docker: install glab in Alpine runtime via OpenCSG APK mirror

.gitlab/ci.yml

@@ -18,6 +18,12 @@
 #   docker push ${ACR_REGISTRY}/opencsg_public/binfmt:latest
 # Or set CI variable SKIP_BINFMT_INSTALL=true if the GitLab Runner host already
 # has binfmt_misc + qemu-user registered for arm64.
+#
+# BuildKit (docker-container driver): buildx bootstrap pulls moby/buildkit from
+# Docker Hub by default — mirror to ACR and set BUILDKIT_CI_IMAGE, e.g.:
+#   docker pull moby/buildkit:buildx-stable-1
+#   docker tag moby/buildkit:buildx-stable-1 ${ACR_REGISTRY}/opencsg_public/moby-buildkit:buildx-stable-1
+#   docker push ${ACR_REGISTRY}/opencsg_public/moby-buildkit:buildx-stable-1
 
 variables:
   DOCKER_TLS_CERTDIR: "/certs"
@@ -27,6 +33,7 @@ variables:
   BUILDX_NO_DEFAULT_ATTESTATIONS: "1"
   DOCKER_PLATFORMS: "linux/amd64,linux/arm64"
   BINFMT_IMAGE: "${ACR_REGISTRY}/opencsg_public/binfmt:latest"
+  BUILDKIT_CI_IMAGE: "${ACR_REGISTRY}/opencsg_public/moby-buildkit:buildx-stable-1"
 
 stages:
   - build
@@ -67,7 +74,8 @@ docker-build-push:
       fi
     - export BUILDX_BUILDER="picoclaw-mx-${CI_PIPELINE_ID}"
     - docker buildx rm "${BUILDX_BUILDER}" 2>/dev/null || true
-    - docker buildx create --name "${BUILDX_BUILDER}" --driver docker-container --bootstrap --use
+    - echo "BuildKit image for buildx driver ${BUILDKIT_CI_IMAGE}"
+    - docker buildx create --name "${BUILDX_BUILDER}" --driver docker-container --driver-opt "image=${BUILDKIT_CI_IMAGE}" --bootstrap --use
   script:
     - |
       set -euo pipefail

docker/Dockerfile

@@ -50,11 +50,26 @@ RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories
 # Stage 2: Minimal runtime image
 # ============================================================
 FROM opencsg-registry.cn-beijing.cr.aliyuncs.com/opencsg_public/alpine:3.23
+ARG TARGETARCH
 
 RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.aliyun.com/g' /etc/apk/repositories
 
 RUN apk add --no-cache ca-certificates curl python3 tini tzdata
 
+# glab (GitLab CLI): install from OpenCSG-hosted APKs (stable in mainland CN; see gitlab-csgclaw/SKILL.md).
+RUN set -eu; \
+  case "${TARGETARCH}" in \
+    arm64) glab_apk_url="https://csgclaw.opencsg.com/apks/glab_1.92.1_linux_arm64.apk" ;; \
+    amd64) glab_apk_url="https://csgclaw.opencsg.com/apks/glab_1.92.1_linux_amd64.apk" ;; \
+    *) echo "glab: unsupported TARGETARCH=${TARGETARCH}" >&2; exit 1 ;; \
+  esac; \
+  curl -fsSL "$glab_apk_url" -o /tmp/glab.apk; \
+  apk add --no-cache --allow-untrusted /tmp/glab.apk; \
+  rm -f /tmp/glab.apk; \
+  glab --version
+
+ENV GLAB_TELEMETRY_DISABLED=1
+
 # Health check (use 127.0.0.1: gateway listens on IPv4 only; "localhost" may resolve to ::1 and fail)
 HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
   CMD wget -q --spider http://127.0.0.1:18790/health || exit 1