Build for Linux in Buildkite + EC2 + Docker #3346
Open
twstokes wants to merge 1 commit into add-buildkite-linux-build-group from
mokagio reviewed May 6, 2026
Comment on lines +176 to +181
| # `--maxsockets 1` works around npm/cli#4652 (ECONNRESETs on Linux); | ||
| # see install-node-dependencies.sh for the original rationale. | ||
| # TODO: restore the Buildkite npm cache used on Mac/Windows. The | ||
| # toolkit's cache helpers live on the host, so wiring them around a | ||
| # Docker step needs extra plumbing or a persistent agent volume. | ||
| npm ci --unsafe-perm --no-audit --no-progress --maxsockets 1 |
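Review bot: On the `npm ci` line, the comment justifies only `--maxsockets 1`; `--unsafe-perm` and `--no-audit` are left unexplained. Both relax npm defaults on a step that installs third-party packages inside the container, so add a line saying why each is needed here (or drop whichever is not), and link the TODO about the npm cache to a tracking issue so it does not go stale.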
Alternatively, we could add some platform introspection in the install script, to opt out of the caching flow. Just to keep the `npm ci` options usage consistent.
mokagio approved these changes May 6, 2026

AINFRA-2352
Related issues
`make:linux-x64`/`make:linux-arm64` scripts)
How AI was used in this PR
AI-assisted throughout. Claude inspected the existing `.buildkite/pipeline.yml`, surveyed the `buildkite-ci` Terraform repo to map available queues, and cross-referenced pipelines in other projects to identify the right pattern. A self-review pass added the Linux ECONNRESET workaround, dynamic Node image derivation from `.nvmrc`, and the shell/apt hardening below.
Proposed Changes
Adds a `📦 Build for Linux` group to `.buildkite/pipeline.yml`, mirroring the existing Mac and Windows groups: input gate (skipped on `trunk` and tagged release builds), group dependency on the input, and a 2-arch matrix (`x64`, `arm64`) that runs `npm run make:linux-{{matrix}}` and uploads the resulting `.deb`.
Build runs inside a Node Docker container. Amazon Linux is RPM-based; `dpkg` isn't in its default repos and `fakeroot` is only available via EPEL. Both are hard prerequisites of `electron-forge`'s `MakerDeb`. Wrapping the step in a Debian container — using the Buildkite Docker plugin, an established A8C pattern — sidesteps the AMI mismatch cleanly.
Image is derived from `.nvmrc`. `shared-pipeline-vars` reads `.nvmrc` and exports `NODE_DOCKER_IMAGE="node:${VERSION}-bookworm"`, which `pipeline.yml` references as `$NODE_DOCKER_IMAGE`. Bumping `.nvmrc` moves the Linux container in lockstep with the NVM-installed Node on Mac/Windows agents, so `$NVM_PLUGIN` isn't needed on this step.
`git remote set-url origin https://...` inside the container. The host buildkite-agent clones over SSH and `prepare-dev-build-version.mjs` calls `git fetch --tags --force`. The container has no `~/.ssh/known_hosts` or deploy key, so SSH hangs on the host-key prompt. Studio is a public repo, so swapping to anonymous HTTPS for the in-container fetch is the simplest fix and avoids exposing the agent's deploy key inside the container.
Inline shell hardening. `set -euo pipefail` at the top of the command; `apt-get -o Acquire::Retries=3 update` to ride out flaky Debian mirrors; `npm ci --maxsockets 1` to avoid the npm/cli#4652 ("[BUG] Getting constant Client network socket disconnected before secure TLS connection was established") ECONNRESETs that `install-node-dependencies.sh` already documents on Linux.
Adds `DOCKER_PLUGIN="docker#5.13.0"` and `NODE_DOCKER_IMAGE` to `.buildkite/shared-pipeline-vars`.
Known follow-up
The Linux step currently does not restore the Buildkite npm cache that `install-node-dependencies.sh` provides on Mac/Windows. The toolkit's cache helpers run on the host, so wiring them around a Docker step needs either two pipeline steps (host install → container build) or a persistent host volume mounted into the container — both larger than the scope here. Tracked as a TODO in `pipeline.yml`.
Testing Instructions
Note: `Distribute Dev Builds` (`.buildkite/pipeline.yml:205`) is intentionally not yet wired to depend on the Linux group — Linux distribution via Fastlane is out of scope for this PR. The `.deb` artifacts are reachable directly from the Buildkite build page.
Pre-merge Checklist
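The two derivations the PR description relies on (the image tag from `.nvmrc` and the SSH-to-HTTPS remote swap), shown with input checks as an added example; this is not code from the PR or its repository. The function names and the sample values in the comments are hypothetical.

```sh
#!/bin/sh
# Added example, not the PR's code. Function names are hypothetical.
# Function bodies run in subshells "( ... )" so their variables stay local.

# Print the Docker image derived from an .nvmrc-style file.
# Only digits separated by single dots are accepted (after an optional
# leading "v"), so aliases such as "lts/*" or stray characters never end
# up inside the image reference passed to the Docker plugin.
node_image_from_nvmrc() (
  version="$(tr -d '[:space:]' < "$1")"
  version="${version#v}"
  case "$version" in
    ''|*[!0-9.]*|.*|*.|*..*)
      printf 'unsupported .nvmrc value: %s\n' "$version" >&2
      exit 1 ;;
  esac
  printf 'node:%s-bookworm\n' "$version"
)

# Print the anonymous HTTPS form of a GitHub remote URL.
# Anything that is not a recognised github.com remote is refused, so the
# in-container fetch cannot be silently pointed at another host.
to_https_remote() (
  url="$1"
  case "$url" in
    git@github.com:*)       path="${url#git@github.com:}" ;;
    ssh://git@github.com/*) path="${url#ssh://git@github.com/}" ;;
    https://github.com/*)   printf '%s\n' "$url"; exit 0 ;;
    *)
      printf 'refusing to rewrite unexpected remote: %s\n' "$url" >&2
      exit 1 ;;
  esac
  printf 'https://github.com/%s\n' "$path"
)

# Usage inside the container step (assumes a git checkout in $PWD):
#   git remote set-url origin "$(to_https_remote "$(git remote get-url origin)")"
#   git fetch --tags --force
# Usage on the host when exporting pipeline variables:
#   NODE_DOCKER_IMAGE="$(node_image_from_nvmrc .nvmrc)" && export NODE_DOCKER_IMAGE
```

Because only the URL is rewritten, no deploy key or `known_hosts` entry has to be mounted into the container for the tag fetch.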