Skip to content

ci: build base template via e2b CLI in addition to DockerHub push #1401

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mishushakov wants to merge 6 commits into
base: main
Choose a base branch
from
+60 −21
Open

ci: build base template via e2b CLI in addition to DockerHub push #1401

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
8ef1cd6
ci: build base template via e2b CLI in addition to DockerHub push
mishushakov Jun 8, 2026
ee86f02
ci: build e2b CLI from source for template build
mishushakov Jun 8, 2026
7f29aeb
ci: extract CLI build into shared composite action
mishushakov Jun 8, 2026
5d9204c
Merge branch 'main' into mishushakov/saskatoon-v1
mishushakov Jun 8, 2026
d7a7776
ci: drop E2B_ACCESS_TOKEN from template build
mishushakov Jun 8, 2026
fbe6304
ci: drop redundant SDK build from build-cli action
mishushakov Jun 9, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 41 additions & 0 deletions .github/actions/build-cli/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,41 @@
name: 'Build and install E2B CLI'
description: >-
Builds the e2b CLI from source in this repo and installs it globally so the
`e2b` command is available on PATH. Assumes the repository has already been
checked out.

runs:
using: 'composite'
steps:
- name: Parse .tool-versions
uses: wistia/parse-tool-versions@v2.1.1
with:
filename: '.tool-versions'

@cursor cursor Bot Jun 8, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Agentic Security Review
Severity: HIGH

This workflow executes wistia/parse-tool-versions@v2.1.1 by mutable tag inside a job that later uses E2B publishing credentials. Tag retarget or upstream compromise would allow attacker-controlled code to run in CI and steal those credentials.

Impact: A supply-chain compromise of the action can lead to unauthorized template publication/API usage via exfiltrated secrets.

Fix in Cursor Fix in Web

Reviewed by Cursor Security Reviewer for commit 7f29aeb. Configure here.

uppercase: 'true'
prefix: 'tool_version_'

- name: Install pnpm
uses: pnpm/action-setup@v4
with:
version: '${{ env.TOOL_VERSION_PNPM }}'

- name: Setup Node
uses: actions/setup-node@v3
with:
node-version: '${{ env.TOOL_VERSION_NODEJS }}'
cache: pnpm
cache-dependency-path: pnpm-lock.yaml

- name: Install dependencies
shell: bash
run: pnpm install --frozen-lockfile

- name: Build the CLI
shell: bash
run: pnpm build
working-directory: ./packages/cli

- name: Install the CLI globally
shell: bash
run: npm install -g .
working-directory: ./packages/cli
20 changes: 18 additions & 2 deletions .github/workflows/templates.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,12 +12,12 @@ permissions:
contents: read

jobs:
buildAndPublish:
buildAndPushImage:
Comment thread
mishushakov marked this conversation as resolved.
defaults:
run:
working-directory: ./templates/base

name: Build and Push Images
name: Build and Push Image to DockerHub
runs-on: ubuntu-22.04
steps:
- name: Checkout repository
Expand All @@ -39,3 +39,19 @@ jobs:
--platform linux/amd64,linux/arm64 \
--push \
--tag ${{ secrets.DOCKERHUB_USERNAME }}/base:latest .

buildTemplate:
name: Build and Publish E2B Template
runs-on: ubuntu-22.04
env:
E2B_API_KEY: ${{ secrets.E2B_API_KEY }}
steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Build and install E2B CLI
uses: ./.github/actions/build-cli

- name: Build and publish base template
working-directory: ./templates/base
run: e2b template create base --memory-mb 512

@cursor cursor Bot Jun 8, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Agentic Security Review
Severity: HIGH

E2B_API_KEY and E2B_ACCESS_TOKEN are defined at job scope, so every step in buildTemplate (including checkout and CLI build/install steps) receives publishing credentials. This broadens the blast radius of any compromised action/dependency script before publish executes.

Impact: CI supply-chain compromise in an earlier step can exfiltrate template-publishing credentials and enable unauthorized template publication/API actions.

Fix in Cursor Fix in Web

Reviewed by Cursor Security Reviewer for commit 7f29aeb. Configure here.

3 changes: 1 addition & 2 deletions templates/base/e2b.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,8 +7,7 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt-get install -y \
gh; \
rm -rf /var/lib/apt/lists/*

RUN groupadd --gid 1000 node \
&& useradd --uid 1000 --gid node --shell /bin/bash --create-home node
RUN groupadd -r node && useradd -r -g node -s /bin/bash -m node

ENV NODE_VERSION=20.9.0

Expand Down
17 changes: 0 additions & 17 deletions templates/base/e2b.toml
View file
Open in desktop

This file was deleted.

Loading