From 10ad476494c454583ef2fdd7831807dd613edf14 Mon Sep 17 00:00:00 2001
From: wanghj
Date: Sat, 9 May 2026 19:48:46 +0800
Subject: [PATCH 1/2] ci(gitlab): pull BuildKit image from ACR for buildx docker-container driver

Avoid docker.io/moby/buildkit bootstrap failures in restricted networks; document mirror steps; BUILDKIT_CI_IMAGE overridable.
Co-authored-by: Cursor
---
 .gitlab/ci.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/.gitlab/ci.yml b/.gitlab/ci.yml
index 6615abe48f..40a0b3ddd1 100644
--- a/.gitlab/ci.yml
+++ b/.gitlab/ci.yml
@@ -18,6 +18,12 @@
 # docker push ${ACR_REGISTRY}/opencsg_public/binfmt:latest
 # Or set CI variable SKIP_BINFMT_INSTALL=true if the GitLab Runner host already
 # has binfmt_misc + qemu-user registered for arm64.
+#
+# BuildKit (docker-container driver): buildx bootstrap pulls moby/buildkit from
+# Docker Hub by default — mirror to ACR and set BUILDKIT_CI_IMAGE, e.g.:
+# docker pull moby/buildkit:buildx-stable-1
+# docker tag moby/buildkit:buildx-stable-1 ${ACR_REGISTRY}/opencsg_public/moby-buildkit:buildx-stable-1
+# docker push ${ACR_REGISTRY}/opencsg_public/moby-buildkit:buildx-stable-1
 variables:
 DOCKER_TLS_CERTDIR: "/certs"
@@ -27,6 +33,7 @@ variables:
 BUILDX_NO_DEFAULT_ATTESTATIONS: "1"
 DOCKER_PLATFORMS: "linux/amd64,linux/arm64"
 BINFMT_IMAGE: "${ACR_REGISTRY}/opencsg_public/binfmt:latest"
+ BUILDKIT_CI_IMAGE: "${ACR_REGISTRY}/opencsg_public/moby-buildkit:buildx-stable-1"
 stages:
 - build
@@ -67,7 +74,8 @@ docker-build-push:
 fi
 - export BUILDX_BUILDER="picoclaw-mx-${CI_PIPELINE_ID}"
 - docker buildx rm "${BUILDX_BUILDER}" 2>/dev/null || true
- - docker buildx create --name "${BUILDX_BUILDER}" --driver docker-container --bootstrap --use
+ - echo "BuildKit image for buildx driver ${BUILDKIT_CI_IMAGE}"
+ - docker buildx create --name "${BUILDX_BUILDER}" --driver docker-container --driver-opt "image=${BUILDKIT_CI_IMAGE}" --bootstrap --use
 script:
 - |
 set -euo pipefail
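Review bot: `BUILDKIT_CI_IMAGE` in the `variables:` block (second hunk) points at the mutable tag `buildx-stable-1`, so the BuildKit daemon that performs every build in this job is whatever the ACR repository holds under that tag when the pipeline runs. Pinning the mirrored image by digest removes that drift: `BUILDKIT_CI_IMAGE: "${ACR_REGISTRY}/opencsg_public/moby-buildkit:buildx-stable-1@sha256:<digest-of-mirrored-image>"`. The mirror steps in the header comment (first hunk) could then say to record the digest that `docker push` prints. Since the commit message calls the value overridable, it is also worth confirming that only protected or maintainer-set CI variables can change it, because whoever sets it chooses the builder image.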
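Review bot: The new `--driver-opt "image=${BUILDKIT_CI_IMAGE}"` in the third hunk is passed without checking that the variable is non-empty. If an override sets it to an empty string, buildx may fall back to its default image on Docker Hub, which is the pull this commit is meant to avoid; this is worth confirming against the buildx version on the runner. A guard ahead of the create step makes that case fail visibly: `- test -n "${BUILDKIT_CI_IMAGE}" || { echo "BUILDKIT_CI_IMAGE is empty" >&2; exit 1; }`. The step list these lines belong to starts above the hunk, and `script:` continues below it.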
From 9f3764537555ad3119e83a3cefbea9d320edaec5 Mon Sep 17 00:00:00 2001
From: wanghj
Date: Wed, 13 May 2026 17:23:59 +0800
Subject: [PATCH 2/2] docker: install glab in runtime image via OpenCSG APK mirror

Install GitLab CLI from csgclaw.opencsg.com APKs (amd64/arm64) for stable builds in mainland CN; set GLAB_TELEMETRY_DISABLED=1. Aligns with gitlab-csgclaw/SKILL.md glab bootstrap guidance.
---
 docker/Dockerfile | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 4c644840d8..aa6484c392 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -50,11 +50,26 @@ RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories
 # Stage 2: Minimal runtime image
 # ============================================================
 FROM opencsg-registry.cn-beijing.cr.aliyuncs.com/opencsg_public/alpine:3.23
+ARG TARGETARCH
 RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories
 RUN apk add --no-cache ca-certificates curl python3 tini tzdata
+# glab (GitLab CLI): install from OpenCSG-hosted APKs (stable in mainland CN; see gitlab-csgclaw/SKILL.md).
+RUN set -eu; \
+ case "${TARGETARCH}" in \
+ arm64) glab_apk_url="https://csgclaw.opencsg.com/apks/glab_1.92.1_linux_arm64.apk" ;; \
+ amd64) glab_apk_url="https://csgclaw.opencsg.com/apks/glab_1.92.1_linux_amd64.apk" ;; \
+ *) echo "glab: unsupported TARGETARCH=${TARGETARCH}" >&2; exit 1 ;; \
+ esac; \
+ curl -fsSL "$glab_apk_url" -o /tmp/glab.apk; \
+ apk add --no-cache --allow-untrusted /tmp/glab.apk; \
+ rm -f /tmp/glab.apk; \
+ glab --version
+
+ENV GLAB_TELEMETRY_DISABLED=1
+
 # Health check (use 127.0.0.1: gateway listens on IPv4 only; "localhost" may resolve to ::1 and fail)
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
 CMD wget -q --spider http://127.0.0.1:18790/health || exit 1
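Review bot: The glab package in the new `RUN` step is installed with `--allow-untrusted` and nothing else verifies its content, so whatever csgclaw.opencsg.com serves at build time is unpacked as root into the runtime image. TLS authenticates only the host, not the file, so a replaced or tampered APK on the mirror would pass unnoticed. Pinning a SHA-256 per architecture and checking it between the download and `apk add` fixes the content to the reviewed 1.92.1 builds. The digests below are placeholders to fill in from the published artifacts. If the mirror signs its packages, adding its public key to `/etc/apk/keys` and dropping `--allow-untrusted` would be the stronger option.

```dockerfile
RUN set -eu; \
    case "${TARGETARCH}" in \
      arm64) glab_apk_url="https://csgclaw.opencsg.com/apks/glab_1.92.1_linux_arm64.apk"; \
             glab_apk_sha256="<sha256-of-arm64-apk>" ;; \
      amd64) glab_apk_url="https://csgclaw.opencsg.com/apks/glab_1.92.1_linux_amd64.apk"; \
             glab_apk_sha256="<sha256-of-amd64-apk>" ;; \
      # … unchanged: unsupported TARGETARCH branch …
    esac; \
    curl -fsSL "$glab_apk_url" -o /tmp/glab.apk; \
    echo "${glab_apk_sha256}  /tmp/glab.apk" | sha256sum -c -; \
    # … unchanged: apk add, cleanup, glab --version …
```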