chore: harden Dockerfiles and add devops CODEOWNERS #487
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,4 @@ | ||
| * @jrwbabylonlab @jeremy-babylonlabs @kirugan | ||
|
|
||
| # DevOps team owns CI/CD workflows | ||
| /.github/workflows/ @babylonlabs-io/devops |
| Original file line number | Diff line number | Diff line change | ||||||
|---|---|---|---|---|---|---|---|---|
|
|
@@ -2,6 +2,7 @@ | |||||||
|
|
||||||||
| ARG VERSION="HEAD" | ||||||||
|
|
||||||||
| # hadolint ignore=DL3018 | ||||||||
| RUN apk add --no-cache \ | ||||||||
| make \ | ||||||||
| git \ | ||||||||
|
|
@@ -31,13 +32,13 @@ | |||||||
| make build | ||||||||
|
|
||||||||
| # Final minimal image with binary only | ||||||||
| FROM alpine:3.21 AS run | ||||||||
|
|
||||||||
|
There was a problem hiding this comment. According to the PR description, this change aims to apply hadolint best practices including the SHELL pipefail directive. However, the SHELL directive with pipefail is missing from the runtime stage. Consider adding
Suggested change
|
||||||||
| RUN addgroup --gid 1138 -S staking-api-service && adduser --uid 1138 -S staking-api-service -G staking-api-service | ||||||||
| RUN apk add --no-cache bash=5.2.37-r0 curl=8.14.1-r2 jq=1.7.1-r0 | ||||||||
|
There was a problem hiding this comment. The PR description mentions "Pin Debian runtime packages to exact versions (bookworm) where applicable" but no Debian-based Dockerfiles are present in the repository or modified in this PR. Only Alpine-based Dockerfiles exist. Consider updating the PR description to accurately reflect that only Alpine packages are being pinned, or clarify what "where applicable" means in this context. |
||||||||
|
|
||||||||
| # Label should match your github repo | ||||||||
| LABEL org.opencontainers.image.source="https://github.com/babylonlabs-io/staking-api-service:${VERSION}" | ||||||||
|
Check warning on line 41 in contrib/images/staking-api-service/Dockerfile
|
||||||||
|
|
||||||||
|
|
||||||||
| # Copy over binaries from the build-env | ||||||||
|
|
||||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A hadolint ignore directive for DL3018 (pin versions in apk add) has been added to the builder stage, which contradicts the PR's goal of hardening Dockerfiles by pinning package versions. While build tools often don't need pinned versions since the image is ephemeral, for consistency with the runtime stage and the PR's stated objectives, consider either pinning these build dependencies or adding a comment explaining why pinning is not necessary for the builder stage.