diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml
index c19996b..0797d63 100644
--- a/.github/workflows/build-images.yml
+++ b/.github/workflows/build-images.yml
@@ -31,6 +31,10 @@ jobs:
 context: images/backend-builder-base
 file: images/backend-builder-base/Dockerfile
 version_file: images/backend-builder-base/VERSION
+ - image_name: coding-agent-base
+ context: images/coding-agent-base
+ file: images/coding-agent-base/Dockerfile
+ version_file: images/coding-agent-base/VERSION
 permissions:
 contents: read
diff --git a/images/coding-agent-base/Dockerfile b/images/coding-agent-base/Dockerfile
new file mode 100644
index 0000000..8479d48
--- /dev/null
+++ b/images/coding-agent-base/Dockerfile
@@ -0,0 +1,46 @@
+# coding-agent-base
+# Base image for AI coding agents (Claude Code, OpenCode, Codex, etc.)
+#
+# Purpose: Provide a consistent, isolated environment for coding agents
+# that can be used to work on repositories safely.
+#
+# Security features:
+# - No host filesystem access (use volume mounts)
+# - Minimal attack surface (Alpine-based)
+# - No privileged operations
+# - Network access configurable at runtime
+
+ARG NODE_VERSION=20.20.0
+ARG ALPINE_VERSION=3.22
+FROM node:${NODE_VERSION}-alpine${ALPINE_VERSION}
+
+# Install core tools
+RUN apk add --no-cache \
+ bash \
+ build-base \
+ ca-certificates \
+ curl \
+ git \
+ jq \
+ openssh-client \
+ pkgconf \
+ tar \
+ unzip \
+ xz \
+ zstd \
+ && rm -rf /var/cache/apk/*
+
+# Install GitHub CLI
+RUN apk add --no-cache github-cli
+
+# Create non-root user for safety
+RUN addgroup -S agent && adduser -S agent -G agent
+
+# Set up workspace
+WORKDIR /workspace
+
+# Agent runs as non-root by default
+USER agent
+
+# Default to bash for interactive use
+CMD ["/bin/bash"]
diff --git a/images/coding-agent-base/README.md b/images/coding-agent-base/README.md
new file mode 100644
index 0000000..09b3130
--- /dev/null
+++ b/images/coding-agent-base/README.md
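Review bot: In the new Dockerfile, `WORKDIR /workspace` runs before `USER agent`, so the directory is created root-owned, and `adduser -S agent -G agent` leaves the UID to whatever the system range assigns, so the non-root user probably cannot write to `/workspace` or to a bind-mounted repository. In practice that pushes people toward `--user root` or world-writable mounts, which defeats the non-root default. Give the account a fixed numeric ID and hand it the workspace, for example `RUN addgroup -S -g 10001 agent && adduser -S -u 10001 -G agent agent` and then `RUN mkdir -p /workspace && chown agent:agent /workspace` ahead of `WORKDIR` (10001 is an illustrative value). Separately, the header's "No host filesystem access", "No privileged operations" and "Network access configurable at runtime" describe how the container is launched rather than anything this file enforces, so the comment should say so, e.g. `# - Isolation (mounts, capabilities, network) is decided by the caller's docker run flags, not by this image`.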
@@ -0,0 +1,76 @@
+# coding-agent-base
+
+Base image for AI coding agents (Claude Code, OpenCode, Codex, etc.)
+
+## Purpose
+
+Provide a consistent, isolated environment for coding agents that can work on repositories safely.
+
+## Includes
+
+- Alpine Linux 3.22
+- Node.js 20.20.0
+- Git
+- GitHub CLI (`gh`)
+- Build toolchain (`build-base`)
+- SSH client (for git over SSH)
+- Common utilities (`curl`, `jq`, `tar`, etc.)
+
+## Security Features
+
+- Non-root user (`agent`) by default
+- No host filesystem access (use volume mounts)
+- Minimal attack surface (Alpine-based)
+- No privileged operations
+
+## Usage
+
+### Basic run with volume mount
+
+```bash
+docker run -it --rm \
+ -v /path/to/repo:/workspace \
+ -e ANTHROPIC_API_KEY=your-key \
+ ghcr.io/makerprism/coding-agent-base:1.0.0 \
+ /bin/bash
+```
+
+### With OpenCode
+
+```bash
+docker run -it --rm \
+ -v /path/to/repo:/workspace \
+ -e ANTHROPIC_API_KEY=your-key \
+ ghcr.io/makerprism/coding-agent-base:1.0.0 \
+ npx opencode-ai
+```
+
+### With Claude Code
+
+```bash
+docker run -it --rm \
+ -v /path/to/repo:/workspace \
+ -e ANTHROPIC_API_KEY=your-key \
+ ghcr.io/makerprism/coding-agent-base:1.0.0 \
+ npx @zed-industries/claude-agent-acp
+```
+
+## Customizing
+
+For project-specific needs, extend this image:
+
+```dockerfile
+FROM ghcr.io/makerprism/coding-agent-base:1.0.0
+
+# Add OCaml toolchain
+USER root
+RUN apk add --no-cache ocaml opam
+USER agent
+
+# Install additional npm tools
+RUN npm install -g some-tool
+```
+
+## Versioning
+
+See [VERSION](./VERSION) file. Follows semantic versioning.
diff --git a/images/coding-agent-base/VERSION b/images/coding-agent-base/VERSION
new file mode 100644
index 0000000..3eefcb9
--- /dev/null
+++ b/images/coding-agent-base/VERSION
@@ -0,0 +1 @@
+1.0.0