@Spich3000 Spich3000 commented Nov 27, 2025

Cronos mainnet image upgrade v1.5.4
INFRA-6296 Cronos v1.5.4 Upgrades across clusters

Summary by CodeRabbit

  • Chores
    • Updated build configuration for Linux x86_64 distribution.

Signed-off-by: Dmitrii Spichakov <[email protected]>

coderabbitai bot commented Nov 27, 2025

Walkthrough

The Dockerfile has been updated to change the Cronos tarball filename from cronos_1.5.4-testnet_Linux_x86_64.tar.gz to cronos_1.5.4_Linux_x86_64.tar.gz, with corresponding updates to the download URL and all related extraction and cleanup operations.

Changes

Cohort / File(s) | Summary
Dockerfile version update (Dockerfile) | Updated Cronos tarball filename from testnet release to production release version (cronos_1.5.4-testnet → cronos_1.5.4), including download URL, extraction, and cleanup commands

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

  • Simple filename and URL substitution with no logic changes
  • Verify the new URL is accessible and the tarball name matches the actual release artifact

Suggested reviewers

  • agrevtsev
  • naviat

Poem

🐰 A tarball renamed, testnet trimmed away,
From "1.5.4-testnet" to "1.5.4"—a cleaner day!
Download, extract, cleanup—all in line,
The Dockerfile now pulls the production fine! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title directly reflects the main change: upgrading the Cronos mainnet image to v1.5.4 in the Dockerfile, with the tarball URL and filename update being the primary modification.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 906dced and 1536341.

📒 Files selected for processing (1)
  • Dockerfile (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
Dockerfile

[high] 11-12: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: guardrails/scan
🔇 Additional comments (1)
Dockerfile (1)

11-12: GitHub release URL and tarball filename are correct.

The release v1.5.4 exists and the tarball cronos_1.5.4_Linux_x86_64.tar.gz is present in the release assets. The URL resolves with HTTP 302 (expected redirect behavior for GitHub asset downloads).

However, verify the tarball extraction structure to ensure mv ./* /home/cronos/ captures all intended files. Download and inspect the tarball locally or consult the cronos repository documentation to confirm whether it extracts files directly to the current directory or to an intermediate subdirectory (e.g., cronos/). If it extracts to a subdirectory, the wildcard move may not work as intended.

Comment on lines +11 to +12
RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.4/cronos_1.5.4_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.4_Linux_x86_64.tar.gz \
&& rm cronos_1.5.4_Linux_x86_64.tar.gz && mv ./* /home/cronos/
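
Review bot: Nothing on line 11 checks the tarball's integrity between `wget` and `tar -xvf`, and with `--no-check-certificate` the TLS layer does not authenticate the download either, so whatever bytes arrive are unpacked into the image. Pin the SHA-256 of `cronos_1.5.4_Linux_x86_64.tar.gz` in the Dockerfile and verify it before extraction, for example `echo "<PINNED_SHA256>  cronos_1.5.4_Linux_x86_64.tar.gz" | sha256sum -c -`, where the digest is a placeholder to be filled in from the release.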

⚠️ Potential issue | 🟠 Major

Remove insecure --no-check-certificate flag from wget.

Disabling certificate validation with --no-check-certificate creates a security vulnerability to man-in-the-middle attacks during the tarball download. Debian bullseye-slim includes up-to-date CA certificates by default.

Apply this diff to remove the insecure flag:

-RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.4/cronos_1.5.4_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.4_Linux_x86_64.tar.gz \
+RUN cd /tmp && wget https://github.com/crypto-org-chain/cronos/releases/download/v1.5.4/cronos_1.5.4_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.4_Linux_x86_64.tar.gz \
      && rm cronos_1.5.4_Linux_x86_64.tar.gz && mv ./* /home/cronos/
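
Review bot: The unchanged last line still runs `mv ./* /home/cronos/` from `/tmp`, so the glob moves everything that happens to be in `/tmp` at build time, not only what the tarball unpacked, and it skips dotfiles. Extract into an empty, dedicated directory (`tar -xf ... -C <workdir>`) and move from there, which also makes the result independent of whether the archive has a top-level folder.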

If certificate validation fails, the root cause should be investigated and fixed separately.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.4/cronos_1.5.4_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.4_Linux_x86_64.tar.gz \
&& rm cronos_1.5.4_Linux_x86_64.tar.gz && mv ./* /home/cronos/
RUN cd /tmp && wget https://github.com/crypto-org-chain/cronos/releases/download/v1.5.4/cronos_1.5.4_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.4_Linux_x86_64.tar.gz \
&& rm cronos_1.5.4_Linux_x86_64.tar.gz && mv ./* /home/cronos/
🤖 Prompt for AI Agents
In Dockerfile around lines 11-12, remove the insecure --no-check-certificate
flag from the wget invocation and download the release tarball using normal
certificate-validated HTTPS; ensure the image has ca-certificates installed
(apt-get update && apt-get install -y ca-certificates) before running wget so
TLS validation succeeds, and keep the existing tar, rm and mv steps; if TLS
still fails, investigate/fix the root cause (DNS, proxy, or missing CA) rather
than disabling certificate checks.
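
The review above asks for a certificate-validated download. As an added example (not code from this PR or from the Cronos project), the sketch below shows the step that goes with it: verifying the tarball against a pinned SHA-256 and checking member paths before extracting into a dedicated directory. The function names, the sample archive and its `bin/node-binary` member are constructed for illustration; in a real Dockerfile the pinned digest would come from the release.

```shell
#!/bin/sh
# Added example: verify a release tarball before it is unpacked into an image.
# In a Dockerfile this would follow a plain `wget <url>` (no --no-check-certificate).

# verify_and_extract TARBALL EXPECTED_SHA256 DEST
# Extracts into DEST only if the digest matches and no member path is
# absolute or climbs out of DEST with "..". Returns non-zero otherwise.
verify_and_extract() {
    tarball=$1; expected=$2; dest=$3

    # 1. Integrity: compare the file's digest with the pinned value.
    actual=$(sha256sum "$tarball" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $tarball" >&2
        return 1
    fi

    # 2. Member paths: refuse absolute paths and parent-directory hops.
    if tar -tf "$tarball" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in $tarball" >&2
        return 2
    fi

    # 3. Extract into a dedicated directory instead of a shared /tmp.
    mkdir -p "$dest" && tar -xf "$tarball" -C "$dest"
}

# Builds a small constructed archive so the example runs offline.
# Prints the working directory that contains sample.tar.gz.
make_sample() {
    sample_dir=$(mktemp -d)
    mkdir -p "$sample_dir/src/bin"
    echo 'constructed placeholder binary' > "$sample_dir/src/bin/node-binary"
    tar -czf "$sample_dir/sample.tar.gz" -C "$sample_dir/src" bin
    echo "$sample_dir"
}

# Demo run on the constructed archive.
demo_dir=$(make_sample)
# Here the "pinned" digest is computed locally; in practice it is a constant
# copied from the release and committed next to the download URL.
pinned=$(sha256sum "$demo_dir/sample.tar.gz" | awk '{print $1}')
verify_and_extract "$demo_dir/sample.tar.gz" "$pinned" "$demo_dir/out" \
    && echo "verified and extracted into $demo_dir/out"
rm -rf "$demo_dir"
```
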

@Spich3000 Spich3000 merged commit b15f15c into master Nov 27, 2025
3 checks passed