feat(ci): allow for supporting multi-arch images to be built and shipped#787
Open
knechtionscoding wants to merge 1 commit intokelos-dev:mainfrom
Open
feat(ci): allow for supporting multi-arch images to be built and shipped#787knechtionscoding wants to merge 1 commit intokelos-dev:mainfrom
knechtionscoding wants to merge 1 commit intokelos-dev:mainfrom
Conversation
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
There was a problem hiding this comment.
4 issues found across 9 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="cursor/Dockerfile">
<violation number="1" location="cursor/Dockerfile:1">
P2: Builder toolchain is decoupled from `GO_VERSION` and uses a floating Go tag, reducing build reproducibility and risking version drift.</violation>
</file>
<file name="cmd/kelos-spawner/Dockerfile">
<violation number="1" location="cmd/kelos-spawner/Dockerfile:1">
P2: New builder base image uses a floating tag (`golang:1.25`), which can cause non-reproducible builds and external version drift.</violation>
</file>
<file name="gemini/Dockerfile">
<violation number="1" location="gemini/Dockerfile:1">
P2: Builder stage uses a floating Go image tag, making release artifacts non-reproducible across rebuilds.</violation>
</file>
<file name="claude-code/Dockerfile">
<violation number="1" location="claude-code/Dockerfile:1">
P2: New builder stage uses an unpinned `golang` image tag, making shipped binary builds non-deterministic and vulnerable to upstream image drift.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
github-actions
bot
added
needs-triage
needs-kind
There was a problem hiding this comment.
1 issue found across 5 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="cmd/kelos-token-refresher/Dockerfile">
<violation number="1" location="cmd/kelos-token-refresher/Dockerfile:10">
P2: The Dockerfile now builds `kelos-token-refresher` twice: once via `go build` and again via `make build`, which overwrites the same output. This makes the new build step redundant and risks different build flags being used in the final binary.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
|
|
knechtionscoding
force-pushed
the
feat/multi-arch-images-upstream
branch
from
9ba75ee to
c9adc5e
Compare
knechtionscoding
force-pushed
the
feat/multi-arch-images-upstream
branch
from
c9adc5e to
a8a012c
Compare
There was a problem hiding this comment.
7 issues found across 8 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="gemini/Dockerfile">
<violation number="1" location="gemini/Dockerfile:1">
P2: Defaulting the base image to `agent-base:latest` makes builds non-reproducible and can silently pull upstream changes; consider pinning to a specific version or digest.</violation>
</file>
<file name="opencode/Dockerfile">
<violation number="1" location="opencode/Dockerfile:1">
P2: Base image is pinned to a mutable `latest` tag, making builds non-reproducible and allowing silent upstream drift.</violation>
</file>
<file name="codex/Dockerfile">
<violation number="1" location="codex/Dockerfile:1">
P2: Base image uses mutable `latest` tag, making builds non-reproducible and allowing upstream changes without review.</violation>
<violation number="2" location="codex/Dockerfile:2">
P2: Removal of the `kelos-capture` binary copy likely breaks the entrypoint contract: `/kelos/kelos-capture` is still invoked by the entrypoint and documented as required, but this Dockerfile no longer ensures it exists in the image.</violation>
</file>
<file name="cursor/Dockerfile">
<violation number="1" location="cursor/Dockerfile:1">
P2: Base image is unpinned (`latest`), making builds non-reproducible and increasing supply-chain drift risk. Pin the base image to a specific version or digest.</violation>
<violation number="2" location="cursor/Dockerfile:2">
P2: cursor image no longer installs /kelos/kelos-capture, but the entrypoint still calls it, so the container will fail if the base image doesn’t provide that binary.</violation>
</file>
<file name=".github/workflows/release.yaml">
<violation number="1" location=".github/workflows/release.yaml:9">
P2: Per-ref concurrency allows tag release workflows to run in parallel, but the workflow still updates shared `latest` tags. Two tag releases close together can race and overwrite `latest` nondeterministically. Consider restoring a shared concurrency group for tag releases or otherwise serializing `push-latest`.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
| && rm "/tmp/${TARBALL}" "/tmp/${TARBALL}.sha256" | ||
|
|
||
| ENV PATH="/usr/local/go/bin:${PATH}" | ||
| ARG BASE_IMAGE=agent-base:latest |
There was a problem hiding this comment.
