CI: remove (future) deprecated --preserve-env flag#625
Conversation
|
Warning Review limit reached
More reviews will be available in 8 minutes and 49 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
WalkthroughThe PR updates CI build scripts to remove sudo's --preserve-env and instead pass needed environment variables explicitly into the spawned login shells. ci/tasks/build.sh now injects GEM_HOME plus UBUNTU_ADVANTAGE_TOKEN and UBUNTU_FIPS_USE_IAAS_KERNEL into the sudo-launched bash. ci/tasks/os-images/build.sh now uses sudo --set-home --user ubuntu -- with a here-doc and uses bracketed ${VAR} expansions for the rake task arguments. Suggested reviewers
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR updates the Concourse stemcell build task to avoid using sudo --preserve-env (which now emits warnings / is ignored) by explicitly ensuring the RubyGems install location (GEM_HOME) is available when running bundle install as the ubuntu user.
Changes:
- Replaces
sudo --preserve-env ...with an invocation intended to passGEM_HOMEinto theubuntulogin shell during the build task.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
ci/tasks/build.sh (1)
80-87: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick winLGTM!
The sudo invocation change correctly addresses the deprecated
--preserve-envissue by explicitly passingGEM_HOME. The syntax is valid:VAR=valuebefore the command passes environment variables through sudo,--set-homesets HOME to ubuntu's home directory, and the--separator is good practice.🛡️ Optional: Add defensive validation
Consider adding a validation check before the sudo invocation to fail fast if
GEM_HOMEis not set in the parent environment:if [[ -z "${GEM_HOME:-}" ]]; then echo "ERROR: GEM_HOME environment variable must be set" >&2 exit 1 fi sudo --set-home --user ubuntu GEM_HOME="${GEM_HOME}" -- /bin/bash --login -i <<SUDOThis would provide a clearer error message if the Docker environment is misconfigured, rather than letting bundle install fail with permission errors.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@ci/tasks/build.sh` around lines 80 - 87, Add a defensive check that GEM_HOME is set before running the sudo block: verify the GEM_HOME environment variable is non-empty and if it is empty print a clear error to stderr and exit non-zero, then proceed to the existing sudo invocation (the sudo --set-home --user ubuntu GEM_HOME="${GEM_HOME}" -- /bin/bash --login -i <<SUDO block) so bundle install and the subsequent bundle exec rake stemcell:build[...] don't run with a missing GEM_HOME.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In `@ci/tasks/build.sh`:
- Around line 80-87: Add a defensive check that GEM_HOME is set before running
the sudo block: verify the GEM_HOME environment variable is non-empty and if it
is empty print a clear error to stderr and exit non-zero, then proceed to the
existing sudo invocation (the sudo --set-home --user ubuntu
GEM_HOME="${GEM_HOME}" -- /bin/bash --login -i <<SUDO block) so bundle install
and the subsequent bundle exec rake stemcell:build[...] don't run with a missing
GEM_HOME.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 7cf582ef-afda-4853-8f61-a820b6524813
📒 Files selected for processing (1)
ci/tasks/build.sh
aramprice
dismissed stale reviews from coderabbitai[bot] and julian-hj
via
12773f4
aramprice
dismissed stale reviews from julian-hj and coderabbitai[bot]
via
2c64dba
aramprice
force-pushed
the
sudo-fix
branch
2 times, most recently
from
2c64dba to
c0c031c
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@ci/tasks/build.sh`:
- Line 82: Change the variable expansion for UBUNTU_ADVANTAGE_TOKEN in the env
assignment to use the non-assigning default operator ":-" instead of ":=" so the
current shell variable is not modified; locate the env line that sets
UBUNTU_ADVANTAGE_TOKEN (the one using
UBUNTU_ADVANTAGE_TOKEN="${UBUNTU_ADVANTAGE_TOKEN:=}") and replace the operator
so it reads as a default-only expansion
UBUNTU_ADVANTAGE_TOKEN="${UBUNTU_ADVANTAGE_TOKEN:-}" to match the other lines
and maintain consistency.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: a7e48558-e183-403d-908a-f0a8d2e92da6
📒 Files selected for processing (2)
ci/tasks/build.shci/tasks/os-images/build.sh
Explicitly pass: - GEM_HOME - BUILD_TIME - UBUNTU_ADVANTAGE_TOKEN - UBUNTU_FIPS_USE_IAAS_KERNEL Fixes: ``` sudo: preserving the entire environment is not supported, '--preserve-env' is ignored ubuntu@21f652d6-b208-4386-b0c0-097e26578228:/tmp/build/44575cf5$ set -e ubuntu@21f652d6-b208-4386-b0c0-097e26578228:/tmp/build/44575cf5$ ubuntu@21f652d6-b208-4386-b0c0-097e26578228:/tmp/build/44575cf5$ cd "/tmp/build/44575cf5/bosh-linux-stemcell-builder" ubuntu@21f652d6-b208-4386-b0c0-097e26578228:/tmp/build/44575cf5/bosh-linux-stemcell-builder$ bundle install Bundler 4.0.13 is running, but your lockfile was generated with 2.5.23. Installing Bundler 2.5.23 and restarting using that version. Fetching gem metadata from https://rubygems.org/. Fetching bundler 2.5.23 Retrying download gem from https://rubygems.org/ due to error (2/4): Bundler::PermissionError There was an error while trying to write to `/usr/local/lib/ruby/gems/3.3.0/cache/bundler-2.5.23.gem`. It is likely that you need to grant write permissions for that path. ``` ^ https://bosh.ci.cloudfoundry.org/teams/stemcell/pipelines/ubuntu-resolute-builder/jobs/build-os-image/builds/1#L6a052874:4:13
Fixes:
^ https://bosh.ci.cloudfoundry.org/teams/stemcell/pipelines/ubuntu-resolute-builder/jobs/build-os-image/builds/1#L6a052874:4:13