Gemini inside a container

Author: binarypie

.github/workflows/build-ai-dev.yml

@@ -0,0 +1,88 @@
+# Build and publish ai-dev container image
+# Triggered on changes to dot_files/ai-dev/ or manual dispatch
+# Image published to: ghcr.io/binarypie-dev/ai-dev:latest
+
+name: Build ai-dev Image
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - 'dot_files/ai-dev/**'
+      - '.github/workflows/build-ai-dev.yml'
+  pull_request:
+    paths:
+      - 'dot_files/ai-dev/**'
+      - '.github/workflows/build-ai-dev.yml'
+  workflow_dispatch:
+  schedule:
+    # Rebuild daily to get updated packages
+    - cron: '0 6 * * *'
+
+env:
+  IMAGE_NAME: ai-dev
+  IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }}
+
+jobs:
+  build:
+    runs-on: ubuntu-latest-m
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            type=sha,prefix=
+            type=ref,event=pr
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: dot_files/ai-dev
+          file: dot_files/ai-dev/Containerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      - name: Generate build summary
+        if: github.event_name != 'pull_request'
+        run: |
+          echo "## ai-dev Image Built" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "**Image:** \`${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:latest\`" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "### Usage" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
+          echo "# Run Claude Code" >> $GITHUB_STEP_SUMMARY
+          echo "podman run --rm -it --user root --security-opt label=disable \\" >> $GITHUB_STEP_SUMMARY
+          echo "  -e HOST_UID=\$(id -u) -e HOST_GID=\$(id -g) -e HOME=\$HOME \\" >> $GITHUB_STEP_SUMMARY
+          echo "  -v \"\$(pwd):\$(pwd):rw\" -w \"\$(pwd)\" \\" >> $GITHUB_STEP_SUMMARY
+          echo "  ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:latest claude" >> $GITHUB_STEP_SUMMARY
+          echo "\`\`\`" >> $GITHUB_STEP_SUMMARY

.github/workflows/build-nvim-dev.yml

@@ -1,6 +1,6 @@
 # Build and publish nvim-dev container image
 # Triggered on changes to dot_files/nvim/ or manual dispatch
-# Image published to: ghcr.io/binarypie/nvim-dev:latest
+# Image published to: ghcr.io/binarypie-dev/nvim-dev:latest
 
 name: Build nvim-dev Image
 
@@ -21,8 +21,8 @@ on:
       - '.github/workflows/build-nvim-dev.yml'
   workflow_dispatch:
   schedule:
-    # Rebuild weekly to get updated packages
-    - cron: '0 6 * * 0'
+    # Rebuild daily to get updated packages
+    - cron: '0 6 * * *'
 
 env:
   IMAGE_NAME: nvim-dev

.github/workflows/check-package-versions.yml

@@ -253,13 +253,14 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
         run: |
-          BRANCH="${{ steps.info.outputs.branch }}"
+          TITLE="${{ steps.info.outputs.title }}"
 
-          # Check for PR with this branch
-          EXISTING=$(gh pr list --head "$BRANCH" --json number --jq '.[0].number' 2>/dev/null) || EXISTING=""
+          # Check for open PR with the same title
+          EXISTING=$(gh pr list --state open --search "in:title $TITLE" --json number,title \
+            --jq ".[] | select(.title == \"$TITLE\") | .number" 2>/dev/null | head -1) || EXISTING=""
 
           if [[ -n "$EXISTING" ]]; then
-            echo "PR #$EXISTING already exists for this update group"
+            echo "PR #$EXISTING already exists with title: $TITLE"
             echo "exists=true" >> $GITHUB_OUTPUT
           else
             echo "exists=false" >> $GITHUB_OUTPUT

dot_files/ai-dev/Containerfile

@@ -0,0 +1,37 @@
+# AI Development Environment (Sandboxed Podman Container)
+# Pre-built image with Claude Code and Gemini CLI
+#
+# Build: podman build -t ai-dev .
+# Run:   podman run --rm -it --user 0:0 --security-opt label=disable \
+#          -e HOME=$HOME -v "$(pwd):$(pwd):rw" -w "$(pwd)" localhost/ai-dev
+
+FROM ghcr.io/binarypie-dev/nvim-dev:latest
+
+# =============================================================================
+# LAYER 1: Claude Code (native install)
+# =============================================================================
+USER linuxbrew
+WORKDIR /home/linuxbrew
+
+RUN curl -fsSL https://claude.ai/install.sh | bash
+
+# =============================================================================
+# LAYER 2: Gemini CLI via npm
+# =============================================================================
+RUN npm install -g @google/gemini-cli
+
+# =============================================================================
+# LAYER 3: Entrypoint script (sets PATH, execs command)
+# =============================================================================
+USER root
+COPY ai-entrypoint.sh /usr/local/bin/ai-entrypoint.sh
+RUN chmod +x /usr/local/bin/ai-entrypoint.sh
+
+# In rootless podman, --user 0:0 maps to host UID (no privilege escalation)
+ENTRYPOINT ["/usr/local/bin/ai-entrypoint.sh"]
+CMD ["bash"]
+
+# Labels for GitHub Container Registry
+LABEL org.opencontainers.image.source="https://github.com/binarypie/hypercube"
+LABEL org.opencontainers.image.description="AI development environment with Claude Code and Gemini CLI"
+LABEL org.opencontainers.image.licenses="MIT"