carverauto/serviceradar

Fork 0

Updates/k8s buildbuddy #2442

Merged

mfreeman451 merged 7 commits from refs/pull/2442/head into main

2025-11-21 05:02:47 +00:00

mfreeman451 commented

2025-11-21 03:58:25 +00:00

(Migrated from github.com)

Owner

Imported from GitHub pull request.

Original GitHub pull request: #1974
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1974
Original created: 2025-11-21T03:58:25Z
Original updated: 2025-11-21T05:02:51Z
Original head: carverauto/serviceradar:updates/k8s_buildbuddy
Original base: main
Original merged: 2025-11-21T05:02:47Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Issue ticket number and link

Code checklist before requesting a review

I have signed the DCO?
The build completes without errors?
All tests are passing when running make test?

PR Type

Enhancement

Description

Pass GITHUB_TOKEN into RBE image build for authentication
Make CNPG image preload optional with fallback logic
Add error handling for missing credentials or failed pulls
Support authenticated and unauthenticated image pull scenarios

Diagram Walkthrough

flowchart LR
  A["RBE Build Workflow"] -->|"Pass GITHUB_TOKEN"| B["Docker Build"]
  B -->|"Build Args & Secrets"| C["Dockerfile.rbe"]
  C -->|"Check Token & Username"| D{"Credentials Available?"}
  D -->|"Yes"| E["Pull with Auth"]
  D -->|"No"| F["Try Unauthenticated Pull"]
  F -->|"Success"| G["Load CNPG Image"]
  F -->|"Fail"| H["Skip Preload with Warning"]
  E --> G

File Walkthrough

Relevant files

Configuration changes

build-rbe-image.yml

Pass GitHub token and actor to Docker build

.github/workflows/build-rbe-image.yml

Add build-args to pass GitHub actor username to Docker build
Add secrets to pass GITHUB_TOKEN to Docker build context
Enable authentication for private image registry access

+4/-0

Enhancement

Dockerfile.rbe

Make CNPG preload optional with fallback logic

docker/Dockerfile.rbe

Make ghcr_token secret optional instead of required
Add conditional logic to skip CNPG preload if image not set
Implement fallback to unauthenticated pull if credentials missing
Add warning message when CNPG preload is skipped
Improve error handling with graceful degradation

+15/-4

Imported from GitHub pull request. Original GitHub pull request: #1974 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/pull/1974 Original created: 2025-11-21T03:58:25Z Original updated: 2025-11-21T05:02:51Z Original head: carverauto/serviceradar:updates/k8s_buildbuddy Original base: main Original merged: 2025-11-21T05:02:47Z by @mfreeman451 --- ### **User description** ## IMPORTANT: Please sign the Developer Certificate of Origin Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include a [DCO sign-off statement]( https://developercertificate.org/) indicating the DCO acceptance in one commit message. Here is an example DCO Signed-off-by line in a commit message: ``` Signed-off-by: J. Doe <j.doe@domain.com> ``` ## Describe your changes ## Issue ticket number and link ## Code checklist before requesting a review - [ ] I have signed the DCO? - [ ] The build completes without errors? - [ ] All tests are passing when running make test? ___ ### **PR Type** Enhancement ___ ### **Description** - Pass GITHUB_TOKEN into RBE image build for authentication - Make CNPG image preload optional with fallback logic - Add error handling for missing credentials or failed pulls - Support authenticated and unauthenticated image pull scenarios ___ ### Diagram Walkthrough ```mermaid flowchart LR A["RBE Build Workflow"] -->|"Pass GITHUB_TOKEN"| B["Docker Build"] B -->|"Build Args & Secrets"| C["Dockerfile.rbe"] C -->|"Check Token & Username"| D{"Credentials Available?"} D -->|"Yes"| E["Pull with Auth"] D -->|"No"| F["Try Unauthenticated Pull"] F -->|"Success"| G["Load CNPG Image"] F -->|"Fail"| H["Skip Preload with Warning"] E --> G ``` <details> <summary><h3> File Walkthrough</h3></summary> <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td>Configuration changes</td><td><table> <tr> <td> <details> <summary>build-rbe-image.yml<dd><code>Pass GitHub token and actor to Docker build</code>                            </dd></summary> <hr> .github/workflows/build-rbe-image.yml <ul><li>Add <code>build-args</code> to pass GitHub actor username to Docker build <li> Add <code>secrets</code> to pass GITHUB_TOKEN to Docker build context <li> Enable authentication for private image registry access</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1974/files#diff-267c8680ad3f655b43d9bc8d7c55af4cef338efacdc9c90b3264ef9856a22493">+4/-0</a>      </td> </tr> </table></td></tr><tr><td>Enhancement</td><td><table> <tr> <td> <details> <summary>Dockerfile.rbe<dd><code>Make CNPG preload optional with fallback logic</code>                      </dd></summary> <hr> docker/Dockerfile.rbe <ul><li>Make <code>ghcr_token</code> secret optional instead of required <li> Add conditional logic to skip CNPG preload if image not set <li> Implement fallback to unauthenticated pull if credentials missing <li> Add warning message when CNPG preload is skipped <li> Improve error handling with graceful degradation</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1974/files#diff-40936cbae5822a0a5fa8016befa08eb3a7836c93328e8043dcdfb3885a6201b2">+15/-4</a>    </td> </tr> </table></td></tr></tr></tbody></table> </details> ___

