From 03629cdac78ed97a3853efe11bf19f53df4eba64 Mon Sep 17 00:00:00 2001 From: pi Date: Wed, 3 Jun 2026 17:04:21 +0200 Subject: [PATCH] refactor: build FROM joakimp/pi-devbox:base-pi-only (Option B) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The pi-only building block now lives in this repo as the internal base-pi-only tag (produced by opencode-devbox CI from Dockerfile.variant, INSTALL_OPENCODE=false) instead of opencode-devbox:latest-pi-only — so an 'opencode-devbox' tag never ships without opencode. - Dockerfile: BASE_IMAGE default joakimp/opencode-devbox:latest-pi-only -> joakimp/pi-devbox:base-pi-only. - Updated README, AGENTS, DOCKER_HUB, docker-compose, CHANGELOG. - Single source of truth unchanged (opencode-devbox/Dockerfile.variant); publish ordering + EXPECTED_PI_VERSION smoke guard unchanged. --- AGENTS.md | 10 +++++----- CHANGELOG.md | 15 ++++++++++++--- DOCKER_HUB.md | 11 +++++++---- Dockerfile | 39 ++++++++++++++++++++++----------------- README.md | 20 ++++++++++++-------- docker-compose.yml | 4 ++-- 6 files changed, 60 insertions(+), 39 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index 7e4a481..70db297 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -5,7 +5,7 @@ pi-focused image. As of 2026-06-03 it no longer installs pi itself. ## Repository layout -- `Dockerfile` — thin re-brand: `FROM opencode-devbox:latest-pi-only` (overridable via `BASE_IMAGE` arg). No install logic of its own — pi + companions are inherited from the pi-only variant (built `INSTALL_OPENCODE=false`, so **no opencode** — that's the distinction from `latest-with-pi`). This refactor removed the install-logic duplication that used to drift against `opencode-devbox/Dockerfile.variant`. +- `Dockerfile` — thin re-brand: `FROM joakimp/pi-devbox:base-pi-only` (overridable via `BASE_IMAGE` arg). No install logic of its own — pi + companions are inherited from the pi-only build (built `INSTALL_OPENCODE=false`, so **no opencode** — that's the distinction from `opencode-devbox:latest-with-pi`). The `base-pi-only` tag is produced by opencode-devbox CI (from `opencode-devbox/Dockerfile.variant`) but published into THIS repo as an internal building-block tag. This refactor removed the install-logic duplication that used to drift against `opencode-devbox/Dockerfile.variant`. - `docker-compose.yml` — compose file for local use - `.env.example` — environment variable template - `scripts/smoke-test.sh` — sanity checks run by CI before pushing to Docker Hub @@ -14,12 +14,12 @@ pi-focused image. As of 2026-06-03 it no longer installs pi itself. ## Versioning scheme - Tags follow the pi npm version: `v{pi_version}[letter]` -- The image inherits pi from `latest-pi-only`, so the **publish ordering matters**: rebuild opencode-devbox first so `latest-pi-only` carries the target pi version, *then* tag this repo. The smoke test asserts `pi --version` matches the tag (`EXPECTED_PI_VERSION`) and fails loudly if the base is stale. +- The image inherits pi from `base-pi-only`, so the **publish ordering matters**: rebuild opencode-devbox first so `joakimp/pi-devbox:base-pi-only` carries the target pi version, *then* tag this repo. The smoke test asserts `pi --version` matches the tag (`EXPECTED_PI_VERSION`) and fails loudly if the base is stale. - Docker Hub: `joakimp/pi-devbox:vX.Y.Z` + `joakimp/pi-devbox:latest` ## Release-day checklist -1. Ensure opencode-devbox has been released so `joakimp/opencode-devbox:latest-pi-only` carries the target pi version (and the fork/recall extensions). This is the hard prerequisite — the smoke guard enforces it. +1. Ensure opencode-devbox has been released so `joakimp/pi-devbox:base-pi-only` carries the target pi version (and the fork/recall extensions). This is the hard prerequisite — the smoke guard enforces it. 2. Update `CHANGELOG.md`: promote `Unreleased` → `vX.Y.Z — YYYY-MM-DD` 3. Add fresh `## Unreleased` section 4. Commit, tag `vX.Y.Z`, push tag → CI fires automatically @@ -39,7 +39,7 @@ per version. Don't try to derive notes from the npm registry metadata ## Key facts -- **Base image**: `joakimp/opencode-devbox:latest-pi-only` — the