chore(deps): refresh infrastructure baselines#197
Merged
Conversation
PR SummaryMedium Risk Overview Bumps the Rust workspace to The canary container workflow gains SBOM + max provenance on build, Trivy vulnerability reporting (non-blocking), Anchore SPDX SBOM artifacts, extra OIDC/actions permissions, and a job summary documenting digest, base image, and scan output. Reviewed by Cursor Bugbot for commit 81452c2. Bugbot is set up for automated code reviews on this repo. Configure here. |
|
Warning Review limit reached
More reviews will be available in 33 minutes and 44 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (10)
WalkthroughPinned container and base images were updated; the canary image build now emits SBOM/provenance and adds a Trivy vulnerability scan plus SPDX SBOM artifact and a security-audit summary; docs build tooling and pnpm/node pins were bumped; workspace crate versions were raised. ChangesDevops & Tooling
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@devops/docker/compose/compose.yml`:
- Line 49: Verify the ngrok image tag and config schema compatibility: confirm
the Docker image tag ngrok/ngrok:3.39.6-alpine exists and supports the target
architectures (or switch to an architecture-specific tag like
3.39.6-alpine-<arch> if needed), then ensure the generated /tmp/ngrok.yml uses
Agent Config v3 fields (top-level "version: 3" and the v3-specific keys your
code emits). To validate, run the container from image ngrok/ngrok:3.39.6-alpine
and use the agent's config/validate commands (or ngrok --version and ngrok
config check) against /tmp/ngrok.yml to catch schema/compatibility issues; if
validation fails, update the generated config to match v3 schema or pick a
compatible ngrok image tag.
In `@devops/docker/compose/services/trogon-gateway/Dockerfile`:
- Line 29: Update the Dockerfile runtime base reference (the FROM
debian:bookworm-20260518-slim AS runtime line) by confirming the specific Debian
snapshot tag exists on the registry and then treat security verification as an
image-level task: after building the image, generate an SBOM and run a
vulnerability/package scan (or compare installed package versions vs the
previous base) to validate the patched package versions in the built image
rather than relying on the external security-tracker data alone; document the
scan/SBOM results in your CI step that builds the trogon-gateway image so the
security-update audit is scoped to the produced image.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 297ef62b-b848-47b8-9eee-4ca570442d68
📒 Files selected for processing (2)
devops/docker/compose/compose.ymldevops/docker/compose/services/trogon-gateway/Dockerfile
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/canary-container-images.yml (1)
85-99: 💤 Low valueOptional: avoid direct
${{ }}expansion inside the run block and reduce base-image drift.Two nits in the summary step:
- zizmor flags
${{ steps.image.outputs.name }}(Line 91) as a template-injection vector. Risk is low here since the value derives fromrepository_owner/matrix, but the idiomatic fix is to pass these throughenv:and reference$VARSin the script.- The runtime base
debian:bookworm-20260518-slim(Line 92) is hardcoded and will silently diverge from the value in the gateway Dockerfile. Consider deriving it from the build (or reading it from the Dockerfile) so the audit note stays accurate.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/canary-container-images.yml around lines 85 - 99, Avoid using GitHub template expansion directly inside the run block: expose steps.image.outputs.name and matrix.service as env variables (e.g., IMAGE_NAME, SERVICE) and reference them as shell variables in the heredoc that appends to GITHUB_STEP_SUMMARY; similarly, stop hardcoding "debian:bookworm-20260518-slim" by deriving the runtime base from the build step or by parsing the gateway Dockerfile into an env var (e.g., BASE_IMAGE) so the summary uses $BASE_IMAGE, and ensure the script still cats trivy-results.txt into the summary.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/canary-container-images.yml:
- Around line 68-83: Replace mutable action tags with pinned commit SHAs: update
the aquasecurity/trivy-action reference (currently
aquasecurity/trivy-action@0.32.0) to use the corresponding commit SHA for that
release (e.g., aquasecurity/trivy-action@<TRIVY_COMMIT_SHA>) and append a
trailing comment containing the original "0.32.0"; likewise replace
anchore/sbom-action@v0.20.6 with
anchore/sbom-action@f8bdd1d8ac5e901a77a92f111440fdb1b593736b and keep "v0.20.6"
as a trailing comment. Ensure these changes occur where the actions are
referenced (the aquasecurity/trivy-action and anchore/sbom-action uses) so the
workflow uses immutable SHAs while preserving the human-readable version in
comments.
