Skip to content

feat(docker): Add container image containing the CLP package, for Docker Compose integration (resolves #1164). #1166

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 60 commits into from
Sep 3, 2025
+196 −54
Merged

feat(docker): Add container image containing the CLP package, for Docker Compose integration (resolves #1164). #1166

Show file tree
Hide file tree
Changes from 13 commits
Commits
Show all changes
60 commits
Select commit Hold shift + click to select a range
8ea4529
feat(docker): Add CLP package image for Docker Compose integration.
junhaoliao Aug 5, 2025
4d402c1
Update install-prebuilt-packages.sh
junhaoliao Aug 6, 2025
adef439
lint
junhaoliao Aug 6, 2025
9aa74ff
Rename workflow from 'clp-execution-image-build' to 'clp-image-build'
junhaoliao Aug 6, 2025
542da81
correct action name
junhaoliao Aug 6, 2025
ce43d17
fix(workflow): Revert workflow name to 'clp-execution-image-build'
junhaoliao Aug 6, 2025
2c2ee50
Merge branch 'main' into package-image
junhaoliao Aug 6, 2025
75f88d9
fix(workflow): revert action path in workflow configuration
junhaoliao Aug 6, 2025
414e1fb
fix(build): add quotes around image tag in build command
junhaoliao Aug 6, 2025
0e9138a
fix(docker): combine install and cleanup commands in Dockerfile
junhaoliao Aug 6, 2025
912b678
Merge branch 'main' into package-image
junhaoliao Aug 8, 2025
dcc8a70
add docs
junhaoliao Aug 8, 2025
46ffa55
Merge branch 'main' into package-image
junhaoliao Aug 19, 2025
9db7ca9
improve error handling in install-prebuilt-packages.sh
junhaoliao Aug 19, 2025
d609987
set default user and group to 1000
junhaoliao Aug 19, 2025
1b3959d
update docker image name description
junhaoliao Aug 19, 2025
1f13954
update CLP package image dependencies
junhaoliao Aug 19, 2025
aceb39f
Merge branch 'main' into package-image
junhaoliao Aug 22, 2025
c49d8b4
remove unneeded prebuilt packages
junhaoliao Aug 24, 2025
099afc0
Merge branch 'main' into package-image
junhaoliao Aug 24, 2025
73ca1a0
Update MariaDB client package from libmariadb-dev to libmariadb3
junhaoliao Aug 24, 2025
a4317ea
docs - Apply suggestions from code review
junhaoliao Aug 25, 2025
806f2f8
Merge remote-tracking branch 'origin/main' into package-image
junhaoliao Aug 25, 2025
1887626
refactor(actions): Rename clp-image-build to clp-build-runtime-image …
junhaoliao Aug 25, 2025
20dcfb1
Remove incompatible input options from action.yaml
junhaoliao Aug 25, 2025
ddab8d1
rename path -> dockerfile_path
junhaoliao Aug 25, 2025
92861b9
Add comment to clarify npm cache environment variable usage
junhaoliao Aug 25, 2025
b39644e
refactor(install): Remove unnecessary packages and update dependencie…
junhaoliao Aug 25, 2025
c17a782
Rename container image name -> clp-package
junhaoliao Aug 25, 2025
8ff64f2
Move && to the next line - Apply suggestions from code review
junhaoliao Aug 25, 2025
1dfe706
alphabetize ENV definitions in Dockerfile - Apply suggestions from co…
junhaoliao Aug 25, 2025
47d0517
Merge remote-tracking branch 'junhao/package-image' into package-image
junhaoliao Aug 25, 2025
628ddae
move job 'ubuntu-jammy-package-image' to clp-core-build.yaml and rena…
junhaoliao Aug 25, 2025
23f1ef2
fix clp-build-runtime-image action to account for package image name …
junhaoliao Aug 25, 2025
63a7ec3
mark clp-build-runtime-image's platform_id and platform_version_id as…
junhaoliao Aug 25, 2025
61da837
move package image task into separate task file
junhaoliao Aug 25, 2025
227d6dd
CRLF -> LF
junhaoliao Aug 25, 2025
e98bb8e
use `paths-ignore` instead of inverted glob patterns in `paths`
junhaoliao Aug 25, 2025
e6f1af5
alphabetize
junhaoliao Aug 25, 2025
860e5ef
use absolute path for `.github/actions`
junhaoliao Aug 25, 2025
4180739
fix outdated action name
junhaoliao Aug 25, 2025
6cfabd7
fix outdated task command ` docker-images:package`
junhaoliao Aug 25, 2025
f1c566f
order task attrs according to dev guide
junhaoliao Aug 25, 2025
09539ae
fix order of ENV defs in Dockerfile
junhaoliao Aug 25, 2025
b49daba
test ci: to be reverted
junhaoliao Sep 2, 2025
be2560e
revert the last change
junhaoliao Sep 2, 2025
44a2dc5
Rename step name "Update Metadata" -> "Extract GitHub Metadata" - App…
junhaoliao Sep 2, 2025
2ebbfe0
rename action step ID for metadata extraction
junhaoliao Sep 2, 2025
1254827
update npm cache dir comment - Apply suggestions from code review
junhaoliao Sep 2, 2025
62cf06a
use yaml multiline string syntax for long `if` - Apply suggestions fr…
junhaoliao Sep 2, 2025
2f29228
Merge branch 'main' into package-image
junhaoliao Sep 2, 2025
c413a13
add checksum file for package task
junhaoliao Sep 2, 2025
bb36035
reorder COPY instruction in clp-package Dockerfile
junhaoliao Sep 2, 2025
ea4ce51
flatten the image at the last
junhaoliao Sep 2, 2025
3c81014
move COPY to later
junhaoliao Sep 2, 2025
e5a66cf
Merge branch 'main' into package-image
junhaoliao Sep 2, 2025
ff21c8e
Merge branch 'main' into package-image
junhaoliao Sep 3, 2025
cbea39b
docs: rename `clp-core-build` workflow and references -> `clp-artifac…
junhaoliao Sep 3, 2025
a857701
docs: update workflows to include CLP package image build
junhaoliao Sep 3, 2025
7dfbcc5
ci: rename workflow `clp-core-build` -> `clp-artifact-build`
junhaoliao Sep 3, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 26 additions & 6 deletions ...ons/clp-execution-image-build/action.yaml → .github/actions/clp-image-build/action.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,14 @@
name: "clp-execution-image-build"
description: "Builds a container image that contains the dependencies necessary
to run the CLP package."
name: "clp-image-build"
description: "Builds a CLP container image."

inputs:
image_type:
description: "Type of image to build"
required: true
type: "choice"
options:
- "execution"
- "package"
image_registry:
default: "ghcr.io"
description: "Container image registry"
Expand Down Expand Up @@ -50,15 +56,29 @@ runs:
uses: "docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804"
with:
images: "${{inputs.image_registry}}/${{steps.sanitization.outputs.REPOSITORY}}\
/clp-execution-x86-${{inputs.platform_id}}-${{inputs.platform_version_id}}"
/clp-${{inputs.image_type}}-x86-${{inputs.platform_id}}-${{inputs.platform_version_id}}"

Copy link
Contributor

@coderabbitai coderabbitai bot Aug 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Hard-coded x86 causes wrong tags for ARM images

The docker/metadata-action line still bakes in -x86- even though the action is now multi-purpose.
Attempts to publish arm64 images will end up mis-tagged.

