
Conversation

@Spich3000
Copy link
Contributor

@Spich3000 Spich3000 commented Sep 16, 2025

INFRA-5557 Cronos v1.5.0 Upgrades across clusters

Summary by CodeRabbit

  • Chores
    • Docker image now uses the Cronos testnet binary by default, aligning the container with testnet environments.
    • Download, extraction, and startup flow remain unchanged; no modifications to entrypoint, user, or permissions.
    • Users running the image will connect to testnet out of the box; switch binaries if mainnet is required.

Signed-off-by: Dmitrii Spichakov <dmitrii.spichakov@chainstack.com>
@coderabbitai

coderabbitai bot commented Sep 16, 2025

Walkthrough

Switched the Dockerfile’s Cronos binary download from a mainnet artifact to the testnet v1.5.0 tarball. Updated the URL, extracted tarball name, cleanup target, and move destination accordingly. No other Dockerfile instructions changed.

Changes

Cohort / File(s) | Change Summary
Cronos binary source update: Dockerfile | Replaced mainnet tarball URL with cronos_1.5.0-testnet_Linux_x86_64.tar.gz; adjusted extract, cleanup, and move filenames to match. All other Dockerfile steps unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A rabbit taps the Docker line, hop-hop—
Mainnet out, testnet in—flip-flop.
Tarballs twirl, extract, then glide,
Cleanup, move, neatly side-by-side.
Carrot-orange logs say “build all set,”
Version bumped—my fastest deploy yet! 🥕🚀

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check ✅ Passed The title "feat: INFRA-5557 Cronos testnet image bump v1.5.0" is concise and accurately describes the main change—upgrading the Cronos testnet artifact to v1.5.0 in the Docker image—and includes the associated ticket reference, so it clearly relates to the Dockerfile modification in this PR.
Docstring Coverage ✅ Passed No functions found in the changes. Docstring coverage check skipped.

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

  • Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
  • Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Up to 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b4f2d47 and 3f20020.

📒 Files selected for processing (1)
  • Dockerfile (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
Dockerfile

[high] 7-8: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: guardrails/scan

Comment on lines +7 to +8
RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.0-testnet_Linux_x86_64.tar.gz \
&& rm cronos_1.5.0-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/
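Review bot: the trailing mv ./* /home/cronos/ moves whatever is in /tmp at that point, not only the archive contents, and the ./* glob does not match dotfiles, so any hidden entries in the tarball would be left behind in /tmp; extracting with tar -xzf cronos_1.5.0-testnet_Linux_x86_64.tar.gz -C /home/cronos avoids both and removes the need for cd /tmp. On the same line, --no-check-certificate disables the one check that the download really comes from github.com; with ca-certificates installed in the apt step there is no reason to keep it.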

⚠️ Potential issue

🧩 Analysis chain

Remove TLS bypass; verify artifact; extract safely to target dir (avoid mv ./*).

Using wget --no-check-certificate is a supply‑chain risk and flagged by Checkov (CKV2_DOCKER_3). Also, extracting into /tmp then mv ./* can move unintended files and may break the expected /home/cronos/bin/cronosd path. Switch to a validated download and extract directly into /home/cronos; add -z to tar.

Apply this diff to Lines 7‑8:

-RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.0-testnet_Linux_x86_64.tar.gz \
-     && rm cronos_1.5.0-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/
+RUN set -eux; \
+    cd /tmp; \
+    curl -fsSLo cronos_1.5.0-testnet_Linux_x86_64.tar.gz https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0-testnet_Linux_x86_64.tar.gz; \
+    tar -xzf cronos_1.5.0-testnet_Linux_x86_64.tar.gz -C /home/cronos; \
+    rm -f cronos_1.5.0-testnet_Linux_x86_64.tar.gz
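Review bot: the sha256sum -c step suggested further down would run after this block has already deleted the tarball with rm -f, so as a separate RUN it can only fail; the checksum line belongs inside this same RUN, between the curl line and the tar line, so that a mismatch aborts the build before anything is extracted. Also, tar -xzf ... -C /home/cronos requires /home/cronos to exist at this point; the original mv ./* /home/cronos/ implies it does, but if a later instruction creates the directory the extraction will fail here.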

Additionally, ensure CA trust is present (update Line 6 accordingly) and trim apt lists:

RUN apt-get update -y && apt-get install -y --no-install-recommends wget curl procps net-tools jq lz4 ca-certificates && rm -rf /var/lib/apt/lists/*

Optional but recommended: verify integrity by checking a known SHA256 (set CRONOS_SHA256 from the release):

ARG CRONOS_SHA256=<paste_sha256_here>
RUN echo "${CRONOS_SHA256}  cronos_1.5.0-testnet_Linux_x86_64.tar.gz" | sha256sum -c -

Please confirm the archive layout exposes bin/cronosd at the archive root so /home/cronos/bin/cronosd remains valid after direct extraction. If not, add --strip-components=1 to the tar command.


🏁 Script executed:

#!/bin/bash
set -euxo pipefail

# find Dockerfile
DOCKER_PATH=$(find . -type f -iname Dockerfile | head -n1 || true)
if [ -z "$DOCKER_PATH" ]; then
  echo "No Dockerfile found"
  exit 0
fi
echo "Using Dockerfile: $DOCKER_PATH"

echo "=== Dockerfile (lines 1..120) ==="
nl -ba "$DOCKER_PATH" | sed -n '1,120p' || true

echo "=== Search for patterns: wget --no-check-certificate, mv ./* /home/cronos, tar -xvf, apt-get install ==="
grep -n -E "wget --no-check-certificate|--no-check-certificate|mv \.\*/ /home/cronos|mv \.\* /home/cronos|tar -xv|tar -xvf|apt-get install" "$DOCKER_PATH" || true

# extract URL to tar.gz from Dockerfile (first match)
URL=$(grep -oE 'https?://[^ ]+cronos[^ ]+\.tar\.gz' "$DOCKER_PATH" | head -n1 || true)
echo "Detected URL: $URL"

if [ -n "$URL" ]; then
  TMPDIR=$(mktemp -d)
  ARCH="$TMPDIR/cronos.tar.gz"
  echo "Downloading $URL -> $ARCH"
  curl -fsSL -o "$ARCH" "$URL"
  echo "Downloaded file info:"
  ls -lh "$ARCH" || true

  echo "=== Tarball top-level prefixes (count) ==="
  tar -tzf "$ARCH" | awk -F/ '{print $1}' | uniq -c | sort -rn || true

  echo "=== Sample tar listing (first 200 lines) ==="
  tar -tzf "$ARCH" | sed -n '1,200p' || true
fi

echo "=== Done ==="

Length of output: 2722


Remove TLS bypass; extract directly to /home/cronos; add CA and integrity check.

File: Dockerfile (lines ~6–8)

wget --no-check-certificate is a supply‑chain risk — replace with a verified download, extract directly into /home/cronos (avoid mv ./*), install CA trust, and validate the archive checksum.

Apply this diff to Lines 7‑8:

-RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.0-testnet_Linux_x86_64.tar.gz \
-     && rm cronos_1.5.0-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/
+RUN set -eux; \
+    cd /tmp; \
+    curl -fsSLo cronos_1.5.0-testnet_Linux_x86_64.tar.gz https://github.com/crypto-org-chain/cronos/releases/download/v1.5.0/cronos_1.5.0-testnet_Linux_x86_64.tar.gz; \
+    tar -xzf cronos_1.5.0-testnet_Linux_x86_64.tar.gz -C /home/cronos; \
+    rm -f cronos_1.5.0-testnet_Linux_x86_64.tar.gz
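Review bot: this tar line runs as root during the build, and GNU tar as root restores the owner uid/gid recorded in the archive by default (--same-owner), so /home/cronos/bin/cronosd will be owned by whatever uid the release packager used rather than by the cronos user; if a later USER switch expects to own or update those files, add --no-same-owner to the tar command or chown the tree afterwards. As with the identical block above, the checksum verification must sit between the curl and tar lines, not after rm -f.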

Ensure CA trust is installed (update the apt line) and trim apt lists:

RUN apt-get update -y && apt-get install -y --no-install-recommends wget curl procps net-tools jq lz4 ca-certificates && rm -rf /var/lib/apt/lists/*

Optional but recommended: verify integrity with a known SHA256:

ARG CRONOS_SHA256=<paste_sha256_here>
RUN echo "${CRONOS_SHA256}  cronos_1.5.0-testnet_Linux_x86_64.tar.gz" | sha256sum -c -

Verified: the archive contains ./bin/cronosd at the archive root, so direct extraction into /home/cronos will produce /home/cronos/bin/cronosd — no --strip-components required. Address the above changes before merging.

🧰 Tools
🪛 Checkov (3.2.334)

[high] 7-8: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

🤖 Prompt for AI Agents
In Dockerfile around lines 7–8, remove the --no-check-certificate usage and
avoid moving files after extraction: update the apt-get install line to include
ca-certificates and use rm -rf /var/lib/apt/lists/* to trim caches; download the
cronos tarball without bypassing TLS (use wget/curl default), place a build ARG
for CRONOS_SHA256 and run a sha256sum -c check against the downloaded file, then
extract the archive directly into /home/cronos (so files land at
/home/cronos/bin/...) instead of extracting to /tmp and mv-ing; ensure the
commands fail on checksum mismatch and remove the downloaded archive after
verification.
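The verify-then-extract flow the review asks for, as an added example that is not part of this PR, of the bot's output, or of the Cronos project: the SHA-256 is compared before the archive is unpacked or deleted, extraction goes straight into the destination with tar -C instead of a mv ./* afterwards, and the bin/cronosd layout the bot verified is checked at the end. The archive it operates on is a constructed stand-in produced by make_sample_archive (a stub script, not the real binary) so the example runs offline; in a real build the expected digest would come from the release's published checksum file rather than from hashing the file just downloaded. The function names (sha256_of, verify_and_extract, make_sample_archive) and the EXPECTED_SHA256 variable are the example's own.

```shell
#!/bin/sh
# Added example (not from the PR, the review bot or the Cronos project).
# Verify a downloaded release archive BEFORE it is extracted or deleted, then
# extract it straight into the destination directory (no "mv ./*" afterwards)
# and confirm the expected bin/cronosd layout. Fails closed on any mismatch.
set -eu

# sha256_of FILE -> hex digest (sha256sum on Linux, shasum fallback elsewhere)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_and_extract ARCHIVE EXPECTED_SHA256 DEST
# returns 0: digest matched, archive extracted into DEST and then removed
# returns 1: digest mismatch (archive kept for inspection, DEST untouched),
#            or the archive did not contain bin/cronosd at its root
verify_and_extract() {
  archive=$1
  expected=$2
  dest=$3
  actual=$(sha256_of "$archive")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $archive: expected $expected, got $actual" >&2
    return 1
  fi
  mkdir -p "$dest"
  tar -xzf "$archive" -C "$dest"   # -z gzip, -C extract in place
  rm -f "$archive"                 # only after verification succeeded
  if [ ! -x "$dest/bin/cronosd" ]; then
    echo "unexpected archive layout: $dest/bin/cronosd missing" >&2
    return 1
  fi
}

# make_sample_archive WORKDIR -> path of a constructed archive mimicking the
# release layout (bin/cronosd at the archive root). The "binary" is a stub
# script standing in for the real download so the example runs offline.
make_sample_archive() {
  work=$1
  mkdir -p "$work/src/bin"
  printf '#!/bin/sh\necho cronosd-stub\n' > "$work/src/bin/cronosd"
  chmod 755 "$work/src/bin/cronosd"
  tar -czf "$work/cronos_sample.tar.gz" -C "$work/src" bin
  echo "$work/cronos_sample.tar.gz"
}

# Stand-alone run: a matching digest extracts, a wrong digest is rejected.
W=$(mktemp -d)
A=$(make_sample_archive "$W")
# EXPECTED_SHA256 is computed here only because the archive is constructed;
# in a real build it is the value published alongside the release.
EXPECTED_SHA256=$(sha256_of "$A")
verify_and_extract "$A" "$EXPECTED_SHA256" "$W/home/cronos" \
  && echo "ok: $W/home/cronos/bin/cronosd"
A=$(make_sample_archive "$W")
BAD_SHA256=0000000000000000000000000000000000000000000000000000000000000000
verify_and_extract "$A" "$BAD_SHA256" "$W/rejected" \
  || echo "rejected as expected, archive kept at $A"
rm -rf "$W"
```

Inside a Dockerfile the same ordering maps onto one RUN instruction: curl, then the digest comparison, then tar -C, then rm, so that a mismatch stops the build before anything reaches /home/cronos.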

@Spich3000 Spich3000 merged commit beeb703 into master Sep 16, 2025
3 checks passed

Labels

None yet


2 participants