ci: build and publish docker-agent sandbox templates #3454
Adds templates/Dockerfile and two CI jobs that build and push
docker/sandbox-templates:docker-agent{,-docker} images on main (edge)
and v* tags (versioned + floating).
Assisted-By: claude-sonnet-4-5
docker-agent left a comment
Assessment: 🟡 NEEDS ATTENTION
The changes correctly mirror the existing multi-arch image publish pattern and introduce a new CI job (merge-and-push-template) to build and push sandbox templates. One notable issue was found: the manifest-list assembly step uses a bare bash glob without a guard against an empty digest directory.
```bash
tags=(-t "docker/docker-agent-sbx-templates:edge")
fi
args=()
for digest in *; do args+=("docker/docker-agent-sbx-templates@sha256:${digest}"); done
```
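Review bot: the repository name used in this hunk, docker/docker-agent-sbx-templates, does not match the image name given in the PR description, docker/sandbox-templates:docker-agent{,-docker}; one of the two should be corrected so the name that gets pushed and the name documented for the PR agree.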
[MEDIUM] Glob `for digest in *` may pass literal `*` to `imagetools create` if directory is unexpectedly empty
When bash runs `for digest in *` in a directory and `nullglob` is not set (the default), an empty directory leaves `*` unexpanded — so `args` would contain `docker/docker-agent-sbx-templates@sha256:*` instead of real digests. This would cause `docker buildx imagetools create` to fail with a confusing error rather than a clean CI failure.
The `if-no-files-found: error` guard on the upload step provides strong protection in the happy path, but the download step (`actions/download-artifact`) has no equivalent guard. A defensive fix would add a check after the loop:
```bash
args=()
for digest in *; do args+=("docker/docker-agent-sbx-templates@sha256:${digest}"); done
if [[ ${#args[@]} -eq 0 ]]; then
  echo "ERROR: no template digests found" >&2
  exit 1
fi
docker buildx imagetools create "${tags[@]}" "${args[@]}"
```

Alternatively, `shopt -s nullglob` before the loop would make the glob expand to nothing (empty `args`), and the subsequent length check would catch it cleanly.
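The empty-directory case the comment above describes, as an added example that is not code from the PR or from the review bot: it places the unguarded loop beside a hardened form so the difference can be run locally. The image name, the directory layout, the `make_fixture_dirs` helper and the fixture digests are assumptions made for the example, not values from the PR.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR or from the review comment above.
# Builds the "IMAGE@sha256:<digest>" argument list for
# `docker buildx imagetools create` from a directory of digest files and
# shows why a length check alone is not enough when nullglob is off.
# IMAGE, the directory layout and the fixture digests are assumptions.
set -o pipefail

IMAGE="docker/docker-agent-sbx-templates"   # assumed; mirrors the snippet above

# Mirrors the PR's loop (globbing the directory by path instead of cd-ing into
# it): nullglob off (bash default), no emptiness check. On an empty directory
# this yields exactly one bogus ref ending in "sha256:*".
unguarded_refs() {
  local dir="$1" path
  local -a args=()
  for path in "$dir"/*; do
    args+=("${IMAGE}@sha256:${path##*/}")
  done
  printf '%s\n' "${args[@]}"
}

# Hardened form: nullglob so an empty directory iterates zero times, a filename
# check so a literal "*" (or any stray file) is rejected, and a length check so
# an empty list fails the job instead of reaching imagetools.
guarded_refs() {
  local dir="$1" path digest had_nullglob=0
  local -a args=()
  shopt -q nullglob && had_nullglob=1
  shopt -s nullglob
  for path in "$dir"/*; do
    digest="${path##*/}"
    if [[ ! "$digest" =~ ^[0-9a-f]{64}$ ]]; then
      echo "ERROR: not a sha256 digest filename: $digest" >&2
      (( had_nullglob )) || shopt -u nullglob
      return 1
    fi
    args+=("${IMAGE}@sha256:${digest}")
  done
  (( had_nullglob )) || shopt -u nullglob   # restore the caller's setting
  if (( ${#args[@]} == 0 )); then
    echo "ERROR: no template digests found in $dir" >&2
    return 1
  fi
  printf '%s\n' "${args[@]}"
}

# Constructed fixtures (not real image digests): one populated directory, one
# empty one, and one holding a file that is not a digest. Prints the base path.
DIGEST_A="$(printf 'a%.0s' {1..64})"
DIGEST_B="$(printf 'b%.0s' {1..64})"
make_fixture_dirs() {
  local base
  base="$(mktemp -d)"
  mkdir -p "$base/full" "$base/empty" "$base/bad"
  : > "$base/full/$DIGEST_A"
  : > "$base/full/$DIGEST_B"
  : > "$base/bad/not-a-digest"
  printf '%s\n' "$base"
}

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  base="$(make_fixture_dirs)"
  echo "unguarded, empty dir:"; unguarded_refs "$base/empty"
  echo "guarded, empty dir:";   guarded_refs "$base/empty" || echo "(exit $?)"
  echo "guarded, full dir:";    guarded_refs "$base/full"
  rm -rf "$base"
fi
```

Running it shows the unguarded loop emitting a single `…@sha256:*` reference for the empty directory, which is the value the bot's length check would count as one element rather than zero; the guarded form exits non-zero before anything is handed to `imagetools create`. Toggling nullglob inside the function and restoring it afterwards keeps the change from leaking into the rest of the CI step.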
Deploy sbx templates for docker-agent on each merge to main and tag.