51836e681e
Splits the dogfood image into two artifacts: - `ghcr.io/coder/oss-dogfood-base:<distro>-<base-sha>`: Ubuntu base with apt packages, chrome, rustup, brew, gh, and the mise binary. The base-sha is a cache key over `Dockerfile.base` and `files/`, so commits that don't touch those inputs reuse the previous build. - `codercom/oss-dogfood:<final-sha>-<distro>` and rolling tags (`:22.04`, `:26.04`, `:latest`, `:<branch>`): produced by `mise oci build` on top of the base, with one content-addressed OCI layer per mise tool. The rolling tag scheme is unchanged, so the workspace template doesn't need updating. Single-tool version bumps now invalidate only that tool's OCI layer, so workspaces re-pull just what changed instead of the entire 5-6 GB image on every recreate. Also: - Drops the build-time `pnpm dlx playwright@1.47.0 install --with-deps chromium` step (~400 MB) and the equivalent `playwright-driver.browsers` install from `flake.nix`. `@playwright/mcp` (used by the claude-code and codex MCP servers in `dogfood/coder/main.tf`) does NOT auto-install browsers, so the existing `install-deps` `coder_script` now runs two installs on workspace start: `pnpm exec playwright install chromium` for the site's pinned `@playwright/test`, and `npx --package=@playwright/mcp@latest playwright-core install --no-shell chromium` so the MCP servers find their matching browser revision. Browser revisions coexist under `~/.cache/ms-playwright/chromium-<rev>/`, which lives on the home volume so both downloads happen once per workspace recreate and persist across restarts. Net effect: same MCP behavior as before, +~1-2 min on first workspace start. Nix devshell users running site e2e tests locally now need `pnpm exec playwright install` once (instead of getting browsers via nixpkgs). 
- Bumps the pinned mise binary to v2026.5.12 (matching main after #25521) and adds top-level `min_version = "2026.5.12"` to `mise.toml` so every consumer (devs, CI, the embedded mise inside the dogfood image, mise oci builds) fails fast on an older mise. - Adds bison, flex, libicu-dev, libreadline-dev, uuid-dev, and zlib1g-dev to both Ubuntu base images for source-build use cases (e.g., building Postgres from source). - Replaces skopeo with crane as the registry client `mise oci push` shells out to: crane is added to `mise.toml`, the workflow drops its `apt-get install skopeo` and forces `--tool crane`, and the local wrapper image stops bundling skopeo. One source of truth for tool versions, no apt drift, smaller wrapper image, and workspace users get a registry client on PATH for free via mise oci's tool layers. - Removes `nix.hash`/`mise.hash` and their Makefile rules. The registry digest already captures every effective change since CI rebuilds when any baked-in input moves; the per-file `filesha1()` entries in `pull_triggers` are redundant. Supersedes #25400 (the `mise.hash` pull trigger landed there in `2b612abe7b`; this PR removes it as part of the broader simplification). > [!NOTE] > `mise oci build` is experimental and requires `MISE_EXPERIMENTAL=1` (set at job level in the workflow). The local-only `scripts/dogfood/mise-oci-wrapper.sh` builds a tiny `coderdev/mise-oci-wrapper:<version>` Debian image with curl-installed mise on first invocation (cached by version tag thereafter); we don't reuse `jdxcode/mise:latest` because that tag lags upstream GitHub releases by days and would defeat the `min_version` enforcement above. > [!NOTE] > `compute-base-sha.sh` and `compute-final-sha.sh` are cache keys, not strict content addresses: the base Dockerfile still pulls dynamic resources at build time (gh/buildx `releases/latest`, chrome `stable_current_amd64.deb`, apt mirror state). 
Two runs with identical checked-in files can produce slightly different bytes, which is acceptable here because the cache-hit savings on irrelevant commits outweigh that drift. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Signed-off-by: Thomas Kosiewski <tk@coder.com> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
# Keep in lockstep with MISE_VERSION in dogfood/coder/ubuntu-*/Dockerfile.base,
# .github/workflows/dogfood.yaml, and scripts/dogfood/mise-oci-wrapper.sh.
# An older mise binary refuses to load this file, so a stale install fails
# fast instead of silently misreading settings it does not understand.
min_version = "2026.5.12"