-          /clp-${{inputs.image_type}}-x86-${{inputs.platform_id}}-${{inputs.platform_version_id}}"
+          /clp-${{inputs.image_type}}-${{inputs.platform_id}}-${{inputs.platform_version_id}}"

(Alternatively inject ${{env.ARCH_NAME}} when multi-arch builds land.)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
images: "${{inputs.image_registry}}/${{steps.sanitization.outputs.REPOSITORY}}\
/clp-execution-x86-${{inputs.platform_id}}-${{inputs.platform_version_id}}"
/clp-${{inputs.image_type}}-x86-${{inputs.platform_id}}-${{inputs.platform_version_id}}"
images: "${{inputs.image_registry}}/${{steps.sanitization.outputs.REPOSITORY}}\
/clp-${{inputs.image_type}}-${{inputs.platform_id}}-${{inputs.platform_version_id}}"
🤖 Prompt for AI Agents 
In .github/actions/clp-image-build/action.yaml around lines 58 to 60, the image
tag hardcodes "x86" which causes incorrect tags for ARM images. Replace the
fixed "x86" string with a dynamic variable that reflects the actual
architecture, such as using an input or environment variable like
`${{inputs.arch}}` or `${{env.ARCH_NAME}}` to correctly tag images for different
architectures.

- name: "Determine Dockerfile Path"
id: "dockerfile"
shell: "bash"
run: |
base_path="./tools/docker-images"
platform="${{inputs.platform_id}}-${{inputs.platform_version_id}}"

if [[ "${{inputs.image_type}}" == "execution" ]]; then
path="$base_path/clp-execution-base-$platform/Dockerfile"
Copy link
Member

@kirkrodrigues kirkrodrigues Aug 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about dockerfile_path to avoid confusion with "$PATH"?

else
path="$base_path/clp-package-$platform/Dockerfile"
fi

echo "DOCKERFILE=$path" >> "$GITHUB_OUTPUT"

Copy link
Contributor

@coderabbitai coderabbitai bot Aug 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion

Harden path resolution: quote expansions, fail fast, validate image_type, and ensure Dockerfile exists

Unquoted variables and missing existence checks can lead to brittle failures. Also, path can be confused with $PATH.

Apply:

-    - name: "Determine Dockerfile Path"
+    - name: "Determine Dockerfile Path"
       id: "dockerfile"
       shell: "bash"
       run: |
-        base_path="./tools/docker-images"
-        platform="${{inputs.platform_id}}-${{inputs.platform_version_id}}"
-
-        if [[ "${{inputs.image_type}}" == "execution" ]]; then
-          path="$base_path/clp-execution-base-$platform/Dockerfile"
-        else
-          path="$base_path/clp-package-$platform/Dockerfile"
-        fi
-
-        echo "DOCKERFILE=$path" >> "$GITHUB_OUTPUT"
+        set -euo pipefail
+        base_path="./tools/docker-images"
+        platform="${{ inputs.platform_id }}-${{ inputs.platform_version_id }}"
+
+        case "${{ inputs.image_type }}" in
+          execution)
+            dockerfile_path="${base_path}/clp-execution-base-${platform}/Dockerfile"
+            ;;
+          package)
+            dockerfile_path="${base_path}/clp-package-${platform}/Dockerfile"
+            ;;
+          *)
+            echo "Unsupported image_type: '${{ inputs.image_type }}' (expected: execution|package)" >&2
+            exit 1
+            ;;
+        esac
+
+        if [[ ! -f "${dockerfile_path}" ]]; then
+          echo "Dockerfile not found at: ${dockerfile_path}" >&2
+          exit 1
+        fi
+
+        printf 'DOCKERFILE=%s\n' "${dockerfile_path}" >> "$GITHUB_OUTPUT"

This addresses quoting, validation, and verifiable failure modes.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: "Determine Dockerfile Path"
id: "dockerfile"
shell: "bash"
run: |
base_path="./tools/docker-images"
platform="${{inputs.platform_id}}-${{inputs.platform_version_id}}"
if [[ "${{inputs.image_type}}" == "execution" ]]; then
path="$base_path/clp-execution-base-$platform/Dockerfile"
else
path="$base_path/clp-package-$platform/Dockerfile"
fi
echo "DOCKERFILE=$path" >> "$GITHUB_OUTPUT"
- name: "Determine Dockerfile Path"
id: "dockerfile"
shell: "bash"
run: |
set -euo pipefail
base_path="./tools/docker-images"
platform="${{ inputs.platform_id }}-${{ inputs.platform_version_id }}"
case "${{ inputs.image_type }}" in
execution)
dockerfile_path="${base_path}/clp-execution-base-${platform}/Dockerfile"
;;
package)
dockerfile_path="${base_path}/clp-package-${platform}/Dockerfile"
;;
*)
echo "Unsupported image_type: '${{ inputs.image_type }}' (expected: execution|package)" >&2
exit 1
;;
esac
if [[ ! -f "${dockerfile_path}" ]]; then
echo "Dockerfile not found at: ${dockerfile_path}" >&2
exit 1
fi
printf 'DOCKERFILE=%s\n' "${dockerfile_path}" >> "$GITHUB_OUTPUT"
🤖 Prompt for AI Agents 
In .github/actions/clp-image-build/action.yaml around lines 61 to 75, the script
uses unquoted expansions, a generic variable name `path`, and lacks
validation/existence checks; update it to: enable fail-fast (set -e), use a
non-conflicting variable name like `dockerfile_path`, quote all variable
expansions when constructing paths, validate that inputs.image_type is one of
the expected values (e.g., "execution" or "package") and exit with a clear error
for invalid values, check that the computed Dockerfile exists and fail with an
informative message if not, and then write the quoted path to GITHUB_OUTPUT.

- name: "Build and Push"
if: "github.event_name != 'pull_request' && github.ref == 'refs/heads/main'"
uses: "docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4"
with:
context: "./"
file: "./tools/docker-images/\
clp-execution-base-${{inputs.platform_id}}-${{inputs.platform_version_id}}/Dockerfile"
file: "${{steps.dockerfile.outputs.DOCKERFILE}}"
push: true
tags: "${{steps.meta.outputs.tags}}"
labels: "${{steps.meta.outputs.labels}}"
1 change: 1 addition & 0 deletions .github/actions/run-on-image/action.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ runs:
- run: >-
docker run
--user $(id -u):$(id -g)
--env npm_config_cache=/tmp/.npm
--volume "$GITHUB_WORKSPACE":/mnt/repo
--workdir /mnt/repo
${{steps.get_image_props.outputs.qualified_image_name}}
Expand Down
7 changes: 4 additions & 3 deletions .github/workflows/clp-execution-image-build.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,12 +3,12 @@ name: "clp-execution-image-build"
on:
pull_request:
paths:
- ".github/actions/clp-execution-image-build/action.yaml"
- ".github/actions/clp-image-build/action.yaml"
- ".github/workflows/clp-execution-image-build.yaml"
- "tools/docker-images/**/*"
push:
paths:
- ".github/actions/clp-execution-image-build/action.yaml"
- ".github/actions/clp-image-build/action.yaml"
- ".github/workflows/clp-execution-image-build.yaml"
- "tools/docker-images/**/*"
schedule:
Expand Down Expand Up @@ -61,8 +61,9 @@ jobs:
shell: "bash"
run: "chown $(id -u):$(id -g) -R ."