qodo-code-review[bot] commented

2025-11-21 03:58:45 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1974#issuecomment-3561295136
Original created: 2025-11-21T03:58:45Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Unauthenticated image pull Description: The Docker build now conditionally pulls a container image without authentication, which can lead to non-reproducible builds and potential supply-chain risks if the image tag is mutable or the registry is untrusted; authenticated pulls should be enforced for private or security-sensitive images, or the image digest should be pinned. Dockerfile.rbe [80-94] Referred Code RUN --mount=type=secret,id=ghcr_token <<'EOF' set -euo pipefail TOKEN_FILE="/run/secrets/ghcr_token" if [[ -z "${GHCR_CNPG_IMAGE:-}" ]]; then echo "CNPG image not set; skipping preload" exit 0 fi if [[ -f "$TOKEN_FILE" && -s "$TOKEN_FILE" && -n "${GHCR_USERNAME:-}" ]]; then TOKEN_VALUE=$(cat "$TOKEN_FILE") skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE" elif skopeo copy "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE"; then echo "Pulled CNPG image without auth" else echo "Warning: CNPG preload skipped (missing credentials or pull failed)" >&2 fi
	Overprivileged token scope Description: Passing the GitHub token to docker/build-push-action as a build secret without restricting permissions or scope may overprivilege the build context; ensure the token has least-privilege (e.g., ephemeral GITHUB_TOKEN with minimal scopes) to avoid credential exposure via downstream tooling or image layer leaks. build-rbe-image.yml [62-65] Referred Code `build-args: \| GHCR_USERNAME=${{ github.actor }} secrets: \| ghcr_token=${{ secrets.GITHUB_TOKEN }}`
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Missing audit logs: The new logic performs authenticated/unauthenticated image pulls and fallback handling without emitting structured audit logs of the actions or outcomes, which may limit traceability of critical build-time actions. Referred Code RUN --mount=type=secret,id=ghcr_token <<'EOF' set -euo pipefail TOKEN_FILE="/run/secrets/ghcr_token" if [[ -z "${GHCR_CNPG_IMAGE:-}" ]]; then echo "CNPG image not set; skipping preload" exit 0 fi if [[ -f "$TOKEN_FILE" && -s "$TOKEN_FILE" && -n "${GHCR_USERNAME:-}" ]]; then TOKEN_VALUE=$(cat "$TOKEN_FILE") skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE" elif skopeo copy "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE"; then echo "Pulled CNPG image without auth" else echo "Warning: CNPG preload skipped (missing credentials or pull failed)" >&2 fi Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1974#issuecomment-3561295136 Original created: 2025-11-21T03:58:45Z --- ## PR Compliance Guide 🔍  Below is a summary of compliance checks for this PR: <table><tbody><tr><td colspan='2'>Security Compliance</td></tr> <tr><td rowspan=2>⚪</td> <td><details><summary>Unauthenticated image pull </summary> Description: The Docker build now conditionally pulls a container image without authentication, which can lead to non-reproducible builds and potential supply-chain risks if the image tag is mutable or the registry is untrusted; authenticated pulls should be enforced for private or security-sensitive images, or the image digest should be pinned. <a href='https://github.com/carverauto/serviceradar/pull/1974/files#diff-40936cbae5822a0a5fa8016befa08eb3a7836c93328e8043dcdfb3885a6201b2R80-R94'>Dockerfile.rbe [80-94]</a> <details open><summary>Referred Code</summary> ```txt RUN --mount=type=secret,id=ghcr_token <<'EOF' set -euo pipefail TOKEN_FILE="/run/secrets/ghcr_token" if [[ -z "${GHCR_CNPG_IMAGE:-}" ]]; then echo "CNPG image not set; skipping preload" exit 0 fi if [[ -f "$TOKEN_FILE" && -s "$TOKEN_FILE" && -n "${GHCR_USERNAME:-}" ]]; then TOKEN_VALUE=$(cat "$TOKEN_FILE") skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE" elif skopeo copy "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE"; then