fix(ci): restore bootstrap and e2e flows

skulidropek · skulidropek · commit 712cec13eda9 · 2026-03-15T19:21:02.000Z
diff --git a/packages/lib/src/core/templates-entrypoint/base.ts b/packages/lib/src/core/templates-entrypoint/base.ts
@@ -163,4 +163,5 @@ PrintLastLog no
 EOF
 chmod 0644 "$DOCKER_GIT_SSHD_CONF" || true`
 
-export const renderEntrypointSshd = (): string => `# 5) Run sshd in foreground\nexec /usr/sbin/sshd -D`
+export const renderEntrypointSshd = (): string =>
+  `# 5) Run sshd in foreground (log to stderr for CI/debuggability)\nexec /usr/sbin/sshd -D -e`
diff --git a/packages/lib/src/core/templates-entrypoint/nested-docker-git.ts b/packages/lib/src/core/templates-entrypoint/nested-docker-git.ts
@@ -136,7 +136,7 @@ docker_git_export_env_if_unset() {
 
   if [[ -n "${"$"}{!key+x}" ]]; then
     docker_git_upsert_ssh_env "$key" "${"$"}{!key}"
-    return 1
+    return 0
   fi
 
   export "$key=$value"
diff --git a/packages/lib/src/core/templates/docker-compose.ts b/packages/lib/src/core/templates/docker-compose.ts
@@ -62,8 +62,7 @@ const renderResourceLimits = (resourceLimits: ResolvedComposeResourceLimits | un
     ? ""
     : `    cpus: ${resourceLimits.cpuLimit}\n    mem_limit: "${resourceLimits.ramLimit}"\n    memswap_limit: "${resourceLimits.ramLimit}"\n`
 
-const renderBootstrapMounts = (): string =>
-  `      - ${bootstrapVolumeKey}:/opt/docker-git/bootstrap/source:ro`
+const renderBootstrapMounts = (): string => `      - ${bootstrapVolumeKey}:/opt/docker-git/bootstrap/source:ro`
 
 const buildPlaywrightFragments = (
   config: TemplateConfig,
diff --git a/packages/lib/src/core/templates/dockerfile.ts b/packages/lib/src/core/templates/dockerfile.ts
@@ -65,11 +65,31 @@ RUN claude --version`
 const renderDockerfileOpenCode = (): string =>
   `# Tooling: OpenCode (binary)
 RUN set -eu; \
+  ARCH="$(uname -m)"; \
+  case "$ARCH" in \
+    x86_64|amd64) OPENCODE_ARCH="x64" ;; \
+    aarch64|arm64) OPENCODE_ARCH="arm64" ;; \
+    *) echo "Unsupported arch for OpenCode: $ARCH" >&2; exit 1 ;; \
+  esac; \
+  OPENCODE_TARGET="linux-$OPENCODE_ARCH"; \
+  if [ "$OPENCODE_ARCH" = "x64" ] && ! grep -qwi avx2 /proc/cpuinfo 2>/dev/null; then \
+    OPENCODE_TARGET="$OPENCODE_TARGET-baseline"; \
+  fi; \
+  if [ -f /etc/alpine-release ] || { command -v ldd >/dev/null 2>&1 && ldd --version 2>&1 | grep -qi musl; }; then \
+    OPENCODE_TARGET="$OPENCODE_TARGET-musl"; \
+  fi; \
+  OPENCODE_ARCHIVE="opencode-$OPENCODE_TARGET.tar.gz"; \
+  mkdir -p /usr/local/.opencode/bin; \
   for attempt in 1 2 3 4 5; do \
-    if curl -fsSL --retry 5 --retry-all-errors --retry-delay 2 https://opencode.ai/install \
-      | HOME=/usr/local bash -s -- --no-modify-path; then \
+    tmp_archive="$(mktemp)"; \
+    if curl -fsSL --retry 5 --retry-all-errors --retry-delay 2 \
+      "https://github.com/anomalyco/opencode/releases/latest/download/$OPENCODE_ARCHIVE" \
+      -o "$tmp_archive" \
+      && tar -xzf "$tmp_archive" -C /usr/local/.opencode/bin opencode; then \
+      rm -f "$tmp_archive"; \
       exit 0; \
     fi; \
+    rm -f "$tmp_archive"; \
     echo "opencode install attempt \${attempt} failed; retrying..." >&2; \
     sleep $((attempt * 2)); \
   done; \
diff --git a/packages/lib/src/shell/docker-volume.ts b/packages/lib/src/shell/docker-volume.ts
@@ -6,7 +6,9 @@ import type { Effect } from "effect"
 import { runCommandWithExitCodes } from "./command-runner.js"
 import { DockerCommandError } from "./errors.js"
 