single source of truth for the pi install + companions. Rebuilt whenever opencode-devbox releases. +- **Base image**: `joakimp/pi-devbox:base-pi-only` — an internal building-block tag (produced by opencode-devbox CI from `Dockerfile.variant`, the single source of truth for the pi install + companions; published into this repo, not under opencode-devbox). Rebuilt whenever opencode-devbox releases. Not for end users — they pull `joakimp/pi-devbox:latest` or a `vX.Y.Z` tag. - **Inherited content**: pi (`/usr/bin/pi`), pi-toolkit, pi-extensions, pi-fork (`fork`), pi-observational-memory (`recall`), the mempalace bridge, the LAN-access helper, entrypoints, and all base dev tooling. The pi-only variant is built `INSTALL_OPENCODE=false`, so the image does **not** contain opencode. - **Companion repos**: cloned to `/opt/` by the pi-only build; `entrypoint-user.sh` (inherited) deploys/registers them on container start. - **MemPalace**: fully operational — inherited from base; bridge extension deployed by entrypoint. @@ -49,7 +49,7 @@ per version. Don't try to derive notes from the npm registry metadata - This repo no longer installs pi or clones companion repos — do **not** re-add that logic here. Change it in `opencode-devbox/Dockerfile.variant` (the single source of truth) instead. - The smoke test threshold is 2750 MB (tracks the pi-only variant) — update if the image legitimately grows past it. - The CI still resolves the tag's pi version, but only to feed `EXPECTED_PI_VERSION` to the smoke base-freshness guard — it is no longer passed as a build-arg (nothing in the Dockerfile consumes it). -- To pin a specific base build instead of tracking `latest-pi-only`, override the `BASE_IMAGE` arg (a version tag or a digest). +- To pin a specific base build instead of tracking `base-pi-only`, override the `BASE_IMAGE` arg (a `base-pi-only-vX.Y.Z` tag or a digest). ## Documentation drift sweep diff --git a/CHANGELOG.md b/CHANGELOG.md index 1a3c867..81edc76 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,12 +11,21 @@ Tags follow the pi npm version: `v{pi_version}[letter]` — bare tag for the fir ### Changed: refactored to re-brand the opencode-devbox `pi-only` variant pi-devbox no longer installs pi itself. The `Dockerfile` is now a thin -`FROM joakimp/opencode-devbox:latest-pi-only` (overridable via the `BASE_IMAGE` +`FROM joakimp/pi-devbox:base-pi-only` (overridable via the `BASE_IMAGE` arg), inheriting pi + pi-toolkit + pi-extensions and all base tooling from the single source of truth. This eliminates the install-logic duplication that used to drift against `opencode-devbox/Dockerfile.variant`. -The `pi-only` variant is built with `INSTALL_OPENCODE=false`, so this image +The pi-only artifact is **built** by opencode-devbox's CI (from +`opencode-devbox/Dockerfile.variant` with `INSTALL_OPENCODE=false`) but is +**published into this repo** as the internal building-block tag +`joakimp/pi-devbox:base-pi-only` (+ `base-pi-only-vX.Y.Z`, where `vX.Y.Z` is +the opencode-devbox release version). This supersedes the brief approach of +publishing it as `opencode-devbox:latest-pi-only` — an "opencode-devbox" tag +with no opencode in it confused users. `base-pi-only` is internal; end users +pull `joakimp/pi-devbox:latest` or a `vX.Y.Z` tag. + +The pi-only build uses `INSTALL_OPENCODE=false`, so this image stays lean and pi-focused — it does **not** carry opencode, and remains distinct from `opencode-devbox:latest-with-pi` (which has both). @@ -31,7 +40,7 @@ distinct from `opencode-devbox:latest-with-pi` (which has both). ### Consequences / notes -- **Publish ordering**: release opencode-devbox first so `latest-pi-only` +- **Publish ordering**: release opencode-devbox first so `base-pi-only` carries the target pi version, *then* tag this repo. The smoke test asserts `pi --version` matches the tag and fails loudly if the base is stale. - CI no longer passes `PI_VERSION` as a build-arg (the Dockerfile installs diff --git a/DOCKER_HUB.md b/DOCKER_HUB.md index 8319bf4..d26383a 100644 --- a/DOCKER_HUB.md +++ b/DOCKER_HUB.md @@ -38,9 +38,12 @@ Full setup guide — authentication for each provider (Anthropic, OpenAI, Gemini ## What's inside -pi-devbox is a re-brand of the **opencode-devbox `pi-only` variant** — it builds -`FROM joakimp/opencode-devbox:latest-pi-only` and adds no layers of its own. -The pi-only variant is built `INSTALL_OPENCODE=false`, so this image is lean +pi-devbox is a re-brand of the **pi-only build** — it builds +`FROM joakimp/pi-devbox:base-pi-only` and adds no layers of its own. That +building-block tag is produced by opencode-devbox's CI (from +`Dockerfile.variant` with `INSTALL_OPENCODE=false`) but published here, in the +pi-devbox repo, so an opencode-devbox tag never ships without opencode. +The pi-only build is lean and pi-focused (no opencode — use `opencode-devbox:latest-with-pi` if you want both). Everything below is inherited from that single source of truth. @@ -68,7 +71,7 @@ The entrypoint deploys/registers all of these on first container start. Re-runni ## Versioning -Tags follow the pi npm version: `v0.74.0`, `v0.75.0`, etc. `latest` always points at the most recent release. The pi binary is inherited from `opencode-devbox:latest-pi-only`, so each release follows an opencode-devbox release that bakes the target pi version. +Tags follow the pi npm version: `v0.74.0`, `v0.75.0`, etc. `latest` always points at the most recent release. The pi binary is inherited from `joakimp/pi-devbox:base-pi-only`, so each release follows an opencode-devbox release that bakes the target pi version. (`base-pi-only` is an internal building-block tag — pull `latest` or a `vX.Y.Z` tag instead.) For container-level rebuilds on the same pi version (security updates, base bumps, fixes) the tag gets a letter suffix: `v0.74.0b`, `v0.74.0c`, … diff --git a/Dockerfile b/Dockerfile index 24aee30..d2143a3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,29 +1,34 @@ # pi-devbox — pi coding-agent container # -# As of 2026-06-03 this image is a thin re-brand of the opencode-devbox -# "pi-only" variant, which is the SINGLE SOURCE OF TRUTH for the pi install -# and its companion repos (pi-toolkit, pi-extensions, pi-fork, -# pi-observational-memory). Previously pi-devbox/Dockerfile duplicated that -# install logic, which drifted from opencode-devbox/Dockerfile.variant; this -# refactor eliminates the duplication. +# As of 2026-06-03 this image is a thin re-brand of the "pi-only" build, which +# is the SINGLE SOURCE OF TRUTH for the pi install and its companion repos +# (pi-toolkit, pi-extensions, pi-fork, pi-observational-memory). That build is +# produced by opencode-devbox's CI (from opencode-devbox/Dockerfile.variant +# with INSTALL_OPENCODE=false), but is published as an INTERNAL building-block +# tag in THIS repo — joakimp/pi-devbox:base-pi-only — NOT under opencode-devbox. +# Rationale: an "opencode-devbox" tag containing no opencode confuses +# opencode-devbox users, so the pi-only artifact lives here instead. +# Previously pi-devbox/Dockerfile duplicated the install logic, which drifted +# from opencode-devbox/Dockerfile.variant; this refactor eliminates the dup. # -# The "pi-only" variant is built with INSTALL_OPENCODE=false, so this image -# does NOT contain opencode — it stays a lean, pi-focused image, distinct -# from opencode-devbox:latest-with-pi (which carries both). +# The pi-only build uses INSTALL_OPENCODE=false, so this image does NOT contain +# opencode — it stays a lean, pi-focused image, distinct from +# opencode-devbox:latest-with-pi (which carries both). # -# Everything is inherited from the pi-only image: +# Everything is inherited from the pi-only build: # pi + pi-toolkit + pi-extensions + pi-fork (fork) + pi-observational-memory # (recall), the mempalace bridge, the LAN-access helper, entrypoints, and # all base dev tooling. # -# NOTE on PUBLISH ORDERING: rebuild opencode-devbox (so `latest-pi-only` -# carries the target pi version) BEFORE tagging this repo. The smoke test -# asserts `pi --version` matches this repo's tag and fails loudly if the -# base is stale — turning the version coupling into an enforced ordering check. +# NOTE on PUBLISH