fix(gateway): require sandbox image at startup #41

Closed
jwilger wants to merge 2 commits from issue-10-mandatory-sandbox into main
Owner

Summary

  • require AR_SANDBOX_IMAGE during gateway startup and remove production direct-sandbox fallback
  • fail fast when neither podman nor docker is available, with blank runtime overrides treated as unset
  • document mandatory sandboxing and add a Forgejo workflow to publish versioned sandbox images

Verification

  • cargo test -p ar-gateway sandbox_ -- --nocapture
  • cargo fmt --all -- --check
  • cargo clippy --workspace --all-targets -- -D warnings
  • cargo nextest run -p ar-gateway

Closes #10
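The startup behaviour the summary describes, as an added example in Rust that is not ar-gateway's own code: refuse to start when `AR_SANDBOX_IMAGE` is unset or blank (no direct-sandbox fallback), treat a blank runtime override exactly like an unset one, prefer `podman` over `docker`, and fail fast with an error that names what was tried when neither is present. The override variable name `AR_SANDBOX_RUNTIME`, the types and the function names are assumptions; the real crate's API is not shown on this page. The lookup is injected so the selection logic can be exercised without touching the real PATH.

```rust
// Added example (not ar-gateway's own code). AR_SANDBOX_RUNTIME, the
// error type and the function names are assumptions made for illustration.
use std::collections::HashMap;
use std::fmt;
use std::path::PathBuf;

#[derive(Debug, PartialEq, Eq)]
pub enum SandboxConfigError {
    /// AR_SANDBOX_IMAGE unset or blank: there is no host-execution fallback.
    MissingImage,
    /// An explicit runtime override named a binary that is not on PATH.
    OverrideNotFound(String),
    /// Neither candidate runtime was found; `tried` lists them in preference order.
    NoRuntime { tried: Vec<String> },
}

impl fmt::Display for SandboxConfigError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            Self::MissingImage => write!(
                f,
                "AR_SANDBOX_IMAGE must be set; refusing to start without a sandbox image"
            ),
            Self::OverrideNotFound(name) => {
                write!(f, "runtime override {name:?} not found on PATH")
            }
            Self::NoRuntime { tried } => {
                write!(f, "no OCI runtime found on PATH (tried: {})", tried.join(", "))
            }
        }
    }
}

#[derive(Debug, PartialEq, Eq)]
pub struct SandboxConfig {
    pub image: String,
    pub runtime: PathBuf,
}

/// Blank or whitespace-only values are treated exactly like unset ones.
fn non_blank(value: Option<&str>) -> Option<String> {
    value.map(str::trim).filter(|s| !s.is_empty()).map(str::to_owned)
}

/// Resolve the sandbox image and OCI runtime from an environment map.
/// `lookup` maps a binary name to its path (None when absent).
pub fn resolve_sandbox<F>(
    env: &HashMap<String, String>,
    lookup: F,
) -> Result<SandboxConfig, SandboxConfigError>
where
    F: Fn(&str) -> Option<PathBuf>,
{
    // Fail closed first: no image, no start, whatever runtimes exist.
    let image = non_blank(env.get("AR_SANDBOX_IMAGE").map(String::as_str))
        .ok_or(SandboxConfigError::MissingImage)?;

    // A blank override is the same as no override.
    let override_name = non_blank(env.get("AR_SANDBOX_RUNTIME").map(String::as_str));
    let runtime = match override_name {
        Some(name) => lookup(&name).ok_or(SandboxConfigError::OverrideNotFound(name))?,
        None => {
            let candidates = ["podman", "docker"]; // preference order
            candidates
                .iter()
                .copied()
                .find_map(|name| lookup(name))
                .ok_or_else(|| SandboxConfigError::NoRuntime {
                    tried: candidates.iter().map(|s| s.to_string()).collect(),
                })?
        }
    };

    Ok(SandboxConfig { image, runtime })
}

/// Real PATH lookup for stand-alone use: first directory holding `name` as a file.
pub fn find_on_path(name: &str) -> Option<PathBuf> {
    let path = std::env::var_os("PATH")?;
    std::env::split_paths(&path)
        .map(|dir| dir.join(name))
        .find(|candidate| candidate.is_file())
}

/// Lookup over a fixed set of binary names (for tests and dry runs).
pub fn fixed_lookup(present: &[&str]) -> impl Fn(&str) -> Option<PathBuf> {
    let present: Vec<String> = present.iter().map(|s| s.to_string()).collect();
    move |name: &str| {
        present
            .iter()
            .any(|p| p.as_str() == name)
            .then(|| PathBuf::from("/usr/bin").join(name))
    }
}

fn main() {
    let env: HashMap<String, String> = std::env::vars().collect();
    match resolve_sandbox(&env, find_on_path) {
        Ok(cfg) => println!("sandbox image {} via {}", cfg.image, cfg.runtime.display()),
        Err(err) => {
            eprintln!("fatal: {err}");
            std::process::exit(2);
        }
    }
}
```

The order of the checks matters: the image check runs before any runtime probing, so an operator who forgot to set the image gets that error even on a host with no container runtime, and a `NoRuntime` error can only mean the runtime really is the missing piece.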

fix(gateway): require sandbox image at startup
All checks were successful
CI / Nix flake check (pull_request) Successful in 1m46s
auto_review auto_review: no findings
8ee4cc99a9
auto-review left a comment

This PR enforces the requirement for AR_SANDBOX_IMAGE during gateway startup, removing the fallback to direct host execution. It also introduces clear error messages when neither Podman nor Docker is available. The changes are well-documented across various files, ensuring users are informed of the new requirements. The PR appears safe to merge, with no critical issues identified.

Pre-merge checks

  • CHANGELOG updated — CHANGELOG.md is in the diff
  • Tests touched — source changed but no test file appears in the diff
  • No new TODO/FIXME comments — no new TODO/FIXME markers
Linters
  • gitleaks — ok, 7 findings
  • semgrep — ok, 0 findings
  • trivy — ok, 0 findings
  • osv-scanner — skipped: osv-scanner not found in sandbox image, 0 findings
  • ast-grep — ok, 0 findings
  • typos — ok, 25 findings
  • actionlint — failed: parse error in actionlint output: missing field Filepath at line 1 column 1005, 0 findings
  • prettier — ok, 0 findings
  • yamllint — ok, 2 findings
  • kubeconform — ok, 0 findings
  • ansible-lint — ok, 0 findings
fix(review): make pre-merge rejections actionable
All checks were successful
auto_review auto_review: 6 warnings
CI / Nix flake check (pull_request) Successful in 1m45s
b03aff245a
auto-review left a comment

This PR enforces the requirement of AR_SANDBOX_IMAGE during gateway startup, removing the fallback to direct-sandbox mode. It also introduces a Forgejo workflow for publishing sandbox images and updates documentation accordingly. The changes appear safe to merge, with minor improvements suggested for YAML and Dockerfile practices.

Walkthrough

  • Gateway Startup Changes

    • The gateway now requires AR_SANDBOX_IMAGE to be set, failing closed if not provided. This ensures that the sandbox image is always used, enhancing security by preventing direct execution on the host.
    • The selection logic for OCI runtimes now prefers podman over docker, with clear error messages if neither is available.
  • Documentation Updates

    • Updated various documentation files to reflect the new requirement for AR_SANDBOX_IMAGE and the removal of the direct-sandbox fallback.
    • Added a Forgejo workflow to automate the publishing of versioned sandbox images.
  • Dockerfile Improvements

    • Introduced version pinning for various tools installed in the sandbox Dockerfile to ensure consistent builds.
    • Suggested improvements for apt-get, pip, and npm commands to enhance build reliability and security.
  • Testing Enhancements

    • Added tests to ensure that the sandbox selection logic behaves as expected, particularly around the new requirement for AR_SANDBOX_IMAGE.
    • Improved pre-merge checks to provide clearer feedback when changes are requested due to failed checks.

Pre-merge checks

  • CHANGELOG updated — CHANGELOG.md is in the diff
  • Tests touched — source changed but no test file appears in the diff
  • No new TODO/FIXME comments — no new TODO/FIXME markers
Linters
  • gitleaks — ok, 7 findings
  • semgrep — ok, 0 findings
  • trivy — ok, 0 findings
  • osv-scanner — skipped: osv-scanner not found in sandbox image, 0 findings
  • ast-grep — ok, 0 findings
  • typos — ok, 25 findings
  • hadolint — ok, 6 findings
  • actionlint — failed: parse error in actionlint output: missing field Filepath at line 1 column 1005, 0 findings
  • prettier — ok, 0 findings
  • yamllint — ok, 2 findings
  • kubeconform — ok, 0 findings
  • ansible-lint — ok, 0 findings
@ -0,0 +1,42 @@
name: Sandbox image
Owner

🟡 Warning: Lines 1–42: Consider adding a document start marker --- at the beginning of the YAML file for better compatibility and readability.
Owner

🟡 Warning: Pin versions in apt-get install to ensure consistent builds. Specify the package version explicitly.
Owner

🟡 Warning: Pin versions in pip install to ensure consistent builds. Specify the package version explicitly or use a requirements file.
Owner

🟡 Warning: Avoid using cache directory with pip install to reduce image size. Use pip install --no-cache-dir.
@ -40,7 +44,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
# interpreters used by linters that ship as scripts
nodejs npm \
python3 python3-pip \
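Review bot: the `apt-get install` in this hunk adds `nodejs npm` and `python3 python3-pip` without version pins, so two builds of the sandbox image from the same Dockerfile can ship different interpreters, and with this PR the gateway will refuse to run anything outside that image, which makes its contents worth pinning. Use the `package=version` form for each package (for example `python3=<version> python3-pip=<version>`), or derive the versions from a base image referenced by digest, and keep the `--no-install-recommends` that is already on the `apt-get install` line.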
Owner

🟡 Warning: Pin versions in npm install to ensure consistent builds. Specify the package version explicitly.
Owner

🟡 Warning: Set the SHELL option -o pipefail before RUN with a pipe to ensure that the command fails if any part of the pipeline fails.
jwilger closed this pull request 2026-05-02 19:42:18 -07:00
Some checks are pending
auto_review auto_review: 6 warnings
Required
CI / Nix flake check (pull_request) Successful in 1m45s
CI / Request auto_review semantic review (pull_request)
Required
CI / Build (pull_request)
Required
CI / Clippy (pull_request)
Required
CI / Test (pull_request)
Required
CI / Dependency policy (pull_request)
Required
CI / Format check (pull_request)
Required
CI / Build PR artifacts (no token) (pull_request)
Required

Pull request closed

Reference
Slipstream/auto_review!41