Adds a dedicated Docker environment for reviewing untrusted pull requests with codex/claude, keeping CLI auth state in volumes and using a separate scratch workspace for PR checkouts. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
services:
|
|
review:
|
|
build:
|
|
context: .
|
|
dockerfile: docker/untrusted-review/Dockerfile
|
|
init: true
|
|
tty: true
|
|
stdin_open: true
|
|
working_dir: /work
|
|
environment:
|
|
HOME: "/home/reviewer"
|
|
CODEX_HOME: "/home/reviewer/.codex"
|
|
CLAUDE_HOME: "/home/reviewer/.claude"
|
|
PAPERCLIP_HOME: "/home/reviewer/.paperclip-review"
|
|
OPENAI_API_KEY: "${OPENAI_API_KEY:-}"
|
|
ANTHROPIC_API_KEY: "${ANTHROPIC_API_KEY:-}"
|
|
GITHUB_TOKEN: "${GITHUB_TOKEN:-}"
|
|
ports:
|
|
- "${REVIEW_PAPERCLIP_PORT:-3100}:3100"
|
|
- "${REVIEW_VITE_PORT:-5173}:5173"
|
|
volumes:
|
|
- review-home:/home/reviewer
|
|
- review-work:/work
|
|
cap_drop:
|
|
- ALL
|
|
security_opt:
|
|
- no-new-privileges:true
|
|
tmpfs:
|
|
- /tmp:mode=1777,size=1g
|
|
|
|
volumes:
|
|
review-home:
|
|
review-work:
|
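Review bot: The `OPENAI_API_KEY`, `ANTHROPIC_API_KEY` and `GITHUB_TOKEN` values under `environment:` are injected as plain process environment into the same container whose `/work` volume holds the untrusted PR checkout, so any build step, test or hook the review runs from that checkout can read all three and the `review-home` volume that persists the CLI auth state; whether PR code is actually executed depends on the workflow, which the compose file does not show. Since the description says CLI auth state already lives in the volumes, consider dropping the key variables (or serving them through compose `secrets:` so they land as files readable only by the CLIs) and scoping `GITHUB_TOKEN` to read-only access for the PR under review. The two `ports:` entries publish on all host interfaces by default; binding to loopback is a one-line change each, e.g. `- "127.0.0.1:${REVIEW_PAPERCLIP_PORT:-3100}:3100"` and `- "127.0.0.1:${REVIEW_VITE_PORT:-5173}:5173"`. `cap_drop: ALL` and `no-new-privileges:true` are good, but the service sets no `pids_limit`, memory limit or `read_only: true`, and no `user:` is declared here, so whether the container runs unprivileged rests on the Dockerfile's `USER`, which is not in this change.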