feat(CI): Add a github action to build the sandbox image and push to GHCR (#8670)

Co-authored-by: matt korwel <matt.korwel@gmail.com>
2026-02-01 22:48:03 +00:00 · 2025-09-20 10:19:03 -04:00
parent 44691a4ce6
commit aba23feddd
3 changed files with 125 additions and 13 deletions
--- a/.github/actions/push-sandbox/action.yaml
+++ b/.github/actions/push-sandbox/action.yaml
@@ -0,0 +1,85 @@
+name: 'Build and push sandbox docker'
+description: 'Pushes sandbox docker image to container registry'
+
+inputs:
+  github-actor:
+    description: 'Github actor'
+    required: true
+  github-secret:
+    description: 'Github secret'
+    required: true
+  github-sha:
+    description: 'Github Commit SHA Hash'
+    required: true
+  github-ref-name:
+    description: 'Github ref name'
+    required: true
+  dry-run:
+    description: 'Whether this is a dry run.'
+    required: true
+    type: 'boolean'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: 'Checkout'
+      uses: 'actions/checkout@v4'
+      with:
+        ref: '${{ inputs.github-sha }}'
+        fetch-depth: 0
+    - name: 'Install Dependencies'
+      shell: 'bash'
+      run: 'npm install'
+    - name: 'npm build'
+      shell: 'bash'
+      run: 'npm run build'
+    - name: 'Set up Docker Buildx'
+      uses: 'docker/setup-buildx-action@v3'
+    - name: 'Log in to GitHub Container Registry'
+      uses: 'docker/login-action@v3'
+      with:
+        registry: 'ghcr.io'
+        username: '${{ inputs.github-actor }}'
+        password: '${{ inputs.github-secret }}'
+    - name: 'determine image tag'
+      id: 'image_tag'
+      shell: 'bash'
+      run: |-
+        SHELL_TAG_NAME="${{ inputs.github-ref-name }}"
+        FINAL_TAG="${{ inputs.github-sha }}"
+        if [[ "$SHELL_TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]]; then
+          echo "Release detected."
+          FINAL_TAG="${SHELL_TAG_NAME#v}"
+        else
+          echo "Development release detected. Using commit SHA as tag."
+        fi
+        echo "Determined image tag: $FINAL_TAG"
+        echo "FINAL_TAG=$FINAL_TAG" >> $GITHUB_OUTPUT
+    - name: 'build'
+      id: 'docker_build'
+      shell: 'bash'
+      env:
+        GEMINI_SANDBOX_IMAGE_TAG: '${{ steps.image_tag.outputs.FINAL_TAG }}'
+        GEMINI_SANDBOX: 'docker'
+      run: |-
+        npm run build:sandbox -- \
+          --image ghcr.io/${{ github.repository}}/sandbox:${{ steps.image_tag.outputs.FINAL_TAG }} \
+          --output-file final_image_uri.txt
+        echo "uri=$(cat final_image_uri.txt)" >> $GITHUB_OUTPUT
+    - name: 'publish'
+      shell: 'bash'
+      if: "${{ inputs.dry-run == 'false' }}"
+      run: |-
+        docker push "${{ steps.docker_build.outputs.uri }}"
+    - name: 'Create issue on failure'
+      if: |-
+        ${{ failure() }}
+      shell: 'bash'
+      env:
+        GITHUB_TOKEN: '${{ inputs.github-secret }}'
+        DETAILS_URL: '${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}'
+      run: |-
+        gh issue create \
+          --title "Docker build failed" \
+          --body "The docker build failed. See the full run for details: ${DETAILS_URL}" \
+          --label "kind/bug,release-failure"
--- a/.github/workflows/release-sandbox.yml
+++ b/.github/workflows/release-sandbox.yml
@@ -0,0 +1,33 @@
+name: 'Release Sandbox'
+
+on:
+  workflow_dispatch:
+    inputs:
+      ref:
+        description: 'The branch, tag, or SHA to release from.'
+        required: false
+        type: 'string'
+        default: 'main'
+      dry-run:
+        description: 'Whether this is a dry run.'
+        required: false
+        type: 'boolean'
+        default: true
+
+jobs:
+  build:
+    runs-on: 'ubuntu-latest'
+    steps:
+      - name: 'Checkout'
+        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8'
+        with:
+          ref: '${{ github.event.inputs.ref || github.sha }}'
+          fetch-depth: 0
+      - name: 'Push'
+        uses: './.github/actions/push-sandbox'
+        with:
+          github-actor: '${{ github.actor }}'
+          github-secret: '${{ secrets.GITHUB_TOKEN }}'
+          github-sha: '${{ github.event.inputs.ref || github.sha }}'
+          github-ref-name: '${{github.event.inputs.ref}}'
+          dry-run: '${{ github.event.inputs.dry-run }}'
--- a/scripts/build_sandbox.js
+++ b/scripts/build_sandbox.js
@@ -41,11 +41,13 @@ const argv = yargs(hideBin(process.argv))
  .option('f', {
    alias: 'dockerfile',
    type: 'string',
+    default: 'Dockerfile',
    description: 'use <dockerfile> for custom image',
  })
  .option('i', {
    alias: 'image',
    type: 'string',
+    default: cliPkgJson.config.sandboxImageUri,
    description: 'use <image> name for custom image',
  })
  .option('output-file', {
@@ -74,12 +76,10 @@ if (sandboxCommand === 'sandbox-exec') {

 console.log(`using ${sandboxCommand} for sandboxing`);

-const baseImage = cliPkgJson.config.sandboxImageUri;
-const customImage = argv.i;
-const baseDockerfile = 'Dockerfile';
-const customDockerfile = argv.f;
+const image = argv.i;
+const dockerFile = argv.f;

-if (!baseImage?.length) {
+if (!image.length) {
  console.warn(
    'No default image tag specified in gemini-cli/packages/cli/package.json',
  );
@@ -160,7 +160,7 @@ function buildImage(imageName, dockerfile) {
    execSync(
      `${sandboxCommand} build ${buildCommandArgs} ${
        process.env.BUILD_SANDBOX_FLAGS || ''
-      } --build-arg CLI_VERSION_ARG=${npmPackageVersion} -f "${dockerfile}" -t "${imageName}" .`,
+      } --build-arg CLI_VERSION_ARG=${npmPackageVersion} -f "${dockerfile}" -t "${finalImageName}" .`,
      { stdio: buildStdout, shell: shellToUse },
    );
    console.log(`built ${finalImageName}`);
@@ -187,12 +187,6 @@ function buildImage(imageName, dockerfile) {
  }
 }

-if (baseImage && baseDockerfile) {
-  buildImage(baseImage, baseDockerfile);
-}
-
-if (customDockerfile && customImage) {
-  buildImage(customImage, customDockerfile);
-}
+buildImage(image, dockerFile);

 execSync(`${sandboxCommand} image prune -f`, { stdio: 'ignore' });