
Bump redhat-services-prod/openshift/boilerplate from image-v8.3.4 to image-v8.3.6 in /build#238

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/docker/build/redhat-services-prod/openshift/boilerplate-image-v8.3.6

Conversation


@dependabot dependabot Bot commented on behalf of github Jun 2, 2026

Bumps redhat-services-prod/openshift/boilerplate from image-v8.3.4 to image-v8.3.6.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated the Docker builder stage base image version from v8.3.4 to v8.3.6.

Bumps redhat-services-prod/openshift/boilerplate from image-v8.3.4 to image-v8.3.6.

---
updated-dependencies:
- dependency-name: redhat-services-prod/openshift/boilerplate
  dependency-version: image-v8.3.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels area/dependency (Issues or PRs related to dependency changes) and ok-to-test (Indicates a non-member PR verified by an org member that is safe to test.) on Jun 2, 2026

coderabbitai Bot commented Jun 2, 2026

Walkthrough

Builder stage base image dependency updated from version 8.3.4 to 8.3.6 in the Dockerfile. No other build configuration, commands, or runtime image settings were modified.

Changes

Builder image version update

Layer / File(s) | Summary
Builder image version bump (build/Dockerfile) | Builder stage FROM image tag updated from boilerplate:image-v8.3.4 to boilerplate:image-v8.3.6.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: bumping a Docker base image from v8.3.4 to v8.3.6 in the /build directory, which matches the Dockerfile modification.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed PR only modifies build/Dockerfile (Docker config), not test files. No Ginkgo test declarations present; check does not apply to this PR.
Test Structure And Quality ✅ Passed PR only modifies Dockerfile (Docker base image bump), not any Ginkgo test code. The test quality check is inapplicable to non-test files.
Microshift Test Compatibility ✅ Passed PR only modifies build/Dockerfile (boilerplate base image bump from v8.3.4 to v8.3.6); no new Ginkgo e2e tests are added, so the MicroShift Test Compatibility check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR only updates the Docker base image version in build/Dockerfile from v8.3.4 to v8.3.6. No Ginkgo e2e tests are added or modified, so the SNO test compatibility check does not apply.
Topology-Aware Scheduling Compatibility ✅ Passed PR only bumps boilerplate base image (v8.3.4→v8.3.6) in Dockerfile builder stage; no deployment manifests, operator code, controllers, or scheduling constraints are modified or added.
Ote Binary Stdout Contract ✅ Passed PR only modifies Dockerfile (base image version bump from v8.3.4 to v8.3.6); no Go code changes, so OTE Binary Stdout Contract is not affected.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR only updates Dockerfile base image from v8.3.4 to v8.3.6; no new Ginkgo e2e tests are added, making the check inapplicable.
No-Weak-Crypto ✅ Passed PR only updates Docker base image version; no weak crypto patterns (MD5, SHA1, DES, RC4, etc.), custom crypto, or non-constant-time comparisons present in Dockerfile.
Container-Privileges ✅ Passed No privileged settings found. The Dockerfile runs as non-root user (UID 1000), has no privileged: true, hostPID/Network/IPC, SYS_ADMIN, or allowPrivilegeEscalation settings.
No-Sensitive-Data-In-Logs ✅ Passed PR only updates base image version (v8.3.4 to v8.3.6) with no logging statements added that could expose sensitive data.


@openshift-ci openshift-ci Bot requested review from typeid and xiaoyu74 June 2, 2026 20:44

openshift-ci Bot commented Jun 2, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dependabot[bot]
Once this PR has been reviewed and has the lgtm label, please assign typeid for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
build/Dockerfile (3)

7-7: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Avoid copying the entire build context.

The COPY . . command copies the entire build context, which may include sensitive files, secrets, or unnecessary files. As per coding guidelines, you should copy specific files or directories instead.

Consider using .dockerignore or explicitly listing required directories.

🔒 Suggested approach
-COPY . .
+COPY cmd/ ./cmd/
+COPY pkg/ ./pkg/
+COPY internal/ ./internal/
+# Add other specific directories as needed
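Review bot: the replacement list in this hunk (cmd/, pkg/, internal/) omits go.mod and go.sum, which a Go module build needs before any of those directories compile (the pre-merge checks on this PR describe the project as Go code with Ginkgo tests and a built ocm-agent binary), and the last added line, `+# Add other specific directories as needed`, is a placeholder rather than something to merge. Enumerate the builder stage's real inputs before applying this, and pair the narrowed COPY with a .dockerignore so that secrets and local build output stay out of the context even if a broad COPY comes back later.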

Or ensure .dockerignore excludes sensitive files.

As per coding guidelines: "COPY specific files, not entire context"

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` at line 7, replace the unsafe "COPY . ." in the Dockerfile
by copying only the required artifacts (e.g., COPY package*.json, yarn.lock, and
the source/build directories used at runtime) and ensure a .dockerignore exists
to exclude secrets and dev files; update the Dockerfile's build steps (the COPY
invocation) to reference those specific files/directories instead of the entire
context and confirm that any temporary build outputs are copied explicitly after
they are produced.

10-10: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Use floating tags for Red Hat base images.

The runtime image uses what appears to be a pinned tag (9.7-1776833838) for a Red Hat UBI image. As per coding guidelines, Red Hat images should use floating tags to receive managed security updates from Red Hat.

🔒 Recommended fix
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1776833838
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7
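Review bot: the floating `9.7` tag in this hunk gives up build reproducibility: two builds of the same commit can pull different ubi-minimal images, which is exactly what the pinned build tag (and Dependabot bumps such as this PR) keep visible. If the guideline's floating tag is adopted, have the build record the image digest it resolved so a given binary can still be traced to one specific base image; otherwise keep the pinned tag and rely on Dependabot to keep it current.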

Or use a more general floating tag like 9-latest or latest depending on your update strategy.

As per coding guidelines: "Red Hat images: use floating tags (Red Hat manages updates)"

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` at line 10, the Dockerfile’s FROM instruction is using a
pinned Red Hat UBI tag; update the FROM line that references
registry.access.redhat.com/ubi9/ubi-minimal:9.7-1776833838 to use a floating tag
(for example :9, :9-latest or :latest) so Red Hat can manage updates—locate the
Dockerfile and the FROM registry.access.redhat.com/ubi9/ubi-minimal entry and
replace the specific build tag with the chosen floating tag.

10-25: 🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add HEALTHCHECK instruction.

The Dockerfile lacks a HEALTHCHECK instruction. As per coding guidelines, a HEALTHCHECK should be defined to allow container orchestrators to monitor and manage container health.

💚 Suggested addition

Add before the ENTRYPOINT:

HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD /usr/local/bin/ocm-agent healthcheck || exit 1

(Shell form is required here: a JSON exec-form array followed by `|| exit 1` is not valid JSON, so Docker would fall back to running the literal text through /bin/sh and every probe would fail.)

Adjust the healthcheck command based on your application's health endpoint or mechanism.

As per coding guidelines: "HEALTHCHECK defined"

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` around lines 10 - 25, the Dockerfile is missing a
HEALTHCHECK; add a HEALTHCHECK instruction just before ENTRYPOINT that
periodically runs your app's health probe (e.g., call /usr/local/bin/ocm-agent
healthcheck) with sensible flags (--interval, --timeout, --start-period,
--retries) and ensure the command returns non‑zero on failure so orchestrators
can mark the container unhealthy; place it before ENTRYPOINT [
"/usr/local/bin/entrypoint" ] and reference the existing binary path
(/usr/local/bin/ocm-agent) and existing ENTRYPOINT/USER_UID setup when
implementing.
🧹 Nitpick comments (1)
build/Dockerfile (1)

10-25: ⚡ Quick win

Consider enabling read-only root filesystem.

The runtime image does not configure a read-only root filesystem. As per coding guidelines, read-only rootfs should be enabled where possible to improve security posture.

If the application requires write access, mount specific volumes for those paths.

🔒 Implementation approach

In your deployment manifest (not Dockerfile), add:

securityContext:
  readOnlyRootFilesystem: true

If the application needs writable directories, add volume mounts:

volumes:
  - name: tmp
    emptyDir: {}
volumeMounts:
  - name: tmp
    mountPath: /tmp

As per coding guidelines: "Read-only rootfs where possible"

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@build/Dockerfile` around lines 10 - 25, enable a read-only root filesystem at
runtime by setting securityContext.readOnlyRootFilesystem: true in the
deployment manifest, and ensure any paths the container must write to (e.g.,
/tmp or directories created/used by /usr/local/bin/user_setup or the process run
by ENTRYPOINT /usr/local/bin/entrypoint) are provided as writable volume mounts
(emptyDir, persistentVolumeClaim, or tmpfs) with correct ownership for USER_UID;
verify the Dockerfile does not bake in required writable state and that the
entrypoint and user_setup scripts use only those mounted writable paths.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b510ed89-09b2-4b1c-b456-18ca88a67c46

📥 Commits

Reviewing files that changed from the base of the PR and between b7992c3 and 3f76519.

📒 Files selected for processing (1)
  • build/Dockerfile
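A checker for the four guideline points this review raises (specific COPY sources, floating Red Hat tags, a HEALTHCHECK, and a non-root USER in the final stage), added here as an example; it is not CodeRabbit's check implementation and not code from the openshift repository. The two Dockerfiles inside it are constructed from the lines quoted in the review, not the repository's actual build/Dockerfile.

```python
import re

# Constructed sample modelled on the lines quoted in the review; not the repository's real build/Dockerfile.
SAMPLE_DOCKERFILE = """\
FROM redhat-services-prod/openshift/boilerplate:image-v8.3.6 AS builder
COPY . .
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7-1776833838
COPY --from=builder /src/ocm-agent /usr/local/bin/ocm-agent
USER 1000
ENTRYPOINT ["/usr/local/bin/entrypoint"]
"""
# The same file with the review's fixes applied (also constructed): explicit COPY sources,
# a floating UBI tag, and a shell-form HEALTHCHECK placed before ENTRYPOINT.
HARDENED_DOCKERFILE = SAMPLE_DOCKERFILE.replace(
    "COPY . .", "COPY go.mod go.sum ./\nCOPY cmd/ ./cmd/\nCOPY pkg/ ./pkg/"
).replace(":9.7-1776833838", ":9.7").replace(
    "USER 1000", "USER 1000\nHEALTHCHECK --interval=30s --timeout=3s --retries=3 \\\n"
    "  CMD /usr/local/bin/ocm-agent healthcheck || exit 1")
PINNED_REDHAT = re.compile(r"^FROM\s+(registry\.access\.redhat\.com/\S+?):(\d+(?:\.\d+)*-\d+)\b", re.I)
COPY_ALL = re.compile(r"^COPY\s+(?:--\S+\s+)*\./?\s+\S+\s*$", re.I)  # COPY [flags] . <dest>
def _instructions(text):
    """Yield (lineno, instruction); backslash continuations are joined, comments and blanks skipped."""
    buf = ""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
        elif buf or (line and not line.startswith("#")):
            yield n, (buf + line).strip()
            buf = ""
def check_dockerfile(text):
    """Return (lineno, finding) pairs for the four guidelines; [] means the Dockerfile passes."""
    findings, healthcheck, stage_user = [], False, None
    for n, ins in _instructions(text):
        words = ins.split()
        kw = words[0].upper()
        if kw == "FROM":  # a new stage starts; only the final stage's USER matters at runtime
            stage_user = None
        if COPY_ALL.match(ins):
            findings.append((n, "COPY copies the entire build context"))
        if m := PINNED_REDHAT.match(ins):
            findings.append((n, f"Red Hat image {m.group(1)} pinned to build tag {m.group(2)}"))
        healthcheck = healthcheck or kw == "HEALTHCHECK"
        if kw == "USER" and len(words) > 1:
            stage_user = words[1].split(":")[0]
    if not healthcheck:
        findings.append((0, "no HEALTHCHECK instruction"))
    if stage_user in (None, "root", "0"):
        findings.append((0, "final stage does not run as a non-root USER"))
    return findings
```

Running `check_dockerfile` on both constants shows the sample tripping the COPY, pinned-tag and HEALTHCHECK checks while the hardened version returns no findings.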

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.67%. Comparing base (b7992c3) to head (3f76519).

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #238   +/-   ##
=======================================
  Coverage   55.67%   55.67%           
=======================================
  Files          23       23           
  Lines        1895     1895           
=======================================
  Hits         1055     1055           
  Misses        785      785           
  Partials       55       55           

@openshift-ci

openshift-ci Bot commented Jun 2, 2026

@dependabot[bot]: all tests passed!
