DRAFT: Address CVE in Dockerfile#62

Closed

davidjeddy wants to merge 2 commits into main from clo-4095-cve-maintenance

Conversation

@davidjeddy (Contributor) commented Mar 10, 2026

What does this PR do?

(Provide a description of what this PR does.)

Test Plan

(Write your test plan here. If you changed any code, please provide us with clear instructions on how you verified your changes work.)

Related PRs and Issues

(If this PR is related to any other PR or resolves any issue or related to any issue link all related PR and issues here.)

Have you read the Contributing Guidelines on issues?

(Write your answer here.)

Summary by CodeRabbit

  • Documentation

    • Updated prerequisites section with clearer Docker runtime requirements
    • Reorganized build and deployment instructions with multi-architecture build support
    • Refreshed command examples for building, running, and pushing containers
  • Chores

    • Added automated security vulnerability scanning for pull requests
    • Updated ignore patterns and Docker configuration files

coderabbitai bot commented Mar 10, 2026

Walkthrough

The pull request updates Docker configuration, documentation, and CI/CD workflows. Changes include adding a new .dockerignore file with exclusion patterns, updating .gitignore with additional ignore rules for logs and scan results, applying a capitalization fix to the Dockerfile, substantially reorganizing README.md documentation with updated build instructions and badges, removing the container-structure-test GitHub Actions workflow, adding a new PR Security Scan workflow that integrates Trivy vulnerability scanning with automated comment reporting, and renaming the scheduled Trivy workflow for clarity.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Title check | ⚠️ Warning | The title 'DRAFT: Address CVE in Dockerfile' is misleading. The actual changes span multiple files (.dockerignore, .gitignore, README.md, Dockerfile, and GitHub workflows) and primarily add Trivy vulnerability scanning infrastructure, not just address CVE in the Dockerfile. | Revise the title to reflect the full scope of changes, such as 'Add Trivy security scanning and update Docker configuration' or similar to accurately represent the multi-faceted nature of this PR. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Dockerfile`:
- Line 82: The patch only adds the comment "## Maxminddb Extension" and does not
actually remediate the CVE; update the Dockerfile to remediate by pinning an
updated base image or installing a patched MaxMind library/extension: replace
the vulnerable base image tag with a fixed tag (or add an explicit apt/yum
install of a fixed libmaxminddb package), and ensure any PHP/pecl maxminddb
extension installation steps (the section currently titled "## Maxminddb
Extension") install a non-vulnerable version; also verify and update any related
package manager commands (apt-get/yum/pecl) and their version constraints so the
CVE is addressed and rebuilds will pull the fixed packages.

In `@README.md`:
- Around line 45-49: Update the multi-arch build example command in README.md by
adding the --push flag to the docker buildx build invocation (the line
containing "docker buildx build --platform
linux/amd64,linux/arm64/v8,linux/ppc64le --tag appwrite/base:latest .") so the
multi-platform image is pushed to a registry, and either remove or clarify the
separate "Push" section to state it only applies to single-platform builds (or
note that multi-arch builds require buildx --push).

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c6dd2ec0-f1cb-49d1-bdc4-c8a472a2e3cc

📥 Commits

Reviewing files that changed from the base of the PR and between 7700869 and 79c1eea.

📒 Files selected for processing (4)
  • .dockerignore
  • .gitignore
  • Dockerfile
  • README.md

davidjeddy self-assigned this Mar 10, 2026

coderabbitai bot left a comment

Actionable comments posted: 8

🧹 Nitpick comments (2)
.github/workflows/pull-request.yml (1)

83-89: Consider updating peter-evans/find-comment to v4 as well.

For consistency with the recommended update to create-or-update-comment, consider updating find-comment to v4.

Suggested fix
     - name: Find Comment
-      uses: peter-evans/find-comment@v3
+      uses: peter-evans/find-comment@v4
       id: fc
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pull-request.yml around lines 83 - 89, Update the GitHub
Action step named "Find Comment" (id: fc) to use peter-evans/find-comment@v4 by
changing the uses entry from `@v3` to `@v4`; after updating, verify that the
existing inputs (issue-number, comment-author, body-includes) are still
supported by v4 and adjust any input names or behavior if needed to preserve the
current lookup logic for "Security Scan Results for PR".
README.md (1)

69-73: Clarify that the separate Push section applies to single-platform builds only.

With the multi-arch build command now including --push, this separate "Push" section could be confusing. Consider adding a note that docker push is for single-platform builds, while multi-arch builds should use buildx --push (as shown in line 48).

Suggested clarification
 ## Push

+For single-platform builds only. Multi-arch builds should use `docker buildx build --push` as shown above.
+
 ```bash
 docker push appwrite/base:latest
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @README.md around lines 69 - 73, Update the "## Push" section to clarify that
the shown docker push example (docker push appwrite/base:latest) is for
single-platform images only; add a brief note stating that multi-architecture
builds use the buildx --push workflow (as used in the multi-arch build command
earlier) and should not rely on docker push, and adjust the example text
accordingly to avoid confusion.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pull-request.yml:

  • Around line 11-21: The build job currently only checks out code but never
    builds or publishes the Docker image that the scan job expects (pr_image:${{
    github.sha }}); add a step in the build job to run a docker build that tags the
    image as pr_image:${{ github.sha }} and then either push it to a registry (e.g.,
    GHCR) or save it as an artifact/job output so downstream jobs can access it;
    update the build job to include the docker build (and optional docker/login +
    docker push or upload-artifact) so the scan job can reference the produced image
    by the expected tag.
  • Around line 5-8: The env variable TAG is set to an event-specific value
    (github.event.release.tag_name) that will be empty for pull_request workflows;
    update the env block so TAG is either removed or assigned a PR-appropriate value
    (e.g., replace TAG: ${{ github.event.release.tag_name }} with TAG: ${{
    github.sha }} or TAG: ${{ github.head_ref }}), and ensure any downstream steps
    that reference TAG are adjusted to use the new value or removed if no longer
    needed.
  • Around line 22-31: The "scan" job references a non-existent image tag
    pr_image:${{ github.sha }} and runs without depending on the build job, causing
    Trivy to fail; update the workflow so the build job actually builds and
    tags/pushes the image (or produces a registry/CI artifact) and make the "scan"
    job depend on it by adding needs: build, then point image-ref in the "scan" job
    to the artifact/registry image name produced by the build (or to the same tag
    created by the build job) so Trivy scans a valid image.
  • Around line 22-97: The scan job is missing a GitHub Actions permissions block;
    add a permissions mapping under the job named "scan" specifying only the needed
    write access for PR comments (e.g., pull-requests: write) to follow
    least-privilege. Locate the job block starting with "scan:" in the workflow and
    insert a permissions: { pull-requests: write } entry directly under it (before
    steps:) so the "Process Trivy scan results" and "Create or update comment" steps
    can post/update PR comments safely.
  • Around line 99-111: The "test" job is missing a workspace checkout and a
    dependency so the Dockerfile and tests.yaml aren't available and it runs in
    parallel with build/scan; update the "test" job to include an initial checkout
    step (e.g., add a step using actions/checkout) before the
    container-structure-test setup and add a needs: entry (e.g., needs: [build,
    scan] or the actual build/scan job names) so it runs after those jobs.
  • Around line 91-97: Update the GitHub Action usage for the Create or update
    comment step by changing the action reference string in the workflow from
    peter-evans/create-or-update-comment@v3 to
    peter-evans/create-or-update-comment@v5 (the line containing "uses:
    peter-evans/create-or-update-comment@v3"); leave the rest of the step inputs
    (issue-number, comment-id, body, edit-mode) unchanged and ensure the workflow
    YAML remains valid after the update.

In @README.md:

  • Line 13: The sentence "These instructions will cover usage information to help
    your run Appwrite's base docker container." contains a grammar typo; update the
    phrase "help your run" to "help you run" in the README line so it reads "These
    instructions will cover usage information to help you run Appwrite's base docker
    container." Reference the exact sentence in README.md to locate and correct the
    typo.
  • Line 3: The README CI badge points to Travis (the markdown image URL
    https://img.shields.io/travis/com/appwrite/docker-base) but the repo uses GitHub
    Actions; update the badge by replacing the Travis badge URL with a GitHub
    Actions status badge for the appropriate workflow (or remove the badge
    entirely). Locate the badge markdown in README.md and either swap the image/link
    to the GitHub Actions badge for the correct workflow name (using the actions
    badge format) or delete that badge line so it no longer references Travis CI.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6c693907-95ce-49c0-b2f9-74a7bd2c83b1

📥 Commits

Reviewing files that changed from the base of the PR and between 79c1eeae7f5e11a60655570ede80435dae39cad7 and 33274ad667e03a2789ecfbca8cc4c253caab321f.

📒 Files selected for processing (4)
  • .github/workflows/pull-request.yml
  • .github/workflows/test.yml
  • .gitignore
  • README.md

💤 Files with no reviewable changes (1)
  • .github/workflows/test.yml

🚧 Files skipped from review as they are similar to previous changes (1)
  • .gitignore

Comment on lines +5 to +8
env:
REGISTRY: docker.io
IMAGE_NAME: appwrite/base
TAG: ${{ github.event.release.tag_name }}
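Review bot: `TAG` on line 8 is only populated by `release` events, so on a `pull_request` run it is always empty, and none of the jobs shown in this review reference `REGISTRY`, `IMAGE_NAME` or `TAG` (they build and scan a local `pr_image:${{ github.sha }}` tag and `appwrite-base-test`). Either wire these values into the build and scan steps (for example `docker build -t $REGISTRY/$IMAGE_NAME:$TAG .` with `TAG: ${{ github.sha }}`) or drop the block so the workflow does not carry dead configuration that a later edit might trust.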

⚠️ Potential issue | 🟡 Minor

Unused/invalid environment variable TAG.

github.event.release.tag_name is only populated for release events. Since this workflow triggers on pull_request, TAG will always be empty. Either remove this unused variable or replace it with a PR-relevant reference such as ${{ github.sha }} or ${{ github.head_ref }}.

Suggested fix
 env:
   REGISTRY: docker.io
   IMAGE_NAME: appwrite/base
-  TAG: ${{ github.event.release.tag_name }}
+  TAG: ${{ github.sha }}

Comment on lines +11 to +21
build:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- name: Check out code
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
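Review bot: the `build` job (lines 11-21) grants `pull-requests: write` but only runs a checkout; a job that never comments on the PR needs only `contents: read`, so drop the write scope here and grant it on the job that actually posts the comment. `fetch-depth: 0` also fetches the full history, which a `docker build` does not need; keep the default shallow clone unless a later step depends on tags or history.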

⚠️ Potential issue | 🔴 Critical

Build job checks out code but never builds the image.

The build job only performs a checkout. The scan job expects an image named pr_image:${{ github.sha }} to exist, but no job actually builds it. Add a docker build step here to create the image and either use job outputs/artifacts or a shared tag convention so subsequent jobs can reference it.

Suggested fix
     - name: Check out code 
       uses: actions/checkout@v4
       with:
         ref: ${{ github.event.pull_request.head.sha }}
         fetch-depth: 0
+
+    - name: Build Docker image
+      run: docker build -t pr_image:${{ github.sha }} .

Comment on lines +22 to +31
scan:
runs-on: ubuntu-latest
steps:
- name: Run Trivy vulnerability scanner on image
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'pr_image:${{ github.sha }}'
format: 'json'
output: 'trivy-image-results.json'
severity: 'CRITICAL,HIGH'
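Review bot: `aquasecurity/trivy-action@0.20.0` (line 26) is pinned by a mutable tag; for a workflow whose purpose is supply-chain hygiene, pin third-party actions to a full commit SHA with the version in a trailing comment, and do the same for `actions/checkout`, `actions/github-script` and the `peter-evans` actions used later in this file. As written the step also never fails the job on findings because no `exit-code` input is set; if CRITICAL findings are meant to block merge, add `exit-code: '1'` alongside `severity` rather than relying on someone reading the posted comment.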

⚠️ Potential issue | 🔴 Critical

Scan job references non-existent image and lacks job dependency.

The scan job attempts to scan pr_image:${{ github.sha }}, but:

  1. No job builds this image (the build job only checks out code)
  2. There's no needs: build directive, so this job runs in parallel

Without a dependency and a valid image, Trivy will fail immediately.

Suggested fix
   scan:
     runs-on: ubuntu-latest
+    needs: build
     steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+
+    - name: Build Docker image for scanning
+      run: docker build -t pr_image:${{ github.sha }} .
+
     - name: Run Trivy vulnerability scanner on image

Note: Alternatively, use Docker layer caching or registry artifacts between jobs if you want to avoid rebuilding.


Comment on lines +22 to +97
scan:
runs-on: ubuntu-latest
steps:
- name: Run Trivy vulnerability scanner on image
uses: aquasecurity/trivy-action@0.20.0
with:
image-ref: 'pr_image:${{ github.sha }}'
format: 'json'
output: 'trivy-image-results.json'
severity: 'CRITICAL,HIGH'

- name: Run Trivy vulnerability scanner on source code
uses: aquasecurity/trivy-action@0.20.0
with:
scan-type: 'fs'
scan-ref: '.'
format: 'json'
output: 'trivy-fs-results.json'
severity: 'CRITICAL,HIGH'

- name: Process Trivy scan results
id: process-results
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
let commentBody = '## Security Scan Results for PR\n\n';
function processResults(results, title) {
let sectionBody = `### ${title}\n\n`;
if (results.Results && results.Results.some(result => result.Vulnerabilities && result.Vulnerabilities.length > 0)) {
sectionBody += '| Package | Version | Vulnerability | Severity |\n';
sectionBody += '|---------|---------|----------------|----------|\n';
const uniqueVulns = new Set();
results.Results.forEach(result => {
if (result.Vulnerabilities) {
result.Vulnerabilities.forEach(vuln => {
const vulnKey = `${vuln.PkgName}-${vuln.InstalledVersion}-${vuln.VulnerabilityID}`;
if (!uniqueVulns.has(vulnKey)) {
uniqueVulns.add(vulnKey);
sectionBody += `| ${vuln.PkgName} | ${vuln.InstalledVersion} | [${vuln.VulnerabilityID}](https://nvd.nist.gov/vuln/detail/${vuln.VulnerabilityID}) | ${vuln.Severity} |\n`;
}
});
}
});
} else {
sectionBody += '🎉 No vulnerabilities found!\n';
}
return sectionBody;
}
try {
const imageResults = JSON.parse(fs.readFileSync('trivy-image-results.json', 'utf8'));
const fsResults = JSON.parse(fs.readFileSync('trivy-fs-results.json', 'utf8'));
commentBody += processResults(imageResults, "Docker Image Scan Results");
commentBody += '\n';
commentBody += processResults(fsResults, "Source Code Scan Results");
} catch (error) {
commentBody += `There was an error while running the security scan: ${error.message}\n`;
commentBody += 'Please contact the core team for assistance.';
}
core.setOutput('comment-body', commentBody);

- name: Find Comment
uses: peter-evans/find-comment@v3
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: 'github-actions[bot]'
body-includes: Security Scan Results for PR

- name: Create or update comment
uses: peter-evans/create-or-update-comment@v3
with:
issue-number: ${{ github.event.pull_request.number }}
comment-id: ${{ steps.fc.outputs.comment-id }}
body: ${{ steps.process-results.outputs.comment-body }}
edit-mode: replace
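Review bot: the source scan at lines 32-39 runs `scan-type: 'fs'` against `.`, but the `scan` job has no checkout step, so Trivy scans an empty workspace and reports nothing; add `actions/checkout` before it. In the `github-script` step, `PkgName`, `InstalledVersion` and `Severity` are interpolated into Markdown table cells unescaped (a `|` or newline in a package name breaks the table), and every `VulnerabilityID` is linked to `https://nvd.nist.gov/vuln/detail/...`, which does not resolve for non-CVE identifiers such as GHSA advisories; escape the cells and take the link from Trivy's `PrimaryURL` field instead. The `catch` branch also turns a missing or malformed results file into an informational comment; call `core.setFailed(error.message)` there so a broken scan cannot read like a clean one.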

⚠️ Potential issue | 🟠 Major

Missing permissions block on scan job.

Static analysis flagged that this job lacks an explicit permissions block. Since this job posts PR comments, it needs pull-requests: write. Add a permissions block to follow the principle of least privilege.

Suggested fix
   scan:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
🧰 Tools
🪛 actionlint (1.7.11)

[error] 92-92: the runner of "peter-evans/create-or-update-comment@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)

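A hardened version of the results-processing step discussed in this thread, as an added example (not the PR's own script or anything from the appwrite/docker-base project): it renders a Trivy JSON report into the PR-comment table with cells escaped, advisory links taken from Trivy's `PrimaryURL`, duplicate findings collapsed, a severity summary, and a malformed report treated as an error rather than as a clean result. The sample report is constructed and uses placeholder identifiers and URLs.

```javascript
// Added example, not the workflow's own script. Renders a Trivy JSON report
// (the layout produced by `trivy --format json`) into the Markdown section a
// PR comment would carry. Differences from the script in the PR:
//  - table cells are escaped, so a package name containing '|' cannot break the table
//  - the advisory link comes from Trivy's PrimaryURL instead of a hard-coded NVD URL
//    (GHSA and distro advisory ids do not resolve on nvd.nist.gov)
//  - findings are sorted by severity and summarised, so the count is visible at a glance
//  - a report without a Results array is an error, not "no vulnerabilities found"

const SEVERITY_ORDER = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'UNKNOWN'];

// Neutralise characters that have meaning inside a Markdown table row.
function escapeCell(value) {
  return String(value ?? '')
    .replace(/\\/g, '\\\\')
    .replace(/\|/g, '\\|')
    .replace(/[\r\n]+/g, ' ');
}

// Link the id only to a plain http(s) URL that Trivy itself supplied.
function advisoryLink(vuln) {
  const id = escapeCell(vuln.VulnerabilityID);
  const url = vuln.PrimaryURL;
  if (typeof url === 'string' && /^https?:\/\/[^\s()]+$/.test(url)) {
    return `[${id}](${url})`;
  }
  return id;
}

// Flatten Results[].Vulnerabilities[] into one de-duplicated, severity-sorted list.
function collectVulns(report) {
  if (!report || !Array.isArray(report.Results)) {
    throw new Error('unexpected Trivy report shape: missing Results array');
  }
  const seen = new Set();
  const vulns = [];
  for (const result of report.Results) {
    for (const vuln of result.Vulnerabilities ?? []) {
      const key = `${vuln.PkgName}-${vuln.InstalledVersion}-${vuln.VulnerabilityID}`;
      if (seen.has(key)) continue;
      seen.add(key);
      vulns.push(vuln);
    }
  }
  const rank = (s) => {
    const i = SEVERITY_ORDER.indexOf(String(s).toUpperCase());
    return i === -1 ? SEVERITY_ORDER.length : i;
  };
  return vulns.sort((a, b) => rank(a.Severity) - rank(b.Severity));
}

// Build one "### title" section of the comment body.
function renderSection(report, title) {
  const vulns = collectVulns(report);
  let body = `### ${title}\n\n`;
  if (vulns.length === 0) {
    return body + 'No vulnerabilities found.\n';
  }
  const counts = new Map();
  for (const v of vulns) {
    const s = String(v.Severity).toUpperCase();
    counts.set(s, (counts.get(s) ?? 0) + 1);
  }
  body += [...counts].map(([s, n]) => `${s}: ${n}`).join(', ') + '\n\n';
  body += '| Package | Installed | Fixed | Vulnerability | Severity |\n';
  body += '|---------|-----------|-------|---------------|----------|\n';
  for (const v of vulns) {
    body += `| ${escapeCell(v.PkgName)} | ${escapeCell(v.InstalledVersion)} | ` +
      `${escapeCell(v.FixedVersion || '-')} | ${advisoryLink(v)} | ${escapeCell(v.Severity)} |\n`;
  }
  return body;
}

// Constructed sample in Trivy's JSON layout; the ids and URLs are placeholders,
// not real findings.
const SAMPLE_REPORT = {
  Results: [
    {
      Target: 'appwrite/base (example os)',
      Vulnerabilities: [
        { VulnerabilityID: 'CVE-0000-0001', PkgName: 'libexample', InstalledVersion: '1.0.0-r0',
          FixedVersion: '1.0.1-r0', Severity: 'HIGH', PrimaryURL: 'https://example.invalid/CVE-0000-0001' },
        // Same finding reported a second time (e.g. from another layer): must collapse to one row.
        { VulnerabilityID: 'CVE-0000-0001', PkgName: 'libexample', InstalledVersion: '1.0.0-r0',
          FixedVersion: '1.0.1-r0', Severity: 'HIGH', PrimaryURL: 'https://example.invalid/CVE-0000-0001' },
        // Non-CVE id and a '|' in the package name: the PR script would emit a dead NVD
        // link and a broken table row for this entry.
        { VulnerabilityID: 'GHSA-xxxx-xxxx-xxxx', PkgName: 'pkg|evil', InstalledVersion: '2.0.0',
          Severity: 'CRITICAL', PrimaryURL: 'https://example.invalid/GHSA-xxxx-xxxx-xxxx' },
      ],
    },
    { Target: 'Dockerfile' }, // a target with no Vulnerabilities key is valid Trivy output
  ],
};
```

Call `renderSection` once per results file (image scan and filesystem scan) and concatenate the sections into the comment body; in the workflow the report objects come from `JSON.parse(fs.readFileSync(...))` as in the PR's script.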

Comment on lines +91 to +97
- name: Create or update comment
uses: peter-evans/create-or-update-comment@v3
with:
issue-number: ${{ github.event.pull_request.number }}
comment-id: ${{ steps.fc.outputs.comment-id }}
body: ${{ steps.process-results.outputs.comment-body }}
edit-mode: replace

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

peter-evans/create-or-update-comment latest version GitHub Action

💡 Result:

Latest peter-evans/create-or-update-comment GitHub Action version is v5.0.0 (tag v5). [1]

Use:

  • Major tag (recommended for most workflows): peter-evans/create-or-update-comment@v5 [2]
  • Exact pin: peter-evans/create-or-update-comment@v5.0.0 [1]

Sources
[1] GitHub Releases – peter-evans/create-or-update-comment (shows latest release v5.0.0): (github.com)
[2] Repo README usage example (@v5): (github.com)


Update action to v5: peter-evans/create-or-update-comment@v5.

The action version @v3 is outdated. Update to the latest stable version @v5.

Suggested fix
     - name: Create or update comment
-      uses: peter-evans/create-or-update-comment@v3
+      uses: peter-evans/create-or-update-comment@v5
       with:
         issue-number: ${{ github.event.pull_request.number }}
🧰 Tools
🪛 actionlint (1.7.11)

[error] 92-92: the runner of "peter-evans/create-or-update-comment@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue

(action)


Comment on lines +99 to +111
test:
runs-on: ubuntu-latest
steps:
- name: Setup container structure test
run: |
curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64
chmod +x container-structure-test-linux-amd64
sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test

- name: Run container structure test
run: |
docker build -t appwrite-base-test .
container-structure-test test --image appwrite-base-test --config tests.yaml
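Review bot: the setup step at lines 103-107 downloads `container-structure-test` from a `latest` URL and installs it into `/usr/local/bin` with `sudo` without pinning a version or verifying a checksum, so the job's toolchain changes silently whenever upstream publishes a new build; pin a release version and check its SHA-256 against a value committed to the repo before the `chmod`/`mv`. The job also has no `permissions` block (CodeQL flags this below); `contents: read` is all it needs.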

⚠️ Potential issue | 🔴 Critical

Test job missing checkout step and job dependency.

The test job runs docker build -t appwrite-base-test . but there's no checkout step, so the Dockerfile and tests.yaml won't exist in the runner's workspace. Additionally, without needs: this job runs in parallel with build/scan.

Suggested fix
   test:
     runs-on: ubuntu-latest
+    needs: build
+    permissions:
+      contents: read
     steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ github.event.pull_request.head.sha }}
+
     - name: Setup container structure test
       run: |
         curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64
🧰 Tools
🪛 GitHub Check: CodeQL

[warning] 100-111: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{}}


@@ -1,60 +1,75 @@
# Docker Base

[![Build Status](https://img.shields.io/travis/com/appwrite/docker-base?style=flat-square)](https://travis-ci.com/appwrite/docker-base)

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if there are any Travis CI configuration files in the repository
fd -t f '.travis.yml' || echo "No Travis CI config found"
# Check for GitHub Actions workflows
fd -t f -e yml -e yaml . .github/workflows/ 2>/dev/null || echo "No GitHub workflows directory"

Repository: appwrite/docker-base

Length of output: 163


🏁 Script executed:

head -n 5 README.md

Repository: appwrite/docker-base

Length of output: 479


Update CI badge to reflect current CI system.

The badge on line 3 references Travis CI (https://img.shields.io/travis/com/appwrite/docker-base), but the repository uses GitHub Actions (evidenced by workflows in .github/workflows/). Either update the badge to reference the GitHub Actions workflow or remove it entirely.



## Getting Started

These instructions will cover usage information to help your run Appwrite's base docker container.

⚠️ Potential issue | 🟡 Minor

Fix grammar typo: "help your run" → "help you run".

Suggested fix

```diff
-These instructions will cover usage information to help your run Appwrite's base docker container.
+These instructions will cover usage information to help you run Appwrite's base docker container.
```
🧰 Tools
🪛 LanguageTool

[grammar] ~13-~13: Ensure spelling is correct
Context: ...ns will cover usage information to help your run Appwrite's base docker container. ...

(QB_NEW_EN_ORTHOGRAPHY_ERROR_IDS_1)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@README.md` at line 13, The sentence "These instructions will cover usage
information to help your run Appwrite's base docker container." contains a
grammar typo; update the phrase "help your run" to "help you run" in the README
line so it reads "These instructions will cover usage information to help you
run Appwrite's base docker container." Reference the exact sentence in README.md
to locate and correct the typo.

@davidjeddy davidjeddy force-pushed the clo-4095-cve-maintenance branch from 33274ad to 47a3871 Compare March 10, 2026 14:10
@davidjeddy davidjeddy force-pushed the clo-4095-cve-maintenance branch from 47a3871 to b2cee1d Compare March 10, 2026 14:20
Comment on lines +14 to +21
- name: Check out code
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
submodules: 'recursive'

- name: Build the Docker image
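Review bot: the `ref: ${{ github.event.pull_request.head.sha }}` in this checkout is what makes the CodeQL finding real. The workflow runs on pull_request_target, so the job executes in the base repository's context with a token this file grants pull-requests: write, yet it checks out the fork's commit and, because of `submodules: 'recursive'`, also fetches whatever submodule URLs the PR's .gitmodules names. actions/checkout additionally writes that token into .git/config of the checked-out tree by default. Drop the head.sha ref and move the build-and-scan job to a plain `pull_request` trigger; if a checkout in the privileged context is ever needed, set `persist-credentials: false` and remove the `submodules` option.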

Check failure

Code scanning / CodeQL

Checkout of untrusted code in trusted context High

Potential execution of untrusted code on a privileged workflow (
pull_request_target
)

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

♻️ Duplicate comments (2)
README.md (1)

3-3: ⚠️ Potential issue | 🟡 Minor

README still advertises Travis CI.

The badge points to Travis, but this repo’s CI now lives under GitHub Actions. Updating or removing this badge will keep the header accurate.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@README.md` at line 3, The README's CI badge "[![Build
Status](https://img.shields.io/travis/com/appwrite/docker-base?style=flat-square)](https://travis-ci.com/appwrite/docker-base)"
is outdated; replace or remove it so the header reflects GitHub Actions. Update
the badge URL/markup to the repository's GitHub Actions status badge (or remove
the badge entirely) by editing the README.md line containing the "[![Build
Status](" badge so it points to the correct GitHub Actions workflow badge URL
and link.
.github/workflows/pr-scan.yml (1)

100-101: ⚠️ Potential issue | 🟠 Major

create-or-update-comment@v3 is already breaking this workflow.

actionlint is flagging this exact step because the action’s runner is too old for GitHub Actions, so the PR comment update path will fail until this is moved to a supported release.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-scan.yml around lines 100 - 101, The workflow step
using the deprecated action tag "peter-evans/create-or-update-comment@v3" (step
name "Create or update comment") is flagged by actionlint because the runner
compatibility is outdated; update the uses line to a supported release (for
example replace with "peter-evans/create-or-update-comment@v4" or pin a current
commit SHA) so the action runs on the modern GitHub Actions runner, and re-run
actionlint to confirm the warning is resolved.
🧹 Nitpick comments (1)
.github/workflows/trivy.yml (1)

6-6: Workflow name is now misleading.

This job still runs on push and pull_request, so labeling it as “Scheduled” makes the non-cron runs look unexpected. Either narrow the triggers or rename it to something broader again.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/trivy.yml at line 6, The workflow name "Scheduled Trivy
Vulnerability Scanning" is misleading because the workflow still triggers on
push and pull_request; either rename the workflow via the name: value to
something broader like "Trivy Vulnerability Scanning" or restrict triggers under
the on: key to only scheduling (add a schedule cron and remove
push/pull_request) so the name accurately reflects when it runs; update the YAML
name: field or the on: section accordingly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 02716387-bc69-4a4a-b781-ff2cc45345de

📥 Commits

Reviewing files that changed from the base of the PR and between 33274ad and b2cee1d.

📒 Files selected for processing (5)
  • .github/workflows/pr-scan.yml
  • .github/workflows/test.yml
  • .github/workflows/trivy.yml
  • .gitignore
  • README.md
💤 Files with no reviewable changes (1)
  • .github/workflows/test.yml
✅ Files skipped from review due to trivial changes (1)
  • .gitignore

Comment on lines +3 to +27
on:
pull_request_target:
types: [opened, synchronize, reopened]

jobs:
scan:
runs-on: ubuntu-latest
permissions:
contents: read
pull-requests: write
steps:
- name: Check out code
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
fetch-depth: 0
submodules: 'recursive'

- name: Build the Docker image
uses: docker/build-push-action@v5
with:
context: .
push: false
load: true
tags: pr_image:${{ github.sha }}
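Review bot: the `permissions` block grants `pull-requests: write` to the same job whose docker/build-push-action step executes the PR's Dockerfile, so every RUN instruction in a fork's Dockerfile runs on a runner whose checkout carries a write-capable token (actions/checkout persists it in .git/config unless `persist-credentials: false` is set, and with `context: .` the .git directory is part of the build context unless .dockerignore excludes it). A second problem in the same hunk: under pull_request_target, `github.sha` is the head of the base branch, not the PR commit, so `tags: pr_image:${{ github.sha }}` does not name the image that was actually built; tag with `github.event.pull_request.head.sha` instead. Split this into an unprivileged pull_request workflow that builds and scans, and a workflow_run job that only posts the uploaded results.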

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

```bash
cd /tmp && find . -name "pr-scan.yml" 2>/dev/null || echo "Not in /tmp, checking repo"
```

Repository: appwrite/docker-base

Length of output: 46


🏁 Script executed:

```bash
find . -name "pr-scan.yml" -type f 2>/dev/null
```

Repository: appwrite/docker-base

Length of output: 95


🏁 Script executed:

```bash
cat -n .github/workflows/pr-scan.yml 2>/dev/null || echo "File not found, listing directory"
```

Repository: appwrite/docker-base

Length of output: 4676


🏁 Script executed:

```bash
ls -la .github/workflows/ 2>/dev/null || echo "No workflows directory"
```

Repository: appwrite/docker-base

Length of output: 363


Do not run untrusted PR code under pull_request_target.

This workflow checks out github.event.pull_request.head.sha and then builds the PR's Dockerfile while holding a token that can write PR comments. On forked PRs, that gives attacker-controlled build steps a privileged execution path. The safer pattern is an unprivileged pull_request scan workflow plus a separate privileged workflow that only posts the already-generated results.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/pr-scan.yml around lines 3 - 27, The workflow is
dangerously using pull_request_target and checking out
github.event.pull_request.head.sha to build untrusted PR code with write
permissions; change the trigger from pull_request_target to pull_request (or
another unprivileged trigger) for the scan job, remove/limit write permissions
(set permissions.contents: read only), and keep the Docker build step (the step
using docker/build-push-action@v5 and tag pr_image:${{ github.sha }}) inside
that unprivileged scan job; if you still need to post results, create a separate
privileged workflow/job that runs on pull_request_target which only consumes an
artifact produced by the unprivileged scan job and posts comments (do not re-run
or build PR code in the privileged context).
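
The split the comment above recommends, written out as an added example; this is not the PR's own workflow and not code from the appwrite/docker-base repository. The first document is an unprivileged `pull_request` workflow that builds and scans the PR image and uploads the report as an artifact; the second is a `workflow_run` workflow that holds `pull-requests: write` but never checks out or executes PR code. The file paths, the artifact name, the trivy-action version pin and the `PR Security Scan` workflow name are assumptions.

```yaml
# Assumed path: .github/workflows/pr-scan.yml
# Unprivileged: on pull_request from a fork, GITHUB_TOKEN is read-only and no
# repository secrets are exposed, so running the PR's Dockerfile here is safe.
name: PR Security Scan

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - name: Check out PR code
        uses: actions/checkout@v4
        with:
          # pull_request already checks out the PR merge ref; no head.sha override.
          # Keep the token out of .git/config, and therefore out of the build context.
          persist-credentials: false

      - name: Build the Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          load: true
          # Tag with the PR commit, not github.sha, so the image is traceable.
          tags: pr_image:${{ github.event.pull_request.head.sha }}

      - name: Scan image with Trivy
        # Version pin is an assumption; use a current release or a commit SHA.
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: pr_image:${{ github.event.pull_request.head.sha }}
          format: table
          output: trivy-report.txt
          severity: CRITICAL,HIGH
          exit-code: '0'

      - name: Record PR number for the comment workflow
        env:
          PR_NUMBER: ${{ github.event.pull_request.number }}
        run: echo "$PR_NUMBER" > pr_number.txt

      - name: Upload results
        uses: actions/upload-artifact@v4
        with:
          name: trivy-results
          path: |
            trivy-report.txt
            pr_number.txt

---
# Assumed path: .github/workflows/pr-scan-comment.yml
# Privileged: runs in the base repository after the scan workflow completes.
# It never checks out PR code; it only downloads the artifact and posts it.
name: PR Security Scan Comment

on:
  workflow_run:
    workflows: ["PR Security Scan"]
    types: [completed]

permissions:
  actions: read          # needed to download an artifact from another run
  pull-requests: write   # needed to post the comment

jobs:
  comment:
    if: github.event.workflow_run.event == 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - name: Download scan results from the triggering run
        uses: actions/download-artifact@v4
        with:
          name: trivy-results
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Read PR number
        id: pr
        # The artifact came from an unprivileged run: keep only digits before use.
        run: echo "number=$(tr -cd '0-9' < pr_number.txt)" >> "$GITHUB_OUTPUT"

      - name: Post the scan comment
        uses: peter-evans/create-or-update-comment@v4
        with:
          issue-number: ${{ steps.pr.outputs.number }}
          body-path: trivy-report.txt
```

The privileged workflow treats everything in the artifact as untrusted input: the PR number is reduced to digits before it reaches an action input, and the report is posted verbatim as comment text rather than interpolated into a shell step. As written it creates a fresh comment on every run; to update a single comment instead, look up the previous comment first (peter-evans/find-comment is the companion action) and pass its id as `comment-id`.
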

Comment on lines +37 to 43
## Build

```bash
curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 && chmod +x container-structure-test-linux-amd64 && sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test
Typical building.

```shell
docker buildx build --tag appwrite/base:latest .
```
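Review bot: the ```bash fence opened before the curl line is never closed, so in rendered markdown "Typical building." and the docker buildx command are swallowed into that code block; close the fence and move the container-structure-test install out of "Build" into the test or prerequisites section it belongs to. The install line itself fetches the `latest` binary and moves it into /usr/local/bin with sudo without pinning a version or verifying a checksum, which sits oddly in a CVE-maintenance PR; pin a release and check its published checksum before installing. The buildx command also needs `--load` (or plain `docker build`) so appwrite/base:latest actually exists in the local daemon for the steps that follow.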

⚠️ Potential issue | 🟠 Major

The build command does not reliably produce the local image used below.

The later Scan/Test/Run/Push sections all assume appwrite/base:latest exists locally, but docker buildx build only guarantees that when the builder/output is configured accordingly. Adding --load here, or documenting the required builder driver, would make the instructions consistent.

Suggested doc fix

```diff
-docker buildx build --tag appwrite/base:latest .
+docker buildx build --load --tag appwrite/base:latest .
```
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
## Build
```bash
curl -LO https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64 && chmod +x container-structure-test-linux-amd64 && sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test
Typical building.
```shell
docker buildx build --tag appwrite/base:latest .
```
## Build
Typical building.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@README.md` around lines 37 - 43, The "Build" section's command uses "docker
buildx build --tag appwrite/base:latest ." which does not guarantee the image is
loaded into the local Docker daemon; update the README's Build section to either
use "docker buildx build --load --tag appwrite/base:latest ." or replace with
"docker build --tag appwrite/base:latest ." and/or add a short note about
required builder driver configuration so subsequent Scan/Test/Run/Push steps
that reference the image "appwrite/base:latest" will find it locally.

@davidjeddy davidjeddy closed this Mar 10, 2026
@davidjeddy davidjeddy deleted the clo-4095-cve-maintenance branch March 10, 2026 14:57