.pr_agent_auto_best_practices
Pattern 1: When downloading or tagging external tooling/artifacts in CI/Docker/scripts, pin the intended version, validate integrity (e.g., checksum), and ensure the source/repository and resulting tags are correct and non-empty.
Example code before:
# Dockerfile / script
TOOL_VERSION="$(curl -s https://example.com/tool/latest)"
curl -LO "https://example.com/tool/${TOOL_VERSION}/tool"
docker tag myimg: "${TOOL_VERSION}-"
Example code after:
# Dockerfile / script
ARG TOOL_VERSION="v1.2.3"
TOOL_URL="https://example.com/tool/${TOOL_VERSION}/tool"
curl -LO "${TOOL_URL}" && curl -LO "${TOOL_URL}.sha256"
echo "$(cat tool.sha256) tool" | sha256sum --check
test -n "${TOOL_VERSION}"
docker tag myimg: "${TOOL_VERSION}"
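The pattern above in a runnable form. This is an added example, not code from this repository or from the pr-agent tool: the tool name, the pinned digest (SHA-256 of the string "abc"), the build date and the local "release directory" standing in for a download origin are all constructed so the script runs offline. It pins the version up front, verifies the fetched artifact against a digest recorded at pin time rather than trusting whatever the origin serves, and refuses to assemble an image tag from an empty component.

```shell
#!/bin/sh
# Added example (not from this repository): pin a tool version, verify the
# downloaded artifact against a digest recorded at pin time, and refuse to
# build an image tag from empty components. All names and values are constructed.
set -eu

# Pinned inputs. In a Dockerfile these would be ARG/ENV values; never resolve
# them at build time from a "latest" endpoint.
TOOL_VERSION="v1.2.3"
# Digest recorded when the version was pinned (constructed: SHA-256 of "abc").
TOOL_SHA256="ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
BUILD_DATE="20251025"

# Constructed "release server": a directory holding the pinned version's artifact.
# A real build would fetch from a pinned URL instead.
RELEASE_DIR="$(mktemp -d)"
mkdir -p "${RELEASE_DIR}/${TOOL_VERSION}"
printf 'abc' > "${RELEASE_DIR}/${TOOL_VERSION}/tool"

# Print the SHA-256 of a file using sha256sum (GNU/BusyBox) or shasum (BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_artifact FILE EXPECTED_SHA256: succeed only when the digests match.
# Comparing against a digest stored in the repository catches a tampered or
# swapped artifact; a .sha256 sidecar from the same origin only proves the
# transfer was not corrupted.
verify_artifact() {
  actual="$(sha256_of "$1")"
  if [ "$actual" != "$2" ]; then
    echo "checksum mismatch for $1: expected $2, got $actual" >&2
    return 1
  fi
}

# make_image_tag IMAGE VERSION BUILD_DATE: print "IMAGE:VERSION-BUILD_DATE",
# failing instead of emitting a malformed tag such as "myimg:-20251025".
make_image_tag() {
  for part in "$1" "$2" "$3"; do
    if [ -z "$part" ]; then
      echo "refusing to tag with an empty component: image='$1' version='$2' date='$3'" >&2
      return 1
    fi
  done
  printf '%s:%s-%s\n' "$1" "$2" "$3"
}

# fetch_tool VERSION DEST: stand-in for `curl -LO "${TOOL_URL}"`; copies from the
# constructed release directory so the example needs no network.
fetch_tool() {
  cp "${RELEASE_DIR}/${1}/tool" "$2"
}

# Build steps: fetch the pinned version, verify it, then derive the tag.
WORK_DIR="$(mktemp -d)"
fetch_tool "${TOOL_VERSION}" "${WORK_DIR}/tool"
verify_artifact "${WORK_DIR}/tool" "${TOOL_SHA256}"
IMAGE_TAG="$(make_image_tag myimg "${TOOL_VERSION}" "${BUILD_DATE}")"
echo "verified ${WORK_DIR}/tool; would now run: docker tag myimg ${IMAGE_TAG}"
rm -rf "${WORK_DIR}" "${RELEASE_DIR}"
```

Changing the pinned `TOOL_VERSION` without updating `TOOL_SHA256` makes `verify_artifact` fail, which is the intended behaviour: a version bump is a reviewed change that carries its new digest with it.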
Relevant past accepted suggestions:
Suggestion 1:
Fix malformed Docker image tags
Fix the malformed Docker image tags in the newly added chrome-for-testing_*.md files. The script output shows a failure to retrieve Chrome and ChromeDriver versions, which needs to be corrected.
CHANGELOG/4.38.0/chrome-for-testing_113.md [1-21]
./tag_and_push_browser_images.sh 4.38.0 20251025 selenium false chrome-for-testing true Tagging images for browser chrome-for-testing, version 4.38.0, build date 20251025, namespace selenium Selenium Grid version -> 4.38.0-20251025 -Chrome for Testing version -> -Short Chrome for Testing version -> . -ChromeDriver version -> -Short ChromeDriver version -> . -Tagged selenium/node-chrome-for-testing:-chromedriver--grid-4.38.0-20251025 -Tagged selenium/standalone-chrome-for-testing:-chromedriver--grid-4.38.0-20251025 -Tagged selenium/node-chrome-for-testing:-chromedriver--20251025 -Tagged selenium/standalone-chrome-for-testing:-chromedriver--20251025 -Tagged selenium/node-chrome-for-testing:-20251025 -Tagged selenium/standalone-chrome-for-testing:-20251025 -Tagged selenium/node-chrome-for-testing:.-chromedriver-.-grid-4.38.0-20251025 -Tagged selenium/standalone-chrome-for-testing:.-chromedriver-.-grid-4.38.0-20251025 -Tagged selenium/node-chrome-for-testing:.-chromedriver-.-20251025 -Tagged selenium/standalone-chrome-for-testing:.-chromedriver-.-20251025 -Tagged selenium/node-chrome-for-testing:.-20251025 -Tagged selenium/standalone-chrome-for-testing:.-20251025 +Chrome for Testing version -> 113.0.5672.63 +Short Chrome for Testing version -> 113 +ChromeDriver version -> 113.0.5672.63 +Short ChromeDriver version -> 113 +Tagged selenium/node-chrome-for-testing:113.0.5672.63-chromedriver-113.0.5672.63-grid-4.38.0-20251025 +Tagged selenium/standalone-chrome-for-testing:113.0.5672.63-chromedriver-113.0.5672.63-grid-4.38.0-20251025 +Tagged selenium/node-chrome-for-testing:113.0.5672.63-chromedriver-113.0.5672.63-20251025 +Tagged selenium/standalone-chrome-for-testing:113.0.5672.63-chromedriver-113.0.5672.63-20251025 +Tagged selenium/node-chrome-for-testing:113.0.5672.63-20251025 +Tagged selenium/standalone-chrome-for-testing:113.0.5672.63-20251025 +Tagged selenium/node-chrome-for-testing:113-chromedriver-113-grid-4.38.0-20251025 +Tagged 
selenium/standalone-chrome-for-testing:113-chromedriver-113-grid-4.38.0-20251025 +Tagged selenium/node-chrome-for-testing:113-chromedriver-113-20251025 +Tagged selenium/standalone-chrome-for-testing:113-chromedriver-113-20251025 +Tagged selenium/node-chrome-for-testing:113-20251025 +Tagged selenium/standalone-chrome-for-testing:113-20251025
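Review bot: the change rewrites the recorded output in CHANGELOG/4.38.0/chrome-for-testing_113.md, but the removed lines show the actual defect: tag_and_push_browser_images.sh resolved empty Chrome and ChromeDriver versions and still tagged images such as `selenium/node-chrome-for-testing:-chromedriver--grid-4.38.0-20251025`. The script should abort when either version resolves to an empty string (a `test -n` guard before the first `docker tag`); otherwise the malformed tags can recur on the next build while only the changelog looks correct.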
Suggestion 2:
Pin version and add checksum validation
Pin the kubectl version and add checksum validation during download to improve security and ensure reproducible builds.
+ARG KUBECTL_VERSION=v1.30.3
RUN apt-get update && apt-get install -y curl && \
- curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/$(dpkg --print-architecture)/kubectl" && \
+ KUBECTL_URL="https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/$(dpkg --print-architecture)/kubectl" && \
+ curl -LO "${KUBECTL_URL}" && \
+ curl -LO "${KUBECTL_URL}.sha256" && \
+ echo "$(cat kubectl.sha256) kubectl" | sha256sum --check && \
chmod +x kubectl && \
mv kubectl /usr/local/bin/ && \
+ rm kubectl.sha256 && \
apt-get clean && rm -rf /var/lib/apt/lists/*
Suggestion 3:
Fix incorrect repository URL
The CRI-Dockerd version is being fetched from the wrong repository. It should fetch from the Mirantis/cri-dockerd repository instead of kubernetes-sigs/cri-tools.
tests/charts/make/chart_setup_env.sh [113]
-CRI_DOCKERD_VERSION="$(curl -s -L -o /dev/null -w '%{url_effective}\n' https://github.com/kubernetes-sigs/cri-tools/releases/latest | sed -E 's#.*/tag/(v[0-9.]+).*#\1#')"
+CRI_DOCKERD_VERSION="$(curl -s -L -o /dev/null -w '%{url_effective}\n' https://github.com/Mirantis/cri-dockerd/releases/latest | sed -E 's#.*/tag/(v[0-9.]+).*#\1#')"
Suggestion 4:
Verify Firefox ARM64 compatibility
The condition allows installing the latest Firefox version on ARM64 without verifying whether Firefox actually supports ARM64 for that version. Add an explicit version check for ARM64 compatibility.
-if [ "$(dpkg --print-architecture)" = "amd64" ] || [ $FIREFOX_VERSION = "latest" ]; then \
+if [ "$(dpkg --print-architecture)" = "amd64" ] || ([ $FIREFOX_VERSION = "latest" ] && firefox --version >/dev/null 2>&1); then \
Pattern 2: In shell/Dockerfile code, write robust command and variable handling by chaining commands correctly (e.g., with &&), using proper variable interpolation (${VAR}), and quoting variable expansions/command substitutions to avoid word-splitting and globbing.
Example code before:
RUN apt-get update \
&& apt-get install -y ca-certificates \
rm -rf /var/lib/apt/lists/* \
echo "done"
ALIAS="$PREFIX_$(basename $file)"
Example code after:
RUN apt-get update \
&& apt-get install -y ca-certificates \
&& rm -rf /var/lib/apt/lists/* \
&& echo "done"
ALIAS="${PREFIX}_$(basename "$file")"
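The two pitfalls above, run side by side with their robust forms. This is an added example, not code from add-cert-helper.sh or any other file in this repository; the `step` function, the prefix and the certificate paths are constructed inputs. It shows what the missing `&&` and the unquoted `$PREFIX_$(basename $file)` actually produce, which is usually a silently wrong value rather than an error.

```shell
#!/bin/sh
# Added example (not from charts/selenium-grid/certs/add-cert-helper.sh):
# demonstrates the chaining and quoting pitfalls with constructed inputs,
# next to the correct form of each. Only `set -e` is enabled so that the
# buggy variants can run to completion and show their wrong output.
set -e

# step NAME...: stand-in for a real build step; prints the arguments it received.
step() { printf '%s\n' "$*"; }

# Broken chaining: without `&&` the backslashes only continue the first
# command, so "step cleanup" and "step done" become extra arguments of the
# first step instead of separate commands.
chain_broken() {
  step install ca-certificates \
    step cleanup \
    step done
}

# Correct chaining: three commands, each run only if the previous succeeded.
chain_fixed() {
  step install ca-certificates \
    && step cleanup \
    && step done
}

# Buggy alias construction from the "before" example:
#  - "$prefix_" is parsed as the variable named prefix_ (unset, so empty),
#    not as "$prefix" followed by "_";
#  - the unquoted $file is word-split, so basename receives "my" and "cert.pem"
#    and treats the second word as a suffix to strip.
make_alias_naive() {
  prefix="$1"; file="$2"
  printf '%s\n' "$prefix_$(basename $file)"
}

# Fixed form: braces delimit the variable name, and both expansions are quoted
# so spaces and glob characters in the file name survive intact.
make_alias() {
  prefix="$1"; file="$2"
  printf '%s\n' "${prefix}_$(basename "$file")"
}

# Demo with constructed certificate paths containing spaces and glob characters.
CERT_FILE="/etc/certs dir/my [ca].pem"
echo "broken chain: $(chain_broken)"                     # one command, one line of output
echo "naive alias:  $(make_alias_naive grid-ca "my cert.pem")"   # prints "my"
echo "fixed alias:  $(make_alias grid-ca "$CERT_FILE")"          # prints "grid-ca_my [ca].pem"
```

Running the naive form under `set -u` would abort on the unset `prefix_`, which is one reason to enable it in build scripts: the error surfaces at the bug instead of in a keystore entry with the wrong alias.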
Relevant past accepted suggestions:
Suggestion 1:
Fix missing command continuation
The command is missing a backslash continuation character after the package installation line, which will cause the echo command to fail. Add a backslash after the apt cleanup command.
RUN apt-get -qqy update \
&& apt-get upgrade -yq \
&& apt-get -qqy --no-install-recommends install \
python3 python3-pip python3-venv \
&& rm -rf /var/lib/apt/lists/* /var/cache/apt/* \
- echo "source $VENV_PATH/bin/activate" >> /etc/bash.bashrc
+ && echo "source $VENV_PATH/bin/activate" >> /etc/bash.bashrc
Suggestion 2:
Fix variable concatenation syntax
The ALIAS variable concatenation is incorrect. The underscore is part of the prefix instead of being a separator. Add a space before the underscore to properly separate prefix from filename.
charts/selenium-grid/certs/add-cert-helper.sh [78]
-ALIAS="$ALIAS_PREFIX_$(basename $cert_file)"
+ALIAS="${ALIAS_PREFIX}_$(basename $cert_file)"
Suggestion 3:
Handle special characters in filenames
The basename could contain spaces or special characters. Quote the basename command to prevent word splitting and globbing issues.
charts/selenium-grid/certs/add-cert-helper.sh [78]
-ALIAS="$ALIAS_PREFIX_$(basename $cert_file)"
+ALIAS="${ALIAS_PREFIX}_$(basename "$cert_file")"
[Auto-generated best practices - 2026-01-18]