8 changes: 8 additions & 0 deletions devops/base-image/Dockerfile
@@ -9,6 +9,11 @@ FROM python:3.11-slim AS dependencies
ENV PIP_DISABLE_PIP_VERSION_CHECK=1 \
PIP_NO_PYTHON_VERSION_WARNING=1

# Rust toolchain (1.7x)
ENV RUSTUP_HOME=/usr/local/rustup \
CARGO_HOME=/usr/local/cargo \
PATH=/usr/local/cargo/bin:$PATH
Comment on lines +12 to +15

Copilot AI Feb 6, 2026

The PR title/description references GCE git branches and workspace export, but this diff only adds a Rust toolchain to the base image. Please align the PR metadata with the actual change (or include the missing commits) so reviewers can accurately assess scope and impact.


Copilot AI Feb 6, 2026


In ENV PATH=/usr/local/cargo/bin:$PATH, consider using ${PATH} (and quoting if your style requires) to avoid any ambiguity around variable expansion and to match common Dockerfile patterns for PATH appends.

Suggested change:
- PATH=/usr/local/cargo/bin:$PATH
+ PATH=/usr/local/cargo/bin:${PATH}


# 只安裝 runtime 必要的系統套件與工具鏈
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
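Review bot: the `# Rust toolchain (1.7x)` comment on the first added line is looser than the install step further down this file, which pins `--default-toolchain 1.74.1`; state the exact version here (or leave the number out) so the comment and the pin cannot drift apart on the next bump. Also, these ENV lines live in the `dependencies` stage (`FROM python:3.11-slim AS dependencies`): any later stage that does not start `FROM dependencies` will not inherit `RUSTUP_HOME`, `CARGO_HOME` or the `/usr/local/cargo/bin` PATH entry, so either repeat them there or confirm the runtime stage derives from this one.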
@@ -31,6 +36,9 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
postgresql-client \
nodejs \
npm \
&& curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain 1.74.1 \

Copilot AI Feb 6, 2026

rustup will try to modify shell profile files by default; in container images this can leave unnecessary dotfiles in the image and is not used by the non-interactive runtime. Consider adding the installer option to prevent PATH/profile modification since PATH is already being set via ENV.

Suggested change:
- && curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain 1.74.1 \
+ && curl -fsSL https://sh.rustup.rs | sh -s -- -y --no-modify-path --profile minimal --default-toolchain 1.74.1 \


Copilot AI Feb 6, 2026

The command curl -fsSL https://sh.rustup.rs | sh -s -- -y --profile minimal --default-toolchain 1.74.1 downloads and executes a remote script as root without any integrity or authenticity verification. If the rustup distribution endpoint, DNS, or TLS channel is compromised, an attacker can inject arbitrary commands into your build, resulting in a backdoored base image. Consider installing Rust from a pinned, signed package or downloading a specific rustup-init artifact and verifying its checksum/signature before execution instead of using a curl | sh pipeline.

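A verified alternative to the `curl | sh` line discussed in the comment above, as an added example that is not part of the PR or the project's Dockerfile: the rustup-init release (1.27.1), the target triple, the `static.rust-lang.org/rustup/archive` URL layout and the digest placeholder are assumptions, while `--profile minimal` and the `1.74.1` toolchain come from the diff.

```shell
#!/bin/sh
# Added example, not code from the PR: fetch a specific rustup-init release,
# check it against a digest pinned in the build context, and only then run it
# with the PR's options plus --no-modify-path. Meant for a Dockerfile RUN step
# placed after the ENV RUSTUP_HOME/CARGO_HOME/PATH lines in the diff.
# Assumed, not from the PR: rustup-init 1.27.1, x86_64-unknown-linux-gnu, and
# the RUSTUP_INIT_SHA256 placeholder, which you replace with the digest you
# recorded out of band. 1.74.1 is the toolchain the PR itself pins.
set -eu

RUSTUP_VERSION="${RUSTUP_VERSION:-1.27.1}"
RUST_TARGET="${RUST_TARGET:-x86_64-unknown-linux-gnu}"
TOOLCHAIN="${TOOLCHAIN:-1.74.1}"
# Placeholder value; the build must fail until a real pinned digest replaces it.
RUSTUP_INIT_SHA256="${RUSTUP_INIT_SHA256:-<pinned-sha256-of-rustup-init>}"

# verify_sha256 FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
# Pinning the digest in the repo (not fetching it from the same host as the
# binary) is what makes a tampered or truncated download fail the build.
verify_sha256() {
    actual="$(sha256sum "$1" | cut -d' ' -f1)"
    [ "$actual" = "$2" ]
}

# install_rustup: download to a file first so a partial transfer is never
# partially executed, which `curl | sh` cannot guarantee, then verify and run.
install_rustup() {
    url="https://static.rust-lang.org/rustup/archive/${RUSTUP_VERSION}/${RUST_TARGET}/rustup-init"
    tmp="$(mktemp)"
    curl -fsSL --retry 3 -o "$tmp" "$url"
    if ! verify_sha256 "$tmp" "$RUSTUP_INIT_SHA256"; then
        echo "rustup-init digest mismatch for $url; refusing to execute" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 0755 "$tmp"
    "$tmp" -y --no-modify-path --profile minimal --default-toolchain "$TOOLCHAIN"
    rm -f "$tmp"
    # Confirm the pinned toolchain is the one on PATH, not just that rustc runs.
    rustc --version | grep -F "$TOOLCHAIN"
}

# Only install when invoked explicitly (e.g. RUN /install-rust.sh --install).
if [ "${1:-}" = "--install" ]; then
    install_rustup
fi
```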
&& rustc --version \
&& cargo --version \
&& rm -rf /var/lib/apt/lists/*

# 先複製 requirements.txt(這層變動頻率低,cache 命中率高)
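Review bot: the `curl -fsSL https://sh.rustup.rs | sh -s -- ...` line executes whatever the endpoint returns, and because a Dockerfile RUN step runs under `/bin/sh -c` without `pipefail`, the step's exit status is that of `sh`, not of `curl`, so a transfer cut mid-stream can execute a truncated script and still pass. Download `rustup-init` to a file, compare it against a digest pinned in the repository, and only then execute it, adding `--no-modify-path` since PATH is already set by ENV above. Two smaller points on the same hunk: `--default-toolchain 1.74.1` pins a release from late 2023, so given the Feb 2026 review date confirm this is the version the project actually targets rather than a stale default; and `rustc --version` / `cargo --version` only prove the binaries run, so have the check compare their output against the pinned version to catch a silently different toolchain.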