NO-ISSUE: Bump the docker-dependencies group across 1 directory with 2 updates #671
dependabot[bot] wants to merge 1 commit into
@dependabot[bot]: This pull request explicitly references no jira issue.
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #671 +/- ##
==========================================
+ Coverage 61.74% 62.13% +0.38%
==========================================
Files 27 27
Lines 1767 1793 +26
==========================================
+ Hits 1091 1114 +23
- Misses 510 512 +2
- Partials 166 167 +1
c14ab93 to 78d0b62
ffb0c90 to f69938b
f69938b to 07c0f34
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by: dependabot[bot]
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
07c0f34 to 367a326
Walkthrough
Build-stage Go toolset image tags updated to
Changes
Dockerfile base-image and runtime pinning
Estimated code review effort
🎯 2 (Simple) | ⏱️ ~10 minutes
Important
Pre-merge checks failed
Please resolve all errors before merging. Addressing warnings is optional.
❌ Failed checks (1 error, 1 warning)
✅ Passed checks (13 passed)
🧹 Nitpick comments (1)
Dockerfile.image-service-build (1)
1-30: Add a non-root `USER` directive in the final stage.
This Dockerfile currently runs as root at runtime. The final stage (lines 9–29) lacks an explicit non-root user, which weakens the least-privilege posture. Consider adding a `USER` directive to run the container with reduced privileges.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Dockerfile.image-service-build` around lines 1 - 30, The final stage runs as root; create and switch to a non-root user by adding steps after the existing RUN chmod lines to (1) create a dedicated user/group (e.g., "appuser"), (2) set a home directory and ensure ownership of GOROOT and GOPATH (use the ENV names GOROOT and GOPATH), and (3) add a USER appuser directive so the container runs with reduced privileges; ensure any files/dirs the image needs at runtime are chown'd to that user before the USER line.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 13c3680d-0ae1-4782-8282-2a61c8cd3273
📒 Files selected for processing (3)
- Dockerfile.image-service
- Dockerfile.image-service-build
- Dockerfile.image-service-mce
367a326 to 17639d2
17639d2 to aa4d7f9
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@Dockerfile.image-service-build`:
- Line 1: The Dockerfile uses registry.access.redhat.com/ubi9/go-toolset:9.7
which provides Go 1.17.7 and conflicts with the module's go version go1.25.5;
update the FROM line in Dockerfile.image-service-build to a tag that includes Go
1.25.x (for example use registry.access.redhat.com/ubi9/go-toolset:1.25 or a
later 1.25.* tag) so the build toolchain matches the go.mod requirement and
avoids incompatible compiler behavior.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: b9e09f01-e195-4b79-806d-048c6d3c0c56
📒 Files selected for processing (3)
- Dockerfile.image-service
- Dockerfile.image-service-build
- Dockerfile.image-service-mce
✅ Files skipped from review due to trivial changes (2)
- Dockerfile.image-service-mce
- Dockerfile.image-service
| @@ -1,4 +1,4 @@ | |||
| FROM registry.access.redhat.com/ubi9/go-toolset:1.25 AS golang | |||
| FROM registry.access.redhat.com/ubi9/go-toolset:9.7 AS golang | |||
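Review bot: The new tag on line 1, `go-toolset:9.7`, follows a different numbering scheme from the `1.25` it replaces, so the Dockerfile no longer states which Go release the `golang` build stage provides. Before merging, confirm the Go version inside the `9.7` image against the module's toolchain requirement, for example by running `go version` in that stage. If the repository wants tags that name the Go release, keep `:1.25` and add a Dependabot ignore rule for the other tag family so this bump is not proposed again.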
🧩 Analysis chain
🌐 Web query:
What Go version is included in Red Hat UBI9 go-toolset 9.7 image?
💡 Result:
The Go version included in the Red Hat UBI9 go-toolset 9.7 image is Go 1.17.7. This is based on official Red Hat documentation for RHEL 9 / UBI9 go-toolset packages, which specify go-toolset-1.17.7 as the package providing Go 1.17. The image tags like 9.7-1776962329 correspond to UBI 9.7 base with the go-toolset module installed, and documentation confirms this version for RHEL9/UBI9. Newer docs for Go 1.22/1.25 toolsets exist but are not tied to the specific 9.7 tag.
Citations:
- 1: https://docs.redhat.com/en/documentation/red_hat_developer_tools/1/html/using_go_1.17.7_toolset/assembly_container-images-with-go-toolset
- 2: https://docs.redhat.com/en/documentation/red_hat_developer_tools/1/html-single/using_go_1.17.7_toolset/index
🌐 Web query:
Red Hat UBI9 go-toolset versioning scheme documentation
💡 Result:
Red Hat UBI9 go-toolset follows a rolling versioning scheme as part of the Red Hat Enterprise Linux (RHEL) Application Streams. Go Toolset is classified as a "Rolling Application Stream," meaning Red Hat releases updates to the latest upstream Go versions through asynchronous errata, typically within 3 months of each upstream Go release (which occurs every 6 months). Only the latest version is supported; previous versions are retired after a short maintenance period.
Key aspects of the versioning scheme:
- Package name: go-toolset (no major version prefix like gcc-toolset; the Go version is specified in documentation).
- Installation in UBI9: Use yum install -y go-toolset on registry.access.redhat.com/ubi9/ubi base image, or pull registry.access.redhat.com/ubi9/go-toolset directly.
- Updates track upstream Go releases (e.g., Go 1.19.6, 1.20.10, 1.21.0, 1.25 in various docs; latest noted as Go 1.25.3 available in RHEL 9.7 as of Dec 2025).
- Life cycle: Rolling, with support only for the current version per RHEL minor release. See retired streams for past versions (e.g., Go 1.17.x to 1.18.4 retired).
- Official tracking: Red Hat Go Toolset Development Status Page and Application Streams Life Cycle document.
For the most current version, check the Red Hat Ecosystem Catalog or pull the latest image tag.
Citations:
- 1: https://access.redhat.com/articles/7116095
- 2: https://docs.redhat.com/en/documentation/red_hat_developer_tools/1/html-single/using_go_1.25_toolset/using_go_1.25_toolset
- 3: https://access.redhat.com/node/4079021/
- 4: https://docs.redhat.com/en/documentation/red_hat_developer_tools/1/html/using_go_1.25_toolset/container-images-with-go-toolset
- 5: https://docs.redhat.com/en/documentation/red_hat_developer_tools/1/html/using_go_1.20.10_toolset/assembly_container-images-with-go-toolset_using-go-toolset
- 6: https://docs.redhat.com/en/documentation/red_hat_developer_tools/1/html/using_go_1.19.6_toolset/assembly_container-images-with-go-toolset
- 7: https://access.redhat.com/errata/RHBA-2026:3989
This base image contains Go 1.17.7, which is incompatible with your go.mod requirement of Go 1.25.5.
The UBI9 go-toolset tag 9.7 contains Go 1.17.7 (per Red Hat official documentation), not the Go 1.25 you need. Your go.mod specifies toolchain go1.25.5, so switching to this image will cause your build to fail with toolchain version errors or silently build with an incompatible Go version that doesn't support 1.25 features.
Use registry.access.redhat.com/ubi9/go-toolset:1.25 or a more recent tag that includes Go 1.25.x.
🧰 Tools
🪛 Trivy (0.69.3)
[error] 1-1: Image user should not be 'root'
Specify at least 1 USER command in Dockerfile with non-root user as argument
Rule: DS-0002
(IaC/Dockerfile)
…2 updates
Bumps the docker-dependencies group with 2 updates in the / directory: ubi9/go-toolset and ubi9/ubi-minimal.
Updates `ubi9/go-toolset` from 1.25 to 9.8
Updates `ubi9/ubi-minimal` from `6fc28bc` to `ae09ecc`
---
updated-dependencies:
- dependency-name: ubi9/go-toolset
  dependency-version: '9.7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: docker-dependencies
- dependency-name: ubi9/ubi-minimal
  dependency-version: latest
  dependency-type: direct:production
  dependency-group: docker-dependencies
...
Signed-off-by: dependabot[bot] <support@github.com>
aa4d7f9 to bf4d3da
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@Dockerfile.image-service`:
- Line 48: The Dockerfile currently pins the Red Hat base image by digest in the
FROM line (the entry starting with "FROM
registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:…"); change this to
use a floating tag managed by Red Hat (e.g., replace the digest form with
":latest" or a UBI version tag like ":9.8") so the image receives upstream
updates and complies with the Red Hat images guideline.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 84e3473a-3bb0-4228-a436-6f1deb4ee35a
📒 Files selected for processing (3)
- Dockerfile.image-service
- Dockerfile.image-service-build
- Dockerfile.image-service-mce
🚧 Files skipped from review as they are similar to previous changes (1)
- Dockerfile.image-service-mce
| ## Runtime | ||
| FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:6fc28bcb6776e387d7a35a2056d9d2b985dc4e26031e98a2bd35a7137cd6fd71 | ||
| FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:ae09ecc3d754bc1726cbda3e2599cc7839e09fe1cc547ce173cf669b645be3cc |
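Review bot: The new runtime `FROM` line still carries both `:latest` and `@sha256:ae09ecc…`; when a digest is present it alone selects the image, so `latest` tells a reader nothing about which UBI release is pinned. Consider replacing `latest` with the version tag this digest was resolved from, or dropping the tag, so the line documents what is actually being pulled.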
Red Hat images should use floating tags, not digest pins.
The ubi-minimal image is from Red Hat (registry.access.redhat.com), so per coding guidelines it should use a floating tag like :latest or :9.8 to allow Red Hat to manage updates. Pinning by digest (:latest@sha256:ae09ec...) prevents automatic security updates and violates the guideline: "Red Hat images: use floating tags (Red Hat manages updates)."
🔧 Suggested fix
-FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:ae09ecc3d754bc1726cbda3e2599cc7839e09fe1cc547ce173cf669b645be3cc
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latestOr use a specific UBI version tag:
-FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:ae09ecc3d754bc1726cbda3e2599cc7839e09fe1cc547ce173cf669b645be3cc
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.8📝 Committable suggestion
| FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:ae09ecc3d754bc1726cbda3e2599cc7839e09fe1cc547ce173cf669b645be3cc | |
| FROM registry.access.redhat.com/ubi9/ubi-minimal:latest |
Source: Coding guidelines
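Added example, not part of the PR or of any bot's output: a small Python check that applies the three points raised in this thread to a Dockerfile's text, reporting what each `FROM` reference actually pins, whether a go-toolset tag names the Go release required by `go.mod`, and whether the final stage sets a non-root `USER` (Trivy DS-0002). The function names, the `go_toolchain` parameter and the filler lines in `SAMPLE` are assumptions; like the Trivy rule, it reads only the Dockerfile and does not see a `USER` inherited from the base image.

```python
import re

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+\S+)?\s*$", re.I)

# Constructed sample: both FROM lines are this PR's "after" state; RUN/COPY are filler.
SAMPLE = """\
FROM registry.access.redhat.com/ubi9/go-toolset:9.7 AS golang
RUN go build -o /tmp/app .
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:ae09ecc3d754bc1726cbda3e2599cc7839e09fe1cc547ce173cf669b645be3cc
COPY --from=golang /tmp/app /app
"""

def split_ref(ref):
    """Split an image reference into (name, tag, digest); absent parts are None."""
    name, _, digest = ref.partition("@")
    last = name.rsplit("/", 1)[-1]   # a ':' before the last '/' is a registry port
    tag = last.partition(":")[2] or None
    if tag:
        name = name[: -(len(tag) + 1)]
    return name, tag, digest or None

def audit(dockerfile, go_toolchain=None):
    """Return (line_no, message) findings; go_toolchain is go.mod's value, e.g. 'go1.25.5'."""
    findings, stages = [], []        # stages: [FROM line number, last USER seen]
    for no, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        m = FROM_RE.match(line)
        if m:
            stages.append([no, None])
            name, tag, digest = split_ref(m["ref"])
            if digest and tag:
                findings.append((no, f"tag '{tag}' is informational; {digest[:19]} selects the image"))
            elif not digest:
                findings.append((no, f"tag '{tag or 'latest'}' floats; content can change between builds"))
            if go_toolchain and name.endswith("/go-toolset"):
                want = ".".join(go_toolchain.removeprefix("go").split(".")[:2])
                if tag != want and not (tag or "").startswith(want + "."):
                    findings.append((no, f"tag '{tag}' does not name Go {want}; check `go version` in the image"))
        elif stages and line.upper().startswith("USER "):
            stages[-1][1] = line.split()[1].split(":")[0]
    if stages and stages[-1][1] in (None, "root", "0"):
        findings.append((stages[-1][0], "final stage sets no non-root USER (Trivy DS-0002)"))
    return findings

if __name__ == "__main__":
    for no, msg in audit(SAMPLE, go_toolchain="go1.25.5"):
        print(f"line {no}: {msg}")
```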
@dependabot[bot]: The following test failed, say
Bumps the docker-dependencies group with 2 updates in the / directory: ubi9/go-toolset and ubi9/ubi-minimal.
Updates `ubi9/go-toolset` from 1.25 to 9.8
Updates `ubi9/ubi-minimal` from `6fc28bc` to `ae09ecc`