From bcf240f6e623cb78564cb99f2dfcdcbb51fe6902 Mon Sep 17 00:00:00 2001
From: Marcel Hild
Date: Wed, 10 Jun 2026 11:05:46 +0200
Subject: [PATCH] fix: replace yarn wrapper with ENV vars in Containerfile

- Remove custom yarn wrapper script that overwrote corepack's shim
- Set COREPACK_HOME=/tmp/corepack (writable under every sandbox policy)
- Add YARN_HTTP_PROXY/YARN_HTTPS_PROXY for OpenShell proxy
Fixes #1, fixes #2, fixes #3.
Co-Authored-By: Claude Opus 4.6
---
 images/code/Containerfile | 29 +++++++++++------------------
 1 file changed, 11 insertions(+), 18 deletions(-)

diff --git a/images/code/Containerfile b/images/code/Containerfile
index 5b2a2d4..54232ec 100644
--- a/images/code/Containerfile
+++ b/images/code/Containerfile
@@ -7,8 +7,7 @@
 # - Node.js is already in the base image (installed by Claude Code)
 #
 # Yarn is available on PATH immediately — no runtime corepack setup needed.
-# DNS proxy config is handled by env/yarn-proxy.env (maps OpenShell's
-# HTTP_PROXY to YARN_HTTP_PROXY).
+# Proxy config is baked into the image via YARN_HTTP(S)_PROXY env vars.
 #
 # Build (native arch):
 # podman build -t rhdh-fullsend-code:local \
@@ -24,26 +23,20 @@ FROM ${BASE_IMAGE}
 USER root

 # ---------------------------------------------------------------------------
-# corepack + yarn — the sandbox filesystem policy makes /usr read-only,
-# so `corepack enable` fails at runtime. Pre-enable it here and
-# pre-download yarn so agents get yarn on PATH with zero startup cost.
+# corepack + yarn — pre-enable corepack and pre-download yarn so agents
+# get yarn on PATH with zero startup cost. corepack's own shim lands in
+# /usr/local/bin and is the only yarn binary — no wrapper script needed.
 #
-# COREPACK_HOME is set to a writable location that persists across
-# the sandbox session. The shim symlinks land in /usr/local/bin
-# (writable during build, read-only at runtime — which is fine,
-# they're already there).
-ENV COREPACK_HOME=/usr/local/share/corepack
+# COREPACK_HOME=/tmp/corepack — writable under every sandbox policy.
+# YARN_HTTP(S)_PROXY — hardcoded OpenShell proxy; inherited by all child
+# processes (including git hook subprocesses), replacing the old wrapper.
+ENV COREPACK_HOME=/tmp/corepack
+ENV YARN_HTTP_PROXY=http://10.200.0.1:3128
+ENV YARN_HTTPS_PROXY=http://10.200.0.1:3128
+
 RUN mkdir -p "$COREPACK_HOME" \
 && corepack enable \
 && corepack prepare yarn@stable --activate \
 && yarn --version

-# ---------------------------------------------------------------------------
-# Wrapper for git hooks (husky) — hooks run in subprocesses without
-# the agent's PATH modifications. This wrapper in /usr/local/bin
-# (on default PATH) ensures `yarn lint-staged` etc. work.
-RUN printf '#!/bin/bash\nexport COREPACK_HOME=/usr/local/share/corepack\nexec /usr/bin/corepack yarn "$@"\n' \
- > /usr/local/bin/yarn \
- && chmod +x /usr/local/bin/yarn
-
 USER sandbox
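Review bot: `ENV COREPACK_HOME=/tmp/corepack` moves the yarn release that corepack executes into /tmp, and the `RUN mkdir -p "$COREPACK_HOME" … corepack prepare yarn@stable --activate` step fills it while `USER root` is still in effect, with no ownership or mode set afterwards. If the sandbox mounts its own /tmp at runtime (not visible from this hunk), the prepared copy is hidden and corepack would presumably have to fetch `yarn@stable` again on first use, which contradicts the "zero startup cost" comment. If /tmp is kept and is writable to the `sandbox` user, the code behind every `yarn` call, including the git hook subprocesses the new comment mentions, is loaded from a path the agent can modify. I would make the intended ownership explicit in the RUN step and record the trade-off next to the ENV line, e.g. `# /tmp/corepack is filled at build time as root; a runtime mount over /tmp hides it and corepack re-downloads yarn`. The two proxy lines also fix `http://10.200.0.1:3128` into the image; an `ARG` carrying that default and feeding both `ENV` lines would keep the address overridable per deployment.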