charles/claude-hooks

Fork

You've already forked claude-hooks

Code Issues 10 Pull requests Projects Releases Packages 1 Wiki Activity Actions

Containers: image build + multi-arch publish #18

New issue

Closed

opened 2026-04-17 12:43:11 +00:00 by claude-desktop · 0 comments

claude-desktop commented

2026-04-17 12:43:11 +00:00

Collaborator

Copy link

User story

As an operator, I want a single multi-arch Docker image that bundles every runtime worker dependency (Bun, git, forgejo-mcp, Claude Code CLI), published to the Forgejo registry on release, so that the container-runtime story (#19) has a stable image to pull.

Split out of the original containerisation story (#17).

Acceptance criteria

Image

Dockerfile in the repo root
Base: debian:bookworm-slim pinned by digest
Non-root claude user with an empty $HOME at /home/claude
Installs: bun (pinned), git, forgejo-mcp (decide: AUR binary vs. build-from-source vs. registry download — document), python3, Claude Code CLI (pinned version)
Builds on linux/amd64 and linux/arm64 via docker buildx
Target image size < 500 MB
.dockerignore excludes node_modules, .cache, test output, etc.

CI

.forgejo/workflows/release.yml gains a publish-image job that runs after the build-x86_64 / build-aarch64 jobs and pushes both latest and v${VERSION} tags to the Forgejo registry
Image digest is recorded in the release notes
.forgejo/workflows/qa.yml builds the image on every push (no publish) to catch Dockerfile regressions early

Tests

CI smoke test: run the built image with --rm and exercise bun --version, git --version, forgejo-mcp --help, Claude Code CLI help
CI filesystem check: confirm the image contains no .claude.json, no .credentials.json, no .config/claude-hooks anywhere

Out of scope

Runtime orchestration (per-agent containers, tokens, volumes) — #19
just recipes, systemd, rolling updates, README — #20
Rootless Docker, seccomp, AppArmor profiles — revisit after measuring

References

Parent tracking issue: #17
Security incident motivating the milestone: 2026-04-17 dev-agent identity leak (commit bab386a)

Dependencies

Blocked by: none
Blocks: #19 (runtime)
Branch off: main
Full graph: #17

## User story As an **operator**, I want a single multi-arch Docker image that bundles every runtime worker dependency (Bun, git, forgejo-mcp, Claude Code CLI), published to the Forgejo registry on release, so that the container-runtime story (#19) has a stable image to pull. Split out of the original containerisation story (#17). ## Acceptance criteria ### Image - [ ] `Dockerfile` in the repo root - [ ] Base: `debian:bookworm-slim` pinned by digest - [ ] Non-root `claude` user with an empty `$HOME` at `/home/claude` - [ ] Installs: `bun` (pinned), `git`, `forgejo-mcp` (decide: AUR binary vs. build-from-source vs. registry download — document), `python3`, Claude Code CLI (pinned version) - [ ] Builds on `linux/amd64` and `linux/arm64` via `docker buildx` - [ ] Target image size < 500 MB - [ ] `.dockerignore` excludes `node_modules`, `.cache`, test output, etc. ### CI - [ ] `.forgejo/workflows/release.yml` gains a `publish-image` job that runs after the `build-x86_64` / `build-aarch64` jobs and pushes both `latest` and `v${VERSION}` tags to the Forgejo registry - [ ] Image digest is recorded in the release notes - [ ] `.forgejo/workflows/qa.yml` builds the image on every push (no publish) to catch Dockerfile regressions early ### Tests - [ ] CI smoke test: run the built image with `--rm` and exercise `bun --version`, `git --version`, `forgejo-mcp --help`, Claude Code CLI help - [ ] CI filesystem check: confirm the image contains no `.claude.json`, no `.credentials.json`, no `.config/claude-hooks` anywhere ## Out of scope - Runtime orchestration (per-agent containers, tokens, volumes) — #19 - `just` recipes, systemd, rolling updates, README — #20 - Rootless Docker, seccomp, AppArmor profiles — revisit after measuring ## References - Parent tracking issue: #17 - Security incident motivating the milestone: 2026-04-17 dev-agent identity leak (commit `bab386a`) ## Dependencies - **Blocked by:** none - **Blocks:** #19 (runtime) - **Branch off:** `main` - **Full graph:** #17

claude-desktop added this to the Containerised workers milestone

2026-04-17 12:44:07 +00:00

claude-desktop referenced this issue

2026-04-17 12:44:24 +00:00

Containers: per-agent runtime + state volumes #19

claude-desktop referenced this issue

2026-04-17 12:44:29 +00:00

Containers: orchestration, systemd, rolling updates, docs #20

claude-desktop added the

area:infra

type:user-story

labels

2026-04-17 12:44:30 +00:00

claude-desktop referenced this issue

2026-04-17 12:44:51 +00:00

Tracking: containerised workers #17

dev was assigned by code-lead

2026-04-17 12:54:34 +00:00

dev was unassigned by charles

2026-04-17 13:21:12 +00:00

dev was assigned by charles

2026-04-17 13:21:16 +00:00

code-lead referenced this issue

2026-04-17 13:34:15 +00:00

feat(container): per-agent runtime and state volume primitives #22

dev referenced this issue from a commit

2026-04-17 13:34:16 +00:00

feat(infra): add multi-arch Docker image build and publish

dev referenced this issue from a pull request that will close it,

2026-04-17 13:34:28 +00:00

feat(infra): multi-arch Docker image build and publish #23

code-lead referenced this issue from a commit

2026-04-17 15:00:09 +00:00

feat(container): per-agent runtime and state volume primitives (#22)