- uses: "./.github/actions/clp-execution-image-build"
- uses: "./.github/actions/clp-image-build"
with:
image_type: "execution"
image_registry: "ghcr.io"
image_registry_username: "${{github.actor}}"
image_registry_password: "${{secrets.GITHUB_TOKEN}}"
Expand Down
103 changes: 103 additions & 0 deletions .github/workflows/clp-package-image-build.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
name: "clp-package-image-build"

on:
push:
workflow_dispatch:

Copy link
Contributor

@coderabbitai coderabbitai bot Aug 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick (assertive)

Trigger mismatch: workflow doesn’t run on pull_request but contains PR-specific logic

The use_published_image condition branches on github.event_name == 'pull_request', but the workflow isn’t triggered by pull_request. If you intend PR builds (without pushing), add a pull_request trigger, ideally with the same path filtering strategy you use elsewhere.

Proposed minimal addition:

 on:
   push:
+  pull_request:
   workflow_dispatch:

If PR builds are intentionally disabled for cost/safety, consider removing the pull_request branch in the predicate to avoid confusion.

🤖 Prompt for AI Agents 
.github/workflows/clp-package-image-build.yaml lines 3-6: the workflow contains
conditions that check github.event_name == 'pull_request' but the workflow has
no pull_request trigger; either add a pull_request trigger (preferably mirroring
the path filters used in your other workflows) so PRs actually run this job, or
remove/adjust the github.event_name == 'pull_request' branches to avoid
dead/incorrect logic; update the triggers and any path/filter blocks
consistently so the condition and triggers align.

env:
DEPS_IMAGE_NAME_PREFIX: "clp-core-dependencies-x86-"
Copy link
Member Author

@junhaoliao junhaoliao Aug 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(Similar to the comment at https://github.com/y-scope/clp/pull/1166/files#r2256441706)

I see how it can be awkward to build the package with a "core" dependencies container, but i haven't seen any quicker way to build the package. if there's no significant benefit in differentiating between "core" and "package" dependencies, shall we just unify them (simply rename the existing build env containers).

Copy link
Member

@kirkrodrigues kirkrodrigues Aug 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I think we can rename the existing containers and make them sufficient for building the entire CLP package (since the requirements for building the package are not a lot more than what's required for building core). That said, let's defer this to another PR to avoid delaying this one.

Copy link
Member Author

@junhaoliao junhaoliao Aug 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@coderabbitai create an issue to track the effort of creating a universal build env image

Copy link
Contributor

@coderabbitai coderabbitai bot Aug 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧩 Analysis chain

@junhaoliao I've created a GitHub issue to track the effort of creating a universal build environment image. The issue captures the context from your discussion with kirkrodrigues about unifying the "core" and "package" dependencies containers, includes references to this PR and the specific comment, and outlines the proposed solution with clear acceptance criteria.

🏁 Script executed:

#!/bin/bash
# Create GitHub issue to track universal build environment image effort

gh issue create \
  --title "Unify core and package dependencies into universal build environment image" \
  --body "## Context

Currently, we have separate \"core\" dependencies containers that are being used to build both core components and the full CLP package. This creates an awkward situation where package builds rely on \"core\" dependency containers.

## Problem

As discussed in PR #1166 (https://github.com/y-scope/clp/pull/1166#discussion_r2256457011), the current naming and separation between \"core\" and \"package\" dependencies doesn't provide significant benefits and creates confusion.

## Proposed Solution

Rename and unify the existing build environment containers to create a universal build environment image that can:
- Build CLP core components
- Build the complete CLP package
- Provide all necessary dependencies for the entire build process

## References

- Original discussion: https://github.com/y-scope/clp/pull/1166#discussion_r2256457011  
- PR #1166: https://github.com/y-scope/clp/pull/1166

## Acceptance Criteria

- [ ] Rename existing core dependencies containers to reflect their universal nature
- [ ] Ensure the unified image contains all dependencies needed for both core and package builds
- [ ] Update all workflows and documentation to reference the new unified image name
- [ ] Verify that both core and package builds work correctly with the unified image

---
Requested by: @junhaoliao" \
  --assignee junhaoliao

Length of output: 1491

@junhaoliao Perfect! I've successfully created issue #1266 to track the effort of creating a universal build environment image. The issue is now available at #1266 and has been assigned to you as requested.

The issue captures all the relevant context from your discussion with kirkrodrigues about unifying the "core" and "package" dependencies containers, includes proper references to this PR and the specific comment thread, and provides clear acceptance criteria for completing the work.

🧠 Learnings used 
Learnt from: quinntaylormitchell
PR: y-scope/clp#918
File: .github/workflows/clp-execution-image-build.yaml:77-97
Timestamp: 2025-05-26T16:03:05.519Z
Learning: In .github/workflows/clp-execution-image-build.yaml, the ubuntu-jammy-execution-image and ubuntu-noble-execution-image jobs are intentionally kept separate (rather than using a matrix strategy) to make it easier to remove individual platform versions when they reach end of life, such as when jammy eventually becomes obsolete.


jobs:
filter-relevant-changes:
name: "filter-relevant-changes"
runs-on: "ubuntu-24.04"
outputs:
ubuntu_jammy_image_changed: "${{steps.filter.outputs.ubuntu_jammy_image}}"
steps:
- uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with:
submodules: "recursive"

- name: "Work around actions/runner-images/issues/6775"
run: "chown $(id -u):$(id -g) -R ."
shell: "bash"

Copy link
Contributor

@coderabbitai coderabbitai bot Aug 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick (assertive)

Quote $(id -u) and $(id -g) to silence ShellCheck SC2046

The workaround lines can trigger word-splitting warnings; quoting fixes it.

-        run: "chown $(id -u):$(id -g) -R ."
+        run: "chown $(id -u):$(id -g) -R ."

(Only quotes needed around the whole expression if re-templated; keep consistent across all three occurrences.)

Committable suggestion skipped: line range outside the PR's diff.

🧰 Tools
🪛 actionlint (1.7.7)

22-22: shellcheck reported issue in this script: SC2046:warning:1:7: Quote this to prevent word splitting

(shellcheck)

22-22: shellcheck reported issue in this script: SC2046:warning:1:16: Quote this to prevent word splitting

(shellcheck)

🤖 Prompt for AI Agents 
In .github/workflows/clp-package-image-build.yaml around lines 21 to 24, the
shell command uses unquoted command substitutions $(id -u) and $(id -g), which
can cause word-splitting warnings from ShellCheck SC2046. Fix this by adding
double quotes around each command substitution, changing them to "$(id -u)" and
"$(id -g)" to properly quote the expressions and prevent word splitting.

