Update Dockerfile

[rabin-io]

Summary by CodeRabbit

• Chores
  • Grouped related environment variables into consolidated blocks for a cleaner build configuration.
  • Streamlined tool installation into single-step streaming downloads and in-place extraction, removing intermediate archives and temporary directories.
  • Condensed package install/cleanup steps to reduce image churn and build time, and increased install-time verbosity for clearer build logs.
  • Added final runtime setup steps (working dir, healthcheck, entrypoint) for more predictable container behavior.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[myakove-bot]

Report bugs in Issues

Welcome! 🎉

This pull request will be automatically processed with the following features:

🔄 Automatic Actions

• Reviewer Assignment: Reviewers are automatically assigned based on the "
  "OWNERS file in the repository root
  "
  "* Size Labeling: PR size labels (XS, S, M, L, XL, XXL) are "
  "automatically applied based on changes
  "
  f"* Issue Creation: A tracking issue is created for this PR and will be closed when the PR is merged or closed
  "
  "* Pre-commit Checks: pre-commit runs "
  "automatically if .pre-commit-config.yaml exists
  "
• Branch Labeling: Branch-specific labels are applied to track the target branch
• Auto-verification: Auto-verified users have their PRs automatically marked as verified

📋 Available Commands

PR Status Management

• /wip - Mark PR as work in progress (adds WIP: prefix to title)
• /wip cancel - Remove work in progress status
• /hold - Block PR merging (approvers only)
• /hold cancel - Unblock PR merging
• /verified - Mark PR as verified
• /verified cancel - Remove verification status
• /reprocess - Trigger complete PR workflow reprocessing (useful if webhook failed or configuration changed)

Review & Approval

• /lgtm - Approve changes (looks good to me)
• /approve - Approve PR (approvers only)
• /automerge - Enable automatic merging when all requirements are met (maintainers and approvers only)
• /assign-reviewers - Assign reviewers based on OWNERS file
• /assign-reviewer @username - Assign specific reviewer
• /check-can-merge - Check if PR meets merge requirements

Testing & Validation

• /retest tox - Run Python test suite with tox
• /retest build-container - Rebuild and test container image
• /retest python-module-install - Test Python package installation
• /retest pre-commit - Run pre-commit hooks and checks
• /retest conventional-title - Validate commit message format
• /retest all - Run all available tests

Container Operations

• /build-and-push-container - Build and push container image (tagged with PR number)
  • Supports additional build arguments: /build-and-push-container --build-arg KEY=value

Cherry-pick Operations

• /cherry-pick <branch> - Schedule cherry-pick to target branch when PR is merged
  • Multiple branches: /cherry-pick branch1 branch2 branch3

Label Management

• /<label-name> - Add a label to the PR
• /<label-name> cancel - Remove a label from the PR

✅ Merge Requirements

This PR will be automatically approved when the following conditions are met:

1. Approval: /approve from at least one approver
2. LGTM Count: Minimum 1 /lgtm from reviewers
3. Status Checks: All required status checks must pass
4. No Blockers: No WIP, hold, or conflict labels
5. Verified: PR must be marked as verified (if verification is enabled)

📊 Review Process

Approvers and Reviewers

Approvers:

• myakove
• rnetser

Reviewers:

• myakove
• rnetser

Available Labels

• hold
• verified
• wip
• lgtm
• approve
• automerge

💡 Tips

• WIP Status: Use /wip when your PR is not ready for review
• Verification: The verified label is automatically removed on each new commit
• Cherry-picking: Cherry-pick labels are processed when the PR is merged
• Container Builds: Container images are automatically tagged with the PR number
• Permission Levels: Some commands require approver permissions
• Auto-verified Users: Certain users have automatic verification and merge privileges

For more information, please refer to the project documentation or contact the maintainers.

[coderabbitai]

Walkthrough

Dockerfile refactors: ENV entries consolidated; package install/cleanup simplified; rosa/regctl/hub downloads switched to streamed curl/tar or direct curl into $BIN_DIR, removing intermediate archives and temp dirs; added set -ex, HEALTHCHECK, ENTRYPOINT, and file permission adjustments.

