carverauto/serviceradar

Fork 0

fixing docker pulls #2446

Merged

mfreeman451 merged 3 commits from refs/pull/2446/head into main

2025-11-23 02:56:52 +00:00

mfreeman451 commented

2025-11-23 02:19:07 +00:00

(Migrated from github.com)

Owner

Imported from GitHub pull request.

Original GitHub pull request: #1978
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/1978
Original created: 2025-11-23T02:19:07Z
Original updated: 2025-12-08T06:54:39Z
Original head: carverauto/serviceradar:updates/rbe_fix_docker_pulls
Original base: main
Original merged: 2025-11-23T02:56:52Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Issue ticket number and link

Code checklist before requesting a review

I have signed the DCO?
The build completes without errors?
All tests are passing when running make test?

PR Type

Enhancement

Description

Add Docker authentication configuration for Bazel pulls
Use GitHub secrets for DockerHub credentials
Execute setup script during CI workflow

Diagram Walkthrough

flowchart LR
  A["GitHub Secrets<br/>DOCKERHUB_USERNAME<br/>DOCKERHUB_TOKEN"] -->|"Pass credentials"| B["buildbuddy_setup_docker_auth.sh"]
  B -->|"Configure Docker auth"| C["Bazel pulls<br/>authenticated"]

File Walkthrough

Relevant files

Configuration changes

main.yml

Add Docker auth configuration step to CI workflow

.github/workflows/main.yml

Add new workflow step to configure Docker authentication for Bazel
Conditionally run setup script when DockerHub credentials are
available
Pass DOCKERHUB_USERNAME and DOCKERHUB_TOKEN as environment variables
Execute buildbuddy_setup_docker_auth.sh script before test execution

+7/-0

Imported from GitHub pull request. Original GitHub pull request: #1978 Original author: @mfreeman451 Original URL: https://github.com/carverauto/serviceradar/pull/1978 Original created: 2025-11-23T02:19:07Z Original updated: 2025-12-08T06:54:39Z Original head: carverauto/serviceradar:updates/rbe_fix_docker_pulls Original base: main Original merged: 2025-11-23T02:56:52Z by @mfreeman451 --- ### **User description** ## IMPORTANT: Please sign the Developer Certificate of Origin Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include a [DCO sign-off statement]( https://developercertificate.org/) indicating the DCO acceptance in one commit message. Here is an example DCO Signed-off-by line in a commit message: ``` Signed-off-by: J. Doe <j.doe@domain.com> ``` ## Describe your changes ## Issue ticket number and link ## Code checklist before requesting a review - [ ] I have signed the DCO? - [ ] The build completes without errors? - [ ] All tests are passing when running make test? ___ ### **PR Type** Enhancement ___ ### **Description** - Add Docker authentication configuration for Bazel pulls - Use GitHub secrets for DockerHub credentials - Execute setup script during CI workflow ___ ### Diagram Walkthrough ```mermaid flowchart LR A["GitHub Secrets DOCKERHUB_USERNAME DOCKERHUB_TOKEN"] -->|"Pass credentials"| B["buildbuddy_setup_docker_auth.sh"] B -->|"Configure Docker auth"| C["Bazel pulls authenticated"] ``` <details> <summary><h3> File Walkthrough</h3></summary> <table><thead><tr><th></th><th align="left">Relevant files</th></tr></thead><tbody><tr><td>Configuration changes</td><td><table> <tr> <td> <details> <summary>main.yml<dd><code>Add Docker auth configuration step to CI workflow</code>                </dd></summary> <hr> .github/workflows/main.yml <ul><li>Add new workflow step to configure Docker authentication for Bazel <li> Conditionally run setup script when DockerHub credentials are available <li> Pass DOCKERHUB_USERNAME and DOCKERHUB_TOKEN as environment variables <li> Execute <code>buildbuddy_setup_docker_auth.sh</code> script before test execution</ul> </details> </td> <td><a href="https://github.com/carverauto/serviceradar/pull/1978/files#diff-7829468e86c1cc5d5133195b5cb48e1ff6c75e3e9203777f6b2e379d9e4882b3">+7/-0</a>      </td> </tr> </table></td></tr></tr></tbody></table> </details> ___