- name: "Filter relevant changes"
uses: "dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36"
id: "filter"
with:
# Consider changes between the current commit and `main`
# NOTE: If a pull request changes one of the images, then we need to (1) build the image
# (based on commits in the PR) and then (2) build CLP using the changed image. If a pull
# request doesn't change an image, then we don't need to rebuild the image; instead we can
# use the published image which is based on `main`. So when determining what files have
# changed, we need to consider the delta between the current commit and `main` (rather
# than the current and previous commits) in order to detect if we need to rebuild the
# image (since it would be different from the published image).
base: "main"
filters: |
ubuntu_jammy_image:
- ".github/actions/**"
- ".github/workflows/clp-core-build.yaml"
- "components/core/tools/scripts/lib_install/*.sh"
- "components/core/tools/docker-images/clp-env-base-ubuntu-jammy/**"
- "components/core/tools/scripts/lib_install/ubuntu-jammy/**"
ubuntu-jammy-deps-image:
name: "ubuntu-jammy-deps-image"
needs: "filter-relevant-changes"
runs-on: "ubuntu-24.04"
steps:
- uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with:
submodules: "recursive"

- name: "Work around actions/runner-images/issues/6775"
run: "chown $(id -u):$(id -g) -R ."
shell: "bash"

Copy link
Contributor

@coderabbitai coderabbitai bot Aug 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick (assertive)

Quote command substitutions here as well

Same rationale as above.

-      - name: "Work around actions/runner-images/issues/6775"
-        run: "chown $(id -u):$(id -g) -R ."
+      - name: "Work around actions/runner-images/issues/6775"
+        run: "chown \"$(id -u)\":\"$(id -g)\" -R ."
         shell: "bash"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: "Work around actions/runner-images/issues/6775"
run: "chown $(id -u):$(id -g) -R ."
shell: "bash"
- name: "Work around actions/runner-images/issues/6775"
run: "chown \"$(id -u)\":\"$(id -g)\" -R ."
shell: "bash"
🧰 Tools
🪛 actionlint (1.7.7)

57-57: shellcheck reported issue in this script: SC2046:warning:1:7: Quote this to prevent word splitting

(shellcheck)

57-57: shellcheck reported issue in this script: SC2046:warning:1:16: Quote this to prevent word splitting

(shellcheck)

🤖 Prompt for AI Agents 
.github/workflows/clp-package-image-build.yaml around lines 56 to 59: the run
step uses unquoted command substitutions which can break if they contain spaces
or unexpected characters; update the run command to quote the substitutions
(e.g., chown "$(id -u):$(id -g)" -R .) so the shell treats the uid:gid as a
single argument and behaves consistently.

- uses: "./.github/actions/clp-core-build-containers"
env:
OS_NAME: "ubuntu-jammy"
with:
image_name: "${{env.DEPS_IMAGE_NAME_PREFIX}}${{env.OS_NAME}}"
docker_context: "components/core"
docker_file: "components/core/tools/docker-images/clp-env-base-${{env.OS_NAME}}\
/Dockerfile"
push_deps_image: >-
${{github.event_name != 'pull_request' && github.ref == 'refs/heads/main'}}
token: "${{secrets.GITHUB_TOKEN}}"
Copy link
Member

@kirkrodrigues kirkrodrigues Aug 24, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this is a good idea since it might cause some issues with two different workflows trying to publish the same container, not to mention the resources it'll use.

I think a quick solution might be to move this package image build into clp-core-build workflow.

Copy link
Member Author

@junhaoliao junhaoliao Aug 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to move this package image build into clp-core-build workflow

if we move it into clp-core-build, i believe we need to update the workflows trigger conditions. instead of an allow list, we might need to write it as

on:
  pull_request:
    paths: &monitored_paths
      - "**"
      - "!.github/ISSUE_TEMPLATE/**"
      - "!.github/*"
      - "!components/core/tools/scripts/lib_install/macos/**"
      - "!docs/**"
  push:
    paths: *monitored_paths

then the other jobs in the workflow will rely on filter-relevant-changes to see if they should run, as they currently do.

is my understanding correct? are there any other paths / patterns that need to be added to the deny list (!)?

Copy link
Member

@kirkrodrigues kirkrodrigues Aug 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's correct. That pattern should be fine.


ubuntu-jammy-package-image:
name: "ubuntu-jammy-package-image"
needs: "ubuntu-jammy-deps-image"
runs-on: "ubuntu-24.04"
env:
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Job cannot reference filter-relevant-changes outputs because it isn’t in needs

ubuntu-jammy-package-image uses
needs.filter-relevant-changes.outputs.ubuntu_jammy_image_changed
but only lists ubuntu-jammy-deps-image in needs.
Workflow evaluation will fail at runtime.

-needs: "ubuntu-jammy-deps-image"
+needs:
+  - "ubuntu-jammy-deps-image"
+  - "filter-relevant-changes"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
ubuntu-jammy-package-image:
name: "ubuntu-jammy-package-image"
needs: "ubuntu-jammy-deps-image"
runs-on: "ubuntu-24.04"
env:
ubuntu-jammy-package-image:
name: "ubuntu-jammy-package-image"
needs:
- "ubuntu-jammy-deps-image"
- "filter-relevant-changes"
runs-on: "ubuntu-24.04"
env:
🤖 Prompt for AI Agents 
In .github/workflows/clp-package-image-build.yaml around lines 71 to 75, the job
ubuntu-jammy-package-image references outputs from filter-relevant-changes in
its needs but does not list filter-relevant-changes in its needs array. To fix
this, add filter-relevant-changes to the needs list for
ubuntu-jammy-package-image so it can access the required outputs and avoid
runtime evaluation errors.

OS_NAME: "ubuntu-jammy"
Copy link
Member

@kirkrodrigues kirkrodrigues Aug 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we move this into the scope of the step that requires it?

steps:
- uses: "actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683"
with:
submodules: "recursive"

- name: "Workaround actions/runner-images/issues/6775"
shell: "bash"
run: "chown $(id -u):$(id -g) -R ."

- name: "Build the package"
uses: "./.github/actions/run-on-image"
with:
image_name: "${{env.DEPS_IMAGE_NAME_PREFIX}}${{env.OS_NAME}}"
use_published_image: >-
${{needs.filter-relevant-changes.outputs.ubuntu_jammy_image_changed == 'false'
|| (github.event_name != 'pull_request' && github.ref == 'refs/heads/main')}}
run_command: >-
CLP_CORE_MAX_PARALLELISM_PER_BUILD_TASK=$(getconf _NPROCESSORS_ONLN) task package
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick (assertive)

Guardrails look good; minor readability nit

The use_published_image condition is correct once needs is fixed. Optional: extract the OR’d predicate into a reusable job-level env for readability.

🧰 Tools
🪛 actionlint (1.7.7)

91-91: property "filter-relevant-changes" is not defined in object type {ubuntu-jammy-deps-image: {outputs: {}; result: string}}

(expression)

🤖 Prompt for AI Agents 
.github/workflows/clp-package-image-build.yaml around lines 91 to 96: the OR’d
predicate used inline for use_published_image hurts readability; extract the
full boolean expression into a job-level env (e.g. USE_PUBLISHED_IMAGE) that
assigns the same expression, then reference that env in use_published_image so
the condition is clearer and reusable—ensure you preserve the original
logic/parentheses and update any dependent references accordingly.

