
Use dev image #419

Open
Matts966 wants to merge 3 commits into main from hotfix/use-dev-image

Conversation


@Matts966 Matts966 commented Apr 10, 2026

Summary by CodeRabbit

  • Chores
    • Updated container images for CI/CD workflows used in automated testing and security scanning operations.


coderabbitai Bot commented Apr 10, 2026

Walkthrough

Two GitHub Actions workflows updated to use the vald-dev-container:nightly image instead of vald-ci-container:nightly for their respective jobs. Container image configuration changes only; no workflow logic, step ordering, or triggering conditions were modified.

Changes

Cohort / File(s): GitHub Actions Workflow Container Updates
  .github/workflows/e2e.yaml, .github/workflows/fossa.yml
Summary: Updated container image registry reference from vald-ci-container:nightly to vald-dev-container:nightly across E2E and FOSSA scan jobs, affecting the runtime environment for test execution and security scanning.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested labels

type/ci

Poem

🐳 Dev containers now lead the way,
CI pipelines dance and play,
Nightly builds with fresher gear,
Workflows spring to life so clear! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name: Title check
Status: ❓ Inconclusive
Explanation: The title 'Use dev image' is vague and non-descriptive, failing to communicate which container image is being changed or why the switch from CI to dev container matters.
Resolution: Consider a more specific title like 'Switch E2E and FOSSA workflows to use dev container image' to clearly indicate the scope and purpose of the changes.

✅ Passed checks (2 passed)

Check name: Description Check
Status: ✅ Passed
Explanation: Check skipped - CodeRabbit’s high-level summary is enabled.

Check name: Docstring Coverage
Status: ✅ Passed
Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



CLAassistant commented Apr 10, 2026

CLA assistant check
All committers have signed the CLA.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/e2e.yaml:
- Line 28: Replace the mutable image tag
"ghcr.io/vdaas/vald/vald-dev-container:nightly" with an immutable digest
reference; fetch the current image digest from the registry (e.g.,
ghcr.io/vdaas/vald/vald-dev-container@sha256:<digest>) and update the workflow
image line to use that `@sha256`:... form so the E2E job runs a reproducible,
pinned container image.

In @.github/workflows/fossa.yml:
- Line 15: Replace the mutable, shorthand image reference
"vdaas/vald-dev-container:nightly" with the canonical registry path and a pinned
digest used elsewhere (e.g., use
ghcr.io/vdaas/vald/vald-dev-container@sha256:<actual-digest>), updating the
image line in the workflow to that exact digest; ensure you obtain and insert
the current sha256 digest for the same image version referenced in e2e.yaml so
the workflow uses the immutable, canonical image.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8493f9b7-3f32-4f5a-8467-d612092966df

📥 Commits

Reviewing files that changed from the base of the PR and between 1df691e and 303b5a4.

📒 Files selected for processing (2)
  • .github/workflows/e2e.yaml
  • .github/workflows/fossa.yml

runs-on: ubuntu-latest
container:
image: ghcr.io/vdaas/vald/vald-ci-container:nightly
image: ghcr.io/vdaas/vald/vald-dev-container:nightly
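Review bot: neither the PR description nor the workflow says why the E2E job moves from vald-ci-container to vald-dev-container, so a future reader of e2e.yaml cannot tell whether the dev image is required (missing tooling in the CI image) or just convenient; add one sentence to the PR body or a YAML comment above the `image:` line stating the reason, which also addresses the vague-title finding in the pre-merge checks.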

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cd /tmp && find . -name "e2e.yaml" -path "*/.github/workflows/*" 2>/dev/null | head -5

Repository: vdaas/vald-client-java

Length of output: 48


🏁 Script executed:

git ls-files | grep -E "\.github/workflows.*\.ya?ml" | head -20

Repository: vdaas/vald-client-java

Length of output: 332


🏁 Script executed:

cat -n .github/workflows/e2e.yaml | head -50

Repository: vdaas/vald-client-java

Length of output: 1330


🏁 Script executed:

cat .github/workflows/e2e.yaml

Repository: vdaas/vald-client-java

Length of output: 1092


Pin the workflow container image by digest, not :nightly.

Using a mutable tag makes the E2E runtime non-reproducible and can silently introduce unreviewed image changes. Prefer an immutable digest (@sha256:...) and update it intentionally.

Suggested change
-      image: ghcr.io/vdaas/vald/vald-dev-container:nightly
+      image: ghcr.io/vdaas/vald/vald-dev-container@sha256:<approved_digest>

runs-on: ubuntu-latest
container:
image: vdaas/vald-ci-container:nightly
image: vdaas/vald-dev-container:nightly
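Review bot: `vdaas/vald-dev-container:nightly` carries no registry host, so the runner resolves it to Docker Hub, whereas e2e.yaml in this same PR pulls `ghcr.io/vdaas/vald/vald-dev-container:nightly`; unless the image is published identically to both registries, the FOSSA scan and the E2E job run in different containers. Suggest using the same `ghcr.io/vdaas/vald/vald-dev-container` path here so both workflows reference one image, and pinning it by digest as in the e2e.yaml suggestion.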

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, explore the workflows directory structure
find .github/workflows -type f -name "*.yml" -o -name "*.yaml" | head -20

Repository: vdaas/vald-client-java

Length of output: 332


🏁 Script executed:

# Check the specific file mentioned in the review
cat -n .github/workflows/fossa.yml | head -30

Repository: vdaas/vald-client-java

Length of output: 1149


🏁 Script executed:

# Check e2e.yaml to compare image reference format
cat -n .github/workflows/e2e.yaml | grep -A 2 -B 2 "image:"

Repository: vdaas/vald-client-java

Length of output: 274


🏁 Script executed:

# Search for all image references in workflow files to understand patterns
rg "image:\s+" .github/workflows/ -A 1 -B 1

Repository: vdaas/vald-client-java

Length of output: 552


🏁 Script executed:

# Check all image references in workflows
rg "image:" .github/workflows/ | grep -v "actions/" | sort -u

Repository: vdaas/vald-client-java

Length of output: 225


🏁 Script executed:

# Look for any docs about image or container standards
find . -type f \( -name "*.md" -o -name "*.txt" \) | xargs grep -l "vald-dev-container\|container.*image" 2>/dev/null | head -5

Repository: vdaas/vald-client-java

Length of output: 48


Align image reference format with canonical registry path and remove mutable tag.

The fossa.yml workflow uses vdaas/vald-dev-container:nightly, which differs from e2e.yaml's ghcr.io/vdaas/vald/vald-dev-container:nightly in two ways: the shorthand registry reference (vulnerable to registry confusion attacks) and the mutable :nightly tag. For consistency, supply-chain security, and reproducibility, use the canonical registry path and pin by digest.

Suggested change
-      image: vdaas/vald-dev-container:nightly
+      image: ghcr.io/vdaas/vald/vald-dev-container@sha256:<approved_digest>
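Both review comments above come down to the same two checks on a workflow's `image:` line: is the registry stated explicitly, and is the image pinned by digest rather than a mutable tag. The following is an added example, not code from this PR, from the vald project or from CodeRabbit: a small linter that parses container image references the way container runtimes normalize them (a leading path component is a registry host only if it contains a '.' or ':' or is 'localhost'; otherwise docker.io is implied and bare names live under library/), then flags implied registries, tag-only references and placeholder digests. The workflow fragments and the 64-character digest in the samples are constructed for the example; the image strings mirror the two references discussed in this review.

```python
"""Lint GitHub Actions workflow text for container image references that
are mutable (tag instead of digest) or rely on an implied registry."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample workflow fragments (not the project's real files). The
# first two image lines mirror the references discussed in the review; the
# third shows the digest-pinned form, with a made-up digest value.
SAMPLE_E2E = """\
jobs:
  e2e:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/vdaas/vald/vald-dev-container:nightly
"""
SAMPLE_FOSSA = """\
jobs:
  fossa:
    runs-on: ubuntu-latest
    container:
      image: vdaas/vald-dev-container:nightly
"""
SAMPLE_PINNED = """\
jobs:
  e2e:
    container:
      image: ghcr.io/vdaas/vald/vald-dev-container@sha256:""" + "a" * 64 + "\n"


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]
    registry_implied: bool  # True when the reference named no registry host


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest
    following the normalization rules container runtimes apply."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    head, sep, rest = ref.partition("/")
    if sep and ("." in head or ":" in head or head == "localhost"):
        registry, path, implied = head, rest, False
    else:
        # No registry host given: Docker Hub is assumed, and a bare name
        # such as "ubuntu" means the official "library/ubuntu" repository.
        registry, path, implied = "docker.io", ref, True
        if "/" not in path:
            path = "library/" + path
    tag = None
    last_slash = path.rfind("/")
    last_colon = path.rfind(":")
    if last_colon > last_slash:  # a colon after the last slash starts the tag
        path, tag = path[:last_colon], path[last_colon + 1:]
    return ImageRef(registry, path, tag, digest, implied)


DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
IMAGE_LINE_RE = re.compile(r'''^\s*image:\s*["']?([^\s"']+)''')


def check_ref(ref: ImageRef) -> list[str]:
    """Return the supply-chain findings for one parsed reference."""
    findings = []
    if ref.registry_implied:
        findings.append("registry implied (resolves to docker.io); use the canonical host")
    if ref.digest is None:
        shown = ref.tag or "latest (implicit)"
        findings.append(f"mutable tag '{shown}'; pin with @sha256:<digest>")
    elif not DIGEST_RE.match(ref.digest):
        findings.append(f"digest '{ref.digest}' is not a valid sha256 digest")
    return findings


def lint_workflow(text: str) -> list[tuple[int, str, list[str]]]:
    """Scan workflow text and return (line number, image reference, findings)
    for every image line that has at least one finding."""
    results = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = IMAGE_LINE_RE.match(line)
        if not m:
            continue
        raw = m.group(1)
        findings = check_ref(parse_image_ref(raw))
        if findings:
            results.append((lineno, raw, findings))
    return results


if __name__ == "__main__":
    samples = [("e2e.yaml", SAMPLE_E2E), ("fossa.yml", SAMPLE_FOSSA), ("pinned", SAMPLE_PINNED)]
    for name, text in samples:
        for lineno, raw, findings in lint_workflow(text):
            print(f"{name}:{lineno}: {raw}")
            for finding in findings:
                print(f"    - {finding}")
```

Run against the two constructed fragments, the e2e.yaml line yields one finding (mutable tag) and the fossa.yml line yields two (implied registry and mutable tag), which is exactly the distinction the two review comments draw; the pinned fragment yields none, while a placeholder such as `@sha256:<approved_digest>` is reported as an invalid digest so it cannot be merged by mistake.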
