Skip to content

CI fix for ubuntu runner #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dragosv wants to merge 1 commit into
base: main
Choose a base branch
from
Open

CI fix for ubuntu runner #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,12 @@ jobs:
steps:
- uses: actions/checkout@v6

- name: Enable io_uring (Linux)
if: runner.os == 'Linux'
run: |
sudo sysctl -w kernel.io_uring_disabled=0 || true
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
Comment on lines +24 to +26
Copy link
Contributor

@coderabbitai coderabbitai bot Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Avoid fail-open kernel setup in CI.

Line 25 and Line 26 swallow failures with || true, so CI can proceed in a misconfigured state and fail later in harder-to-diagnose ways.

Suggested fix 
       - name: Enable io_uring (Linux)
         if: runner.os == 'Linux'
         run: |
-          sudo sysctl -w kernel.io_uring_disabled=0 || true
-          sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
+          set -euo pipefail
+          sudo sysctl -w kernel.io_uring_disabled=0
+          if [ -f /proc/sys/kernel/apparmor_restrict_unprivileged_userns ]; then
+            sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
+          fi
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
run: |
sudo sysctl -w kernel.io_uring_disabled=0 || true
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0 || true
run: |
set -euo pipefail
sudo sysctl -w kernel.io_uring_disabled=0
if [ -f /proc/sys/kernel/apparmor_restrict_unprivileged_userns ]; then
sudo sysctl -w kernel.apparmor_restrict_unprivileged_userns=0
fi
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 24 - 26, The CI workflow currently
swallows sysctl failures by appending "|| true" to the kernel setup commands
(the lines running "sudo sysctl -w kernel.io_uring_disabled=0" and "sudo sysctl
-w kernel.apparmor_restrict_unprivileged_userns=0"), which can hide
misconfiguration; remove the "|| true" and instead let the step fail (or
explicitly check and exit non‑zero with a clear error message) so CI fails fast
on misconfigured kernels rather than proceeding in a bad state.


- uses: mlugg/setup-zig@v2
with:
version: 0.15.2
Expand Down
9 changes: 9 additions & 0 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
FROM ubuntu:24.04
RUN apt-get update && apt-get install -y curl xz-utils
RUN curl -O https://ziglang.org/download/0.15.2/zig-aarch64-linux-0.15.2.tar.xz && \
tar xf zig-aarch64-linux-0.15.2.tar.xz && \
Comment on lines +3 to +4
Copy link
Contributor

@coderabbitai coderabbitai bot Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

git ls-files | grep -i dockerfile | head -20

Repository: dragosv/testcontainers-zig

Length of output: 80

🌐 Web query:

Zig 0.15.2 official checksums download aarch64 linux

💡 Result:

Zig 0.15.2 for Linux aarch64 is published as:

  • zig-aarch64-linux-0.15.2.tar.xz
  • signature: zig-aarch64-linux-0.15.2.tar.xz.minisig (same directory)
  • ZSF minisign public key (from the official download page):
    RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U [1]

Zig’s official download pages emphasize verifying the .minisig signature (not a published SHA256 list) using that public key. [2]

Verify on Linux:

minisign -Vm zig-aarch64-linux-0.15.2.tar.xz \
  -P RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U

(minisign -Vm ... -P <pubkey> is the standard verification form.) [3]

Sources: [1] Zig download page, [2] Zig community mirrors security notice, [3] minisign README/usage.

🏁 Script executed:

cat -n Dockerfile

Repository: dragosv/testcontainers-zig

Length of output: 509

Verify Zig tarball integrity before extraction.

The downloaded archive is extracted without signature verification, creating a supply-chain risk. Zig provides minisig signatures alongside releases; use the official verification method instead of SHA256.

Suggested fix 
-RUN apt-get update && apt-get install -y curl xz-utils
+RUN apt-get update && apt-get install -y curl xz-utils minisign
-RUN curl -O https://ziglang.org/download/0.15.2/zig-aarch64-linux-0.15.2.tar.xz && \
+RUN curl -fsSLO "https://ziglang.org/download/0.15.2/zig-aarch64-linux-0.15.2.tar.xz" && \
+    curl -fsSLO "https://ziglang.org/download/0.15.2/zig-aarch64-linux-0.15.2.tar.xz.minisig" && \
+    minisign -Vm zig-aarch64-linux-0.15.2.tar.xz -P RWSGOq2NVecA2UPNdBUZykf1CCb147pkmdtYxgb3Ti+JO/wCYvhbAb/U && \
     tar xf zig-aarch64-linux-0.15.2.tar.xz && \
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 3 - 4, The Dockerfile currently downloads and
directly extracts the Zig tarball (the RUN line that fetches
zig-aarch64-linux-0.15.2.tar.xz and then tar xf), which is unsafe; change the
RUN step to also download the corresponding .minisig signature file
(zig-aarch64-linux-0.15.2.tar.xz.minisig), install or include the minisign
verifier, import the Zig minisign public key, run minisign -Vm against the
downloaded tarball using the .minisig and the known Zig public key, and only
proceed to tar xf if verification succeeds (exit non-zero on failure) so
extraction happens only after signature verification.

mv zig-aarch64-linux-0.15.2 /opt/zig && \
ln -s /opt/zig/zig /usr/local/bin/zig
Comment on lines +3 to +6
Copy link
Contributor

@coderabbitai coderabbitai bot Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat Dockerfile

Repository: dragosv/testcontainers-zig

Length of output: 446

🏁 Script executed:

# Verify if Zig download integrity checks exist elsewhere in the repo
find . -name "*.sha256" -o -name "*.sig" 2>/dev/null | head -20
git ls-files | grep -i "checksum\|hash\|integrity" | head -20

Repository: dragosv/testcontainers-zig

Length of output: 52

Use architecture-aware Zig artifact selection.

