igamenovoer/docker-pixi-project-offline
skills/air-gapped/docker/docker-pixi-project-offline/SKILL.md
Scripted process to build and verify a Pixi-managed project in Docker, then produce a portable WORKDIR/product directory for air-gapped use.
$ install --global
skillsauthnpx skillsauth add igamenovoer/magic-context docker-pixi-project-offlineInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 8:06 PM4.7s5 files scanned
SKILL.md
- name:
- docker-pixi-project-offline
- description:
- Scripted process to build and verify a Pixi-managed project in Docker, then produce a portable WORKDIR/product directory for air-gapped use.
Docker Pixi Project Offline
Prepare an existing Pixi-managed project for an air-gapped environment by:
- building and verifying it inside a Docker container (with network access), and
- producing a WORKDIR/product/ folder that can be packed and delivered.
This skill includes helper scripts under scripts/. Prefer using them (each supports --help) rather than retyping the manual steps.
What to ask the user
- Project source (pick one):
PROJECT_DIR: path to the Pixi project on the host (pixi.tomlorpyproject.toml), orPROJECT_PATH_IN_CONTAINER: path to the Pixi project already present inside a container
VERIFY_SPEC: one of:- a concrete command to run under Pixi (e.g.
python -m yourpkg --help) - a Pixi task name from the manifest (e.g.
smoke) - a script path (e.g.
./scripts/smoke.sh) plus what counts as success - a short description of what “success” means (you convert it into one or more commands)
- a concrete command to run under Pixi (e.g.
- Build execution target (pick one):
IMAGE: a Docker image that contains Pixi (recommended), orCONTAINER_ID: an already-running container to use
- Optional
RESOURCES_DIR: any extra runtime resources to bundle alongside the project (models, data files, binaries) - Optional
CONTAINER_WORKDIR_PATH: where the scripts stage files inside the container (use this if/workdiralready exists or is reserved in the image/container) - Optional
WORKDIR(host output dir): where the scripts write the generated workdir on the host (default:<workspace>/tmp/workdir-<ts>)
Preconditions
- Build machine has Docker and internet access.
- Use the provided Docker image/container. If it can run the project offline once packaged, that’s sufficient.
- Pixi is available inside the container (prebuilt image, or installed during image build).
- Air-gapped runtime must also have Pixi available (the product does not include the Pixi binary).
- For reproducibility:
pixi.lockexists and is up to date.
Outputs
WORKDIR/: a self-contained workspace holding the staged project, resources, Pixi cache, and logs/test outputs.WORKDIR/product/: the deliverable directory (you pack and ship this folder; archiving is out of scope for this skill).
Workdir layout
Use a single work directory so “inputs + outputs” are easy to copy/inspect:
WORKDIR/project/<project_name>/: staged project copy (input to product generation)WORKDIR/resources/: optional resources to include (input to product generation)WORKDIR/pixi-cache/: Pixi cache produced during the online build (input to product generation)WORKDIR/out/: logs and test outputs onlyWORKDIR/helpers/: helper scripts used during preparation (not shipped to air-gapped)WORKDIR/helpers/make-archive-ready-product.sh: creates/overwritesWORKDIR/product/
WORKDIR/product/: generated deliverable (created/overwritten byWORKDIR/helpers/make-archive-ready-product.sh)
Product layout (deliverable)
WORKDIR/product/ must be self-contained and include:
WORKDIR/product/<project_name>/: project directory containing Pixi manifest (pixi.tomlorpyproject.toml) and the minimal files needed to runWORKDIR/product/res/(optional): binary data/resources required at runtimeWORKDIR/product/pkg-cache/: Pixi package cache containing everything needed to install without internetWORKDIR/product/envs.sh: manual environment setup (users cansource envs.shbefore running Pixi commands)WORKDIR/product/bootstrap-project.sh: bootstraps the project (sourcesenvs.shthen runspixi installfor<project_name>/usingpkg-cache/)
Process
0) Scripts
All scripts are in this skill directory:
scripts/create-workdir-from-host.shscripts/create-workdir-from-container.shscripts/make-archive-ready-product.shscripts/final-verify-product.sh
Each script is intended to be manually invokable and provides --help.
The create-workdir-* scripts also copy scripts/make-archive-ready-product.sh into WORKDIR/helpers/ for portability.
