@Spich3000 Spich3000 commented Dec 1, 2025

Cronos testnet image upgrade v1.6.0
INFRA-6582 Cronos v1.6.0 Upgrades across clusters

Summary by CodeRabbit

  • Chores
    • Updated Docker image to use Cronos v1.6.0-testnet (previously v1.5.4)


Signed-off-by: Dmitrii Spichakov <dmitrii.spichakov@chainstack.com>

coderabbitai bot commented Dec 1, 2025

Walkthrough

The Dockerfile's cronos binary tarball source is updated from version 1.5.4 to version 1.6.0-testnet. The download URL, tarball filename, and associated cleanup commands are modified accordingly to fetch and extract the new release, with extraction and installation paths remaining unchanged.

Changes

| Cohort / File(s) | Change Summary |
|---|---|
| Dockerfile version bump (Dockerfile) | Update cronos tarball from v1.5.4 to v1.6.0-testnet; modify wget URL, tarball filename, and rm command to reflect new release |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

  • agrevtsev
  • naviat

Poem

🐰 A tarball hops from old to new,
v1.6.0-testnet in morning's dew,
The URLs dance, filenames align,
Cronos containers now will shine!
bounces excitedly 🎉

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: upgrading the Cronos testnet Docker image from v1.5.4 to v1.6.0, which matches the Dockerfile modifications shown in the raw summary. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
Dockerfile (1)

11-12: Consider adding tarball integrity verification.

The download does not verify the integrity of the fetched tarball via checksums or GPG signatures. While this is not a regression from the previous version, adding checksum verification would improve supply chain security for the image build process.

If checksums are available for the release, consider adding verification:

 RUN cd /tmp && wget https://github.com/crypto-org-chain/cronos/releases/download/v1.6.0/cronos_1.6.0-testnet_Linux_x86_64.tar.gz \
+    && echo "<expected_sha256_checksum>  cronos_1.6.0-testnet_Linux_x86_64.tar.gz" | sha256sum -c - \
     && tar -xvf cronos_1.6.0-testnet_Linux_x86_64.tar.gz \
     && rm cronos_1.6.0-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/
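Review bot: The unchanged first line of this suggestion shows `wget https://...` without `--no-check-certificate`, while the RUN line under review (lines 11-12) still carries that flag, so the suggestion does not match the file and will not apply as written; it should be rebased onto the actual line. The `<expected_sha256_checksum>` placeholder needs to become a digest committed in the Dockerfile itself, since a digest fetched during the build over the same connection would add nothing. Placing `sha256sum -c -` before `tar -xvf` in the `&&` chain is the right order: a mismatch stops the build before anything is extracted.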
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b15f15c and adefa62.

📒 Files selected for processing (1)
  • Dockerfile (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
Dockerfile

[high] 11-12: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: guardrails/scan

Comment on lines +11 to +12
RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.6.0/cronos_1.6.0-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.6.0-testnet_Linux_x86_64.tar.gz \
&& rm cronos_1.6.0-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/

⚠️ Potential issue | 🔴 Critical

Remove --no-check-certificate from wget to prevent MITM attacks.

The --no-check-certificate flag disables SSL/TLS certificate validation during the download, which introduces a vulnerability to man-in-the-middle attacks. This is a security best practice violation and should be removed.

The debian:bullseye-slim base image includes certificate bundles by default, so certificate validation should work without additional configuration.

Apply this diff to remove the --no-check-certificate flag:

 # Download and verify tarball
-RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.6.0/cronos_1.6.0-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.6.0-testnet_Linux_x86_64.tar.gz \
+RUN cd /tmp && wget https://github.com/crypto-org-chain/cronos/releases/download/v1.6.0/cronos_1.6.0-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.6.0-testnet_Linux_x86_64.tar.gz \
      && rm cronos_1.6.0-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/
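Review bot: The context comment `# Download and verify tarball` on the first line promises a verification step that neither side of this change performs. With the flag dropped, TLS authenticates the download host, but nothing checks the tarball's contents before `tar -xvf`; either add a pinned `sha256sum -c -` step between the `wget` and the `tar`, or reword the comment. Separately, `mv ./* /home/cronos/` runs after `cd /tmp` and so moves everything present in `/tmp`, not only the extracted files; extracting in a dedicated directory would scope it.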

If certificate validation fails due to missing or expired certificates in the container, consider updating the certificate bundle (ca-certificates package) rather than disabling validation.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In Dockerfile around lines 11 to 12, the wget invocation uses the insecure
--no-check-certificate flag; remove that flag so TLS certificates are validated,
and ensure the image has up-to-date root CAs by installing or updating the
ca-certificates package (e.g., add an apt-get update && apt-get install -y
ca-certificates step earlier in the Dockerfile if not already present) so the
download succeeds without disabling certificate checks.

@Spich3000 Spich3000 merged commit 96737f9 into master Dec 1, 2025
3 checks passed
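
The two findings in this review (certificate validation disabled on `wget`, and no integrity check on the downloaded tarball) can be caught before merge with a small lint. The script below is an added example, not code from the PR, Checkov or CodeRabbit; the function names, rule labels and the sample Dockerfile with its `example.invalid` URLs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Checkov's or CodeRabbit's code): lint a Dockerfile for
# RUN downloads that skip TLS validation or are never checked against a digest.

# Constructed sample; example.invalid and tool.tar.gz are placeholders.
sample_dockerfile() {
  cat <<'EOF'
FROM debian:bullseye-slim
RUN cd /tmp && wget --no-check-certificate https://example.invalid/tool.tar.gz \
    && tar -xf tool.tar.gz
RUN cd /tmp && wget https://example.invalid/tool.tar.gz \
    && echo "<expected_sha256>  tool.tar.gz" | sha256sum -c - \
    && tar -xf tool.tar.gz
RUN apt-get update && apt-get install -y ca-certificates
EOF
}

# Prints "<first line of instruction>:<rule>" per finding; exit status 1 if any.
# Covers wget --no-check-certificate and curl --insecure (not curl's short -k),
# and assumes upper-case RUN in shell form.
lint_dockerfile() {
  awk '
    function check(n, text) {
      if (text !~ /^[ \t]*RUN[ \t]/) return
      if (text !~ /(^|[^A-Za-z0-9_-])(wget|curl)[ \t]/) return
      if (text ~ /[ \t](--no-check-certificate|--insecure)([ \t]|$)/) {
        print n ":tls-disabled"; bad = 1
      }
      if (text !~ /sha(256|512)sum[ \t]+(-c|--check)/) {
        print n ":no-checksum"; bad = 1
      }
    }
    {
      if (buf == "") start = NR
      line = $0
      cont = sub(/\\[ \t]*$/, "", line)   # strip a trailing continuation
      buf = buf line " "
      if (!cont) { check(start, buf); buf = "" }
    }
    END { if (buf != "") check(start, buf); exit bad }
  ' "$1"
}

# Demo: expect findings only for the instruction starting on line 2.
sample_dockerfile | lint_dockerfile - || true
```

The `no-checksum` rule only confirms that a `sha256sum -c` or `sha512sum -c` step exists in the same RUN instruction; whether the digest is pinned in the Dockerfile rather than downloaded next to the tarball still needs a human look.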