.pr_agent_auto_best_practices

root edited this page Oct 2, 2025 · 1 revision

Pattern 1: Pin external tool versions and verify downloads with checksums when fetching binaries in Dockerfiles or shell scripts to ensure reproducible, secure builds.

Example code before:

RUN curl -LO "https://example.com/tool/latest/linux/amd64/tool" && \
    chmod +x tool && mv tool /usr/local/bin/

Example code after:

ARG TOOL_VERSION=v1.2.3
RUN TOOL_URL="https://example.com/tool/${TOOL_VERSION}/linux/amd64/tool" && \
    curl -LO "${TOOL_URL}" -LO "${TOOL_URL}.sha256" && \
    echo "$(cat tool.sha256) tool" | sha256sum --check && \
    install -m 0755 tool /usr/local/bin/tool && rm tool.sha256
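The verification step from the pattern above, carried out as a stand-alone shell script so it can be tried outside a Docker build. This is an added example, not code from the original page or from the project the suggestions were taken from; the function names and the constructed `tool` file are this example's own, and it assumes GNU coreutils `sha256sum`. It goes one step beyond the pattern as stated: besides checking against a downloaded `.sha256` file, it shows the stricter variant in which the expected digest is pinned in the build definition itself.

```shell
#!/bin/sh
# Added example, not code from the original page or the project it came from.
# Runs offline on constructed files; verify_download, verify_pinned and demo
# are this example's own names. Assumes GNU coreutils sha256sum.

# Check FILE against the hex digest in SUMFILE, in the same shape as the
# Dockerfile step in the pattern. The sum file may hold just the digest or a
# full "<digest>  <name>" line; only the first field is used.
# Exit status: 0 on match, non-zero on mismatch or missing file.
verify_download() {
    file="$1"
    sumfile="$2"
    digest=$(cut -d' ' -f1 "$sumfile")
    # Two spaces between digest and name is the format sha256sum documents.
    printf '%s  %s\n' "$digest" "$file" | sha256sum --check --status
}

# Stricter form: compare FILE against a digest pinned in the build definition,
# so a checksum file served next to the binary does not have to be trusted.
verify_pinned() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Well-known SHA-256 of the three bytes "abc" (FIPS 180 test vector).
ABC_SHA256="ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

# Exercise both checks on a constructed "binary": once intact, once tampered.
# Prints four exit statuses: download-ok download-tampered pinned-ok pinned-tampered.
demo() {
    work=$(mktemp -d)
    printf 'abc' > "$work/tool"                      # constructed download
    printf '%s\n' "$ABC_SHA256" > "$work/tool.sha256" # constructed sum file

    verify_download "$work/tool" "$work/tool.sha256" && d_ok=0 || d_ok=1
    verify_pinned "$work/tool" "$ABC_SHA256" && p_ok=0 || p_ok=1

    printf 'x' >> "$work/tool"   # simulate a truncated, corrupted or altered file
    verify_download "$work/tool" "$work/tool.sha256" && d_bad=0 || d_bad=1
    verify_pinned "$work/tool" "$ABC_SHA256" && p_bad=0 || p_bad=1

    rm -rf "$work"
    printf '%s %s %s %s\n' "$d_ok" "$d_bad" "$p_ok" "$p_bad"
}

demo
```

Running the script prints `0 1 0 1`: both checks accept the intact file and reject the altered one. The difference between the two functions is where the trust sits: `verify_download` only proves the bytes match what the same origin published alongside them, while `verify_pinned` ties the build to a digest that was reviewed when the version was pinned.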

Relevant past accepted suggestions:
Suggestion 1:

Pin version and add checksum validation

Pin the kubectl version and add checksum validation during download to improve security and ensure reproducible builds.

.tools/Dockerfile [7-11]

+ARG KUBECTL_VERSION=v1.30.3
 RUN apt-get update && apt-get install -y curl && \
-    curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/$(dpkg --print-architecture)/kubectl" && \
+    KUBECTL_URL="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/$(dpkg --print-architecture)/kubectl" && \
+    curl -LO "${KUBECTL_URL}" && \
+    curl -LO "${KUBECTL_URL}.sha256" && \
+    echo "$(cat kubectl.sha256) kubectl" | sha256sum --check && \
     chmod +x kubectl && \
     mv kubectl /usr/local/bin/ && \
+    rm kubectl.sha256 && \
     apt-get clean && rm -rf /var/lib/apt/lists/*
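Review bot: The `.sha256` file is fetched from the same origin as the binary, so the check catches truncated or corrupted downloads but not a compromised or substituted origin; pinning the expected digest in the Dockerfile next to `KUBECTL_VERSION` (for example `ARG KUBECTL_SHA256=<digest>`) and checking against that is what makes the build genuinely reproducible. Two smaller points: `curl -LO` without `-f`/`--fail` saves an HTML error page as `kubectl` on a 404 and surfaces it only as a confusing checksum mismatch, so `curl -fsSLO` fails earlier and more clearly; and the documented `sha256sum --check` line format separates digest and file name with two spaces, as the upstream kubectl install instructions do (`echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check`).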

Suggestion 2:

Verify Firefox ARM64 compatibility

The condition allows installing the latest Firefox version on ARM64 without verifying if Firefox actually supports ARM64 for that version. Add an explicit version check for ARM64 compatibility.

NodeFirefox/Dockerfile [24]

-if [ "$(dpkg --print-architecture)" = "amd64" ] || [ $FIREFOX_VERSION = "latest" ]; then \
+if [ "$(dpkg --print-architecture)" = "amd64" ] || ([ $FIREFOX_VERSION = "latest" ] && firefox --version >/dev/null 2>&1); then \
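Review bot: The added `firefox --version` test does not check ARM64 compatibility of the requested version: it runs at build time before the package is installed, so it succeeds only if some `firefox` binary is already on the PATH, and on a fresh image the condition is false for every `latest` request on ARM64. A real compatibility check has to consult the release itself (for instance, whether a download for that version and architecture exists) rather than the local environment. Separately, `$FIREFOX_VERSION` is unquoted inside `[ ... ]`, so an empty or unset value turns the test into a syntax error; use `[ "$FIREFOX_VERSION" = "latest" ]`.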

Pattern 2: Harden shell and YAML templating by fixing quoting, concatenation, and continuation syntax to handle special characters and correct field placement.

Example code before:

# Shell
NAME="$PREFIX_$(basename $file)"
apt-get update && apt-get install -y pkg \
echo "done"

# Helm YAML (misplaced field)
spec:
  containers: []
    tolerations:
      - key: foo

Example code after:

# Shell
NAME="${PREFIX}_$(basename "$file")"
apt-get update && apt-get install -y pkg && \
  echo "done"

# Helm YAML (correct placement)
spec:
  tolerations:
    - key: foo
  containers: []
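The shell half of this pattern, shown by capturing the words each command actually receives. This is an added example, not code from the original page or from the project the suggestions came from; the function names and the sample path are this example's own. The YAML placement half is not covered here, since it concerns Helm rendering rather than shell parsing.

```shell
#!/bin/sh
# Added example, not from the original page or the project it came from.
# Shows what the shell does with the three Pattern 2 shell bugs (variable
# concatenation, unquoted command-substitution argument, missing "&&" before
# a continued line). Function names and the sample path are this example's own.

PREFIX="grid"

# Buggy concatenation: the shell parses "$PREFIX_" as a variable named PREFIX_,
# which is unset, so the prefix silently disappears. The unquoted $file is also
# split on spaces, so basename receives a second argument and treats it as a
# suffix to strip.
buggy_alias() {
    file="$1"
    printf '%s\n' "$PREFIX_$(basename $file)"
}

# Fixed: braces delimit the variable name; quoting keeps the path as one word.
fixed_alias() {
    file="$1"
    printf '%s\n' "${PREFIX}_$(basename "$file")"
}

# Stand-in for a real command: prints each argument it received, "|"-separated.
show_args() {
    printf '%s|' "$@"
    printf '\n'
}

# Buggy continuation: the trailing "\" joins the lines, so "echo" and "done"
# become two more arguments of show_args instead of a separate command.
buggy_continuation() {
    show_args install pkg \
    echo "done"
}

# Fixed: "&&" ends the first command and runs echo only if it succeeded.
fixed_continuation() {
    show_args install pkg && \
    echo "done"
}
```

With the constructed path `/certs/my cert.pem`, `buggy_alias` prints just `my` (prefix lost, file name truncated at the space) while `fixed_alias` prints `grid_my cert.pem`. `buggy_continuation` shows the stand-in command receiving `install|pkg|echo|done|`, which is exactly how the `apt-get` line in the pattern would swallow the `echo`.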

Relevant past accepted suggestions:
Suggestion 1:

Fix tolerations placement in pod spec

The tolerations field should be at the pod spec level, not under the container. Move it to be a sibling of containers and volumes for proper Kubernetes pod scheduling.

charts/selenium-grid/templates/patch-keda/delete-keda-objects-job.yaml [39-41]

-{{- with $.Values.autoscaling.patchObjectFinalizers.tolerations  }}
-  tolerations : {{ toYaml . | nindent 12 }}
+{{- with $.Values.autoscaling.patchObjectFinalizers.tolerations }}
+  tolerations: {{ toYaml . | nindent 8 }}
 {{- end }}
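Review bot: The hunk changes `nindent 12` to `nindent 8` and removes the stray space before the colon, but the suggestion text talks about moving `tolerations` to the pod spec level, and the context shown is only the `with` block, so the diff alone does not let a reviewer confirm that the key now lands as a sibling of `containers` at the pod spec depth. Include the surrounding `spec:`/`containers:` lines for context, and render the chart with `helm template` and a non-empty `tolerations` value to check the indentation, since a misplaced key here is not caught at template time.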

Suggestion 2:

Fix missing command continuation

The command is missing a backslash continuation character after the package installation line, which will cause the echo command to fail. Add a backslash after the apt cleanup command.

Base/Dockerfile [76-81]

 RUN apt-get -qqy update \
     && apt-get upgrade -yq \
     && apt-get -qqy --no-install-recommends install \
     python3 python3-pip python3-venv \
     && rm -rf /var/lib/apt/lists/* /var/cache/apt/* \
-    echo "source $VENV_PATH/bin/activate" >> /etc/bash.bashrc
+    && echo "source $VENV_PATH/bin/activate" >> /etc/bash.bashrc
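Review bot: The fix is right but the description is not: the backslash on the `rm -rf` line was already present, so the lines were joined and `echo "source ..." >> /etc/bash.bashrc` became extra arguments to `rm -rf`, with the redirect applied to `rm`. The missing piece is the `&&` operator the hunk adds, not a backslash. Worth stating in the message as well: `$VENV_PATH` is expanded at build time inside the double quotes, so the path baked into `/etc/bash.bashrc` is whatever the ARG/ENV holds when this layer builds; if it is meant to be resolved at shell start-up instead, escape it as `\$VENV_PATH`.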

Suggestion 3:

Fix variable concatenation syntax

The ALIAS variable concatenation is incorrect. The underscore is part of the prefix instead of being a separator. Add a space before the underscore to properly separate prefix from filename.

charts/selenium-grid/certs/add-cert-helper.sh [78]

-ALIAS="$ALIAS_PREFIX_$(basename $cert_file)"
+ALIAS="${ALIAS_PREFIX}_$(basename $cert_file)"
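Review bot: Correct fix, but the description misstates it: the original `$ALIAS_PREFIX_` is parsed as one variable named `ALIAS_PREFIX_`, which is unset, so the alias lost its prefix entirely; `${ALIAS_PREFIX}` delimits the variable name, and no space is involved. The unquoted `$(basename $cert_file)` on this line is still subject to word splitting and globbing (the next suggestion addresses it), so the two changes should land together.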

Suggestion 4:

Handle special characters in filenames

The basename could contain spaces or special characters. Quote the basename command to prevent word splitting and globbing issues.

charts/selenium-grid/certs/add-cert-helper.sh [78]

-ALIAS="$ALIAS_PREFIX_$(basename $cert_file)"
+ALIAS="${ALIAS_PREFIX}_$(basename "$cert_file")"
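Review bot: This supersedes Suggestion 3 on the same line and is the form to merge; applying Suggestion 3 alone would leave the word-splitting problem in place. Quoting `"$cert_file"` makes `basename` see a single argument even when the path contains spaces or glob characters, and the outer double quotes around the whole substitution already keep the result as one word. Keep `ALIAS_PREFIX` quoted the same way wherever it is set, or the prefix itself can reintroduce the problem.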

[Auto-generated best practices - 2025-10-02]