Simplify workflow: build CLI only in GitHub Actions, image built by Portainer

- Removed Docker build job from workflow (image built when deploying)
- Updated paths filter to only trigger on opencode/** changes
- Added artifact cleanup to keep only latest CLI build
- Added multi-stage Dockerfile to build CLI from source during Docker build
- Simplified permissions (removed packages write)

Dockerfile

@@ -1,20 +1,73 @@
 # Web-based PowerShell + SST OpenCode terminal
 # x86_64 architecture support only
-FROM ubuntu:24.04
+FROM ubuntu:24.04 AS builder
+
+ARG PWSH_VERSION=7.4.6
+ARG NODE_VERSION=20.18.1
+ARG TTYD_VERSION=1.7.7
+ARG BUN_VERSION=1.3.8
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    TERM=xterm-256color \
+    LANG=C.UTF-8 \
+    LC_ALL=C.UTF-8
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        ca-certificates \
+        curl \
+        wget \
+        git \
+        tar \
+        xz-utils \
+        gzip \
+        libicu-dev \
+        libssl-dev \
+        unzip \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN curl -fsSL -o /tmp/bun.zip "https://github.com/oven-sh/bun/releases/download/bun-v${BUN_VERSION}/bun-linux-x64.zip" \
+    && unzip -q /tmp/bun.zip -d /usr/local/bin \
+    && chmod +x /usr/local/bin/bun \
+    && rm /tmp/bun.zip
+
+RUN curl -fsSL -o /tmp/powershell.tar.gz \
+    "https://github.com/PowerShell/PowerShell/releases/download/v${PWSH_VERSION}/powershell-${PWSH_VERSION}-linux-x64.tar.gz" \
+    && mkdir -p /opt/microsoft/powershell/7 \
+    && tar -xzf /tmp/powershell.tar.gz -C /opt/microsoft/powershell/7 \
+    && chmod +x /opt/microsoft/powershell/7/pwsh \
+    && ln -sf /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh \
+    && rm -f /tmp/powershell.tar.gz
+
+RUN curl -fsSL -o /usr/local/bin/ttyd \
+    "https://github.com/tsl0922/ttyd/releases/download/${TTYD_VERSION}/ttyd.x86_64" \
+    && chmod +x /usr/local/bin/ttyd
+
+RUN curl -fsSL -o /tmp/node.tar.xz \
+    "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz" \
+    && tar -xJf /tmp/node.tar.xz -C /usr/local --strip-components=1 \
+    && ln -sf /usr/local/bin/node /usr/bin/node \
+    && ln -sf /usr/local/bin/npm /usr/bin/npm \
+    && rm -f /tmp/node.tar.xz
+
+COPY opencode /opt/opencode-src
+
+WORKDIR /opt/opencode-src
+
+RUN bun install \
+    && bun run ./packages/opencode/script/build.ts --single
+
+FROM ubuntu:24.04
 
 ARG PWSH_VERSION=7.4.6
 ARG NODE_VERSION=20.18.1
 ARG TTYD_VERSION=1.7.7
-ARG TARGETARCH
-ARG BUILDPLATFORM
-ARG TARGETPLATFORM
 
 ENV DEBIAN_FRONTEND=noninteractive \
     TERM=xterm-256color \
     LANG=C.UTF-8 \
     LC_ALL=C.UTF-8
 
-# Install minimal system dependencies only (no PowerShell or Node.js from apt)
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
         ca-certificates \
@@ -29,90 +82,52 @@ RUN apt-get update \
         libssl-dev \
     && rm -rf /var/lib/apt/lists/*
 
-# Install PowerShell 7.x from official binary release (architecture-aware)
-# Prefer Docker build args (TARGETARCH) so cross-arch builds work reliably in Portainer/buildx.
-RUN ARCH="${TARGETARCH:-}" && \
-    if [ -z "$ARCH" ]; then ARCH="$(dpkg --print-architecture)"; fi && \
-    if [ "$ARCH" = "amd64" ]; then \
-        PWSH_ARCH="x64"; \
-    elif [ "$ARCH" = "arm64" ]; then \
-        PWSH_ARCH="arm64"; \
-    else \
-        echo "Unsupported architecture: $ARCH (TARGETPLATFORM=${TARGETPLATFORM:-unknown}, BUILDPLATFORM=${BUILDPLATFORM:-unknown})" && exit 1; \
-    fi && \
-    curl -fsSL -o /tmp/powershell.tar.gz \
-    "https://github.com/PowerShell/PowerShell/releases/download/v${PWSH_VERSION}/powershell-${PWSH_VERSION}-linux-${PWSH_ARCH}.tar.gz" \
+RUN curl -fsSL -o /tmp/powershell.tar.gz \
+    "https://github.com/PowerShell/PowerShell/releases/download/v${PWSH_VERSION}/powershell-${PWSH_VERSION}-linux-x64.tar.gz" \
     && mkdir -p /opt/microsoft/powershell/7 \
     && tar -xzf /tmp/powershell.tar.gz -C /opt/microsoft/powershell/7 \
     && chmod +x /opt/microsoft/powershell/7/pwsh \
     && ln -sf /opt/microsoft/powershell/7/pwsh /usr/bin/pwsh \
     && rm -f /tmp/powershell.tar.gz
 
