feat: download busybox from fc-busybox release instead of embedding #2281

Draft
tomassrnka wants to merge 9 commits into main from feat/busybox-download-from-release

@tomassrnka

Summary

  • Download busybox binary from e2b-dev/fc-busybox GitHub release at build time instead of committing binaries to git
  • Dockerfile: ADD from GitHub release, uses TARGETARCH for correct arch
  • Makefile: fetch-busybox target for local dev builds (build-local, build-debug)
  • Removes ~3.2MB of committed binaries from git

Test plan

  • Docker build produces working orchestrator for amd64
  • Docker build produces working orchestrator for arm64
  • make build-local downloads busybox and builds
  • Integration tests pass (sandbox creation exercises busybox in rootfs)

@cursor

cursor bot commented Apr 1, 2026

PR Summary

Medium Risk
Build and CI now fetch an external BusyBox binary and gate builds/tests on network availability and checksum validation, which can introduce supply-chain and reproducibility risks. Runtime behavior should be unchanged but failures will surface at build time if the release artifact/arch mapping differs.

Overview
Switches the orchestrator BusyBox go:embed input from repository-committed per-arch binaries to a single busybox file downloaded during builds (Docker and local) from the e2b-dev/fc-busybox GitHub release, verified via published SHA256 sums. CI workflows and local Makefile builds now run fetch-busybox (with a version/arch stamp and .gitignored artifacts), and the Docker build downloads BusyBox using TARGETARCH and builds Go binaries directly to avoid re-fetching.

Written by Cursor Bugbot for commit bf39424. This will update automatically on new commits.

tomassrnka and others added 6 commits April 1, 2026 17:00
Download busybox binary from e2b-dev/fc-busybox GitHub release at
Docker build time (via ADD) and at local build time (via curl in
Makefile). Removes ~3.2MB of committed binaries from git.

- Dockerfile: ADD from GitHub release, uses TARGETARCH
- Makefile: fetch-busybox target for local dev builds
- Both amd64 and arm64 binaries from same reproducible CI build

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CI runs go test/lint directly (not via Docker), so the busybox
binary for go:embed must be downloaded first. Add fetch-busybox
to orchestrator test setup and lint workflow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Dockerfile: download with curl + sha256sum verification per arch
- Makefile: track version in .version file to detect stale binaries,
  write to .tmp first to avoid partial downloads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Dockerfile: download SHA256SUMS from release, verify binary against it
  (no more hardcoded checksums that need manual updating)
- Makefile: track version+arch in .version file to detect stale binaries,
  write to .tmp first to avoid partial downloads

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Move RUN after COPY ./orchestrator/pkg so the target directory exists
- Download as /tmp/{binary_name} (not /tmp/busybox) so sha256sum -c
  can find the file by the name in SHA256SUMS

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…r local dev

- Dockerfile: build go directly instead of make build-local, so
  fetch-busybox doesn't overwrite the SHA256-verified binary
- Makefile: restore stamp file for version tracking in local dev,
  only used by build-local/build-debug (not Docker)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@tomassrnka force-pushed the feat/busybox-download-from-release branch from 44bddeb to 2a51117 on April 1, 2026 15:00
…st/lint

- Dockerfile: wrap cd /tmp in subshell so mv/chmod use correct WORKDIR,
  use absolute paths for destination
- Makefile: add fetch-busybox dependency to test and lint targets

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Download SHA256SUMS from the fc-busybox release and verify the binary
checksum, matching the Dockerfile verification pattern. All build paths
now verify integrity.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
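
The verify-then-install pattern these commits describe (look the file up by name in SHA256SUMS, stage to a .tmp file, stamp version+arch), as an added shell example that is not the PR's Makefile or Dockerfile. The function names, the `busybox_amd64` asset name and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names, paths and the sample artifact are constructed.

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# expected_digest SUMS NAME: print the digest listed for NAME in a
# sha256sum-format file; fail unless exactly one well-formed entry matches.
expected_digest() {
    awk -v n="$2" '
        { f = $2; sub(/^\*/, "", f) }
        f == n && length($1) == 64 && $1 !~ /[^0-9a-f]/ { d = $1; c++ }
        END { if (c != 1) exit 1; print d }' "$1"
}

# install_verified SRC SUMS DEST STAMP TAG
# Copies SRC to DEST.tmp, hashes that copy (the exact bytes to be installed),
# and renames it into place only on a match. TAG (version+arch) goes to STAMP.
install_verified() {
    src=$1; sums=$2; dest=$3; stamp=$4; tag=$5
    want=$(expected_digest "$sums" "$(basename "$src")") || {
        echo "no unique entry for $(basename "$src") in $sums" >&2; return 2; }
    cp "$src" "$dest.tmp" || return 2
    if [ "$(sha256_of "$dest.tmp")" != "$want" ]; then
        echo "checksum mismatch for $src" >&2
        rm -f "$dest.tmp" "$stamp"   # drop the stamp so the next build re-fetches
        return 1
    fi
    chmod 0755 "$dest.tmp" && mv -f "$dest.tmp" "$dest" && printf '%s\n' "$tag" > "$stamp"
}

# is_current STAMP TAG: true when the stamp records the wanted version+arch.
is_current() { [ -f "$1" ] && [ "$(cat "$1")" = "$2" ]; }

# Constructed demo: a stand-in "release" in a temp dir, no network needed.
demo() {
    d=$(mktemp -d) || return 2
    printf 'fake busybox build\n' > "$d/busybox_amd64"
    (cd "$d" && sha256sum busybox_amd64 > SHA256SUMS)
    ok=0; install_verified "$d/busybox_amd64" "$d/SHA256SUMS" "$d/busybox" "$d/.stamp" "v0-amd64" || ok=$?
    printf 'x' >> "$d/busybox_amd64"          # simulate a corrupted download
    bad=0; install_verified "$d/busybox_amd64" "$d/SHA256SUMS" "$d/out2" "$d/.stamp2" "v0-amd64" 2>/dev/null || bad=$?
    rm -rf "$d"
    echo "intact=$ok corrupted=$bad"
}
demo
```

Because SHA256SUMS comes from the same release as the binary, this check catches corruption and truncated downloads; detecting a replaced release asset needs a digest pinned in the repository.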

@cursor cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

test and lint are called inside test.Dockerfile which doesn't have the
pkg/ directory. CI workflows have their own fetch-busybox setup steps.
Local dev gets busybox via build-local/build-debug before running
test/lint.

fetch-busybox remains on: build-local, build-debug (the entry points
for local builds that produce the full binary).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>