-const shellEscape = (value: string): string => `'${value.replaceAll("'", "'\\''")}'`
+const escapedSingleQuote = String.raw`'\''`
+
+const shellEscape = (value: string): string => `'${value.replaceAll("'", escapedSingleQuote)}'`
 
 export const runDockerVolumeCreate = (
   cwd: string,
@@ -31,13 +33,16 @@ export const runDockerVolumeReplaceFromDirectory = (
   volumeName: string,
   sourceDir: string
 ): Effect.Effect<void, DockerCommandError | PlatformError, CommandExecutor.CommandExecutor> => {
-  const command =
-    `tar -C ${shellEscape(sourceDir)} -cf - . | ` +
-    `docker run --rm -i -v ${shellEscape(`${volumeName}:/target`)} alpine:3.20 ` +
-    `sh -euc ${shellEscape("mkdir -p /target && find /target -mindepth 1 -maxdepth 1 -exec rm -rf -- {} + && tar -xf - -C /target")}`
+  const targetVolume = `${volumeName}:/target`
+  const replaceCommand = shellEscape(
+    "mkdir -p /target && find /target -mindepth 1 -maxdepth 1 -exec rm -rf -- {} + && tar -xf - -C /target"
+  )
+  const command = `tar -C ${shellEscape(sourceDir)} -cf - . | ` +
+    `docker run --rm -i -v ${shellEscape(targetVolume)} alpine:3.20 ` +
+    `sh -euc ${replaceCommand}`
 
   return runCommandWithExitCodes(
-    { cwd, command: "bash", args: ["-lc", command] },
+    { cwd, command: "bash", args: ["-c", command] },
     [Number(ExitCode(0))],
     (exitCode) => new DockerCommandError({ exitCode })
   )
diff --git a/packages/lib/src/usecases/shared-volume-seed.ts b/packages/lib/src/usecases/shared-volume-seed.ts
@@ -10,10 +10,7 @@ import {
   resolveProjectBootstrapVolumeName,
   type TemplateConfig
 } from "../core/domain.js"
-import {
-  runDockerVolumeCreate,
-  runDockerVolumeReplaceFromDirectory
-} from "../shell/docker-volume.js"
+import { runDockerVolumeCreate, runDockerVolumeReplaceFromDirectory } from "../shell/docker-volume.js"
 import type { DockerCommandError } from "../shell/errors.js"
 
 type SharedVolumeSeedEnvironment = CommandExecutor | FileSystem.FileSystem | Path.Path
@@ -74,63 +71,117 @@ const copyFileIfPresent = (
     yield* _(fs.copyFile(sourcePath, targetPath))
   })
 
