2 changes: 1 addition & 1 deletion .github/workflows/e2e.yaml
@@ -25,7 +25,7 @@ jobs:
e2e:
runs-on: ubuntu-latest
container:
image: ghcr.io/vdaas/vald/vald-ci-container:nightly
image: ghcr.io/vdaas/vald/vald-dev-container:nightly
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cd /tmp && find . -name "e2e.yaml" -path "*/.github/workflows/*" 2>/dev/null | head -5

Repository: vdaas/vald-client-java

Length of output: 48


🏁 Script executed:

git ls-files | grep -E "\.github/workflows.*\.ya?ml" | head -20

Repository: vdaas/vald-client-java

Length of output: 332


🏁 Script executed:

cat -n .github/workflows/e2e.yaml | head -50

Repository: vdaas/vald-client-java

Length of output: 1330


🏁 Script executed:

cat .github/workflows/e2e.yaml

Repository: vdaas/vald-client-java

Length of output: 1092


Pin the workflow container image by digest, not :nightly.

Using a mutable tag makes the E2E runtime non-reproducible and can silently introduce unreviewed image changes. Prefer an immutable digest (@sha256:...) and update it intentionally.

Suggested change
-      image: ghcr.io/vdaas/vald/vald-dev-container:nightly
+      image: ghcr.io/vdaas/vald/vald-dev-container@sha256:<approved_digest>
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/e2e.yaml at line 28, replace the mutable image tag
"ghcr.io/vdaas/vald/vald-dev-container:nightly" with an immutable digest
reference; fetch the current image digest from the registry (e.g.,
ghcr.io/vdaas/vald/vald-dev-container@sha256:<digest>) and update the workflow
image line to use that `@sha256:...` form so the E2E job runs a reproducible,
pinned container image.

options: "--add-host host.docker.internal:host-gateway"
steps:
- uses: actions/checkout@v3
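Review bot: The same pinning concern applies to `- uses: actions/checkout@v3` in this hunk's trailing context: `v3` is a moving tag, so the checkout step is no more reproducible than the `:nightly` image; pin it to a full commit SHA and note the version in a trailing comment. The digest pin on `image:` also matters more here than in a plain job, because `options: "--add-host host.docker.internal:host-gateway"` gives whatever runs inside the image a route to the runner host, so the contents of that image should be an explicitly approved, reviewed digest rather than whatever `nightly` points at on the day the job runs.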
2 changes: 1 addition & 1 deletion .github/workflows/fossa.yml
@@ -12,7 +12,7 @@ jobs:
name: 'trigger FOSSA scan'
runs-on: ubuntu-latest
container:
image: vdaas/vald-ci-container:nightly
image: vdaas/vald-dev-container:nightly
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, explore the workflows directory structure
find .github/workflows -type f -name "*.yml" -o -name "*.yaml" | head -20

Repository: vdaas/vald-client-java

Length of output: 332


🏁 Script executed:

# Check the specific file mentioned in the review
cat -n .github/workflows/fossa.yml | head -30

Repository: vdaas/vald-client-java

Length of output: 1149


🏁 Script executed:

# Check e2e.yaml to compare image reference format
cat -n .github/workflows/e2e.yaml | grep -A 2 -B 2 "image:"

Repository: vdaas/vald-client-java

Length of output: 274


🏁 Script executed:

# Search for all image references in workflow files to understand patterns
rg "image:\s+" .github/workflows/ -A 1 -B 1

Repository: vdaas/vald-client-java

Length of output: 552


🏁 Script executed:

# Check all image references in workflows
rg "image:" .github/workflows/ | grep -v "actions/" | sort -u

Repository: vdaas/vald-client-java

Length of output: 225


🏁 Script executed:

# Look for any docs about image or container standards
find . -type f \( -name "*.md" -o -name "*.txt" \) | xargs grep -l "vald-dev-container\|container.*image" 2>/dev/null | head -5

Repository: vdaas/vald-client-java

Length of output: 48


Align image reference format with canonical registry path and remove mutable tag.

The fossa.yml workflow uses vdaas/vald-dev-container:nightly, which differs from e2e.yaml's ghcr.io/vdaas/vald/vald-dev-container:nightly in two ways: the shorthand registry reference (vulnerable to registry confusion attacks) and the mutable :nightly tag. For consistency, supply-chain security, and reproducibility, use the canonical registry path and pin by digest.

Suggested change
-      image: vdaas/vald-dev-container:nightly
+      image: ghcr.io/vdaas/vald/vald-dev-container@sha256:<approved_digest>
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/fossa.yml at line 15, replace the mutable, shorthand image
reference "vdaas/vald-dev-container:nightly" with the canonical registry path
and a pinned digest used elsewhere (e.g., use
ghcr.io/vdaas/vald/vald-dev-container@sha256:<actual-digest>), updating the
image line in the workflow to that exact digest; ensure you obtain and insert
the current sha256 digest for the same image version referenced in e2e.yaml so
the workflow uses the immutable, canonical image.

if: github.ref == 'refs/heads/main' || github.event.action == 'labeled' && github.event.label.name == 'actions/fossa'
steps:
- uses: actions/checkout@v3
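Review bot: The shorthand `image: vdaas/vald-dev-container:nightly` resolves to Docker Hub (docker.io), while e2e.yaml in this same PR pulls `ghcr.io/vdaas/vald/vald-dev-container:nightly`, so after this change the two jobs are pulling from two different registries and there is no guarantee they get the same image; if GHCR is the intended source, write the full `ghcr.io/vdaas/vald/vald-dev-container` path here and pin by digest as suggested for e2e.yaml. In the trailing context, `if: github.ref == 'refs/heads/main' || github.event.action == 'labeled' && github.event.label.name == 'actions/fossa'` depends on `&&` binding tighter than `||`; wrapping the label clause in parentheses makes the intended gating (main, or a PR labeled `actions/fossa`) explicit to the next reader. `actions/checkout@v3` is likewise a mutable tag and should be pinned to a commit SHA.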
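Both review comments above ask for the same two properties: image references spelled with their full registry path and pinned by `@sha256:` digest, rather than a shorthand name and a moving tag such as `:nightly`. The following checker is an added example, not code from the vald-client-java project or from the review bot. It applies the same defaulting rules a container runtime uses (a first path component without a dot or colon is not a registry, so the image resolves to docker.io), and flags the three patterns visible in this PR: a mutable image tag, a shorthand registry reference, and an action referenced by a moving tag like `actions/checkout@v3`. The sample workflow text is constructed from the lines in this diff; the 40-hex commit SHA and the 64-hex digest in it are placeholders, not real values.

```python
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
IMAGE_LINE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"#\s]+)")
USES_LINE_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")

# Constructed sample, modelled on the e2e.yaml and fossa.yml hunks in this PR.
# The commit SHA and the digest are placeholder values, not real ones.
FAKE_DIGEST = "0" * 64
FAKE_COMMIT = "0123456789abcdef" * 2 + "01234567"
SAMPLE_WORKFLOW = f"""\
jobs:
  e2e:
    runs-on: ubuntu-latest
    container:
      image: ghcr.io/vdaas/vald/vald-dev-container:nightly
      options: "--add-host host.docker.internal:host-gateway"
    steps:
      - uses: actions/checkout@v3
  fossa:
    container:
      image: vdaas/vald-dev-container:nightly
    steps:
      - uses: actions/checkout@{FAKE_COMMIT}  # v3.x (placeholder SHA)
  pinned:
    container:
      image: ghcr.io/vdaas/vald/vald-dev-container@sha256:{FAKE_DIGEST}
"""


def parse_image_ref(ref):
    """Split an image reference into registry, repository, tag and digest.

    Applies the runtime's defaults: a first component with no '.' or ':'
    (and not 'localhost') is not a registry, so the image resolves on
    docker.io, and a bare single name lives under docker.io/library/."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, path = parts[0], "/".join(parts[1:])
    else:
        registry, path = "docker.io", ref
        if "/" not in path:
            path = "library/" + path
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:  # only the last component may carry a tag
        path, tag = path.rsplit(":", 1)
    return {"registry": registry, "repository": path, "tag": tag, "digest": digest}


def image_is_pinned(ref):
    """True only for a well-formed @sha256:<64 hex> digest reference."""
    digest = parse_image_ref(ref)["digest"]
    return digest is not None and DIGEST_RE.match(digest) is not None


def action_is_pinned(ref):
    """True when the part after '@' is a full 40-hex commit SHA (a tag such as v3 moves)."""
    if "@" not in ref:
        return False
    return COMMIT_SHA_RE.match(ref.rsplit("@", 1)[1]) is not None


def audit_workflow(text):
    """Return (line number, kind, reference, reason) for every mutable or
    shorthand reference found in the given workflow text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = IMAGE_LINE_RE.match(line)
        if m:
            ref = m.group(1)
            info = parse_image_ref(ref)
            if not image_is_pinned(ref):
                findings.append((lineno, "image", ref,
                                 f"mutable tag {info['tag'] or 'latest'!r}; pin with @sha256:<digest>"))
            if info["registry"] == "docker.io" and not ref.startswith("docker.io/"):
                findings.append((lineno, "image", ref,
                                 "shorthand reference resolves to docker.io; spell out the intended registry"))
            continue
        m = USES_LINE_RE.match(line)
        # Local (./path) and docker:// action references are out of scope here.
        if m and not m.group(1).startswith((".", "docker://")) and not action_is_pinned(m.group(1)):
            findings.append((lineno, "uses", m.group(1),
                             "action referenced by mutable tag; pin to a commit SHA"))
    return findings


if __name__ == "__main__":
    for lineno, kind, ref, reason in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {kind} {ref}: {reason}")
```

Run against the sample it reports four findings: the `:nightly` tag on line 5, `actions/checkout@v3` on line 8, and two for line 11 (mutable tag plus shorthand docker.io resolution); the SHA-pinned checkout and the digest-pinned image pass. Pointing `audit_workflow` at the real contents of `.github/workflows/*.y*ml` in CI turns the review bot's suggestion into a repeatable gate.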