Opensandbox (#6657)

* Opensandbox (#6651)

* volumn manager

* feat: opensandbox volumn

* perf: action (#6654)

* perf: action

* doc

* doc

* deploy tml

* update template

projects/code-sandbox/Dockerfile

@@ -0,0 +1,59 @@
+# --------- Build Stage -----------
+FROM oven/bun:1-alpine AS builder
+WORKDIR /app
+
+ARG proxy
+
+# 安装 pnpm
+RUN apk add --no-cache nodejs npm && npm install -g pnpm@9
+
+# 复制 workspace 配置和依赖包
+COPY pnpm-lock.yaml pnpm-workspace.yaml package.json ./
+COPY packages/global ./packages/global
+COPY packages/service ./packages/service
+COPY projects/code-sandbox/ ./projects/code-sandbox/
+
+RUN [ -z "$proxy" ] || sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
+RUN apk add --no-cache curl ca-certificates && update-ca-certificates
+
+# 安装所有依赖（包括 devDependencies 用于编译）
+RUN if [ -z "$proxy" ]; then \
+        pnpm install --frozen-lockfile --ignore-scripts; \
+    else \
+        pnpm install --frozen-lockfile --ignore-scripts --registry=https://registry.npmmirror.com; \
+    fi
+
+# 编译主入口文件
+RUN cd /app/projects/code-sandbox && pnpm build
+
+# ===== Runner Stage =====
+FROM oven/bun:1-alpine AS runner
+WORKDIR /app
+
+ARG proxy
+
+# 复制编译产物（包含 worker 文件，不需要 node_modules）
+COPY --from=builder /app/projects/code-sandbox/dist /app/code-sandbox
+
+RUN [ -z "$proxy" ] || sed -i 's/dl-cdn.alpinelinux.org/mirrors.ustc.edu.cn/g' /etc/apk/repositories
+
+# 安装 Python、依赖包及工具
+RUN apk add --no-cache python3 py3-pip libffi util-linux && \
+    apk add --no-cache --virtual .build-deps gcc g++ musl-dev python3-dev libffi-dev
+COPY projects/code-sandbox/requirements.txt /tmp/requirements.txt
+RUN pip3 install --no-cache-dir --break-system-packages -r /tmp/requirements.txt && \
+    rm /tmp/requirements.txt && \
+    apk del .build-deps
+
+
+# 创建非 root 用户运行沙箱
+RUN addgroup -S sandbox && adduser -S sandbox -G sandbox && \
+    chown -R sandbox:sandbox /app
+USER sandbox
+
+ENV NODE_ENV=production
+ENV SANDBOX_PORT=3000
+
+EXPOSE 3000
+
+CMD ["bun", "/app/code-sandbox/index.js"]