bapung/ngn-agent
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore: optimize docker image (3 layers), update registry tag, update state

Browse Source
This commit is contained in:
Bagas Purwa Sentika
2026-06-16 00:11:03 +08:00
parent 4520237754
commit 607f3bffb6
3 changed files with 50 additions and 113 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
.planning/STATE.md
View File

@@ -3,15 +3,15 @@ gsd_state_version: 1.0
milestone: v1.1 milestone: v1.1
milestone_name: Session Lifecycle, Memory & Reporting milestone_name: Session Lifecycle, Memory & Reporting
status: executing status: executing
stopped_at: Phase 9 context gathered stopped_at: Phase 9 complete — v1.1 all phases done
last_updated: "2026-06-15T15:03:12.180Z" last_updated: "2026-06-15T15:31:44.084Z"
last_activity: 2026-06-15 -- Phase 08 execution started last_activity: 2026-06-15 -- Phase 09 execution started
progress: progress:
total_phases: 5 total_phases: 5
completed_phases: 4 completed_phases: 5
total_plans: 5 total_plans: 7
completed_plans: 5 completed_plans: 7
percent: 80 percent: 100
--- ---
# Project State # Project State
@@ -21,14 +21,14 @@ progress:
See: .planning/PROJECT.md (updated 2026-06-14) See: .planning/PROJECT.md (updated 2026-06-14)
**Core value:** Agent must NEVER mutate real infrastructure beyond what the limited IAM role permits **Core value:** Agent must NEVER mutate real infrastructure beyond what the limited IAM role permits
**Current focus:** Phase 08cron-reporting **Current focus:** Phase 09tooling-portable-setup
## Current Position ## Current Position
Phase: 08 (cron-reporting) — EXECUTING Phase: 09 (tooling-portable-setup) — EXECUTING
Plan: 1 of 2 Plan: 1 of 2
Status: Executing Phase 08 Status: Executing Phase 09
Last activity: 2026-06-15 -- Phase 08 execution started Last activity: 2026-06-15 -- Phase 09 execution started
Progress: [░░░░░░░░░░] 0% Progress: [░░░░░░░░░░] 0%
@@ -70,7 +70,7 @@ None yet.
## Session Continuity ## Session Continuity
Last session: 2026-06-15T15:03:12.173Z Last session: 2026-06-15T15:31:44.073Z
Stopped at: Phase 9 context gathered Stopped at: Phase 9 complete — v1.1 all phases done
Resume file: .planning/phases/09-tooling-portable-setup/09-CONTEXT.md Resume file: .planning/phases/09-tooling-portable-setup/09-02-SUMMARY.md
Next action: /gsd-plan-phase 5 (Hindsight Memory Provider) Next action: /gsd-plan-phase 5 (Hindsight Memory Provider)