In @.github/workflows/docs-pages.yml:
- Around line 27-35: Move the "Enable Corepack" step to run before the "Setup
Node" step (or alternatively add a pnpm setup step such as using
pnpm/action-setup before actions/setup-node) so the pnpm executable is on PATH
when the setup-node step runs with cache: pnpm; also consider changing the
node-version in the "Setup Node" step from 26 to 24 to target an Active LTS
release.
---
Nitpick comments:
In @.github/workflows/canary-container-images.yml:
- Around line 85-99: Avoid using GitHub template expansion directly inside the
run block: expose steps.image.outputs.name and matrix.service as env variables
(e.g., IMAGE_NAME, SERVICE) and reference them as shell variables in the heredoc
that appends to GITHUB_STEP_SUMMARY; similarly, stop hardcoding
"debian:bookworm-20260518-slim" by deriving the runtime base from the build step
or by parsing the gateway Dockerfile into an env var (e.g., BASE_IMAGE) so the
summary uses $BASE_IMAGE, and ensure the script still cats trivy-results.txt
into the summary.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 149f39d7-ef22-4f49-913e-c322e3d5c144
⛔ Files ignored due to path filters (1)
rsworkspace/Cargo.lockis excluded by!**/*.lock
📒 Files selected for processing (6)
.github/workflows/canary-container-images.yml.github/workflows/docs-pages.yml.mise.tomldevops/docker/compose/services/trogon-gateway/Dockerfiledocs/package.jsonrsworkspace/Cargo.toml
✅ Files skipped from review due to trivial changes (1)
- docs/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
- devops/docker/compose/services/trogon-gateway/Dockerfile
Signed-off-by: Yordis Prieto <yordis.prieto@gmail.com>
Keep local/CI toolchain reproducible by bumping Rust, Node, pnpm, Python, uv, buf, and protoc-gen-buffa pins, with matching buffa runtime deps. Signed-off-by: Yordis Prieto <yordis.prieto@gmail.com>
Pin the Rust builder to Bookworm to match the runtime glibc, scan trogon-gateway canary images with Trivy/SBOM in CI, and keep docs builds on Corepack-managed pnpm with frozen installs. Signed-off-by: Yordis Prieto <yordis.prieto@gmail.com>
yordis
force-pushed
the
yordis/chore-create-pr-v7
branch
from
a06ff70 to
500d98b
Compare
yordis
changed the title
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (2)
.github/workflows/canary-container-images.yml (2)
88-99: 💤 Low valueAvoid direct template expansion inside the
runblock (zizmor: template-injection).The expansions here resolve from
matrix.service(static) andsteps.image.outputs.name(derived from the repo owner and an in-repo config), so this is not currently attacker-controllable. Still, moving them toenvand referencing shell variables clears the static-analysis finding and hardens against future changes.🛡️ Proposed change
- name: Document image security audit shell: bash + env: + SERVICE: ${{ matrix.service }} + IMAGE_NAME: ${{ steps.image.outputs.name }} run: | { - echo "## Image security audit: \`${{ matrix.service }}\`" + echo "## Image security audit: \`${SERVICE}\`" echo "" - echo "- Image: \`${{ steps.image.outputs.name }}:canary\`" + echo "- Image: \`${IMAGE_NAME}:canary\`" echo "- Runtime base: \`debian:bookworm-20260518-slim\`" - echo "- SBOM artifact: \`sbom-${{ matrix.service }}-spdx\` (SPDX JSON)" + echo "- SBOM artifact: \`sbom-${SERVICE}-spdx\` (SPDX JSON)" echo "" echo "### Vulnerability scan (Trivy, image packages)" echo '```text' cat trivy-results.txt echo '```' } >> "$GITHUB_STEP_SUMMARY"🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/canary-container-images.yml around lines 88 - 99, The run block is directly expanding GitHub Actions templates (matrix.service and steps.image.outputs.name) which triggers template-injection warnings; update the step to set those values as environment variables (e.g., IMAGE_NAME and SERVICE_NAME via env: IMAGE_NAME: ${{ steps.image.outputs.name }} SERVICE_NAME: ${{ matrix.service }}) and then reference them inside the shell block as shell variables ($IMAGE_NAME and $SERVICE_NAME) when writing to GITHUB_STEP_SUMMARY and building the text; locate the run block that echoes the summary (the block that references matrix.service and steps.image.outputs.name) and replace direct template expansions with the env-based variables.
