1700 create app for demo #2273

Merged
mfreeman451 merged 4 commits from refs/pull/2273/head into main 2025-10-05 02:45:15 +00:00
mfreeman451 commented 2025-10-05 02:33:51 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #1701
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1701
Original created: 2025-10-05T02:33:51Z
Original updated: 2025-10-05T02:45:18Z
Original head: carverauto/serviceradar:1700-create-app-for-demo
Original base: main
Original merged: 2025-10-05T02:45:15Z by @mfreeman451

PR Type

Enhancement, Other


Description

  • Add ArgoCD application for demo production deployment

  • Integrate Alpine network utilities (ping, nmap, netcat) into Docker images

  • Update image tags to specific versions for demo environments

  • Configure Bazel build with Go pure mode


Diagram Walkthrough

flowchart LR
  A["ArgoCD Application"] --> B["Demo Prod Deployment"]
  C["Alpine APK Downloads"] --> D["Network Utils Layer"]
  D --> E["Enhanced Docker Images"]
  F["Bazel Config"] --> G["Go Pure Mode Build"]
  H["Image Tags"] --> I["Version Updates"]

File Walkthrough

Relevant files

Configuration changes (7 files)
  .bazelrc: Add Go pure mode configuration (+2/-0)
  kustomization.yaml: Add secret generator job resource (+1/-0)
  serviceradar-core.yaml: Update core image to specific version (+2/-2)
  ingress.yaml: Update hostname from staging to production (+2/-2)
  kustomization.yaml: Update image tags and remove empty patches (+10/-11)
  resources.yaml: Remove production resource patches content (+2/-37)
  kustomization.yaml: Update core image tag to specific version (+1/-1)

Dependencies (1 file)
  MODULE.bazel: Add Alpine network utility APK downloads (+24/-0)

Enhancement (2 files)
  BUILD.bazel: Integrate network utilities into Docker images (+127/-8)
  demo-prod.yaml: Create ArgoCD application for demo production (+29/-0)

Bug fix (1 file)
  secret-generator-job.yaml: Fix shell command syntax (+1/-2)

Formatting (1 file)
  serviceradar-proton.yaml: Add missing newline at file end (+1/-1)

qodo-code-review[bot] commented 2025-10-05 02:34:57 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1701#issuecomment-3368693469
Original created: 2025-10-05T02:34:57Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance (⚪ requires further human verification for the three findings below)
Network recon tools

Description: Adding network tools (ping, nmap, netcat) into multiple runtime images increases attack
surface and can be abused for network reconnaissance if containers are compromised;
consider limiting to a dedicated tools image or gating via debug-only builds.
BUILD.bazel [210-956]

Referred Code
    name = "agent_image_amd64",
    base = "@alpine_3_20_linux_amd64//:alpine_3_20_linux_amd64",
    tars = [":alpine_netutils_rootfs_amd64", ":common_tools_amd64", ":agent_layer_amd64"],
    cmd = ["/usr/local/bin/serviceradar-agent", "-config", "/etc/serviceradar/agent.json"],
    env = {
        "PATH": "/usr/local/bin:/usr/bin:/bin",
    },
    workdir = "/var/lib/serviceradar",
    exposed_ports = ["50051/tcp"],
    labels = {
        "org.opencontainers.image.title": "serviceradar-agent",
    },
)

oci_load(
    name = "agent_image_amd64_tar",
    image = ":agent_image_amd64",
    repo_tags = ["ghcr.io/carverauto/serviceradar-agent:local"],
)

pkg_tar(


 ... (clipped 726 lines)
Public ingress exposure

Description: Public ingress to demo.serviceradar.cloud is enabled; ensure no sensitive backends are
exposed and rate limiting/WAF are configured as annotations do not include security
protections like auth, rate limits, or WAF.
ingress.yaml [4-29]

Referred Code
metadata:
  name: serviceradar-ingress
  annotations:
    cert-manager.io/cluster-issuer: "carverauto-issuer"
    external-dns.alpha.kubernetes.io/hostname: "demo.serviceradar.cloud"
    metallb.universe.tf/allow-shared-ip: "true"
    metallb.universe.tf/address-pool: k3s-pool
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
    nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "256k"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "86400"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "86400"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
spec:
  tls:
  - hosts:
    - demo.serviceradar.cloud
    secretName: serviceradar-prod-tls
  rules:
  - host: demo.serviceradar.cloud


 ... (clipped 5 lines)
Secret job hardening

Description: The secret generator runs with /bin/sh and executes an inline script; ensure secrets are
not logged and job pod has least privileges as current manifest does not show
securityContext or restricted permissions.
secret-generator-job.yaml [17-24]

Referred Code
- name: secret-generator
  image: ghcr.io/carverauto/serviceradar-tools:latest
  command: ["/bin/sh", "-c"]
  args:
  - |
    set -e

    echo "🔐 ServiceRadar Secret Generator"
Ticket Compliance
🟡
🎫 #1700
🟢 Create an ArgoCD Application to deploy the demo production environment.
Integrate Alpine network utilities (ping, nmap, netcat) into Docker images used for demo.
Configure Bazel/Go builds to use Go pure mode.
🔴 Update image tags to specific pinned versions suitable for demo environments.
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
No custom compliance provided

Follow the guide to enable custom compliance check.

Compliance status legend
🟢 - Fully Compliant
🟡 - Partially Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
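The "Secret job hardening" finding above asks for two things the clipped manifest does not show: a pod that runs with the least privilege it needs, and secret values that never reach the log. The manifest below is an added example, not the project's secret-generator-job.yaml. It assumes that the script writes its Secrets with kubectl (the original script body is clipped above), that the namespace is serviceradar, that the Secret is named serviceradar-jwt, that the tools image ships `base64` and can run as UID 65532, and it pins the tools image by digest instead of `:latest`; all of those are assumptions.

```yaml
# Added example, not the project's secret-generator-job.yaml. Assumptions:
# namespace "serviceradar", Secret name "serviceradar-jwt", the script writes
# Secrets with kubectl, and the tools image can run as UID 65532.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: secret-generator
  namespace: serviceradar
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: secret-generator
  namespace: serviceradar
rules:
# Exactly what the job needs. No list/watch, so a compromised job cannot
# enumerate other Secrets; "get" is limited to the one Secret it manages
# (create cannot be name-scoped, so it stays unscoped).
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["serviceradar-jwt"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: secret-generator
  namespace: serviceradar
subjects:
- kind: ServiceAccount
  name: secret-generator
  namespace: serviceradar
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: secret-generator
---
apiVersion: batch/v1
kind: Job
metadata:
  name: secret-generator
  namespace: serviceradar
spec:
  backoffLimit: 2
  activeDeadlineSeconds: 120
  ttlSecondsAfterFinished: 300   # finished pod, and with it its log, is garbage-collected
  template:
    spec:
      serviceAccountName: secret-generator
      restartPolicy: Never
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532           # assumption: use a UID that exists in the tools image
        seccompProfile:
          type: RuntimeDefault
      containers:
      - name: secret-generator
        # Pin by digest instead of ":latest"; fill in from
        #   crane digest ghcr.io/carverauto/serviceradar-tools:<tag>
        image: ghcr.io/carverauto/serviceradar-tools@sha256:REPLACE_WITH_DIGEST
        command: ["/bin/sh", "-c"]
        args:
        - |
          set -eu                  # deliberately no `set -x`: tracing would print the secret
          if kubectl get secret serviceradar-jwt >/dev/null 2>&1; then
            echo "serviceradar-jwt already exists, nothing to do"
            exit 0
          fi
          # Generate in memory and hand the value over on stdin: it never
          # appears in the log, in argv (/proc/<pid>/cmdline) or on disk.
          secret=$(head -c 32 /dev/urandom | base64)
          printf '%s' "$secret" | kubectl create secret generic serviceradar-jwt \
            --from-file=jwt-secret=/dev/stdin
          echo "created secret serviceradar-jwt"
        env:
        - name: HOME
          value: /tmp              # kubectl's discovery cache lives under $HOME/.kube/cache
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]
        resources:
          limits:
            cpu: 200m
            memory: 64Mi
      volumes:
      - name: tmp
        emptyDir: {}
```

The two choices that matter for the finding are the dedicated Role (a ServiceAccount with the namespace's default permissions, or worse a cluster-admin binding, is what usually turns a throwaway job into a lateral-movement step) and the stdin hand-off: `--from-literal=` would put the value into the kubectl process's argv, where any process in the pod can read it. `ttlSecondsAfterFinished` is there so that the completed pod's log, which a future edit to the script could accidentally leak into, is not kept around indefinitely.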
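The "Public ingress exposure" finding notes that the annotations on demo.serviceradar.cloud carry no auth, rate limit or WAF. Below is the same Ingress with those controls added, as an added example rather than the PR's ingress.yaml. All added annotations are standard ingress-nginx ones; `ingressClassName: nginx` and the backend (service serviceradar-web on port 80) are assumptions, since the original rules block is clipped above.

```yaml
# Added example, not the PR's ingress.yaml. ingressClassName and the backend
# (service serviceradar-web, port 80) are assumptions: the rules block is clipped above.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: serviceradar-ingress
  annotations:
    cert-manager.io/cluster-issuer: "carverauto-issuer"
    external-dns.alpha.kubernetes.io/hostname: "demo.serviceradar.cloud"
    metallb.universe.tf/allow-shared-ip: "true"
    metallb.universe.tf/address-pool: k3s-pool
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    nginx.ingress.kubernetes.io/proxy-buffer-size: "128k"
    nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
    nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "256k"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "86400"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "86400"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "60"
    # Added: the controls the finding says are missing.
    nginx.ingress.kubernetes.io/ssl-redirect: "true"            # no plaintext HTTP
    nginx.ingress.kubernetes.io/limit-rps: "20"                 # requests/s per client IP
    nginx.ingress.kubernetes.io/limit-burst-multiplier: "5"     # burst = 5 * rps
    nginx.ingress.kubernetes.io/limit-connections: "50"         # concurrent, per client IP
    nginx.ingress.kubernetes.io/enable-modsecurity: "true"      # WAF ...
    nginx.ingress.kubernetes.io/enable-owasp-core-rules: "true" # ... with the OWASP CRS ruleset
    # Optional gate if the demo is not meant to be fully anonymous; the Secret
    # holds an htpasswd file under the key "auth".
    # nginx.ingress.kubernetes.io/auth-type: basic
    # nginx.ingress.kubernetes.io/auth-secret: serviceradar-demo-basic-auth
    # nginx.ingress.kubernetes.io/auth-realm: "ServiceRadar demo"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - demo.serviceradar.cloud
    secretName: serviceradar-prod-tls
  rules:
  - host: demo.serviceradar.cloud
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: serviceradar-web
            port:
              number: 80
```

Two caveats when applying this behind MetalLB, as the annotations indicate the cluster is: the rate and connection limits are keyed on the client address, so the ingress controller's Service needs `externalTrafficPolicy: Local` (or proxy protocol from the load balancer), otherwise every visitor arrives SNATed from a node IP and shares one bucket. And `enable-modsecurity` only works if the controller image has ModSecurity compiled in, which the upstream ingress-nginx image does; the day-long read/send timeouts are left as they are because they are presumably there for long-lived connections to the backend.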
qodo-code-review[bot] commented 2025-10-05 02:36:01 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1701#issuecomment-3368693904
Original created: 2025-10-05T02:36:01Z

PR Code Suggestions

Explore these optional code suggestions:

Category: Possible issue (applies to the three suggestions below)
Pin production deployment to a stable branch

For the production ArgoCD application, change the source.targetRevision from the
feature branch 1700-create-app-for-demo to a stable reference like HEAD or main.

k8s/argocd/applications/demo-prod.yaml [8-13]

 spec:
   project: default
   source:
     repoURL: https://github.com/carverauto/serviceradar.git
-    targetRevision: 1700-create-app-for-demo
+    targetRevision: HEAD
     path: k8s/demo/prod
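Review bot: the replacement `targetRevision: HEAD` is not a pin either; Argo CD resolves HEAD to the repository's default branch, so the value changes meaning if that branch is ever renamed or repointed. For a production application write the branch explicitly (`targetRevision: main`, the base this PR merged into) or, stricter, a release tag or commit SHA, so that an automated sync can never roll out an unreviewed commit. The feature-branch value has a second failure mode worth stating in the suggestion: once `1700-create-app-for-demo` is deleted after merge, Argo CD cannot resolve the revision at all and the application sits in a sync error until someone edits this file.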
Suggestion importance [1-10]: 8

Why: The suggestion correctly identifies a critical issue in the production deployment configuration where an ephemeral feature branch is used as the source, which is unstable and against best practices.

Impact: Medium
Avoid using 'latest' image tags

In the production kustomization.yaml, replace the latest and pre-release image
tags with specific, immutable version tags to ensure reproducible and stable
deployments.

k8s/demo/prod/kustomization.yaml [11-21]

 images:
 - name: ghcr.io/carverauto/serviceradar-core
-  newTag: v1.0.53-pre18
+  newTag: v1.0.53 # Use a stable version
 - name: ghcr.io/carverauto/serviceradar-web
-  newTag: latest
+  newTag: v1.2.0 # Use a stable version
 - name: ghcr.io/carverauto/serviceradar-agent
-  newTag: latest
+  newTag: v1.1.0 # Use a stable version
 - name: ghcr.io/carverauto/serviceradar-poller
-  newTag: latest
+  newTag: v1.1.0 # Use a stable version
 - name: ghcr.io/carverauto/serviceradar-snmp-checker
-  newTag: latest
+  newTag: v1.1.0 # Use a stable version
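Review bot: the tags on the `+` lines (v1.0.53, v1.2.0, v1.1.0) are placeholders, as the `# Use a stable version` comments admit, and nothing in this PR shows they exist in ghcr.io/carverauto; for any tag that does not exist, applying the diff verbatim trades a floating tag for ImagePullBackOff. Pin to tags the registry actually has, and for a production overlay prefer kustomize's `digest:` field over `newTag:`, which renders as `name@sha256:...`: a tag can be re-pushed to a different image, a digest cannot. Note also that the diff only touches the core tag's pre-release suffix in passing; the four `latest` entries on the `-` lines are what the 🔴 ticket item in the compliance comment refers to, and the merged PR leaves them as `latest`.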
Suggestion importance [1-10]: 8

Why: The suggestion highlights a critical anti-pattern of using latest and pre-release image tags in a production configuration, which undermines deployment stability and reproducibility.

Impact: Medium
Prevent silent file overwrites during extraction

In the alpine_netutils_rootfs_amd64 genrule, add the --keep-old-files flag to
the tar -xzf command to prevent silent overwrites when extracting multiple
tarballs to the same directory.

docker/images/BUILD.bazel [125-143]

 genrule(
     name = "alpine_netutils_rootfs_amd64",
     srcs = [
         ":apk_iputils_ping_rootfs_amd64.tar",
         ":apk_nmap_rootfs_amd64.tar",
         ":apk_netcat_rootfs_amd64.tar",
     ],
     outs = ["alpine_netutils_rootfs_amd64.tar"],
     cmd = """
 set -euo pipefail
 ROOT=$(@D)/netutils_root
 rm -rf "$${ROOT}"
 mkdir -p "$${ROOT}"
 for tarfile in $(SRCS); do
-  tar -xzf "$${tarfile}" -C "$${ROOT}"
+  tar -xzf "$${tarfile}" -C "$${ROOT}" --keep-old-files
 done
 tar -czf "$@" -C "$${ROOT}" .
 """,
 )
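Review bot: `--keep-old-files` is stricter than the description suggests: GNU tar does not skip an existing regular file quietly, it reports `Cannot open: File exists` and exits non-zero, and under `set -euo pipefail` that aborts the genrule. Turning a silent last-tar-wins into a hard build failure is the right default when merging three package trees, but say so in a comment next to the flag; pre-existing directories such as usr/bin and usr/lib are fine, only duplicate regular files trip it. If a warn-and-skip is preferred, GNU tar has `--skip-old-files`. The short form `-k` is accepted by both GNU and busybox tar, so it is the safer spelling if the build sandbox may provide either.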
Suggestion importance [1-10]: 6

Why: The suggestion correctly identifies a potential for silent file overwrites when merging tarballs, which could lead to unpredictable image contents, and proposes a valid solution to prevent it.

Impact: Low
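Taken together, the first two suggestions in the comment above amount to one rule for a GitOps production overlay: the Application must not follow a branch that can disappear, and its images must not float. The two fragments below show that rule written out, as an added example rather than the project's demo-prod.yaml or kustomization.yaml. The Application name, destination namespace and sync policy are assumptions, and each `sha256:REPLACE_WITH_DIGEST` is a placeholder to be filled from `crane digest <image>:<tag>` or `skopeo inspect`.

```yaml
# k8s/argocd/applications/demo-prod.yaml as an added example (not the PR's file).
# Assumptions: Application name, destination namespace, sync policy.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: serviceradar-demo-prod
  namespace: argocd
spec:
  project: default
  source:
    repoURL: https://github.com/carverauto/serviceradar.git
    # Follow the branch this PR merged into: not the feature branch (which can
    # be deleted after merge) and not HEAD (which silently tracks whatever the
    # default branch is). For a real production app a tag or commit SHA is stricter.
    targetRevision: main
    path: k8s/demo/prod
  destination:
    server: https://kubernetes.default.svc
    namespace: serviceradar
  syncPolicy:
    automated:
      prune: true       # resources removed from git are removed from the cluster
      selfHeal: true    # manual drift in the cluster is reverted to git
    syncOptions:
    - CreateNamespace=true
---
# images section of k8s/demo/prod/kustomization.yaml: pin by digest. A tag can be
# re-pushed to point at a different image; a digest cannot. Placeholders are to
# be filled from `crane digest <image>:<tag>` (or `skopeo inspect`).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
images:
- name: ghcr.io/carverauto/serviceradar-core
  digest: sha256:REPLACE_WITH_DIGEST   # was newTag: v1.0.53-pre18
- name: ghcr.io/carverauto/serviceradar-web
  digest: sha256:REPLACE_WITH_DIGEST   # was newTag: latest
- name: ghcr.io/carverauto/serviceradar-agent
  digest: sha256:REPLACE_WITH_DIGEST   # was newTag: latest
- name: ghcr.io/carverauto/serviceradar-poller
  digest: sha256:REPLACE_WITH_DIGEST   # was newTag: latest
- name: ghcr.io/carverauto/serviceradar-snmp-checker
  digest: sha256:REPLACE_WITH_DIGEST   # was newTag: latest
```

With `digest:` set, kustomize renders each container as `image: ghcr.io/...@sha256:...`, which `kubectl kustomize k8s/demo/prod | grep 'image:'` lets you confirm before committing. The consequence is deliberate: rolling a new image now means a commit to this file, so every image change in the production overlay goes through review instead of arriving whenever someone re-pushes `latest`.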
Reference
carverauto/serviceradar!2273