
feat(docker): support building Docker images in CI #247

Closed
jlovec wants to merge 2 commits into tiann:main from jlovec:fix/docker-lockfile-frozen-install

@jlovec jlovec commented Mar 6, 2026

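Change description

  • Sync bun.lock to fix the failure of bun install --frozen-lockfile during the Docker build.
  • In Dockerfile.cli, install Claude Code with bun add -g @anthropic-ai/claude-code instead, so the build does not fail because npm is missing from the Bun base image.

Background

The Docker workflow of the previous PR failed at the build stage, for two main reasons:

  1. The lockfile did not match the dependency resolution result, so --frozen-lockfile failed outright.
  2. The CLI image ran npm install -g, but no npm command is available in the image environment.

Verification

  • On the PR in the fork repository, the Docker Images workflow passed (both hub and cli succeeded).
  • The current branch has been squashed into a single commit for easier review and rollback.

Risk and compatibility

  • Only the Docker build pipeline and the lockfile are adjusted; runtime business logic is unchanged.
  • The scope of the change is focused on image build stability.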

Comment thread bun.lock
@@ -224,1373 +224,1375 @@
},
},
"packages": {
"@adobe/css-tools": ["@adobe/css-tools@4.4.4", "", {}, "sha512-Elp+iwUx5rN5+Y8xLt5/GRoG20WGoDCQ/1Fb+1LiGtvwbDavuSk0jhD/eZdckHAuzcDzccnkv+rEjyWfRx18gg=="],
"@adobe/css-tools": ["@adobe/css-tools@4.4.4", "http://mirrors.cloud.tencent.com/npm/@adobe/css-tools/-/css-tools-4.4.4.tgz", {}, "sha512-Elp+iwUx5rN5+Y8xLt5/GRoG20WGoDCQ/1Fb+1LiGtvwbDavuSk0jhD/eZdckHAuzcDzccnkv+rEjyWfRx18gg=="],

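Review bot: on the `@adobe/css-tools` entry the second field goes from `""` to a `mirrors.cloud.tencent.com` tarball URL while the sha512 value stays the same, which suggests the lockfile was regenerated with a registry mirror configured on the author's machine. The hunk header (1373 lines before, 1375 after) indicates this is not limited to one entry. Regenerate bun.lock against the registry the CI build is meant to use so the field stays empty; switching the scheme to https alone still commits the mirror host into every build.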

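[MAJOR] Dependency tarball URLs use an HTTP mirror

Why this is a problem: a large number of dependencies in bun.lock point to an http:// mirror, so the build pipeline uses cleartext transport, which carries MITM/downgrade and availability risks and does not meet the expectation of secure transport for dependency downloads.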

Suggested fix:

-    "@adobe/css-tools": ["@adobe/css-tools@4.4.4", "http://mirrors.cloud.tencent.com/npm/@adobe/css-tools/-/css-tools-4.4.4.tgz", {}, "sha512-Elp+iwUx5rN5+Y8xLt5/GRoG20WGoDCQ/1Fb+1LiGtvwbDavuSk0jhD/eZdckHAuzcDzccnkv+rEjyWfRx18gg=="],
+    "@adobe/css-tools": ["@adobe/css-tools@4.4.4", "https://mirrors.cloud.tencent.com/npm/@adobe/css-tools/-/css-tools-4.4.4.tgz", {}, "sha512-Elp+iwUx5rN5+Y8xLt5/GRoG20WGoDCQ/1Fb+1LiGtvwbDavuSk0jhD/eZdckHAuzcDzccnkv+rEjyWfRx18gg=="],

Comment thread docker-compose.yml
volumes:
- cli-data:/data/hapi
- ${CLAUDE_CONFIG_DIR:-~/.claude}:/root/.claude
depends_on:
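
Review bot: the volume line `${CLAUDE_CONFIG_DIR:-~/.claude}:/root/.claude` carries no access mode, so the host's Claude config directory is bind-mounted read-write into the container. If the CLI only needs to read it, append `:ro`; if it has to write there, say so in a comment next to the mount so the exposure is a documented choice.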

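[MINOR] ~ is not expanded in Compose, so the default mount path does not work

Why this is a problem: ~/.claude is not expanded by Docker Compose to the user's home directory; by default it becomes a literal path, so the Claude config directory is not mounted correctly.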

Suggested fix:

-      - ${CLAUDE_CONFIG_DIR:-~/.claude}:/root/.claude
+      - ${CLAUDE_CONFIG_DIR:?set CLAUDE_CONFIG_DIR in .env}:/root/.claude
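
Review bot: on the `+` line, `${CLAUDE_CONFIG_DIR:?...}` only rejects an unset or empty variable, so a relative path or a wrong directory still passes and is mounted at `/root/.claude`. The check also runs when Compose loads the file, so a missing value stops every command against this file, not just the service with this mount. State the absolute-path requirement where the error message points (`.env`) and in the README.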


@github-actions github-actions Bot left a comment


Findings

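  • [Major] Dependency tarball URLs in bun.lock changed to an http:// mirror, a cleartext transport risk. Example: bun.lock:227
  • [Minor] In Compose, ~/.claude is not expanded to Home, so the default mount may not work. Example: docker-compose.yml:37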

Testing

  • Not run (automation)
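
The [Major] finding above, written as a check that could run in CI (an added example, not code from this PR or the project): it scans bun.lock entry lines for an explicit tarball URL and flags non-HTTPS schemes, hosts outside an allowlist, and entries that carry a URL but no integrity hash. `ALLOWED_HOSTS`, the issue labels and the sample lines are assumptions made for the illustration.

```javascript
// Added example: flags risky tarball-URL fields in bun.lock package entries.
// ALLOWED_HOSTS is an assumed policy for illustration, not the project's.
const ALLOWED_HOSTS = new Set(["registry.npmjs.org"]);

// One entry per line: "name": ["name@version", "<url>", {...}, "<integrity>"],
const ENTRY = /^\s*"([^"]+)":\s*\["[^"]+",\s*"([^"]*)"(.*)$/;
const INTEGRITY = /"sha(?:256|384|512)-[A-Za-z0-9+\/=]+"\s*\],?\s*$/;

function auditLockfile(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    const m = ENTRY.exec(line);
    if (!m) return; // not a package entry of the shape above
    const [, name, resolved, rest] = m;
    if (resolved === "") return; // no explicit URL recorded, as in the removed line
    const add = (issue) => findings.push({ line: idx + 1, name, issue });
    let url;
    try {
      url = new URL(resolved);
    } catch {
      return add("unparseable-url");
    }
    if (url.protocol !== "https:") add("non-https");
    if (!ALLOWED_HOSTS.has(url.hostname)) add("host-not-allowed");
    if (!INTEGRITY.test(rest)) add("missing-integrity");
  });
  return findings;
}

// Constructed sample in the shape of the lines quoted in this review
// (hashes are placeholders, "example-pkg" is made up).
const SAMPLE = [
  '"packages": {',
  '"@adobe/css-tools": ["@adobe/css-tools@4.4.4", "", {}, "sha512-AAAA=="],',
  '"@adobe/css-tools": ["@adobe/css-tools@4.4.4", "http://mirrors.cloud.tencent.com/npm/@adobe/css-tools/-/css-tools-4.4.4.tgz", {}, "sha512-AAAA=="],',
  '"example-pkg": ["example-pkg@1.0.0", "https://registry.npmjs.org/example-pkg/-/example-pkg-1.0.0.tgz", {}],',
  "}",
].join("\n");

for (const f of auditLockfile(SAMPLE)) {
  console.log(`line ${f.line}: ${f.name}: ${f.issue}`);
}
```

A CI job would read the real bun.lock, pass its text to `auditLockfile`, and fail the build when the returned list is non-empty.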

Introduce hub/cli Docker assets and CI image workflow, then address PR tiann#247 findings by switching bun.lock mirror tarball URLs to HTTPS and requiring explicit CLAUDE_CONFIG_DIR in compose (no '~' expansion assumption). This keeps docker builds reproducible while avoiding cleartext lockfile sources and ambiguous host mount behavior.
@jlovec jlovec force-pushed the fix/docker-lockfile-frozen-install branch from 999eff2 to 3a6c74f Compare March 6, 2026 09:14

jlovec commented Mar 6, 2026

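Fixed per the review comments and squashed into 1 commit:

  • The mirror tarball URLs in bun.lock have been switched from http to https
  • docker-compose no longer relies on '~' expansion and now requires an explicit CLAUDE_CONFIG_DIR
  • The README has been updated to state that an absolute path must be provided

Please re-trigger the checks, thanks.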

@jlovec jlovec changed the title from "fix(docker): fix Docker image CI build failure" to "fix(docker): support Docker image CI build failure" Mar 6, 2026
@jlovec jlovec changed the title from "fix(docker): support Docker image CI build failure" to "fix(docker): support building Docker images in CI" Mar 6, 2026
@jlovec jlovec changed the title from "fix(docker): support building Docker images in CI" to "feat(docker): support building Docker images in CI" Mar 6, 2026
jlovec added a commit to jlovec/zhushen that referenced this pull request Mar 6, 2026
Introduce hub/cli Docker assets and CI image workflow, then address PR tiann#247 findings by switching bun.lock mirror tarball URLs to HTTPS and requiring explicit CLAUDE_CONFIG_DIR in compose (no '~' expansion assumption). This keeps docker builds reproducible while avoiding cleartext lockfile sources and ambiguous host mount behavior.

jlovec commented Mar 6, 2026

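After splitting by feature, this work has been taken over by new PRs: #256 (Docker/Compose security and build pipeline) and #254 (spawn stability fix). To avoid coupling across topics, this PR is closed.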

@jlovec jlovec closed this Mar 6, 2026
@jlovec jlovec deleted the fix/docker-lockfile-frozen-install branch March 8, 2026 04:12