changing to latest tags #2665

Merged
mfreeman451 merged 1 commit from refs/pull/2665/head into staging 2026-01-14 06:24:57 +00:00
mfreeman451 commented 2026-01-14 06:23:49 +00:00 (Migrated from github.com)
Owner

Imported from GitHub pull request.

Original GitHub pull request: #2285
Original author: @mfreeman451
Original URL: https://github.com/carverauto/serviceradar/pull/2285
Original created: 2026-01-14T06:23:49Z
Original updated: 2026-01-14T06:25:31Z
Original head: carverauto/serviceradar:chore/switch-to-latest-tags
Original base: staging
Original merged: 2026-01-14T06:24:57Z by @mfreeman451

User description

IMPORTANT: Please sign the Developer Certificate of Origin

Thank you for your contribution to ServiceRadar. Please note, when contributing, the developer must include
a DCO sign-off statement indicating the DCO acceptance in one commit message. Here
is an example DCO Signed-off-by line in a commit message:

Signed-off-by: J. Doe <j.doe@domain.com>

Describe your changes

Code checklist before requesting a review

  • I have signed the DCO?
  • The build completes without errors?
  • All tests are passing when running make test?

PR Type

Enhancement, Documentation


Description

  • Switch default image tags from pinned versions to latest for dev environments

  • Add validation script to enforce latest tag defaults across configs

  • Update documentation to clarify latest defaults and optional pinning workflow

  • Mark all implementation tasks as complete in openspec checklist


Diagram Walkthrough

flowchart LR
  A["Dev Config Files"] -->|"Update to latest"| B["Helm values & Docker Compose"]
  C["Validation Script"] -->|"Enforce consistency"| B
  D["Documentation"] -->|"Clarify defaults & pinning"| E["User Guidance"]
  B -->|"Enable mutable tag tracking"| F["Latest Image Deployments"]

File Walkthrough

Relevant files

Enhancement (2 files)
  • check-dev-image-tags.sh: New validation script for image tag defaults (+37/-0)
  • Makefile: Add check-dev-image-tags validation target (+4/-0)

Configuration changes (2 files)
  • .env.example: Update default APP_TAG to latest (+3/-3)
  • values-demo-staging.yaml: Change imageTag from pinned SHA to latest (+1/-1)

Documentation (6 files)
  • README-Docker.md: Document latest tag defaults and APP_TAG pinning (+3/-1)
  • README.md: Add Helm latest tag default documentation (+2/-0)
  • docker-setup.md: Simplify startup and update version references (+11/-6)
  • helm-configuration.md: Clarify default latest tag behavior (+1/-0)
  • README.md: Update Helm dev deployment examples (+8/-1)
  • tasks.md: Mark all implementation tasks as complete (+5/-5)

qodo-code-review[bot] commented 2026-01-14 06:24:27 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2285#issuecomment-3747988487
Original created: 2026-01-14T06:24:27Z

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Mutable image tag risk

Description: Switching the demo-staging deployment to a mutable latest image tag combined with
imagePullPolicy: Always can enable supply-chain/rollback risk (e.g., a compromised
registry account or overwritten latest can introduce unintended/unreviewed code into the
environment on restart/redeploy).
values-demo-staging.yaml [7-8]

Referred Code
imageTag: "latest"
imagePullPolicy: Always

Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue

Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed


Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
qodo-code-review[bot] commented 2026-01-14 06:24:43 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2285#issuecomment-3747989230
Original created: 2026-01-14T06:24:43Z

CI Feedback 🧐

A test triggered by this PR failed. Here is an AI-generated analysis of the failure:

Action: build

Failed stage: Configure SRQL fixture database for tests [❌]

Failed test name: ""

Failure summary:

The action failed during environment/setup because a required secret for the test database TLS was not provided.
- The job explicitly aborts with: SRQL_TEST_DATABASE_CA_CERT secret must be configured to verify SRQL fixture TLS.
- The step then exits with code 1, causing the workflow to fail.

Relevant error logs:
1:  Runner name: 'arc-runner-set-hk6mk-runner-s6kwj'
2:  Runner group name: 'Default'
...

139:  if command -v apt-get >/dev/null 2>&1; then
140:    sudo apt-get update
141:    sudo apt-get install -y build-essential pkg-config libssl-dev protobuf-compiler cmake flex bison
142:  elif command -v dnf >/dev/null 2>&1; then
143:    sudo dnf install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison
144:  elif command -v yum >/dev/null 2>&1; then
145:    sudo yum install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison
146:  elif command -v microdnf >/dev/null 2>&1; then
147:    sudo microdnf install -y gcc gcc-c++ make openssl-devel protobuf-compiler cmake flex bison
148:  else
149:    echo "Unsupported package manager; please install gcc, g++ (or clang), make, OpenSSL headers, pkg-config, and protoc manually." >&2
150:    exit 1
151:  fi
152:
153:  ensure_pkg_config
154:  protoc --version || (echo "protoc installation failed" && exit 1)
155:  shell: /usr/bin/bash -e {0}
...

316:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
317:  env:
318:  BUILDBUDDY_ORG_API_KEY: ***
319:  SRQL_TEST_DATABASE_URL: ***
320:  SRQL_TEST_ADMIN_URL: ***
321:  SRQL_TEST_DATABASE_CA_CERT: 
322:  DOCKERHUB_USERNAME: ***
323:  DOCKERHUB_TOKEN: ***
324:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
325:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
326:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
327:  ##[endgroup]
328:  ##[group]Run : install rustup if needed
329:  : install rustup if needed
330:  if ! command -v rustup &>/dev/null; then
331:    curl --proto '=https' --tlsv1.2 --retry 10 --retry-connrefused --location --silent --show-error --fail https://sh.rustup.rs | sh -s -- --default-toolchain none -y
332:    echo "$CARGO_HOME/bin" >> $GITHUB_PATH
...

472:  shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
473:  env:
474:  BUILDBUDDY_ORG_API_KEY: ***
475:  SRQL_TEST_DATABASE_URL: ***
476:  SRQL_TEST_ADMIN_URL: ***
477:  SRQL_TEST_DATABASE_CA_CERT: 
478:  DOCKERHUB_USERNAME: ***
479:  DOCKERHUB_TOKEN: ***
480:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
481:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
482:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
483:  CARGO_HOME: /home/runner/.cargo
484:  CARGO_INCREMENTAL: 0
485:  CARGO_TERM_COLOR: always
486:  ##[endgroup]
487:  ##[group]Run : work around spurious network errors in curl 8.0
488:  : work around spurious network errors in curl 8.0
489:  # https://rust-lang.zulipchat.com/#narrow/stream/246057-t-cargo/topic/timeout.20investigation
...

540:  SRQL_TEST_DATABASE_CA_CERT: 
541:  DOCKERHUB_USERNAME: ***
542:  DOCKERHUB_TOKEN: ***
543:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
544:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
545:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
546:  CARGO_HOME: /home/runner/.cargo
547:  CARGO_INCREMENTAL: 0
548:  CARGO_TERM_COLOR: always
549:  ##[endgroup]
550:  Attempting to download 1.x...
551:  Acquiring v1.27.0 from https://github.com/bazelbuild/bazelisk/releases/download/v1.27.0/bazelisk-linux-amd64
552:  Adding to the cache ...
553:  Successfully cached bazelisk to /home/runner/_work/_tool/bazelisk/1.27.0/x64
554:  Added bazelisk to the path
555:  ##[warning]Failed to restore: Cache service responded with 400
556:  Restored bazelisk cache dir @ /home/runner/.cache/bazelisk
...

622:  env:
623:  BUILDBUDDY_ORG_API_KEY: ***
624:  SRQL_TEST_DATABASE_URL: ***
625:  SRQL_TEST_ADMIN_URL: ***
626:  SRQL_TEST_DATABASE_CA_CERT: 
627:  DOCKERHUB_USERNAME: ***
628:  DOCKERHUB_TOKEN: ***
629:  TEST_CNPG_DATABASE: serviceradar_web_ng_test
630:  INSTALL_DIR_FOR_OTP: /home/runner/_work/_temp/.setup-beam/otp
631:  INSTALL_DIR_FOR_ELIXIR: /home/runner/_work/_temp/.setup-beam/elixir
632:  CARGO_HOME: /home/runner/.cargo
633:  CARGO_INCREMENTAL: 0
634:  CARGO_TERM_COLOR: always
635:  ##[endgroup]
636:  SRQL_TEST_DATABASE_CA_CERT secret must be configured to verify SRQL fixture TLS.
637:  ##[error]Process completed with exit code 1.
638:  Post job cleanup.

qodo-code-review[bot] commented 2026-01-14 06:25:31 +00:00 (Migrated from github.com)
Author
Owner

Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2285#issuecomment-3747992309
Original created: 2026-01-14T06:25:31Z

PR Code Suggestions

Explore these optional code suggestions:

Category | Suggestion | Impact
High-level
Defaulting to 'latest' tag risks inconsistencies

Instead of defaulting to the mutable 'latest' tag, use immutable, per-commit
tags (e.g., sha-<githash>) to ensure reproducible development environments. A helper
script could be provided for developers to easily update to the latest commit's
tag.

Examples:

.env.example [8-10]
# ServiceRadar image tag (used by docker-compose.yml)
# Default: latest
APP_TAG=latest
helm/serviceradar/values-demo-staging.yaml [6-7]
global:
  imageTag: "latest"

Solution Walkthrough:

Before:

// .env.example
# ServiceRadar image tag (used by docker-compose.yml)
# Default: latest
APP_TAG=latest

// helm/serviceradar/values-demo-staging.yaml
global:
  imageTag: "latest"
  imagePullPolicy: Always

// scripts/check-dev-image-tags.sh
// ... script logic to enforce "latest" tag in dev configs

After:

// .env.example
# ServiceRadar image tag (used by docker-compose.yml)
# Default: sha-<githash>
APP_TAG=sha-abcdef1

// helm/serviceradar/values-demo-staging.yaml
global:
  imageTag: "sha-abcdef1"
  imagePullPolicy: IfNotPresent

// scripts/update-to-latest-commit.sh (new script)
LATEST_SHA=$(git rev-parse --short HEAD)
// logic to update APP_TAG and imageTag in config files
// to the new sha-<githash>

Suggestion importance[1-10]: 8


Why: The suggestion addresses a fundamental design choice in the PR, highlighting the significant risk of non-reproducible builds by using the mutable latest tag and proposing a robust alternative.

Medium
Possible issue
Prevent false positives in script

To prevent false positives in the check-dev-image-tags.sh script, add a check to
ensure the matched variable is not empty before filtering its content.

scripts/check-dev-image-tags.sh [18-20]

 matched=$(rg -n 'image:\s+ghcr.io/carverauto/serviceradar-' "$file" || true)
-matched=$(printf '%s\n' "$matched" | rg -v 'serviceradar-cnpg' || true)
-matched=$(printf '%s\n' "$matched" | rg -F -v '${APP_TAG:-latest}' || true)
+if [[ -n "$matched" ]]; then
+  matched=$(printf '%s\n' "$matched" | rg -v 'serviceradar-cnpg' || true)
+  matched=$(printf '%s\n' "$matched" | rg -F -v '${APP_TAG:-latest}' || true)
+fi
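Review bot: The `|| true` kept on all three `rg` calls makes this check fail open: ripgrep exits 1 for "no match" but 2 for an error such as an unreadable `"$file"`, and both are swallowed, so a file that cannot be read leaves `matched` empty and passes. Accept only exit status 1 as "no match" and abort on anything higher. On the new guard, `if [[ -n "$matched" ]]` tests only the first result; if the `serviceradar-cnpg` filter empties `matched`, the `${APP_TAG:-latest}` filter still runs on an empty string, so add a test case showing which input produced the false positive before relying on the branch.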
Suggestion importance[1-10]: 7


Why: The suggestion correctly identifies a subtle bug in the new validation script that could lead to false-positive failures, and the proposed fix is accurate.

Medium
General
invoke script with bash

In the Makefile, invoke the check-dev-image-tags.sh script explicitly with bash
for better portability.

Makefile [118]

-@scripts/check-dev-image-tags.sh
+@bash scripts/check-dev-image-tags.sh
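Review bot: With `@bash scripts/check-dev-image-tags.sh` the script's `#!` line is no longer read, so any interpreter options given there stop applying; set strict-mode options such as `set -euo pipefail` in the script body instead. The leading `@` also hides the command in make's output, so a failing check is only as clear as what the script itself prints; have it name the offending file on stderr.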
Suggestion importance[1-10]: 4


Why: This is a good practice that improves the robustness and portability of the Makefile target by removing the dependency on the script's executable bit.

Low
broaden anchor regex match

In check-dev-image-tags.sh, update the rg regex to be more flexible regarding
whitespace and optional quotes to prevent validation failures from minor
formatting changes.

scripts/check-dev-image-tags.sh [6]

-if ! rg -n 'appTag: &appTag "latest"' helm/serviceradar/values.yaml >/dev/null; then
+if ! rg -n 'appTag:\s*&appTag\s*"?(latest)"?' helm/serviceradar/values.yaml >/dev/null; then
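Review bot: The relaxed pattern on the `+` line has no end anchor and makes both quotes optional, so `appTag: &appTag "latest-rc1"` or an unquoted `latestfoo` would also satisfy a check meant to accept only latest. Close the match after the optional quote, for example `"?latest"?\s*(#.*)?$`, and drop the capture group around `latest` since nothing reads it. Neither version anchors the start of the line, so a commented-out `# appTag: &appTag "latest"` passes as well.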
Suggestion importance[1-10]: 3

Why: The suggestion makes the regex in the validation script more robust against minor formatting changes, which is a minor improvement for maintainability.

Low
Imported GitHub PR comment.

Original author: @qodo-code-review[bot]
Original URL: https://github.com/carverauto/serviceradar/pull/2285#issuecomment-3747992309
Original created: 2026-01-14T06:25:31Z