Created
March 13, 2026 20:03
docker sandbox for bazel
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
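# Sandbox image that adds Bazel (via bazelisk) to the claude-code template and
# prepares a Bazel-private JVM truststore for the sandbox's TLS proxy CA.
#
# NOTE(review): the base image is referenced by a mutable tag. Pinning it by
# digest (docker/sandbox-templates:claude-code@sha256:<DIGEST_PLACEHOLDER>)
# would make rebuilds reproducible and protect against a silently changed tag.
FROM docker/sandbox-templates:claude-code

# Root is required for the package install and the writes under /usr/local and
# /etc below; the image switches back to the unprivileged user at the end.
USER root

# update-ca-certificates runs in the same layer as the install so the system
# trust bundle is regenerated right after ca-certificates is installed.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        unzip \
        zip \
    && rm -rf /var/lib/apt/lists/* \
    && update-ca-certificates

# Install bazelisk as "bazel" so it picks up .bazelversion automatically.
ARG BAZELISK_VERSION=1.25.0
ARG TARGETARCH
# Optional SHA-256 of the bazelisk release binary for this version and
# architecture. It is empty by default so existing builds keep working, but the
# binary is then trusted on TLS alone. Supply it with
#   --build-arg BAZELISK_SHA256=<SHA256_PLACEHOLDER>
# (one value per target architecture) to fail the build on a mismatch.
ARG BAZELISK_SHA256=""
RUN curl -fsSL "https://github.com/bazelbuild/bazelisk/releases/download/v${BAZELISK_VERSION}/bazelisk-linux-${TARGETARCH}" \
        -o /usr/local/bin/bazel \
    && if [ -n "${BAZELISK_SHA256}" ]; then \
           echo "${BAZELISK_SHA256}  /usr/local/bin/bazel" | sha256sum -c -; \
       else \
           echo "WARNING: BAZELISK_SHA256 not set; bazelisk binary was not integrity-checked" >&2; \
       fi \
    && chmod +x /usr/local/bin/bazel

# Pre-warm the Bazel release named in .bazelversion (8.5.1 at the time of
# writing) at build time so sandbox startup is fast.
# `cd` is used instead of WORKDIR on purpose: WORKDIR would change the working
# directory inherited from the base image for every later step and at runtime.
# NOTE(review): this step runs as root, so the download presumably lands in
# root's cache directory -- confirm that the "agent" user actually reuses it.
COPY .bazelversion /tmp/.bazelversion
RUN cd /tmp && bazel version

# Prepare Bazel proxy CA trust: copy the embedded JDK truststore to a
# mutable location and configure Bazel to use it. At runtime, the sandbox
# injects a proxy CA at /usr/local/share/ca-certificates/proxy-ca.crt that
# intercepts TLS. Modifying the embedded cacerts in-place triggers Bazel's
# install corruption check, so we use an external copy instead.
#
# "changeit" is the stock JDK truststore password, not a secret; the integrity
# of the truststore rests on file ownership and permissions, not the password.
# The copy and .bazelrc are handed to "agent" because this step runs as root
# and the runtime import below has to write into /home/agent/.bazel-ssl.
# NOTE(review): this assumes the persistent script runs as "agent" -- confirm.
#
# Once the proxy CA is imported, TLS to remote hosts is no longer end-to-end
# for Bazel, so external dependencies should be pinned by hash in the workspace.
RUN JAVA_HOME="$(bazel info java-home 2>/dev/null)" \
    && mkdir -p /home/agent/.bazel-ssl \
    && cp "$JAVA_HOME/lib/security/cacerts" /home/agent/.bazel-ssl/cacerts \
    && echo 'startup --host_jvm_args=-Djavax.net.ssl.trustStore=/home/agent/.bazel-ssl/cacerts --host_jvm_args=-Djavax.net.ssl.trustStorePassword=changeit' \
        >> /home/agent/.bazelrc \
    && chown -R agent: /home/agent/.bazel-ssl /home/agent/.bazelrc

# At runtime, import the proxy CA into the copied truststore if present.
# This runs as part of the persistent env so it executes once on first
# bash invocation.
# keytool output is discarded, so a failed import is silent: the .ca-imported
# marker is then never created and the import is retried on each invocation.
# When Bazel reports TLS errors, check for that marker file first.
RUN echo 'if [ -f /usr/local/share/ca-certificates/proxy-ca.crt ] && [ ! -f /home/agent/.bazel-ssl/.ca-imported ]; then \
    JAVA_HOME="$(bazel info java-home 2>/dev/null)" && \
    "$JAVA_HOME/bin/keytool" -importcert -trustcacerts \
    -keystore /home/agent/.bazel-ssl/cacerts \
    -storepass changeit -noprompt -alias proxy-ca \
    -file /usr/local/share/ca-certificates/proxy-ca.crt >/dev/null 2>&1 && \
    touch /home/agent/.bazel-ssl/.ca-imported; \
    fi' >> /etc/sandbox-persistent.sh

# Drop privileges: the sandbox itself runs as the unprivileged "agent" user.
USER agent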