echo "Pulled CNPG image without auth" else echo "Warning: CNPG preload skipped (missing credentials or pull failed)" >&2 fi ``` </details></details></td></tr> <tr><td><details><summary>Overprivileged token scope </summary> Description: Passing the GitHub token to docker/build-push-action as a build secret without restricting permissions or scope may overprivilege the build context; ensure the token has least-privilege (e.g., ephemeral GITHUB_TOKEN with minimal scopes) to avoid credential exposure via downstream tooling or image layer leaks. <a href='https://github.com/carverauto/serviceradar/pull/1974/files#diff-267c8680ad3f655b43d9bc8d7c55af4cef338efacdc9c90b3264ef9856a22493R62-R65'>build-rbe-image.yml [62-65]</a> <details open><summary>Referred Code</summary> ```yaml build-args: | GHCR_USERNAME=${{ github.actor }} secrets: | ghcr_token=${{ secrets.GITHUB_TOKEN }} ``` </details></details></td></tr> <tr><td colspan='2'>Ticket Compliance</td></tr> <tr><td>⚪</td><td><details><summary>🎫 No ticket provided </summary> - [ ] Create ticket/issue  </details></td></tr> <tr><td colspan='2'>Codebase Duplication Compliance</td></tr> <tr><td>⚪</td><td><details><summary>Codebase context is not defined </summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/core-abilities/rag_context_enrichment/'>guide</a> to enable codebase context checks. </details></td></tr> <tr><td colspan='2'>Custom Compliance</td></tr> <tr><td rowspan=5>🟢</td><td> <details><summary>Generic: Meaningful Naming and Self-Documenting Code</summary> **Objective:** Ensure all identifiers clearly express their purpose and intent, making code self-documenting **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Robust Error Handling and Edge Case Management</summary> **Objective:** Ensure comprehensive error handling that provides meaningful context and graceful degradation **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Secure Error Handling</summary> **Objective:** To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Secure Logging Practices</summary> **Objective:** To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td> <details><summary>Generic: Security-First Input Validation and Data Handling</summary> **Objective:** Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td rowspan=1>⚪</td> <td><details> <summary>Generic: Comprehensive Audit Trails</summary> **Objective:** To create a detailed and reliable record of critical system actions for security analysis and compliance. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1974/files#diff-40936cbae5822a0a5fa8016befa08eb3a7836c93328e8043dcdfb3885a6201b2R80-R94'>Missing audit logs</a>: The new logic performs authenticated/unauthenticated image pulls and fallback handling without emitting structured audit logs of the actions or outcomes, which may limit traceability of critical build-time actions. <details open><summary>Referred Code</summary> ```txt RUN --mount=type=secret,id=ghcr_token <<'EOF' set -euo pipefail TOKEN_FILE="/run/secrets/ghcr_token" if [[ -z "${GHCR_CNPG_IMAGE:-}" ]]; then echo "CNPG image not set; skipping preload" exit 0 fi if [[ -f "$TOKEN_FILE" && -s "$TOKEN_FILE" && -n "${GHCR_USERNAME:-}" ]]; then TOKEN_VALUE=$(cat "$TOKEN_FILE") skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE" elif skopeo copy "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE"; then echo "Pulled CNPG image without auth" else echo "Warning: CNPG preload skipped (missing credentials or pull failed)" >&2 fi ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td></tr></tbody></table> <details><summary>Compliance status legend</summary> 🟢 - Fully Compliant 🟡 - Partial Compliant 🔴 - Not Compliant ⚪ - Requires Further Human Verification 🏷️ - Compliance label </details>

qodo-code-review[bot] commented

2025-11-21 03:59:49 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1974#issuecomment-3561296889
Original created: 2025-11-21T03:59:49Z

