CI fix for ubuntu runner

[dragosv]

Description

CI fix

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• CI/CD changes

Summary by CodeRabbit

• Chores
  • Enhanced Linux continuous integration environment configuration
  • Added containerized build support for project deployment

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request introduces infrastructure for containerized Zig project builds. A new CI step enables io_uring on Linux runners before Zig setup, and a new Dockerfile configures an Ubuntu 24.04 environment with Zig 0.15.2 for aarch64 architecture to execute integration tests.

Changes

Cohort / File(s)	Summary
CI/CD Workflow .github/workflows/ci.yml	Added a new Linux-specific CI step that enables io_uring via sysctl and disables AppArmor restrictions, executed before Zig setup.
Docker Configuration Dockerfile	New Dockerfile establishing an Ubuntu 24.04-based environment, installing Zig 0.15.2 for aarch64, and setting the default command to run integration tests.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 Hop, hop! A Docker stage appears,
With Zig at last, no more delays or fears,
io_uring hops along with care,
Ubuntu's nest awaits us there!
Build and test with fluffy flair! 🏗️✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is largely incomplete. It only contains a brief 'CI fix' summary and marks CI/CD changes as a type, but is missing most required template sections including detailed description, testing approach, and additional context.	Expand the description with details about what the CI fix addresses, how the io_uring and Dockerfile changes work, testing performed, and any other relevant context about the changes.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'CI fix for ubuntu runner' is directly related to the main changes in the pull request, which focus on enabling io_uring and adding a Dockerfile for Ubuntu-based CI/CD environments.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ci-fix-ubuntu

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (1)

Dockerfile (1)

2-2: Harden and slim apt install step.

Consider --no-install-recommends and cleanup to reduce image size/attack surface.

Suggested fix

-RUN apt-get update && apt-get install -y curl xz-utils
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends curl xz-utils ca-certificates && \
+    rm -rf /var/lib/apt/lists/*

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` at line 2, Update the Dockerfile RUN instruction that installs
packages (the line with RUN apt-get update && apt-get install -y curl xz-utils)
to use --no-install-recommends and perform post-install cleanup: run apt-get
clean and remove /var/lib/apt/lists/* (and keep update/install/cleanup in a
single RUN with &&) so the image is smaller and has fewer unnecessary packages;
ensure the install remains non-interactive.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 24-26: The CI workflow currently swallows sysctl failures by
appending "|| true" to the kernel setup commands (the lines running "sudo sysctl
-w kernel.io_uring_disabled=0" and "sudo sysctl -w
kernel.apparmor_restrict_unprivileged_userns=0"), which can hide
misconfiguration; remove the "|| true" and instead let the step fail (or
explicitly check and exit non‑zero with a clear error message) so CI fails fast
on misconfigured kernels rather than proceeding in a bad state.

In `@Dockerfile`:
- Around line 1-9: The Dockerfile currently runs as root; create a non-root user
and switch to it before CMD: add steps to create a user/group (e.g., "app" or
"ziguser"), chown the WORKDIR (/app) and any required installed binaries
(/opt/zig and /usr/local/bin/zig) to that user, and add a USER directive so the
container runs the zig build command as the non-root user; update references in
the Dockerfile around WORKDIR, the installation steps for /opt/zig, and the
final CMD to ensure correct ownership and permissions.
- Around line 3-6: The RUN step currently hardcodes the aarch64 Zig tarball
causing failures on amd64; update the RUN command that downloads and installs
Zig (the line using curl, tar, mv to /opt/zig and ln -s /opt/zig/zig
/usr/local/bin/zig) to choose the correct archive using Docker's TARGETARCH
variable (e.g., build the filename or URL with ${TARGETARCH} mapped to zig's
naming convention) so the artifact matches the build architecture before
extracting and symlinking.
- Around line 3-4: The Dockerfile currently downloads and directly extracts the
Zig tarball (the RUN line that fetches zig-aarch64-linux-0.15.2.tar.xz and then
tar xf), which is unsafe; change the RUN step to also download the corresponding
.minisig signature file (zig-aarch64-linux-0.15.2.tar.xz.minisig), install or
include the minisign verifier, import the Zig minisign public key, run minisign
-Vm against the downloaded tarball using the .minisig and the known Zig public
key, and only proceed to tar xf if verification succeeds (exit non-zero on
failure) so extraction happens only after signature verification.

