fix: drop container image digest pinning, unify uv version, bump Fedora to 44 #781
📝 Walkthrough
This PR upgrades Fedora base images from version 43 to 44 across CI workflows and Dockerfiles, and enhances Renovate to automatically track Fedora updates in shell scripts via a custom regex manager while disabling digest pinning.
Changes: Infrastructure Updates
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
🚥 Pre-merge checks: 5 passed
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/build-oci-bundle.yaml:
- Line 9: The podman fallback image in the script build_fits.sh is still
hardcoded to fedora:43 while the CI workflow uses container: fedora:44; update
the podman run invocation that references "fedora:43" in
python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/build_fits.sh
to "fedora:44" (or add a clear comment documenting why 43 must be retained) so
local/manual builds match the CI environment.
In `@python/Dockerfile.utils`:
- Around line 1-4: The Dockerfile is missing a non-root runtime user, leaving
the container running as root; add creation of a dedicated unprivileged user
(e.g., "utils" or "appuser") and group during image build, ensure any
directories the runtime will need (WORKDIR, caches, or installed app
directories) are chowned to that user, and add a USER <username> directive near
the end of the Dockerfile (after installations and ownership changes) so the
container runs unprivileged by default; reference the Dockerfile build steps
that run dnf install and cleanup to locate where to add the user creation,
chown, and USER directives.
In `@renovate.json`:
- Around line 7-12: The file renovate.json contains C-style comments (//) which
break strict JSON parsers; either remove all comments to produce valid JSON
(keeping the "pinDigests": false value intact) or rename the file to
renovate.jsonc and update the workflow's paths-filter entry that currently
references renovate.json so the linter/CI and local Biome will accept JSONC;
ensure any references to helpers:pinGitHubActionDigests remain unchanged.
📒 Files selected for processing (4)
- .github/workflows/build-oci-bundle.yaml
- python/Dockerfile
- python/Dockerfile.utils
- renovate.json
Force-pushed from 88d2f41 to 3462daa.
🧹 Nitpick comments (1)
python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/build_fits.sh (1)
7-7: ⚡ Quick win: Quote `$(pwd)` to prevent word splitting.
The Fedora upgrade looks good, but since this line is already being modified, please quote the `$(pwd)` expansion to prevent word splitting if the path contains spaces.
♻️ Proposed fix
- exec podman run --rm -it -v $(pwd):/host:Z -w /host fedora:44 "$0" "$@"
+ exec podman run --rm -it -v "$(pwd)":/host:Z -w /host fedora:44 "$0" "$@"
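Review bot: quoting `"$(pwd)"` fixes the word-splitting problem, but the re-exec `"$0" "$@"` still only resolves inside the container when the script was invoked by a path relative to the current directory; an absolute host path such as /home/user/repo/build_fits.sh has no counterpart under /host, so the fallback cannot find the script. Either `cd` to the script's own directory before the `exec`, or pass the script as `/host/$(basename "$0")` and document that it must live in the mounted directory. Separately, `:Z` applies a private SELinux label to everything under the mounted directory, so running the script from a broad working directory relabels files well beyond the build tree; `:z` (shared) or a dedicated subdirectory limits that side effect.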
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/build_fits.sh`:
- Line 7: The podman invocation in build_fits.sh uses an unquoted command
substitution $(pwd) which can suffer word-splitting for paths with spaces;
update the exec podman run line so the volume mount uses a quoted expansion like
"$(pwd)":/host:Z (i.e., replace $(pwd) with "$(pwd)") to ensure the current
directory is passed as a single argument to -v.
📒 Files selected for processing (5)
- .github/workflows/build-oci-bundle.yaml
- python/Dockerfile
- python/Dockerfile.utils
- python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/build_fits.sh
- renovate.json
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/workflows/build-oci-bundle.yaml
Force-pushed from 109b82b to 302501e.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/build_fits.sh`:
- Line 8: The podman bind-mount uses unquoted command substitution which breaks
on paths with spaces; update the exec line in build_fits.sh (the podman run
invocation) to quote the host path or use $PWD so the -v argument is passed as a
single token (e.g., change -v $(pwd):/host:Z to use a quoted or $PWD form) to
avoid word splitting when the working directory contains whitespace.
📒 Files selected for processing (6)
- .github/workflows/build-oci-bundle.yaml
- .github/workflows/lint.yaml
- python/Dockerfile
- python/Dockerfile.utils
- python/packages/jumpstarter-driver-flashers/oci_bundles/aarch64-itb/build_fits.sh
- renovate.json5
✅ Files skipped from review due to trivial changes (1)
- .github/workflows/build-oci-bundle.yaml
Force-pushed from 2599a04 to ea3e923.
Force-pushed from 30fedcb to 6a2c982.
kirkbrauer left a comment:
Added a comment; overall, I think this looks good. Switching to the Containerfile is nice, agnostic, and Red Hat friendly ;)
Force-pushed from 78bf408 to 7d67894.
Standardize on the vendor-neutral Containerfile naming convention. Pure rename, no content changes. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…igrate to Fedora
- Disable pinDigests in Renovate -- most registries prune untagged manifests within weeks, making pinned digests counterproductive
- Rename renovate.json to renovate.jsonc to formally support comments
- Centralize uv version in .uv-version -- Containerfiles install via curl at build time, CI workflows and e2e scripts read the same file
- Migrate controller images from UBI9 to Fedora, install Go from .go-version via go.dev (replaces ubi9/go-toolset)
- Use fedora-minimal for controller/operator runtime stages
- Pin all Fedora images to registry.fedoraproject.org
- Parameterize Python version from .py-version in devfile Containerfiles
- Replace hardcoded podman fallback image in build_fits.sh with a Containerfile managed by Renovate natively
- Bump Fedora from 43 to 44
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The base-developer-image runs as UID 10001 (non-root) by default. The curl-based uv installer writes to /root/.local/bin/ and the subsequent mv to /bin/ both require root permissions. Move USER root before the uv install block to prevent permission errors at build time. Generated-By: Forge/20260612_083017_669333_b6e93cd3
Replace the multi-stage ghcr.io/astral-sh/uv COPY-from pattern with curl-based install reading .uv-version. Update both builder and product stages from bare fedora:43 to fully qualified registry.fedoraproject.org/fedora:44 so the Renovate version cap rule applies correctly. Generated-By: Forge/20260612_083017_669333_b6e93cd3
…gistry Update from bare fedora:43 to registry.fedoraproject.org/fedora:44 so the Renovate allowedVersions constraint applies correctly. Generated-By: Forge/20260612_083017_669333_b6e93cd3
…tainer Replace COPY --from=ghcr.io/astral-sh/uv:0.11.19 with curl-based install reading .uv-version, centralizing the version and eliminating the hardcoded container image reference. Generated-By: Forge/20260612_083017_669333_b6e93cd3
The controller Containerfiles do not declare ARG GO_VERSION so the build-arg was silently ignored. Remove it from both controller Makefiles and the build-images CI workflow until the Containerfiles are ready to consume it. Generated-By: Forge/20260612_083017_669333_b6e93cd3
Move set -euo pipefail before the container detection branch so podman build failures abort the script instead of proceeding to podman run with a stale or nonexistent image. Also quote $(pwd) to prevent word splitting on paths containing spaces. Generated-By: Forge/20260612_083017_669333_b6e93cd3
Add regex guards to reject version files containing unexpected content before they are interpolated into URLs or executable paths. This prevents accidental shell injection from malformed version files. Generated-By: Forge/20260612_083017_669333_b6e93cd3
Add explicit semver versioning to match the pattern used by the .go-version and .py-version custom managers. Generated-By: Forge/20260612_083017_669333_b6e93cd3
Add registry.access.redhat.com/ubi9/go-toolset to the go-toolchain group with automerge disabled, preventing go-toolset patch bumps from being auto-merged without coordination with Go toolchain updates. Generated-By: Forge/20260612_083017_669333_b6e93cd3
…tion workflow The documentation.yaml workflow sets defaults.run.working-directory to python, causing `cat .uv-version` to look for python/.uv-version which does not exist. Add explicit working-directory: . to all three id: uv steps so they read .uv-version from the repository root. Generated-By: Forge/20260612_083017_669333_b6e93cd3
After the Dockerfile to Containerfile rename, Docker (which defaults to looking for Dockerfile) no longer finds the build file. The e2e workflow sets CONTAINER_TOOL=docker, so this breaks e2e controller image builds. Add -f Containerfile for compatibility with both Docker and Podman. Generated-By: Forge/20260612_083017_669333_b6e93cd3
The astral-sh/uv GitHub releases use v-prefixed tags (e.g. v0.11.19) but .uv-version stores the bare version (0.11.19). Without extractVersionTemplate, Renovate may fail to match versions or write the v-prefixed form into the file. Generated-By: Forge/20260612_083017_669333_b6e93cd3
…line
- Strip @sha256: digest suffix from controller Containerfiles left by Renovate while pinDigests was still enabled
- Use ${container:-} default expansion in build_fits.sh to prevent crash from set -euo pipefail when $container is unset
- Add missing trailing newline to .devcontainer/Containerfile
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
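The three build_fits.sh fixes described in the commit messages above (fail fast before the container-detection branch, guard version files before interpolating them, default `${container:-}` under `set -u`) combined into one hardened script shape. This is an added example, not the project's build_fits.sh: the version file is assumed to hold a single bare semver line, `localhost/build-env:latest` stands in for an image built locally from an adjacent Containerfile, and the astral.sh installer URL form is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not the project's code: hardened shape of a self-containerizing build
# script that reads toolchain versions from dot-files before using them in URLs.
# Assumptions: the version file holds one bare semver line; the container image name
# and the installer URL form below are illustrative.

# Fail fast before the container-detection branch, so a failed `podman build` cannot
# fall through to `podman run` with a stale or missing image.
set -euo pipefail

# Strict shape for a version string: MAJOR.MINOR.PATCH plus an optional pre-release or
# build suffix drawn from [0-9A-Za-z.+-]. Whitespace, `;`, `$(`, `/` and `..` are all
# rejected before the value can reach a URL or an executable path.
readonly VERSION_RE='^[0-9]+\.[0-9]+\.[0-9]+([-+][0-9A-Za-z.+-]+)?$'

# validate_version STRING -> echoes STRING if it matches VERSION_RE, else returns 1.
validate_version() {
  if [[ "$1" =~ $VERSION_RE ]]; then
    printf '%s\n' "$1"
  else
    printf 'refusing malformed version string: %s\n' "$1" >&2
    return 1
  fi
}

# read_version_file PATH -> the first line of PATH, trimmed at whitespace and validated.
read_version_file() {
  local raw=""
  IFS= read -r raw < "$1" || true             # tolerate a missing trailing newline
  raw="${raw%%[[:space:]]*}"                  # drop anything after the first whitespace
  validate_version "$raw"
}

# uv_install_url VERSION -> pinned installer URL for VERSION (URL form is an assumption).
uv_install_url() {
  local v
  v="$(validate_version "$1")"
  printf 'https://astral.sh/uv/%s/install.sh\n' "$v"
}

# in_container -> succeeds when the `container` variable set by podman is present.
# `${container:-}` keeps `set -u` from aborting on the host, where it is unset.
in_container() {
  [ -n "${container:-}" ]
}

# Entry point as a real script would call it (`main "$@"` at the end of the file);
# not invoked here so the functions above can be sourced and tested without podman.
main() {
  local repo_root uv_version
  if ! in_container; then
    # Quote "$(pwd)" so a working directory with spaces stays a single -v argument.
    exec podman run --rm -it -v "$(pwd)":/host:Z -w /host localhost/build-env:latest "$0" "$@"
  fi
  repo_root="$(cd "$(dirname "$0")" && pwd)"
  uv_version="$(read_version_file "$repo_root/.uv-version")"
  curl --proto '=https' --tlsv1.2 -LsSf "$(uv_install_url "$uv_version")" | sh
}
```

Because `validate_version` runs before any interpolation, a version file containing `0.11.19; curl evil` or `$(id)` aborts the build with a clear message instead of producing a URL or a path that the shell would expand.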
Force-pushed from 3911032 to ff5d108.
Replace curl-based uv installation with the official multi-stage COPY approach in all Containerfiles. Add Renovate package rule to group .uv-version and ghcr.io/astral-sh/uv updates into a single PR. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Renovate merges packageRules in order, so the later docker-base-images catch-all (matchPackageNames: ["**"]) was overriding the uv-toolchain groupName for ghcr.io/astral-sh/uv. Moving uv-toolchain after the catch-all ensures uv container image + version file updates land in the same PR. Verified with `npx renovate --dry-run`: ghcr.io/astral-sh/uv now routes to renovate/uv-toolchain instead of renovate/docker-base-images. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fedora prunes untagged manifests, but other registries (ghcr.io, registry.access.redhat.com, mcr.microsoft.com) keep them. Pin digests globally for supply-chain safety and disable only for Fedora. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
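The digest policy described in the commit message above (pin by `@sha256` digest everywhere, tags only for the one registry that prunes untagged manifests) as a lint that can run in CI over each Containerfile. This is an added example, not the project's code; it assumes registry.fedoraproject.org is the only exempted registry, that every `FROM` must name a fully qualified registry host, and that a `FROM <stage>` reference is recognised by an earlier `AS <stage>` in the same file.

```shell
#!/usr/bin/env bash
# Added example, not the project's code: lint a Containerfile against the digest policy
# "pin by digest everywhere except a registry that prunes untagged manifests".
# Assumption: registry.fedoraproject.org is the only exempted registry.
set -eu

readonly PRUNING_REGISTRY='registry.fedoraproject.org'

# classify_ref REF -> pinned | tagged-exempt | digest-exempt | unpinned | unqualified
# A digest on the pruning registry is flagged because it stops resolving once pruned.
classify_ref() {
  local ref="$1" host
  case "$ref" in */*) ;; *) echo unqualified; return 0 ;; esac
  host="${ref%%/*}"
  # A registry host contains a dot or a port; "ubi9/go-toolset" is an implicit default.
  case "$host" in *.*|*:*) ;; *) echo unqualified; return 0 ;; esac
  case "$ref" in
    "$PRUNING_REGISTRY"/*@sha256:*) echo digest-exempt ;;
    "$PRUNING_REGISTRY"/*:*)        echo tagged-exempt ;;
    *@sha256:*)                     echo pinned ;;
    *)                              echo unpinned ;;
  esac
}

# from_ref LINE -> the image reference in a FROM line, or nothing for other lines.
# Strips an optional --platform=... flag and a trailing "AS <stage>".
from_ref() {
  local rest
  case "$1" in [Ff][Rr][Oo][Mm]\ *) ;; *) return 0 ;; esac
  rest="${1#* }"
  case "$rest" in --platform=*) rest="${rest#* }" ;; esac
  printf '%s\n' "${rest%% *}"
}

# stage_name LINE -> the name after "AS" in a FROM line, or nothing.
stage_name() {
  case "$1" in
    *\ [Aa][Ss]\ *) printf '%s\n' "${1##* [Aa][Ss] }" ;;
  esac
}

# lint_containerfile FILE -> prints "FILE:LINE: VERDICT: REF" per violation; returns 1 if any.
lint_containerfile() {
  local file="$1" line ref verdict stage n=0 bad=0 stages=" "
  while IFS= read -r line || [ -n "$line" ]; do
    n=$((n + 1))
    ref="$(from_ref "$line")"
    [ -n "$ref" ] || continue
    stage="$(stage_name "$line")"
    [ -z "$stage" ] || stages="$stages$stage "
    case "$stages" in *" $ref "*) continue ;; esac   # FROM <earlier stage>
    verdict="$(classify_ref "$ref")"
    case "$verdict" in
      pinned|tagged-exempt) ;;
      *) bad=$((bad + 1)); printf '%s:%d: %s: %s\n' "$file" "$n" "$verdict" "$ref" ;;
    esac
  done < "$file"
  [ "$bad" -eq 0 ]
}
```

Run it as `lint_containerfile path/to/Containerfile` from a CI step; a `FROM registry.access.redhat.com/ubi9/go-toolset:1.26.3` without a digest is reported as `unpinned`, a Fedora image carrying a digest as `digest-exempt`, and a bare `fedora:43` as `unqualified`, which is exactly the set of references the test plan on this PR greps for by hand.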
Force-pushed from dc110b5 to 46bb088.
| @@ -1,5 +1,5 @@ | |||
| # Build the manager binary | |||
| FROM registry.access.redhat.com/ubi9/go-toolset:1.26.3@sha256:430cd439ea3bb4af3727a843c0302594bb1973211ecbfc98e4450a40798075df AS builder | |||
| FROM registry.access.redhat.com/ubi9/go-toolset:1.26.3 AS builder | |||
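Review bot: this hunk drops the `@sha256:` digest from the ubi9/go-toolset builder image, but the later commit message on this PR says digests stay pinned everywhere except Fedora, because registry.access.redhat.com keeps untagged manifests. The tag `1.26.3` is mutable, so without the digest a re-pushed tag changes the builder toolchain silently; either restore the digest in this hunk or confirm, as the reply below suggests, that Renovate re-pins it on its next pass after the config lands on main.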
The renovate config looks good, but this didn't pin back for some reason.
mangelajo left a comment:
Based on our conversation, Renovate will update those pinnings on a 2nd pass once the JSON is merged to main.
…ra to 44 (jumpstarter-dev#781)
## Summary
### Drop container image digest pinning
- Disable `pinDigests` in Renovate config -- most container registries prune untagged manifests within weeks, so pinned digests break reproducibility instead of guaranteeing it and force an unsustainable biweekly update cycle
- Keep `helpers:pinGitHubActionDigests` for GitHub Action commit-SHA pinning (those are permanent, not pruned)
- Rename `renovate.json` to `renovate.jsonc` to formally support comments, add rationale for the `pinDigests` decision
### Unify uv version management
- Add `.uv-version` as single source of truth for the uv toolchain version
- Dockerfiles install uv via `curl` reading `.uv-version` at build time -- no hardcoded image tags or `ARG` defaults
- CI workflows read `.uv-version` into a step output and pass it to `setup-uv`
- E2e scripts (`setup-e2e.sh`, `compat/setup.sh`) pin the curl installer to `.uv-version`
- Renovate tracks `.uv-version` via a custom regex manager using the `github-releases` datasource
- Fixes a cross-platform build bug: the old `COPY --from=uv` copied the build-platform binary into the target-platform product stage
### Bump Fedora 43 to 44
- `python/Dockerfile`, `python/Dockerfile.utils`, `.github/workflows/build-oci-bundle.yaml`
- `build_fits.sh` podman fallback: replaced hardcoded `fedora:44` with a `Containerfile` so Renovate's native dockerfile manager tracks it (no custom regex needed)
Test plan
- `renovate-config-validator` passes
- `@sha256:` digest references remain in Dockerfiles, Containerfiles, or CI workflows
- `fedora:43` references remain in tracked files
- `ghcr.io/astral-sh/uv:` references remain -- all read from `.uv-version`
- `setup-uv` version pins unified at `0.11.19` via `.uv-version`