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
High-level	Dockerfile logic creates non-deterministic builds The Dockerfile's conditional logic results in non-deterministic builds, as the final image contents depend on the build environment. To ensure predictability, the build should fail explicitly if the image cannot be preloaded, or alternative Dockerfiles should be used for different contexts. Examples: docker/Dockerfile.rbe [80-95] `RUN --mount=type=secret,id=ghcr_token <<'EOF' set -euo pipefail TOKEN_FILE="/run/secrets/ghcr_token" if [[ -z "${GHCR_CNPG_IMAGE:-}" ]]; then echo "CNPG image not set; skipping preload" exit 0 fi if [[ -f "$TOKEN_FILE" && -s "$TOKEN_FILE" && -n "${GHCR_USERNAME:-}" ]]; then TOKEN_VALUE=$(cat "$TOKEN_FILE") skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE" ... (clipped 6 lines)` Solution Walkthrough: Before: # docker/Dockerfile.rbe RUN --mount=type=secret,id=ghcr_token <<'EOF' set -euo pipefail ... if [[ -f "$TOKEN_FILE" && -s "$TOKEN_FILE" && -n "${GHCR_USERNAME:-}" ]]; then # Attempt authenticated pull skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" ... elif skopeo copy "docker://$GHCR_CNPG_IMAGE" ...; then # Attempt unauthenticated pull echo "Pulled CNPG image without auth" else # If both fail, warn and continue, creating a different image echo "Warning: CNPG preload skipped (missing credentials or pull failed)" >&2 fi EOF After: `# docker/Dockerfile.rbe RUN --mount=type=secret,id=ghcr_token <<'EOF' set -euo pipefail ... # Define a function to attempt the pull pull_image() { if [[ -f "$TOKEN_FILE" && -s "$TOKEN_FILE" && -n "${GHCR_USERNAME:-}" ]]; then skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" ... else skopeo copy "docker://$GHCR_CNPG_IMAGE" ... fi } # Execute the pull and fail the build if it's unsuccessful if ! pull_image; then echo "Error: Failed to preload CNPG image. Build failed." >&2 exit 1 fi EOF` Suggestion importance[1-10]: 9 __ Why: The suggestion correctly identifies a critical design flaw where the conditional logic in the `Dockerfile` leads to non-deterministic builds, which undermines the reliability of the build system and can cause hard-to-debug downstream failures.	High
Possible issue	Fix broken fallback logic for pull Fix the shell script's fallback logic by handling the potential failure of the authenticated `skopeo copy` command. The current implementation with `set -e` would cause the script to exit prematurely instead of attempting an unauthenticated pull. docker/Dockerfile.rbe [87-94] if [[ -f "$TOKEN_FILE" && -s "$TOKEN_FILE" && -n "${GHCR_USERNAME:-}" ]]; then TOKEN_VALUE=$(cat "$TOKEN_FILE") - skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE" + if skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE"; then + echo "Pulled CNPG image with auth" + elif skopeo copy "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE"; then + echo "Pulled CNPG image without auth (authenticated pull failed)" + else + echo "Warning: CNPG preload skipped (pull failed)" >&2 + fi elif skopeo copy "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE"; then echo "Pulled CNPG image without auth" else - echo "Warning: CNPG preload skipped (missing credentials or pull failed)" >&2 + echo "Warning: CNPG preload skipped (missing credentials and pull failed)" >&2 fi Apply / Chat Suggestion importance[1-10]: 8 __ Why: The suggestion correctly identifies a critical bug where `set -e` would cause the script to exit on a failed authenticated pull, preventing the intended fallback to an unauthenticated pull. This fix is crucial for the reliability of the image build process.	Medium
Update