P2: Defaulting the base image to agent-base:latest makes builds non-reproducible and can silently pull upstream changes; consider pinning to a specific version or digest.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At gemini/Dockerfile, line 1:
<comment>Defaulting the base image to `agent-base:latest` makes builds non-reproducible and can silently pull upstream changes; consider pinning to a specific version or digest.</comment>
<file context>
@@ -1,40 +1,12 @@
- && rm "/tmp/${TARBALL}" "/tmp/${TARBALL}.sha256"
-
-ENV PATH="/usr/local/go/bin:${PATH}"
+ARG BASE_IMAGE=agent-base:latest
+FROM ${BASE_IMAGE}
</file context>
| && rm "/tmp/${TARBALL}" "/tmp/${TARBALL}.sha256" | ||
|
|
||
| ENV PATH="/usr/local/go/bin:${PATH}" | ||
| ARG BASE_IMAGE=agent-base:latest |
There was a problem hiding this comment.
P2: Base image is pinned to a mutable latest tag, making builds non-reproducible and allowing silent upstream drift.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At opencode/Dockerfile, line 1:
<comment>Base image is pinned to a mutable `latest` tag, making builds non-reproducible and allowing silent upstream drift.</comment>
<file context>
@@ -1,40 +1,12 @@
- && rm "/tmp/${TARBALL}" "/tmp/${TARBALL}.sha256"
-
-ENV PATH="/usr/local/go/bin:${PATH}"
+ARG BASE_IMAGE=agent-base:latest
+FROM ${BASE_IMAGE}
</file context>
| && rm "/tmp/${TARBALL}" "/tmp/${TARBALL}.sha256" | ||
|
|
||
| ENV PATH="/usr/local/go/bin:${PATH}" | ||
| ARG BASE_IMAGE=agent-base:latest |
There was a problem hiding this comment.
P2: Base image uses mutable latest tag, making builds non-reproducible and allowing upstream changes without review.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At codex/Dockerfile, line 1:
<comment>Base image uses mutable `latest` tag, making builds non-reproducible and allowing upstream changes without review.</comment>
<file context>
@@ -1,40 +1,12 @@
- && rm "/tmp/${TARBALL}" "/tmp/${TARBALL}.sha256"
-
-ENV PATH="/usr/local/go/bin:${PATH}"
+ARG BASE_IMAGE=agent-base:latest
+FROM ${BASE_IMAGE}
</file context>
|
|
||
| ENV PATH="/usr/local/go/bin:${PATH}" | ||
| ARG BASE_IMAGE=agent-base:latest | ||
| FROM ${BASE_IMAGE} |
There was a problem hiding this comment.
P2: Removal of the kelos-capture binary copy likely breaks the entrypoint contract: /kelos/kelos-capture is still invoked by the entrypoint and documented as required, but this Dockerfile no longer ensures it exists in the image.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At codex/Dockerfile, line 2:
<comment>Removal of the `kelos-capture` binary copy likely breaks the entrypoint contract: `/kelos/kelos-capture` is still invoked by the entrypoint and documented as required, but this Dockerfile no longer ensures it exists in the image.</comment>
<file context>
@@ -1,40 +1,12 @@
-
-ENV PATH="/usr/local/go/bin:${PATH}"
+ARG BASE_IMAGE=agent-base:latest
+FROM ${BASE_IMAGE}
ARG CODEX_VERSION=0.117.0
</file context>
|
|
||
| ENV PATH="/usr/local/go/bin:${PATH}" | ||
| ARG BASE_IMAGE=agent-base:latest | ||
| FROM ${BASE_IMAGE} |
There was a problem hiding this comment.
