feat: publish GHCR images with runner base images for --agent-base-image without --build-local #395
Description
Problem
The --agent-base-image feature (#214) only works with --build-local, which requires having the gh-aw-firewall source code checked out. For users who install via the binary or npm package, this flag is silently ignored with a warning:
⚠️ --agent-base-image is only used with --build-local. Ignoring.
This makes the feature unusable for the majority of users.
Current behavior
| Installation method | --agent-base-image works? |
|---|---|
Source checkout + --build-local |
✅ Yes |
Binary (awf-linux-x64) |
❌ No (ignored) |
NPM (awf.tgz) |
❌ No (ignored) |
| GHCR images (default) | ❌ No (ignored) |
Proposed solution
Publish additional GHCR images with different base images during release:
ghcr.io/githubnext/gh-aw-firewall/agent:0.11.0 # ubuntu:22.04 (default)
ghcr.io/githubnext/gh-aw-firewall/agent:0.11.0-runner # catthehacker/ubuntu:runner-22.04
ghcr.io/githubnext/gh-aw-firewall/agent:0.11.0-full # catthehacker/ubuntu:full-22.04
Then --agent-base-image could select between these pre-built images:
# Would pull agent:0.11.0-runner instead of building locally
awf --agent-base-image runner --allow-domains github.com -- your-commandAlternative solutions
- Error instead of warn: Make
--agent-base-imagewithout--build-localan error instead of silently ignoring it - Bundle Dockerfiles: Include Dockerfiles in the binary and auto-build when custom base is requested (increases complexity)
- Document limitation clearly: Just improve docs to make the limitation obvious (not ideal UX)
Impact
- Release workflow needs to build 3x images (increases CI time significantly due to large base images)
- Storage cost increases on GHCR
- Users get the feature without needing source code
References
- Original PR: feat: add configurable agent base image for GitHub Actions runner parity #214
- Release: v0.11.0