Skip to content

feat: herdr#261

Open
ibuziuk wants to merge 1 commit into
mainfrom
herdr
Open

feat: herdr#261
ibuziuk wants to merge 1 commit into
mainfrom
herdr

Conversation

@ibuziuk

@ibuziuk ibuziuk commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Summary by CodeRabbit

  • New Features
    • Included the herdr command-line tool in UBI 9 and UBI 10 images.
    • Automatically installs the correct binary for common CPU architectures during image build.
    • Leaves unsupported architectures unchanged without failing the build.

Signed-off-by: Ilya Buziuk <ibuziuk@redhat.com>
@ibuziuk ibuziuk requested review from SDawley, dkwon17 and svor as code owners July 8, 2026 15:31
@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ibuziuk

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Both universal/ubi10/Dockerfile and universal/ubi9/Dockerfile add a build step installing herdr v0.7.3, selecting a binary based on TARGETARCH (amd64/arm64), skipping unsupported architectures, downloading it to /usr/local/bin/herdr, and marking it executable.

Changes

herdr binary installation

Layer / File(s) Summary
Install herdr v0.7.3
universal/ubi10/Dockerfile, universal/ubi9/Dockerfile
Adds a RUN block mapping TARGETARCH to the correct binary name (amd64→x86_64, arm64→aarch64), skips unsupported architectures, downloads herdr v0.7.3 to /usr/local/bin/herdr, and chmods it executable.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Suggested reviewers: svor, dkwon17, SDawley

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is related to the main change because the pull request adds herdr to the Dockerfiles.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch herdr

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (2)
universal/ubi9/Dockerfile (1)

558-583: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add checksum verification for the herdr binary download.

Same as the ubi10 Dockerfile — the binary is downloaded without integrity verification. If herdr publishes checksums, adding SHA-256 verification would be consistent with the krew, helm, kustomize, and terraform installation blocks in this file.

🔒 Suggested checksum verification (if herdr publishes checksums)
 HERDR_URL="https://github.com/ogulcancelik/herdr/releases/download/v${HERDR_VERSION}/${HERDR_BIN}"
+HERDR_CHECKSUM_URL="https://github.com/ogulcancelik/herdr/releases/download/v${HERDR_VERSION}/checksums.txt"
 
-curl -fsSL "${HERDR_URL}" -o /usr/local/bin/herdr
+curl -fsSL "${HERDR_URL}" -o /usr/local/bin/herdr
+curl -fsSL "${HERDR_CHECKSUM_URL}" -o checksums.txt
+echo "$(grep "${HERDR_BIN}" checksums.txt | awk '{print $1}')  /usr/local/bin/herdr" | sha256sum -c -
 chmod +x /usr/local/bin/herdr
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@universal/ubi9/Dockerfile` around lines 558 - 583, The herdr install block in
the Dockerfile downloads the binary without integrity verification. Update the
`RUN` heredoc that sets `HERDR_VERSION`, `HERDR_BIN`, and `HERDR_URL` to also
fetch the published SHA-256 checksum for the same release, verify the downloaded
file before making it executable, and only proceed if the checksum matches. Keep
the existing architecture switch and unsupported-arch handling unchanged.
universal/ubi10/Dockerfile (1)

591-616: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Add checksum verification for the herdr binary download.

The binary is downloaded from GitHub without any integrity verification. Several other tools in this Dockerfile (krew, helm, kustomize, terraform, etc.) verify SHA-256 checksums after download. If herdr publishes checksums in its release artifacts, adding verification would protect against supply chain tampering.

🔒 Suggested checksum verification (if herdr publishes checksums)
 HERDR_URL="https://github.com/ogulcancelik/herdr/releases/download/v${HERDR_VERSION}/${HERDR_BIN}"
+HERDR_CHECKSUM_URL="https://github.com/ogulcancelik/herdr/releases/download/v${HERDR_VERSION}/checksums.txt"
 
-curl -fsSL "${HERDR_URL}" -o /usr/local/bin/herdr
+curl -fsSL "${HERDR_URL}" -o /usr/local/bin/herdr
+curl -fsSL "${HERDR_CHECKSUM_URL}" -o checksums.txt
+echo "$(grep "${HERDR_BIN}" checksums.txt | awk '{print $1}')  /usr/local/bin/herdr" | sha256sum -c -
 chmod +x /usr/local/bin/herdr
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@universal/ubi10/Dockerfile` around lines 591 - 616, The herdr install block
in the Dockerfile downloads the binary without integrity checks; update the
heredoc RUN step for the herdr setup to verify a published SHA-256 checksum
before making it executable. Use the existing versioned variables like
HERDR_VERSION, HERDR_ARCH, HERDR_BIN, and HERDR_URL to fetch the matching
checksum artifact (if provided by the release), validate the downloaded file
against it, and only then run chmod +x on /usr/local/bin/herdr.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@universal/ubi10/Dockerfile`:
- Around line 591-616: The herdr install block in the Dockerfile downloads the
binary without integrity checks; update the heredoc RUN step for the herdr setup
to verify a published SHA-256 checksum before making it executable. Use the
existing versioned variables like HERDR_VERSION, HERDR_ARCH, HERDR_BIN, and
HERDR_URL to fetch the matching checksum artifact (if provided by the release),
validate the downloaded file against it, and only then run chmod +x on
/usr/local/bin/herdr.

In `@universal/ubi9/Dockerfile`:
- Around line 558-583: The herdr install block in the Dockerfile downloads the
binary without integrity verification. Update the `RUN` heredoc that sets
`HERDR_VERSION`, `HERDR_BIN`, and `HERDR_URL` to also fetch the published
SHA-256 checksum for the same release, verify the downloaded file before making
it executable, and only proceed if the checksum matches. Keep the existing
architecture switch and unsupported-arch handling unchanged.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5ca5ca01-baf6-4b1a-9cb6-9908b4f76f54

📥 Commits

Reviewing files that changed from the base of the PR and between bacc1e9 and 5c72955.

📒 Files selected for processing (2)
  • universal/ubi10/Dockerfile
  • universal/ubi9/Dockerfile

@tolusha

tolusha commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

  • /che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
  • /che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
  • /che-ai-assistant check-pr-test-failures — Analyze failing CI checks, identify root causes, and suggest fixes
  • /che-ai-assistant help — Show this help message

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Pull Request UBI 10 images published ✨

Base: quay.io/devfile/base-developer-image:ubi10-pr-261
UDI: quay.io/devfile/universal-developer-image:ubi10-pr-261

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

Pull Request images published ✨

Base: quay.io/devfile/base-developer-image:pr-261
UDI: quay.io/devfile/universal-developer-image:pr-261

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants