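# syntax=docker/dockerfile:1.6
#
# Multi-stage build for the Linear coding agent.
#
# builder : installs full deps, compiles TypeScript -> dist/
# runtime : minimal image with git, gh, jq, tini, the compiled app, the
#           shipped hook scripts, and the orbcode CLI on PATH.
#
# Required env vars (passed via docker-compose env_file - never via ENV/ARG,
# so they do not end up in an image layer or in `docker history`):
#   MATTERAI_API_KEY      - used by orbcode; without it the agent cannot run
#   LINEAR_API_KEY        - used by the agent to talk to Linear
#   LINEAR_WEBHOOK_SECRET - used to verify Linear webhook signatures
#   GITHUB_TOKEN          - used for clone/push and `gh pr create`

# ---- Build stage -----------------------------------------------------------
FROM node:20-slim AS builder
WORKDIR /app

# Install all deps (devDependencies included - the TypeScript build needs them).
# `npm ci` requires package-lock.json; the glob only keeps COPY from failing
# when the lockfile is missing, the install itself will then fail loudly.
COPY package.json package-lock.json* ./
RUN npm ci

# Build TypeScript -> dist/. Only dist/ leaves this stage (see the COPY
# --from=builder below), so node_modules is not pruned here - the runtime
# stage does its own lockfile-driven production install.
COPY tsconfig.json ./
COPY src ./src
RUN npm run build

# ---- Runtime stage ---------------------------------------------------------
FROM node:20-slim AS runtime
WORKDIR /app

ENV NODE_ENV=production \
    PORT=3000 \
    DATA_DIR=/data \
    WORKTREE_DIR=/data/worktrees

# System packages the agent needs at runtime (sorted for diffability):
#   ca-certificates - TLS trust for curl, git and gh
#   curl            - fetches the GitHub CLI apt signing key below
#   git             - clone/branch/commit/push
#   gnupg           - not used by the keyring install below (apt verifies
#                     signed-by keyrings with its own gpgv); kept in case a
#                     hook script calls gpg - TODO confirm and drop if unused
#   jq              - the hook scripts parse JSON with it
#   tini            - tiny init so node is not PID 1: reaps orphaned children
#                     of the git/gh/orbcode processes the agent spawns and
#                     forwards SIGTERM on `docker stop`
RUN apt-get update && apt-get install -y --no-install-recommends \
      ca-certificates \
      curl \
      git \
      gnupg \
      jq \
      tini \
    && rm -rf /var/lib/apt/lists/*

# Install the GitHub CLI from the official apt repo.
# The keyring is written with `curl -o` instead of being piped through dd:
# under `set -e` a pipeline only reports the last command's status, so a
# failed download would otherwise be masked (sh has no pipefail). apt then
# checks every gh package against that keyring via signed-by.
RUN set -eux; \
    install -d -m 0755 /usr/share/keyrings; \
    curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
      -o /usr/share/keyrings/githubcli-archive-keyring.gpg; \
    chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg; \
    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
      > /etc/apt/sources.list.d/github-cli.list; \
    apt-get update; \
    apt-get install -y --no-install-recommends gh; \
    rm -rf /var/lib/apt/lists/*; \
    gh --version

# Production deps only, installed from the lockfile in this stage so the
# runtime image never contains the builder's devDependencies.
COPY package.json package-lock.json* ./
RUN npm ci --omit=dev && npm cache clean --force

# Install the orbcode CLI globally. This is what the agent spawns; it reads
# MATTERAI_API_KEY from the inherited environment at run time (the key is
# never present during the build).
# ORBCODE_VERSION defaults to the npm dist-tag `latest`, which is what a bare
# install resolves to but is not reproducible - pin a release for production
# builds: docker build --build-arg ORBCODE_VERSION=<version> .
# Declared late so changing it does not invalidate the layers above.
ARG ORBCODE_VERSION=latest
RUN npm install -g "@matterailab/orbcode@${ORBCODE_VERSION}" && orbcode --version

# Copy the compiled app from the builder.
COPY --from=builder --chown=node:node /app/dist ./dist

# Ship the hook scripts and make them executable. The runner resolves them
# via $LINEAR_AGENT_*_HOOK env vars pointing at /app/hooks/*.
COPY --chown=node:node hooks ./hooks
RUN chmod +x /app/hooks/*.sh

# /data is the persistent volume mount target - create it now so the
# non-root user can write to it from the first request.
RUN mkdir -p /data/worktrees && chown -R node:node /data

# Drop privileges. The node image ships a non-root `node` user (uid 1000).
USER node

# Unprivileged port, so binding works without extra capabilities as `node`.
EXPOSE 3000

# Health check against the agent's /health endpoint. Uses node's built-in
# fetch (Node 18+) so the probe does not depend on curl being present.
# A hung request is cut off by --timeout.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
    CMD node -e "fetch('http://localhost:'+process.env.PORT+'/health').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"

# tini is PID 1 and execs the command; CMD stays overridable at `docker run`.
ENTRYPOINT ["/usr/bin/tini", "--"]
CMD ["node", "dist/index.js"]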