+type BootstrapSeedConfig = Pick<
+  TemplateConfig,
+  "authorizedKeysPath" | "envGlobalPath" | "envProjectPath" | "codexAuthPath" | "codexSharedAuthPath"
+>
+
+type BootstrapSnapshotSources = {
+  readonly authorizedKeysSource: string
+  readonly envGlobalSource: string
+  readonly envProjectSource: string
+  readonly codexAuthSource: string
+  readonly codexSharedAuthSource: string
+  readonly claudeAuthSource: string
+}
+
+type BootstrapSnapshotTargets = {
+  readonly authorizedKeysTarget: string
+  readonly envGlobalTarget: string
+  readonly envProjectTarget: string
+  readonly projectCodexTarget: string
+  readonly projectClaudeTarget: string
+  readonly sharedCodexTarget: string
+}
+
+const resolveBootstrapSnapshotSources = (
+  path: Path.Path,
+  projectDir: string,
+  config: BootstrapSeedConfig
+): BootstrapSnapshotSources => {
+  const codexAuthSource = resolvePathFromBase(path, projectDir, config.codexAuthPath)
+  return {
+    authorizedKeysSource: resolvePathFromBase(path, projectDir, config.authorizedKeysPath),
+    envGlobalSource: resolvePathFromBase(path, projectDir, config.envGlobalPath),
+    envProjectSource: resolvePathFromBase(path, projectDir, config.envProjectPath),
+    codexAuthSource,
+    codexSharedAuthSource: resolvePathFromBase(path, projectDir, config.codexSharedAuthPath),
+    claudeAuthSource: path.join(path.dirname(codexAuthSource), "claude")
+  }
+}
+
+const resolveBootstrapSnapshotTargets = (
+  path: Path.Path,
+  stagingDir: string,
+  config: BootstrapSeedConfig
+): BootstrapSnapshotTargets => {
+  const authorizedKeysBase = config.authorizedKeysPath.replaceAll("\\", "/").split("/").at(-1) ?? "authorized_keys"
+  const envGlobalBase = config.envGlobalPath.replaceAll("\\", "/").split("/").at(-1) ?? "global.env"
+  const envProjectBase = config.envProjectPath.replaceAll("\\", "/").split("/").at(-1) ?? "project.env"
+
+  return {
+    authorizedKeysTarget: path.join(stagingDir, "authorized-keys", authorizedKeysBase),
+    envGlobalTarget: path.join(stagingDir, "env-global", envGlobalBase),
+    envProjectTarget: path.join(stagingDir, "env-project", envProjectBase),
+    projectCodexTarget: path.join(stagingDir, "project-auth", "codex"),
+    projectClaudeTarget: path.join(stagingDir, "project-auth", "claude"),
+    sharedCodexTarget: path.join(stagingDir, "shared-auth", "codex")
+  }
+}
+
+const ensureBootstrapSnapshotLayout = (
+  path: Path.Path,
+  fs: FileSystem.FileSystem,
+  targets: BootstrapSnapshotTargets
+): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
+  Effect.gen(function*(_) {
+    yield* _(fs.makeDirectory(path.dirname(targets.authorizedKeysTarget), { recursive: true }))
+    yield* _(fs.makeDirectory(path.dirname(targets.envGlobalTarget), { recursive: true }))
+    yield* _(fs.makeDirectory(path.dirname(targets.envProjectTarget), { recursive: true }))
+    yield* _(fs.makeDirectory(targets.projectCodexTarget, { recursive: true }))
+    yield* _(fs.makeDirectory(targets.projectClaudeTarget, { recursive: true }))
+    yield* _(fs.makeDirectory(targets.sharedCodexTarget, { recursive: true }))
+  })
+
+const copyBootstrapSnapshotFiles = (
+  fs: FileSystem.FileSystem,
+  path: Path.Path,
+  sources: BootstrapSnapshotSources,
+  targets: BootstrapSnapshotTargets
+): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
+  Effect.gen(function*(_) {
+    yield* _(copyFileIfPresent(fs, path, sources.authorizedKeysSource, targets.authorizedKeysTarget))
+    yield* _(copyFileIfPresent(fs, path, sources.envGlobalSource, targets.envGlobalTarget))
+    yield* _(copyFileIfPresent(fs, path, sources.envProjectSource, targets.envProjectTarget))
+  })
+
+const copyBootstrapSnapshotAuthDirs = (
+  fs: FileSystem.FileSystem,
+  path: Path.Path,
+  sources: BootstrapSnapshotSources,
+  targets: BootstrapSnapshotTargets
+): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
+  Effect.gen(function*(_) {
+    yield* _(copyDirRecursive(fs, path, sources.codexAuthSource, targets.projectCodexTarget))
+    yield* _(copyDirRecursive(fs, path, sources.claudeAuthSource, targets.projectClaudeTarget))
+    yield* _(copyDirRecursive(fs, path, sources.codexSharedAuthSource, targets.sharedCodexTarget))
+  })
+
 const stageBootstrapSnapshot = (
   stagingDir: string,
   projectDir: string,
-  config: Pick<
-    TemplateConfig,
-    "authorizedKeysPath" | "envGlobalPath" | "envProjectPath" | "codexAuthPath" | "codexSharedAuthPath"
-  >
+  config: BootstrapSeedConfig
 ): Effect.Effect<void, PlatformError, FileSystem.FileSystem | Path.Path> =>
   Effect.gen(function*(_) {
     const fs = yield* _(FileSystem.FileSystem)
     const path = yield* _(Path.Path)
 
