[feat] Add Docker support with GHCR publishing

chris-freeman-glean · chris-freeman-glean · commit 4ab0f8625af7 · 2025-11-17T16:08:42.000-07:00
- Add Dockerfile for multi-arch Docker image support (amd64/arm64)
- Create GitHub Actions workflow to publish images to GHCR on releases
- Add docker-test workflow for CI validation
- Simplify Docker documentation to use published GHCR images
- Remove .dockerignore (no longer needed with npm install approach)

Docker images will be automatically published to ghcr.io/gleanwork/local-mcp-server
when releases are created, providing users with a sandboxed execution environment
that abstracts over local environment differences.
diff --git a/.env.example b/.env.example
@@ -0,0 +1,5 @@
+# Glean instance name (required)
+GLEAN_INSTANCE=your-instance-name
+
+# Glean API token (required)
+GLEAN_API_TOKEN=your-api-token
diff --git a/.github/workflows/docker-test.yml b/.github/workflows/docker-test.yml
@@ -0,0 +1,57 @@
+name: Docker Test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  test:
+    name: Build and Test Docker Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Build Docker image
+        run: docker build -t glean-mcp-server:test .
+
+      - name: Test image structure
+        run: |
+          docker run --rm glean-mcp-server:test node --version
+          docker run --rm glean-mcp-server:test which npx
+
+      - name: Verify MCP server starts with stdio
+        run: |
+          container_id=$(docker run -d -i glean-mcp-server:test)
+          sleep 2
+          if docker ps | grep -q "$container_id"; then
+            echo "Container is running"
+            docker logs "$container_id"
+            docker stop "$container_id"
+          else
+            echo "Container failed to start"
+            docker logs "$container_id" || true
+            exit 1
+          fi
+
+      - name: Test with security constraints
+        run: |
+          container_id=$(docker run -d -i \
+            --cpus="1.0" \
+            --memory="2g" \
+            --read-only \
+            --tmpfs /tmp \
+            --cap-drop=ALL \
+            --security-opt=no-new-privileges:true \
+            glean-mcp-server:test)
+          sleep 2
+          if docker ps | grep -q "$container_id"; then
+            echo "Container is running with security constraints"
+            docker logs "$container_id"
+            docker stop "$container_id"
+          else
+            echo "Container failed to start with security constraints"
+            docker logs "$container_id" || true
+            exit 1
+          fi
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
@@ -0,0 +1,51 @@
+name: Publish Docker Image
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+
+jobs:
+  publish:
+    name: Build and Publish Multi-Arch Docker Image
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/gleanwork/local-mcp-server
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=raw,value=latest
+
+      - name: Build and push multi-architecture image
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,19 @@
+# Use Alpine-based Node.js 20 for minimal image size and security
+FROM node:20-alpine
+
+# Create non-root user for security best practices
+# uid/gid 1001 is a common convention for application users
+RUN addgroup -g 1001 -S nodejs && \
+    adduser -S mcpserver -u 1001
+
+# Switch to non-root user before installing packages
+# This ensures npm global installs go to user space, not /usr/local
+USER mcpserver
+
+# Install the published @gleanwork/local-mcp-server package from npm
+# Using -g installs it globally in the user's home directory
+RUN npm install -g @gleanwork/local-mcp-server
+
+# Run the MCP server
+# The server uses stdio transport and keeps running until terminated
+CMD ["local-mcp-server"]
diff --git a/README.md b/README.md
@@ -10,6 +10,8 @@ This monorepo contains packages for Glean's local MCP server. For more details s
 - [@gleanwork/configure-mcp-server](https://github.com/gleanwork/configure-mcp-server) for configuring the local MCP server with popular MCP clients.
 - [@gleanwork/local-mcp-server](https://github.com/gleanwork/mcp-server/tree/main/packages/local-mcp-server) on running the local MCP server.
 
+The local MCP server can be run via npx or Docker. See the [@gleanwork/local-mcp-server README](https://github.com/gleanwork/mcp-server/tree/main/packages/local-mcp-server#docker-deployment) for Docker deployment instructions.
+
 ## Contributing
 
 Please see [CONTRIBUTING.md](CONTRIBUTING.md) for development setup and guidelines.
diff --git a/packages/local-mcp-server/README.md b/packages/local-mcp-server/README.md
@@ -70,6 +70,49 @@ To manually configure an MCP client (such as Claude Desktop, Windsurf, Cursor, e
 
 Replace the environment variable values with your actual Glean credentials.
 
+## Docker Deployment
+
+As an alternative to npx, you can run the Glean MCP server in a Docker container. This provides isolation and consistent runtime environments.
+
+Multi-architecture Docker images are published to GitHub Container Registry and work on both Intel/AMD (amd64) and Apple Silicon (arm64) systems.
+
+### Pull the Image
+
+```bash
+docker pull ghcr.io/gleanwork/local-mcp-server:latest
+```
+
+### MCP Client Configuration
+
+Configure your MCP client to use the Docker image:
+
+```json
+{
+  "mcpServers": {
+    "glean": {
+      "command": "docker",
+      "args": [
+        "run",
+        "-i",
+        "--rm",
+        "ghcr.io/gleanwork/local-mcp-server:latest"
+      ],
+      "env": {
+        "GLEAN_INSTANCE": "your-instance",
+        "GLEAN_API_TOKEN": "your-token"
+      }
+    }
+  }
+}
+```
+
+**Important:** The `-i` flag is required for stdio transport communication.
+
+### Environment Variables
+
+- `GLEAN_INSTANCE` (required): Your Glean instance name
+- `GLEAN_API_TOKEN` (required): Your Glean API token
+
 ### Debugging
 
 Since MCP servers communicate over stdio, debugging can be challenging. We recommend using the [MCP Inspector](https://github.com/modelcontextprotocol/inspector), which is available as a package script:
