feat: switch base image to GitHub runner and add DevOps tools #1
Merged
miragecentury merged 15 commits into main, Feb 19, 2026
Conversation
Replace ubuntu:24.04 base with ghcr.io/actions/runner for native GitHub Actions runner support. Add skopeo, Argo Workflows CLI, HashiCorp Packer, and Cloud Native Buildpacks (pack) CLI as configurable build args. https://claude.ai/code/session_01RofXXAMZxK4irobNYjYn3W
Swap out HashiCorp Packer for Kargo CLI (v1.9.2) for application lifecycle orchestration support. https://claude.ai/code/session_01RofXXAMZxK4irobNYjYn3W
Runs weekly (Monday 08:00 UTC) and on manual dispatch. Checks latest releases for Argo, Kargo, and pack CLIs and opens a PR when updates are available. https://claude.ai/code/session_01RofXXAMZxK4irobNYjYn3W
- Add build tools to the image (dive, trivy, buildah, yq, hadolint) so the image can build itself as a self-hosted runner
- Configure buildah vfs storage driver for container/rootless usage
- Create semantic-release config for automated versioning from conventional commits with changelog generation
- Add release workflow: semantic-release -> buildah build -> dive filesystem scan -> trivy vulnerability scan -> skopeo push with semver tags (major, major.minor, full, latest)
- Add CI workflow: commitlint, hadolint lint, and build test on PRs
- Update scheduled update-tools workflow with new tools (dive, hadolint, yq)
- Add best practice configs: .hadolint.yaml (trusted registries), .commitlintrc.yaml (conventional commits), .containerignore (minimal build context)

https://claude.ai/code/session_01RofXXAMZxK4irobNYjYn3W
Install pre-commit in the container image and add .pre-commit-config.yaml with hooks for trailing whitespace, YAML validation, hadolint, shellcheck, and commitlint. https://claude.ai/code/session_01RofXXAMZxK4irobNYjYn3W
Pull request overview
This pull request transitions the container image from a basic Ubuntu base to the official GitHub Actions runner image, adding comprehensive DevOps tooling to create a self-hosted runner capable of building itself. The changes establish a complete CI/CD pipeline with automated version management, security scanning, and tool updates.
Changes:
- Replaced `ubuntu:24.04` base image with `ghcr.io/actions/runner` for native GitHub Actions support
- Added DevOps CLI tools (Argo Workflows, Kargo, pack, skopeo) and build pipeline tools (buildah, dive, trivy, hadolint, yq, pre-commit)
- Implemented automated release workflow with semantic versioning, vulnerability scanning, and multi-tag publishing to GHCR
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 11 comments.
| File | Description |
|---|---|
| Containerfile | Switched to GitHub runner base image; added skopeo, buildah, trivy, dive, hadolint, yq, Argo CLI, Kargo CLI, pack CLI, and pre-commit; added Python 3.12/3.13/3.14 with Poetry and UV |
| manifest.yaml | Updated build args from Ubuntu-specific to tool version args (RUNNER_VERSION, ARGO_VERSION, KARGO_VERSION, PACK_VERSION, DIVE_VERSION, HADOLINT_VERSION, YQ_VERSION) |
| README.md | Complete documentation rewrite covering included tools, CI/CD workflows, release process, local development setup, and project structure |
| .github/workflows/release.yaml | New semantic release workflow with buildah build, hadolint/dive/trivy scanning, and multi-tag push to GHCR |
| .github/workflows/ci.yaml | New CI workflow with commitlint, hadolint linting, and test build validation |
| .github/workflows/update-tools.yaml | New automated tool version checker that creates PRs when updates are available |
| .releaserc.yaml | Semantic release configuration for automated versioning and changelog generation |
| .pre-commit-config.yaml | Pre-commit hooks for code quality, linting, and commit message validation |
| .hadolint.yaml | Hadolint configuration defining trusted container registries |
| .commitlintrc.yaml | Commitlint configuration extending conventional commit rules |
| .containerignore | Build context exclusions for CI artifacts and configuration files |
Comments suppressed due to low confidence (1)
Containerfile:114
- Poetry and UV are installed twice - once in the base stage as root (lines 105-114) and again in the runtime stage as the runner user (lines 127-136). This duplication is wasteful and increases image size unnecessarily. The base stage installations as root won't be available to the runner user anyway. Consider removing lines 105-114 from the base stage since they are properly installed in the runtime stage where they will actually be used.
```dockerfile
# Install Poetry latest version and add it to PATH
# hadolint ignore=DL4006
RUN curl -sSL https://install.python-poetry.org | python3 -
# Install UV
# hadolint ignore=DL4006
RUN curl -LsSf https://astral.sh/uv/install.sh | sh
# Add Poetry and UV to PATH
RUN echo "export PATH=\"${APP_HOME}/.local/bin:\$PATH\"" >> ~/.bashrc
```
- Pin RUNNER_VERSION to 2.321.0 instead of latest for reproducible builds
- Combine skopeo and buildah into a single RUN/apt-get layer
- Remove silent || true from docker load/tag in release workflow
- Mount .hadolint.yaml in release workflow validation step
- Fix semver parsing with proper validation in release push step
- Pass manifest build args in CI test build to match release build
- Fix malformed hadolint pre-commit hook entry
- Track RUNNER_VERSION in update-tools workflow
- Remove duplicate Poetry/UV installs from base stage (only needed for runner user)

https://claude.ai/code/session_01RofXXAMZxK4irobNYjYn3W
Replace the hand-rolled update-tools.yaml GitHub Actions workflow with a Renovate configuration. Renovate handles version updates for all tools (Runner, Argo, Kargo, pack, dive, hadolint, yq) across both Containerfile and manifest.yaml via regex custom managers. It also natively handles GitHub Actions and pre-commit hook updates. https://claude.ai/code/session_01RofXXAMZxK4irobNYjYn3W
- Switch all branch references from `master` to `main` to match the repo's actual default branch (ci.yaml, release.yaml, .releaserc.yaml, README.md). Without this, CI won't trigger on PRs and releases won't run on merge.
- Replace nondeterministic `docker load | docker tag $(head -1)` with `skopeo copy oci-archive:... docker-daemon:...` for a deterministic image load into the Docker daemon.
- Combine the first three apt-get RUN layers (system upgrade, deadsnakes Python, skopeo/buildah) into a single layer to reduce image size and redundant apt-get update calls.
- Fix README: pin RUNNER_VERSION=2.321.0 in the example manifest (was `latest`), replace update-tools workflow reference with Renovate, update project structure tree.

https://claude.ai/code/session_01RofXXAMZxK4irobNYjYn3W

- Change base image from ghcr.io/actions/runner to ghcr.io/actions/actions-runner to fix 403 on pull
- Use uppercase AS for stage aliases (AS base, AS runtime) to satisfy hadolint
- Update README base image reference

Co-authored-by: Cursor <cursoragent@cursor.com>

- Install python3.12-pip, python3.13-pip for pip on PATH
- Install build-essential and python3.12-dev, python3.13-dev to build C extensions

Co-authored-by: Cursor <cursoragent@cursor.com>
deadsnakes PPA does not provide python3.12-pip or python3.13-pip. Bootstrap pip for both interpreters using ensurepip instead. Co-authored-by: Cursor <cursoragent@cursor.com>
- Use Containerfile terminology in builder.sh hadolint message
- Fix comment typos (trailing backslashes) in builder.sh and install_tools.sh
- Reorder README release workflow so hadolint runs before build
- Run hadolint with .hadolint.yaml in builder.sh to match release workflow
- Add files: ^Containerfile$ to pre-commit hadolint hook
- Add CHANGELOG.md and install-man-page.sh to project structure
- Note that local install may use different tool versions than image/CI

Co-authored-by: Cursor <cursoragent@cursor.com>
deadsnakes PPA does not ship ensurepip; use PyPA get-pip.py instead. Co-authored-by: Cursor <cursoragent@cursor.com>
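The release push step described in the commits above (semver validation, then a skopeo copy of the built OCI archive to the major, major.minor, full and latest tags), written as POSIX shell functions. This is an added example, not code from this repository; the archive path, image name and the `DRY_RUN` switch are assumptions.

```shell
# Added example (not the repository's release.yaml). Validates the release
# version before deriving tags, so a malformed or pre-release version is never
# retagged as major / major.minor / latest. Set DRY_RUN=1 to print the skopeo
# commands instead of running them.

# Strict SemVer core check: optional leading "v", no leading zeros,
# no pre-release or build metadata (those must not move floating tags).
validate_semver() {
  printf '%s' "$1" | grep -Eq '^v?(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$'
}

# Print the tag set, one per line: 1.2.3 -> 1, 1.2, 1.2.3, latest.
# Returns 1 (and prints nothing) when the version is not valid.
semver_tags() {
  version=${1#v}
  validate_semver "$version" || return 1
  major=${version%%.*}
  minor_rest=${version#*.}
  minor=${minor_rest%%.*}
  printf '%s\n%s.%s\n%s\nlatest\n' "$major" "$major" "$minor" "$version"
}

# Copy one OCI archive to every derived tag in the registry.
# Arguments: archive path, image reference without tag, version string.
push_tags() {
  archive=$1; image=$2; version=$3
  tags=$(semver_tags "$version") || { echo "invalid semver: $version" >&2; return 1; }
  for tag in $tags; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo "skopeo copy oci-archive:$archive docker://$image:$tag"
    else
      skopeo copy "oci-archive:$archive" "docker://$image:$tag" || return 1
    fi
  done
}
```

Because every tag comes from one validated version string and one archive, a failed validation aborts before any tag is touched, which is the property the silent `|| true` removal was after.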