Merge branch 'main' into dependabot/go_modules/packages/sandbox-container/native/desktop-wrapper/golang.org/x/image-0.38.0

Author: whoiskatrin

.changeset/process-tree-kill.md

@@ -1,7 +1,7 @@
 #!/bin/bash
 # Copy a container image tag with retries on transient failures.
 #
-# Sourced (not executed) by workflow steps - avoid changing shell options.
+# Sourced (not executed) by workflow steps — avoid changing shell options.
 #
 # Usage: source .github/crane-copy-retry.sh
 #        crane_copy_retry "registry/image:src" "registry/image:dst"
@@ -10,7 +10,7 @@ crane_copy_retry() {
   local src="$1" dst="$2"
   if crane copy "$src" "$dst"; then return 0; fi
   for delay in 10 30; do
-    echo "::warning::crane copy failed for $dst - retrying in ${delay}s"
+    echo "::warning::crane copy failed for $dst — retrying in ${delay}s"
     sleep "$delay"
     if crane copy "$src" "$dst"; then return 0; fi
   done

.github/crane-copy-retry.sh

@@ -204,6 +204,16 @@ jobs:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           NPM_CONFIG_PROVENANCE: true
 
+      - name: Update Docker Hub description
+        uses: peter-evans/dockerhub-description@v4
+        continue-on-error: true
+        with:
+          username: ${{ secrets.DOCKER_HUB_USERNAME }}
+          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
+          repository: cloudflare/sandbox
+          readme-filepath: ./DOCKER_README.md
+          short-description: ${{ github.event.repository.description }}
+
       - name: Publish Docker images to Docker Hub
         if: steps.changesets.outputs.published == 'true'
         run: |

.github/workflows/release.yml

@@ -195,38 +195,56 @@ jobs:
         env:
           CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
 
-      - name: Retag cached images for this PR
+      - name: Retag cached images
+        id: retag-cached
         if: ${{ !inputs.skip_docker && steps.registry-check.outputs.hit == 'true' }}
+        continue-on-error: true
         run: |
           source .github/load-docker-images.sh
+          source .github/crane-copy-retry.sh
           REGISTRY="registry.cloudflare.com/${{ secrets.CLOUDFLARE_ACCOUNT_ID }}"
           HASH="${{ inputs.docker_hash }}"
           TAG="${{ inputs.image_tag }}"
-          pids=()
+          failed=0
           for image in "${DOCKER_IMAGES[@]}"; do
-            crane copy "${REGISTRY}/${image}:ci-${HASH}" "${REGISTRY}/${image}:${TAG}" &
-            pids+=($!)
+            crane_copy_retry "${REGISTRY}/${image}:ci-${HASH}" "${REGISTRY}/${image}:${TAG}" || failed=1
           done
-          for pid in "${pids[@]}"; do wait "$pid"; done
+          exit "$failed"
         env:
           CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
 
-      # --- Full Docker build (only when registry miss) ---
+      - name: Resolve Docker path
+        id: docker-path
+        if: ${{ !inputs.skip_docker }}
+        run: |
+          if [[ "${{ steps.registry-check.outputs.hit }}" != "true" ]]; then
+            echo "build=true" >> $GITHUB_OUTPUT
+            echo "::notice::Docker path: full build (cache miss)"
+          elif [[ "${{ steps.retag-cached.outcome }}" == "failure" ]]; then
+            echo "build=true" >> $GITHUB_OUTPUT
+            echo "::warning::Docker path: full build (retag failed, falling back)"
+          else
+            echo "build=false" >> $GITHUB_OUTPUT
+            echo "::notice::Docker path: cache retag"
+          fi
+
+      # --- Full Docker build (cache miss or retag fallback) ---
 
       - name: Set up Docker Buildx
-        if: ${{ !inputs.skip_docker && steps.registry-check.outputs.hit != 'true' }}
+        if: ${{ !inputs.skip_docker && steps.docker-path.outputs.build == 'true' }}
         uses: docker/setup-buildx-action@v3
 
       - name: Login to GHCR (for build cache)
-        if: ${{ !inputs.skip_docker && steps.registry-check.outputs.hit != 'true' }}
+        if: ${{ !inputs.skip_docker && steps.docker-path.outputs.build == 'true' }}
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
 
       - name: Read Bun version
         id: bun-version
+        if: ${{ !inputs.skip_docker && steps.docker-path.outputs.build == 'true' }}
         run: echo "version=$(cat .bun-version)" >> $GITHUB_OUTPUT
 
       - name: Build Docker images (bake)
-        if: ${{ !inputs.skip_docker && steps.registry-check.outputs.hit != 'true' }}
+        if: ${{ !inputs.skip_docker && steps.docker-path.outputs.build == 'true' }}
         uses: docker/bake-action@v6
         env:
           TAG: ${{ inputs.image_tag }}
@@ -240,22 +258,22 @@ jobs:
           load: true
 
       - name: Push base image to CF registry
-        if: ${{ !inputs.skip_docker && steps.registry-check.outputs.hit != 'true' }}
+        if: ${{ !inputs.skip_docker && steps.docker-path.outputs.build == 'true' }}
         run: npx wrangler containers push sandbox:${{ inputs.image_tag }}
         env:
           CLOUDFLARE_API_TOKEN: ${{ secrets.CLOUDFLARE_API_TOKEN }}
           CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
 
       - name: Build standalone image
-        if: ${{ !inputs.skip_docker && steps.registry-check.outputs.hit != 'true' }}
+        if: ${{ !inputs.skip_docker && steps.docker-path.outputs.build == 'true' }}
         run: |
           docker buildx build \
             --build-arg BASE_IMAGE=registry.cloudflare.com/${{ secrets.CLOUDFLARE_ACCOUNT_ID }}/sandbox:${{ inputs.image_tag }} \
             --load -t sandbox-standalone:${{ inputs.image_tag }} \
             -f tests/e2e/test-worker/Dockerfile.standalone tests/e2e/test-worker
 