---

Nitpick comments:
In `@Dockerfile`:
- Line 2: Update the Dockerfile RUN instruction that installs packages (the line
with RUN apt-get update && apt-get install -y curl xz-utils) to use
--no-install-recommends and perform post-install cleanup: run apt-get clean and
remove /var/lib/apt/lists/* (and keep update/install/cleanup in a single RUN
with &&) so the image is smaller and has fewer unnecessary packages; ensure the
install remains non-interactive.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 37f3e7ce-9fa0-4284-a776-bec296fb0a3d

📥 Commits

Reviewing files that changed from the base of the PR and between b5de801 and d81522c.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• Dockerfile

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Avoid fail-open kernel setup in CI.

Line 25 and Line 26 swallow failures with || true, so CI can proceed in a misconfigured state and fail later in harder-to-diagnose ways.

Suggested fix

       - name: Enable io_uring (Linux)
         if: runner.os == 'Linux'
         run: |
-          sudo sysctl -w kernel.io_uring_disabled=0 || true
-          sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
+          set -euo pipefail
+          sudo sysctl -w kernel.io_uring_disabled=0
+          if [ -f /proc/sys/kernel/apparmor_restrict_unprivileged_userns ]; then
+            sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+          fi

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	run: |
	sudo sysctl -w kernel.io_uring_disabled=0 || true
	sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
	run: |
	set -euo pipefail
	sudo sysctl -w kernel.io_uring_disabled=0
	if [ -f /proc/sys/kernel/apparmor_restrict_unprivileged_userns ]; then
	sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
	fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 24 - 26, The CI workflow currently
swallows sysctl failures by appending "|| true" to the kernel setup commands
(the lines running "sudo sysctl -w kernel.io_uring_disabled=0" and "sudo sysctl
-w kernel.apparmor_restrict_unprivileged_userns=0"), which can hide
misconfiguration; remove the "|| true" and instead let the step fail (or
explicitly check and exit non‑zero with a clear error message) so CI fails fast
on misconfigured kernels rather than proceeding in a bad state.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Run the container as a non-root user.

No USER is set, so tests run as root by default.

Suggested fix

 WORKDIR /app
 COPY . .
+RUN useradd --create-home --uid 10001 appuser && chown -R appuser:appuser /app
+USER appuser
 CMD ["zig", "build", "integration-test", "--summary", "all"]

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	FROM ubuntu:24.04
	RUN apt-get update && apt-get install -y curl xz-utils
	RUN curl -O https://ziglang.org/download/0.15.2/zig-aarch64-linux-0.15.2.tar.xz && \
	tar xf zig-aarch64-linux-0.15.2.tar.xz && \
	mv zig-aarch64-linux-0.15.2 /opt/zig && \
	ln -s /opt/zig/zig /usr/local/bin/zig
	WORKDIR /app
	COPY . .
	CMD ["zig", "build", "integration-test", "--summary", "all"]
	FROM ubuntu:24.04
	RUN apt-get update && apt-get install -y curl xz-utils
	RUN curl -O https://ziglang.org/download/0.15.2/zig-aarch64-linux-0.15.2.tar.xz && \
	tar xf zig-aarch64-linux-0.15.2.tar.xz && \
	mv zig-aarch64-linux-0.15.2 /opt/zig && \
	ln -s /opt/zig/zig /usr/local/bin/zig
	WORKDIR /app
	COPY . .
	RUN useradd --create-home --uid 10001 appuser && chown -R appuser:appuser /app
	USER appuser
	CMD ["zig", "build", "integration-test", "--summary", "all"]

🧰 Tools

🪛 Trivy (0.69.1)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

Learn more

(IaC/Dockerfile)

---

[error] 2-2: 'apt-get' missing '--no-install-recommends'

'--no-install-recommends' flag is missed: 'apt-get update && apt-get install -y curl xz-utils'

Rule: DS-0029

Learn more

(IaC/Dockerfile)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 1 - 9, The Dockerfile currently runs as root; create
a non-root user and switch to it before CMD: add steps to create a user/group
(e.g., "app" or "ziguser"), chown the WORKDIR (/app) and any required installed
binaries (/opt/zig and /usr/local/bin/zig) to that user, and add a USER
directive so the container runs the zig build command as the non-root user;
update references in the Dockerfile around WORKDIR, the installation steps for
/opt/zig, and the final CMD to ensure correct ownership and permissions.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat Dockerfile

Repository: dragosv/testcontainers-zig

Length of output: 446

---

🏁 Script executed:

# Verify if Zig download integrity checks exist elsewhere in the repo
find . -name "*.sha256" -o -name "*.sig" 2>/dev/null | head -20
git ls-files | grep -i "checksum\|hash\|integrity" | head -20

Repository: dragosv/testcontainers-zig

Length of output: 52

---

Use architecture-aware Zig artifact selection.