107
docker/Dockerfile
View File

@@ -1,112 +1,53 @@
# ============================================================================= FROM nikolaik/python-nodejs:python3.11-nodejs20 AS base
# ngn-agent Docker Image — Custom Hermes image with platform engineering tools
# =============================================================================
# D-01: Base image tag python3.11-nodejs20 — verify availability at build time;
# if manifest not found, update to python3.11-nodejs22-bookworm
# (Node.js 20 EOL April 2026).
FROM nikolaik/python-nodejs:python3.11-nodejs20
LABEL description="ngn-agent: Custom Hermes Docker image with platform engineering tools" LABEL description="ngn-agent: Custom Hermes Docker image with platform engineering tools"
LABEL maintainer="ngn-agent" LABEL maintainer="ngn-agent"
# =============================================================================
# Tool version pinning (D-02: pin for reproducibility)
# =============================================================================
ARG TERRAFORM_VERSION=1.15.6 ARG TERRAFORM_VERSION=1.15.6
ARG HELM_VERSION=4.2.0 ARG HELM_VERSION=4.2.0
ARG KUBECTL_VERSION=1.36.1 ARG KUBECTL_VERSION=1.36.1
ARG PUPP_VERSION=1.1.0 ARG PUPP_VERSION=1.1.0
# ============================================================================= SHELL ["/bin/bash", "-o", "pipefail", "-c"]
# Install system dependencies (single RUN, clean apt lists after)
# =============================================================================
RUN apt-get update && apt-get install -y --no-install-recommends \ RUN apt-get update && apt-get install -y --no-install-recommends \
curl \ curl ca-certificates unzip gnupg wget \
ca-certificates \ && wget -O- https://apt.releases.hashicorp.com/gpg 2>/dev/null \
unzip \
gnupg \
wget \
&& rm -rf /var/lib/apt/lists/*
# =============================================================================
# Install AWS CLI v2 (D-03: official curl → unzip → ./aws/install method)
# No apt repo for v2 — use the bundled installer.
# Architecture detection: supports x86_64 and arm64 (aarch64).
# T-09-01: download over HTTPS.
# =============================================================================
RUN ARCH=$(uname -m) && \
case "$ARCH" in \
x86_64) AWS_URL="https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" ;; \
aarch64) AWS_URL="https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" ;; \
*) echo "Unsupported architecture: $ARCH" >&2; exit 1 ;; \
esac && \
curl -fsSL "$AWS_URL" -o "awscliv2.zip" \
&& unzip -q awscliv2.zip \
&& ./aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli \
&& rm -rf awscliv2.zip aws/
# =============================================================================
# Install Terraform (D-03: HashiCorp apt repo, version-pinned)
# T-09-01: HTTPS + GPG key verification.
# =============================================================================
RUN wget -O- https://apt.releases.hashicorp.com/gpg 2>/dev/null \
| gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg \ | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg \
&& . /etc/os-release && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com ${VERSION_CODENAME} main" \ && curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.36/deb/Release.key \
| tee /etc/apt/sources.list.d/hashicorp.list > /dev/null \
&& apt-get update && apt-get install -y --no-install-recommends terraform=${TERRAFORM_VERSION}-1 \
&& rm -rf /var/lib/apt/lists/*
# =============================================================================
# Install kubectl (D-03: Google Kubernetes apt repo)
# NOT version-pinned — must match target cluster version.
# T-09-01: HTTPS + GPG key verification.
# =============================================================================
RUN curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.36/deb/Release.key \
| gpg --dearmor -o /usr/share/keyrings/kubernetes-apt-keyring.gpg \ | gpg --dearmor -o /usr/share/keyrings/kubernetes-apt-keyring.gpg \
&& curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey \
| gpg --dearmor -o /usr/share/keyrings/helm.gpg \
&& . /etc/os-release \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com ${VERSION_CODENAME} main" \
| tee /etc/apt/sources.list.d/hashicorp.list > /dev/null \
&& echo 'deb [signed-by=/usr/share/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.36/deb/ /' \ && echo 'deb [signed-by=/usr/share/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.36/deb/ /' \
| tee /etc/apt/sources.list.d/kubernetes.list > /dev/null \ | tee /etc/apt/sources.list.d/kubernetes.list > /dev/null \
&& apt-get update && apt-get install -y --no-install-recommends kubectl \
&& rm -rf /var/lib/apt/lists/*
# =============================================================================
# Install Helm (D-03: Buildkite apt repo, version-pinned)
# T-09-01: HTTPS + GPG key verification.
# =============================================================================
RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey \
| gpg --dearmor -o /usr/share/keyrings/helm.gpg \
&& echo "deb [signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \ && echo "deb [signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \
| tee /etc/apt/sources.list.d/helm-stable-debian.list > /dev/null \ | tee /etc/apt/sources.list.d/helm-stable-debian.list > /dev/null \
&& apt-get update && apt-get install -y --no-install-recommends helm=${HELM_VERSION}-1 \ && apt-get update && apt-get install -y --no-install-recommends \
terraform=${TERRAFORM_VERSION}-1 \
kubectl \
helm=${HELM_VERSION}-1 \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
# =============================================================================
# Install Datadog CLI — pup (D-03: GitHub releases binary)
# Architecture detection: supports x86_64 and arm64 (aarch64).
# T-09-01: download over HTTPS.
# =============================================================================
RUN ARCH=$(uname -m) && \ RUN ARCH=$(uname -m) && \
case "$ARCH" in \ case "$ARCH" in \
x86_64) PUPP_ARCH="x86_64" ;; \ x86_64) AWS_URL="https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"; PUPP_ARCH="x86_64" ;; \
aarch64) PUPP_ARCH="arm64" ;; \ aarch64) AWS_URL="https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip"; PUPP_ARCH="arm64" ;; \
*) echo "Unsupported architecture: $ARCH" >&2; exit 1 ;; \ *) echo "Unsupported architecture: $ARCH" >&2; exit 1 ;; \
esac && \ esac \
curl -fsSL "https://github.com/DataDog/pup/releases/download/v${PUPP_VERSION}/pup_${PUPP_VERSION}_Linux_${PUPP_ARCH}.tar.gz" \ && curl -fsSL "$AWS_URL" -o /tmp/awscliv2.zip \
-o /tmp/pup.tar.gz \ && unzip -q /tmp/awscliv2.zip -d /tmp \
&& /tmp/aws/install --bin-dir /usr/local/bin --install-dir /usr/local/aws-cli \
&& curl -fsSL "https://github.com/DataDog/pup/releases/download/v${PUPP_VERSION}/pup_${PUPP_VERSION}_Linux_${PUPP_ARCH}.tar.gz" -o /tmp/pup.tar.gz \
&& tar xzf /tmp/pup.tar.gz -C /usr/local/bin/ pup \ && tar xzf /tmp/pup.tar.gz -C /usr/local/bin/ pup \
&& rm -f /tmp/pup.tar.gz && rm -rf /tmp/awscliv2.zip /tmp/aws /tmp/pup.tar.gz \
&& echo "=== Tool versions ===" \
# =============================================================================
# Verify all tool installations
# =============================================================================
RUN echo "=== Tool versions ===" \
&& aws --version \ && aws --version \
&& terraform --version \ && terraform --version \
&& helm version --short \ && helm version --short \
&& kubectl version --client --output=yaml 2>/dev/null | grep gitVersion || true \ && kubectl version --client --output=yaml 2>/dev/null | grep gitVersion || true \
&& pup --version || true && pup --version || true
# =============================================================================
# Default command (matching base image behavior)
# =============================================================================
CMD ["bash"] CMD ["bash"]

