shellToUse },
 );
 console.log(`built ${finalImageName}`);
@@ -187,12 +187,6 @@ function buildImage(imageName, dockerfile) {
 }
 }
-if (baseImage && baseDockerfile) {
- buildImage(baseImage, baseDockerfile);
-}
-
-if (customDockerfile && customImage) {
- buildImage(customImage, customDockerfile);
-}
+buildImage(image, dockerFile);
 execSync(`${sandboxCommand} image prune -f`, { stdio: 'ignore' });
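Review bot: `buildImage(image, dockerFile);` now runs unconditionally where the removed code skipped the build when `baseImage` was empty; the `!image.length` check earlier in the file is visible only as far as its `console.warn`, so if that branch does not exit (its body is outside this diff) the script goes on to run `docker build -t` with an empty or undefined image name. Either terminate in that branch or guard the call here: `if (image?.length) { buildImage(image, dockerFile); }`.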