Update/dockerfile rbe debian #2453

Merged
mfreeman451 merged 3 commits from refs/pull/2453/head into main 2025-11-23 16:24:37 +00:00
mfreeman451 commented 2025-11-23 16:24:30 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #1985
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1985
Original created: 2025-11-23T16:24:30Z
Original updated: 2025-11-23T16:26:05Z
Original head: carverauto/serviceradar:update/dockerfile_rbe_debian
Original base: main
Original merged: 2025-11-23T16:24:37Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Code checklist before requesting a review

  • I have signed the DCO?
  • The build completes without errors?
  • All tests are passing when running make test?

PR Type

Enhancement


Description

  • Migrate RBE executor image from Oracle Linux 9 to Ubuntu 24.04

  • Update container image version to v1.0.15 across configurations

  • Switch release workflow to use remote Bazel configuration

  • Preserve Oracle Linux 9 Dockerfile as alternative option


Diagram Walkthrough

flowchart LR
  OL9["Oracle Linux 9<br/>Dockerfile.rbe-ora9"] -- "archived as" --> ALT["Alternative<br/>RBE Image"]
  Ubuntu["Ubuntu 24.04<br/>Dockerfile.rbe"] -- "becomes" --> PRIMARY["Primary RBE<br/>Executor v1.0.15"]
  PRIMARY -- "updates" --> BUILD["BUILD.bazel<br/>MODULE.bazel<br/>buildbuddy.yaml"]
  BUILD -- "enables" --> REMOTE["Remote Bazel<br/>Execution"]
  REMOTE -- "used by" --> RELEASE["release.yml<br/>Workflow"]

File Walkthrough

Relevant files
Configuration changes
Dockerfile.rbe
Migrate RBE Dockerfile to Ubuntu 24.04                                     

docker/Dockerfile.rbe

  • Changed base image from oraclelinux:9 to ubuntu:24.04
  • Replaced DNF package manager with APT for Ubuntu compatibility
  • Simplified GCC toolchain setup (Ubuntu 24.04 defaults to GCC 13+)
  • Updated PostgreSQL repository setup for Ubuntu using official APT
    sources
  • Adjusted environment variables for Ubuntu library paths
+62/-51 
BUILD.bazel
Update RBE platform container image version                           

BUILD.bazel

  • Updated RBE platform container image from v1.0.14 to v1.0.15
  • Maintains existing platform constraints and exec properties
+1/-1     
MODULE.bazel
Update BuildBuddy toolchain image version                               

MODULE.bazel

  • Updated BuildBuddy toolchain container image from v1.0.14 to v1.0.15
  • Aligns with new Ubuntu-based RBE executor image
+1/-1     
buildbuddy.yaml
Update BuildBuddy execution config image version                 

buildbuddy.yaml

  • Updated execution platform container image from v1.0.14 to v1.0.15
  • Maintains platform properties and execution timeout settings
+1/-1     
release.yml
Enable remote Bazel execution in release workflow               

.github/workflows/release.yml

  • Changed Bazel configuration from --config=no_remote to --config=remote
  • Removed RPM build availability flag
    --@rules_pkg//toolchains/rpm:is_rpmbuild_available=1
  • Simplified toolchain configuration for remote execution
  • Removed comment about local package building requirement
+2/-3     
Enhancement
Dockerfile.rbe-ora9
Add Oracle Linux 9 RBE Dockerfile variant                               

docker/Dockerfile.rbe-ora9

  • New file preserving original Oracle Linux 9 RBE executor configuration
  • Contains complete DNF-based build environment with gcc-toolset-13
  • Includes RPM building tools and Oracle Linux specific dependencies
  • Serves as alternative/fallback RBE image option
+123/-0 

qodo-code-review[bot] commented 2025-11-23 16:25:07 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1985#issuecomment-3568126259
Original created: 2025-11-23T16:25:07Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Secret handling in build

Description: The build uses a secret mount 'ghcr_token' in a Dockerfile RUN step, which risks leaking
credentials via layer caching or command output if not carefully controlled in CI; ensure
BuildKit is enforced, layers are not pushed to public registries, and commands avoid
echoing secrets.
Dockerfile.rbe [91-96]

Referred Code
RUN --mount=type=secret,id=ghcr_token <<'EOF'
set -euo pipefail
TOKEN_FILE="/run/secrets/ghcr_token"
if [[ -z "${GHCR_CNPG_IMAGE:-}" ]]; then
  echo "CNPG image not set; skipping preload"
  exit 0
Remote execution trust

Description: Switching Bazel to '--config=remote' for release publishing increases supply-chain risk if
remote execution credentials or workers are compromised; publishing artifacts during
release should avoid untrusted remote executors or enforce strict CAS integrity and
authenticated, isolated RBE.
release.yml [266-273]

Referred Code
bazel run \
  --config=remote \
  --host_platform=@local_config_platform//:host \
  --platforms=//build/platforms:linux_pkg_local \
  --@rules_pkg//toolchains/rpm \
  --stamp \
  //release:publish_packages \
  -- "${args[@]}"
Unpinned package installs

Description: Installing numerous development tools (podman, skopeo, rpm, compilers) in the RBE image
broadens the attack surface and, without pinning APT package versions or enabling
'apt-get' verification beyond GPG keys, can lead to non-reproducible or vulnerable builds.

Dockerfile.rbe [14-67]

Referred Code
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        gnupg \
        lsb-release \
        wget \
        software-properties-common \
    && install -d /usr/share/postgresql-common/pgdg \
    && curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc \
    && sh -c 'echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' \
    && apt-get update && apt-get install -y --no-install-recommends \
        # Build Tools & Compilers
        build-essential \
        gcc \
        g++ \
        clang \
        llvm \
        llvm-dev \
        make \
        cmake \
        pkg-config \


 ... (clipped 33 lines)
Host network exposure

Description: Enabling host networking for RBE jobs via 'dockerNetwork: "host"' can expose the host
network from the executor to builds, allowing potential lateral movement or data
exfiltration if build steps are compromised.
buildbuddy.yaml [20-25]

Referred Code
  container-image: "docker://ghcr.io/carverauto/serviceradar/rbe-executor:v1.0.15"
  OSFamily: "linux"
  Arch: "amd64"
max_execution_timeout_seconds: 3600
default_exec_properties:
  dockerNetwork: "host"
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
No audit logs: The changes introduce remote execution configuration but add no logging of critical
actions within the workflow or tooling, making it unclear if critical actions are
auditable.

Referred Code
--config=remote \
--host_platform=@local_config_platform//:host \
--platforms=//build/platforms:linux_pkg_local \
--@rules_pkg//toolchains/rpm \
--stamp \
//release:publish_packages \
-- "${args[@]}"

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Pull fallback: The skopeo image preload step lacks explicit error handling beyond set -euo and may skip
preload silently if GHCR_CNPG_IMAGE is unset, which could impact builds without a clear
fallback strategy.

Referred Code
RUN --mount=type=secret,id=ghcr_token <<'EOF'
set -euo pipefail
TOKEN_FILE="/run/secrets/ghcr_token"
if [[ -z "${GHCR_CNPG_IMAGE:-}" ]]; then

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Remote exec risks: Switching to --config=remote introduces dependency on remote execution without showing
validation or safeguards for external inputs and credentials in this diff.

Referred Code
--config=remote \
--host_platform=@local_config_platform//:host \
--platforms=//build/platforms:linux_pkg_local \
--@rules_pkg//toolchains/rpm \
--stamp \
//release:publish_packages \
-- "${args[@]}"

Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
qodo-code-review[bot] commented 2025-11-23 16:26:05 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1985#issuecomment-3568127076
Original created: 2025-11-23T16:26:05Z

PR Code Suggestions

Explore these optional code suggestions:

Category    Suggestion    Impact
Possible issue
Safely prepend to path environment variable

Safely prepend to the PKG_CONFIG_PATH environment variable by conditionally
adding the separator, preventing a trailing colon that could lead to
non-hermetic builds.

docker/Dockerfile.rbe [82]

-PKG_CONFIG_PATH=/usr/lib/postgresql/16/lib/pkgconfig:$PKG_CONFIG_PATH
+PKG_CONFIG_PATH="/usr/lib/postgresql/16/lib/pkgconfig${PKG_CONFIG_PATH:+:}${PKG_CONFIG_PATH}"
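Review bot: confirm what evaluates this line before applying the change: the `${var:+word}` form is supported by both a Dockerfile `ENV` instruction and bash, but the hunk carries no surrounding context, so it is not visible whether line 82 is an `ENV` continuation or a `RUN` shell assignment. In either case, with `PKG_CONFIG_PATH` unset at build time (the normal state inside a freshly built executor image) the replacement yields `/usr/lib/postgresql/16/lib/pkgconfig` with no empty element, which is the intent; if the neighbouring assignments are unquoted, quote them consistently or match their style so the block stays uniform.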
Suggestion importance[1-10]: 7

__

Why: The suggestion correctly identifies a potential non-hermetic build issue with PKG_CONFIG_PATH and provides a robust fix using standard shell parameter expansion.

Medium
High-level
Remove the archived Oracle Linux Dockerfile

The suggestion recommends removing the newly added docker/Dockerfile.rbe-ora9.
This file archives the old Oracle Linux configuration but is not integrated into
any build or test process, creating a maintenance burden.

Examples:

docker/Dockerfile.rbe-ora9 [1-123]
# syntax=docker/dockerfile:1

# Custom RBE executor image based on Oracle Linux 9 with development tooling.
# This image provides a hermetic build environment for BuildBuddy RBE with RPM building support.

FROM --platform=linux/amd64 oraclelinux:9
SHELL ["/bin/bash", "-lc"]

# Install build dependencies
RUN dnf install -y oracle-epel-release-el9 oraclelinux-developer-release-el9 \

 ... (clipped 113 lines)

Solution Walkthrough:

Before:

# File structure before
docker/
  Dockerfile.rbe       # Updated to Ubuntu 24.04
  Dockerfile.rbe-ora9  # New file, archived from old Dockerfile.rbe
.github/workflows/
  release.yml          # Uses new RBE image
... # other config files updated to v1.0.15

After:

# File structure after
docker/
  Dockerfile.rbe       # Updated to Ubuntu 24.04
  # Dockerfile.rbe-ora9 is removed
.github/workflows/
  release.yml          # Uses new RBE image
... # other config files updated to v1.0.15

Suggestion importance[1-10]: 6

__

Why: The suggestion correctly identifies that the archived Dockerfile.rbe-ora9 lacks any usage or testing mechanism, creating future maintenance overhead without a clear benefit.

Low
General
Split package installation for better caching

Split the single large RUN instruction for package installation into multiple
RUN layers to improve Docker layer caching, readability, and maintainability.

docker/Dockerfile.rbe [14-67]

+# 1. Install basic setup tools for repository handling
 RUN apt-get update && apt-get install -y --no-install-recommends \
         ca-certificates \
         curl \
         gnupg \
         lsb-release \
         wget \
         software-properties-common \
-    && install -d /usr/share/postgresql-common/pgdg \
+    && rm -rf /var/lib/apt/lists/*
+
+# 2. Setup PostgreSQL official repo for version 16
+RUN install -d /usr/share/postgresql-common/pgdg \
     && curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc \
-    && sh -c 'echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list' \
-    && apt-get update && apt-get install -y --no-install-recommends \
+    && sh -c 'echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
+
+# 3. Install main development packages
+RUN apt-get update && apt-get install -y --no-install-recommends \
         # Build Tools & Compilers
         build-essential \
-...
+        gcc \
+        g++ \
+        clang \
+        llvm \
+        llvm-dev \
+        make \
+        cmake \
+        pkg-config \
+        # Container Tools
+        skopeo \
+        podman \
+        podman-docker \
+        slirp4netns \
+        fuse-overlayfs \
+        iptables \
+        # Database / Libs
+        postgresql-server-dev-16 \
+        libpq-dev \
+        libssl-dev \
+        zlib1g-dev \
+        liblz4-dev \
+        libzstd-dev \
+        libgmp-dev \
+        libev-dev \
+        libbpf-dev \
+        linux-tools-generic \
+        protobuf-compiler \
+        libprotobuf-dev \
+        # Utils
+        git \
+        patch \
+        unzip \
+        rsync \
+        tar \
+        m4 \
+        perl \
         # RPM Building on Debian
         rpm \
         createrepo-c \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
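Review bot: the PGDG signing key fetched by curl in the second RUN layer becomes the trust anchor for `postgresql-server-dev-16` and `libpq-dev` in the third layer on the strength of a successful HTTPS download alone; verify the file before it is referenced as `signed-by`, for example `gpg --show-keys --with-fingerprint /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc` checked against the fingerprint PostgreSQL publishes for the key the URL names (ACCC4CF8), so that a substituted or truncated key fails the build instead of silently signing the repository. `gnupg` is already installed in the first layer, so no additional package is needed. A smaller consistency point: the first layer only removes `/var/lib/apt/lists/*` while the third also runs `apt-get clean`; the two cleanup lines should match.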

[To ensure code accuracy, apply this suggestion manually]

Suggestion importance[1-10]: 6


Why: The suggestion correctly proposes splitting the RUN command to improve Docker layer caching and readability, which is a valid and beneficial best practice.

Impact: Low
Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1985#issuecomment-3568127076 Original created: 2025-11-23T16:26:05Z