feat: INFRA-6244 Fix image source

[Spich3000]

Fix image source for v1.5.3-testnet image upgrade

Summary by CodeRabbit

• Chores
  • Updated container deployment to use testnet artifacts instead of mainnet.
  • Minor build configuration formatting adjustments around download/extract steps.

[coderabbitai]

Caution

Review failed

The pull request is closed.

Walkthrough

The Dockerfile's Cronos tarball reference was updated: the download URL and referenced tarball filename were changed from a mainnet release to the v1.5.3 testnet tarball; extraction, cleanup, and move commands continue to operate on the new filename.

Changes

Cohort / File(s)	Summary
Cronos tarball URL & filename update Dockerfile	Replaced the Cronos tarball download URL/filename to point to the v1.5.3 testnet archive; extraction, removal, and move commands updated to use the new tarball name.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

• Single-file change with consistent filename/URL substitution.
• No logic, permissions, or runtime behavior changes beyond artifact target.
• Pay attention to the exact tarball filename and URL formatting in the Dockerfile.

Possibly related PRs

• feat: INFRA-6244 Cronos mainnet image upgrade v1.5.3 #87 — Updates Dockerfile to download Cronos v1.5.3 (mainnet/testnet variations) affecting the same download/extract lines.
• chore:upgrade to 1.4.9.testnet #76 — Changes Dockerfile tarball target to a testnet artifact, same area of edits.
• feat: cronos_1.5.0-testnet #83 — Modifies Dockerfile download/extract flow for Cronos tarballs; related to artifact handling in build.

Suggested reviewers

• agrevtsev

Poem

🐰
From tarball path to Dockerfile tune,
I hopped and fetched v1.5.3 in June.
A swap so small, the build's new song—
Testnet beats now hum along.
Hop to it, containers move along! 🥕

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'feat: INFRA-6244 Fix image source' is vague and does not clearly convey the specific change being made. While it mentions fixing the image source, it lacks detail about what the actual change is (e.g., that it switches from mainnet to testnet tarball).	Clarify the title to be more specific, such as 'feat: Switch Cronos Docker image from mainnet to testnet tarball' or 'feat: Update Docker image to use testnet v1.5.3 tarball'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a79a45c and a545131.

📒 Files selected for processing (1)

• Dockerfile (1 hunks)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7a7b965 and a79a45c.

📒 Files selected for processing (1)

• Dockerfile (1 hunks)

🧰 Additional context used

🪛 Checkov (3.2.334)

Dockerfile

[high] 11-12: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: guardrails/scan

🔇 Additional comments (1)

Dockerfile (1)

11-12: Tarball filename verified as correct and consistent.

The artifact cronos_1.5.3-testnet_Linux_x86_64.tar.gz is confirmed as a valid release asset for Cronos v1.5.3-testnet. The filename is used consistently across the wget download, tar extraction, and rm removal commands in the Dockerfile with no mismatches or typos. No changes required.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Remove --no-check-certificate to enforce SSL/TLS validation.

Disabling certificate validation creates a security risk by making the download vulnerable to man-in-the-middle attacks. This is a critical security posture gap that should be remediated.

Apply this diff to enforce certificate validation:

- RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.3/cronos_1.5.3-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3-testnet_Linux_x86_64.tar.gz \
-      && rm cronos_1.5.3-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/
+ RUN cd /tmp && wget https://github.com/crypto-org-chain/cronos/releases/download/v1.5.3/cronos_1.5.3-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3-testnet_Linux_x86_64.tar.gz \
+      && rm cronos_1.5.3-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/

If certificate validation fails due to missing CA certificates in the base image, consider installing ca-certificates instead of disabling validation:

  # Install dependencies
- RUN apt-get update -y && apt-get install wget curl procps net-tools jq lz4 -y
+ RUN apt-get update -y && apt-get install wget curl procps net-tools jq lz4 ca-certificates -y

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.3/cronos_1.5.3-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3-testnet_Linux_x86_64.tar.gz \
	&& rm cronos_1.5.3-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/
	RUN cd /tmp && wget https://github.com/crypto-org-chain/cronos/releases/download/v1.5.3/cronos_1.5.3-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3-testnet_Linux_x86_64.tar.gz \
	&& rm cronos_1.5.3-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/

🧰 Tools

🪛 Checkov (3.2.334)

[high] 11-12: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

🤖 Prompt for AI Agents

In Dockerfile around lines 11-12, the wget call uses --no-check-certificate
which disables TLS validation; remove that flag and ensure the image has
up-to-date CA roots by adding installation of ca-certificates (and update
package lists) earlier in the Dockerfile so wget can validate the server
certificate; keep the rest of the download/tar/move steps unchanged.