-    const authorizedKeysSource = resolvePathFromBase(path, projectDir, config.authorizedKeysPath)
-    const envGlobalSource = resolvePathFromBase(path, projectDir, config.envGlobalPath)
-    const envProjectSource = resolvePathFromBase(path, projectDir, config.envProjectPath)
-    const codexAuthSource = resolvePathFromBase(path, projectDir, config.codexAuthPath)
-    const codexSharedAuthSource = resolvePathFromBase(path, projectDir, config.codexSharedAuthPath)
-    const claudeAuthSource = path.join(path.dirname(codexAuthSource), "claude")
-
-    const authorizedKeysBase = config.authorizedKeysPath.replaceAll("\\", "/").split("/").at(-1) ?? "authorized_keys"
-    const envGlobalBase = config.envGlobalPath.replaceAll("\\", "/").split("/").at(-1) ?? "global.env"
-    const envProjectBase = config.envProjectPath.replaceAll("\\", "/").split("/").at(-1) ?? "project.env"
-
-    yield* _(fs.makeDirectory(path.join(stagingDir, "authorized-keys"), { recursive: true }))
-    yield* _(fs.makeDirectory(path.join(stagingDir, "env-global"), { recursive: true }))
-    yield* _(fs.makeDirectory(path.join(stagingDir, "env-project"), { recursive: true }))
-    yield* _(fs.makeDirectory(path.join(stagingDir, "project-auth", "codex"), { recursive: true }))
-    yield* _(fs.makeDirectory(path.join(stagingDir, "project-auth", "claude"), { recursive: true }))
-    yield* _(fs.makeDirectory(path.join(stagingDir, "shared-auth", "codex"), { recursive: true }))
-
-    yield* _(
-      copyFileIfPresent(
-        fs,
-        path,
-        authorizedKeysSource,
-        path.join(stagingDir, "authorized-keys", authorizedKeysBase)
-      )
-    )
-    yield* _(
-      copyFileIfPresent(
-        fs,
-        path,
-        envGlobalSource,
-        path.join(stagingDir, "env-global", envGlobalBase)
-      )
-    )
-    yield* _(
-      copyFileIfPresent(
-        fs,
-        path,
-        envProjectSource,
-        path.join(stagingDir, "env-project", envProjectBase)
-      )
-    )
-    yield* _(copyDirRecursive(fs, path, codexAuthSource, path.join(stagingDir, "project-auth", "codex")))
-    yield* _(copyDirRecursive(fs, path, claudeAuthSource, path.join(stagingDir, "project-auth", "claude")))
-    yield* _(copyDirRecursive(fs, path, codexSharedAuthSource, path.join(stagingDir, "shared-auth", "codex")))
+    const sources = resolveBootstrapSnapshotSources(path, projectDir, config)
+    const targets = resolveBootstrapSnapshotTargets(path, stagingDir, config)
+
+    yield* _(ensureBootstrapSnapshotLayout(path, fs, targets))
+    yield* _(copyBootstrapSnapshotFiles(fs, path, sources, targets))
+    yield* _(copyBootstrapSnapshotAuthDirs(fs, path, sources, targets))
   })
 
