pi
72298ae77e
Validate / base-change-warning (push) Successful in 14s
Validate / docs-check (push) Successful in 13s
Publish Docker Image / resolve-versions (push) Successful in 8s
Publish Docker Image / base-decide (push) Successful in 13s
Validate / validate-omos (push) Successful in 12m42s
Validate / validate-base (push) Successful in 13m39s
Publish Docker Image / build-base (push) Successful in 44m17s
Publish Docker Image / smoke-base (push) Successful in 3m46s
Publish Docker Image / smoke-omos (push) Successful in 5m54s
Publish Docker Image / build-variant-base (push) Successful in 18m11s
Publish Docker Image / build-variant-omos (push) Successful in 19m34s
Publish Docker Image / promote-base-latest (push) Successful in 9s
Publish Docker Image / update-description (push) Successful in 15s
PR-5 (per docs/CLEANUP-v2.0.0.md). Major release with two breaking changes:
1. pi fully removed (deprecated in v1.17.2). Gone: INSTALL_PI + all PI_*
build args; with-pi/omos-with-pi/pi-only variants; base-pi-only publish
job; all ~/.pi entrypoint wiring; the 3 pi smoke/validate/build-variant
CI jobs. Only base + omos variants remain (4 tags/release).
2. NPM_CONFIG_PREFIX relocated ~/.pi/npm-global -> ~/.config/opencode/npm-global
(persistent in both compose files). entrypoint-user.sh gains a one-time
migration shim that copies old global npm packages forward.
Also: opencode 1.17.2->1.17.4; DOCKER_HUB.md gains {{OPENCODE_VERSION}}
placeholder filled by CI at publish time (mirrors pi-devbox); full docs
drift sweep across README/AGENTS/.gitea-README/.env.example/manual-host-publish;
DOCKER_HUB.md regenerated + --check passes; both workflows YAML-valid;
all shell scripts pass bash -n.
122 lines
5.6 KiB
Bash
122 lines
5.6 KiB
Bash
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
USER_NAME="developer"
|
|
CURRENT_UID=$(id -u "$USER_NAME")
|
|
CURRENT_GID=$(id -g "$USER_NAME")
|
|
|
|
# ── UID/GID adjustment ───────────────────────────────────────────────
|
|
# Priority per dimension: env var > auto-detect from /workspace > no-op
|
|
# UID and GID are detected independently so a GID-only mismatch (e.g. host
|
|
# user has UID 1000 but primary group at GID 1001) is still corrected.
|
|
TARGET_UID="${USER_UID:-}"
|
|
TARGET_GID="${USER_GID:-}"
|
|
|
|
if [ -d /workspace ]; then
|
|
WORKSPACE_UID=$(stat -c '%u' /workspace 2>/dev/null || stat -f '%u' /workspace 2>/dev/null || echo "")
|
|
WORKSPACE_GID=$(stat -c '%g' /workspace 2>/dev/null || stat -f '%g' /workspace 2>/dev/null || echo "")
|
|
# Adopt workspace UID if env var not set and workspace is non-root-owned
|
|
if [ -z "$TARGET_UID" ] && [ -n "$WORKSPACE_UID" ] && [ "$WORKSPACE_UID" != "0" ] && [ "$WORKSPACE_UID" != "$CURRENT_UID" ]; then
|
|
TARGET_UID="$WORKSPACE_UID"
|
|
fi
|
|
# Adopt workspace GID if env var not set and workspace group differs
|
|
if [ -z "$TARGET_GID" ] && [ -n "$WORKSPACE_GID" ] && [ "$WORKSPACE_GID" != "0" ] && [ "$WORKSPACE_GID" != "$CURRENT_GID" ]; then
|
|
TARGET_GID="$WORKSPACE_GID"
|
|
fi
|
|
fi
|
|
|
|
# Apply UID/GID changes if needed
|
|
if [ -n "$TARGET_GID" ] && [ "$TARGET_GID" != "$CURRENT_GID" ]; then
|
|
groupmod -g "$TARGET_GID" "$USER_NAME" 2>/dev/null || true
|
|
find /home/"$USER_NAME" -not -path "/home/$USER_NAME/.ssh/*" -group "$CURRENT_GID" -exec chgrp "$TARGET_GID" {} + 2>/dev/null || true
|
|
echo "Adjusted developer GID to $TARGET_GID"
|
|
fi
|
|
|
|
if [ -n "$TARGET_UID" ] && [ "$TARGET_UID" != "$CURRENT_UID" ]; then
|
|
usermod -u "$TARGET_UID" "$USER_NAME" 2>/dev/null || true
|
|
find /home/"$USER_NAME" -not -path "/home/$USER_NAME/.ssh/*" -user "$CURRENT_UID" -exec chown "$TARGET_UID" {} + 2>/dev/null || true
|
|
echo "Adjusted developer UID to $TARGET_UID"
|
|
fi
|
|
|
|
# ── SSH key permissions ──────────────────────────────────────────────
|
|
# If SSH keys are mounted, fix permissions (skip if read-only mount)
|
|
if [ -d "/home/$USER_NAME/.ssh" ] && [ "$(ls -A "/home/$USER_NAME/.ssh" 2>/dev/null)" ]; then
|
|
if touch "/home/$USER_NAME/.ssh/.perm_test" 2>/dev/null; then
|
|
rm -f "/home/$USER_NAME/.ssh/.perm_test"
|
|
chmod 700 "/home/$USER_NAME/.ssh"
|
|
find "/home/$USER_NAME/.ssh" -type f -name "id_*" ! -name "*.pub" -exec chmod 600 {} \; 2>/dev/null || true
|
|
find "/home/$USER_NAME/.ssh" -type f -name "*.pub" -exec chmod 644 {} \; 2>/dev/null || true
|
|
[ -f "/home/$USER_NAME/.ssh/known_hosts" ] && chmod 644 "/home/$USER_NAME/.ssh/known_hosts"
|
|
[ -f "/home/$USER_NAME/.ssh/config" ] && chmod 600 "/home/$USER_NAME/.ssh/config"