- uses: "./.github/actions/clp-image-build"
with:
image_type: "package"
image_registry: "ghcr.io"
image_registry_username: "${{github.actor}}"
image_registry_password: "${{secrets.GITHUB_TOKEN}}"
platform_id: "ubuntu"
platform_version_id: "jammy"
2 changes: 2 additions & 0 deletions components/core/tools/scripts/lib_install/ubuntu-jammy/install-prebuilt-packages.sh
View file
Open in desktop
Copy link
Member Author

@junhaoliao junhaoliao Aug 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i understand the added dependencies are not strictly "core" related but i believe some others here (e.g. unzip) are in a similar situation. we might want to split the package specific dependencies in anther refactoring PR, though i personally don't see too much benefit yet. any concerns / other ideas?

Original file line number Diff line number Diff line change
Expand Up @@ -23,8 +23,10 @@ DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
openjdk-11-jdk \
pkg-config \
python3 \
python3-dev \
python3-pip \
python3-venv \
rsync \
software-properties-common \
unzip

Expand Down
11 changes: 11 additions & 0 deletions docs/src/dev-guide/building-package.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -69,5 +69,16 @@ To clean up all build artifacts, run:
task clean
```

## Building a Docker image

To build a Docker image containing the CLP package, run:

```shell
task docker-image-package
```

This will create a Docker image named `clp-package-<os>-ubuntu-jammy:dev` where `<os>` is `x86` or
`arm64`.

Copy link
Contributor

@coderabbitai coderabbitai bot Aug 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick (assertive)

Clarify local tag vs published tag and note arm64 build constraints.

  • Make it explicit that :dev is a local tag; published images use :main.
  • Mention that building arm64 requires an arm64 host or Docker Buildx with QEMU.

Proposed tweak:

 ## Building a Docker image

 To build a Docker image containing the CLP package, run:

 ```shell
 task docker-image-package

-This will create a Docker image named clp-package-<os>-ubuntu-jammy:dev where <os> is x86 or
-arm64.
+This will create a local Docker image named clp-package-<os>-ubuntu-jammy:dev where <os> is x86 or
+arm64. Published CI images use the :main tag (e.g., ghcr.io/y-scope/clp/clp-package-x86-ubuntu-jammy:main).
+
+Note: Building an arm64 image requires either running on an arm64 host or using Docker Buildx with QEMU emulation.


<details>
<summary>🤖 Prompt for AI Agents</summary>

In docs/src/dev-guide/building-package.md around lines 72 to 82, clarify that
the Docker image tag :dev is a local tag and that published images use the
:main tag with an example. Also, add a note that building the arm64 image
requires either an arm64 host or Docker Buildx with QEMU emulation. Update the
text to explicitly state these points for better user understanding.


</details>

<!-- fingerprinting:phantom:triton:capybara -->

<!-- This is an auto-generated comment by CodeRabbit -->

[clp-issue-872]: https://github.com/y-scope/clp/issues/872
[Task]: https://taskfile.dev/
10 changes: 10 additions & 0 deletions docs/src/dev-guide/tooling-containers.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,16 @@ environment.
tools/docker-images/clp-execution-base-ubuntu-jammy
```

## clp-package-x86-ubuntu-jammy

An image containing the CLP package built in an Ubuntu Jammy x86_64 environment.

* Path:

```text
tools/docker-images/clp-package-ubuntu-jammy
```

Copy link
Contributor

@coderabbitai coderabbitai bot Aug 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Verification agent

🧩 Analysis chain

Align architecture wording and add GH Packages details to match other entries.

  • Use “x86” (not “x86_64”) to be consistent with headings above.
  • Add a GitHub Packages link and a pull command, like other images in this page.

Apply:

 ## clp-package-x86-ubuntu-jammy

-An image containing the CLP package built in an Ubuntu Jammy x86_64 environment.
+An image containing the CLP package built in an Ubuntu Jammy x86 environment.
 
-* Path:
+* [GitHub Packages page][pkg-ubuntu-jammy]
+* Pull command:
+
+  ```bash
+  docker pull ghcr.io/y-scope/clp/clp-package-x86-ubuntu-jammy:main
+  ```
+
+* Path:
 
   ```text
   tools/docker-images/clp-package-ubuntu-jammy

Add this link reference at the bottom alongside the others:

```text
[pkg-ubuntu-jammy]: https://github.com/y-scope/clp/pkgs/container/clp%2Fclp-package-x86-ubuntu-jammy

If the package page isn’t public yet, we can temporarily omit the link and add it once the workflow publishes the image.

Let’s verify the existing entries and link references in docs/src/dev-guide/tooling-containers.md to match the pattern used elsewhere.

🏁 Script executed:

#!/bin/bash
set -euxo pipefail

# Show all clp-package sections for architecture naming and GH Packages link usage
rg "^## clp-package" -n docs/src/dev-guide/tooling-containers.md -A5

# Show all existing [pkg-…] link references
rg "^\[pkg-" -n docs/src/dev-guide/tooling-containers.md

Length of output: 298

Let’s inspect how neighbouring image entries are structured—particularly their headings, pull commands, and GitHub Packages links.

🏁 Script executed:

#!/bin/bash
set -euxo pipefail

# List all second-level sections to locate other image entries
rg "^## " -n docs/src/dev-guide/tooling-containers.md

# Show existing pull commands for comparison
rg -n -C3 "Pull command" docs/src/dev-guide/tooling-containers.md

# Show existing GitHub Packages link references
rg -n -C3 "GitHub Packages" docs/src/dev-guide/tooling-containers.md

Length of output: 2429

Standardize “x86” phrasing and add GitHub Packages details for the CLP package image

File: docs/src/dev-guide/tooling-containers.md, lines 136–145

  • Change the description to use “x86” (not “x86_64”).
  • Add a GitHub Packages page link and docker pull command, consistent with other entries.
  • Add the [pkg-ubuntu-jammy] link reference at the bottom.

Apply:

 ## clp-package-x86-ubuntu-jammy

-An image containing the CLP package built in an Ubuntu Jammy x86_64 environment.
+An image containing the CLP package built in an Ubuntu Jammy x86 environment.
 
-* Path:
+* [GitHub Packages page][pkg-ubuntu-jammy]
+* Pull command:
+
+  ```bash
+  docker pull ghcr.io/y-scope/clp/clp-package-x86-ubuntu-jammy:main
+  ```
+
+* Path:
   ```text
   tools/docker-images/clp-package-ubuntu-jammy

