Add multi-arch build tooling for rebasebot image (#36)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Walkthrough
This PR introduces a complete container build infrastructure for rebasebot. It defines a UBI9-based Python 3.12 container image with multi-architecture support (amd64/arm64), provides a Bash script that orchestrates the Podman multi-arch build and optional registry push to quay.io, and wraps the automation with convenient Make targets for developers.
Actionable comments posted: 2
Prompt for all review comments with AI agents:
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@tools/build-rebasebot/build.sh`:
- Around line 7-38: Replace the fixed CLONE_DIR with a unique temporary
workspace created at runtime (use mktemp -d) and register a trap to remove it on
EXIT to avoid cross-run collisions; update usages of CLONE_DIR (the git
clone/fetch/checkout/reset blocks) to operate on this temp dir and ensure the
script still respects REBASEBOT_REPO, and remove reliance on a persistent
/tmp/rebasebot directory so concurrent runs won’t clobber each other.
In `@tools/build-rebasebot/Containerfile`:
- Around line 11-13: Update the Containerfile download block that uses
GO_VERSION and ARCH: after downloading /tmp/go.tar.gz with curl, also curl the
corresponding .sha256 file from
https://go.dev/dl/go${GO_VERSION}.linux-${ARCH}.tar.gz.sha256, compute the
SHA-256 of /tmp/go.tar.gz (e.g., via sha256sum or shasum -a 256), compare it to
the expected digest from the downloaded .sha256 file, and abort the build (exit
non‑zero) if they differ; only proceed to tar -C /usr/local -xzf /tmp/go.tar.gz
and rm -f /tmp/go.tar.gz when the checksum matches, and ensure any temporary
checksum files are cleaned up on both success and failure.
Files selected for processing (3):
tools/build-rebasebot/Containerfile
tools/build-rebasebot/Makefile
tools/build-rebasebot/build.sh
tools/build-rebasebot/build.sh:

CLONE_DIR="/tmp/rebasebot"
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

DRY_RUN=false
for arg in "$@"; do
  case "$arg" in
    --dry-run) DRY_RUN=true ;;
    --help|-h)
      echo "Usage: $0 [--dry-run]"
      echo ""
      echo "Build and push a multi-arch rebasebot container image."
      echo ""
      echo "Options:"
      echo "  --dry-run  Build the image but don't push to quay.io"
      echo "  --help     Show this help message"
      exit 0
      ;;
    *)
      echo "Unknown option: $arg"
      exit 1
      ;;
  esac
done

echo "==> Cloning/updating rebasebot source..."
if [[ -d "$CLONE_DIR" ]]; then
  git -C "$CLONE_DIR" fetch origin
  git -C "$CLONE_DIR" checkout main
  git -C "$CLONE_DIR" reset --hard origin/main
else
  git clone "$REBASEBOT_REPO" "$CLONE_DIR"
fi
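Review bot: the `if [[ -d "$CLONE_DIR" ]]` branch trusts whatever already sits at the fixed path /tmp/rebasebot. Because /tmp is shared, that directory may have been created by another user or left over from a different run, and `git fetch origin` followed by `reset --hard origin/main` then builds from whatever `origin` that checkout points at, not necessarily "$REBASEBOT_REPO". Either create the workspace per run with mktemp -d, or, if the cached clone is wanted, compare `git -C "$CLONE_DIR" remote get-url origin` with "$REBASEBOT_REPO" before fetching and re-clone on any mismatch.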
Avoid shared /tmp/rebasebot; use an isolated temp workspace per run.
Line 7 creates cross-run state that can be clobbered by another invocation while this script is building/pushing. Make the clone directory unique and auto-cleaned.
Proposed fix
-CLONE_DIR="/tmp/rebasebot"
+CLONE_DIR="$(mktemp -d /tmp/rebasebot.XXXXXX)"
+trap 'rm -rf "$CLONE_DIR"' EXIT
@@
-echo "==> Cloning/updating rebasebot source..."
-if [[ -d "$CLONE_DIR" ]]; then
- git -C "$CLONE_DIR" fetch origin
- git -C "$CLONE_DIR" checkout main
- git -C "$CLONE_DIR" reset --hard origin/main
-else
- git clone "$REBASEBOT_REPO" "$CLONE_DIR"
-fi
+echo "==> Cloning rebasebot source..."
+git clone --depth 1 "$REBASEBOT_REPO" "$CLONE_DIR"
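Review bot: the replacement drops the explicit `checkout main`, so `git clone --depth 1 "$REBASEBOT_REPO" "$CLONE_DIR"` builds from whatever the remote's default branch happens to be, where the original block pinned main; add `--branch main` to keep that behaviour, and drop `--depth 1` if anything later in the build needs tags or history. Registering `trap 'rm -rf "$CLONE_DIR"' EXIT` immediately after mktemp, before the clone, is the right order: a failed clone still gets cleaned up.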
tools/build-rebasebot/Containerfile:

    curl -fLsS -o /tmp/go.tar.gz "https://go.dev/dl/go${GO_VERSION}.linux-${ARCH}.tar.gz" && \
    tar -C /usr/local -xzf /tmp/go.tar.gz && \
    rm -f /tmp/go.tar.gz && \

Analysis chain
Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the Containerfile around the referenced lines
echo "=== tools/build-rebasebot/Containerfile (lines 1-80) ==="
sed -n '1,80p' tools/build-rebasebot/Containerfile | cat -n
echo
echo "=== tools/build-rebasebot/Containerfile (lines 80-200) ==="
sed -n '80,200p' tools/build-rebasebot/Containerfile | cat -n
echo
echo "=== Search repo for go checksum / sha256 verification ==="
rg -n "go.*(sha256|checksum|checksums|SIGNATURE|gpg|verify)" -S . || true
echo
echo "=== Search repo for go tarball download pattern ==="
rg -n "go\.dev/dl/go\$\{?GO_VERSION\}?\..*\.tar\.gz" -S tools/build-rebasebot/Containerfile . || true

Repository: oadp-rebasebot/oadp-rebase
Web query:
Official Go downloads checksum file format for *.sha256 (e.g., go1.22.3.linux-amd64.tar.gz.sha256) and recommended verification approach

Result:
Official Go download checksum files use the plain-text SHA-256 hex digest for the corresponding archive, published at a URL formed by appending ".sha256" to the archive filename (e.g. https://dl.google.com/go/go1.22.3.linux-amd64.tar.gz.sha256) [1][2]. The checksum value is the expected hexadecimal hash with no additional checksum metadata in that file; Go's own download verification code reads the entire ".sha256" response as text, trims whitespace, and compares it to the computed SHA-256 of the downloaded archive [1][2].

Recommended verification approach (practical):
1) Download the archive.
2) Download the matching ".sha256" file.
3) Compute SHA-256 of the archive and compare to the expected hex string.

Example (Linux/macOS): sha256sum go1.22.3.linux-amd64.tar.gz, then compare the resulting 64-hex-character digest to the contents you got from go1.22.3.linux-amd64.tar.gz.sha256 [1][2].

Notes / security best practice: SHA-256 verification checks integrity (detects tampering/corruption) but doesn't by itself establish publisher identity; for stronger assurance, also verify Go's cryptographic signatures (the ".asc" files) when available, in addition to checksum verification [3][4].
Citations:
- 1: https://github.com/golang/dl/blob/master/internal/version/version.go
- 2: https://go.googlesource.com/tools/+/refs/tags/v0.5.0/cmd/getgo/download.go
- 3: https://github.com/golang/go/blob/85525c56ab5fdb214fee70b4b4cce8700344258b/doc/install.html
- 4: https://blog.orenfromberg.tech/install-golang-securely/
Verify Go tarball integrity before extraction in tools/build-rebasebot/Containerfile.
curl downloads https://go.dev/dl/go${GO_VERSION}.linux-${ARCH}.tar.gz and tar extracts it without any integrity validation. Add verification using the archive-specific .sha256 published by Go for the exact version/arch, compare the computed SHA-256 to the expected hex digest, and abort the build on mismatch.
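The checksum step this comment asks for, as an added example written for this page (POSIX sh, not code from the PR): verify_go_tarball enforces the bare-hex .sha256 format that go.dev publishes, and install_go shows how the Containerfile's RUN block would wire it in. GO_VERSION and ARCH are the PR's build args; sha256_of, verify_go_tarball and install_go are this example's own names.

```shell
#!/bin/sh
# Added example, not code from the PR: the integrity check the review asks for
# in the Containerfile's Go download step, written as POSIX sh so it runs under
# the /bin/sh that a RUN instruction uses.
set -eu

# Print the SHA-256 hex digest of a file with whichever tool the image has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_go_tarball ARCHIVE SHA256_FILE -> 0 on match, 1 otherwise.
# go.dev's .sha256 files hold only the bare hex digest; whitespace is trimmed
# the way Go's own downloader does, and the digest is lower-cased before the
# compare. Anything that is not exactly 64 hex characters is rejected outright.
verify_go_tarball() {
    archive="$1"; sumfile="$2"
    expected="$(tr -d '[:space:]' < "$sumfile" | tr 'A-F' 'a-f')"
    if ! printf '%s' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "refusing to verify: $sumfile is not a 64-hex SHA-256 digest" >&2
        return 1
    fi
    actual="$(sha256_of "$archive")"
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $archive: got $actual, want $expected" >&2
        return 1
    fi
}

# Hypothetical replacement for the Containerfile's download block (GO_VERSION
# and ARCH are the PR's build args). tar runs only after a matching digest, and
# the tarball plus .sha256 are removed on both the success and the failure path.
install_go() {
    url="https://go.dev/dl/go${GO_VERSION}.linux-${ARCH}.tar.gz"
    rc=0
    curl -fLsS -o /tmp/go.tar.gz "$url" \
        && curl -fLsS -o /tmp/go.tar.gz.sha256 "$url.sha256" \
        && verify_go_tarball /tmp/go.tar.gz /tmp/go.tar.gz.sha256 \
        && tar -C /usr/local -xzf /tmp/go.tar.gz \
        || rc=$?
    rm -f /tmp/go.tar.gz /tmp/go.tar.gz.sha256
    return "$rc"
}
```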
Summary
- tools/build-rebasebot/ with a Containerfile, build script, and Makefile for building and pushing the quay.io/migtools/rebasebot:latest multi-arch container image (linux/amd64 + linux/arm64).
- Builds from the openshift-eng/rebasebot source but uses our own Containerfile, so we control the build definition independently of upstream.
- make build (dry run) or make push (build + push to quay.io).

Context
The upstream rebasebot repo has a Containerfile but no multi-arch build process or CI that publishes to quay.io/migtools/rebasebot. Previously the image was built and pushed manually with no repeatable process. This tooling captures the full multi-arch manifest workflow so it can be repeated whenever upstream changes land (e.g. openshift-eng/rebasebot#92).

Test plan
- make build completes successfully, producing a manifest with both linux/amd64 and linux/arm64
- podman run --rm quay.io/migtools/rebasebot:latest --help works on the built image
- make push pushes successfully to quay.io (pending push access)

Generated with Claude Code