Merge pull request 'fix: use git push instead of GitHub API for tag creation' (#11) from fix/git-tag-push into main

Reviewed-on: #11

.gitea/workflows/docker-build.yaml

@@ -14,6 +14,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          fetch-depth: 0
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
@@ -37,10 +39,20 @@ jobs:
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
 
       - name: Build and push
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7
+        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           pull: true
+
+      - name: Bump version and push tag
+        if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+        uses: anothrNick/github-tag-action@4ed44965e0db8dab2b466a16da04aec3cc312fd8 # v1.75.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          DEFAULT_BUMP: patch
+          RELEASE_BRANCHES: main
+          WITH_V: true
+          GIT_API_TAGGING: false

AGENTS.md

@@ -2,33 +2,40 @@
 
 ## Project overview
 
-This repository builds and publishes a Docker image for [OpenCode](https://opencode.ai), the open source AI coding agent. The image runs OpenCode in headless server mode (`opencode serve`) and is automatically rebuilt and pushed to Docker Hub (`jcabillot/opencode`) every night by a Jenkins pipeline.
+This repository builds and publishes a Docker image for [OpenCode](https://opencode.ai), the open source AI coding agent. The image runs OpenCode in headless server mode (`opencode serve`) and is automatically rebuilt and pushed to Docker Hub (`jcabillot/opencode`) every night by a Gitea Actions pipeline.
 
 ## Repository structure
 
 ```
 .
-├── Dockerfile      # Image definition
+├── Dockerfile                            # Image definition
-├── Jenkinsfile     # CI/CD pipeline (nightly build + Docker Hub push)
+├── .gitea/workflows/docker-build.yaml    # CI/CD pipeline (Gitea Actions)
-├── opencode-attach # Helper script for attaching to a running server
+├── renovate.json                         # Dependency update automation (Renovatebot)
-└── README.md       # Usage documentation
+├── opencode-attach                       # Helper script for attaching to a running server
+└── README.md                             # Usage documentation
 ```
 
+## Dependency management
+
+- **Always pin versions** in the Dockerfile `npm install` command (e.g. `opencode-ai@1.16.2 n2-soul@9.0.9`). Never leave packages unpinned.
+- **Update renovate customManagers** when adding, removing, or renaming a dependency tracked in the Dockerfile. Each pinned package must have a corresponding `customManager` entry in `renovate.json` with a regex `matchStrings` pattern that captures the version. If a dependency is added without a renovate entry, Renovatebot will not open automated PRs for it.
+- **apt packages** (apt-get install lines in Dockerfile) and **COPY --from** image references are not currently tracked by Renovate. Pinning these manually is acceptable for now but adding renovate managers for them is encouraged.
+
 ## Dockerfile conventions
 
 - **Base image**: `node:24` — Debian-based Node.js image (not Alpine, needed for apt packages).
-- **Install**: `npm i -g opencode-ai n2-soul@<version>` — installs OpenCode and Soul globally.
+- **Install**: `npm i -g opencode-ai@<version> n2-soul@<version>` — installs OpenCode and Soul globally, both pinned.
 - **Version check**: `RUN opencode --version` after install to validate the build and record the installed version in build logs.
 - **Dedicated user**: a non-root `opencode` user and group are created with `groupadd`/`useradd` (UID/GID 1000). All runtime steps run as this user.
 - **Cluster tooling**: `kubectl` is copied from the official `registry.k8s.io/kubectl` image (multi-stage COPY).
 - **Entrypoint**: `["opencode"]` — arguments are passed at runtime (e.g. `serve`).
 
-## Jenkinsfile conventions
+## CI/CD conventions (Gitea Actions)
 
-- The pipeline runs on a `@midnight` cron trigger for nightly rebuilds.
+- Pipeline triggers on push to `main`, PRs targeting `main`, and a nightly cron (`cron: '0 0 * * *'`).
-- Build uses `--no-cache --pull` to always fetch the latest base image and package version.
+- Image is pushed to Docker Hub only on non-PR events (main branch pushes and cron runs).
-- Docker Hub credentials are stored under the `dockerhub_jcabillot` Jenkins credential ID.
+- Docker Hub credentials are stored in Gitea Actions secrets (`DOCKERHUB_USERNAME`, `DOCKERHUB_TOKEN`).
-- The image is published as `jcabillot/opencode` (no explicit tag = `latest`).
+- The image is published as `jcabillot/opencode:latest` with digest and branch tags.
 
 ## Useful commands
 

Dockerfile

@@ -17,7 +17,7 @@ RUN apt-get update && \
     chown -R 1000:1000 /usr/local/lib/node_modules/n2-soul/
 
 COPY --chmod=755 opencode-attach /usr/local/bin/opencode-attach
-COPY --from=registry.k8s.io/kubectl:v1.36.1 /bin/kubectl /usr/local/bin/kubectl
+COPY --from=registry.k8s.io/kubectl:v1.36.2 /bin/kubectl /usr/local/bin/kubectl
 
 USER opencode
 WORKDIR /home/opencode

renovate.json

@@ -9,6 +9,15 @@
       "depNameTemplate": "n2-soul",
       "datasourceTemplate": "npm",
       "versioningTemplate": "npm"
+    },
+    {
+      "customType": "regex",
+      "description": "Track opencode-ai npm package pinned in Dockerfile RUN command",
+      "managerFilePatterns": ["/^Dockerfile$/"],
+      "matchStrings": ["opencode-ai@(?<currentValue>[^\\s]+)"],
+      "depNameTemplate": "opencode-ai",
+      "datasourceTemplate": "npm",
+      "versioningTemplate": "npm"
     }
   ]
-}
+}