build(docker): unify per-platform deploys behind single GHCR image

Author: eleboucher

.github/workflows/docker.yml

@@ -0,0 +1,61 @@
+name: Docker
+
+on:
+  push:
+    branches: [main]
+    tags: ["v*"]
+  pull_request:
+    branches: [main]
+    paths:
+      - Dockerfile
+      - docker/**
+      - src/**
+      - iii-config*.yaml
+      - package.json
+      - tsdown.config.ts
+      - tsconfig.json
+      - .github/workflows/docker.yml
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+
+      - if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
+            type=sha,prefix=sha-,format=short
+
+      - uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          provenance: false

Dockerfile

@@ -0,0 +1,56 @@
+# syntax=docker/dockerfile:1
+ARG NODE_VERSION=22-slim
+ARG III_VERSION=0.11.2
+
+FROM iiidev/iii:${III_VERSION} AS iii-image
+
+FROM node:${NODE_VERSION} AS builder
+WORKDIR /build
+
+COPY package.json tsdown.config.ts tsconfig.json ./
+RUN npm install --legacy-peer-deps --no-audit --no-fund
+
+COPY src/ src/
+COPY iii-config.yaml iii-config.docker.yaml ./
+RUN npm run build
+
+FROM node:${NODE_VERSION}
+ARG III_VERSION
+
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends \
+        ca-certificates curl openssl tini tzdata \
+ && rm -rf /var/lib/apt/lists/*
+
+COPY --from=iii-image /app/iii /usr/local/bin/iii
+
+WORKDIR /opt/agentmemory
+COPY --from=builder /build/dist ./dist
+COPY --from=builder /build/iii-config.yaml /build/iii-config.docker.yaml ./
+COPY --from=builder /build/package.json ./
+
+# iii-sdk caret range would otherwise resolve newer than the pinned engine.
+RUN node -e "const p=require('./package.json'); p.overrides=Object.assign({},p.overrides,{'iii-sdk':process.env.III_VERSION}); require('fs').writeFileSync('package.json',JSON.stringify(p,null,2));" \
+ && III_VERSION="${III_VERSION}" npm install --omit=dev --legacy-peer-deps --no-audit --no-fund \
+ && ln -s /opt/agentmemory/dist/cli.mjs /usr/local/bin/agentmemory \
+ && mkdir -p /data \
+ && chown -R node:node /data /opt/agentmemory
+
+ENV AGENTMEMORY_III_VERSION=${III_VERSION} \
+    AGENTMEMORY_DATA_DIR=/data \
+    AGENTMEMORY_HMAC_FILE=/data/.hmac \
+    AGENTMEMORY_VIEWER_HOST=0.0.0.0 \
+    NODE_ENV=production \
+    TINI_SUBREAPER=1
+
+COPY --chmod=0755 docker/entrypoint.sh /usr/local/bin/agentmemory-entrypoint.sh
+
+EXPOSE 3111 3112 3113
+VOLUME ["/data"]
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \
+  CMD curl -fsS http://127.0.0.1:3111/agentmemory/livez || exit 1
+
+USER node:node
+
+ENTRYPOINT ["/usr/bin/tini", "--", "/usr/local/bin/agentmemory-entrypoint.sh"]

deploy/README.md

@@ -1,15 +1,9 @@
 # One-click deploy templates
 
-Stand up agentmemory on managed infrastructure without rolling your own
-Docker host. Each template ships a self-contained Dockerfile that pulls
-`@agentmemory/agentmemory` from npm at build time and copies the iii
-engine binary in from the official `iiidev/iii` image — no pre-built
-agentmemory image required. Storage mounts at `/data`; an HMAC secret
-is generated by the first-boot entrypoint and persisted to the volume.
-The entrypoint overwrites the npm-bundled iii config with a
-deploy-tuned one that binds `0.0.0.0` and uses absolute `/data` paths,
-then drops privileges from `root` to `node` via `gosu` before
-exec'ing the agentmemory CLI.
+Stand up agentmemory on managed infrastructure. Each template pulls
+[`ghcr.io/rohitg00/agentmemory:latest`](https://github.com/rohitg00/agentmemory/pkgs/container/agentmemory)
+and mounts a volume at `/data`. The image generates the HMAC secret on
+first boot and persists it to the volume.
 
 | Platform | Pitch | Cost floor |
 |----------|-------|------------|

deploy/coolify/Dockerfile

@@ -1,12 +1,20 @@
 services:
+  init:
+    # chown the named volume to uid 1000 so the (non-root) agentmemory
+    # container can write /data.
+    image: busybox:1.36
+    user: "0:0"
+    volumes:
+      - agentmemory-data:/data
+    entrypoint: ["sh", "-c", "chown -R 1000:1000 /data && chmod 755 /data"]
+    restart: "no"
+
   agentmemory:
-    build:
-      context: .
-      dockerfile: Dockerfile
-      args:
-        AGENTMEMORY_VERSION: "0.9.12"
-        III_VERSION: "0.11.2"
-        III_SDK_VERSION: "0.11.2"
+    # Pin to a semver tag for reproducible deploys; bump deliberately.
+    image: ghcr.io/rohitg00/agentmemory:0.9.12
+    depends_on:
+      init:
+        condition: service_completed_successfully
     restart: unless-stopped
     environment:
       - SERVICE_FQDN_AGENTMEMORY_3111