feat(images): add alpine-agents base image and image build tasks (#69)

* feat(images): publish alpine-agents base image

* fix(images): verify node, npm, and python in alpine-agents

* chore(images): move Dockerfiles under images and add mise build tasks

* fix(images): expose agent CLIs on default PATH

* fix(images): verify mise is functional across base images

Author: lox

.github/workflows/base-image.yml

@@ -4,8 +4,9 @@ on:
   push:
     branches: [main]
     paths:
-      - Dockerfile.base-image
-      - Dockerfile.base-image-docker
+      - images/Dockerfile.base-image
+      - images/Dockerfile.base-image-docker
+      - images/Dockerfile.base-image-agents
       - scripts/base-image-tag.sh
       - .github/workflows/base-image.yml
   workflow_dispatch:
@@ -22,11 +23,14 @@ jobs:
       matrix:
         include:
           - image_name: alpine
-            dockerfile: Dockerfile.base-image
+            dockerfile: images/Dockerfile.base-image
             repository: ghcr.io/buildkite/cleanroom-base/alpine
           - image_name: alpine-docker
-            dockerfile: Dockerfile.base-image-docker
+            dockerfile: images/Dockerfile.base-image-docker
             repository: ghcr.io/buildkite/cleanroom-base/alpine-docker
+          - image_name: alpine-agents
+            dockerfile: images/Dockerfile.base-image-agents
+            repository: ghcr.io/buildkite/cleanroom-base/alpine-agents
     steps:
       - uses: actions/checkout@v4
 

.mise.toml

@@ -27,6 +27,23 @@ run = "scripts/build-go.sh"
 description = "Build macOS darwin-vz helper into dist/"
 run = "{% if os() == \"macos\" %}mkdir -p dist && xcrun swiftc -O -framework Virtualization cmd/cleanroom-darwin-vz/main.swift -o dist/cleanroom-darwin-vz && codesign --force --sign - --entitlements cmd/cleanroom-darwin-vz/entitlements.plist dist/cleanroom-darwin-vz{% else %}true{% endif %}"
 
+[tasks."build:image:alpine"]
+description = "Build local alpine base image"
+run = "docker build -f images/Dockerfile.base-image -t cleanroom-base:alpine ."
+
+[tasks."build:image:alpine-docker"]
+description = "Build local alpine-docker base image"
+run = "docker build -f images/Dockerfile.base-image-docker -t cleanroom-base:alpine-docker ."
+
+[tasks."build:image:alpine-agents"]
+description = "Build local alpine-agents base image"
+run = "docker build -f images/Dockerfile.base-image-agents -t cleanroom-base:alpine-agents ."
+
+[tasks."build:images"]
+description = "Build all local base images"
+depends = ["build:image:alpine", "build:image:alpine-docker", "build:image:alpine-agents"]
+run = "true"
+
 [tasks.build]
 description = "Build binaries into dist/"
 depends = ["build:go", "build:darwin"]

README.md

@@ -220,7 +220,17 @@ cleanroom image import ghcr.io/buildkite/cleanroom-base/alpine@sha256:... ./root
 cleanroom image bump-ref    # resolve :latest tag to digest and update cleanroom.yaml
 ```
 
-`ghcr.io/buildkite/cleanroom-base/alpine` and `ghcr.io/buildkite/cleanroom-base/alpine-docker` are published from this repo on pushes to `main`.
+`ghcr.io/buildkite/cleanroom-base/alpine`, `ghcr.io/buildkite/cleanroom-base/alpine-docker`, and `ghcr.io/buildkite/cleanroom-base/alpine-agents` are published from this repo on pushes to `main`.
+
+Build these locally with `mise`:
+
+```bash
+mise run build:images
+# or individually:
+mise run build:image:alpine
+mise run build:image:alpine-docker
+mise run build:image:alpine-agents
+```
 
 ## Runtime config
 

Dockerfile.base-image images/Dockerfile.base-imageDockerfile.base-image renamed to images/Dockerfile.base-image

@@ -5,4 +5,6 @@ RUN apk add --no-cache \
   strace \
   mise
 
+RUN mise --version
+
 CMD ["/bin/sh"]

images/Dockerfile.base-image-agents

@@ -0,0 +1,38 @@
+FROM alpine:3.22
+
+ARG CODEX_VERSION=0.106.0
+ARG CLAUDE_CODE_VERSION=2.1.63
+ARG GEMINI_CLI_VERSION=0.31.0
+
+# `gemini` currently needs native build deps on Alpine and GNU `env` for `env -S`.
+RUN apk add --no-cache \
+  coreutils \
+  g++ \
+  git \
+  make \
+  nodejs \
+  npm \
+  python3 \
+  strace \
+  mise
+
+# Install common agent CLIs with pinned versions for reproducible builds.
+RUN mise use -g --pin \
+  npm:@openai/codex@"${CODEX_VERSION}" \
+  npm:@anthropic-ai/claude-code@"${CLAUDE_CODE_VERSION}" \
+  npm:@google/gemini-cli@"${GEMINI_CLI_VERSION}"
+
+# Ensure agent binaries are available on the default PATH even when OCI env
+# metadata is not propagated.
+RUN ln -sf /root/.local/share/mise/shims/codex /usr/local/bin/codex \
+  && ln -sf /root/.local/share/mise/shims/claude /usr/local/bin/claude \
+  && ln -sf /root/.local/share/mise/shims/gemini /usr/local/bin/gemini
+
+ENV PATH="/root/.local/share/mise/shims:${PATH}"
+
+RUN mise --version && node --version && npm --version && python3 --version \
+  && PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" codex --version \
+  && PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" claude --version \
+  && PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" gemini --version
+
+CMD ["/bin/sh"]

Dockerfile.base-image-docker images/Dockerfile.base-image-dockerDockerfile.base-image-docker renamed to images/Dockerfile.base-image-docker

@@ -6,4 +6,6 @@ RUN apk add --no-cache \
   strace \
   mise
 
+RUN docker --version && mise --version
+
 CMD ["/bin/sh"]

scripts/base-image-tag.sh

@@ -2,7 +2,7 @@
 set -euo pipefail
 
 image_name="${1:-alpine}"
-dockerfile="${2:-Dockerfile.base-image}"
+dockerfile="${2:-images/Dockerfile.base-image}"
 
 if [[ ! -f "$dockerfile" ]]; then
   echo "dockerfile not found: $dockerfile" >&2