|
|
fi
|
|
fi
|
|
|
|
# ── Fix ownership of named volume mount points ──────────────────────
|
|
# Named volumes are created as root on first use. Fix ownership so the
|
|
# developer user can write to them.
|
|
FINAL_UID="${TARGET_UID:-$CURRENT_UID}"
|
|
FINAL_GID="${TARGET_GID:-$CURRENT_GID}"
|
|
|
|
# First, fix parent dirs that Docker auto-creates as root:root when it
|
|
# materializes nested mount points (e.g. mounting a volume at
|
|
# .local/state/opencode creates .local/state as root). Non-recursive —
|
|
# we only need the dir node itself; children are handled below or were
|
|
# created by the user.
|
|
for parent in \
|
|
/home/"$USER_NAME"/.local \
|
|
/home/"$USER_NAME"/.local/share \
|
|
/home/"$USER_NAME"/.local/state \
|
|
/home/"$USER_NAME"/.cache \
|
|
/home/"$USER_NAME"/.config; do
|
|
if [ -d "$parent" ] && [ "$(stat -c '%u' "$parent" 2>/dev/null)" != "$FINAL_UID" ]; then
|
|
chown "$FINAL_UID":"$FINAL_GID" "$parent" 2>/dev/null || true
|
|
fi
|
|
done
|
|
|
|
for dir in \
|
|
/home/"$USER_NAME"/.local/share/opencode \
|
|
/home/"$USER_NAME"/.local/state/opencode \
|
|
/home/"$USER_NAME"/.local/share/uv \
|
|
/home/"$USER_NAME"/.local/share/zoxide \
|
|
/home/"$USER_NAME"/.local/share/nvim \
|
|
/home/"$USER_NAME"/.mempalace \
|
|
/home/"$USER_NAME"/.cache/bash \
|
|
/home/"$USER_NAME"/.cache/chroma \
|
|
/home/"$USER_NAME"/.rustup \
|
|
/home/"$USER_NAME"/.cargo \
|
|
/home/"$USER_NAME"/.vscode-server \
|
|
/home/"$USER_NAME"/.config/opencode \
|
|
/home/"$USER_NAME"/.config/nvim \
|
|
/home/"$USER_NAME"/.ssh-local \
|
|
/home/"$USER_NAME"/.agents/skills; do
|
|
[ -d "$dir" ] || continue
|
|
|
|
# Sentinel-file fast path: on volumes with thousands of files (nvim
|
|
# plugins, palace data) the recursive chown used to cost multiple
|
|
# seconds on every container start even when ownership was already
|
|
# correct. Now we write a sentinel after a successful chown and skip
|
|
# the walk when the sentinel matches the target UID:GID.
|
|
#
|
|
# If USER_UID changes between runs (user switches hosts, different
|
|
# workspace owner), the sentinel won't match and the full chown runs.
|
|
sentinel="$dir/.devbox-owner"
|
|
expected="$FINAL_UID:$FINAL_GID"
|
|
if [ -f "$sentinel" ] && [ "$(cat "$sentinel" 2>/dev/null)" = "$expected" ]; then
|
|
continue
|
|
fi
|
|
|
|
# Recursive chown needed. Only do it when the top-level differs too
|
|
# (covers the common case of fresh root-owned named volumes).
|
|
if [ "$(stat -c '%u' "$dir" 2>/dev/null)" != "$FINAL_UID" ]; then
|
|
chown -R "$FINAL_UID":"$FINAL_GID" "$dir" 2>/dev/null || true
|
|
fi
|
|
|
|
# Write sentinel so subsequent starts skip the recursive walk.
|
|
# Suppress errors — a read-only mount would fail here, but that would
|
|
# already have failed above on the chown itself.
|
|
echo "$expected" > "$sentinel" 2>/dev/null || true
|
|
done
|
|
|
|
# ── Drop to developer user for remaining setup ──────────────────────
|
|
exec gosu "$USER_NAME" /usr/local/bin/entrypoint-user.sh "$@"
|