bazel updates for rh9 build targets/RBE platform #2534

Merged
mfreeman451 merged 12 commits from refs/pull/2534/head into main 2025-12-10 04:46:44 +00:00
mfreeman451 commented 2025-12-09 19:18:42 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #2093
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2093
Original created: 2025-12-09T19:18:42Z
Original updated: 2025-12-10T04:51:44Z
Original head: carverauto/serviceradar:chore/alma9_sysmon_issues
Original base: main
Original merged: 2025-12-10T04:46:44Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Code checklist before requesting a review

  • I have signed the DCO?
  • The build completes without errors?
  • All tests are passing when running make test?

PR Type

Enhancement, Tests


Description

  • Add EL9 (Enterprise Linux 9) Bazel build configuration for RHEL/AlmaLinux/Rocky/Oracle Linux 9 compatibility

  • Create GitHub Actions workflow for building and pushing RBE executor Docker image

  • Define new rbe_linux_el9 platform with Oracle Linux 9 RBE executor container

  • Refactor sysmon Dockerfile to use separate musl and Rocky 9 build stages for universal binary compatibility


Diagram Walkthrough

flowchart LR
  A["Bazel Configuration"] -->|"el9 config"| B["EL9 Build Target"]
  C["RBE Platform Definition"] -->|"rbe_linux_el9"| B
  D["GitHub Actions Workflow"] -->|"builds & pushes"| E["RBE Executor Image"]
  F["Sysmon Dockerfile"] -->|"musl + Rocky 9 stages"| G["Universal Binaries"]
  B -->|"uses"| E
  E -->|"container-image"| C

File Walkthrough

Relevant files
Configuration changes
.bazelrc
Add EL9 Bazel build configuration                                               

.bazelrc

  • Added new el9 build configuration for EL9-compatible builds
  • Configured remote caching with BuildBuddy remote cache
  • Set host and target platforms to rbe_linux_el9
  • Set 10-minute remote timeout for build operations
+8/-0     
build-rbe-image-el9.yml
New workflow for EL9 RBE executor image                                   

.github/workflows/build-rbe-image-el9.yml

  • New GitHub Actions workflow for building and pushing RBE executor
    image
  • Builds Docker image from docker/Dockerfile.rbe-ora9 on main branch and
    PRs
  • Pushes to GHCR with versioning tags (branch, PR, SHA, v1.0.20, latest)
  • Uses Docker Buildx for multi-platform builds targeting linux/amd64
  • Implements GitHub Actions cache for faster builds
+67/-0   
BUILD.bazel
Define rbe_linux_el9 platform for EL9 builds                         

build/platforms/BUILD.bazel

  • Added new rbe_linux_el9 platform definition for Oracle Linux 9
  • Configured platform constraints for Linux x86_64 architecture
  • Set exec properties including container image, OS family,
    architecture, and pool
  • Made platform publicly visible for use across the build system
+18/-0   
Enhancement
Dockerfile.rpm.sysmon
Refactor sysmon build with musl and Rocky 9 stages             

docker/rpm/Dockerfile.rpm.sysmon

  • Refactored into separate musl-builder stage using Alpine Rust for
    static universal binaries
  • Added new zfs-builder stage using Rocky Linux 9 for ZFS-enabled
    EL9-compatible binaries
  • Musl builder produces fully static non-ZFS binary compatible with any
    Linux distro
  • ZFS builder installs ZFS dependencies and produces dynamically linked
    EL9 binary
  • Updated rpm-builder stage to copy binaries from both builder stages
  • Removed verbose build flags and added binary stripping and
    verification steps
+65/-32 

qodo-code-review[bot] commented 2025-12-09 19:19:16 +00:00 (Migrated from github.com)

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2093#issuecomment-3633892209
Original created: 2025-12-09T19:19:16Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
CI secrets misuse

Description: The workflow logs into GHCR using ${{ secrets.GHCR_TOKEN != '' && secrets.GHCR_TOKEN ||
secrets.GITHUB_TOKEN }}, which may push images on non-default branches and exposes
registry write access during PR-triggered runs; this increases supply-chain risk because
forked PRs cannot access repo secrets and defaulting to GITHUB_TOKEN can still enable
unintended publishing if branch protections or environment restrictions are misconfigured.

build-rbe-image-el9.yml [38-40]

Referred Code
username: ${{ secrets.GHCR_USERNAME != '' && secrets.GHCR_USERNAME || github.actor }}
password: ${{ secrets.GHCR_TOKEN != '' && secrets.GHCR_TOKEN || secrets.GITHUB_TOKEN }}

Host network in RBE

Description: The RBE platform sets exec_properties with dockerNetwork: "host", which disables container
network isolation and can allow the remote build executor to access host network services,
increasing risk of lateral movement or data exfiltration if build steps are compromised.
BUILD.bazel [100-105]

Referred Code
    "container-image": "docker://ghcr.io/carverauto/serviceradar/rbe-executor-el9:v1.0.20",
    "OSFamily": "linux",
    "Arch": "amd64",
    "dockerNetwork": "host",
    "Pool": "default",
},
Unsigned downloads

Description: The Dockerfile downloads and executes the Rust installer and protoc via curl without
pinning checksums or signatures, making the build supply-chain vulnerable to MITM or
tampered artifacts.
Dockerfile.rpm.sysmon [44-51]

Referred Code
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain 1.81.0
ENV PATH="/root/.cargo/bin:${PATH}"

# Install protoc
RUN curl -LO https://github.com/protocolbuffers/protobuf/releases/download/v27.2/protoc-27.2-linux-x86_64.zip \
    && unzip protoc-27.2-linux-x86_64.zip -d /usr/local \
    && chmod +x /usr/local/bin/protoc \
    && rm protoc-27.2-linux-x86_64.zip
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Network install errors: Package installation and curl-based downloads lack explicit retry/backoff or failure
handling, which may cause flaky builds without clear remediation.

Referred Code
RUN dnf install -y --allowerasing \
    rpm-build rpmdevtools dnf-plugins-core git gcc make curl unzip \
    && dnf config-manager --set-enabled crb \
    && dnf install -y https://zfsonlinux.org/epel/zfs-release-2-3.el9.noarch.rpm \
    && dnf install -y libzfs-devel \
    && dnf clean all

# Install Rust
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain 1.81.0
ENV PATH="/root/.cargo/bin:${PATH}"

# Install protoc
RUN curl -LO https://github.com/protocolbuffers/protobuf/releases/download/v27.2/protoc-27.2-linux-x86_64.zip \
    && unzip protoc-27.2-linux-x86_64.zip -d /usr/local \
    && chmod +x /usr/local/bin/protoc \
    && rm protoc-27.2-linux-x86_64.zip

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
Secret handling: The workflow references registry credentials and a ghcr_token secret; while masked by
GitHub, ensure no steps echo these values to logs and validate least-privilege tokens.

Referred Code
- name: Log in to Container Registry
  uses: docker/login-action@v3
  with:
    registry: ${{ env.REGISTRY }}
    username: ${{ secrets.GHCR_USERNAME != '' && secrets.GHCR_USERNAME || github.actor }}
    password: ${{ secrets.GHCR_TOKEN != '' && secrets.GHCR_TOKEN || secrets.GITHUB_TOKEN }}

- name: Extract metadata
  id: meta
  uses: docker/metadata-action@v5
  with:
    images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
    tags: |
      type=ref,event=branch
      type=ref,event=pr
      type=sha,format=short,prefix=sha-
      type=raw,value=v1.0.20
      type=raw,value=latest,enable={{is_default_branch}}

- name: Build and push Docker image
  uses: docker/build-push-action@v6


 ... (clipped 12 lines)

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Unpinned downloads: The Dockerfile downloads toolchains and protoc via curl without checksums or signature
verification, which lacks integrity validation for external inputs.

Referred Code
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain 1.81.0
ENV PATH="/root/.cargo/bin:${PATH}"

# Install protoc
RUN curl -LO https://github.com/protocolbuffers/protobuf/releases/download/v27.2/protoc-27.2-linux-x86_64.zip \
    && unzip protoc-27.2-linux-x86_64.zip -d /usr/local \
    && chmod +x /usr/local/bin/protoc \
    && rm protoc-27.2-linux-x86_64.zip

Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend
🟢 - Fully Compliant
🟡 - Partially Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
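Added here as an example, not ServiceRadar code and not part of the bot's report: a small Python auditor that mechanically checks for the patterns the compliance report above flags, namely a secret or attacker-controllable context expanded inside a `run:` script, `packages: write` held by a workflow that also runs on pull_request, and a Dockerfile `RUN` that pipes a download into a shell or fetches an artifact with no digest check. The `WORKFLOW` and `DOCKERFILE` inputs are constructed to mirror the referred code, not the real files; the rule ids, the `PROTOC_SHA256` build argument in the hardened stanza, and the short list of injectable contexts (taken from GitHub's script-injection guidance) are the script's own.

```python
"""Audit a GitHub Actions workflow and a Dockerfile for the CI supply-chain
patterns raised in the compliance report above.  Added example, not ServiceRadar
code: WORKFLOW and DOCKERFILE below are constructed to mirror the referred
snippets; the rule ids and the PROTOC_SHA256 build argument are this script's own."""
import re
from typing import Iterator, List, Optional, Tuple

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")      # body of a ${{ ... }} expression
RUN_RE = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")  # a run: key, as a list item or not
PR_TRIGGER_RE = re.compile(r"^\s*-?\s*pull_request(_target)?\s*:?\s*$|\[[^\]]*\bpull_request\b", re.M)
PKG_WRITE_RE = re.compile(r"^\s*packages:\s*write\s*$")
# Contexts GitHub documents as attacker-controllable on pull_request/issue events.
INJECTABLE = ("github.head_ref", "github.event.pull_request.title", "github.event.pull_request.body",
              "github.event.pull_request.head.ref", "github.event.issue.title", "github.event.comment.body")
FETCH_RE = re.compile(r"\b(curl|wget)\b[^|&;]*https?://\S+")                   # fetches a URL
PIPE_SH_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(sh|bash|zsh)\b")  # curl ... | sh
VERIFY_RE = re.compile(r"\b(sha256sum|sha512sum|shasum|gpg|cosign)\b")          # an integrity check


def audit_workflow(text: str) -> List[Tuple[int, str, str]]:
    """(line, rule, detail) for secrets or injectable contexts expanded inside run:
    scripts, and for packages: write held by a workflow that also runs on pull_request."""
    out, lines = [], text.splitlines()
    run_indent: Optional[int] = None  # indent of the open run: key, if any
    for no, line in enumerate(lines, 1):
        body = line.lstrip()  # a blank line keeps a block scalar open
        if run_indent is not None and body and len(line) - len(body) <= run_indent:
            run_indent = None
        if m := RUN_RE.match(line):
            run_indent = len(m.group(1)) + len(m.group(2) or "")
        if run_indent is None:
            continue  # with:/env: values never pass through a shell parser
        for expr in EXPR_RE.findall(line):
            if expr.startswith("secrets."):
                out.append((no, "secret-in-script", f"'{expr}' is spliced into shell source; pass it via env:"))
            elif expr.startswith(INJECTABLE):
                out.append((no, "script-injection", f"'{expr}' is attacker-controllable; pass it via env: and quote it"))
    if PR_TRIGGER_RE.search(text):
        out += [(no, "write-perm-on-pr", "packages: write is in scope on PR runs; publish from a push-only job")
                for no, line in enumerate(lines, 1) if PKG_WRITE_RE.match(line)]
    return sorted(out)


def dockerfile_instructions(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first_line_no, instruction) with backslash continuations joined."""
    start, parts = 0, []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not parts:
            if not line or line.startswith("#"):
                continue
            start = no
        parts.append(line.rstrip("\\"))
        if not line.endswith("\\"):
            yield start, " ".join(parts)
            parts = []


def audit_dockerfile(text: str) -> List[Tuple[int, str, str]]:
    """(line, rule, detail) for RUN steps that pipe a download into a shell or
    fetch an artifact with no digest or signature check in the same instruction."""
    out = []
    for no, instr in dockerfile_instructions(text):
        if not instr.upper().startswith("RUN "):
            continue
        if PIPE_SH_RE.search(instr):
            out.append((no, "pipe-to-shell", "download to a file, verify its sha256, then run it"))
        elif FETCH_RE.search(instr) and not VERIFY_RE.search(instr):
            out.append((no, "unverified-download", 'add: echo "<sha256>  <file>" | sha256sum -c -'))
    return out


WORKFLOW = """\
on:
  push:
    branches: [main]
  pull_request:
jobs:
  build:
    permissions:
      packages: write
    steps:
      - run: |
          echo "${{ secrets.GHCR_TOKEN != '' && secrets.GHCR_TOKEN || secrets.GITHUB_TOKEN }}" | \\
            buildah login -u "${{ github.actor }}" --password-stdin ghcr.io
      - run: buildah tag img:latest "img:${{ github.head_ref }}"
      - env: {HEAD_REF: "${{ github.head_ref }}"}
        run: buildah tag img:latest "img:${HEAD_REF}"
"""

DOCKERFILE = """\
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain 1.81.0
RUN curl -LO https://github.com/protocolbuffers/protobuf/releases/download/v27.2/protoc-27.2-linux-x86_64.zip \\
    && unzip protoc-27.2-linux-x86_64.zip -d /usr/local && rm protoc-27.2-linux-x86_64.zip
# Hardened form; PROTOC_SHA256 is the digest published with the release (assumed build arg).
ARG PROTOC_SHA256
RUN curl -fsSLo /tmp/protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v27.2/protoc-27.2-linux-x86_64.zip \\
    && echo "${PROTOC_SHA256}  /tmp/protoc.zip" | sha256sum -c - \\
    && unzip -q /tmp/protoc.zip bin/protoc 'include/*' -d /usr/local && rm /tmp/protoc.zip
"""
```

Against the constructed inputs the auditor reports `packages: write` on a PR-triggered workflow, the secret expression inside the login script, and `github.head_ref` inside the tag script, while the `env:`-mapped step passes; for the Dockerfile it reports the `curl | sh` rustup line and the unverified protoc fetch, while the stanza that checks `sha256sum -c` before extracting passes. The same download-verify-then-run shape fixes the rustup line: save the installer to a file, check its published digest, then execute it.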
qodo-code-review[bot] commented 2025-12-09 19:20:28 +00:00 (Migrated from github.com)

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2093#issuecomment-3633896001
Original created: 2025-12-09T19:20:28Z

PR Code Suggestions

Explore these optional code suggestions:

Category: High-level
Suggestion: Decouple RBE image version from code
Suggestion Impact: The workflow now defines a VERSION variable and generates multiple dynamic tags (including branch, PR, SHA, and latest on main) instead of a single hardcoded v1.0.20 tag. Although it still uses VERSION=v1.0.20 as the primary tag, it adds dynamic tagging, partially addressing the suggestion in the workflow. No Bazel platform changes are shown in this diff.

code diff:

+  VERSION: v1.0.20
 
 jobs:
   build-and-push:
-    runs-on: ubuntu-latest
+    runs-on: arc-runner-set
     permissions:
       contents: read
       packages: write
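Review bot: `runs-on: arc-runner-set` moves this job from GitHub-hosted `ubuntu-latest` onto a self-hosted runner set (the name suggests Actions Runner Controller) while the workflow still fires on pull_request (the tag step below branches on `github.event_name == "pull_request"`) and the job keeps `packages: write`, so on a public repository a PR's Dockerfile content is built on your own infrastructure with a registry-write token minted for the job even though the push step is skipped. Gate PR runs before relying on the self-hosted pool, for example `if: github.event.pull_request.head.repo.full_name == github.repository` on the job, or run PR builds in a separate job with `packages: read`. The new `VERSION: v1.0.20` also duplicates the tag pinned in `build/platforms/BUILD.bazel`; recording the pushed image digest and pinning `container-image` to `@sha256:<digest>` would keep the two in step without the floating `latest` tag the suggestion proposes.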
@@ -28,40 +29,111 @@
       - name: Checkout repository
         uses: actions/checkout@v6
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+      - name: Install Buildah
+        run: |
+          if command -v apt-get &> /dev/null; then
+            sudo apt-get update
+            sudo apt-get install -y buildah fuse-overlayfs
+          elif command -v dnf &> /dev/null; then
+            sudo dnf install -y buildah fuse-overlayfs
+          elif command -v yum &> /dev/null; then
+            sudo yum install -y buildah fuse-overlayfs
+          else
+            echo "No supported package manager found"
+            exit 1
+          fi
+
+      - name: Configure Buildah for rootless operation
+        run: |
+          # Create config directories
+          mkdir -p ~/.config/containers
+
+          # Configure storage to use vfs driver (works without privileges)
+          cat > ~/.config/containers/storage.conf << 'EOF'
+          [storage]
+          driver = "vfs"
+          runroot = "/tmp/containers-runroot"
+          graphroot = "/tmp/containers-storage"
+          EOF
+
+          # Configure registries
+          cat > ~/.config/containers/registries.conf << 'EOF'
+          [registries.search]
+          registries = ['docker.io', 'ghcr.io']
+
+          [registries.insecure]
+          registries = []
+          EOF
+
+          # Verify configuration
+          buildah info
 
       - name: Log in to Container Registry
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ secrets.GHCR_USERNAME != '' && secrets.GHCR_USERNAME || github.actor }}
-          password: ${{ secrets.GHCR_TOKEN != '' && secrets.GHCR_TOKEN || secrets.GITHUB_TOKEN }}
+        run: |
+          echo "${{ secrets.GHCR_TOKEN != '' && secrets.GHCR_TOKEN || secrets.GITHUB_TOKEN }}" | \
+            buildah login -u "${{ secrets.GHCR_USERNAME != '' && secrets.GHCR_USERNAME || github.actor }}" \
+            --password-stdin ${{ env.REGISTRY }}
 
-      - name: Extract metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=sha,format=short,prefix=sha-
-            type=raw,value=v1.0.20
-            type=raw,value=latest,enable={{is_default_branch}}
+      - name: Generate image tags
+        id: tags
+        run: |
+          REPO="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
+          TAGS=""
 
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: docker/Dockerfile.rbe-ora9
-          platforms: linux/amd64
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            GHCR_USERNAME=${{ github.actor }}
-          secrets: |
-            ghcr_token=${{ secrets.GITHUB_TOKEN }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          # Version tag
+          TAGS="${REPO}:${{ env.VERSION }}"
+
+          # SHA tag
+          TAGS="${TAGS} ${REPO}:sha-${GITHUB_SHA::7}"
+
+          # Branch/PR tag
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            TAGS="${TAGS} ${REPO}:pr-${{ github.event.pull_request.number }}"
+          else
+            BRANCH_NAME="${GITHUB_REF_NAME}"
+            TAGS="${TAGS} ${REPO}:${BRANCH_NAME}"
+            # Latest tag only on main
+            if [[ "${BRANCH_NAME}" == "main" ]]; then
+              TAGS="${TAGS} ${REPO}:latest"
+            fi
+          fi
+
+          echo "tags=${TAGS}" >> $GITHUB_OUTPUT
+          echo "Generated tags: ${TAGS}"
+
+      - name: Build image with Buildah
+        run: |
+          # Create secret file for GHCR token
+          echo "${GHCR_TOKEN}" > /tmp/ghcr_token
+
+          buildah bud \
+            --format docker \
+            --layers \
+            --isolation chroot \
+            --build-arg GHCR_USERNAME=${{ github.actor }} \
+            --secret id=ghcr_token,src=/tmp/ghcr_token \
+            -f docker/Dockerfile.rbe-ora9 \
+            -t ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} \
+            .
+
+          # Clean up secret file
+          rm -f /tmp/ghcr_token
+        env:
+          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Tag image
+        run: |
+          PRIMARY_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}"
+          for tag in ${{ steps.tags.outputs.tags }}; do
+            if [[ "${tag}" != "${PRIMARY_TAG}" ]]; then
+              buildah tag "${PRIMARY_TAG}" "${tag}"
+            fi
+          done
+
+      - name: Push image
+        if: github.event_name != 'pull_request'
+        run: |
+          for tag in ${{ steps.tags.outputs.tags }}; do
+            echo "Pushing ${tag}..."
+            buildah push "${tag}"
+          done
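Review bot: The branch tag `${REPO}:${BRANCH_NAME}` is built from the raw `GITHUB_REF_NAME`, but branch names containing `/` are not valid image tags, so `buildah tag` in the "Tag image" step would fail on any push from such a branch; the removed `docker/metadata-action` sanitised refs, so either sanitise here (replace characters outside `[A-Za-z0-9_.-]` with `-`) or emit the branch tag only for `main`. The GHCR token is also written to `/tmp/ghcr_token` and the `rm -f` only runs when `buildah bud` succeeds; a `trap 'rm -f /tmp/ghcr_token' EXIT` before the build keeps the token from lingering on the runner after a failed build.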

The RBE executor image version is hardcoded in the GitHub workflow and Bazel
platform definition, creating a maintenance issue. It should be replaced with a
dynamic approach, like using a latest tag or image digests, to avoid manual
updates in multiple files.

Examples:

.github/workflows/build-rbe-image-el9.yml [50]
            type=raw,value=v1.0.20
build/platforms/BUILD.bazel [100]
        "container-image": "docker://ghcr.io/carverauto/serviceradar/rbe-executor-el9:v1.0.20",

Solution Walkthrough:

Before:

# .github/workflows/build-rbe-image-el9.yml
...
      tags: |
        type=ref,event=branch
        type=ref,event=pr
        type=sha,format=short,prefix=sha-
        type=raw,value=v1.0.20
        type=raw,value=latest,enable={{is_default_branch}}
...

# build/platforms/BUILD.bazel
...
platform(
    name = "rbe_linux_el9",
    ...
    exec_properties = {
        "container-image": "docker://ghcr.io/carverauto/serviceradar/rbe-executor-el9:v1.0.20",
        ...
    },
)

After:

# .github/workflows/build-rbe-image-el9.yml
# Remove hardcoded version tag
...
      tags: |
        type=ref,event=branch
        type=ref,event=pr
        type=sha,format=short,prefix=sha-
        type=raw,value=latest,enable={{is_default_branch}}
...

# build/platforms/BUILD.bazel
# Use a floating tag like 'latest' or a variable
...
platform(
    name = "rbe_linux_el9",
    ...
    exec_properties = {
        "container-image": "docker://ghcr.io/carverauto/serviceradar/rbe-executor-el9:latest",
        ...
    },
)

Suggestion importance[1-10]: 8


Why: The suggestion correctly identifies that hardcoding the RBE image version v1.0.20 in both the Bazel platform and the GitHub workflow creates a significant maintenance burden and risk of build inconsistencies.

Medium
Possible issue
Avoid using a hardcoded mutable tag
Suggestion Impact: The workflow removed the docker/metadata-action block that included the hardcoded tag entry and replaced it with a custom tag generation step. Although a VERSION env var (v1.0.20) was introduced, the specific hardcoded tag within the metadata extraction was eliminated per the suggestion.

code diff:

-      - name: Extract metadata
-        id: meta
-        uses: docker/metadata-action@v5
-        with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
-          tags: |
-            type=ref,event=branch
-            type=ref,event=pr
-            type=sha,format=short,prefix=sha-
-            type=raw,value=v1.0.20
-            type=raw,value=latest,enable={{is_default_branch}}
+      - name: Generate image tags
+        id: tags
+        run: |
+          REPO="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}"
+          TAGS=""
 
-      - name: Build and push Docker image
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: docker/Dockerfile.rbe-ora9
-          platforms: linux/amd64
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            GHCR_USERNAME=${{ github.actor }}
-          secrets: |
-            ghcr_token=${{ secrets.GITHUB_TOKEN }}
-          cache-from: type=gha
-          cache-to: type=gha,mode=max
+          # Version tag
+          TAGS="${REPO}:${{ env.VERSION }}"
+
+          # SHA tag
+          TAGS="${TAGS} ${REPO}:sha-${GITHUB_SHA::7}"
+
+          # Branch/PR tag
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            TAGS="${TAGS} ${REPO}:pr-${{ github.event.pull_request.number }}"
+          else
+            BRANCH_NAME="${GITHUB_REF_NAME}"
+            TAGS="${TAGS} ${REPO}:${BRANCH_NAME}"
+            # Latest tag only on main
+            if [[ "${BRANCH_NAME}" == "main" ]]; then
+              TAGS="${TAGS} ${REPO}:latest"
+            fi
+          fi
+
+          echo "tags=${TAGS}" >> $GITHUB_OUTPUT
+          echo "Generated tags: ${TAGS}"
+
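Review bot: Replacing `docker/metadata-action` with a hand-rolled tag list silently drops the `labels` output (the `org.opencontainers.image.source` and `revision` annotations) that the old build step attached via `labels: ${{ steps.meta.outputs.labels }}`; the new build would need explicit `--label` flags to keep that provenance on the image. The `TAGS="${REPO}:${{ env.VERSION }}"` line also keeps `v1.0.20` as a mutable tag that is re-pushed on every run, so the Bazel platform's reference to that tag in `build/platforms/BUILD.bazel` is not actually immutable; pinning the platform's `container-image` to the image digest addresses the reproducibility concern the suggestion raises.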

Remove the hardcoded Docker tag v1.0.20 from the metadata extraction step. Using
a mutable, hardcoded tag is a bad practice that harms build reproducibility,
especially since it is referenced elsewhere in the codebase.

.github/workflows/build-rbe-image-el9.yml [41-51]

 - name: Extract metadata
   id: meta
   uses: docker/metadata-action@v5
   with:
     images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
     tags: |
       type=ref,event=branch
       type=ref,event=pr
       type=sha,format=short,prefix=sha-
-      type=raw,value=v1.0.20
       type=raw,value=latest,enable={{is_default_branch}}
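Review bot: Dropping `type=raw,value=v1.0.20` from the workflow alone leaves `build/platforms/BUILD.bazel` referencing a tag that is no longer published, so the two files have to change together. The remaining `latest` tag is just as mutable as `v1.0.20`, so the reproducibility argument only holds if the Bazel `container-image` value is pinned to an `@sha256:` digest rather than to any tag.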

[Suggestion processed]

Suggestion importance[1-10]: 8


Why: This suggestion correctly identifies a critical issue with build reproducibility. Using a hardcoded, mutable tag (v1.0.20) that is also referenced in the Bazel build configuration (build/platforms/BUILD.bazel) can lead to inconsistent and non-reproducible builds. This is a significant architectural flaw that should be addressed.

Medium
General
Simplify container registry login credentials

Simplify the docker/login-action step by removing the complex conditional logic
for credentials. Instead, directly use github.actor for the username and
secrets.GITHUB_TOKEN for the password, which is standard for GHCR.

.github/workflows/build-rbe-image-el9.yml [34-39]

-- name: Log in to Container Registry
+- name: Log in to the Container registry
   uses: docker/login-action@v3
   with:
     registry: ${{ env.REGISTRY }}
-    username: ${{ secrets.GHCR_USERNAME != '' && secrets.GHCR_USERNAME || github.actor }}
-    password: ${{ secrets.GHCR_TOKEN != '' && secrets.GHCR_TOKEN || secrets.GITHUB_TOKEN }}
+    username: ${{ github.actor }}
+    password: ${{ secrets.GITHUB_TOKEN }}
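Review bot: Removing the `GHCR_USERNAME`/`GHCR_TOKEN` fallback also removes the only way to supply a PAT when the job's `GITHUB_TOKEN` cannot read packages from another repository; since the Dockerfile build secret is already fed from `secrets.GITHUB_TOKEN` (`ghcr_token=${{ secrets.GITHUB_TOKEN }}`), the simplification is only safe if every base image the Dockerfile pulls is readable with the default token, which should be stated before applying it. The step rename in the first two lines is unrelated to the point and should be left out of the suggested diff.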
Suggestion importance[1-10]: 5


Why: The suggestion correctly identifies that the login logic can be simplified, improving readability and maintainability. While the original code offers more flexibility by allowing overrides via secrets, the proposed change aligns with the common and recommended practice for GHCR authentication in GitHub Actions.

Low
Remove rustup installer after use

In the zfs-builder stage, remove the rustup installation files after installing
Rust to reduce the Docker layer size. This can be done by adding && rm -rf
/root/.rustup to the same RUN command that installs Rust.

docker/rpm/Dockerfile.rpm.sysmon [43-45]

 # Install Rust
-RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain 1.81.0
+RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain 1.81.0 \
+    && rm -rf /root/.rustup
 ENV PATH="/root/.cargo/bin:${PATH}"
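Review bot: `rm -rf /root/.rustup` would delete the installed toolchain, not an installer: rustup keeps the toolchain under `~/.rustup/toolchains/`, and `/root/.cargo/bin/cargo` and `rustc` are only proxies that resolve into it, so the next `cargo build` in this stage would fail. The installer script is piped from `curl` into `sh` and never stored, so there is nothing to clean up there; to shrink the layer, pass `--profile minimal` to `sh -s --` so docs are never installed, or remove `/root/.rustup/toolchains/*/share/doc` after installation instead.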
Suggestion importance[1-10]: 4


Why: The suggestion proposes a valid optimization to reduce the Docker image layer size by cleaning up the rustup installation files. This is a good practice for creating leaner builder images, although its impact is minor as it only affects an intermediate build stage.

Low
Imported GitHub PR comment. Original author: @qodo-code-review[bot]. Original URL: https://github.com/carverauto/serviceradar/pull/2093#issuecomment-3633896001. Original created: 2025-12-09T19:20:28Z.
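A CI-side check in the spirit of the first two suggestions, added here as an example and not part of the PR or the bot's comment: it reads a BUILD fragment, flags any `container-image` referenced by a mutable tag, and shows what the reference looks like once pinned to a digest. The BUILD fragment and the digest are constructed placeholders, not the project's real values.

```shell
#!/usr/bin/env sh
# Added example: fail CI when an RBE platform's container-image is referenced by a
# mutable tag (v1.0.20, latest, a branch name) instead of an immutable digest.
# SAMPLE_BUILD and DEMO_DIGEST are constructed placeholders.

SAMPLE_BUILD='platform(
    name = "rbe_linux_el9",
    exec_properties = {
        "container-image": "docker://ghcr.io/carverauto/serviceradar/rbe-executor-el9:v1.0.20",
        "OSFamily": "Linux",
    },
)'
# Placeholder digest (64 hex chars); a real one comes from the registry, e.g. skopeo inspect.
DEMO_DIGEST='0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'

# rbe_image_refs: print every "container-image" value found in BUILD text read from stdin.
rbe_image_refs() {
  sed -n 's/.*"container-image": *"\([^"]*\)".*/\1/p'
}

# is_digest_pinned REF: succeed only when REF ends in @sha256:<64 hex digits>.
is_digest_pinned() {
  printf '%s' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# pin_image_ref REF DIGEST: drop an existing digest or tag (":v1.0.20") and append
# "@sha256:DIGEST". The tag pattern only matches a ":" after the last "/", so the
# "docker://" scheme and registry ports are left alone.
pin_image_ref() {
  base=$(printf '%s' "$1" | sed -e 's#@sha256:[0-9a-f]*$##' -e 's#:[^/:]*$##')
  printf '%s@sha256:%s\n' "$base" "$2"
}

# check_rbe_images_pinned: read BUILD text from stdin, report each image reference,
# return 1 if any of them is not digest-pinned so the CI job fails.
check_rbe_images_pinned() {
  status=0
  for ref in $(rbe_image_refs); do
    if is_digest_pinned "$ref"; then
      echo "pinned   $ref"
    else
      echo "UNPINNED $ref (mutable tag; pin with @sha256:<digest>)" >&2
      status=1
    fi
  done
  return "$status"
}

# Demo: the tag-referenced fragment fails the check, the digest-pinned rewrite passes.
if printf '%s\n' "$SAMPLE_BUILD" | check_rbe_images_pinned; then
  echo "unexpected: sample BUILD is already pinned"
fi
pin_image_ref "docker://ghcr.io/carverauto/serviceradar/rbe-executor-el9:v1.0.20" "$DEMO_DIGEST"
printf '%s\n' "$SAMPLE_BUILD" | sed "s#:v1\.0\.20#@sha256:$DEMO_DIGEST#" | check_rbe_images_pinned
```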