adding immutable image tags for docker images #2262

Merged
mfreeman451 merged 1 commit from refs/pull/2262/head into main 2025-10-03 04:44:45 +00:00
mfreeman451 commented 2025-10-03 04:43:30 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #1686
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1686
Original created: 2025-10-03T04:43:30Z
Original updated: 2025-10-03T04:45:05Z
Original head: carverauto/serviceradar:1685-chorebazel-immutable-image-tags
Original base: main
Original merged: 2025-10-03T04:44:45Z by @mfreeman451

PR Type

Enhancement


Description

  • Add immutable image tagging system for Docker containers

  • Create helper rule to generate digest-based tags

  • Refactor GHCR push targets to use new tagging system

  • Replace hardcoded tags with dynamic tag generation


Diagram Walkthrough

flowchart LR
  A["Image Digest"] --> B["immutable_push_tags rule"]
  C["Commit Tags"] --> B
  D["Static Tags"] --> B
  B --> E["Generated Tag File"]
  E --> F["oci_push Target"]

File Walkthrough

Relevant files
Enhancement
container_tags.bzl
Add immutable container tagging rule                                         

docker/images/container_tags.bzl

  • Create new Bazel rule immutable_push_tags for generating container
    tags
  • Implement shell script logic to combine digest, commit, and static
    tags
  • Add validation for digest format and configurable tag prefixes
  • Support optional commit-derived tags and customizable digest length
+94/-0   
push_targets.bzl
Integrate immutable tagging into push targets                       

docker/images/push_targets.bzl

  • Import new immutable_push_tags rule from container_tags.bzl
  • Replace hardcoded tag template with separate commit tag generation
  • Integrate immutable tagging system into GHCR push targets
  • Maintain existing functionality while adding digest-based tags
+11/-6   

qodo-code-review[bot] commented 2025-10-03 04:44:05 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1686#issuecomment-3364237330
Original created: 2025-10-03T04:44:05Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪ Shell command execution

Description: The rule executes an inline shell script using inputs that may be derived from the
repository (digest/commit tag files); if any of these can be influenced by untrusted
content, this could enable command injection or unintended execution in the build
environment.
container_tags.bzl [19-66]

Referred Code
    command = """
set -euo pipefail

digest=$(cat "$1")
if [[ "$digest" != sha256:* ]]; then
  echo "unexpected digest format: $digest" >&2
  exit 1
fi

prefix="$2"
length="$3"
out="$4"
commit_file="$5"
shift 5

short=$(printf '%s' "${digest#sha256:}" | cut -c1-"${length}")

{
  if [[ -n "$commit_file" ]]; then
    while IFS= read -r line || [[ -n "$line" ]]; do
      if [[ -n "$line" ]]; then


 ... (clipped 27 lines)
Ticket Compliance
🟢 🎫 #1685
  🟢 Implement immutable image tags for OCI/Docker images in the Bazel build.
  🟢 Provide a helper/rule to generate digest-based tags, possibly combining commit and static tags.
  🟢 Refactor GHCR push targets to use the new immutable tagging system instead of hardcoded tags.
  🟢 Validate digest format and allow configurable tag prefix and digest length.
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
No custom compliance provided

Follow the guide to enable custom compliance check.

Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
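As an added example (not code from the serviceradar repository or this PR), here is a standalone POSIX sh version of the tag-generation step that the PR description says immutable_push_tags runs inline, carrying the validation the "Shell command execution" finding above asks for: the digest, the length, the prefix and every tag read from the commit file or passed as a static tag are checked against the registry's tag grammar before being emitted. The argument order, the file names and the sample digest are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the serviceradar repository: a standalone POSIX sh
# version of the tag-generation step that immutable_push_tags runs inline, with
# the input validation the compliance finding calls for. Argument order (digest
# file, prefix, length, commit-tag file, static tags...) and sample data are assumed.
set -eu

SAMPLE_DIGEST='sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

# A tag must match the registry grammar [A-Za-z0-9_][A-Za-z0-9._-]{0,127}.
# Checking the whole value, not just "non-empty", keeps file contents from
# smuggling shell metacharacters or bogus names into the push step.
is_valid_tag() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$'
}

# Require a complete lowercase-hex sha256 digest, not merely the "sha256:" prefix.
validate_digest() {
  printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Digest length must be a positive integer no longer than the digest itself.
validate_length() {
  printf '%s' "$1" | grep -Eq '^[1-9][0-9]?$' && [ "$1" -le 64 ]
}

# generate_tags DIGEST_FILE PREFIX LENGTH COMMIT_FILE [STATIC_TAG...]
# Prints one tag per line (the file oci_push consumes) or fails the action.
generate_tags() {
  digest=$(cat "$1"); prefix="$2"; length="$3"; commit_file="$4"; shift 4
  validate_digest "$digest" || { echo "unexpected digest format: $digest" >&2; return 1; }
  validate_length "$length" || { echo "bad digest length: $length" >&2; return 1; }
  short=$(printf '%s' "${digest#sha256:}" | cut -c1-"$length")
  is_valid_tag "${prefix}${short}" || { echo "bad tag prefix: $prefix" >&2; return 1; }
  printf '%s\n' "${prefix}${short}"
  if [ -n "$commit_file" ]; then
    while IFS= read -r line || [ -n "$line" ]; do
      # Whitespace-only lines are skipped; anything else must be a valid tag.
      [ -z "$(printf '%s' "$line" | tr -d '[:space:]')" ] && continue
      is_valid_tag "$line" || { echo "invalid commit tag: $line" >&2; return 1; }
      printf '%s\n' "$line"
    done < "$commit_file"
  fi
  for tag in "$@"; do
    is_valid_tag "$tag" || { echo "invalid static tag: $tag" >&2; return 1; }
    printf '%s\n' "$tag"
  done
}

# Constructed inputs: a digest file plus a commit-tag file holding one real tag
# and one whitespace-only line; prints the four tags oci_push would receive.
demo() {
  dir=$(mktemp -d)
  printf '%s\n' "$SAMPLE_DIGEST" > "$dir/digest"
  printf 'main-abc1234\n   \n' > "$dir/commit_tags"
  generate_tags "$dir/digest" sha- 12 "$dir/commit_tags" latest v1.2.3
  rm -rf "$dir"
}
demo
```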
qodo-code-review[bot] commented 2025-10-03 04:45:05 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1686#issuecomment-3364239289
Original created: 2025-10-03T04:45:05Z

PR Code Suggestions

Explore these optional code suggestions:

Category    Suggestion    Impact
High-level
Extract embedded shell script into a separate file

The inline shell script within the immutable_push_tags rule should be extracted
into a dedicated .sh file. This change will improve maintainability and
testability.

Examples:

docker/images/container_tags.bzl [19-66]
    command = """
set -euo pipefail

digest=$(cat "$1")
if [[ "$digest" != sha256:* ]]; then
  echo "unexpected digest format: $digest" >&2
  exit 1
fi

prefix="$2"

 ... (clipped 38 lines)

Solution Walkthrough:

Before:

# docker/images/container_tags.bzl

def _immutable_tag_file_impl(ctx):
    # ...
    command = """
    set -euo pipefail

    digest=$(cat "$1")
    if [[ "$digest" != sha256:* ]]; then
      # ...
      exit 1
    fi
    # ... more shell logic ...
    """

    ctx.actions.run_shell(
        command = command,
        arguments = args,
        # ...
    )

After:

# docker/images/container_tags.bzl
def _immutable_tag_file_impl(ctx):
    # ...
    ctx.actions.run(
        executable = ctx.executable._script,
        arguments = args,
        # ...
    )

immutable_push_tags = rule(
    implementation = _immutable_tag_file_impl,
    attrs = {
        # ...
        "_script": attr.label(
            default = "//docker/images:generate_tags.sh",
            allow_single_file = True,
            executable = True,
            cfg = "exec",
        ),
    },
    # ...
)

Suggestion importance[1-10]: 7


Why: This is a valid and significant suggestion that improves the design of the new immutable_push_tags rule by promoting better maintainability, testability, and separation of concerns.

Medium
Possible issue
Filter out whitespace-only tag lines

To prevent whitespace-only tags from the commit_file, replace the [[ -n "$line"
]] check with a regex [[ "$line" =~ [^[:space:]] ]] to ensure the line contains
non-whitespace characters.

docker/images/container_tags.bzl [39-41]

-if [[ -n "$line" ]]; then
+if [[ "$line" =~ [^[:space:]] ]]; then
   printf '%s\\n' "$line"
 fi
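Review bot: The replacement check `[[ "$line" =~ [^[:space:]] ]]` still accepts lines that contain embedded whitespace or characters outside the tag grammar, so it narrows the problem rather than closing it. Since every line of this file becomes a tag handed to the push step, the stronger fix is to validate each non-blank line against the full tag grammar (`^[A-Za-z0-9_][A-Za-z0-9._-]{0,127}$`) and `exit 1` on a mismatch, the way the script already fails on an unexpected digest format, rather than silently skipping or emitting it.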
Suggestion importance[1-10]: 6


Why: This is a valid suggestion that improves the robustness of the script by preventing tags containing only whitespace from being generated from the commit_file, which could lead to invalid tags.

Low
Filter out whitespace-only static tags

To prevent whitespace-only static tags, replace the [[ -n "$tag" ]] check with a
regex [[ "$tag" =~ [^[:space:]] ]] to ensure the tag contains non-whitespace
characters.

docker/images/container_tags.bzl [46-48]

-if [[ -n "$tag" ]]; then
+if [[ "$tag" =~ [^[:space:]] ]]; then
   printf '%s\\n' "$tag"
 fi
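Review bot: Same concern as for the commit file: `[[ "$tag" =~ [^[:space:]] ]]` only drops blank entries and still lets a malformed static tag through. Because the `static_tags` values are passed to the action as arguments (the remainder after `shift 5`) rather than read from a generated file, the cleaner place to reject a blank or malformed entry is in the rule's Starlark implementation with `fail()` at analysis time, which reports the offending BUILD target instead of a failed action.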
Suggestion importance[1-10]: 6


Why: This is a valid suggestion that improves the robustness of the script by preventing static_tags containing only whitespace from being processed, which could lead to invalid tags.

Low
General
Use shell parameter expansion for substring

Replace the cut command with the more efficient and reliable shell parameter
expansion (${variable:offset:length}) for substring extraction.

docker/images/container_tags.bzl [34]

-short=$(printf '%s' "${digest#sha256:}" | cut -c1-"${length}")
+digest_val="${digest#sha256:}"
+short="${digest_val:0:${length}}"
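Review bot: Both the `cut` form and the replacement `${digest_val:0:${length}}` use `$3` without checking it is a positive integer; a `length` of `0` yields an empty `short` and therefore a bare-prefix tag without any error, and `set -u` does not catch it because the variable is set. Add a check beside the existing digest-format test (`[[ "$length" =~ ^[1-9][0-9]*$ ]] || exit 1`) and consider a lower bound, since a very short digest prefix undermines the immutability the tag is meant to carry.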
Suggestion importance[1-10]: 4


Why: The suggestion correctly points out that using shell parameter expansion is more efficient and a better practice than forking a cut process, which is a valid code quality improvement.

Low