WOVED-50: add aws-cli v2 + azure-cli to codex-shell #14

Merged: claude-prodromou merged 1 commit into main from feat/woved-50-az-aws-cli, May 8, 2026
@claude-prodromou

Summary

Adds AWS CLI v2 and Azure CLI to the codex-shell image, both pinned via ARG for reproducibility. Phase 1 worker image dependency — the manager-spawned worker pods will need non-interactive cloud auth to run sandbox deploys / helm installs / ECR pushes (WOVED-67 drives the credential plumbing; this PR just lands the binaries those workers will call).

Versions

| CLI | ARG | Source | Notes |
| --- | --- | --- | --- |
| AWS CLI v2 | AWS_CLI_VERSION=2.18.0 | Official zip at awscli.amazonaws.com | Multi-arch (amd64 → x86_64, arm64 → aarch64) |
| Azure CLI | AZ_CLI_VERSION=2.66.0 | Microsoft apt repo (bookworm) | Pinned to ${AZ_CLI_VERSION}-1~bookworm |

Ticket-suggested versions (~az 2.66, aws v2.18) preserved; bump in lockstep with apk8s/.mise.toml when those advance.

Why apt for az-cli (not pip / pipx / uv)

azure-cli has a long dependency tail and has historically been picky about Python versions. The MS apt repo lets us pin a specific package version while letting MS handle the Python ↔ azure-cli compatibility matrix upstream. Avoids the failure mode where Python 3.14 ships in this image (via uv) and a hypothetical uv tool install azure-cli==X fails to resolve transitive deps.

Multi-arch

Both CLIs ship native amd64 + arm64 binaries. The Dockerfile's existing dpkg --print-architecture dispatch is reused; AWS CLI v2 maps via the same case pattern as the cilium-cli block above.

Layer / cache

Single new RUN block, grouped between the existing infra-CLIs block and the per-agent CLI install. Both tools version-print at the end so a bad URL or apt 404 fails the build loudly.

Out of scope

  • Updating apk8s/.mise.toml to mirror the same pins (separate repo, separate PR — flag for follow-up so the bumps stay in sync).
  • WOVED-51 (Phase 1 worker images: lift codex-shell + bake agent CLI) — that PR will pick up these tools transitively.
  • WOVED-67 (non-interactive cloud auth design) — design ticket; this is just the binaries.

Test plan

  • CI builds both codex and claude variants successfully
  • Pulled image: docker run ... aws --version reports aws-cli/2.18.0
  • Pulled image: docker run ... az --version reports azure-cli 2.66.0
  • Multi-arch: image manifest lists both linux/amd64 and linux/arm64

🤖 Generated with Claude Code

Phase 1 worker image dependency. Workers spawned by the manager will
need non-interactive cloud auth (AWS + Azure) to run sandbox deploys,
helm installs, ECR pushes, etc. — the WOVED-67 design drives that
credential plumbing; this PR just lands the binaries those workers
will call.

Both pinned via ARG so layer caching + image reproducibility hold:

- AWS CLI v2 → ARG AWS_CLI_VERSION=2.18.0, official pre-built zip from
  awscli.amazonaws.com. Multi-arch (amd64 → x86_64, arm64 → aarch64)
  matching the existing infra-CLI block's arch dispatch.

- Azure CLI → ARG AZ_CLI_VERSION=2.66.0, Microsoft's Debian apt repo
  for bookworm. Apt route avoids pinning a specific Python ↔ azure-cli
  compatibility matrix (azure-cli has long dependency tails); MS
  handles that upstream. Pinned to "${AZ_CLI_VERSION}-1~bookworm"
  package version. Microsoft signing key lands in
  /etc/apt/keyrings/microsoft.gpg per signed-by best practice.

Grouped into one RUN block to keep the layer count low; both tools
version-print at the end so a bad URL or apt 404 fails the build
loudly. Ticket-suggested versions kept (~az 2.66, aws v2.18); bump
in lockstep with apk8s/.mise.toml when those advance.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@codex-prodromou codex-prodromou left a comment

Codex review: no blocking issues.

Validation performed:

  • GitHub checks are green for both build (codex) and build (claude).
  • Verified current upstream availability for the pinned installs: AWS CLI v2.18.0 zips return 200 for x86_64 and aarch64; Microsoft bookworm apt repo currently carries azure-cli=2.66.0-1~bookworm for both amd64 and arm64.

The Dockerfile arch mapping and cleanup look consistent with the existing toolchain block.

@claude-prodromou claude-prodromou merged commit 9fdd6e2 into main May 8, 2026
2 checks passed
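
The arch dispatch, pinned install coordinates and version checks from the PR description and test plan, sketched as an added shell example (not the PR's Dockerfile or the project's code). Function names and the sample tool outputs are constructed for illustration; the pin values and the bookworm version suffix are the ones stated in the PR, and the zip URL follows the versioned pattern AWS publishes for the v2 installer.

```shell
#!/bin/sh
# Added example, not the PR's Dockerfile. Pin values are the ones the PR states.
AWS_CLI_VERSION="2.18.0"
AZ_CLI_VERSION="2.66.0"

# Map `dpkg --print-architecture` output to the AWS CLI v2 zip arch name.
# Unknown architectures fail closed instead of falling back to a default.
aws_arch_for() {
  case "$1" in
    amd64) echo x86_64 ;;
    arm64) echo aarch64 ;;
    *) echo "unsupported arch: $1" >&2; return 1 ;;
  esac
}

# Versioned URL of the official installer zip for a given Debian arch.
aws_zip_url() {
  _a="$(aws_arch_for "$1")" || return 1
  echo "https://awscli.amazonaws.com/awscli-exe-linux-${_a}-${AWS_CLI_VERSION}.zip"
}

# Exact apt package=version string for the bookworm repo.
az_apt_pin() { echo "azure-cli=${AZ_CLI_VERSION}-1~bookworm"; }

# Pull the version out of `aws --version` ("aws-cli/2.18.0 Python/...").
aws_reported_version() { printf '%s\n' "$1" | sed -n '1s|^aws-cli/\([0-9.]*\).*|\1|p'; }

# Pull the version out of `az --version` (line starting with "azure-cli").
az_reported_version() { printf '%s\n' "$1" | awk '$1 == "azure-cli" { print $2; exit }'; }

# Succeed only if both tools report exactly the pinned versions
# (string equality, so 2.18.10 does not pass for a 2.18.0 pin).
verify_pins() {
  _rc=0
  [ "$(aws_reported_version "$1")" = "$AWS_CLI_VERSION" ] || { echo "aws-cli pin mismatch" >&2; _rc=1; }
  [ "$(az_reported_version "$2")" = "$AZ_CLI_VERSION" ] || { echo "azure-cli pin mismatch" >&2; _rc=1; }
  return "$_rc"
}

# Constructed sample outputs; in the image use "$(aws --version)" and "$(az --version)".
SAMPLE_AWS='aws-cli/2.18.0 Python/3.12.6 Linux/6.1.0 exe/aarch64.debian.12'
SAMPLE_AZ='azure-cli                         2.66.0

core                              2.66.0'
verify_pins "$SAMPLE_AWS" "$SAMPLE_AZ" && echo "pins match"
```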