Changes

Cohort / File(s)	Summary
Dockerfile installation & ENV consolidation Dockerfile	Collapsed multiple ENV blocks into single multi-line ENVs; replaced multi-step install/extract/move sequences with condensed dnf RUN and streamed curl -vL piped to tar --strip-components or direct curl into $BIN_DIR for rosa, hub, and regctl; removed intermediate tarballs/temp dirs; added set -ex, final RUN to set permissions, WORKDIR, HEALTHCHECK, and ENTRYPOINT.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Confirm correct --strip-components values for rosa/hub.
• Ensure curl -v verbosity doesn't break piped tar in CI.
• Verify file ownership/permissions and that chmod +x is sufficient.
• Test execution of rosa, regctl, and hub inside the built image.

Possibly related PRs

• Do not run regctl in container #600 — also modifies Dockerfile placement/handling of regctl.
• Add docker to the container #540 — also adjusts the Dockerfile dnf package installation block.

Suggested reviewers

• rnetser

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Update Dockerfile' is vague and generic, lacking specificity about the actual changes made.	Replace with a more descriptive title that captures the main objective, such as 'Optimize Dockerfile with consolidated ENV blocks and streamlined dependency installation' or 'Refactor Dockerfile for improved build efficiency'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

Dockerfile (1)

61-61: Remove unnecessary verbose flag from curl commands.

The -v flag on curl outputs verbose logging to stderr. Since the RUN layer already uses set -x (line 60), debug output is enabled at the shell level, making curl's -v redundant and potentially noisy in build logs.

Apply this diff to simplify:

-  && curl -vL https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/rosa-linux.tar.gz | tar -C $BIN_DIR -xzvf - rosa \
+  && curl -L https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/rosa-linux.tar.gz | tar -C $BIN_DIR -xzvf - rosa \
   && chmod +x $BIN_DIR/rosa \
-  && curl -vL https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 -o $BIN_DIR/regctl \
+  && curl -L https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 -o $BIN_DIR/regctl \
   && chmod +x $BIN_DIR/regctl \
-  && curl -vL https://github.com/mislav/hub/releases/download/v2.14.2/hub-linux-amd64-2.14.2.tgz | tar --strip-components=2 -C $BIN_DIR -xzvf - '*/bin/hub' \
+  && curl -L https://github.com/mislav/hub/releases/download/v2.14.2/hub-linux-amd64-2.14.2.tgz | tar --strip-components=2 -C $BIN_DIR -xzvf - '*/bin/hub' \
   && chmod +x $BIN_DIR/hub

Also applies to: 63-63, 65-65

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f075197 and e5d725e.

📒 Files selected for processing (1)

• Dockerfile (1 hunks)

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (2)

Dockerfile (2)

61-67: Add error handling to curl and tar commands (set -e, --fail).

The RUN layer uses set -x (debugging) but not set -e (exit on error). If curl fails to download or tar fails to extract, the build layer may succeed with partial or missing binaries. Additionally, curl lacks the --fail flag, which causes curl to silently pass HTTP errors (4xx/5xx) to tar or the output file.

Update to use set -ex and add --fail to all curl invocations:

-RUN set -x \
+RUN set -ex \
     && curl -vL https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/rosa-linux.tar.gz | tar -C $BIN_DIR -xzvf - rosa \
     && chmod +x $BIN_DIR/rosa \
-    && curl -vL https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 >$BIN_DIR/regctl \
+    && curl --fail -vL https://github.com/regclient/regclient/releases/latest/download/regctl-linux-amd64 -o $BIN_DIR/regctl \
     && chmod +x $BIN_DIR/regctl \
-    && curl -vL https://github.com/mislav/hub/releases/download/v2.14.2/hub-linux-amd64-2.14.2.tgz | tar --strip-components=2 -C $BIN_DIR -xzvf - '*/bin/hub' \
+    && curl --fail -vL https://github.com/mislav/hub/releases/download/v2.14.2/hub-linux-amd64-2.14.2.tgz | tar --strip-components=2 -C $BIN_DIR -xzvf - '*/bin/hub' \
     && chmod +x $BIN_DIR/hub

Key improvements:

• set -ex: Exits immediately on any error and echoes commands for debugging.
• --fail on all curl commands: Causes curl to exit with non-zero status on HTTP 4xx/5xx errors.
• -o instead of > for regctl: Ensures curl detects and reports download failures before writing to the file.

---

61-67: Clarify versioning strategy for reproducibility.

The three tools use inconsistent versioning: rosa and regctl both use latest, while hub is pinned to v2.14.2. This makes builds non-deterministic—rosa and regctl may pull different versions on subsequent builds while hub remains fixed.

Choose a consistent strategy:

Option A: Pin all versions for full reproducibility

RUN set -ex \
    && curl --fail -vL https://mirror.openshift.com/pub/openshift-v4/clients/rosa/v1.X.X/rosa-linux.tar.gz | tar -C $BIN_DIR -xzvf - rosa \
    && chmod +x $BIN_DIR/rosa \
    && curl --fail -vL https://github.com/regclient/regclient/releases/download/vX.X.X/regctl-linux-amd64 -o $BIN_DIR/regctl \
    && chmod +x $BIN_DIR/regctl \
    && curl --fail -vL https://github.com/mislav/hub/releases/download/v2.14.2/hub-linux-amd64-2.14.2.tgz | tar --strip-components=2 -C $BIN_DIR -xzvf - '*/bin/hub' \
    && chmod +x $BIN_DIR/hub

Option B: Use "latest" for all, with documented maintenance policy
Add a clear comment explaining the rationale and commit to periodic reviews/updates.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6080310 and 1a8fb92.

📒 Files selected for processing (1)

• Dockerfile (2 hunks)

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

Dockerfile (1)

61-67: Versioning strategy remains inconsistent.

Rosa and Regctl downloads use latest, while Hub uses a pinned version (v2.14.2). This mix creates non-deterministic builds and makes version tracking difficult. This issue was raised in the previous review and remains unaddressed.

Choose one strategy:

• Option A (Recommended): Pin all versions explicitly
• Option B: Document the "latest" approach with explicit maintenance cadence

🧹 Nitpick comments (1)

Dockerfile (1)

58-58: Non-deterministic uv image tag undermines build reproducibility.

The COPY instruction uses ghcr.io/astral-sh/uv:latest, which can pull different versions on subsequent builds. This conflicts with the goal of reproducible builds, especially when tools like rosa and hub have versioning considerations.

Consider pinning to a specific version:

-COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx ${BIN_DIR}/
+COPY --from=ghcr.io/astral-sh/uv:0.5.0 /uv /uvx ${BIN_DIR}/

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bf3b594 and 3b6100a.

📒 Files selected for processing (1)

• Dockerfile (3 hunks)

🔇 Additional comments (5)

Dockerfile (5)

5-10: ENV variable ordering fixed correctly.

The reordering now ensures $USERNAME is defined before $HOME_DIR and $BIN_DIR, resolving the earlier critical issue. Environment variable expansion should now work as intended.

---

14-34: Clean package installation consolidation.

The consolidation of dnf commands with consistent flags (--nodocs, install_weak_deps=False, --disable-repo) and extended cleanup (line 34) helps reduce image size and improves consistency. The cleanup targets appear appropriate for DNF/YUM artifact removal.

---

52-56: UV environment variables consolidated effectively.

Grouping UV-related variables in a single ENV block improves readability and reduces layer count.

---

61-67: Curl error handling properly implemented.

The use of set -ex (line 61), --fail on all curl commands (lines 62, 64, 66), and explicit -o for the regctl download ensure proper error propagation. This addresses the previous critical issue about missing error handling in download operations.

---

73-75: New operational improvements appreciated.

The addition of HEALTHCHECK (line 73) and explicit ENTRYPOINT (line 75) improve container observability and runtime behavior, making the image more production-ready.

[rabin-io]

/verified

[myakove-bot]

New container for ghcr.io/myk-org/github-webhook-server:latest published