From 6356e0f1d0f9fd2b4e53f99978596112dd309a05 Mon Sep 17 00:00:00 2001
From: Eason WaveKat
Date: Tue, 19 May 2026 20:22:29 +1200
Subject: [PATCH 1/2] fix(gha-runners): install gh CLI in docker runner image

release-plz/git-config shells out to `gh api graphql` to derive the commit identity; the container lacked gh and the job exit-127'd.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 scripts/docker/Dockerfile | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/scripts/docker/Dockerfile b/scripts/docker/Dockerfile
index ee10dcd..1701fe4 100644
--- a/scripts/docker/Dockerfile
+++ b/scripts/docker/Dockerfile
@@ -34,6 +34,19 @@ RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
 && corepack enable \
 && rm -rf /var/lib/apt/lists/*
 
+# GitHub CLI (`gh`) — required by actions that shell out to the GitHub
+# API (e.g. release-plz/git-config calls `gh api graphql` to derive the
+# commit identity). Not in the default Ubuntu archive, so we add the
+# official cli.github.com apt repo.
+RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+ -o /usr/share/keyrings/githubcli-archive-keyring.gpg \
+ && chmod a+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
+ && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
+ > /etc/apt/sources.list.d/github-cli.list \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends gh \
+ && rm -rf /var/lib/apt/lists/*
+
 # Non-root runner user. Passwordless sudo so workflows can still do
 # `sudo apt-get install ...` for one-off deps — safe inside the
 # container's isolated rootfs.
From 11f3167b582c0b6886aff21df293e35d11eeab01 Mon Sep 17 00:00:00 2001
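Review bot: The keyring saved to `/usr/share/keyrings/githubcli-archive-keyring.gpg` is trusted exactly as downloaded, and it comes from the same origin as the packages, so the `signed-by` pin does not protect against a tampered or substituted key at build time. Recording the expected digest in the repository and checking it before the `echo "deb ..."` step would anchor that trust, e.g. `&& echo "<EXPECTED_KEYRING_SHA256>  /usr/share/keyrings/githubcli-archive-keyring.gpg" | sha256sum -c - \` (placeholder digest, to be updated when the key is rotated). `gh` is also installed without a version, so rebuilds of the runner image can pick up a different release; `gh=<PINNED_VERSION>` (placeholder) would keep the image reproducible.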
From: Eason WaveKat
Date: Tue, 19 May 2026 20:58:14 +1200
Subject: [PATCH 2/2] fix(gha-runners): install Rust toolchain in docker runner image

release-plz and other Rust-based workflows shell out to `cargo`; the container lacked the Rust toolchain and the job exit-127'd. Installed via rustup under /usr/local so both root and the runner user have it on PATH.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 scripts/docker/Dockerfile | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/scripts/docker/Dockerfile b/scripts/docker/Dockerfile
index 1701fe4..527203d 100644
--- a/scripts/docker/Dockerfile
+++ b/scripts/docker/Dockerfile
@@ -47,6 +47,19 @@ RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
 && apt-get install -y --no-install-recommends gh \
 && rm -rf /var/lib/apt/lists/*
 
+# Rust toolchain (stable) via rustup. Required by Rust-based workflows
+# and by actions like release-plz that shell out to `cargo`. Installed
+# system-wide under /usr/local so both root and the `runner` user can
+# use it without PATH gymnastics.
+ENV RUSTUP_HOME=/usr/local/rustup \
+ CARGO_HOME=/usr/local/cargo \
+ PATH=/usr/local/cargo/bin:$PATH
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
+ | sh -s -- -y --no-modify-path --profile minimal --default-toolchain stable \
+ && chmod -R a+rwX "$RUSTUP_HOME" "$CARGO_HOME" \
+ && rustc --version \
+ && cargo --version
+
 # Non-root runner user. Passwordless sudo so workflows can still do
 # `sudo apt-get install ...` for one-off deps — safe inside the
 # container's isolated rootfs.
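Review bot: The `RUN curl ... https://sh.rustup.rs | sh` step installs whatever the installer script and `--default-toolchain stable` resolve to at build time, with no checksum on the script and no pinned version, so two builds of this Dockerfile can ship different compilers to the release workflows. Pinning the toolchain makes the image reproducible and reviewable: add `ARG RUST_VERSION=<PINNED_VERSION>` (placeholder) above the `RUN` and pass `--default-toolchain "$RUST_VERSION"`. Separately, `chmod -R a+rwX "$RUSTUP_HOME" "$CARGO_HOME"` makes the binaries in `/usr/local/cargo/bin` world-writable while the `ENV` line puts that directory first on `PATH`, so any job step can replace `cargo` or `rustc` for later steps. If workflows only need to write the registry and git caches (not visible here), `a+rX` on the tree plus a writable cache directory would be tighter. The pipe also runs under the default shell without `pipefail`, so a failed `curl` is caught only indirectly by the later `chmod` and `rustc --version`.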