
RHAIENG-3052: Update RStudio IDE version and R packages#3307

Open

ayush17 wants to merge 2 commits into opendatahub-io:main from ayush17:rhaieng-3052-rstudio-ide-update

Conversation

@ayush17
Contributor

@ayush17 ayush17 commented Apr 8, 2026

Summary

Files Updated

  • rstudio/c9s-python-3.12/Dockerfile.cpu
  • rstudio/c9s-python-3.12/Dockerfile.cuda
  • rstudio/c9s-python-3.12/install_packages.R
  • rstudio/rhel9-python-3.12/Dockerfile.cpu
  • rstudio/rhel9-python-3.12/Dockerfile.cuda
  • rstudio/rhel9-python-3.12/Dockerfile.konflux.cpu
  • rstudio/rhel9-python-3.12/Dockerfile.konflux.cuda
  • rstudio/rhel9-python-3.12/install_packages.R

Jira Ticket

https://issues.redhat.com/browse/RHAIENG-3052

Test plan

  • Build RStudio c9s CPU image
  • Build RStudio c9s CUDA image
  • Build RStudio RHEL9 CPU image
  • Build RStudio RHEL9 CUDA image
  • Verify RStudio Server version shows 2026.01.1-403
  • Verify R packages are installed with correct versions

Made with Cursor

Summary by CodeRabbit

  • Chores
    • Updated RStudio Server to 2026.01.1 across CPU and CUDA images for multiple platforms
    • Bumped R package dependencies: Rcpp, vetiver, and devtools
    • Removed redundant Copilot language-server binaries from the RStudio images to reduce footprint

- Update RStudio Server from 2025.09.0-387 to 2026.01.1-403
- Update R packages in install_packages.R:
  - Rcpp: 1.0.14 → 1.1.1
  - vetiver: 0.2.5 → 0.2.7
  - devtools: 2.4.5 → 2.5.0

Made-with: Cursor
@openshift-ci openshift-ci Bot requested review from atheo89 and jiridanek April 8, 2026 05:49
@github-actions
Contributor

github-actions Bot commented Apr 8, 2026

@ayush17 — This PR is from a fork.
The build-rhoai CI job was skipped because subscription
builds (RHEL, AIPCC) need secrets unavailable to forks.
ODH builds and code quality checks still ran.

Recommended: Push your branch to the main repo for full CI:

git remote add upstream https://github.com/opendatahub-io/notebooks.git
git push upstream HEAD:ayush17/your-branch-name

Then open a new PR from that branch.

No push access? A maintainer will cherry-pick and test your changes.

See CONTRIBUTING.md for details.

@github-actions github-actions Bot added the review-requested GitHub Bot creates notification on #pr-review-ai-ide-team slack channel label Apr 8, 2026
@openshift-ci openshift-ci Bot added the size/s label Apr 8, 2026
@coderabbitai
Contributor

coderabbitai Bot commented Apr 8, 2026

📝 Walkthrough

Updated RStudio Server RPM pin from rstudio-server-rhel-2025.09.0-387-x86_64.rpm to rstudio-server-rhel-2026.01.1-403-x86_64.rpm in multiple Dockerfiles across c9s-python-3.12 and rhel9-python-3.12 (CPU, CUDA, konflux variants). After install, some Dockerfiles also remove two copilot-language-server-js rg binaries for linux/arm64 and linux/x64. Two R package install scripts updated pinned versions: Rcpp 1.0.14 → 1.1.1, vetiver 0.2.5 → 0.2.7, devtools 2.4.5 → 2.5.0. No other control flow or install logic changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Security & Actionability

  • Missing compatibility/validation evidence: confirm Rcpp 1.1.1, vetiver 0.2.7, devtools 2.5.0 are compatible with the runtime/R version and RStudio Server 2026.01.1-403 before merge. Action: run the repository's test suite and a smoke test of RStudio UI and key IDE features.

  • No CVE audit provided: perform vulnerability scans (OS packages and RStudio RPM) and confirm no known CVEs affect RStudio Server 2026.01.1-403 or the updated R packages. Action: run OS-level scanner (e.g., OSV/NVD), and include scan report in the PR.

  • Removal of static rg binaries: verify that deleting those files does not break expected functionality. Action: test copilot-language-server/js features that may rely on rg. If removal is intended as mitigation, document reason in PR.

  • Authentication/network service risk: upgrading a network-facing service (RStudio Server) requires verifying auth/config defaults. Check for issues related to missing or misconfigured auth and access control (relevant CWE examples: CWE-306 Missing Authentication, CWE-284 Improper Access Control). Action: validate configuration, confirm strong defaults, and include any required config changes.

  • Shell command audit: Dockerfiles run rm -f against fixed paths—ensure paths are correct and no unintended file removals occur. Verify Dockerfiles still perform safe package cleanup (no leftover credentials or caches).

Required next steps before merge:

  1. Run automated tests + manual smoke tests of RStudio UI and any language server integrations.
  2. Produce and attach a vuln-scan report (OS/RPM and R package check).
  3. Document why rg binaries are removed and confirm no regressions.
  4. If scans reveal issues, address them or pin to a safe version; reference NVD/CVE IDs in the PR when any are found.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

  • Title check: ✅ Passed. Title uses imperative mood and includes the required RHAIENG-3052 ticket reference, clearly summarizing the main changes (RStudio update and R package versions).
  • Description check: ✅ Passed. Description provides a clear summary of changes with concrete version numbers, lists all modified files, and includes a test plan with specific verification steps, though the self-checklist items are unchecked.
  • Branch Prefix Policy: ✅ Passed. The PR title correctly targets the main branch without a branch prefix and includes a valid JIRA reference (RHAIENG-3052).


@codecov-commenter

codecov-commenter commented Apr 8, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 3.34%. Comparing base (715a38f) to head (429b8ed).
⚠️ Report is 14 commits behind head on main.


@@          Coverage Diff          @@
##            main   #3307   +/-   ##
=====================================
  Coverage   3.34%   3.34%           
=====================================
  Files         31      31           
  Lines       3562    3562           
  Branches     572     572           
=====================================
  Hits         119     119           
  Misses      3441    3441           
  Partials       2       2           
Flag Coverage Δ
python 3.34% <ø> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data

@openshift-ci openshift-ci Bot added size/s and removed size/s labels Apr 8, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
rstudio/rhel9-python-3.12/Dockerfile.konflux.cuda (1)

128-134: ⚠️ Potential issue | 🟠 Major

CWE-494: Downloaded RStudio RPM lacks integrity verification.

The RPM is fetched via wget without checksum validation. While dnf can verify GPG signatures, there is no explicit GPG key configuration or checksum verification in the build.

Add SHA256 verification before installation:

Proposed fix
ARG RSTUDIO_RPM=rstudio-server-rhel-2026.01.1-403-x86_64.rpm
+ARG RSTUDIO_RPM_SHA256=<obtain-from-rstudio-release-page>
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM}
+echo "${RSTUDIO_RPM_SHA256}  ${RSTUDIO_RPM}" | sha256sum -c -
dnf install -y ${RSTUDIO_RPM}
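Review bot: the placeholder default in `+ARG RSTUDIO_RPM_SHA256=<obtain-from-rstudio-release-page>` is not a hex digest, so `sha256sum -c` will reject it on every build until a real value is pinned; the digest has to come from the vendor's release page out-of-band, not from the same CDN path the RPM is fetched from, otherwise the check only proves the download matched itself. For this konflux variant it is also worth importing the RStudio signing public key and running `rpm --checksig ${RSTUDIO_RPM}` before `dnf install`, so the package signature gates the install rather than a hash alone. Keep the two-space separator in `"${RSTUDIO_RPM_SHA256}  ${RSTUDIO_RPM}"`; that is the check format sha256sum expects, and a single space will be reported as a malformed checksum line.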
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@rstudio/rhel9-python-3.12/Dockerfile.konflux.cuda` around lines 128 - 134,
The Dockerfile currently downloads RSTUDIO_RPM with wget and installs it without
explicit integrity checks; add explicit integrity verification by introducing a
build ARG (e.g., RSTUDIO_SHA256) for the trusted SHA256, download the RPM as you
already do (RSTUDIO_RPM), then verify the downloaded file against RSTUDIO_SHA256
using sha256sum -c (or compute sha256sum and compare) and exit non-zero on
mismatch; additionally import the RStudio/GPG signing public key before calling
dnf install (so dnf/rpm can verify package signatures) and ensure the RUN block
that performs these steps (the heredoc /bin/bash block that uses RSTUDIO_RPM)
fails the build if either the checksum or the GPG signature verification fails.
🧹 Nitpick comments (1)
rstudio/rhel9-python-3.12/install_packages.R (1)

16-20: Identical to c9s-python-3.12/install_packages.R.

Consider consolidating into a single shared script to avoid drift.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@rstudio/rhel9-python-3.12/install_packages.R` around lines 16 - 20, This file
duplicates package installation logic (multiple remotes::install_version calls
for Rcpp, tidyverse, tidymodels, vetiver, devtools) that is identical to another
script; create a single shared installation script (e.g., define a packages
vector of names and versions and a small loop calling
remotes::install_version(pkg, version, lib = lib, dependencies = TRUE, upgrade =
"never")) and replace the duplicated blocks in both
rstudio/rhel9-python-3.12/install_packages.R and
c9s-python-3.12/install_packages.R with a single
source("shared-install_packages.R") call so both use the same source of truth.


📥 Commits

Reviewing files that changed from the base of the PR and between 715a38f and e1734ec.

📒 Files selected for processing (8)
  • rstudio/c9s-python-3.12/Dockerfile.cpu
  • rstudio/c9s-python-3.12/Dockerfile.cuda
  • rstudio/c9s-python-3.12/install_packages.R
  • rstudio/rhel9-python-3.12/Dockerfile.cpu
  • rstudio/rhel9-python-3.12/Dockerfile.cuda
  • rstudio/rhel9-python-3.12/Dockerfile.konflux.cpu
  • rstudio/rhel9-python-3.12/Dockerfile.konflux.cuda
  • rstudio/rhel9-python-3.12/install_packages.R

Member

@jiridanek jiridanek left a comment


looks legit

@openshift-ci
Contributor

openshift-ci Bot commented Apr 8, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jiridanek

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved label Apr 8, 2026
@jiridanek
Member

F0408 06:49:52.333366  125644 main.go:294] Error: run failed
---- Failure Report
+----------------+---------------------------------------------------------------------------+--------------------------------------+
| RPM NAME       | EXECUTABLE NAME                                                           | STATUS                               |
+----------------+---------------------------------------------------------------------------+--------------------------------------+
| rstudio-server | /usr/lib/rstudio-server/bin/copilot-language-server-js/bin/linux/arm64/rg | executable is not dynamically linked |
| rstudio-server | /usr/lib/rstudio-server/bin/copilot-language-server-js/bin/linux/x64/rg   | executable is not dynamically linked |
+----------------+---------------------------------------------------------------------------+--------------------------------------+
Error: Process completed with exit code 255.

@ayush17 please allowlist that, so it does not keep failing, thanks, cc @coderabbitai

@coderabbitai
Contributor

coderabbitai Bot commented Apr 8, 2026


🧩 Analysis chain

Let me find the allowlist configuration for the binary checker.


🏁 Script executed:

#!/bin/bash
# Find allowlist or similar config files for the RPM/binary checker
# (rg uses "|" for alternation; "\|" matches a literal pipe, and -r expects a replacement string)
rg -n "allowlist|allow_list|skiplist|skip_list|dynamically linked|not dynamically" --type yaml --type json --type toml -l 2>/dev/null | head -20

# Search for existing rg or copilot-language-server allowlist entries
rg -n "copilot-language-server|arm64/rg|linux/x64/rg" -l 2>/dev/null | head -20

# Look for any YAML/JSON config files that reference rstudio-server binary exceptions
rg -n "rstudio-server" --type yaml --type json -l 2>/dev/null | head -20

# Find files that look like binary check configs
fd -e yaml -e json -e toml "allow|skip|exempt|ignore" --type f 2>/dev/null | head -20

# Try to find the go binary checker config
fd "check" --type f -e yaml -e json -e toml 2>/dev/null | head -30

Repository: opendatahub-io/notebooks
Length of output: 358


🏁 Script executed:

#!/bin/bash
# Search for the binary checker script/config - look for "dynamically" or "check-rpms" style tooling
# (rg's type name for Makefiles is "make", and alternation is an unescaped "|")
rg -n "dynamically|check.rpm|rpm.*check|binary.*check" --type sh --type yaml --type make -l 2>/dev/null | head -20

# Look for GitHub Actions workflow files that run the binary checker
fd -e yml -e yaml . .github/ --type f 2>/dev/null | xargs grep -l "rg\|dynamically\|rstudio-server\|rpm" 2>/dev/null | head -20

# List all workflow files
fd . .github/workflows/ --type f 2>/dev/null | head -30

# Search for allowlist patterns across all file types
rg -n "allowlist|AllowList|allow_list|whitelist|Allowlist" -l 2>/dev/null | head -20

Repository: opendatahub-io/notebooks
Length of output: 2099


🏁 Script executed:

#!/bin/bash
# Check the security scan workflow and build template for the RPM checker
cat .github/workflows/sec-scan.yml
echo "---"
cat .github/workflows/security.yaml
echo "---"
# Search for the specific tool invocation pattern
rg -n "not dynamically|dynamically linked|check-rpm|rpm-check|allowlist|allow_list" 2>/dev/null | head -40

Repository: opendatahub-io/notebooks
Length of output: 6695


🏁 Script executed:

#!/bin/bash
# The error looks like it comes from a Konflux/RHTAP pipeline check
# Look for konflux pipeline configs, tekton tasks, or similar
fd -e yaml "konflux|pipeline|task|check" --type f 2>/dev/null | head -20

# Look for .tekton directory
ls -la .tekton/ 2>/dev/null || echo "No .tekton dir"

# Search for the specific Go tool - "not dynamically linked" check
rg -n "not dynamically|dynamically.linked|check-payload|check_payload|payload.check" 2>/dev/null | head -20

# Check if there's an allowlist in any RPM-related config
fd -e yaml -e json -e toml -e cfg -e conf 2>/dev/null | xargs grep -l "allowlist\|allow_list\|rg\b" 2>/dev/null | head -20

# Look for any config files under rstudio directories
find rstudio/ -type f | head -30

Repository: opendatahub-io/notebooks
Length of output: 10274


🏁 Script executed:

#!/bin/bash
# Look at the rstudio rhel9 pull-request pipeline (most likely to have the check)
cat .tekton/odh-workbench-rstudio-minimal-cpu-py312-rhel9-odh-main-pull-request.yaml
echo "==="
# Search for allowlist/check-payload in all tekton files
rg -n "allowlist|allow_list|check.payload|dynamically|filter|exclude|skip" .tekton/ 2>/dev/null | head -40
echo "==="
# Look at the combined pipeline for rstudio-related allowlist entries
grep -n -A5 -B5 "rstudio\|allowlist\|allow_list\|filter_by\|exclude" .tekton/multiarch-odh-main-combined-pipeline.yaml | head -80

Repository: opendatahub-io/notebooks
Length of output: 2783


🏁 Script executed:

#!/bin/bash
# Look for the check task in the combined pipeline
grep -n "check\|verify\|validate\|payload\|rpm\|filter\|allowlist" .tekton/multiarch-odh-main-combined-pipeline.yaml | head -60

echo "==="
# Check rstudio Dockerfiles for existing allowlist patterns
find rstudio/ -name "*.yaml" -o -name "*.yml" -o -name "*.json" -o -name "*.conf" | xargs grep -l "allowlist\|allow_list\|filter\|exclude" 2>/dev/null

echo "==="
# Look for existing allowlist patterns in codeserver (which also has complex binaries)
find codeserver/ -name "*.yaml" -o -name "*.yml" | xargs grep -l "allowlist\|allow_list\|rg\b\|not dynamically" 2>/dev/null

echo "==="
# Search the whole repo for patterns that look like binary allowlists
rg -n "copilot|language.server|arm64.*rg|x64.*rg|rg.*arm64|rg.*x64" 2>/dev/null | head -20

echo "==="
# Check the codeserver konflux dockerfiles for similar patterns (codeserver also ships rg binaries)
fd "Dockerfile.konflux" --type f | head -10

Repository: opendatahub-io/notebooks
Length of output: 3642


🏁 Script executed:

#!/bin/bash
# Get the full rpms-signature-scan task definition from the combined pipeline
grep -n -A 50 "name: rpms-signature-scan" .tekton/multiarch-odh-main-combined-pipeline.yaml | head -60

echo "==="
# Check codeserver konflux dockerfile for any allowlist or filter patterns  
cat codeserver/ubi9-python-3.12/Dockerfile.konflux.cpu

echo "==="
# Also look at the rstudio rhel9 konflux cpu dockerfile
cat rstudio/rhel9-python-3.12/Dockerfile.konflux.cpu

Repository: opendatahub-io/notebooks
Length of output: 33499


@jiridanek, I've dug into the codebase. Here's the analysis:

Root cause: The rstudio-server RPM (version 2026.01.1-403) ships pre-built, statically-linked rg (ripgrep) binaries as part of its GitHub Copilot language server for multi-arch support:

  • /usr/lib/rstudio-server/bin/copilot-language-server-js/bin/linux/arm64/rg
  • /usr/lib/rstudio-server/bin/copilot-language-server-js/bin/linux/x64/rg

These are caught by the Konflux rpms-signature-scan task's check-payload check which requires all executables in the image to be dynamically linked.

The rpms-signature-scan task in .tekton/multiarch-odh-main-combined-pipeline.yaml does not expose an allowlist parameter, so the fix needs to be in the Dockerfile itself.

Recommended fix for @ayush17: Since GitHub Copilot is disabled by default in RStudio Server, these binaries are not needed. Remove them after installing rstudio-server in the Dockerfiles:

# Install RStudio
ARG RSTUDIO_RPM=rstudio-server-rhel-2026.01.1-403-x86_64.rpm
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM}
dnf install -y ${RSTUDIO_RPM}
rm ${RSTUDIO_RPM}
dnf -y clean all  --enablerepo='*'
# Remove statically-linked Copilot language server binaries (disabled by default,
# flagged by check-payload as not dynamically linked)
rm -rf /usr/lib/rstudio-server/bin/copilot-language-server-js/bin/linux/arm64/rg \
       /usr/lib/rstudio-server/bin/copilot-language-server-js/bin/linux/x64/rg
...
EOF

This needs to be applied to all four Dockerfiles:

  • rstudio/rhel9-python-3.12/Dockerfile.cpu
  • rstudio/rhel9-python-3.12/Dockerfile.cuda
  • rstudio/rhel9-python-3.12/Dockerfile.konflux.cpu
  • rstudio/rhel9-python-3.12/Dockerfile.konflux.cuda
  • rstudio/c9s-python-3.12/Dockerfile.cpu
  • rstudio/c9s-python-3.12/Dockerfile.cuda

Remove the statically-linked ripgrep (rg) binaries from the RStudio
Copilot language server directory. These binaries are flagged by
Konflux check-payload as "not dynamically linked". Since GitHub
Copilot is disabled by default in RStudio Server, these binaries
are not needed.

Addresses: check-payload failure for executable not dynamically linked
Made-with: Cursor
@openshift-ci openshift-ci Bot removed the lgtm label Apr 9, 2026
@openshift-ci
Contributor

openshift-ci Bot commented Apr 9, 2026

New changes are detected. LGTM label has been removed.

Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@rstudio/rhel9-python-3.12/Dockerfile.cpu`:
- Around line 131-135: The Dockerfile currently downloads ${RSTUDIO_RPM} and
installs it directly; update the RUN block that handles RSTUDIO_RPM to verify
integrity before installing by fetching a trusted checksum or signature
alongside the RPM, validating it (e.g., compare a pinned SHA256 checksum or
verify a GPG signature with rpm --checksig or gpg and rpm --import of a trusted
key), and only proceeding to dnf install ${RSTUDIO_RPM} if verification succeeds
otherwise exit non‑zero; ensure the verification step uses a pinned checksum
value or trusted key material embedded or ARG/BUILDARG-provided and remove the
RPM on failure.
- Around line 136-138: The removal step uses a silent `rm -f` on the
copilot-language-server-js `rg` binaries which masks missing or moved paths;
change the step that references
"/usr/lib/rstudio-server/bin/copilot-language-server-js/bin/linux/arm64/rg" and
the x64 `rg` to first discover any matching files (for example with `find`/glob)
and assert that none remain, and if any are found fail the build (exit non‑zero)
so the pipeline fails fast; update the block that mentions
`copilot-language-server-js` and `rg` to perform discovery and an explicit
assertion rather than using `rm -f`.


📥 Commits

Reviewing files that changed from the base of the PR and between e1734ec and 429b8ed.

📒 Files selected for processing (6)
  • rstudio/c9s-python-3.12/Dockerfile.cpu
  • rstudio/c9s-python-3.12/Dockerfile.cuda
  • rstudio/rhel9-python-3.12/Dockerfile.cpu
  • rstudio/rhel9-python-3.12/Dockerfile.cuda
  • rstudio/rhel9-python-3.12/Dockerfile.konflux.cpu
  • rstudio/rhel9-python-3.12/Dockerfile.konflux.cuda
🚧 Files skipped from review as they are similar to previous changes (5)
  • rstudio/rhel9-python-3.12/Dockerfile.konflux.cuda
  • rstudio/rhel9-python-3.12/Dockerfile.cuda
  • rstudio/rhel9-python-3.12/Dockerfile.konflux.cpu
  • rstudio/c9s-python-3.12/Dockerfile.cuda
  • rstudio/c9s-python-3.12/Dockerfile.cpu

Comment on lines +131 to 135
ARG RSTUDIO_RPM=rstudio-server-rhel-2026.01.1-403-x86_64.rpm
RUN set -Eeuxo pipefail && \
wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM} && \
dnf install -y ${RSTUDIO_RPM} && \
rm ${RSTUDIO_RPM} && \
Contributor


⚠️ Potential issue | 🟠 Major

Enforce RPM integrity verification before install (CWE-494).

Severity: High.
Exploit scenario: Line 133 downloads an RPM over the network, and Line 134 installs it as root. If the mirror/CDN path is compromised, a tampered package gets root execution during build.
Remediation: pin and verify a trusted checksum (or signature) before dnf install.

Suggested fix
 ARG RSTUDIO_RPM=rstudio-server-rhel-2026.01.1-403-x86_64.rpm
+ARG RSTUDIO_RPM_SHA256=<vendor-published-sha256>
 RUN set -Eeuxo pipefail && \
-    wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM} && \
+    curl -fsSLo ${RSTUDIO_RPM} --retry 3 https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM} && \
+    echo "${RSTUDIO_RPM_SHA256}  ${RSTUDIO_RPM}" | sha256sum -c - && \
     dnf install -y ${RSTUDIO_RPM} && \
     rm ${RSTUDIO_RPM} && \
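Review bot: the swap from `wget --progress=dot:giga` to `curl -fsSLo ${RSTUDIO_RPM} --retry 3` is unrelated to the integrity fix and diverges from the wget-based proposal given earlier in this thread for Dockerfile.konflux.cuda; keep wget so all six RStudio Dockerfiles share one downloader and the diff stays limited to the checksum line. As in that proposal, `<vendor-published-sha256>` must be replaced by the real 64-hex digest before this can build, and recording where that digest was obtained in the PR description lets reviewers reproduce the pin rather than trust the value.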

As per coding guidelines: REVIEW PRIORITIES: 1. Security vulnerabilities (provide severity, exploit scenario, and remediation code).


Comment on lines +136 to +138
# Remove statically-linked Copilot language server binaries (disabled by default, flagged by check-payload) \
rm -f /usr/lib/rstudio-server/bin/copilot-language-server-js/bin/linux/arm64/rg \
/usr/lib/rstudio-server/bin/copilot-language-server-js/bin/linux/x64/rg && \
Contributor


⚠️ Potential issue | 🟡 Minor

Make static-binary cleanup fail fast instead of silently ignoring drift.

Line 137-138 uses rm -f, which succeeds even if paths change. That hides breakage until a later pipeline scan. Replace with discovery + assertion so this step fails immediately when rg binaries remain.

Suggested fix
-    rm -f /usr/lib/rstudio-server/bin/copilot-language-server-js/bin/linux/arm64/rg \
-          /usr/lib/rstudio-server/bin/copilot-language-server-js/bin/linux/x64/rg && \
+    find /usr/lib/rstudio-server/bin/copilot-language-server-js/bin/linux -type f -name rg -delete && \
+    test -z "$(find /usr/lib/rstudio-server/bin/copilot-language-server-js/bin/linux -type f -name rg -print -quit)" && \
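Review bot: `find ... -name rg -delete && test -z "$(find ... -print -quit)"` only confirms that nothing named rg survives under `.../bin/linux`; it still passes silently when a future RPM stops placing the files there at all, which is exactly the path-drift case this comment is about, and the second `find` is redundant once `-delete` has succeeded without error. A fail-fast version should assert the expected files exist before deleting them (`test -f .../arm64/rg && test -f .../x64/rg`) and then search the whole `/usr/lib/rstudio-server` tree rather than only `bin/linux`, so a relocated static `rg` is caught in the build instead of by the later check-payload scan.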

As per coding guidelines: REVIEW PRIORITIES: 3. Bug-prone patterns and error handling gaps.

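
The two checks the review asks for, the pinned-SHA256 gate before `dnf install` (CWE-494) and the fail-fast removal of the static `rg` binaries, written as an added shell example that is not code from this PR or the opendatahub-io/notebooks repository. It assumes GNU `sha256sum` and `find`; the demo file and directory tree it builds are constructed stand-ins for the downloaded RPM and the RPM's install layout.

```shell
#!/bin/sh
# Added example: fail-fast integrity and cleanup checks, exercisable locally
# before they are pasted into a Dockerfile RUN block. POSIX sh, no bashisms.
set -eu

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE hashes to EXPECTED_HEX, 1 otherwise. This is the
#   echo "${SHA}  ${FILE}" | sha256sum -c -
# pattern from the review; note the TWO spaces, which sha256sum's check
# format requires. Placeholders such as <vendor-published-sha256> are
# rejected up front instead of surfacing as a confusing sha256sum error.
verify_sha256() {
  file="$1"
  expected="$2"
  case "$expected" in
    *[!0-9a-fA-F]*|"") echo "verify_sha256: '$expected' is not a hex digest" >&2; return 1 ;;
  esac
  [ "${#expected}" -eq 64 ] || { echo "verify_sha256: digest must be 64 hex chars" >&2; return 1; }
  echo "${expected}  ${file}" | sha256sum -c - >/dev/null 2>&1
}

# remove_static_rg ROOT
# Deletes every file named rg below ROOT, but fails (return 1) if none were
# present to begin with (the RPM layout changed and the step needs a second
# look) or if any survive the deletion. Plain "rm -f" would report success
# in both cases and leave the breakage for a later pipeline scan to find.
remove_static_rg() {
  root="$1"
  before=$(find "$root" -type f -name rg | wc -l | tr -d ' ')
  [ "$before" -gt 0 ] || { echo "remove_static_rg: no rg binaries under $root; layout changed?" >&2; return 1; }
  find "$root" -type f -name rg -delete
  after=$(find "$root" -type f -name rg -print -quit)
  [ -z "$after" ] || { echo "remove_static_rg: $after still present" >&2; return 1; }
  return 0
}

# --- constructed demo data (stands in for the RPM and its install tree) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'not really an rpm\n' > "$demo_dir/demo.rpm"
good_sha=$(sha256sum "$demo_dir/demo.rpm" | cut -d' ' -f1)
bad_sha=$(printf '%064d' 0)

# Runs both checks against the constructed data and reports each outcome as
# a word so the results can be inspected (or asserted on) as a single string.
demo_results() {
  r1=fail; verify_sha256 "$demo_dir/demo.rpm" "$good_sha" && r1=ok
  r2=fail; verify_sha256 "$demo_dir/demo.rpm" "$bad_sha" || r2=rejected
  r3=fail; verify_sha256 "$demo_dir/demo.rpm" "<vendor-published-sha256>" || r3=rejected
  tree="$demo_dir/copilot-language-server-js/bin/linux"
  mkdir -p "$tree/arm64" "$tree/x64"
  : > "$tree/arm64/rg"; : > "$tree/x64/rg"; : > "$tree/x64/keep-me"
  r4=fail; remove_static_rg "$tree" && r4=ok
  r5=fail; remove_static_rg "$tree" || r5=rejected   # second run: nothing left, so it must fail
  r6=fail; [ -f "$tree/x64/keep-me" ] && r6=ok       # unrelated files are left alone
  echo "$r1 $r2 $r3 $r4 $r5 $r6"
}

demo_results
```

In a Dockerfile RUN block the same two functions would be called with `${RSTUDIO_RPM}`, `${RSTUDIO_RPM_SHA256}` and `/usr/lib/rstudio-server`, and any non-zero return aborts the build under `set -e`.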

@ysok
Contributor

ysok commented Apr 9, 2026

It failed to build RStudio on both Konflux and GitHub. As we’ve discussed, we’ve lowered the priority of RStudio work. Therefore, I suggest not merging unless you can successfully build it. @atheo89

Labels

approved review-requested GitHub Bot creates notification on #pr-review-ai-ide-team slack channel size/m
