chore: harden Dockerfiles and add devops CODEOWNERS #535
Pull request overview
This PR hardens the Dockerfiles by pinning package versions, upgrading base images, and applying hadolint best practices, while also adding CODEOWNERS rules for the DevOps team.
Changes:
- Upgraded proto/Dockerfile from golang:1.20.5-buster to golang:1.23-bookworm with pinned Debian packages and hadolint best practices (SHELL pipefail, --no-install-recommends, proper cleanup, quoted variables)
- Updated main Dockerfile to use Alpine 3.21 with pinned runtime package versions (bash, curl, jq) and improved shell variable quoting
- Added CODEOWNERS rules assigning @babylonlabs-io/devops ownership of .github/, CODEOWNERS file, and all Dockerfiles
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| proto/Dockerfile | Upgrades Go version and Debian base image, adds SHELL directive, pins package versions, improves quoting and layer merging |
| Dockerfile | Upgrades Alpine to 3.21, pins runtime packages, improves shell variable quoting, removes redundant cleanup commands |
| .github/CODEOWNERS | Adds DevOps team ownership rules for CI/CD and container configuration files |
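The overview above lists the hadolint practices the PR applies (pipefail SHELL, `--no-install-recommends` and `--no-cache`, pinned package versions, cleanup in the same layer, quoted variables, merged RUN layers) without showing them in one place. The following is an added illustration of that pattern written for this review, not the PR's own Dockerfile: the image digest, the Debian and Alpine package versions, the tool versions behind the ARGs, and the `builder` user are placeholders to be replaced with the repository's pinned values.

```dockerfile
# Added example, not the PR's Dockerfile. All versions below are placeholders.
# A tag such as 1.23-bookworm floats across patch releases; pin by digest as well:
#   FROM golang:1.23-bookworm@sha256:<digest>
FROM golang:1.23-bookworm AS builder

# hadolint DL4006: a failing command anywhere in a pipe fails the RUN step.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Tool versions driven by build args so every pin lives in one place
# (values are placeholders, not the repository's pinned releases).
ARG PROTOC_GEN_GO_GRPC_VERSION=v1.5.1
ARG GRPC_GATEWAY_VERSION=v2.22.0
ARG GOIMPORTS_VERSION=v0.1.7

# hadolint DL3008 (pin apt versions), DL3015 (--no-install-recommends),
# DL3009 (delete the apt lists in the same layer so they never reach the image).
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        curl=7.88.1-10+deb12u8 \
        unzip=6.0-28 \
    && rm -rf /var/lib/apt/lists/*

# Quote every expansion so an empty or odd ARG cannot split into extra arguments;
# one RUN keeps the module cache and the installed binaries in a single layer.
RUN go install "google.golang.org/grpc/cmd/protoc-gen-go-grpc@${PROTOC_GEN_GO_GRPC_VERSION}" \
    && go install "github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway@${GRPC_GATEWAY_VERSION}" \
    && go install "github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2@${GRPC_GATEWAY_VERSION}" \
    && go install "golang.org/x/tools/cmd/goimports@${GOIMPORTS_VERSION}"

# hadolint DL3002: do not leave the stage running as root.
RUN useradd --create-home --uid 10001 builder
USER builder
WORKDIR /home/builder

# Runtime stage: the Alpine pattern from the main Dockerfile, with pinned
# packages (placeholder versions) and --no-cache so no apk index is left behind.
FROM alpine:3.21
RUN apk add --no-cache \
        bash=5.2.37-r0 \
        curl=8.12.1-r0 \
        jq=1.7.1-r0
USER 10001
```

`hadolint Dockerfile` reports each of the rule IDs named in the comments when the corresponding line is missing, so the file doubles as a check that a future edit has not reintroduced an unpinned install or a root USER.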
| && go install "google.golang.org/grpc/cmd/protoc-gen-go-grpc@${PROTOC_GEN_GO_GRPC_VERSION}" \ | ||
| && go install "github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-grpc-gateway@${GRPC_GATEWAY_VERSION}" \ | ||
| && go install "github.com/grpc-ecosystem/grpc-gateway/v2/protoc-gen-openapiv2@${GRPC_GATEWAY_VERSION}" \ | ||
| && go install golang.org/x/tools/cmd/goimports@v0.1.7 \ |
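Review bot: the goimports pin v0.1.7 on the last line is the only tool version in this RUN that is hard-coded rather than driven by a build ARG like `PROTOC_GEN_GO_GRPC_VERSION` and `GRPC_GATEWAY_VERSION` on the lines above; lifting it into an ARG (say `GOIMPORTS_VERSION`) keeps all four pins in one place. While touching it, confirm the release is intended: golang.org/x/tools v0.1.7 dates from 2021 and predates the golang:1.23 base image by several years.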
This go install command is missing quotes around the package path with version, which is inconsistent with the quoting pattern applied to lines 31-34 above. For consistency with the hadolint best practice of shell variable quoting being applied throughout this file, this line should be: go install "golang.org/x/tools/cmd/goimports@v0.1.7"
| && go install golang.org/x/tools/cmd/goimports@v0.1.7 \ | |
| && go install "golang.org/x/tools/cmd/goimports@v0.1.7" \ |
.github/CODEOWNERS
Outdated
| # DevOps team owns CI/CD and container configuration | ||
| /.github/ @babylonlabs-io/devops | ||
| /.github/CODEOWNERS @babylonlabs-io/devops |
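Review bot: these rules only request a review from @babylonlabs-io/devops; they do not block a merge of a workflow change unless the branch protection or ruleset on the target branch has "Require review from Code Owners" enabled and the team has write access to the repository. Since the point of owning `/.github/` is to keep CI/CD changes behind a DevOps review, check that setting as part of this change; otherwise any contributor with write access can still merge a modified workflow without that review.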
The pattern /.github/CODEOWNERS is redundant because line 7 already specifies /.github/ which covers all files in the .github directory, including CODEOWNERS. This line can be removed for cleaner CODEOWNERS configuration.
| /.github/CODEOWNERS @babylonlabs-io/devops |
| # /make/builder.Dockerfile | ||
| # /tools/Dockerfile | ||
| FROM golang:1.20.5-buster | ||
| FROM golang:1.23-bookworm |
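Review bot: `golang:1.23-bookworm` is still a floating tag that moves across Go patch releases and Debian point releases, so the base image is not pinned the way the apt and go install versions in this PR are. Consider appending the image digest (`golang:1.23-bookworm@sha256:<digest>`) and letting a dependency bot refresh it, which also makes the image that passed review the one that gets built. The same applies to the Alpine base in the main Dockerfile.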
The Go version in this Dockerfile (1.23) is inconsistent with the project's Go version. The main Dockerfile uses golang:1.25-alpine (line 2 of Dockerfile), go.mod specifies go 1.25.0, and .github/workflows/ci.yml uses go-version: '1.25'. This proto Dockerfile should be updated to golang:1.23-bookworm or golang:1.25-bookworm to match the project's Go version.
| FROM golang:1.23-bookworm | |
| FROM golang:1.25-bookworm |
Summary
- `SHELL` pipefail, `--no-cache`/`--no-install-recommends`, shell variable quoting, merged `RUN` layers
- `/.github/`, `/.github/CODEOWNERS`, and `**/Dockerfile` owned by `@babylonlabs-io/devops`