feat(examples): add Go and Rust runtime templates#735

Open
bqx619 wants to merge 1 commit into TencentCloud:master from bqx619:feature/runtime-templates
Conversation

bqx619 commented Jul 3, 2026

Summary

  • Add template-authoring examples for Go and Rust runtimes based on cubesandbox-base.
  • Include Dockerfiles, sample workspaces, SDK smoke scripts, env examples, .dockerignore, and bilingual READMEs for both templates.
  • Register both examples in the English and Chinese examples index.

Verification

  • docker build --platform linux/amd64 -t cubesandbox-go-runtime:local examples/go-runtime-template
  • docker build --platform linux/amd64 -t cubesandbox-rust-runtime:local examples/rust-runtime-template
  • Python syntax check for both smoke.py scripts

Refs #645, #645 (comment)

@bqx619 bqx619 requested a review from tinklone as a code owner July 3, 2026 08:32
Comment thread on examples/go-runtime-template/smoke.py (outdated)
Comment thread on examples/rust-runtime-template/smoke.py (outdated)
package main

import "testing"

Suggestion: Consider adding a second test case for Greeting("Alice") to cover the non-empty name branch. As a template example meant to teach testing patterns, having only one test that covers only one conditional branch is incomplete. This also applies to the Rust lib.rs test.

Comment thread examples/rust-runtime-template/workspace/hello-rust/src/lib.rs
cubesandboxbot (bot) commented Jul 3, 2026

PR Review: Go and Rust Runtime Templates

Reviewed by: code-quality-reviewer, security-code-reviewer, test-coverage-reviewer, documentation-accuracy-reviewer, performance-reviewer

Overall: Clean, well-structured PR. 23 files added (0 modified, 0 deleted). Both Go and Rust templates follow their respective ecosystem conventions correctly. All issues below are minor; nothing blocking.


🔒 Security

Rust Dockerfile: curl | sh without checksum verification (examples/rust-runtime-template/Dockerfile:34-35)
The Rust toolchain installer is piped directly to sh with no checksum or signature check. If sh.rustup.rs were compromised, arbitrary code executes at build time. The Go template uses a safer pattern (download tarball to file, then extract). Recommend using the rustup-init binary with SHA-256 verification. (Security: medium/informational)


📖 Documentation

  1. README smoke command listings omit the test assertion — Both Go and Rust READMEs show cat /workspace/runtime-smoke/marker.txt but the actual smoke.py scripts additionally run test "..." = go-runtime-ok / rust-runtime-ok. The documented command list should include this assertion.

  2. "Example override" blocks use default values — The override examples override GO_VERSION=1.25.4 (Go) and RUST_TOOLCHAIN=1.89 (Rust), which are the same as the defaults. Using a non-default value would meaningfully demonstrate the pattern.


⚡ Performance

Go tarball download lacks checksum (examples/go-runtime-template/Dockerfile:39-42) — A ~150MB tarball is downloaded with no checksum validation. A corrupted download would waste a full rebuild cycle. Adding a SHA-256 check (Go publishes checksums with each release) would prevent this.

Rust curl could use --retry 3 (examples/rust-runtime-template/Dockerfile:34) — Adds transient network resilience without cost.


✅ Resolved favorably

  • rm -rf target/ in Rust Dockerfile — Confirmed it's in the same RUN layer, so build artifacts never commit to the final image. Correct.
  • Rust chown of RUSTUP_HOME / CARGO_HOME — Intentionally making toolchain paths writable by non-root user for runtime crate installation. Reasonable design.
  • Go and Rust tests — Adequate coverage of both default-name and provided-name code paths. Integration smoke tests validate full sandbox lifecycle.
  • Layer ordering — Both Dockerfiles correctly place mutable workspace code after toolchain installation, preserving layer cache for workspace changes.

Add template-authoring examples for Go and Rust runtimes built on
cubesandbox-base.

Refs TencentCloud#645
bqx619 force-pushed the feature/runtime-templates branch from e003d4d to 378df46 on July 3, 2026 15:01

Comment thread on examples/rust-runtime-template/Dockerfile
pkg-config \
&& rm -rf /var/lib/apt/lists/*

RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \


Supply-chain risk: curl | sh without checksum verification

The Rust installer is fetched and piped directly to sh without any checksum or signature verification. If sh.rustup.rs were compromised, arbitrary code would execute at build time.

The Go template avoids this by downloading a tarball to a file rather than piping to a shell. Consider using the rustup-init binary with SHA-256 verification published at static.rust-lang.org/rustup/dist/<arch>/rustup-init.sha256. For a template meant to be copied and reused, this defense-in-depth improvement would be valuable.
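
The download-then-verify pattern both reviewers ask for (the bot's Security and Performance items above, and the comment directly above), as an added example written for this page rather than code from the PR or the cubesandbox project. The helper names `digest_of`, `verify_sha256` and `fetch_verified`, the build-arg names `RUSTUP_INIT_SHA256` and `GO_TARBALL_SHA256`, and the assumption that rustup's rustup-init.sha256 is a `<hex> *rustup-init` line are mine; `GO_VERSION` and `RUST_TOOLCHAIN` are the template's own build args as named in the review, and the go.dev `.sha256` files are assumed to serve the bare hex digest.

```shell
#!/bin/sh
# Added example for this review thread, not code from the PR or the project.
# Assumed tooling: POSIX sh, curl, and sha256sum (coreutils) or shasum (BSD/macOS).
set -eu

# Print the lowercase hex SHA-256 of FILE using whichever tool is installed.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print tolower($1)}'
    else
        shasum -a 256 "$1" | awk '{print tolower($1)}'
    fi
}

# verify_sha256 FILE EXPECTED
# EXPECTED is either a bare hex digest (assumed format of go.dev/dl/<tarball>.sha256)
# or a "<hex>  name" / "<hex> *name" line as written by sha256sum and, by assumption
# here, by rustup's rustup-init.sha256; only the first whitespace-separated field is
# used. Returns 2 on a malformed digest, 1 on a mismatch, 0 on a match.
verify_sha256() {
    file=$1
    expected=$(printf '%s\n' "$2" | awk 'NR==1 {print tolower($1)}')
    case "$expected" in
        *[!0-9a-f]* | '')
            printf 'malformed SHA-256 digest: %s\n' "$2" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { printf 'digest must be 64 hex chars\n' >&2; return 2; }
    actual=$(digest_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# fetch_verified URL DEST EXPECTED
# Download to a file (never pipe to sh), retry transient failures, verify, and
# delete the artifact on mismatch so a corrupted or tampered download fails the
# build loudly instead of leaving a half-trusted file in the layer.
fetch_verified() {
    url=$1; dest=$2; expected=$3
    curl --proto '=https' --tlsv1.2 -sSf --retry 3 -o "$dest" "$url"
    verify_sha256 "$dest" "$expected" || { rm -f "$dest"; return 1; }
}

# Dockerfile usage sketch (ARG names are illustrative; assumes this script was
# COPY'd into the image and sourced in the same RUN). The digests are read once
# from the publisher's checksum files when the template is authored and pinned
# in the repo, so the build compares against a committed value rather than one
# fetched at build time from the same host that serves the binary:
#
#   ARG RUST_TOOLCHAIN=1.89
#   ARG RUSTUP_INIT_SHA256=<hex from static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init.sha256>
#   RUN . /usr/local/lib/fetch.sh \
#    && fetch_verified https://static.rust-lang.org/rustup/dist/x86_64-unknown-linux-gnu/rustup-init \
#           /tmp/rustup-init "$RUSTUP_INIT_SHA256" \
#    && chmod +x /tmp/rustup-init \
#    && /tmp/rustup-init -y --profile minimal --default-toolchain "$RUST_TOOLCHAIN" \
#    && rm -f /tmp/rustup-init
#
#   ARG GO_VERSION=1.25.4
#   ARG GO_TARBALL_SHA256=<hex from go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz.sha256>
#   RUN . /usr/local/lib/fetch.sh \
#    && fetch_verified "https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" \
#           /tmp/go.tgz "$GO_TARBALL_SHA256" \
#    && tar -C /usr/local -xzf /tmp/go.tgz && rm -f /tmp/go.tgz
```

One consequence worth stating in the template README: overriding `GO_VERSION` or `RUST_TOOLCHAIN` with `--build-arg` without also supplying the matching digest makes the build fail closed at the verification step. That is the intended behaviour; a version bump is a supply-chain change and should carry its new checksum with it.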