       - name: Push remaining images to CF registry
-        if: ${{ !inputs.skip_docker && steps.registry-check.outputs.hit != 'true' }}
+        if: ${{ !inputs.skip_docker && steps.docker-path.outputs.build == 'true' }}
         run: |
           source .github/load-docker-images.sh
           TAG="${{ inputs.image_tag }}"
@@ -271,24 +289,24 @@ jobs:
           CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
 
       - name: Tag images with content hash
-        if: ${{ !inputs.skip_docker && steps.registry-check.outputs.hit != 'true' && inputs.docker_hash != '' }}
+        if: ${{ !inputs.skip_docker && steps.docker-path.outputs.build == 'true' && inputs.docker_hash != '' }}
         run: |
           source .github/load-docker-images.sh
+          source .github/crane-copy-retry.sh
           REGISTRY="registry.cloudflare.com/${{ secrets.CLOUDFLARE_ACCOUNT_ID }}"
           HASH="${{ inputs.docker_hash }}"
           TAG="${{ inputs.image_tag }}"
-          pids=()
+          failed=0
           for image in "${DOCKER_IMAGES[@]}"; do
-            crane copy "${REGISTRY}/${image}:${TAG}" "${REGISTRY}/${image}:ci-${HASH}" &
-            pids+=($!)
+            crane_copy_retry "${REGISTRY}/${image}:${TAG}" "${REGISTRY}/${image}:ci-${HASH}" || failed=1
           done
-          for pid in "${pids[@]}"; do wait "$pid"; done
+          exit "$failed"
         env:
           CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
 
       - name: Report image status
         id: image-status
-        if: always()
+        if: ${{ !cancelled() }}
         run: |
           if [[ "${{ inputs.skip_docker }}" == "true" ]]; then
             echo "changed=false" >> $GITHUB_OUTPUT

.github/workflows/reusable-build.yml

@@ -0,0 +1,48 @@
+# Cloudflare Sandbox
+
+Secure, isolated code execution containers for [Cloudflare Workers](https://developers.cloudflare.com/workers/). Run untrusted code safely — execute commands, manage files, run background processes, and expose services from your Workers applications.
+
+## Image Variants
+
+All images are published as tags on `cloudflare/sandbox`:
+
+| Tag                  | Base         | Description                                                    |
+| -------------------- | ------------ | -------------------------------------------------------------- |
+| `<version>`          | Ubuntu 22.04 | Default — Node.js 20, Bun, Git, curl, jq, and common utilities |
+| `<version>-python`   | Ubuntu 22.04 | Default + Python 3.11 with matplotlib, numpy, pandas, ipython  |
+| `<version>-opencode` | Ubuntu 22.04 | Default + [OpenCode](https://opencode.ai) CLI                  |
+| `<version>-musl`     | Alpine 3.21  | Minimal Alpine-based image with Git, curl, and bash            |
+| `<version>-desktop`  | Ubuntu 22.04 | Full Linux desktop (XFCE) with Xvfb, VNC, and noVNC            |
+
+## Usage
+
+These images are designed to be used with the [`@cloudflare/sandbox`](https://www.npmjs.com/package/@cloudflare/sandbox) SDK. Reference them in your project's `Dockerfile`:
+
+```dockerfile
+FROM cloudflare/sandbox:0.8.3-python
+```
+
+Then configure your `wrangler.toml` to use the image:
+
+```toml
+[containers]
+image = "./Dockerfile"
+max_instances = 1
+```
+
+See the [Getting Started guide](https://developers.cloudflare.com/sandbox/get-started/) for a complete walkthrough.
+
+## Architecture
+
+Each image runs a lightweight HTTP server (port 3000) that the Sandbox SDK communicates with. The server handles command execution, file operations, process management, and port exposure. Images are built for `linux/amd64`.
+
+## Documentation
+
+- [Full Documentation](https://developers.cloudflare.com/sandbox/)
+- [API Reference](https://developers.cloudflare.com/sandbox/api/)
+- [Examples](https://github.com/cloudflare/sandbox-sdk/tree/main/examples)
+- [GitHub Repository](https://github.com/cloudflare/sandbox-sdk)
+
+## License
+
+[Apache License 2.0](https://github.com/cloudflare/sandbox-sdk/blob/main/LICENSE)

DOCKER_README.md

@@ -1,4 +1,4 @@
-FROM docker.io/cloudflare/sandbox:0.8.0-musl
+FROM docker.io/cloudflare/sandbox:0.8.3-musl
 
 # Required during local development to access exposed ports
 EXPOSE 8080

examples/alpine/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/cloudflare/sandbox:0.8.0
+FROM docker.io/cloudflare/sandbox:0.8.3
 
 # Required during local development to access exposed ports
 EXPOSE 8080

examples/authentication/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/cloudflare/sandbox:0.8.0
+FROM docker.io/cloudflare/sandbox:0.8.3
 RUN npm install -g @anthropic-ai/claude-code
 ENV COMMAND_TIMEOUT_MS=300000
 EXPOSE 3000

examples/claude-code/Dockerfile

@@ -1 +1 @@
-FROM docker.io/cloudflare/sandbox:0.8.0-python
+FROM docker.io/cloudflare/sandbox:0.8.3-python

examples/code-interpreter/Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/cloudflare/sandbox:0.8.0
+FROM docker.io/cloudflare/sandbox:0.8.3
 
 # Required during local development to access exposed ports
 EXPOSE 8080