charles referenced this issue from a commit

2026-04-17 16:31:39 +00:00

fix(ci): static Dockerfile audit on PR, full build deferred to release

claude-desktop referenced this issue

2026-04-17 16:32:04 +00:00

Containers: release runner with docker access + restore runtime image smoke tests #26

reviewer referenced this issue

2026-04-17 16:35:24 +00:00

feat(infra): multi-arch Docker image build and publish #23

charles closed this issue

2026-04-17 16:38:44 +00:00

charles referenced this issue from a commit

2026-04-17 16:38:44 +00:00

feat(infra): multi-arch Docker image build and publish (#23)

claude-desktop referenced this issue

2026-04-17 21:17:54 +00:00

Containers: integration fixes before first flip — CMD + credentials mount path #27

No Branch/Tag specified

main

chore/sync-pre-push-from-forge-base

fix/flows-yaml-dispatch-identity

feat/board-tap-to-assign

dev/1107

code-lead/1106

code-lead/1108

dev/1104

code-lead/1103

code-lead/1080

dev/1087

feat/flows-yaml-ci-events

chore/board-drop-stalled-and-density-controls

fix/flows-yaml-routes-always-register

flows-yaml/api-defaults

dev/1023

fix/event-log-history-bleed

fix/janitor-fix-ci-logs-and-cap

dev/1022

fix/board-card-provider

code-lead/1036

dev/1025

code-lead/1020

dev/1017

code-lead/1026

feat/web-shortcut-registry-1018

dev/1015

code-lead/1009

code-lead/1008

dev/975

dev/969

dev/973

dev/967

code-lead/968

code-lead/953

dev/970

dev/976

code-lead/966

code-lead/956

code-lead/951

dev/962

dev/963

dev/977

dev/955

dev/983

dev/961

dev/974

code-lead/950

code-lead/939

dev/941

dev/940

dev/937

dev/938

dev/936

dev/935

feat/web-i18n-fr-locale

feat/spec-editor-ui-polish

chore/drop-legacy-compat

fix/skills-drop-preview-pane

fix/882-skills-safety-rail

dev/911

dev/909

dev/923

dev/917

dev/915

feat/879-sr11-m2-drop-legacy-skill

code-lead/873

dev/881

code-lead/869

dev/867

code-lead/845

code-lead/843

code-lead/844

dev/837

dev/861

dev/849

code-lead/837

code-lead/842

fix/dedup-rebase-inflight

dev/838

code-lead/847

dev/833

code-lead/848

pr/838

code-lead/841

feat/settings-save-bar/836

code-lead/840

dev/846

code-lead/839

dev/832

fix/board-sse-stale-cache

dev/834

dev/835

feat/settings-breadcrumbs

feat/forge-oauth-credentials

refactor/service-config-consolidation

feat/agent-tokens-to-secrets

feat/gitlab-oauth-to-db

feat/authelia-rip-and-voice-fixes

fix/rebase-storm-and-dead-letter

code-lead/797

code-lead/796

dev/811

code-lead/798

dev/810

code-lead/795

dev/808

code-lead/794

dev/805

dev/802

dev/803

feat/avatar-menu-settings-entry

feat/per-agent-token-tracking

dev/793

dev/747

dev/752

code-lead/790

code-lead/759

dev/756

dev/760

dev/741

dev/767

dev/740

dev/709

dev/644

dev/637

boss/614

dev/600

dev/611

dev/585

fix/login-bonus-fixes

boss/544

dev/542

refactor/api-prefix-and-session-gate

dev/489

boss/531

boss/518

dev/499

boss/516

dev/530

dev/517

dev/519

dev/515

dev/522

dev/503

dev/471

boss/329

dev/417

dev/418

dev/402

boss/327

dev/334

dev/332

boss/326

boss/325

dev/331

boss/324

boss/323

boss/322

dev/294

test/s11-task-analytics

dev/262

boss/270

dev/268

foreman/ui-consolidation-spec

dev/234

boss/196

boss/176

boss/164

fix/124-session-persist-bind

boss/52

dev/87

boss/73

dev/77

dev/81

dev/82

boss/79

dev/42

dev/35

boss/7

No results found.

Labels

Clear labels

area:agents

Agent types, pool scheduling, per-instance config

area:dashboard

Dashboard UI and observability surfaces

area:database

DB layer — schema, migrations, ORM, raw SQL

area:design

UI/UX mockup work — routes to designer agent

area:design-review

Design review dispatch — routes to design-reviewer agent

area:flows

Flow runner — YAML loader, executor, op registry, expression eval

area:infra

Deployment, isolation, containers, systemd units

area:meta

Tracking, scaffolding, project setup

area:security

Security — routes to reviewer-security (opus)

area:sessions

Session-id store, Claude SDK resume logic

area:webhook

Forgejo webhook routing and handlers

area:workdir

Clone cache, worktrees, git identity

security

Security-sensitive issue

Tracking or decisions, not implementation work

No labels

Milestone

Clear milestone

No items

No milestone

Containerised workers

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

dev

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

charles/claude-hooks#18

Reference in a new issue

Repository

charles/claude-hooks

Title

Body

No description provided.

Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?

Rows
Columns