qodo-code-review[bot] commented

2025-11-23 02:19:28 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1978#issuecomment-3567391535
Original created: 2025-11-23T02:19:28Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
⚪	Secret leakage in CI logs Description: GitHub Actions step directly exposes DockerHub credentials as environment variables to a shell script without restricting permissions or masking script output, risking accidental secret leakage via verbose logs or echo statements in the script; ensure the script avoids printing env vars, disables command echoing where appropriate (set +x), and least-privilege scopes are used. main.yml [76-81] Referred Code `- name: Configure Docker auth for Bazel pulls if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }} env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} run: ./buildbuddy_setup_docker_auth.sh`
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: Missing audit logs: The new workflow step adds Docker auth configuration without any explicit logging of the action outcome, making it unclear whether critical authentication/configuration actions are auditable. Referred Code `- name: Configure Docker auth for Bazel pulls if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }} env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} run: ./buildbuddy_setup_docker_auth.sh` Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Unhandled script failures: The step runs './buildbuddy_setup_docker_auth.sh' without explicit error handling or fallback, and it is unclear if failures are handled or surfaced with actionable context. Referred Code `- name: Configure Docker auth for Bazel pulls if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }} env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} run: ./buildbuddy_setup_docker_auth.sh` Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Potential secret leakage: If the called script outputs errors, it may inadvertently echo DockerHub credentials unless the script suppresses or masks them, which is not verifiable from this diff. Referred Code `env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} run: ./buildbuddy_setup_docker_auth.sh` Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Secrets in env: Secrets are passed as environment variables to a script; without confirmation that the script avoids logging them, there is a risk of secret exposure in CI logs. Referred Code `env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} run: ./buildbuddy_setup_docker_auth.sh` Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Secret handling validation: The workflow passes external secret inputs to a shell script without visible validation or sanitization, and it is unclear whether the script securely handles and stores these credentials. Referred Code `env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} run: ./buildbuddy_setup_docker_auth.sh` Learn more about managing compliance generic rules or creating your own custom rules
Update

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1978#issuecomment-3567391535 Original created: 2025-11-23T02:19:28Z --- ## PR Compliance Guide 🔍  Below is a summary of compliance checks for this PR: <table><tbody><tr><td colspan='2'>Security Compliance</td></tr> <tr><td rowspan=1>⚪</td> <td><details><summary>Secret leakage in CI logs </summary> Description: GitHub Actions step directly exposes DockerHub credentials as environment variables to a shell script without restricting permissions or masking script output, risking accidental secret leakage via verbose logs or echo statements in the script; ensure the script avoids printing env vars, disables command echoing where appropriate (set +x), and least-privilege scopes are used. <a href='https://github.com/carverauto/serviceradar/pull/1978/files#diff-7829468e86c1cc5d5133195b5cb48e1ff6c75e3e9203777f6b2e379d9e4882b3R76-R81'>main.yml [76-81]</a> <details open><summary>Referred Code</summary> ```yaml - name: Configure Docker auth for Bazel pulls if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }} env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} run: ./buildbuddy_setup_docker_auth.sh ``` </details></details></td></tr> <tr><td colspan='2'>Ticket Compliance</td></tr> <tr><td>⚪</td><td><details><summary>🎫 No ticket provided </summary> - [ ] Create ticket/issue  </details></td></tr> <tr><td colspan='2'>Codebase Duplication Compliance</td></tr> <tr><td>⚪</td><td><details><summary>Codebase context is not defined </summary> Follow the <a href='https://qodo-merge-docs.qodo.ai/core-abilities/rag_context_enrichment/'>guide</a> to enable codebase context checks. </details></td></tr> <tr><td colspan='2'>Custom Compliance</td></tr> <tr><td rowspan=1>🟢</td><td> <details><summary>Generic: Meaningful Naming and Self-Documenting Code</summary> **Objective:** Ensure all identifiers clearly express their purpose and intent, making code self-documenting **Status:** Passed > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td rowspan=5>⚪</td> <td><details> <summary>Generic: Comprehensive Audit Trails</summary> **Objective:** To create a detailed and reliable record of critical system actions for security analysis and compliance. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1978/files#diff-7829468e86c1cc5d5133195b5cb48e1ff6c75e3e9203777f6b2e379d9e4882b3R76-R81'>Missing audit logs</a>: The new workflow step adds Docker auth configuration without any explicit logging of the action outcome, making it unclear whether critical authentication/configuration actions are auditable. <details open><summary>Referred Code</summary> ```yaml - name: Configure Docker auth for Bazel pulls if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }} env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} run: ./buildbuddy_setup_docker_auth.sh ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Robust Error Handling and Edge Case Management</summary> **Objective:** Ensure comprehensive error handling that provides meaningful context and graceful degradation **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1978/files#diff-7829468e86c1cc5d5133195b5cb48e1ff6c75e3e9203777f6b2e379d9e4882b3R76-R81'>Unhandled script failures</a>: The step runs './buildbuddy_setup_docker_auth.sh' without explicit error handling or fallback, and it is unclear if failures are handled or surfaced with actionable context. <details open><summary>Referred Code</summary> ```yaml - name: Configure Docker auth for Bazel pulls if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }} env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} run: ./buildbuddy_setup_docker_auth.sh ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Secure Error Handling</summary> **Objective:** To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1978/files#diff-7829468e86c1cc5d5133195b5cb48e1ff6c75e3e9203777f6b2e379d9e4882b3R78-R81'>Potential secret leakage</a>: If the called script outputs errors, it may inadvertently echo DockerHub credentials unless the script suppresses or masks them, which is not verifiable from this diff. <details open><summary>Referred Code</summary> ```yaml env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} run: ./buildbuddy_setup_docker_auth.sh ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Secure Logging Practices</summary> **Objective:** To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1978/files#diff-7829468e86c1cc5d5133195b5cb48e1ff6c75e3e9203777f6b2e379d9e4882b3R78-R81'>Secrets in env</a>: Secrets are passed as environment variables to a script; without confirmation that the script avoids logging them, there is a risk of secret exposure in CI logs. <details open><summary>Referred Code</summary> ```yaml env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} run: ./buildbuddy_setup_docker_auth.sh ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td><details> <summary>Generic: Security-First Input Validation and Data Handling</summary> **Objective:** Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities **Status:** <a href='https://github.com/carverauto/serviceradar/pull/1978/files#diff-7829468e86c1cc5d5133195b5cb48e1ff6c75e3e9203777f6b2e379d9e4882b3R78-R81'>Secret handling validation</a>: The workflow passes external secret inputs to a shell script without visible validation or sanitization, and it is unclear whether the script securely handles and stores these credentials. <details open><summary>Referred Code</summary> ```yaml env: DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} run: ./buildbuddy_setup_docker_auth.sh ``` </details> > Learn more about managing compliance <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#configuration-options'>generic rules</a> or creating your own <a href='https://qodo-merge-docs.qodo.ai/tools/compliance/#custom-compliance'>custom rules</a> </details></td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td></tr></tbody></table> <details><summary>Compliance status legend</summary> 🟢 - Fully Compliant 🟡 - Partial Compliant 🔴 - Not Compliant ⚪ - Requires Further Human Verification 🏷️ - Compliance label </details>