[settings]
# Record the versions mise actually resolves (and asset checksums where the
# backend publishes them) in mise.lock, so CI, the dogfood image, and dev
# machines install the same bits. Commit mise.lock alongside this file.
lockfile = true

[tools]
# Languages and runtimes.
bun = "1.2.15"
go = "1.26.2"
node = "22.19.0"
pnpm = "10.33.2"

# Codegen and proto toolchain.
# `go:` entries are built from source with `go install` at the pinned module
# version; `aqua:` and `npm:` entries are fetched as published artifacts.
"go:go.uber.org/mock/mockgen" = "v0.6.0"
"go:storj.io/drpc/cmd/protoc-gen-go-drpc" = "v0.0.34"
protoc = "23.4"
protoc-gen-go = "1.30.0"

# Go development tools.
"go:github.com/golang-migrate/migrate/v4/cmd/migrate" = "v4.19.0"
"go:github.com/goreleaser/nfpm/v2/cmd/nfpm" = "v2.35.1"
"go:github.com/mikefarah/yq/v4" = "v4.44.3"
"go:github.com/quasilyte/go-ruleguard/cmd/ruleguard" = "v0.3.13"
"go:github.com/swaggo/swag/cmd/swag" = "v1.16.2"
"go:golang.org/x/tools/cmd/goimports" = "v0.41.0"
"go:golang.org/x/tools/gopls" = "v0.21.0"
"go:gotest.tools/gotestsum" = "v1.9.0"
"go:mvdan.cc/sh/v3/cmd/shfmt" = "v3.12.0"

# Infrastructure, release, and lint CLIs.
"aqua:ahmetb/kubectx/kubens" = "0.9.4"
cosign = "2.4.3"
# crane is the registry client `mise oci push` shells out to. Sourced
# here so it travels with the rest of the mise toolset (one source of
# truth, deterministic version, no apt drift across CI / wrapper).
crane = "0.21.6"
golangci-lint = "1.64.8"
helm = "3.21.0"
kubectx = "0.9.4"
syft = "1.20.0"
terraform = "1.15.2"

# Developer-environment niceties for the dogfood image. Non-dogfood
# users who run `mise install` here will pull these too; they are
# small, optional conveniences, and mise does nothing without the
# user's explicit `mise install` invocation.
#
# `gh` is intentionally absent from this manifest: the dogfood
# image ships a wrapper at /usr/local/bin/gh that bridges
# `coder external-auth` into `gh`, and a mise shim earlier in
# PATH would bypass it. Keep it that way: adding `gh` here would
# silently route auth around the wrapper for every workspace.
"aqua:crate-ci/typos" = "1.46.1"
"aqua:jj-vcs/jj" = "0.41.0"
"aqua:watchexec/watchexec" = "2.5.1"
doctl = "1.158.0"
lazygit = "0.61.1"

# Pre-installs the binary so the upstream devcontainers-cli coder
# module's `command -v devcontainer` short-circuit fires.
"npm:@devcontainers/cli" = "0.87.0"

# sqlc (coder fork) bundles sqlite via cgo, so the `go install` build
# needs CGO_ENABLED=1. Scope it with `install_env` so it only applies
# during install. A top-level `[env]` would re-export CGO_ENABLED=1
# through every mise shim at runtime and break cross-compilation of
# coderd (scripts/build_go.sh expects cgo=0 for slim builds).
[tools."go:github.com/coder/sqlc/cmd/sqlc"]
# Pinned to a full commit SHA of the fork rather than a branch or tag, so
# the installed source cannot move without a change to this manifest.
version = "337309bfb9524f38466a5090e310040fc7af0203"
install_env = { CGO_ENABLED = "1" }

# Consumed by `mise oci build` to produce the dogfood image on top of
# ghcr.io/coder/oss-dogfood-base. The `from` and `--tag` fields are
# overridden by CLI args at build time per distro; `mount_point`,
# `user`, and `workdir` always apply.
#
# mount_point MUST match the path the base image reserves and exposes
# via `MISE_SHARED_INSTALL_DIRS`. Both Dockerfile.base files hardcode
# /opt/mise/data in their `install --directory`, ENV, and PATH lines.
[oci]
mount_point = "/opt/mise/data"
# The image runs as the `coder` user (not root) with its home directory as
# the working directory.
user = "coder"
workdir = "/home/coder"