1) Decide what “verification” means
Acceptable forms:
- Pixi task:
smoke(run aspixi run smoke) - Script:
./scripts/smoke.sh(define success: exit code 0, expected output, created files, etc.) - Command:
python -c "import yourpkg; print('ok')" - Description: “Running the CLI help works and prints version” (convert into one or more commands)
When executing, capture output into WORKDIR/out/ so the workdir contains the proof.
2) Create WORKDIR/
Use exactly one of the following paths:
2a) From a host project dir (recommended)
This stages a filtered copy of the project into WORKDIR/project/<project_name>/, runs pixi install, and runs verification (optional):
./scripts/create-workdir-from-host.sh --help
./scripts/create-workdir-from-host.sh \
--image your-pixi-image:tag \
--project-dir /path/to/project \
--resources-dir /path/to/resources \
--container-workdir-path /tmp/workdir \
--verify-run -- python -c 'import yourpkg; print("ok")'
2b) From an existing container project dir
If the project directory already exists in a running container, create /workdir in that container and copy it back to the host:
./scripts/create-workdir-from-container.sh --help
./scripts/create-workdir-from-container.sh \
--container-id <CONTAINER_ID> \
--project-path-in-container /path/to/project \
--container-workdir-path /tmp/workdir \
--verify-task smoke
3) Create the deliverable WORKDIR/product/
./tmp/pixi-offline-work/helpers/make-archive-ready-product.sh --help
./tmp/pixi-offline-work/helpers/make-archive-ready-product.sh \
--workdir ./tmp/pixi-offline-work --project-name <project_name>
4) Final verification (offline product)
Verify the product (not the staged project) in an offline/no-network container. This is the final verification step.
./scripts/final-verify-product.sh --help
./scripts/final-verify-product.sh \
--image your-pixi-image:tag \
--product-dir ./tmp/pixi-offline-work/product \
--out-dir ./tmp/pixi-offline-work/out \
--project-name <project_name> \
--verify-run -- python -c 'import yourpkg; print("ok")'
If this passes with networking disabled, it demonstrates that pixi install is satisfied by product/pkg-cache/.
After WORKDIR/product/ is created and verified, the remaining steps (packing, transferring, extracting, and running in the air-gapped environment) are the user’s responsibility.
Pitfalls / Notes
- Offline meaning: if “offline” means “no network”, prove it by running
./bootstrap-project.shand thenpixi run ...with--network none. - Secrets: staging matters—don’t accidentally package
.env, credentials, SSH keys, or tokens. - Multiple Pixi envs: verify/package the environment(s) you actually need.
Future automation (not implemented here)
When you want this to be push-button, add a small orchestrator that:
- stages with consistent excludes
- runs the container build/verify
- emits a manifest (image digest, pixi version, lockfile hash)
- wraps the
scripts/in a single command
Related Skills
igamenovoer/mermaid-graphing
data-ai
VerifiedTrustedCommunity
Create readable Mermaid diagrams inside Markdown files. Use for flowcharts and sequence diagrams that must render cleanly in common Markdown renderers (e.g., GitHub) without horizontal scrolling. Covers fenced mermaid blocks, init/theme styling, label wrapping with <br/>, and sequenceDiagram layout rules (short IDs, wrapped labels, don’t break identifiers).
7SKILL.mdUpdated Apr 5, 2026
igamenovoer/make-program-tutorial
development
VerifiedTrustedCommunity
Manual invocation only; use only when the user explicitly requests `make-program-tutorial` by exact name, OR when the user asks to use a skill to create an SDK/API/library tutorial. Create a clear, reproducible, step-by-step tutorial for a specific API/SDK/library (or a set of functions/classes), with runnable examples, expected outputs, and basic troubleshooting.
7SKILL.mdUpdated Apr 5, 2026
igamenovoer/pixi-make-offline-channel
testing
VerifiedTrustedCommunity
Use when the user wants to create a self-hosted, offline-installable Conda channel (mirror) containing a specific subset of packages using Pixi.
7SKILL.mdUpdated Apr 5, 2026
igamenovoer/pixi-make-cu-build-env
tools
VerifiedTrustedCommunity
Guides the agent to setup a new or existing Pixi environment for compiling C++ and CUDA code. It ensures the correct compilers, toolkits, and CMake configurations are in place for a robust user-space build.
7SKILL.mdUpdated Apr 5, 2026