ORDERING: rebuild opencode-devbox (so `base-pi-only` carries +# the target pi version) BEFORE tagging this repo. The smoke test asserts +# `pi --version` matches this repo's tag and fails loudly if the base is stale +# — turning the version coupling into an enforced ordering check. # -# Override BASE_IMAGE to pin a specific pi-only build (e.g. a version tag or a -# digest) instead of tracking latest-pi-only. -ARG BASE_IMAGE=joakimp/opencode-devbox:latest-pi-only +# base-pi-only is an internal building-block alias (existence-only, not for +# end users — pull joakimp/pi-devbox:latest or a vX.Y.Z tag instead). Override +# BASE_IMAGE to pin a specific pi-only build (a version tag or a digest). +ARG BASE_IMAGE=joakimp/pi-devbox:base-pi-only FROM ${BASE_IMAGE} # WORKDIR / ENTRYPOINT / CMD and all tooling inherited from the base. diff --git a/README.md b/README.md index f58f6d2..8e7a57d 100644 --- a/README.md +++ b/README.md @@ -9,10 +9,14 @@ A Docker container with [pi coding-agent](https://github.com/earendil-works/pi) ## What's inside -pi-devbox is a re-brand of the **opencode-devbox `pi-only` variant** — it `FROM`s -`opencode-devbox:latest-pi-only` and adds no layers of its own. Everything below -is inherited from that single source of truth. The pi-only variant is built with -`INSTALL_OPENCODE=false`, so this image is lean and pi-focused — no opencode. +pi-devbox is a thin re-brand of the **`pi-only` build** — it `FROM`s +`joakimp/pi-devbox:base-pi-only` and adds no layers of its own. That base build +is produced by opencode-devbox's CI (from `opencode-devbox/Dockerfile.variant` +with `INSTALL_OPENCODE=false`, the single source of truth for the pi install + +companions) but is published **into this repo** as the internal building-block +tag `base-pi-only` — *not* under opencode-devbox, so an "opencode-devbox" tag +never ships without opencode. Everything below is inherited from that build, +which is lean and pi-focused — no opencode. Base tooling: @@ -208,7 +212,7 @@ Tags follow the pi npm package version: `v0.74.0`, `v0.75.0`, … `latest` alway Container-level rebuilds on the same pi version (security updates, base bumps, fixes) get a letter suffix: `v0.74.0b`, `v0.74.0c`, … -The pi binary is inherited from `opencode-devbox:latest-pi-only`, so a release of this image must be preceded by an opencode-devbox release that bakes the target pi version into `latest-pi-only`. The smoke test enforces this (it asserts `pi --version` matches the tag). +The pi binary is inherited from `joakimp/pi-devbox:base-pi-only`, so a release of this image must be preceded by an opencode-devbox release that bakes the target pi version into `base-pi-only`. The smoke test enforces this (it asserts `pi --version` matches the tag). --- @@ -221,9 +225,9 @@ the base. To pin a specific pi-only build or hack on it: git clone https://gitea.jordbo.se/joakimp/pi-devbox cd pi-devbox -# Default tracks latest-pi-only; override BASE_IMAGE to pin a build: +# Default tracks base-pi-only; override BASE_IMAGE to pin a build: docker compose build \ - --build-arg BASE_IMAGE=joakimp/opencode-devbox:v1.15.13-pi-only + --build-arg BASE_IMAGE=joakimp/pi-devbox:base-pi-only-v1.15.13c docker compose up -d ``` @@ -236,7 +240,7 @@ Build args supported: | Arg | Default | Effect | |---|---|---| -| `BASE_IMAGE` | `joakimp/opencode-devbox:latest-pi-only` | Parent image — set to a `:vX.Y.Z-pi-only` tag or a digest for reproducible builds | +| `BASE_IMAGE` | `joakimp/pi-devbox:base-pi-only` | Parent image (internal building-block tag) — set to a `:base-pi-only-vX.Y.Z` tag or a digest for reproducible builds | --- diff --git a/docker-compose.yml b/docker-compose.yml index a9ab5e2..a021ee1 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -17,8 +17,8 @@ services: # build: # context: . # args: - # # Pin a specific pi-only build instead of tracking latest-pi-only: - # BASE_IMAGE: "joakimp/opencode-devbox:v1.15.13-pi-only" + # # Pin a specific pi-only build instead of tracking base-pi-only: + # BASE_IMAGE: "joakimp/pi-devbox:base-pi-only-v1.15.13c" container_name: pi-devbox stdin_open: true tty: true