qodo-code-review[bot] commented

2025-11-23 02:20:11 +00:00

(Migrated from github.com)

Author

Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/1978#issuecomment-3567391970
Original created: 2025-11-23T02:20:11Z

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Impact
General	Use official action for authentication Replace the custom `buildbuddy_setup_docker_auth.sh` script with the official `docker/login-action` for a more standard and robust approach to Docker authentication. .github/workflows/main.yml [76-81] `-- name: Configure Docker auth for Bazel pulls +- name: Log in to Docker Hub if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }} - env: - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} - run: ./buildbuddy_setup_docker_auth.sh + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }}` Apply / Chat Suggestion importance[1-10]: 7 __ Why: The suggestion correctly proposes replacing a custom script with the official `docker/login-action`, which is a more robust, secure, and standard practice for handling Docker authentication in GitHub Actions.	Medium
Update

Imported GitHub PR comment. Original author: @qodo-code-review[bot] Original URL: https://github.com/carverauto/serviceradar/pull/1978#issuecomment-3567391970 Original created: 2025-11-23T02:20:11Z --- ## PR Code Suggestions ✨  Explore these optional code suggestions: <table><thead><tr><td>Category</td><td align=left>Suggestion                                                                                                                                    </td><td align=center>Impact</td></tr><tbody><tr><td rowspan=1>General</td> <td> <details><summary>Use official action for authentication</summary> ___ **Replace the custom <code>buildbuddy_setup_docker_auth.sh</code> script with the official <code>docker/login-action</code> for a more standard and robust approach to Docker authentication.** [.github/workflows/main.yml [76-81]](https://github.com/carverauto/serviceradar/pull/1978/files#diff-7829468e86c1cc5d5133195b5cb48e1ff6c75e3e9203777f6b2e379d9e4882b3R76-R81) ```diff -- name: Configure Docker auth for Bazel pulls +- name: Log in to Docker Hub if: ${{ secrets.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '' }} - env: - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} - run: ./buildbuddy_setup_docker_auth.sh + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} ``` - [ ] **Apply / Chat**  <details><summary>Suggestion importance[1-10]: 7</summary> __ Why: The suggestion correctly proposes replacing a custom script with the official `docker/login-action`, which is a more robust, secure, and standard practice for handling Docker authentication in GitHub Actions. </details></details></td><td align=center>Medium </td></tr> <tr><td align="center" colspan="2"> - [ ] Update  </td><td></td></tr></tbody></table>