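# syntax=docker/dockerfile:1
#
# Multi-stage so the private-module credentials (used to fetch the majordomo
# dependency) are supplied ONLY to the build stage via BuildKit secrets and
# never land in the final image. Mirrors mort's Dockerfile secret idiom.
#
# The secret mounts themselves are never written to a layer. The
# `git config --global` rewrite below, however, embeds user:password in
# ~/.gitconfig, and that file becomes part of the RUN's layer unless it is
# removed before the step ends. Every RUN that needs the credentials therefore
# deletes the file as its last command, so the build-stage layers (local build
# cache, an exported cache, or a pushed `build` target) do not carry them.
FROM golang:1.26 AS build

ARG GIT_HOST=gitea.stevedudenhoeffer.com

# GOSUMDB=off disables checksum-database lookups for every module, not only the
# private host (GOPRIVATE/GONOSUMDB already exempt that one). Entries already
# in go.sum are still checked; anything newly resolved under -mod=mod is
# trusted on first use.
ENV CGO_ENABLED=0 \
    GOFLAGS=-mod=mod \
    GOSUMDB=off \
    GOTOOLCHAIN=auto
ENV GOPRIVATE=${GIT_HOST}/* GONOSUMDB=${GIT_HOST}/*

WORKDIR /src

# Manifests first so the module-download layer is reused until they change.
COPY go.mod go.sum ./

# Credentials are written to ~/.gitconfig only for the duration of this step.
# If `go mod download` fails the step fails and no layer is committed, so the
# file cannot leak through a half-finished RUN either.
RUN --mount=type=secret,id=REGISTRY_USER \
    --mount=type=secret,id=REGISTRY_PASSWORD \
    --mount=type=cache,target=/go/pkg/mod \
    git config --global url."https://$(cat /run/secrets/REGISTRY_USER):$(cat /run/secrets/REGISTRY_PASSWORD)@${GIT_HOST}/".insteadOf "https://${GIT_HOST}/" \
    && go mod download \
    && rm -f "${HOME}/.gitconfig"

# NOTE(review): this copies the whole build context; confirm a .dockerignore
# keeps .git, local .env files and similar out of it.
COPY . .

# The secrets are mounted again because the previous step no longer leaves
# credentials behind: with -mod=mod and a cold /go/pkg/mod cache mount the
# build may need to fetch the private module itself.
RUN --mount=type=secret,id=REGISTRY_USER \
    --mount=type=secret,id=REGISTRY_PASSWORD \
    --mount=type=cache,target=/go/pkg/mod \
    --mount=type=cache,target=/root/.cache/go-build \
    git config --global url."https://$(cat /run/secrets/REGISTRY_USER):$(cat /run/secrets/REGISTRY_PASSWORD)@${GIT_HOST}/".insteadOf "https://${GIT_HOST}/" \
    && go build -trimpath -ldflags="-s -w" -o /out/gadfly ./cmd/gadfly \
    && rm -f "${HOME}/.gitconfig"

FROM alpine:3.20

RUN apk add --no-cache \
      bash \
      ca-certificates \
      curl \
      git \
      jq \
      nodejs \
      npm

# Bundle the Claude Code CLI so the `claude-code` review engine works out of the
# box (GADFLY_MODELS=claude-code or claude-code/). This adds Node + the
# CLI to the image (notably larger); ollama-only users pay the size but nothing
# else. Auth is provided at runtime via CLAUDE_CODE_OAUTH_TOKEN / ANTHROPIC_API_KEY.
#
# The CLI is handed those credentials at runtime, so which release gets baked
# in matters. The default keeps the previous behaviour (whatever the registry
# currently serves); pass --build-arg CLAUDE_CODE_VERSION=<exact version> to
# make the image reproducible and to review upgrades deliberately.
ARG CLAUDE_CODE_VERSION=latest
RUN npm install -g "@anthropic-ai/claude-code@${CLAUDE_CODE_VERSION}" && npm cache clean --force

COPY --from=build /out/gadfly /usr/local/bin/gadfly
COPY scripts /app/scripts
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh /app/scripts/run.sh /app/scripts/status-board.sh /usr/local/bin/gadfly

# NOTE(review): no USER is set, so the entrypoint and everything it launches
# run as root. Confirm whether the runtime needs that before adding a
# dedicated non-root user.
ENTRYPOINT ["/entrypoint.sh"]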