The Dockerfile hardcodes the aarch64 tarball. On amd64 builds, this fails at runtime with format errors. Use Docker's TARGETARCH variable to select the correct artifact.

Suggested fix

 FROM ubuntu:24.04
+ARG ZIG_VERSION=0.15.2
+ARG TARGETARCH=amd64
 RUN apt-get update && apt-get install -y curl xz-utils
-RUN curl -O https://ziglang.org/download/0.15.2/zig-aarch64-linux-0.15.2.tar.xz && \
-    tar xf zig-aarch64-linux-0.15.2.tar.xz && \
-    mv zig-aarch64-linux-0.15.2 /opt/zig && \
+RUN case "${TARGETARCH}" in \
+      amd64) ZIG_ARCH=x86_64 ;; \
+      arm64) ZIG_ARCH=aarch64 ;; \
+      *) echo "Unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;; \
+    esac && \
+    curl -fsSLO "https://ziglang.org/download/${ZIG_VERSION}/zig-${ZIG_ARCH}-linux-${ZIG_VERSION}.tar.xz" && \
+    tar xf "zig-${ZIG_ARCH}-linux-${ZIG_VERSION}.tar.xz" && \
+    mv "zig-${ZIG_ARCH}-linux-${ZIG_VERSION}" /opt/zig && \
     ln -s /opt/zig/zig /usr/local/bin/zig

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 3 - 6, The RUN step currently hardcodes the aarch64
Zig tarball causing failures on amd64; update the RUN command that downloads and
installs Zig (the line using curl, tar, mv to /opt/zig and ln -s /opt/zig/zig
/usr/local/bin/zig) to choose the correct archive using Docker's TARGETARCH
variable (e.g., build the filename or URL with ${TARGETARCH} mapped to zig's
naming convention) so the artifact matches the build architecture before
extracting and symlinking.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

git ls-files | grep -i dockerfile | head -20

Repository: dragosv/testcontainers-zig

Length of output: 80

---

🌐 Web query:

Zig 0.15.2 official checksums download aarch64 linux

💡 Result:

Zig 0.15.2 for Linux aarch64 is published as:

• zig-aarch64-linux-0.15.2.tar.xz
• signature: zig-aarch64-linux-0.15.2.tar.xz.minisig (same directory)
• ZSF minisign public key (from the official download page):
  RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U [1]

Zig’s official download pages emphasize verifying the .minisig signature (not a published SHA256 list) using that public key. [2]

Verify on Linux:

minisign -Vm zig-aarch64-linux-0.15.2.tar.xz \
  -P RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U

(minisign -Vm ... -P <pubkey> is the standard verification form.) [3]

Sources: [1] Zig download page, [2] Zig community mirrors security notice, [3] minisign README/usage.

---

🏁 Script executed:

cat -n Dockerfile

Repository: dragosv/testcontainers-zig

Length of output: 509

---

Verify Zig tarball integrity before extraction.

The downloaded archive is extracted without signature verification, creating a supply-chain risk. Zig provides minisig signatures alongside releases; use the official verification method instead of SHA256.

Suggested fix

-RUN apt-get update && apt-get install -y curl xz-utils
+RUN apt-get update && apt-get install -y curl xz-utils minisign
-RUN curl -O https://ziglang.org/download/0.15.2/zig-aarch64-linux-0.15.2.tar.xz && \
+RUN curl -fsSLO "https://ziglang.org/download/0.15.2/zig-aarch64-linux-0.15.2.tar.xz" && \
+    curl -fsSLO "https://ziglang.org/download/0.15.2/zig-aarch64-linux-0.15.2.tar.xz.minisig" && \
+    minisign -Vm zig-aarch64-linux-0.15.2.tar.xz -P RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U && \
     tar xf zig-aarch64-linux-0.15.2.tar.xz && \

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 3 - 4, The Dockerfile currently downloads and
directly extracts the Zig tarball (the RUN line that fetches
zig-aarch64-linux-0.15.2.tar.xz and then tar xf), which is unsafe; change the
RUN step to also download the corresponding .minisig signature file
(zig-aarch64-linux-0.15.2.tar.xz.minisig), install or include the minisign
verifier, import the Zig minisign public key, run minisign -Vm against the
downloaded tarball using the .minisig and the known Zig public key, and only
proceed to tar xf if verification succeeds (exit non-zero on failure) so
extraction happens only after signature verification.