feat(sandbox): use package config to dictate sandbox image name (#624)

package.json

@@ -30,7 +30,7 @@
     "build:server": "npm run build --workspace packages/server",
     "build:packages": "npm run build:server && npm run build:cli",
     "build:docker": "scripts/build_sandbox.sh -s",
-    "tag:docker": "docker tag gemini-code-sandbox:latest ${SANDBOX_IMAGE_REGISTRY:?SANDBOX_IMAGE_REGISTRY not set}/${SANDBOX_IMAGE_NAME:?SANDBOX_IMAGE_NAME not set}:$npm_package_version",
+    "tag:docker": "docker tag gemini-cli-sandbox ${SANDBOX_IMAGE_REGISTRY:?SANDBOX_IMAGE_REGISTRY not set}/${SANDBOX_IMAGE_NAME:?SANDBOX_IMAGE_NAME not set}:$npm_package_version",
     "prepare:cli-packagejson": "node scripts/prepare-cli-packagejson.js",
     "publish:sandbox": "scripts/publish-sandbox.sh",
     "publish:npm": "npm publish --workspaces ${NPM_PUBLISH_TAG:+--tag=$NPM_PUBLISH_TAG} ${NPM_DRY_RUN:+--dry-run}",

packages/cli/package.json

@@ -25,6 +25,9 @@
   "files": [
     "dist"
   ],
+  "config": {
+    "sandboxImageUri": "gemini-cli-sandbox"
+  },
   "dependencies": {
     "@gemini-code/server": "0.1.0",
     "diff": "^7.0.0",

packages/cli/src/utils/sandbox.ts

@@ -10,6 +10,7 @@ import path from 'node:path';
 import fs from 'node:fs';
 import { readFile } from 'node:fs/promises';
 import { quote } from 'shell-quote';
+import { readPackageUp } from 'read-package-up';
 import {
   USER_SETTINGS_DIR,
   SETTINGS_DIRECTORY_NAME,
@@ -70,6 +71,18 @@ async function shouldUseCurrentUserInSandbox(): Promise<boolean> {
   return false; // Default to false if no other condition is met
 }
 
+async function getSandboxImageName(): Promise<string> {
+  const packageJsonResult = await readPackageUp();
+  const packageJsonConfig = packageJsonResult?.packageJson.config as
+    | { sandboxImageUri?: string }
+    | undefined;
+  return (
+    process.env.GEMINI_SANDBOX_IMAGE ??
+    packageJsonConfig?.sandboxImageUri ??
+    'gemini-cli-sandbox'
+  );
+}
+
 // node.js equivalent of scripts/sandbox_command.sh
 export function sandbox_command(sandbox?: string | boolean): string {
   // note environment variable takes precedence over argument (from command line or settings)
@@ -257,7 +270,7 @@ export async function start_sandbox(sandbox: string) {
   // determine full path for gemini-code to distinguish linked vs installed setting
   const gcPath = execSync(`realpath $(which gemini)`).toString().trim();
 
-  const image = process.env.GEMINI_SANDBOX_IMAGE ?? 'gemini-code-sandbox';
+  const image = await getSandboxImageName();
   const workdir = process.cwd();
 
   // if BUILD_SANDBOX is set, then call scripts/build_sandbox.sh under gemini-code repo
@@ -362,23 +375,19 @@ export async function start_sandbox(sandbox: string) {
   }
 
   // name container after image, plus numeric suffix to avoid conflicts
-  const containerName = parseImageName(image);
+  const imageName = parseImageName(image);
   let index = 0;
   while (
     execSync(
-      `${sandbox} ps -a --format "{{.Names}}" | grep "${containerName}-${index}" || true`,
+      `${sandbox} ps -a --format "{{.Names}}" | grep "${imageName}-${index}" || true`,
     )
       .toString()
       .trim()
   ) {
     index++;
   }
-  args.push(
+  const containerName = `${imageName}-${index}`;
-    '--name',
+  args.push('--name', containerName, '--hostname', containerName);
-    `${containerName}-${index}`,
-    '--hostname',
-    `${containerName}-${index}`,
-  );
 
   // copy GEMINI_API_KEY
   if (process.env.GEMINI_API_KEY) {
@@ -437,7 +446,7 @@ export async function start_sandbox(sandbox: string) {
   }
 
   // set SANDBOX as container name
-  args.push('--env', `SANDBOX=${containerName}-${index}`);
+  args.push('--env', `SANDBOX=${containerName}`);
 
   // for podman only, use empty --authfile to skip unnecessary auth refresh overhead
   if (sandbox === 'podman') {

scripts/build_sandbox.sh

@@ -26,7 +26,7 @@ fi
 CMD=$(scripts/sandbox_command.sh)
 echo "using $CMD for sandboxing"
 
-IMAGE=gemini-cli-sandbox:latest
+IMAGE=gemini-cli-sandbox
 DOCKERFILE=Dockerfile
 
 SKIP_NPM_INSTALL_BUILD=false

scripts/prepare-cli-packagejson.js

@@ -23,10 +23,10 @@ const version = process.env.npm_package_version;
 
 // Get Docker registry and image name directly from PUBLISH_ environment variables.
 // These are expected to be set by the CI/build environment.
-const dockerRegistry = process.env.SANDBOX_IMAGE_REGISTRY;
+const containerImageRegistry = process.env.SANDBOX_IMAGE_REGISTRY;
-const dockerImageName = process.env.SANDBOX_IMAGE_NAME;
+const containerImageName = process.env.SANDBOX_IMAGE_NAME;
 
-if (!version || !dockerRegistry || !dockerImageName) {
+if (!version || !containerImageRegistry || !containerImageName) {
   console.error(
     'Error: Missing required environment variables. Need: ' +
       'npm_package_version, SANDBOX_IMAGE_REGISTRY, and SANDBOX_IMAGE_NAME.',
@@ -38,15 +38,13 @@ if (!version || !dockerRegistry || !dockerImageName) {
   process.exit(1);
 }
 
-const dockerImageUri = `${dockerRegistry}/${dockerImageName}:${version}`;
+const containerImageUri = `${containerImageRegistry}/${containerImageName}:${version}`;
 
 // Add or update fields in cliPackageJson.config to store this information
 if (!cliPackageJson.config) {
   cliPackageJson.config = {};
 }
-cliPackageJson.config.dockerImageUri = dockerImageUri;
+cliPackageJson.config.sandboxImageUri = containerImageUri;
-cliPackageJson.config.dockerRegistry = dockerRegistry;
-cliPackageJson.config.dockerImageName = dockerImageName;
 
 // Remove 'prepublishOnly' from scripts if it exists
 if (cliPackageJson.scripts && cliPackageJson.scripts.prepublishOnly) {
@@ -61,6 +59,6 @@ fs.writeFileSync(
 console.log(
   `Updated ${path.relative(process.cwd(), cliPackageJsonPath)} with Docker image details:`,
 );
-console.log(`  URI: ${dockerImageUri}`);
+console.log(`  URI: ${containerImageUri}`);
-console.log(`  Registry: ${dockerRegistry}`);
+console.log(`  Registry: ${containerImageRegistry}`);
-console.log(`  Image Name: ${dockerImageName}`);
+console.log(`  Image Name: ${containerImageName}`);