joakimp/opencode-devbox
Public Access
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

ci: CI-resolve mempalace-toolkit to a pinned SHA
Validate / docs-check (push) Successful in 7s
Details
Validate / base-change-warning (push) Successful in 58s
Details
Validate / validate-base (push) Successful in 3m19s
Details
Validate / validate-omos (push) Successful in 4m19s
Details

Browse Source 
mempalace-toolkit is the only dependency cloned in Dockerfile.base (all
others live in the variant), so it bypassed the resolve-versions ->
build-arg plumbing and its ref stayed a literal `main`. Because the base
only rebuilds on a content hash, a toolkit-only fix would silently fail to
land unless Dockerfile.base itself changed.

Mirrors pi-devbox commit 4744f05, adapted to this repo:
- resolve-versions: new mempalace_toolkit_ref output via the gitea commits
  API (first gitea call in this repo's CI; works unauthenticated, no secret).
- base-decide: needs resolve-versions; fold the SHA into the base-tag hash
  so a moved toolkit forces a base rebuild (they no longer run in parallel).
- build-base: needs resolve-versions; pass --build-arg MEMPALACE_TOOLKIT_REF.
- Dockerfile.base: clone switched to SHA-capable git fetch + checkout
  FETCH_HEAD (git clone --branch <SHA> would fail).
- docs lockstep: .gitea/README.md Step 1 (no longer "in parallel"), AGENTS.md
  Critical conventions, CHANGELOG Unreleased.

base_tag now reflects a live gitea lookup; on API blip it falls back to
`main`, triggering one extra rebuild, never a missed one. No new tag —
lands on the next release or workflow_dispatch.
This commit is contained in:
pi
2026-06-14 15:51:55 +02:00
parent 4409bd0719
commit e963f83e70
5 changed files with 73 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+24
View File
@@ -8,8 +8,32 @@ Tags follow `v{opencode_version}[letter]` — bare tag for the first build on a
## Unreleased
### Changed
- **`mempalace-toolkit` is now CI-resolved to a commit SHA.** It is the only
dependency cloned in `Dockerfile.base` (everything else is in the variant),
so it bypassed the `resolve-versions` → build-arg plumbing and its ref stayed
a literal `main` — meaning a toolkit-only fix would silently fail to land
unless `Dockerfile.base` itself changed. Now `resolve-versions` resolves the
`mempalace-toolkit` `main` HEAD to a SHA (new `mempalace_toolkit_ref` output,
via the gitea commits API — unauthenticated, no secret needed), `base-decide`
folds that SHA into the base-tag hash (so a moved toolkit forces a base
rebuild) and now **depends on `resolve-versions`**, and `build-base` passes it
as `--build-arg MEMPALACE_TOOLKIT_REF`. The base clone switched from
`git clone --branch` to a SHA-capable `git fetch <ref> + checkout FETCH_HEAD`.
Trade-off: `base_tag` now reflects a live gitea lookup — an API blip falls
back to `main` and triggers one *extra* rebuild, never a *missed* one. Updated
`.gitea/README.md` Step 1 and `AGENTS.md` Critical conventions in lockstep.
### Docs (no image change)
- Correct the MemPalace `diary_write` anyOf workaround watch-target: upstream
PR #1735 was **closed unmerged** (2026-06-11), so the old “remove once #1735
ships” TODO pointed at a dead PR. Issue #1728 is still open; PR #1717 is the
current live candidate; mempalace PyPI latest is still 3.4.0 (== our pin), so
the workaround stays. Rewrote the `Dockerfile.base` tracking comment and added
a durable note under `AGENTS.md` Critical conventions.
- Fix the quick-start description in `README.md` and the Hub `HUB_TEMPLATE`
(`scripts/generate-dockerhub-md.py`, regenerated `DOCKER_HUB.md`): bare
`docker compose run --rm devbox` lands in a **login shell** (default `CMD` is