| 1 | +# rhdh-fullsend |
| 2 | + |
| 3 | +Custom fullsend sandbox images for the RHDH team's agent infrastructure. |
| 4 | + |
| 5 | +## Why this repo exists |
| 6 | + |
| 7 | +The upstream [fullsend-code](https://github.com/fullsend-ai/fullsend) sandbox |
| 8 | +image ships with Go, Python, and shell tooling but no JavaScript package |
| 9 | +manager. The rhdh-plugins monorepo (23 workspaces, yarn) requires yarn to run |
| 10 | +tests, linting, and OpenSpec validation. Without it baked into the image, agents |
| 11 | +spend 10-15 minutes bootstrapping corepack/yarn on every run — and the |
| 12 | +workaround (a `host_files`-mounted shell script) is fragile. |
| 13 | + |
| 14 | +This repo builds a single image that extends `fullsend-code:latest` with |
| 15 | +corepack and yarn pre-activated. |
| 16 | + |
| 17 | +## Image |
| 18 | + |
| 19 | +``` |
| 20 | +ghcr.io/fullsend-ai/fullsend-code:latest (upstream) |
| 21 | + └── ghcr.io/redhat-developer/rhdh-fullsend-code:latest (this repo) |
| 22 | +``` |
| 23 | + |
| 24 | +| What's added | Why | |
| 25 | +|-------------|-----| |
| 26 | +| `corepack enable` | `/usr` is read-only in the sandbox — can't enable at runtime | |
| 27 | +| `corepack prepare yarn@stable` | Pre-downloads yarn binary, zero cold-start | |
| 28 | +| `/usr/local/bin/yarn` wrapper | Git hooks (husky) run in subprocesses without the agent's PATH | |
| 29 | + |
| 30 | +## Tags |
| 31 | + |
| 32 | +| Tag | When | Use | |
| 33 | +|-----|------|-----| |
| 34 | +| `latest` | Push to `main` | Production — harness configs reference this | |
| 35 | +| `dev` | Any non-PR build | Testing and CI | |
| 36 | +| `X.Y.Z` | Tag push `v*` | Immutable release pin | |
| 37 | +| `X.Y` | Tag push `v*` | Floating minor for auto-patch | |
| 38 | +| `<sha>` | Every non-PR build | Debugging and rollback | |
| 39 | + |
| 40 | +PRs build but don't push (validation only). |
| 41 | + |
| 42 | +## Usage |
| 43 | + |
| 44 | +Reference in your fullsend harness config: |
| 45 | + |
| 46 | +```yaml |
| 47 | +# .fullsend/customized/harness/code.yaml |
| 48 | +image: ghcr.io/redhat-developer/rhdh-fullsend-code:latest |
| 49 | +``` |
| 50 | +
| 51 | +This replaces the `sandbox-yarn-setup.sh` + `host_files` workaround. |
| 52 | + |
| 53 | +## Local build |
| 54 | + |
| 55 | +```bash |
| 56 | +podman build -t rhdh-fullsend-code:local \ |
| 57 | + -f images/code/Containerfile images/code/ |
| 58 | +``` |
| 59 | + |
| 60 | +## Adding more tools |
| 61 | + |
| 62 | +Edit `images/code/Containerfile`. Follow the upstream pattern: |
| 63 | +- Pin versions via `ARG` |
| 64 | +- Verify checksums with `sha256sum -c` for binary downloads |
| 65 | +- Keep `USER sandbox` as the last line |
| 66 | + |
| 67 | +## Upstream tracking |
| 68 | + |
| 69 | +This image inherits everything from `fullsend-code:latest`. When upstream |
| 70 | +updates their base image (Claude Code, gitleaks, Go, etc.), our image picks |
| 71 | +it up automatically on the next rebuild. Pin `BASE_IMAGE` to a specific |
| 72 | +digest if you need reproducibility: |
| 73 | + |
| 74 | +```dockerfile |
| 75 | +ARG BASE_IMAGE=ghcr.io/fullsend-ai/fullsend-code@sha256:abc123... |
| 76 | +``` |
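Review bot: the Usage snippet (`image: ghcr.io/redhat-developer/rhdh-fullsend-code:latest`) points production harness configs at a mutable tag, which contradicts the Tags table listing `X.Y.Z` as the "Immutable release pin" and the Upstream tracking section's own advice to pin `BASE_IMAGE` to a digest for reproducibility. Suggest showing the pinned form in the example, e.g. `image: ghcr.io/redhat-developer/rhdh-fullsend-code:X.Y.Z` (or an `@sha256:` digest), and reserving `latest` for the `dev`/testing path. Related: since the image is built from `fullsend-code:latest` by default, even a `v*` tag build is only as reproducible as whatever upstream `latest` resolved to at build time; consider making the digest-pinned `BASE_IMAGE` the default in `images/code/Containerfile` and bumping it deliberately, so a rebuild of the same tag cannot silently pick up a different base (Claude Code, gitleaks, Go, etc.).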