justin/safeclaude
Public Access
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

migrate to the new tiered structure

Browse Source
This commit is contained in:
Justin
2026-06-20 10:18:18 -04:00
parent 535c837dd3
commit 4b3df1ddae
17 changed files with 495 additions and 224 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
Dockerfile.base Normal file
View File

@ -0,0 +1,46 @@
# safeclaude-base — the shared base every project builds on. Keep this generic:
# project-specific packages and language versions go in each project's own
# .safeclaude/Dockerfile (which starts with `FROM safeclaude-base`), not here.
#
# This image runs as root so project Dockerfiles can install system packages
# freely. Don't worry — the launcher locks things down at run time (normal user,
# no special privileges), so nothing Claude does actually runs as root.
FROM node:22-slim
# Just the basics every project needs:
# - curl/ca-certificates: for downloads (the Claude installer, git-spice)
# - git + ripgrep: required by Claude Code
RUN apt-get update && apt-get install -y --no-install-recommends \
curl \
ca-certificates \
git \
ripgrep \
bash \
&& rm -rf /var/lib/apt/lists/*
# --- git-spice (a tool for stacked pull requests, handy in the Claude workflow) ---
# Releases are named git-spice.Linux-<arch>.tar.gz, and `uname -m` gives the arch.
RUN ARCH=$(uname -m) && \
GS_VERSION=$(curl -fsSL https://api.github.com/repos/abhinav/git-spice/releases/latest \
| grep '"tag_name"' | sed 's/.*"v\([^"]*\)".*/\1/') && \
mkdir -p /tmp/gs-install && \
curl -fsSL "https://github.com/abhinav/git-spice/releases/download/v${GS_VERSION}/git-spice.Linux-${ARCH}.tar.gz" \
| tar -xz -C /tmp/gs-install && \
find /tmp/gs-install -maxdepth 1 -type f -executable -exec cp {} /usr/local/bin/gs \; && \
chmod +x /usr/local/bin/gs && \
rm -rf /tmp/gs-install
# --- the user Claude runs as ---
# We create this user so the home folder is owned by the same ID the launcher
# runs as. Without it, the container couldn't write to its own home.
RUN useradd -m -s /bin/bash -u 1001 coder
# Claude installs itself into one of these folders, so add them to PATH.
ENV PATH="/home/coder/.local/bin:/home/coder/.claude/bin:$PATH"
COPY --chmod=755 entrypoint.sh /usr/local/bin/entrypoint.sh
WORKDIR /code
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["bash"]