feat: init
@@ -0,0 +1,52 @@
|
||||
name: Nightly Rebuild
|
||||
|
||||
on:
|
||||
schedule:
|
||||
- cron: '0 0 * * *'
|
||||
|
||||
jobs:
|
||||
hadolint:
|
||||
runs-on: ubuntu-latest
|
||||
continue-on-error: true
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
- uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
|
||||
with:
|
||||
dockerfile: Dockerfile
|
||||
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
|
||||
- run: docker build -t ci-image:${{ github.sha }} .
|
||||
|
||||
build-push:
|
||||
needs: [build]
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
|
||||
- uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
|
||||
with:
|
||||
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
||||
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
||||
- id: get-latest-tag
|
||||
run: |
|
||||
TAG=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
|
||||
echo "tag=$TAG" >> $GITHUB_OUTPUT
|
||||
- id: meta
|
||||
uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
|
||||
with:
|
||||
images: jcabillot/hermes-agent
|
||||
tags: |
|
||||
type=raw,value=${{ steps.get-latest-tag.outputs.tag }}-latest,enable=${{ steps.get-latest-tag.outputs.tag != '' }}
|
||||
- uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
|
||||
with:
|
||||
context: .
|
||||
push: true
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
pull: true
|
||||
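Review bot: When no tag is reachable from HEAD, the `enable=${{ steps.get-latest-tag.outputs.tag != '' }}` guard on the `type=raw` line leaves `steps.meta.outputs.tags` empty, and the following `docker/build-push-action` step with `push: true` then fails the job instead of skipping it (buildx rejects a push with no tag), so the guard only relocates the failure. Gate the `meta` and build-push steps instead with `if: steps.get-latest-tag.outputs.tag != ''`. Two smaller points in the same job: the `echo "tag=$TAG" >> $GITHUB_OUTPUT` line should quote the redirect target (`>> "$GITHUB_OUTPUT"`), and since the Dockerfile in this commit pins `HERMES_AGENT_VERSION`, `pull: true` only refreshes the base when upstream re-publishes that same tag — the `apt-get upgrade` layer is what actually picks up fixes on a nightly run, which is worth a comment above the `build-push` job.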
@@ -0,0 +1,39 @@
|
||||
name: Main Release
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [main]
|
||||
|
||||
jobs:
|
||||
hadolint:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
- uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
|
||||
with:
|
||||
dockerfile: Dockerfile
|
||||
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
|
||||
- run: docker build -t ci-image:${{ github.sha }} .
|
||||
|
||||
tag:
|
||||
needs: [build]
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- name: Configure git auth
|
||||
run: |
|
||||
git remote set-url origin "https://x-access-token:${{ secrets.SA_TOKEN_ACTION_PUSH_TAGS }}@scm.cabillot.eu/web/hermes-agent.git"
|
||||
- uses: anothrNick/github-tag-action@4ed44965e0db8dab2b466a16da04aec3cc312fd8 # v1.75.0
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.SA_TOKEN_ACTION_PUSH_TAGS }}
|
||||
DEFAULT_BUMP: patch
|
||||
RELEASE_BRANCHES: main
|
||||
WITH_V: true
|
||||
GIT_API_TAGGING: false
|
||||
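Review bot: The `tag` job declares `needs: [build]` only, so a failing `hadolint` job — which here, unlike in the Nightly and Tag Release workflows, has no `continue-on-error` and so looks intended to block — does not stop the patch tag from being pushed, and that push immediately triggers the Tag Release publish; change it to `needs: [build, hadolint]`. Also, `git remote set-url origin "https://x-access-token:…@…"` stores the `SA_TOKEN_ACTION_PUSH_TAGS` value in `.git/config` for the rest of the job; acceptable on an ephemeral runner, but a comment on the `Configure git auth` step explaining why the token goes into the remote URL (`# github-tag-action pushes over git (GIT_API_TAGGING: false), so the remote must carry the credential`) would make the intent clear to the next reader.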
@@ -0,0 +1,21 @@
|
||||
name: PR Checks
|
||||
|
||||
on:
|
||||
pull_request:
|
||||
branches: [main]
|
||||
|
||||
jobs:
|
||||
hadolint:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
- uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
|
||||
with:
|
||||
dockerfile: Dockerfile
|
||||
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
|
||||
- run: docker build -t ci-image:${{ github.sha }} .
|
||||
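Review bot: The `build` step runs `docker build` without `--pull`, while the AGENTS.md added in this same commit documents the pipeline as building with `docker build --pull` and the publish jobs use `pull: true`; on a runner that keeps a layer cache the PR build can pass against a stale base image that the release build will never use. Either add the flag here (`- run: docker build --pull -t ci-image:${{ github.sha }} .`) or correct the documentation. The same `docker build` line without `--pull` also appears in the `build` job of the Nightly, Main Release and Tag Release workflows.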
@@ -0,0 +1,47 @@
|
||||
name: Tag Release
|
||||
|
||||
on:
|
||||
push:
|
||||
tags: ['*']
|
||||
|
||||
jobs:
|
||||
hadolint:
|
||||
runs-on: ubuntu-latest
|
||||
continue-on-error: true
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
- uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
|
||||
with:
|
||||
dockerfile: Dockerfile
|
||||
|
||||
build:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
|
||||
- run: docker build -t ci-image:${{ github.sha }} .
|
||||
|
||||
build-push:
|
||||
needs: [build]
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
|
||||
- uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
|
||||
- uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4
|
||||
with:
|
||||
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
||||
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
||||
- id: meta
|
||||
uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6
|
||||
with:
|
||||
images: jcabillot/hermes-agent
|
||||
tags: |
|
||||
type=ref,event=tag
|
||||
type=ref,event=tag,suffix=-latest
|
||||
- uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
|
||||
with:
|
||||
context: .
|
||||
push: true
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
pull: true
|
||||
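Review bot: The `meta` step only emits `<tag>` and `<tag>-latest` (`type=ref,event=tag` plus the `-latest` suffix), but the README and AGENTS.md added in this same commit document the published tags as `latest` and `sha-<commit>`, neither of which any workflow in the commit produces; either add `type=raw,value=latest` and `type=sha` to the `tags:` block or update the two documents. Separately, `tags: ['*']` makes every pushed tag a publish trigger, not only the `v*` tags that Main Release creates; if that is intended, a comment on the `on:` block saying so would stop the next reader from narrowing it.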
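--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,39 @@
+# AGENTS.md
+
+## 1. Overview
+
+Container image definition for Hermes Agent with supplementary tooling, distributed via Docker Hub as `jcabillot/hermes-agent`.
+
+## 2. Folder Structure
+
+- `Dockerfile`: Multi-stage image build — starts from `nousresearch/hermes-agent`, installs `gnupg` and `jq`, drops privileges back to the base user.
+- `.gitea/workflows/docker-build.yaml`: Gitea Actions pipeline — builds and pushes the image to Docker Hub on push to `main` and on a daily cron schedule.
+- `renovate.json`: Regex-based custom manager that tracks upstream `nousresearch/hermes-agent` Docker tag updates and opens PRs automatically.
+- `README.md`: Public-facing documentation (image usage, tags, build instructions).
+- `AGENTS.md`: This file — contributor guide for AI agents.
+
+## 3. Core Behaviors & Patterns
+
+- **Build & Release**: The Dockerfile uses `ARG HERMES_AGENT_VERSION` pinned to a specific tag. On push to `main`, the CI pipeline builds with `docker build --pull`, tags the image as `latest` and `sha-<commit>`, pushes to `jcabillot/hermes-agent`, and auto-bumps the git tag (`patch`). A daily cron rebuild ensures the base image's latest security patches are pulled.
+- **Dependency Tracking**: renovate.json uses a regex custom manager to scan `Dockerfile` for `ARG HERMES_AGENT_VERSION=v<version>` and opens a PR when `nousresearch/hermes-agent` publishes a new Docker tag. Base image version is the single tracked dependency.
+- **Security Posture**: The build runs as `root` only for `apt` operations, then drops to an unprivileged user (`UID/GID 10000`). The CI pipeline uses Docker Buildx with `pull: true` to ensure fresh base layers.
+- **Tag Strategy**: Two tags produced — `latest` (floating, main branch) and `sha-<commit>` (immutable, per-commit). Rolling tags (branch names) are intentionally omitted to avoid ambiguity.
+
+## 4. Conventions
+
+- **Version Pinning**: Base image versions are pinned via `ARG` at the top of the Dockerfile, not hardcoded in `FROM`. The version is managed by renovate, not manually updated.
+- **CI Secrets**: Three secrets required — `DOCKERHUB_USERNAME`, `DOCKERHUB_TOKEN`, `GITHUB_TOKEN`. The login step is skipped on pull request events to prevent credential exposure from forks.
+- **Dockerfile Style**: `apt-get` operations run in a single `RUN` layer with cleanup (`rm -rf /var/lib/apt/lists/*`). Comments annotate user context transitions. Hadolint ignores pinned with inline comments.
+- **Pin Hashing**: All GitHub Action versions in the pipeline are pinned to commit SHA hashes with the semantic version in a trailing comment.
+
+## 5. Working Agreements
+
+- Respond in the user's preferred language (French or English); keep technical terms in English, never translate code blocks
+- Create tests/lint only when explicitly requested
+- Build context by reviewing related usages and patterns before editing
+- Prefer simple solutions; avoid unnecessary abstraction
+- Ask for clarification when requirements are ambiguous
+- Make minimal changes; preserve public APIs and behavior
+- Run type-check after code changes (no type-checker in this project — skip)
+- New files: single-purpose, colocated with related concerns
+- External dependencies: only when necessary, explain why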
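--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,21 @@
+# Base image (nousresearch/hermes-agent) already ships with:
+# git, curl, ripgrep, docker-cli, openssh-client, python3-dev,
+# gcc, ffmpeg, node 22, npm, procps, xz-utils, s6-overlay.
+
+ARG HERMES_AGENT_VERSION=v2026.6.5
+FROM nousresearch/hermes-agent:${HERMES_AGENT_VERSION}
+
+USER root
+
+# Install system packages and HashiCorp repo
+# hadolint ignore=DL3008
+RUN apt-get update -qq && apt-get upgrade -qq --yes --no-install-recommends \
+gnupg \
+jq \
+&& apt-get -qq --yes autoremove --purge \
+&& rm -rf /var/lib/apt/lists/*
+
+# Drop back to the base image's default user
+ARG HERMES_UID=10000
+ARG HERMES_GID=10000
+USER ${HERMES_UID}:${HERMES_GID}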
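Review bot: The `RUN` layer installs `gnupg` and `jq` via `apt-get upgrade … gnupg jq`; apt does accept package names on `upgrade` (it then upgrades every installed package and installs the named ones), but the line reads like a typo for `install`. If only the two packages are wanted, write `apt-get install -qq --yes --no-install-recommends gnupg jq`; if the full upgrade is deliberate — it is what gives the nightly rebuild its value, since `HERMES_AGENT_VERSION` is pinned — split it into its own `apt-get upgrade -qq --yes` and say so in the comment, which currently reads `# Install system packages and HashiCorp repo` although no HashiCorp repository is added anywhere in the layer. A note beside `# hadolint ignore=DL3008` that package versions are intentionally left unpinned so the daily rebuild picks up Debian security updates would record that trade-off, and the `# Drop back to the base image's default user` comment asserts that `10000:10000` is the upstream image's user, which is worth confirming against upstream and noting where the numbers come from.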
@@ -1,3 +1,28 @@
|
||||
# hermes-agent
|
||||
|
||||
Hermes Agent container image
|
||||
Container image for [Hermes Agent](https://github.com/NousResearch/hermes-agent) with additional tooling.
|
||||
|
||||
## Image
|
||||
|
||||
`jcabillot/hermes-agent` — [Docker Hub](https://hub.docker.com/r/jcabillot/hermes-agent)
|
||||
|
||||
Based on `nousresearch/hermes-agent` with `gnupg` and `jq` added.
|
||||
|
||||
## Usage
|
||||
|
||||
```bash
|
||||
docker pull jcabillot/hermes-agent
|
||||
```
|
||||
|
||||
## Build locally
|
||||
|
||||
```bash
|
||||
docker build -t jcabillot/hermes-agent .
|
||||
```
|
||||
|
||||
## Tags
|
||||
|
||||
| Tag | Description |
|
||||
|-----|-------------|
|
||||
| `latest` | Latest stable build from `main` |
|
||||
| `sha-<commit>` | Per-commit build |
|
||||
|
||||
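--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,15 @@
+{
+"$schema": "https://docs.renovatebot.com/renovate-schema.json",
+"customManagers": [
+{
+"customType": "regex",
+"description": "Track nousresearch/hermes-agent Docker tag pinned in Dockerfile ARG",
+"managerFilePatterns": ["/^Dockerfile$/"],
+"matchStrings": ["ARG HERMES_AGENT_VERSION=v(?<currentValue>[^\\s]+)"],
+"depNameTemplate": "nousresearch/hermes-agent",
+"datasourceTemplate": "docker",
+"versioningTemplate": "docker",
+"extractVersionTemplate": "v^(?<version>.*)$"
+}
+]
+}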
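Review bot: `"extractVersionTemplate": "v^(?<version>.*)$"` can never match: `^` is a start-of-input anchor, so no character may precede it, and Renovate drops datasource versions that fail `extractVersion`, which means no upstream `v…` tag will ever be offered as an update. It should be `"extractVersionTemplate": "^v(?<version>.*)$"`, which strips the leading `v` so the tag compares against the `v`-less `currentValue` that `matchStrings` captures.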