bazel/docker image builds #2256

Merged
mfreeman451 merged 8 commits from refs/pull/2256/head into main 2025-10-02 05:42:37 +00:00
mfreeman451 commented 2025-10-02 03:20:40 +00:00 (Migrated from github.com)

Imported from GitHub pull request.

Original GitHub pull request: #1678
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1678
Original created: 2025-10-02T03:20:40Z
Original updated: 2025-10-02T05:42:41Z
Original head: carverauto/serviceradar:bazel/docker_image_builds
Original base: main
Original merged: 2025-10-02T05:42:37Z by @mfreeman451

PR Type

Enhancement


Description

  • Add Bazel-native Docker image build for core service

  • Update entrypoint script with improved portability and directory setup

  • Add external dependencies for jq and curl binaries

  • Create OCI image configuration with Ubuntu 22.04 base


Diagram Walkthrough

```mermaid
flowchart LR
  A["MODULE.bazel"] -- "adds dependencies" --> B["Ubuntu base image"]
  A -- "downloads" --> C["jq & curl binaries"]
  D["entrypoint-core.sh"] -- "improved" --> E["portable script"]
  F["BUILD.bazel files"] -- "creates" --> G["OCI image build"]
  B --> G
  C --> G
  E --> G
  G --> H["serviceradar-core:local"]
```

File Walkthrough

Relevant files
Enhancement
entrypoint-core.sh
Improve entrypoint script portability and setup                   

docker/compose/entrypoint-core.sh

  • Change shebang to portable #!/usr/bin/env bash
  • Add PATH export for /usr/local/bin
  • Create required directories for serviceradar
  • Add newline at end of file
+7/-2     
BUILD.bazel
Define Bazel-native OCI image build                                           

docker/images/BUILD.bazel

  • Create pkg_tar layer with core binary and utilities
  • Configure OCI image with Ubuntu base and proper permissions
  • Set entrypoint, working directory, and exposed ports
  • Create loadable tar for local Docker registry
+51/-0   
Dependencies
MODULE.bazel
Add OCI dependencies and external binaries                             

MODULE.bazel

  • Add OCI extension for Ubuntu 22.04 base image
  • Download jq binaries for Linux AMD64/ARM64
  • Download curl static binaries for Linux AMD64/ARM64
  • Configure external dependencies with SHA256 verification
+51/-0   
Configuration changes
BUILD.bazel
Expose compose assets to Bazel                                                     

docker/compose/BUILD.bazel

  • Export entrypoint shell scripts for Bazel targets
  • Export nginx configuration template
  • Set public visibility for compose assets
+11/-0   

qodo-code-review[bot] commented 2025-10-02 03:21:36 +00:00 (Migrated from github.com)

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1678#issuecomment-3358878807
Original created: 2025-10-02T03:21:36Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
No custom compliance provided

Follow the guide to enable custom compliance check.

Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
qodo-code-review[bot] commented 2025-10-02 03:22:38 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1678#issuecomment-3358880699
Original created: 2025-10-02T03:22:38Z

PR Code Suggestions

Explore these optional code suggestions:

Category / Suggestion / Impact
High-level
Use official packages instead of third-party binaries

Instead of downloading pre-built curl and jq binaries from third-party sources,
use official packages from the Ubuntu repository or build them from source to
mitigate supply chain security risks.

Examples:

MODULE.bazel [628-662]

```starlark
http_file(
    name = "jq_linux_amd64",
    urls = [
        "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64",
    ],
    sha256 = "5942c9b0934e510ee61eb3e30273f1b3fe2590df93933a93d7c58b81d19c8ff5",
    executable = True,
)

http_file(

 ... (clipped 25 lines)
```

docker/images/BUILD.bazel [13-14]

```starlark
        "@jq_linux_amd64//file": "usr/local/bin/jq",
        "@curl_linux_amd64//file": "usr/local/bin/curl",
```

Solution Walkthrough:

Before:

```starlark
# MODULE.bazel
http_file(
    name = "jq_linux_amd64",
    urls = ["https://github.com/jqlang/jq/.../jq-linux-amd64"],
    sha256 = "...",
)
http_file(
    name = "curl_linux_amd64",
    urls = ["https://github.com/moparisthebest/static-curl/.../curl-amd64"],
    sha256 = "...",
)

# docker/images/BUILD.bazel
pkg_tar(
    name = "core_layer_amd64",
    files = {
        "@jq_linux_amd64//file": "usr/local/bin/jq",
        "@curl_linux_amd64//file": "usr/local/bin/curl",
        ...
    },
)
```

After:

```starlark
# MODULE.bazel
# (http_file rules for jq and curl are removed)
# Dependencies are managed by the base image's package manager.

# docker/images/BUILD.bazel
# A new layer is created to install trusted packages.
pkg_deb(
    name = "deps",
    packages = [
        "curl",
        "jq",
    ],
)

oci_image(
    name = "core_image_amd64",
    base = "@ubuntu_jammy_linux_amd64//...",
    tars = [
        ":core_layer_amd64",
        ":deps", # Add layer with packages from official repos
    ],
    ...
)
```

Suggestion importance[1-10]: 8

__

Why: The suggestion correctly identifies a significant supply chain security risk by using pre-built curl and jq binaries from external sources, proposing more secure alternatives.

Medium
General
Remove redundant container setup steps

Remove the redundant PATH export and directory creation from the entrypoint
script, as these steps are already performed during the OCI image build process.

docker/compose/entrypoint-core.sh [16-24]

 set -e
-
-export PATH="/usr/local/bin:${PATH}"
-
-# Ensure expected directories exist even on minimal base images.
-mkdir -p /etc/serviceradar /var/log/serviceradar /var/lib/serviceradar /data
 
 # Default config path
 CONFIG_PATH="${CONFIG_PATH:-/etc/serviceradar/core.json}"
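Review bot: removing the `mkdir -p` and the PATH export couples this script to the Bazel-built OCI image, but the script lives under docker/compose/ and its own comment ("Ensure expected directories exist even on minimal base images.") says it is meant to run on images that may not create those paths. Both lines are idempotent and cheap, so I would keep them (at minimum the `mkdir -p`) unless the compose path is dropped too; if they are removed, state in the script header that /etc/serviceradar, /var/log/serviceradar, /var/lib/serviceradar and /data must be provided by the image.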
Suggestion importance[1-10]: 5

__

Why: The suggestion correctly identifies that the PATH export and mkdir command are redundant, as these are handled in the docker/images/BUILD.bazel file, thus improving code cleanliness.

Low
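The supply-chain suggestion above turns on two properties of each `http_file()` in MODULE.bazel: whether the download is pinned by a sha256 and whether the publisher is one the project trusts. The following is an added example, not code from the serviceradar repository or from the review bot, of a small lint that enforces those properties over MODULE.bazel text. It assumes the one-attribute-per-line Starlark style shown in the PR excerpt (a regex parser, not a real Starlark parser), an allowlist of hosts and publisher organisations chosen here for illustration, and a constructed sample module in which the jq entry mirrors the PR and the other two entries are made up with placeholder hashes.

```python
"""Lint http_file() declarations in a MODULE.bazel for supply-chain hygiene.

Added example (not part of the serviceradar PR). Reports each http_file that
  * lacks a sha256 pin or pins a malformed hash,
  * fetches over plain http,
  * fetches from a host outside ALLOWED_HOSTS, or
  * fetches from a publisher (first path segment on GitHub) not in TRUSTED_ORGS.
Assumption: rules are written one attribute per line, as in the PR excerpt.
"""
import re
from urllib.parse import urlparse

# Constructed sample. The jq entry copies the PR's declaration; the curl and
# helper entries are invented, and "0000" is a deliberately bad placeholder hash.
SAMPLE_MODULE = '''
http_file(
    name = "jq_linux_amd64",
    urls = [
        "https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64",
    ],
    sha256 = "5942c9b0934e510ee61eb3e30273f1b3fe2590df93933a93d7c58b81d19c8ff5",
    executable = True,
)

http_file(
    name = "curl_linux_amd64",
    urls = ["https://github.com/moparisthebest/static-curl/releases/download/vX/curl-amd64"],
    sha256 = "0000",
)

http_file(
    name = "helper_tool",
    urls = ["http://example.invalid/helper"],
)
'''

# Policy (assumed for this example): only GitHub, and only the jq upstream org.
ALLOWED_HOSTS = {"github.com"}
TRUSTED_ORGS = {"github.com": {"jqlang"}}

BLOCK_RE = re.compile(r"http_file\((.*?)\n\)", re.DOTALL)   # body up to a ')' at column 0
NAME_RE = re.compile(r'name\s*=\s*"([^"]+)"')
SHA_RE = re.compile(r'sha256\s*=\s*"([^"]*)"')
URLS_RE = re.compile(r"urls\s*=\s*\[(.*?)\]", re.DOTALL)
STR_RE = re.compile(r'"([^"]+)"')


def parse_http_files(text):
    """Return a list of {name, urls, sha256} dicts, one per http_file() block."""
    entries = []
    for block in BLOCK_RE.finditer(text):
        body = block.group(1)
        name = NAME_RE.search(body)
        urls_match = URLS_RE.search(body)
        sha = SHA_RE.search(body)
        entries.append({
            "name": name.group(1) if name else "<unnamed>",
            "urls": STR_RE.findall(urls_match.group(1)) if urls_match else [],
            "sha256": sha.group(1) if sha else None,
        })
    return entries


def findings_for(entry):
    """List the policy violations for one parsed http_file entry."""
    problems = []
    sha = entry["sha256"]
    if sha is None:
        problems.append("missing sha256 pin")
    elif not re.fullmatch(r"[0-9a-f]{64}", sha):
        problems.append("malformed sha256")
    for url in entry["urls"]:
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"non-https url: {url}")
        if parsed.hostname not in ALLOWED_HOSTS:
            problems.append(f"host not allowlisted: {parsed.hostname}")
            continue
        segments = parsed.path.strip("/").split("/")
        org = segments[0] if segments and segments[0] else ""
        if org not in TRUSTED_ORGS.get(parsed.hostname, set()):
            problems.append(f"third-party publisher: {parsed.hostname}/{org}")
    return problems


def lint(text):
    """Map each http_file name to its list of findings (empty list = clean)."""
    return {e["name"]: findings_for(e) for e in parse_http_files(text)}


if __name__ == "__main__":
    for name, problems in lint(SAMPLE_MODULE).items():
        status = "ok" if not problems else "; ".join(problems)
        print(f"{name}: {status}")
```

Run as a pre-merge check, the script flags the curl download for both its bad pin and its non-upstream publisher while leaving the jq entry clean; the same check would be the gate for any future `http_file` added to MODULE.bazel.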