jcarr
/
gemini-cli
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

seamless sandboxing (just set GEMINI_CODE_SANDBOX=true in .env) (#76)

This commit is contained in:
Olcan 2025-04-21 07:50:18 -07:00 committed by GitHub
parent bfb064024e
commit 39bdedab9c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 89 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
package.json
View File

@ -7,8 +7,8 @@
"packages/*" "packages/*"
], ],
"scripts": { "scripts": {
"build": "npm run build --workspaces", "build": "scripts/build.sh",
"clean": "rm -rf node_modules && npm run clean --workspaces", "clean": "scripts/clean.sh",
"test": "npm run test --workspaces", "test": "npm run test --workspaces",
"start": "scripts/start.sh", "start": "scripts/start.sh",
"debug": "scripts/debug.sh", "debug": "scripts/debug.sh",

16
scripts/build.sh Executable file
View File

@ -0,0 +1,16 @@
#!/bin/bash
set -euo pipefail
# npm install if node_modules was removed (e.g. via npm run clean or scripts/clean.sh)
if [ ! -d "node_modules" ]; then
npm install
fi
# build all workspaces/packages
npm run build --workspaces
# also build container image if GEMINI_CODE_SANDBOX is set (can be in .env file)
# skip (-s) npm install + build since we did that above
if [[ "${GEMINI_CODE_SANDBOX:-}" =~ ^(1|true)$ ]] || grep -qiE '^GEMINI_CODE_SANDBOX *= *(1|true)' .env; then
scripts/build_sandbox.sh -s
fi

23
scripts/build_container.sh
View File

@ -1,23 +0,0 @@
#!/bin/bash
set -euo pipefail
IMAGE=gemini-code-sandbox
# use docker if installed, otherwise try to use podman instead
if command -v docker &> /dev/null; then
CMD=docker
elif command -v podman &> /dev/null; then
CMD=podman
else
echo "ERROR: docker or podman must be installed"
exit 1
fi
npm install
npm run build
rm -f packages/cli/dist/gemini-code-cli-*.tgz
npm pack -w @gemini-code/cli --pack-destination ./packages/cli/dist
rm -f packages/server/dist/gemini-code-server-*.tgz
npm pack -w @gemini-code/server --pack-destination ./packages/server/dist
$CMD build -t "$IMAGE" .

51
scripts/build_sandbox.sh Executable file
View File

@ -0,0 +1,51 @@
#!/bin/bash
set -euo pipefail
IMAGE=gemini-code-sandbox
SKIP_NPM_INSTALL_BUILD=false
while getopts "s" opt; do
case ${opt} in
s) SKIP_NPM_INSTALL_BUILD=true ;;
\?)
echo "usage: $(basename "$0") [-s]"
echo " -s: skip npm install + npm run build"
exit 1
;;
esac
done
shift $((OPTIND - 1))
# use docker if installed, otherwise try to use podman instead
if command -v docker &> /dev/null; then
CMD=docker
elif command -v podman &> /dev/null; then
CMD=podman
else
echo "ERROR: missing docker or podman for sandboxing"
exit 1
fi
echo "using $CMD for sandboxing"
# npm install + npm run build unless skipping via -s option
if [ "$SKIP_NPM_INSTALL_BUILD" = false ]; then
npm install
npm run build
fi
# pack cli
echo "packing @gemini-code/cli ..."
rm -f packages/cli/dist/gemini-code-cli-*.tgz
npm pack -w @gemini-code/cli --pack-destination ./packages/cli/dist &> /dev/null
# pack server
echo "packing @gemini-code/server ..."
rm -f packages/server/dist/gemini-code-server-*.tgz
npm pack -w @gemini-code/server --pack-destination ./packages/server/dist &> /dev/null
# build container image & prune older unused images
# use empty --authfile to skip unnecessary auth refresh overhead
echo "building $IMAGE ... (can be slow first time)"
$CMD build --authfile <(echo '{}') -t "$IMAGE" . >/dev/null
$CMD image prune -f
echo "built $IMAGE"

6
scripts/clean.sh Executable file
View File

@ -0,0 +1,6 @@
#!/bin/bash
set -euo pipefail
# remove npm install/build artifacts
rm -rf node_modules
npm run clean --workspaces

11
scripts/start.sh
View File

@ -1,5 +1,14 @@
#!/bin/bash #!/bin/bash
set -euo pipefail set -euo pipefail
# check build status, write warnings to file for app to display if needed
node ./scripts/check-build-status.js node ./scripts/check-build-status.js
node node_modules/@gemini-code/cli "$@"
# if GEMINI_CODE_SANDBOX is set (can be in .env file), start in sandbox container
if [[ "${GEMINI_CODE_SANDBOX:-}" =~ ^(1|true)$ ]] || grep -qiE '^GEMINI_CODE_SANDBOX *= *(1|true)' .env; then
echo "Running in sandbox container ..."
scripts/start_sandbox.sh "$@"
else
echo "WARNING: running outside of sandbox. Set GEMINI_CODE_SANDBOX to enable sandbox."
node node_modules/@gemini-code/cli "$@"
fi

6
scripts/start_container.sh → scripts/start_sandbox.sh
View File

@ -11,8 +11,10 @@ if command -v docker &> /dev/null; then
elif command -v podman &> /dev/null; then elif command -v podman &> /dev/null; then
CMD=podman CMD=podman
else else
echo "ERROR: docker or podman must be installed" echo "ERROR: missing docker or podman for sandboxing"
exit 1 exit 1
fi fi
$CMD run -it --rm -v"$PWD:$WORKDIR" --workdir "$WORKDIR" "$IMAGE" node "$CLI_DIST" # run gemini-code in sandbox container
# use empty --authfile to skip unnecessary auth refresh overhead
$CMD run -it --rm --authfile <(echo '{}') -v"$PWD:$WORKDIR" --workdir "$WORKDIR" "$IMAGE" node "$CLI_DIST"