P2: cursor image no longer installs /kelos/kelos-capture, but the entrypoint still calls it, so the container will fail if the base image doesn’t provide that binary.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cursor/Dockerfile, line 2:
<comment>cursor image no longer installs /kelos/kelos-capture, but the entrypoint still calls it, so the container will fail if the base image doesn’t provide that binary.</comment>
<file context>
@@ -1,37 +1,9 @@
-
-ENV PATH="/usr/local/go/bin:${PATH}"
+ARG BASE_IMAGE=agent-base:latest
+FROM ${BASE_IMAGE}
COPY cursor/kelos_entrypoint.sh /kelos_entrypoint.sh
</file context>
| && rm "/tmp/${TARBALL}" "/tmp/${TARBALL}.sha256" | ||
|
|
||
| ENV PATH="/usr/local/go/bin:${PATH}" | ||
| ARG BASE_IMAGE=agent-base:latest |
There was a problem hiding this comment.
P2: Base image is unpinned (latest), making builds non-reproducible and increasing supply-chain drift risk. Pin the base image to a specific version or digest.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At cursor/Dockerfile, line 1:
<comment>Base image is unpinned (`latest`), making builds non-reproducible and increasing supply-chain drift risk. Pin the base image to a specific version or digest.</comment>
<file context>
@@ -1,37 +1,9 @@
- && rm "/tmp/${TARBALL}" "/tmp/${TARBALL}.sha256"
-
-ENV PATH="/usr/local/go/bin:${PATH}"
+ARG BASE_IMAGE=agent-base:latest
+FROM ${BASE_IMAGE}
</file context>
|
|
||
| concurrency: | ||
| group: release | ||
| group: release-${{ github.ref }} |
There was a problem hiding this comment.
P2: Per-ref concurrency allows tag release workflows to run in parallel, but the workflow still updates shared latest tags. Two tag releases close together can race and overwrite latest nondeterministically. Consider restoring a shared concurrency group for tag releases or otherwise serializing push-latest.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At .github/workflows/release.yaml, line 9:
<comment>Per-ref concurrency allows tag release workflows to run in parallel, but the workflow still updates shared `latest` tags. Two tag releases close together can race and overwrite `latest` nondeterministically. Consider restoring a shared concurrency group for tag releases or otherwise serializing `push-latest`.</comment>
<file context>
@@ -6,23 +6,44 @@ on:
concurrency:
- group: release
+ group: release-${{ github.ref }}
cancel-in-progress: false
</file context>
Suggested change
| group: release-${{ github.ref }} | |
| group: release |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind feature
What this PR does / why we need it:
Implements native multi-architecture Docker container builds for ARM64 and AMD64 platforms, replacing QEMU emulation with native runner builds for significantly improved performance and reliability.
Key Changes:
Release Workflow Redesign: Restructured
.github/workflows/release.yamlto use separate jobs with native runners:ubuntu-latestubuntu-24.04-armMulti-Stage Dockerfiles: Updated all Dockerfiles to build binaries inside containers instead of copying pre-built binaries:
cmd/kelos-spawner/Dockerfile- converted to multi-stage buildcmd/ghproxy/Dockerfile- converted to multi-stage buildShared Base Image: Refactored agent images to properly use the shared
agent-baseimage:codex/Dockerfile- now usesagent-baseinstead of duplicating Ubuntu setupgemini/Dockerfile- simplified to use shared baseopencode/Dockerfile- simplified to use shared basecursor/Dockerfile- simplified to use shared baseclaude-code/Dockerfilealready used shared base ✓Build Pipeline:
agent-base→agent-imagesPerformance Benefits:
Which issue(s) this PR is related to:
N/A
Special notes for your reviewer:
ubuntu-24.04-armrunners to be available in the GitHub organizationghcr.io/kelos-devagent-basebeing built firstThe new pipeline creates architecture-specific tags (
-amd64,-arm64) then combines them into multi-arch manifests for the main tags.Does this PR introduce a user-facing change?