chore: verify xwin checksum#1099
Pull request overview
This PR enhances supply-chain security by adding checksum verification for the xwin binary download. The changes refactor the Dockerfile to use a multi-stage build pattern that verifies the integrity of downloaded xwin artifacts before installation.
Changes:
- Added architecture-specific downloader stages with SHA256 checksum verification for xwin downloads
- Refactored xwin installation to use a multi-stage build pattern with separate downloader and extractor stages
- Moved the XWIN_VERSION ARG to the top of the Dockerfile for better organization
| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 20 | | 0 | 0 | 0.53s |
| ✅ DOCKERFILE | hadolint | 3 | | 0 | 0 | 0.74s |
| ✅ GHERKIN | gherkin-lint | 6 | | 0 | 0 | 2.51s |
| ✅ JSON | npm-package-json-lint | yes | | no | no | 0.44s |
| ✅ JSON | prettier | 21 | 4 | 0 | 0 | 0.54s |
| ✅ JSON | v8r | 21 | | 0 | 0 | 7.59s |
| ✅ MARKDOWN | markdownlint | 12 | 0 | 0 | 0 | 0.99s |
| ✅ MARKDOWN | markdown-table-formatter | 12 | 0 | 0 | 0 | 0.25s |
| ✅ REPOSITORY | checkov | yes | | no | no | 18.8s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.52s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.01s |
| ✅ REPOSITORY | grype | yes | | no | no | 30.41s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 0.96s |
| ✅ REPOSITORY | syft | yes | | no | no | 1.95s |
| ✅ REPOSITORY | trivy | yes | | no | no | 6.07s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 0.26s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 2.43s |
| ⚠️ SPELL | lychee | 80 | | 5 | 0 | 37.71s |
| ✅ YAML | prettier | 28 | 0 | 0 | 0 | 0.98s |
| ✅ YAML | v8r | 28 | | 0 | 0 | 8.32s |
| ✅ YAML | yamllint | 28 | | 0 | 0 | 0.81s |
Detailed Issues
⚠️ SPELL / lychee - 5 errors
[IGNORED] docker://pandoc/extra:3.7.0@sha256:a703d335fa237f8fc3303329d87e2555dca5187930da38bfa9010fa4e690933a | Unsupported: Error creating request client: builder error for url (docker://pandoc/extra:3.7.0@sha256:a703d335fa237f8fc3303329d87e2555dca5187930da38bfa9010fa4e690933a)
[ERROR] https://www.conventionalcommits.org/en/v1.0.0/ | Network error: error sending request for url (https://www.conventionalcommits.org/en/v1.0.0/) Maybe a certificate error?
[ERROR] https://www.conventionalcommits.org/en/v1.0.0/ | Network error: error sending request for url (https://www.conventionalcommits.org/en/v1.0.0/) Maybe a certificate error?
[ERROR] https://www.conventionalcommits.org/en/v1.0.0/ | Error (cached)
[ERROR] https://docs.sigstore.dev/cosign/signing/overview/ | Network error: error sending request for url (https://docs.sigstore.dev/cosign/signing/overview/) Maybe a certificate error?
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads | Network error: Forbidden
[IGNORED] https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer | Unsupported: Error creating request client: builder error for url (vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer)
📝 Summary
---------------------
🔍 Total..........126
✅ Successful.....119
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........0
❓ Unknown..........0
🚫 Errors...........5
Errors in .github/CONTRIBUTING.md
[ERROR] https://www.conventionalcommits.org/en/v1.0.0/ | Network error: error sending request for url (https://www.conventionalcommits.org/en/v1.0.0/) Maybe a certificate error?
Errors in .github/TOOL_VERSION_ISSUE_TEMPLATE.md
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads | Network error: Forbidden
Errors in .github/workflows/pr-conventional-title.yml
[ERROR] https://www.conventionalcommits.org/en/v1.0.0/ | Network error: error sending request for url (https://www.conventionalcommits.org/en/v1.0.0/) Maybe a certificate error?
Errors in README.md
[ERROR] https://www.conventionalcommits.org/en/v1.0.0/ | Error (cached)
[ERROR] https://docs.sigstore.dev/cosign/signing/overview/ | Network error: error sending request for url (https://docs.sigstore.dev/cosign/signing/overview/) Maybe a certificate error?
See detailed reports in MegaLinter artifacts
Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)
- Documentation: Custom Flavors
- Command:
npx mega-linter-runner@9.3.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,DOCKERFILE_HADOLINT,GHERKIN_GHERKIN_LINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,SPELL_LYCHEE,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R
📦 Container Size Analysis (three collapsed reports, each with a Size Comparison Table; the tables themselves were not captured)
Pull Request Report (#1099): Static measures, Time related measures, Status check related measures (collapsed; contents not captured)
🎉 Hooray! The changes in this pull request went live with the release of v6.7.1 🎉
🚀 Hey, I have created a Pull Request
Description of changes
This pull request refactors the installation process for the `xwin` tool in the `.devcontainer/cpp/Dockerfile` to improve cross-architecture support and caching efficiency. The changes introduce multi-stage builds to download and extract the correct `xwin` binary for either AMD64 or ARM64 architectures, and move the installation logic into an earlier build stage. This also removes the previous direct download and extraction of `xwin` in the main image build step.

Key improvements to multi-architecture support and build efficiency:

- `downloader-amd64`, `downloader-arm64`, `extractor`: to download and extract the appropriate `xwin` binary for the target architecture, using checksums for verification. (`.devcontainer/cpp/Dockerfile`)
- `xwin` to an earlier stage and now copy the extracted binary into the final image, instead of downloading and extracting it during the main build step. (`.devcontainer/cpp/Dockerfile`)
- `xwin` and `ccache`, now only installing `ccache` directly in the final image. (`.devcontainer/cpp/Dockerfile`)

✔️ Checklist
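The verify-before-extract pattern that both the overview above and this description refer to (a pinned SHA256 per architecture, checked before the archive is unpacked), as a runnable shell sketch. This is an added example, not the amp-devcontainer project's own Dockerfile or scripts: the asset naming scheme, the `XWIN_VERSION` value and every digest below are constructed for the demo, and `xwin_asset`, `verify_sha256` and `install_xwin` are hypothetical helper names.

```shell
#!/bin/sh
# Added example for PR #1099; not the amp-devcontainer project's own code.
# Asset names, XWIN_VERSION and all digests here are constructed for the demo.
set -eu

XWIN_VERSION="0.6.5"   # assumption: stands in for the Dockerfile's ARG XWIN_VERSION

# Map Docker's TARGETARCH to a release asset name (naming pattern assumed;
# confirm against the real release page before pinning anything).
xwin_asset() {
  case "$1" in
    amd64) echo "xwin-${XWIN_VERSION}-x86_64-unknown-linux-musl.tar.gz" ;;
    arm64) echo "xwin-${XWIN_VERSION}-aarch64-unknown-linux-musl.tar.gz" ;;
    *) echo "unsupported TARGETARCH: $1" >&2; return 1 ;;
  esac
}

# Portable SHA-256 of a file (GNU coreutils sha256sum or BSD shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare a file's digest with the pinned value. Non-zero on mismatch, so a
# `RUN ... && verify` step fails the build before anything is extracted.
verify_sha256() {
  file="$1"; expected="$2"
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
  fi
  return 0
}

# Order matters: verify first, extract only on success.
install_xwin() {
  archive="$1"; expected="$2"; dest="$3"
  verify_sha256 "$archive" "$expected" || return 1
  mkdir -p "$dest"
  tar -xzf "$archive" -C "$dest"
}

# Offline demo: build two constructed archives, "pin" their digests the way
# per-arch ARGs would, then exercise the pass and the two failure modes.
demo() {
  command -v tar >/dev/null 2>&1 || { echo "tar not available, skipping demo"; return 0; }
  work=$(mktemp -d)
  for arch in amd64 arm64; do
    mkdir -p "$work/$arch/xwin-src"
    printf 'constructed %s xwin payload\n' "$arch" > "$work/$arch/xwin-src/xwin"
    tar -C "$work/$arch" -czf "$work/$(xwin_asset "$arch")" xwin-src
  done
  XWIN_SHA256_AMD64=$(sha256_of "$work/$(xwin_asset amd64)")
  XWIN_SHA256_ARM64=$(sha256_of "$work/$(xwin_asset arm64)")

  # 1. Correct artifact against its own pin: verified, then extracted.
  if install_xwin "$work/$(xwin_asset amd64)" "$XWIN_SHA256_AMD64" "$work/out-amd64"; then
    echo "amd64: verified and extracted $(ls "$work/out-amd64/xwin-src")"
  fi
  # 2. Pin copied from the other architecture's stage: rejected, nothing extracted.
  if ! install_xwin "$work/$(xwin_asset amd64)" "$XWIN_SHA256_ARM64" "$work/out-wrong"; then
    echo "amd64 archive vs arm64 pin: rejected"
  fi
  # 3. Tampered artifact (one byte appended after download): rejected.
  printf 'x' >> "$work/$(xwin_asset amd64)"
  if ! install_xwin "$work/$(xwin_asset amd64)" "$XWIN_SHA256_AMD64" "$work/out-tampered"; then
    echo "tampered amd64 archive: rejected"
  fi
  rm -rf "$work"
}

demo
```

Inside a Dockerfile the same check is usually one line in each per-arch downloader stage, `RUN echo "${XWIN_SHA256_AMD64}  xwin.tar.gz" | sha256sum -c -`, with `FROM downloader-${TARGETARCH} AS extractor` selecting the stage whose pin matches the build platform; the exact lines the PR uses are not reproduced here. The point the demo makes is that the pin must be per architecture and the comparison must happen before `tar` runs, otherwise a substituted archive has already been unpacked into the image by the time the mismatch is noticed.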