Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 27 additions & 0 deletions images/code/Containerfile
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,13 @@ RUN if command -v apt-get >/dev/null 2>&1; then \
# env file overrides this with the OpenShell bundle if present.
RUN git config --system http.sslCAInfo /etc/ssl/certs/ca-certificates.crt 2>/dev/null || true

# Configure Git to use gitsign for commit signing (keyless signing via Sigstore).
# Signing is opt-in: enabled per-agent via GIT_CONFIG_* env vars in the agents
# repo, not globally. This avoids blocking commits when Sigstore endpoints are
# not accessible or when signing is not needed.
RUN git config --system gpg.format x509 \
&& git config --system gpg.x509.program gitsign

# ---------------------------------------------------------------------------
# Go toolchain — needed to compile and run tests in Go-based target repos.
# Without this the agent falls back to manual code review (no `go build`,
Expand Down Expand Up @@ -94,6 +101,26 @@ RUN case "$TARGETARCH" in \
&& chmod +x /usr/local/bin/lychee \
&& rm -rf /tmp/lychee.tar.gz "/tmp/lychee-${LY_TRIPLE}"

# ---------------------------------------------------------------------------
# gitsign — keyless Git signing using Sigstore. Used to cryptographically
# sign agent commits with verifiable provenance via OIDC.
# To update: bump GITSIGN_VERSION and GITSIGN_SHA256_{AMD64,ARM64} from:
# https://github.com/sigstore/gitsign/releases
ARG GITSIGN_VERSION=0.16.1
ARG GITSIGN_SHA256_AMD64=4a29a1f4b9add1f0f6d9a3e9e6ba0cffa121b971be82d62bb1496d7d1d877b0a
ARG GITSIGN_SHA256_ARM64=66eb0378608c8fbceb497eecb58a525345549f46e9588616daa0f157624f33b4
RUN case "$TARGETARCH" in \
amd64) GS_SHA="$GITSIGN_SHA256_AMD64" ;; \
arm64) GS_SHA="$GITSIGN_SHA256_ARM64" ;; \
*) echo "unsupported TARGETARCH=$TARGETARCH" >&2; exit 1 ;; \
esac \
&& curl -fsSL \
"https://github.com/sigstore/gitsign/releases/download/v${GITSIGN_VERSION}/gitsign_${GITSIGN_VERSION}_linux_${TARGETARCH}" \
-o /tmp/gitsign \
&& echo "${GS_SHA} /tmp/gitsign" | sha256sum -c - \
Comment on lines +117 to +120

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Informational

1. No download retries 🐞 Bug ☼ Reliability

The new gitsign install layer uses a single-shot curl -fsSL without retries/timeouts, so transient
network failures will fail the entire image build instead of recovering on retry. This increases
CI/build flakiness for images/code builds compared to other repo downloads that already use
--retry.
Agent Prompt
### Issue description
The gitsign binary download uses `curl -fsSL` with no retry/timeout flags, which makes the code-agent image build fail on transient network errors.

### Issue Context
Elsewhere in this repo, some external downloads are already treated as flaky and use `curl --retry` (e.g., ProtectAI model download in the sandbox base image).

### Fix Focus Areas
- images/code/Containerfile[112-122]

### Suggested change
Update the gitsign `curl` invocation to include retry + timeout options (example):
- `--retry 3 --retry-delay 5 --connect-timeout 10 --max-time 120`

Keep `-f`/`--fail` behavior so checksum verification still runs only on successful downloads.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

&& mv /tmp/gitsign /usr/local/bin/gitsign \
&& chmod +x /usr/local/bin/gitsign

# ---------------------------------------------------------------------------
# gitleaks is already installed in the base sandbox image.
# See images/sandbox/Containerfile for the pinned version and checksums.
Expand Down
Loading