-# Install Node.js 20.x from official binary release (architecture-aware)
-RUN ARCH="${TARGETARCH:-}" && \
-    if [ -z "$ARCH" ]; then ARCH="$(dpkg --print-architecture)"; fi && \
-    if [ "$ARCH" = "amd64" ]; then \
-        NODE_ARCH="x64"; \
-    elif [ "$ARCH" = "arm64" ]; then \
-        NODE_ARCH="arm64"; \
-    else \
-        echo "Unsupported architecture: $ARCH (TARGETPLATFORM=${TARGETPLATFORM:-unknown}, BUILDPLATFORM=${BUILDPLATFORM:-unknown})" && exit 1; \
-    fi && \
-    curl -fsSL -o /tmp/node.tar.xz \
-    "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-${NODE_ARCH}.tar.xz" \
+RUN curl -fsSL -o /usr/local/bin/ttyd \
+    "https://github.com/tsl0922/ttyd/releases/download/${TTYD_VERSION}/ttyd.x86_64" \
+    && chmod +x /usr/local/bin/ttyd
+
+RUN curl -fsSL -o /tmp/node.tar.xz \
+    "https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz" \
     && tar -xJf /tmp/node.tar.xz -C /usr/local --strip-components=1 \
     && ln -sf /usr/local/bin/node /usr/bin/node \
     && ln -sf /usr/local/bin/npm /usr/bin/npm \
     && rm -f /tmp/node.tar.xz
 
-# Install ttyd (static binary, architecture-aware)
-RUN ARCH="${TARGETARCH:-}" && \
-    if [ -z "$ARCH" ]; then ARCH="$(dpkg --print-architecture)"; fi && \
-    if [ "$ARCH" = "amd64" ]; then \
-        TTYD_ARCH="x86_64"; \
-    elif [ "$ARCH" = "arm64" ]; then \
-        TTYD_ARCH="aarch64"; \
-    else \
-        echo "Unsupported architecture: $ARCH (TARGETPLATFORM=${TARGETPLATFORM:-unknown}, BUILDPLATFORM=${BUILDPLATFORM:-unknown})" && exit 1; \
-    fi && \
-    curl -fsSL -o /usr/local/bin/ttyd \
-    "https://github.com/tsl0922/ttyd/releases/download/${TTYD_VERSION}/ttyd.${TTYD_ARCH}" \
-    && chmod +x /usr/local/bin/ttyd
+COPY --from=builder /opt/opencode-src/opencode/packages/opencode/dist/opencode-linux-x64/bin/opencode /usr/local/bin/opencode
 
-# Install OpenCode from locally built CLI artifacts
-# CI builds these binaries from the opencode folder.
-COPY opencode /opt/opencode-src
-COPY opencode/packages/opencode/dist/bin/opencode /usr/local/bin/opencode
 RUN chmod +x /usr/local/bin/opencode
 
-# Removed Gemini CLI - not needed for Shopify AI App Builder
-
-# Add Windows-like PowerShell profile (aliases and PSReadLine style)
 RUN mkdir -p /root/.config/powershell
 COPY profile/Microsoft.PowerShell_profile.ps1 /root/.config/powershell/Microsoft.PowerShell_profile.ps1
 RUN chmod 644 /root/.config/powershell/Microsoft.PowerShell_profile.ps1
 
-# Copy entrypoint, health check, and diagnostic logger scripts
 COPY scripts/entrypoint.sh /usr/local/bin/entrypoint.sh
 COPY scripts/healthcheck.sh /usr/local/bin/healthcheck.sh
 COPY scripts/diagnostic-logger.sh /usr/local/bin/diagnostic-logger.sh
 RUN chmod +x /usr/local/bin/entrypoint.sh /usr/local/bin/healthcheck.sh /usr/local/bin/diagnostic-logger.sh
 
-# Chat web service assets
 COPY chat /opt/webchat
 RUN cd /opt/webchat && npm install --production && chmod -R 755 /opt/webchat
+
 COPY chat_v2 /opt/webchat_v2
 RUN chmod -R 755 /opt/webchat_v2
 
-# Create workspace directory and set as workdir so pwsh starts where repo/workspace is mounted
 RUN mkdir -p /home/web/data \
     && mkdir -p /var/log/shopify-ai \
     && chown -R root:root /home/web/data /var/log/shopify-ai
+
 WORKDIR /home/web/data
 
-# Container defaults - Shopify AI App Builder
-# Port 4500: Web UI (chat/builder interface)
 EXPOSE 4500
+
 HEALTHCHECK --interval=30s --timeout=15s --start-period=60s --retries=5 \
     CMD /usr/local/bin/healthcheck.sh || exit 1