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1974#issuecomment-3561296889 Original created: 2025-11-21T03:59:49Z --- ## PR Code Suggestions ✨  Explore these optional code suggestions: <table><thead><tr><td>Category</td><td align=left>Suggestion                                                                                                                                    </td><td align=center>Impact</td></tr><tbody><tr><td rowspan=1>High-level</td> <td> <details><summary>Dockerfile logic creates non-deterministic builds</summary> ___ **The Dockerfile's conditional logic results in non-deterministic builds, as the final image contents depend on the build environment. To ensure predictability, the build should fail explicitly if the image cannot be preloaded, or alternative Dockerfiles should be used for different contexts.** ### Examples: <details> <summary> <a href="https://github.com/carverauto/serviceradar/pull/1974/files#diff-40936cbae5822a0a5fa8016befa08eb3a7836c93328e8043dcdfb3885a6201b2R80-R95">docker/Dockerfile.rbe [80-95]</a> </summary> ```dockerfile RUN --mount=type=secret,id=ghcr_token <<'EOF' set -euo pipefail TOKEN_FILE="/run/secrets/ghcr_token" if [[ -z "${GHCR_CNPG_IMAGE:-}" ]]; then echo "CNPG image not set; skipping preload" exit 0 fi if [[ -f "$TOKEN_FILE" && -s "$TOKEN_FILE" && -n "${GHCR_USERNAME:-}" ]]; then TOKEN_VALUE=$(cat "$TOKEN_FILE") skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE" ... (clipped 6 lines) ``` </details> ### Solution Walkthrough: #### Before: ```dockerfile # docker/Dockerfile.rbe RUN --mount=type=secret,id=ghcr_token <<'EOF' set -euo pipefail ... if [[ -f "$TOKEN_FILE" && -s "$TOKEN_FILE" && -n "${GHCR_USERNAME:-}" ]]; then # Attempt authenticated pull skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" ... elif skopeo copy "docker://$GHCR_CNPG_IMAGE" ...; then # Attempt unauthenticated pull echo "Pulled CNPG image without auth" else # If both fail, warn and continue, creating a different image echo "Warning: CNPG preload skipped (missing credentials or pull failed)" >&2 fi EOF ``` #### After: ```dockerfile # docker/Dockerfile.rbe RUN --mount=type=secret,id=ghcr_token <<'EOF' set -euo pipefail ... # Define a function to attempt the pull pull_image() { if [[ -f "$TOKEN_FILE" && -s "$TOKEN_FILE" && -n "${GHCR_USERNAME:-}" ]]; then skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" ... else skopeo copy "docker://$GHCR_CNPG_IMAGE" ... fi } # Execute the pull and fail the build if it's unsuccessful if ! pull_image; then echo "Error: Failed to preload CNPG image. Build failed." >&2 exit 1 fi EOF ``` <details><summary>Suggestion importance[1-10]: 9</summary> __ Why: The suggestion correctly identifies a critical design flaw where the conditional logic in the `Dockerfile` leads to non-deterministic builds, which undermines the reliability of the build system and can cause hard-to-debug downstream failures. </details></details></td><td align=center>High </td></tr><tr><td rowspan=1>Possible issue</td> <td> <details><summary>Fix broken fallback logic for pull</summary> ___ **Fix the shell script's fallback logic by handling the potential failure of the authenticated <code>skopeo copy</code> command. The current implementation with <code>set -e</code> would cause the script to exit prematurely instead of attempting an unauthenticated pull.** [docker/Dockerfile.rbe [87-94]](https://github.com/carverauto/serviceradar/pull/1974/files#diff-40936cbae5822a0a5fa8016befa08eb3a7836c93328e8043dcdfb3885a6201b2R87-R94) ```diff if [[ -f "$TOKEN_FILE" && -s "$TOKEN_FILE" && -n "${GHCR_USERNAME:-}" ]]; then TOKEN_VALUE=$(cat "$TOKEN_FILE") - skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE" + if skopeo copy --src-creds "$GHCR_USERNAME:$TOKEN_VALUE" "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE"; then + echo "Pulled CNPG image with auth" + elif skopeo copy "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE"; then + echo "Pulled CNPG image without auth (authenticated pull failed)" + else + echo "Warning: CNPG preload skipped (pull failed)" >&2 + fi elif skopeo copy "docker://$GHCR_CNPG_IMAGE" "docker-archive:/opt/cnpg_image.tar:$GHCR_CNPG_IMAGE"; then echo "Pulled CNPG image without auth" else - echo "Warning: CNPG preload skipped (missing credentials or pull failed)" >&2 + echo "Warning: CNPG preload skipped (missing credentials and pull failed)" >&2 fi ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 8</summary> __ Why: The suggestion correctly identifies a critical bug where `set -e` would cause the script to exit on a failed authenticated pull, preventing the intended fallback to an unauthenticated pull. This fix is crucial for the reliability of the image build process. </details></details></td><td align=center>Medium </td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td><td></td></tr></tbody></table>