Add at the end of the file:

```text
[pkg-ubuntu-jammy]: https://github.com/y-scope/clp/pkgs/container/clp%2Fclp-package-x86-ubuntu-jammy
🤖 Prompt for AI Agents 
In docs/src/dev-guide/tooling-containers.md around lines 136 to 145, update the
description to use "x86" instead of "x86_64" for consistency. Add a GitHub
Packages link and a docker pull command for the CLP package image, matching the
format of other entries. Also, add the link reference [pkg-ubuntu-jammy] at the
bottom of the file pointing to the appropriate GitHub Packages URL.

[core-deps-centos-stream-9]: https://github.com/y-scope/clp/pkgs/container/clp%2Fclp-core-dependencies-x86-centos-stream-9
[core-deps-ubuntu-jammy]: https://github.com/y-scope/clp/pkgs/container/clp%2Fclp-core-dependencies-x86-ubuntu-jammy
[core-ubuntu-jammy]: https://github.com/y-scope/clp/pkgs/container/clp%2Fclp-core-x86-ubuntu-jammy
Expand Down
4 changes: 4 additions & 0 deletions docs/src/dev-guide/tooling-gh-workflows.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,10 @@ This workflow builds CLP-core on macOS and runs its unit tests.
This workflow builds a container image that contains the dependencies necessary to run the CLP
package.

## clp-package-image-build

This workflow builds a container image that contains the CLP package.

Copy link
Contributor

@coderabbitai coderabbitai bot Aug 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick (assertive)

Add a direct link to the workflow file for discoverability.

Linking to .github/workflows/clp-package-image-build.yaml here mirrors how other sections point readers to concrete artefacts.

You could append: “See .github/workflows/clp-package-image-build.yaml for details.”

🤖 Prompt for AI Agents 
In docs/src/dev-guide/tooling-gh-workflows.md around lines 79 to 82, add a
direct link to the workflow file .github/workflows/clp-package-image-build.yaml
at the end of the section describing the clp-package-image-build workflow.
Append a sentence like "See .github/workflows/clp-package-image-build.yaml for
details." to improve discoverability and maintain consistency with other
sections.

## clp-lint

This workflow runs linting checks on the codebase.
11 changes: 11 additions & 0 deletions taskfile.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -162,6 +162,17 @@ tasks:
CHECKSUM_FILE: "{{.CHECKSUM_FILE}}"
INCLUDE_PATTERNS: ["{{.OUTPUT_DIR}}"]

docker-image-package:
vars:
SRC_DIR: "{{.ROOT_DIR}}/tools/docker-images/clp-package-ubuntu-jammy"
dir: "{{.SRC_DIR}}"
deps:
- "package"
sources:
- "{{.SRC_DIR}}/**/*"
cmds:
- "./build.sh"

Copy link
Contributor

@coderabbitai coderabbitai bot Aug 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Verification agent

🧩 Analysis chain

Make docker-image-package sensitive to package output changes and check Docker availability

Current sources only watch the Docker image directory. Since the build script uses the repo root as the Docker build context and the image embeds the freshly built package (deps: package), the task can be incorrectly considered up-to-date when only package outputs change. Also, adding a precondition to ensure Docker is installed will fail fast with a clear message.

Proposed fixes:

  • Include the built package directory in sources so image rebuilds when package contents change.
  • Add a Docker availability precondition.

Apply this diff:

   docker-image-package:
     vars:
       SRC_DIR: "{{.ROOT_DIR}}/tools/docker-images/clp-package-ubuntu-jammy"
     dir: "{{.SRC_DIR}}"
     deps:
       - "package"
     sources:
       - "{{.SRC_DIR}}/**/*"
+      - "{{.G_PACKAGE_BUILD_DIR}}/**/*"
+    preconditions:
+      - sh: "command -v docker"
+        msg: "Docker is required to build the package image. Please install Docker and try again."
     cmds:
       - "./build.sh"

Follow-up:

  • If the Dockerfile COPYs additional paths from the repo root (e.g., other tools/setup directories), consider adding those globs to sources as well to avoid stale images (or emit a checksum file in the build script and wire it via generates for stronger up-to-date checks). Would you like me to draft that too?

🏁 Script executed:

#!/bin/bash
set -e

echo "1. Searching for G_PACKAGE_BUILD_DIR in YAML files..."
rg -n 'G_PACKAGE_BUILD_DIR' --glob '*.yaml' --glob '*.yml' || true

echo "2. Extracting 'package' task from Taskfile.yaml..."
rg -n '^[ \\t]*package:' -n -C10 taskfile.yaml || true

echo "3. Checking for existing 'preconditions' usage..."
rg -n 'preconditions:' -n -C3 taskfile.yaml || true

echo "4. Showing COPY instructions in Dockerfile..."
grep -n -C2 'COPY' tools/docker-images/clp-package-ubuntu-jammy/Dockerfile || true

Length of output: 2018

Ensure docker-image-package rebuilds on package changes and verifies Docker availability

To prevent stale images when only the package output changes and to fail fast if Docker isn’t installed, update the docker-image-package task in taskfile.yaml as follows:

• Add the built package directory to sources so that any changes under {{.G_PACKAGE_BUILD_DIR}} trigger a rebuild.
• Introduce a preconditions check for Docker on the PATH with a clear error message.

Apply this diff:

   docker-image-package:
     vars:
       SRC_DIR: "{{.ROOT_DIR}}/tools/docker-images/clp-package-ubuntu-jammy"
     dir: "{{.SRC_DIR}}"
     deps:
       - "package"
     sources:
       - "{{.SRC_DIR}}/**/*"
+      - "{{.G_PACKAGE_BUILD_DIR}}/**/*"
+    preconditions:
+      - sh: "command -v docker"
+        msg: "Docker is required to build the package image. Please install Docker and try again."
     cmds:
       - "./build.sh"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
docker-image-package:
vars:
SRC_DIR: "{{.ROOT_DIR}}/tools/docker-images/clp-package-ubuntu-jammy"
dir: "{{.SRC_DIR}}"
deps:
- "package"
sources:
- "{{.SRC_DIR}}/**/*"
cmds:
- "./build.sh"
docker-image-package:
vars:
SRC_DIR: "{{.ROOT_DIR}}/tools/docker-images/clp-package-ubuntu-jammy"
dir: "{{.SRC_DIR}}"
deps:
- "package"
sources:
- "{{.SRC_DIR}}/**/*"
- "{{.G_PACKAGE_BUILD_DIR}}/**/*"
preconditions:
- sh: "command -v docker"
msg: "Docker is required to build the package image. Please install Docker and try again."
cmds:
- "./build.sh"
🤖 Prompt for AI Agents 
In taskfile.yaml around lines 165 to 175, the docker-image-package task must be
updated so image rebuilds when package output changes and to fail early if
Docker is missing: add the built package dir (e.g. include
"{{.G_PACKAGE_BUILD_DIR}}/**" or the appropriate path under that variable) to
the task's sources list so changes there trigger rebuilds, and add a
preconditions entry that verifies Docker is on PATH (run a shell check for the
docker binary and emit a clear error message and non-zero exit if not found)
before running cmds.

clp-s-generate-parsers:
vars:
CHECKSUM_FILE: "{{.G_BUILD_DIR}}/{{.TASK}}.md5"
Expand Down
22 changes: 22 additions & 0 deletions tools/docker-images/clp-package-ubuntu-jammy/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
FROM ubuntu:jammy AS base

COPY ./build/clp-package /opt/clp

WORKDIR /root
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick (assertive)

WORKDIR in base doesn’t carry into the final stage

Since you re-stage with FROM scratch, the final image ignores the base WORKDIR. Either drop this line here or mirror the same WORKDIR in the final stage (see separate suggestion to set WORKDIR /home/clp).

-WORKDIR /root
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
WORKDIR /root
🤖 Prompt for AI Agents 
