openova

History

e3mrah cadc7b5cea fix(sandbox-ci): mcp-server Dockerfile repo-root context + pty/mcp auto-bump wiring (chart was half-deployable) (#1667 ) Sandbox chart was un-deployable end-to-end because three CI-side gaps compounded after PR #1658 wired the mcp-server module to depend on core/controllers + core/services/shared via `replace` directives: 1. mcp-server Dockerfile built against a too-narrow context. The workflow passed `context: products/sandbox/mcp-server` and the Dockerfile assumed `COPY . .` could see everything it needed, but the `replace ../../../core/controllers` line in the module's go.mod only resolves when the build can actually reach those paths. Result: every push after #1658 failed at `go build` with `module not found`. Fix mirrors core/controllers/sandbox/Dockerfile (Slice-CC1 layout): COPY the replace targets' module roots + sources, then build with WORKDIR set to the dependent module. Static binary still produced into a distroless/static-debian12:nonroot final stage. 2. mcp-server workflow had no chart auto-bump step. Even after a green build, `runtime.mcpImage` in platform/sandbox/chart/values.yaml stayed empty so the chart's `required` guard (deployment.yaml line 72) refused to render. Added the same yq-bump + bot-commit pattern build-sandbox-controller.yaml already uses, targeting `.runtime.mcpImage` and writing a fully-qualified `<repo>:<sha>` string (consumer reads it as one image reference, not a {repository,tag} pair). Also widened paths-filter to include core/controllers/ + core/services/shared/ so changes to the replace targets re-trigger the build. 3. pty-server workflow had no auto-bump either. Same surgery: yq-bump `.runtime.ptyServerImage` + commit-and-push. Context stays narrow (pty-server has no cross-tree `replace` directives). 4. Stop-gap pin values for runtime.{ptyServerImage,mcpImage} so the next chart roll out doesn't fail-fast before the rebuilt workflows land their first bumps: - ptyServerImage → `ad5163e6` (current latest pty-server) - mcpImage → `1b0e86c` (last pre-#1658 green build; the rebuilt workflow will land the next real SHA on the next push to main). Verified locally: - `go build ./products/sandbox/mcp-server/...` clean (43.8 MB static binary at /tmp/openova-sandbox-mcp; `file` confirms statically linked ELF). - `helm template test platform/sandbox/chart --set enabled=true …` renders cleanly; both env vars carry the SHA-pinned image refs. No Chart.yaml bump. Read-only clusters. Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-18 13:22:17 +04:00
..
workflows	fix(sandbox-ci): mcp-server Dockerfile repo-root context + pty/mcp auto-bump wiring (chart was half-deployable) (#1667 )	2026-05-18 13:22:17 +04:00
dependabot.yml	chore(ci): add Dependabot for npm and GitHub Actions dependency updates	2026-03-19 13:42:02 +01:00

fix(sandbox-ci): mcp-server Dockerfile repo-root context + pty/mcp auto-bump wiring (chart was half-deployable) (#1667 )

Sandbox chart was un-deployable end-to-end because three CI-side gaps
compounded after PR #1658 wired the mcp-server module to depend on
core/controllers + core/services/shared via `replace` directives:

1. **mcp-server Dockerfile built against a too-narrow context**. The
   workflow passed `context: products/sandbox/mcp-server` and the
   Dockerfile assumed `COPY . .` could see everything it needed, but
   the `replace ../../../core/controllers` line in the module's go.mod
   only resolves when the build can actually reach those paths. Result:
   every push after #1658 failed at `go build` with `module not found`.
   Fix mirrors core/controllers/sandbox/Dockerfile (Slice-CC1 layout):
   COPY the replace targets' module roots + sources, then build with
   WORKDIR set to the dependent module. Static binary still produced
   into a distroless/static-debian12:nonroot final stage.

2. **mcp-server workflow had no chart auto-bump step**. Even after a
   green build, `runtime.mcpImage` in platform/sandbox/chart/values.yaml
   stayed empty so the chart's `required` guard
   (deployment.yaml line 72) refused to render. Added the same
   yq-bump + bot-commit pattern build-sandbox-controller.yaml already
   uses, targeting `.runtime.mcpImage` and writing a fully-qualified
   `<repo>:<sha>` string (consumer reads it as one image reference,
   not a {repository,tag} pair). Also widened paths-filter to include
   core/controllers/** + core/services/shared/** so changes to the
   replace targets re-trigger the build.

3. **pty-server workflow had no auto-bump either**. Same surgery:
   yq-bump `.runtime.ptyServerImage` + commit-and-push. Context stays
   narrow (pty-server has no cross-tree `replace` directives).

4. **Stop-gap pin values for runtime.{ptyServerImage,mcpImage}** so the
   next chart roll out doesn't fail-fast before the rebuilt workflows
   land their first bumps:
   - ptyServerImage → ad5163e6 (current latest pty-server)
   - mcpImage → 1b0e86c (last pre-#1658 green build; the rebuilt
     workflow will land the next real SHA on the next push to main).

Verified locally:
- `go build ./products/sandbox/mcp-server/...` clean (43.8 MB static
  binary at /tmp/openova-sandbox-mcp; `file` confirms statically
  linked ELF).
- `helm template test platform/sandbox/chart --set enabled=true …`
  renders cleanly; both env vars carry the SHA-pinned image refs.

No Chart.yaml bump. Read-only clusters.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-18 13:22:17 +04:00

workflows fix(sandbox-ci): mcp-server Dockerfile repo-root context + pty/mcp auto-bump wiring (chart was half-deployable) (#1667 ) 2026-05-18 13:22:17 +04:00

dependabot.yml chore(ci): add Dependabot for npm and GitHub Actions dependency updates 2026-03-19 13:42:02 +01:00