 export const ensureProjectBootstrapVolumeReady = (
diff --git a/packages/lib/tests/usecases/create-project-open-ssh.test.ts b/packages/lib/tests/usecases/create-project-open-ssh.test.ts
@@ -106,7 +106,7 @@ const isDockerComposeUp = (cmd: RecordedCommand): boolean =>
 
 const isBootstrapSeed = (cmd: RecordedCommand): boolean =>
   cmd.command === "bash" &&
-  cmd.args[0] === "-lc" &&
+  (cmd.args[0] === "-c" || cmd.args[0] === "-lc") &&
   (cmd.args[1] ?? "").includes("docker run --rm -i -v 'dg-test-home-bootstrap:/target' alpine:3.20")
 
 const decideExitCode = (cmd: RecordedCommand): number => {
diff --git a/packages/lib/tests/usecases/projects-up.test.ts b/packages/lib/tests/usecases/projects-up.test.ts
@@ -64,7 +64,7 @@ const isDockerVolumeCreate = (cmd: RecordedCommand): boolean =>
 
 const isBootstrapSeed = (cmd: RecordedCommand): boolean =>
   cmd.command === "bash" &&
-  cmd.args[0] === "-lc" &&
+  (cmd.args[0] === "-c" || cmd.args[0] === "-lc") &&
   (cmd.args[1] ?? "").includes("docker run --rm -i -v 'dg-test-home-bootstrap:/target' alpine:3.20")
 
 const isDockerInspectBridgeIp = (cmd: RecordedCommand): boolean =>
diff --git a/scripts/e2e/_lib.sh b/scripts/e2e/_lib.sh
@@ -32,25 +32,35 @@ EOF
 dg_write_docker_host_file() {
   local host_path="$1"
   local mode="${2:-}"
+  local host_uid
+  local host_gid
 
   local host_dir
   local host_name
   host_dir="$(dirname "$host_path")"
   host_name="$(basename "$host_path")"
+  host_uid="$(id -u)"
+  host_gid="$(id -g)"
 
   if [[ -n "$mode" ]] && [[ ! "$mode" =~ ^[0-7]{3,4}$ ]]; then
     echo "e2e: invalid file mode: $mode" >&2
     return 1
   fi
 
   if [[ -n "$mode" ]]; then
-    docker run --rm -i -v "$host_dir":/mnt ubuntu:24.04 \
-      bash -lc "cat > \"/mnt/$host_name\" && chmod \"$mode\" \"/mnt/$host_name\""
+    docker run --rm -i \
+      -e HOST_UID="$host_uid" \
+      -e HOST_GID="$host_gid" \
+      -v "$host_dir":/mnt ubuntu:24.04 \
+      bash -lc "cat > \"/mnt/$host_name\" && chmod \"$mode\" \"/mnt/$host_name\" && chown \"\$HOST_UID:\$HOST_GID\" \"/mnt/$host_name\""
     return 0
   fi
 
-  docker run --rm -i -v "$host_dir":/mnt ubuntu:24.04 \
-    bash -lc "cat > \"/mnt/$host_name\""
+  docker run --rm -i \
+    -e HOST_UID="$host_uid" \
+    -e HOST_GID="$host_gid" \
+    -v "$host_dir":/mnt ubuntu:24.04 \
+    bash -lc "cat > \"/mnt/$host_name\" && chown \"\$HOST_UID:\$HOST_GID\" \"/mnt/$host_name\""
 }
 
 # Ensure the calling script can run `docker` (and therefore docker-git) in a