In tools/docker-images/clp-package-ubuntu-jammy/Dockerfile around line 5, the
WORKDIR /root in the base stage doesn't persist into the final stage because you
re-start with FROM scratch; either remove this WORKDIR from the base stage or
add the same WORKDIR directive to the final stage (e.g., WORKDIR /home/clp if
you prefer that location) and update any path references accordingly so the
final image has the intended working directory.


COPY ./tools/docker-images/clp-package-ubuntu-jammy/setup-scripts ./setup-scripts
RUN ./setup-scripts/install-prebuilt-packages.sh && \
rm -rf ./setup-scripts/

# Remove cached files
RUN apt-get clean \
&& rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

# Flatten the image
FROM scratch
COPY --from=base / /

ENV PATH="/opt/clp/sbin:${PATH}"
ENV PATH="/opt/clp/bin:${PATH}"
ENV PYTHONPATH="/opt/clp/lib/python3/site-packages"
ENV CLP_HOME="/opt/clp"
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick (assertive)

Combine PATH modifications into a single ENV and preserve original order

Multiple ENV PATH= lines duplicate state and create extra layers. A single declaration is clearer:

-ENV PATH="/opt/clp/sbin:${PATH}"
-ENV PATH="/opt/clp/bin:${PATH}"
+ENV PATH="/opt/clp/sbin:/opt/clp/bin:${PATH}"
🧰 Tools
🪛 Checkov (3.2.334)

[LOW] 1-22: Ensure that HEALTHCHECK instructions have been added to container images

(CKV_DOCKER_2)

[LOW] 1-22: Ensure that a user for the container has been created

(CKV_DOCKER_3)

🤖 Prompt for AI Agents 
In tools/docker-images/clp-package-ubuntu-jammy/Dockerfile at lines 19 to 22,
multiple ENV instructions modify PATH separately, causing redundant layers and
potential order issues. Combine the two PATH modifications into a single ENV
statement that prepends both /opt/clp/sbin and /opt/clp/bin to the existing PATH
in the correct order, then keep the PYTHONPATH and CLP_HOME ENV declarations as
separate lines.

Copy link
Member Author

@junhaoliao junhaoliao Aug 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wouldn't splitting into multiple lines be more VCS friendly?

Copy link
Contributor

@coderabbitai coderabbitai bot Aug 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@junhaoliao You raise an excellent point about VCS friendliness! You're absolutely right that separate ENV lines make it much easier to track changes in version control - when someone adds or removes a path component, it shows up as a clean line addition/removal rather than a modification to an entire concatenated string.

The trade-off is:

  • Multiple ENV lines: Better for VCS diffs and change tracking
  • Single ENV line: Fewer Docker layers and slightly more efficient

Given that this is a new Dockerfile and you're prioritizing maintainability and clear change tracking, keeping the separate ENV lines is a perfectly reasonable choice. The Docker layer efficiency gain is minimal compared to the VCS clarity benefit you mentioned.

I'll defer to your preference on this one! 🐰

🧠 Learnings used 
Learnt from: quinntaylormitchell
PR: y-scope/clp#918
File: .github/workflows/clp-execution-image-build.yaml:77-97
Timestamp: 2025-05-26T16:03:05.519Z
Learning: In .github/workflows/clp-execution-image-build.yaml, the ubuntu-jammy-execution-image and ubuntu-noble-execution-image jobs are intentionally kept separate (rather than using a matrix strategy) to make it easier to remove individual platform versions when they reach end of life, such as when jammy eventually becomes obsolete.

Learnt from: jackluo923
PR: y-scope/clp#1054
File: components/core/tools/docker-images/clp-env-base-musllinux_1_2-x86/build.sh:18-24
Timestamp: 2025-07-01T14:52:02.418Z
Learning: In the CLP project, consistency across platform build scripts is prioritized over defensive programming when it comes to git remote handling. All build.sh files in docker-images directories should follow the same pattern for git metadata injection.

Learnt from: jackluo923
PR: y-scope/clp#1054
File: components/core/tools/docker-images/clp-env-base-musllinux_1_2-x86/build.sh:18-24
Timestamp: 2025-07-01T14:52:02.418Z
Learning: In the CLP project, consistency across platform build scripts is prioritized over defensive programming when it comes to git remote handling. All build.sh files in docker-images directories should follow the same pattern for git metadata injection.

Learnt from: jackluo923
PR: y-scope/clp#1054
File: components/core/tools/docker-images/clp-env-base-musllinux_1_2-aarch64/build.sh:3-5
Timestamp: 2025-07-07T17:43:04.349Z
Learning: In CLP project build scripts (specifically build.sh files in docker-images directories), maintain consistency with the established pattern of using separate `set -eu` and `set -o pipefail` commands rather than combining them into `set -euo pipefail`, to ensure uniform script structure across all platform build scripts.

Learnt from: kirkrodrigues
PR: y-scope/clp#881
File: components/core/tools/scripts/lib_install/ubuntu-jammy/install-prebuilt-packages.sh:35-41
Timestamp: 2025-05-06T09:48:55.408Z
Learning: For installation scripts in the CLP project, prefer explicit error handling over automatic dependency resolution (like `apt-get install -f`) when installing packages to give users more control over their system.

Learnt from: jackluo923
PR: y-scope/clp#1054
File: components/core/tools/scripts/lib_install/musllinux_1_2/install-prebuilt-packages.sh:6-15
Timestamp: 2025-07-01T14:52:15.217Z
Learning: For installation scripts in the CLP project, maintain consistency in command patterns across platforms rather than applying platform-specific optimizations. When a platform follows a pattern of separate update and install commands (like `apt-get update && apt-get install` or `apk update && apk add`), preserve this pattern for uniform script structure.

Learnt from: jackluo923
PR: y-scope/clp#1054
File: components/core/tools/scripts/lib_install/musllinux_1_2/install-prebuilt-packages.sh:6-15
Timestamp: 2025-07-01T14:52:15.217Z
Learning: For installation scripts in the CLP project, maintain consistency in command patterns across platforms rather than applying platform-specific optimizations. When a platform follows a pattern of separate update and install commands (like `apt-get update && apt-get install` or `apk update && apk add`), preserve this pattern for uniform script structure.

Learnt from: jackluo923
PR: y-scope/clp#1054
File: components/core/tools/scripts/lib_install/musllinux_1_2/install-prebuilt-packages.sh:6-15
Timestamp: 2025-07-01T14:52:15.217Z
Learning: For installation scripts in the CLP project, maintain consistency in command patterns across platforms rather than applying platform-specific optimizations. When a platform follows a pattern of separate update and install commands (like `apt-get update && apt-get install` or `apk update && apk add`), preserve this pattern for uniform script structure.

Learnt from: jackluo923
PR: y-scope/clp#718
File: components/core/tools/scripts/utils/create-debian-package.py:41-41
Timestamp: 2025-02-12T22:24:17.723Z
Learning: For the clp-core Debian package creation script, strict version format validation is considered unnecessary complexity and should be avoided.

Learnt from: jackluo923
PR: y-scope/clp#1054
File: components/core/tools/scripts/lib_install/musllinux_1_2/install-prebuilt-packages.sh:6-15
Timestamp: 2025-07-01T14:52:15.217Z
Learning: For installation scripts in the CLP project, maintain consistency in command patterns across different platforms (e.g., using separate update and install commands like `apk update && apk add`, `apt update && apt install`, `yum update && yum install`) rather than platform-specific optimizations, to ensure uniform script structure and readability.