The Dockerfile hardcodes the aarch64 tarball. On amd64 builds, this fails at runtime with format errors. Use Docker's TARGETARCH variable to select the correct artifact.

Suggested fix 
 FROM ubuntu:24.04
+ARG ZIG_VERSION=0.15.2
+ARG TARGETARCH=amd64
 RUN apt-get update && apt-get install -y curl xz-utils
-RUN curl -O https://ziglang.org/download/0.15.2/zig-aarch64-linux-0.15.2.tar.xz && \
-    tar xf zig-aarch64-linux-0.15.2.tar.xz && \
-    mv zig-aarch64-linux-0.15.2 /opt/zig && \
+RUN case "${TARGETARCH}" in \
+      amd64) ZIG_ARCH=x86_64 ;; \
+      arm64) ZIG_ARCH=aarch64 ;; \
+      *) echo "Unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;; \
+    esac && \
+    curl -fsSLO "https://ziglang.org/download/${ZIG_VERSION}/zig-${ZIG_ARCH}-linux-${ZIG_VERSION}.tar.xz" && \
+    tar xf "zig-${ZIG_ARCH}-linux-${ZIG_VERSION}.tar.xz" && \
+    mv "zig-${ZIG_ARCH}-linux-${ZIG_VERSION}" /opt/zig && \
     ln -s /opt/zig/zig /usr/local/bin/zig
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 3 - 6, The RUN step currently hardcodes the aarch64
Zig tarball causing failures on amd64; update the RUN command that downloads and
installs Zig (the line using curl, tar, mv to /opt/zig and ln -s /opt/zig/zig
/usr/local/bin/zig) to choose the correct archive using Docker's TARGETARCH
variable (e.g., build the filename or URL with ${TARGETARCH} mapped to zig's
naming convention) so the artifact matches the build architecture before
extracting and symlinking.

WORKDIR /app
COPY . .
CMD ["zig", "build", "integration-test", "--summary", "all"]
Comment on lines +1 to +9
Copy link
Contributor

@coderabbitai coderabbitai bot Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Run the container as a non-root user.

No USER is set, so tests run as root by default.

Suggested fix 
 WORKDIR /app
 COPY . .
+RUN useradd --create-home --uid 10001 appuser && chown -R appuser:appuser /app
+USER appuser
 CMD ["zig", "build", "integration-test", "--summary", "all"]
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
FROM ubuntu:24.04
RUN apt-get update && apt-get install -y curl xz-utils
RUN curl -O https://ziglang.org/download/0.15.2/zig-aarch64-linux-0.15.2.tar.xz && \
tar xf zig-aarch64-linux-0.15.2.tar.xz && \
mv zig-aarch64-linux-0.15.2 /opt/zig && \
ln -s /opt/zig/zig /usr/local/bin/zig
WORKDIR /app
COPY . .
CMD ["zig", "build", "integration-test", "--summary", "all"]
FROM ubuntu:24.04
RUN apt-get update && apt-get install -y curl xz-utils
RUN curl -O https://ziglang.org/download/0.15.2/zig-aarch64-linux-0.15.2.tar.xz && \
tar xf zig-aarch64-linux-0.15.2.tar.xz && \
mv zig-aarch64-linux-0.15.2 /opt/zig && \
ln -s /opt/zig/zig /usr/local/bin/zig
WORKDIR /app
COPY . .
RUN useradd --create-home --uid 10001 appuser && chown -R appuser:appuser /app
USER appuser
CMD ["zig", "build", "integration-test", "--summary", "all"]
🧰 Tools
🪛 Trivy (0.69.1)

[error] 1-1: Image user should not be 'root'

Specify at least 1 USER command in Dockerfile with non-root user as argument

Rule: DS-0002

Learn more

(IaC/Dockerfile)

[error] 2-2: 'apt-get' missing '--no-install-recommends'

'--no-install-recommends' flag is missed: 'apt-get update && apt-get install -y curl xz-utils'

Rule: DS-0029

Learn more

(IaC/Dockerfile)

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@Dockerfile` around lines 1 - 9, The Dockerfile currently runs as root; create
a non-root user and switch to it before CMD: add steps to create a user/group
(e.g., "app" or "ziguser"), chown the WORKDIR (/app) and any required installed
binaries (/opt/zig and /usr/local/bin/zig) to that user, and add a USER
directive so the container runs the zig build command as the non-root user;
update references in the Dockerfile around WORKDIR, the installation steps for
/opt/zig, and the final CMD to ensure correct ownership and permissions.

Loading