spoon/docker/agent-worker.Dockerfile

FROM docker.io/oven/bun:1.3.10

ARG SPOON_BUILD_SHA=development
ARG SPOON_BUILD_CREATED_AT=unknown

ENV SPOON_BUILD_SHA=${SPOON_BUILD_SHA}
ENV SPOON_BUILD_CREATED_AT=${SPOON_BUILD_CREATED_AT}

RUN apt-get update \
  && apt-get install -y --no-install-recommends \
    bash \
    ca-certificates \
    curl \
    git \
    jq \
    openssh-client \
  && rm -rf /var/lib/apt/lists/*

# Docker CLI client only — the daemon is the host's, reached via the bind-mounted
# /var/run/docker.sock. The Debian `docker.io` package does NOT install the
# client under `--no-install-recommends` (trixie split it into `docker-cli`),
# which left the worker with no `docker` binary and silently broke every job.
# Install the official static client pinned to the host daemon's version.
ARG DOCKER_CLI_VERSION=29.5.3
RUN arch="$(uname -m)" \
  && curl -fsSL "https://download.docker.com/linux/static/stable/${arch}/docker-${DOCKER_CLI_VERSION}.tgz" -o /tmp/docker.tgz \
  && tar -xzf /tmp/docker.tgz -C /tmp \
  && install -m0755 /tmp/docker/docker /usr/local/bin/docker \
  && rm -rf /tmp/docker /tmp/docker.tgz \
  && docker --version

WORKDIR /app

COPY package.json bun.lock* turbo.json ./
COPY apps ./apps
COPY packages ./packages
COPY tools ./tools
COPY scripts ./scripts

RUN bun install --frozen-lockfile

CMD ["bun", "apps/agent-worker/src/index.ts"]