ci: build and publish docker-agent sandbox templates#3454

Merged
dgageot merged 1 commit into docker:main from dgageot:sbx-templates
Jul 3, 2026
@dgageot dgageot commented Jul 3, 2026

Member

Deploy sbx templates for docker-agent on each merge to main and tag.

main:
docker/docker-agent-sbx-templates:edge

release:
docker/docker-agent-sbx-templates:v1.x
docker/docker-agent-sbx-templates:latest

Adds templates/Dockerfile and two CI jobs that build and push
docker/sandbox-templates:docker-agent{,-docker} images on main (edge)
and v* tags (versioned + floating).

Assisted-By: claude-sonnet-4-5
@dgageot dgageot requested a review from a team as a code owner July 3, 2026 16:27

@docker-agent docker-agent left a comment

Contributor

Assessment: 🟡 NEEDS ATTENTION

The changes correctly mirror the existing multi-arch image publish pattern and introduce a new CI job (merge-and-push-template) to build and push sandbox templates. One notable issue was found: the manifest-list assembly step uses a bare bash glob without a guard against an empty digest directory.

Comment thread .github/workflows/ci.yml
tags=(-t "docker/docker-agent-sbx-templates:edge")
fi
args=()
for digest in *; do args+=("docker/docker-agent-sbx-templates@sha256:${digest}"); done
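Review bot: In the `for digest in *` loop, every entry in the working directory is appended as `docker/docker-agent-sbx-templates@sha256:${digest}` with no check that the name is actually a digest. Consider rejecting names that are not 64 hex characters and failing the step when `args` ends up empty, so a stray or missing file stops the job before the references are used.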

Contributor

[MEDIUM] Glob `for digest in *` may pass literal `*` to `imagetools create` if directory is unexpectedly empty

When bash runs `for digest in *` in a directory and `nullglob` is not set (the default), an empty directory leaves `*` unexpanded — so `args` would contain `docker/docker-agent-sbx-templates@sha256:*` instead of real digests. This would cause `docker buildx imagetools create` to fail with a confusing error rather than a clean CI failure.

The `if-no-files-found: error` guard on the upload step provides strong protection in the happy path, but the download step (`actions/download-artifact`) has no equivalent guard. A defensive fix would add a check after the loop:

```bash
args=()
for digest in *; do args+=("docker/docker-agent-sbx-templates@sha256:${digest}"); done
if [[ ${#args[@]} -eq 0 ]]; then
  echo "ERROR: no template digests found" >&2
  exit 1
fi
docker buildx imagetools create "${tags[@]}" "${args[@]}"
```

Alternatively, `shopt -s nullglob` before the loop would make the glob expand to nothing (empty `args`), and the subsequent length check would catch it cleanly.
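
The glob behaviour discussed in this review thread, as an added example that is not part of the PR or of the comment above: it runs the same loop over an empty and a populated directory under bash defaults, with `nullglob`, and with an extra name check, so the effect on the length guard can be compared. The helper name `collect_refs`, its three modes and the digest file names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example; directories and digest file names are constructed.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"  # arrays and shopt need bash

REPO="docker/docker-agent-sbx-templates"  # repository name from the PR

# collect_refs DIR MODE  (hypothetical helper)
#   default : plain `for digest in *` plus the length check, bash defaults
#   nullglob: same loop after `shopt -s nullglob`
#   strict  : nullglob, and every name must be 64 lowercase hex characters
# Prints one image reference per line; returns 1 when a guard rejects the input.
collect_refs() (
  cd "$1" || exit 2
  mode=$2
  [[ $mode == default ]] || shopt -s nullglob
  args=()
  for digest in *; do
    if [[ $mode == strict && ! $digest =~ ^[0-9a-f]{64}$ ]]; then
      echo "ERROR: unexpected entry: $digest" >&2
      exit 1
    fi
    args+=("${REPO}@sha256:${digest}")
  done
  if [[ ${#args[@]} -eq 0 ]]; then
    echo "ERROR: no template digests found" >&2
    exit 1
  fi
  printf '%s\n' "${args[@]}"
)

# Demo: an empty directory and one holding two constructed digest files.
empty=$(mktemp -d); full=$(mktemp -d)
touch "$full/$(printf '%064d' 1)" "$full/$(printf '%064d' 2)"
for mode in default nullglob strict; do
  for kind in empty full; do
    if refs=$(collect_refs "${!kind}" "$mode" 2>/dev/null); then
      echo "$mode/$kind: accepted, first ref ${refs%%$'\n'*}"
    else
      echo "$mode/$kind: rejected"
    fi
  done
done
rm -rf "$empty" "$full"
```

Under bash defaults the empty directory yields a single reference ending in `sha256:*`, so the array is not empty when the length check runs; with `nullglob` the array is empty and the check rejects it.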

@aheritier aheritier added area/ci CI/CD workflows and pipeline kind/chore Maintenance, deps, CI, tooling (maps to chore: commit prefix) labels Jul 3, 2026
@dgageot dgageot merged commit a54b64f into docker:main Jul 3, 2026
11 of 12 checks passed