fix: replace yarn wrapper with ENV vars in Containerfile#5
Merged
Conversation
There was a problem hiding this comment.
Pull request overview
This PR updates the images/code sandbox image build to rely on ENV configuration rather than a custom yarn wrapper script, aiming to make corepack/yarn work reliably under read-only sandbox filesystem policies and ensure proxy settings are inherited by subprocesses.
Changes:
- Removes the custom
/usr/local/bin/yarnwrapper in favor of corepack’s own shim. - Sets
COREPACK_HOME=/tmp/corepackto avoid read-only/usrpaths at runtime. - Bakes Yarn proxy configuration into the image via
YARN_HTTP_PROXY/YARN_HTTPS_PROXY.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
37
to
40
| RUN mkdir -p "$COREPACK_HOME" \ | ||
| && corepack enable \ | ||
| && corepack prepare yarn@stable --activate \ | ||
| && yarn --version |
Comment on lines
+30
to
+35
| # COREPACK_HOME=/tmp/corepack — writable under every sandbox policy. | ||
| # YARN_HTTP(S)_PROXY — hardcoded OpenShell proxy; inherited by all child | ||
| # processes (including git hook subprocesses), replacing the old wrapper. | ||
| ENV COREPACK_HOME=/tmp/corepack | ||
| ENV YARN_HTTP_PROXY=http://10.200.0.1:3128 | ||
| ENV YARN_HTTPS_PROXY=http://10.200.0.1:3128 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/usr/local/bin/yarnCOREPACK_HOME=/tmp/corepack— writable under every sandbox policy (fixes COREPACK_HOME points to read-only path at sandbox runtime #2)YARN_HTTP(S)_PROXY) is injected at runtime via env files, not baked into the image (related: yarn-proxy.env not sourced — YARN_HTTP_PROXY never set in sandbox #3)The old approach wrote a bash wrapper that hardcoded
COREPACK_HOMEand calledexec /usr/bin/corepack yarn. This broke because:/usr/local/share/corepackis under/usrwhich is read-only at runtimeNow corepack's own shim is the only
yarnon PATH, and everything is configured viaENV/ runtime env files.Test plan
podman build -t rhdh-fullsend-code:local -f images/code/Containerfile images/code/podman run --rm rhdh-fullsend-code:local bash -c 'echo $COREPACK_HOME'→/tmp/corepackpodman run --rm rhdh-fullsend-code:local yarn --version→ version without wrapperpodman run --rm rhdh-fullsend-code:local bash -c 'file /usr/local/bin/yarn'→ corepack shim, not script🤖 Generated with Claude Code