28
docker/build.sh
View File

@@ -1,26 +1,22 @@
#!/bin/bash #!/bin/bash
# =============================================================================
# ngn-agent Docker Image Build Script
#
# D-04: Single-command build entry point at docker/build.sh.
# Builds the custom Hermes Docker image with platform engineering tools.
# D-05: Tag: ngn-agent:latest (local only, no registry push).
# =============================================================================
set -euo pipefail set -euo pipefail
IMAGE_NAME="ngn-agent" REGISTRY="${REGISTRY:-gitea.bpg.pw/bapung/ngn-agent}"
IMAGE_TAG="latest" BUILD_TAG="${BUILD_TAG:-latest}"
# Resolve script location — ensures build context is the docker/ directory
# (not the repo root, preventing accidental build context leaks — T-09-02)
DOCKER_DIR="$(cd "$(dirname "$0")" && pwd)" DOCKER_DIR="$(cd "$(dirname "$0")" && pwd)"
echo "==> Building ${IMAGE_NAME}:${IMAGE_TAG}..." echo "==> Building ${REGISTRY}:${BUILD_TAG}..."
docker build \ docker build \
-t "${IMAGE_NAME}:${IMAGE_TAG}" \ -t "${REGISTRY}:${BUILD_TAG}" \
-f "${DOCKER_DIR}/Dockerfile" \ -f "${DOCKER_DIR}/Dockerfile" \
"${DOCKER_DIR}" "${DOCKER_DIR}"
echo "==> Build complete: ${IMAGE_NAME}:${IMAGE_TAG}" echo "==> Build complete: ${REGISTRY}:${BUILD_TAG}"
docker images "${IMAGE_NAME}:${IMAGE_TAG}" docker images "${REGISTRY}:${BUILD_TAG}"
if [[ "${1:-}" == "--push" ]]; then
echo "==> Pushing to ${REGISTRY}:${BUILD_TAG}..."
docker push "${REGISTRY}:${BUILD_TAG}"
echo "==> Push complete"
fi