From 990aceff0ee52cdad963a9d7c41e716ac3c25778 Mon Sep 17 00:00:00 2001 From: Sagent Date: Tue, 9 Jun 2026 16:18:58 +0000 Subject: [PATCH] =?UTF-8?q?docs:=20add=20dependency=20management=20section?= =?UTF-8?q?=20=E2=80=94=20renovate=20must=20track=20all=20pinned=20Dockerf?= =?UTF-8?q?ile=20packages?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- AGENTS.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/AGENTS.md b/AGENTS.md index 85ffd5c..3b0bed9 100644 --- a/AGENTS.md +++ b/AGENTS.md 
@@ -14,10 +14,16 @@ This repository builds and publishes a Docker image for [OpenCode](https://openc └── README.md # Usage documentation ``` +## Dependency management + +- **Always pin versions** in the Dockerfile `npm install` command (e.g. `opencode-ai@1.16.2 n2-soul@9.0.9`). Never leave packages unpinned. +- **Update renovate customManagers** when adding, removing, or renaming a dependency tracked in the Dockerfile. Each pinned package must have a corresponding `customManager` entry in `renovate.json` with a regex `matchStrings` pattern that captures the version. If a dependency is added without a renovate entry, Renovatebot will not open automated PRs for it. +- **apt packages** (apt-get install lines in Dockerfile) and **COPY --from** image references are not currently tracked by Renovate. Pinning these manually is acceptable for now but adding renovate managers for them is encouraged. + ## Dockerfile conventions - **Base image**: `node:24` — Debian-based Node.js image (not Alpine, needed for apt packages). -- **Install**: `npm i -g opencode-ai n2-soul@` — installs OpenCode and Soul globally. +- **Install**: `npm i -g opencode-ai@ n2-soul@` — installs OpenCode and Soul globally, both pinned. - **Version check**: `RUN opencode --version` after install to validate the build and record the installed version in build logs. - **Dedicated user**: a non-root `opencode` user and group are created with `groupadd`/`useradd` (UID/GID 1000). All runtime steps run as this user. - **Cluster tooling**: `kubectl` is copied from the official `registry.k8s.io/kubectl` image (multi-stage COPY).
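Review bot: In the changed **Install** bullet under "Dockerfile conventions", the command is written as `npm i -g opencode-ai@ n2-soul@` with nothing after either `@`, so the line that says "both pinned" shows no version and sits awkwardly next to the new rule "Never leave packages unpinned". Suggest an explicit placeholder such as `opencode-ai@<version> n2-soul@<version>`, or a pointer to the example already given in the new section (`opencode-ai@1.16.2 n2-soul@9.0.9`), so nobody copies the bare `@` form into the Dockerfile. The new "Dependency management" section also says nothing about the base image: the context line shows `node:24`, which is not covered by the npm, apt or `COPY --from` bullets, so it is worth stating whether the `FROM` line is tracked by Renovate and how tightly it is expected to be pinned. The customManagers bullet would also benefit from a sentence telling contributors to check that the new `matchStrings` regex actually matches the Dockerfile line, since a pattern that does not match leaves the package untracked in the same silent way as a missing entry.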