Learnt from: jackluo923
PR: y-scope/clp#1054
File: components/core/tools/scripts/lib_install/musllinux_1_2/install-packages-from-source.sh:6-8
Timestamp: 2025-07-01T14:51:19.172Z
Learning: In CLP installation scripts within `components/core/tools/scripts/lib_install/`, maintain consistency with existing variable declaration patterns across platforms rather than adding individual improvements like `readonly` declarations.

Learnt from: jackluo923
PR: y-scope/clp#1054
File: components/core/tools/scripts/lib_install/musllinux_1_2/install-packages-from-source.sh:6-8
Timestamp: 2025-07-01T14:51:19.172Z
Learning: In CLP installation scripts within `components/core/tools/scripts/lib_install/`, maintain consistency with existing variable declaration patterns across platforms rather than adding individual improvements like `readonly` declarations.

Learnt from: jackluo923
PR: y-scope/clp#1054
File: components/core/tools/scripts/lib_install/musllinux_1_2/install-prebuilt-packages.sh:27-32
Timestamp: 2025-07-07T17:41:15.655Z
Learning: In CLP installation scripts, consistency across platform scripts is prioritized over defensive programming improvements. For example, when extracting Task binaries with tar in `install-prebuilt-packages.sh`, the extraction pattern should remain consistent with other platform scripts rather than adding defensive flags like `--strip-components=1` to handle potential tarball layout changes.

Learnt from: haiqi96
PR: y-scope/clp#594
File: components/clp-package-utils/clp_package_utils/scripts/del_archives.py:56-65
Timestamp: 2024-11-18T16:49:20.248Z
Learning: When reviewing wrapper scripts in `components/clp-package-utils/clp_package_utils/scripts/`, note that it's preferred to keep error handling simple without adding extra complexity.

Learnt from: junhaoliao
PR: y-scope/clp#1078
File: components/webui/server/src/plugins/MongoSocketIoServer/index.ts:105-108
Timestamp: 2025-07-08T17:20:02.560Z
Learning: The y-scope/clp codebase has a 100-character line length limit that takes precedence over other style preferences like template literals when they conflict.

Learnt from: Bill-hbrhbr
PR: y-scope/clp#1122
File: components/core/src/clp/clp/CMakeLists.txt:175-195
Timestamp: 2025-07-23T09:54:45.185Z
Learning: In the CLP project, when reviewing CMakeLists.txt changes that introduce new compression library dependencies (BZip2, LibLZMA, LZ4, ZLIB), the team prefers to address conditional linking improvements in separate PRs rather than expanding the scope of focused migration PRs like the LibArchive task-based installation migration.

Learnt from: quinntaylormitchell
PR: y-scope/clp#968
File: docs/src/user-guide/quick-start/overview.md:73-109
Timestamp: 2025-06-18T20:39:05.899Z
Learning: The CLP project team prefers to use video content to demonstrate detailed procedural steps (like tarball extraction) rather than including every step in the written documentation, keeping the docs focused on conceptual guidance.

Learnt from: anlowee
PR: y-scope/clp#925
File: .github/workflows/clp-s-antlr-generation.yaml:24-27
Timestamp: 2025-05-27T20:04:51.498Z
Learning: The clp codebase uses commit SHAs instead of version tags for GitHub Actions (like actions/checkout) as an established pattern across workflow files.

38 changes: 38 additions & 0 deletions tools/docker-images/clp-package-ubuntu-jammy/build.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
#!/usr/bin/env bash

# Exit on any error
set -e

# Error on undefined variable
set -u

script_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
repo_root=${script_dir}/../../../

arch=$(uname -m)

if [ "$arch" = "x86_64" ]; then
arch_name="x86"
elif [ "$arch" = "aarch64" ]; then
arch_name="arm64"
else
echo "Error: Unsupported architecture - $arch"
exit 1
fi

build_cmd=(
docker build
--tag "clp-package-${arch_name}-ubuntu-jammy:dev"
Copy link
Member

@kirkrodrigues kirkrodrigues Aug 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Similarly, how about naming the image clp-package:dev?

Copy link
Member Author

@junhaoliao junhaoliao Aug 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sure. removing the arch name from the repo name / tag name seems quite beneficial as well

"$repo_root"
--file "${script_dir}/Dockerfile"
)
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick (assertive)

Preflight: fail fast if the package payload is missing

Avoids a confusing Docker build error when build/clp-package hasn’t been produced yet.

 build_cmd=(
     docker build
     --tag "clp-package-${arch_name}-ubuntu-jammy:dev"
     "$repo_root"
     --file "${script_dir}/Dockerfile"
 )
+
+# Ensure build payload exists
+if [ ! -d "${repo_root%/}/build/clp-package" ]; then
+  echo "Error: Missing build/clp-package. Run 'task package' first." >&2
+  exit 1
+fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
build_cmd=(
docker build
--tag "clp-package-${arch_name}-ubuntu-jammy:dev"
"$repo_root"
--file "${script_dir}/Dockerfile"
)
build_cmd=(
docker build
--tag "clp-package-${arch_name}-ubuntu-jammy:dev"
"$repo_root"
--file "${script_dir}/Dockerfile"
)
# Ensure build payload exists
if [ ! -d "${repo_root%/}/build/clp-package" ]; then
echo "Error: Missing build/clp-package. Run 'task package' first." >&2
exit 1
fi


if command -v git >/dev/null && git -C "$script_dir" rev-parse --is-inside-work-tree >/dev/null ;
then
build_cmd+=(
--label "org.opencontainers.image.revision=$(git -C "$script_dir" rev-parse HEAD)"
--label "org.opencontainers.image.source=$(git -C "$script_dir" remote get-url origin)"
)
Copy link
Contributor

@coderabbitai coderabbitai bot Aug 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick (assertive)

Use repository root for Git labels to stay consistent with other image builders

Current call runs git -C "$script_dir", so the commit hash points at this directory, not the repo’s HEAD.
Down-stream tooling (e.g., SBOM, provenance scanners) expects the top-level commit SHAs—mirroring the pattern in existing clp-env-base-* scripts.

-        --label "org.opencontainers.image.revision=$(git -C "$script_dir" rev-parse HEAD)"
-        --label "org.opencontainers.image.source=$(git -C "$script_dir" remote get-url origin)"
+        --label "org.opencontainers.image.revision=$(git -C "$repo_root" rev-parse HEAD)"
+        --label "org.opencontainers.image.source=$(git -C "$repo_root" remote get-url origin)"
🤖 Prompt for AI Agents 
In tools/docker-images/clp-package-ubuntu-jammy/build.sh around lines 30 to 35,
the git commands use "$script_dir" which points to the current directory, not
the repository root. Update the git commands to use the repository root
directory by running `git rev-parse --show-toplevel` to get the root path and
then use `git -C` with that root path for the commit hash and remote URL labels.
This ensures the labels reference the repo's HEAD commit consistently with other
image builders.

fi

"${build_cmd[@]}"
19 changes: 19 additions & 0 deletions tools/docker-images/clp-package-ubuntu-jammy/setup-scripts/install-prebuilt-packages.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,19 @@
#!/usr/bin/env bash

# Exit on any error
set -e

# Error on undefined variable
set -u

apt-get update
DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
ca-certificates \
checkinstall \
curl \
libcurl4 \
libmariadb-dev \
libssl-dev \
python3 \
rsync \
zstd
Loading