Conversation
Signed-off-by: Ilya Buziuk <ibuziuk@redhat.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: ibuziuk The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
📝 WalkthroughWalkthroughBoth universal/ubi10/Dockerfile and universal/ubi9/Dockerfile add a build step installing herdr v0.7.3, selecting a binary based on TARGETARCH (amd64/arm64), skipping unsupported architectures, downloading it to /usr/local/bin/herdr, and marking it executable. Changesherdr binary installation
Estimated code review effort: 1 (Trivial) | ~5 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (2)
universal/ubi9/Dockerfile (1)
558-583: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winAdd checksum verification for the herdr binary download.
Same as the ubi10 Dockerfile — the binary is downloaded without integrity verification. If herdr publishes checksums, adding SHA-256 verification would be consistent with the krew, helm, kustomize, and terraform installation blocks in this file.
🔒 Suggested checksum verification (if herdr publishes checksums)
HERDR_URL="https://github.com/ogulcancelik/herdr/releases/download/v${HERDR_VERSION}/${HERDR_BIN}" +HERDR_CHECKSUM_URL="https://github.com/ogulcancelik/herdr/releases/download/v${HERDR_VERSION}/checksums.txt" -curl -fsSL "${HERDR_URL}" -o /usr/local/bin/herdr +curl -fsSL "${HERDR_URL}" -o /usr/local/bin/herdr +curl -fsSL "${HERDR_CHECKSUM_URL}" -o checksums.txt +echo "$(grep "${HERDR_BIN}" checksums.txt | awk '{print $1}') /usr/local/bin/herdr" | sha256sum -c - chmod +x /usr/local/bin/herdr🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@universal/ubi9/Dockerfile` around lines 558 - 583, The herdr install block in the Dockerfile downloads the binary without integrity verification. Update the `RUN` heredoc that sets `HERDR_VERSION`, `HERDR_BIN`, and `HERDR_URL` to also fetch the published SHA-256 checksum for the same release, verify the downloaded file before making it executable, and only proceed if the checksum matches. Keep the existing architecture switch and unsupported-arch handling unchanged.universal/ubi10/Dockerfile (1)
591-616: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winAdd checksum verification for the herdr binary download.
The binary is downloaded from GitHub without any integrity verification. Several other tools in this Dockerfile (krew, helm, kustomize, terraform, etc.) verify SHA-256 checksums after download. If herdr publishes checksums in its release artifacts, adding verification would protect against supply chain tampering.
🔒 Suggested checksum verification (if herdr publishes checksums)
HERDR_URL="https://github.com/ogulcancelik/herdr/releases/download/v${HERDR_VERSION}/${HERDR_BIN}" +HERDR_CHECKSUM_URL="https://github.com/ogulcancelik/herdr/releases/download/v${HERDR_VERSION}/checksums.txt" -curl -fsSL "${HERDR_URL}" -o /usr/local/bin/herdr +curl -fsSL "${HERDR_URL}" -o /usr/local/bin/herdr +curl -fsSL "${HERDR_CHECKSUM_URL}" -o checksums.txt +echo "$(grep "${HERDR_BIN}" checksums.txt | awk '{print $1}') /usr/local/bin/herdr" | sha256sum -c - chmod +x /usr/local/bin/herdr🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@universal/ubi10/Dockerfile` around lines 591 - 616, The herdr install block in the Dockerfile downloads the binary without integrity checks; update the heredoc RUN step for the herdr setup to verify a published SHA-256 checksum before making it executable. Use the existing versioned variables like HERDR_VERSION, HERDR_ARCH, HERDR_BIN, and HERDR_URL to fetch the matching checksum artifact (if provided by the release), validate the downloaded file against it, and only then run chmod +x on /usr/local/bin/herdr.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@universal/ubi10/Dockerfile`:
- Around line 591-616: The herdr install block in the Dockerfile downloads the
binary without integrity checks; update the heredoc RUN step for the herdr setup
to verify a published SHA-256 checksum before making it executable. Use the
existing versioned variables like HERDR_VERSION, HERDR_ARCH, HERDR_BIN, and
HERDR_URL to fetch the matching checksum artifact (if provided by the release),
validate the downloaded file against it, and only then run chmod +x on
/usr/local/bin/herdr.
In `@universal/ubi9/Dockerfile`:
- Around line 558-583: The herdr install block in the Dockerfile downloads the
binary without integrity verification. Update the `RUN` heredoc that sets
`HERDR_VERSION`, `HERDR_BIN`, and `HERDR_URL` to also fetch the published
SHA-256 checksum for the same release, verify the downloaded file before making
it executable, and only proceed if the checksum matches. Keep the existing
architecture switch and unsupported-arch handling unchanged.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 5ca5ca01-baf6-4b1a-9cb6-9908b4f76f54
📒 Files selected for processing (2)
universal/ubi10/Dockerfileuniversal/ubi9/Dockerfile
|
Hi! I'm che-ai-assistant — I help with your pull requests. Available commands:
|
|
Pull Request UBI 10 images published ✨ Base: quay.io/devfile/base-developer-image:ubi10-pr-261 |
|
Pull Request images published ✨ Base: quay.io/devfile/base-developer-image:pr-261 |
Summary by CodeRabbit
herdrcommand-line tool in UBI 9 and UBI 10 images.