92-92: 💤 Low valueHardcoded runtime base can drift from the Dockerfile.
debian:bookworm-20260518-slimduplicates the gateway Dockerfile's runtime base. If the Dockerfile is bumped, this audit summary silently becomes inaccurate. Consider deriving it from the build (or service config) instead of hardcoding, or drop the line to avoid a misleading audit record.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/canary-container-images.yml at line 92, The echoed hardcoded runtime base string ("debian:bookworm-20260518-slim") in the workflow can drift from the Dockerfile; change the audit line to derive the runtime base dynamically (e.g., read the build arg or image tag used to build the gateway or use a workflow input/env like RUNTIME_BASE used by the Docker build) or remove the echo entirely. Locate the echo statement in the canary-container-images.yml job (the line that prints "- Runtime base: `debian:bookworm-20260518-slim`") and replace the literal with the variable that holds the runtime base (for example ${ { env.RUNTIME_BASE } } or the image tag produced by the build step) or drop it to avoid misleading audit output.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/canary-container-images.yml:
- Around line 68-83: The Trivy and SBOM steps currently reference the mutable
tag `${{ steps.image.outputs.name }}:canary` so they may scan/attest a different
image than what was built; update the Trivy `image-ref` and Anchore `image` to
use the build step digest output (e.g., `${{ steps.build_image.outputs.digest
}}`) exposed by docker/build-push-action instead of the `:canary` tag, ensuring
the Trivy step, Anchore SBOM step and any other downstream steps point to the
same immutable `${{ steps.build_image.outputs.digest }}` value (replace
occurrences in the Trivy step `image-ref` and anchore step `image`).
---
Nitpick comments:
In @.github/workflows/canary-container-images.yml:
- Around line 88-99: The run block is directly expanding GitHub Actions
templates (matrix.service and steps.image.outputs.name) which triggers
template-injection warnings; update the step to set those values as environment
variables (e.g., IMAGE_NAME and SERVICE_NAME via env: IMAGE_NAME: ${{
steps.image.outputs.name }} SERVICE_NAME: ${{ matrix.service }}) and then
reference them inside the shell block as shell variables ($IMAGE_NAME and
$SERVICE_NAME) when writing to GITHUB_STEP_SUMMARY and building the text; locate
the run block that echoes the summary (the block that references matrix.service
and steps.image.outputs.name) and replace direct template expansions with the
env-based variables.
- Line 92: The echoed hardcoded runtime base string
("debian:bookworm-20260518-slim") in the workflow can drift from the Dockerfile;
change the audit line to derive the runtime base dynamically (e.g., read the
build arg or image tag used to build the gateway or use a workflow input/env
like RUNTIME_BASE used by the Docker build) or remove the echo entirely. Locate
the echo statement in the canary-container-images.yml job (the line that prints
"- Runtime base: `debian:bookworm-20260518-slim`") and replace the literal with
the variable that holds the runtime base (for example ${ { env.RUNTIME_BASE } }
or the image tag produced by the build step) or drop it to avoid misleading
audit output.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: eb251841-f98a-41c6-a0fe-8ddc90b161c9
⛔ Files ignored due to path filters (1)
rsworkspace/Cargo.lockis excluded by!**/*.lock
📒 Files selected for processing (7)
.github/workflows/canary-container-images.yml.github/workflows/docs-pages.yml.mise.tomldevops/docker/compose/compose.ymldevops/docker/compose/services/trogon-gateway/Dockerfiledocs/package.jsonrsworkspace/Cargo.toml
✅ Files skipped from review due to trivial changes (2)
- docs/package.json
- devops/docker/compose/services/trogon-gateway/Dockerfile
🚧 Files skipped from review as they are similar to previous changes (4)
- devops/docker/compose/compose.yml
- rsworkspace/Cargo.toml
- .mise.toml
- .github/workflows/docs-pages.yml
yordis
force-pushed
the
yordis/chore-create-pr-v7
branch
from
500d98b to
b34c03d
Compare
|
Code Coverage SummaryDetailsDiff against mainResults for commit: 81452c2 Minimum allowed coverage is ♻️ This comment has been updated with latest results |
yordis
force-pushed
the
yordis/chore-create-pr-v7
branch
3 times, most recently
from
f59c584 to
31c2e9b
Compare
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 31c2e9b. Configure here.
Signed-off-by: Yordis Prieto <yordis.prieto@gmail.com>
yordis
force-pushed
the
yordis/chore-create-pr-v7
branch
from
31c2e9b to
81452c2
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.