Skip to content

fix(docker): 加固镜像构建与 Compose 配置安全性#256

Closed
jlovec wants to merge 1 commit into
tiann:mainfrom
jlovec:contrib/docker-security-compose-pr
Closed

fix(docker): 加固镜像构建与 Compose 配置安全性#256
jlovec wants to merge 1 commit into
tiann:mainfrom
jlovec:contrib/docker-security-compose-pr

Conversation

@jlovec

@jlovec jlovec commented Mar 6, 2026

Copy link
Copy Markdown
Contributor

背景

原 Docker 相关改动与其它主题混在同一条 PR 线上,并且审查中指出:

  • bun.lock 中存在 http tarball 源带来的明文传输风险。
  • Compose 对 ~/.claude 的路径展开依赖不稳定,可能导致挂载失效。

变更说明

  • 将 lockfile 相关依赖源统一为 https
  • Compose 挂载改为要求显式 CLAUDE_CONFIG_DIR,避免 ~ 展开歧义。
  • 同步纳入 Docker/CI 相关文件,形成可复现构建链路。

影响范围

  • 影响 Docker 镜像构建与本地 compose 启动配置。
  • 不影响核心业务逻辑。

验证

  • 构建验证:镜像构建流程可执行。
  • 配置验证:在显式设置 CLAUDE_CONFIG_DIR 后挂载行为稳定。

Introduce hub/cli Docker assets and CI image workflow, then address PR tiann#247 findings by switching bun.lock mirror tarball URLs to HTTPS and requiring explicit CLAUDE_CONFIG_DIR in compose (no '~' expansion assumption). This keeps docker builds reproducible while avoiding cleartext lockfile sources and ambiguous host mount behavior.
Comment thread bun.lock
@@ -224,1373 +224,1375 @@
},
},
"packages": {
"@adobe/css-tools": ["@adobe/css-tools@4.4.4", "", {}, "sha512-Elp+iwUx5rN5+Y8xLt5/GRoG20WGoDCQ/1Fb+1LiGtvwbDavuSk0jhD/eZdckHAuzcDzccnkv+rEjyWfRx18gg=="],
"@adobe/css-tools": ["@adobe/css-tools@4.4.4", "https://mirrors.cloud.tencent.com/npm/@adobe/css-tools/-/css-tools-4.4.4.tgz", {}, "sha512-Elp+iwUx5rN5+Y8xLt5/GRoG20WGoDCQ/1Fb+1LiGtvwbDavuSk0jhD/eZdckHAuzcDzccnkv+rEjyWfRx18gg=="],

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MAJOR] [Supply-chain] Lockfile 绑定第三方镜像

Why this is a problem: 当前把所有 tarball URL 改成 mirrors.cloud.tencent.com,这不是默认/已文档化的 registry,可能在部分环境不可达,并扩大供应链信任面。

Suggested fix:

"@adobe/css-tools": ["@adobe/css-tools@4.4.4", "", {}, "sha512-Elp+iwUx5rN5+Y8xLt5/GRoG20WGoDCQ/1Fb+1LiGtvwbDavuSk0jhD/eZdckHAuzcDzccnkv+rEjyWfRx18gg=="],

Comment thread Dockerfile.cli

# Claude Code binary required by hapi CLI runtime
RUN bun add -g @anthropic-ai/claude-code \
&& ln -sf /root/.bun/bin/claude /usr/local/bin/claude

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MAJOR] [Reproducibility] 全局安装未锁版本

Why this is a problem: bun add -g @anthropic-ai/claude-code 每次构建拉取最新版本,导致相同提交生成不同镜像,供应链漂移。

Suggested fix:

ARG CLAUDE_CODE_VERSION=<PINNED_VERSION>
RUN bun add -g @anthropic-ai/claude-code@${CLAUDE_CODE_VERSION} \
    && ln -sf /root/.bun/bin/claude /usr/local/bin/claude

Comment thread README.md

```bash
cp .env.example .env
# Set CLI_API_TOKEN and CLAUDE_CONFIG_DIR in .env first

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MINOR] [Docs] .env.example 引用但仓库不存在

Why this is a problem: README 的 cp .env.example .env 会失败;.env.example Not found in repo/docs。

Suggested fix:

CLI_API_TOKEN=change-me
CLAUDE_CONFIG_DIR=/absolute/path/to/.claude

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Findings

  • [Major] Lockfile 强制第三方镜像,供应链信任面扩大、部分环境不可达风险,证据 bun.lock:227.
    Suggested fix:
    "@adobe/css-tools": ["@adobe/css-tools@4.4.4", "", {}, "sha512-Elp+iwUx5rN5+Y8xLt5/GRoG20WGoDCQ/1Fb+1LiGtvwbDavuSk0jhD/eZdckHAuzcDzccnkv+rEjyWfRx18gg=="],
  • [Major] Dockerfile CLI 全局安装未锁版本,可重复构建与供应链漂移,证据 Dockerfile.cli:21.
    Suggested fix:
    ARG CLAUDE_CODE_VERSION=<PINNED_VERSION>
    RUN bun add -g @anthropic-ai/claude-code@${CLAUDE_CODE_VERSION} \
        && ln -sf /root/.bun/bin/claude /usr/local/bin/claude
  • [Minor] README 引用 .env.example 但仓库无此文件,步骤会失败;.env.example Not found in repo/docs,证据 README.md:39-41.
    Suggested fix:
    CLI_API_TOKEN=change-me
    CLAUDE_CONFIG_DIR=/absolute/path/to/.claude

Summary

  • 3 issues: 供应链镜像硬编码、Docker 构建不可重复、文档示例缺失.

Testing

  • Not run (automation). 建议: docker build -f Dockerfile.hub ., docker build -f Dockerfile.cli ., docker compose up -d hub cli-runner.

HAPI Bot

@jlovec jlovec closed this Mar 6, 2026
@jlovec jlovec deleted the contrib/docker-security-compose-pr branch March 8, 2026 04:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant