
chore: preinstall linux acceptance deps in build image #6701

Merged
PeterSchafer merged 1 commit into main from chore/CLI-1443-preinstall-linux-acceptance-deps-build-image
Apr 8, 2026

Conversation

@danskmt (Contributor) commented Apr 2, 2026

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

Adds docker.io, xdg-utils, and uv to .circleci/Dockerfile so Linux acceptance jobs can rely on the build image instead of installing these during CircleCI.

Where should the reviewer start?

  • .circleci/Dockerfile — apt packages and uv install for the circleci user
  • .circleci/config.yml — uses the new image

How should this be manually tested?

  1. After merge, run Create Build Image (workflow_dispatch) and confirm amd64/arm64 images build.
  2. Verify pipelines are working fine for Linux acceptance tests.

What's the product update that needs to be communicated to CLI users?

None — internal CI image only.

Risk assessment

Low — slightly larger image and longer build; no CLI behavior change until executor tags are updated.

What are the relevant tickets?

CLI-1443

@danskmt danskmt requested review from a team as code owners April 2, 2026 12:23
@snyk-io bot commented Apr 2, 2026

Snyk checks have passed. No issues have been found so far.

Scan Engine            Critical  High  Medium  Low  Total (0)
Open Source Security   0         0     0       0    0 issues
Licenses               0         0     0       0    0 issues
Code Security          0         0     0       0    0 issues



@danskmt danskmt changed the base branch from main to chore/CLI-1403-circleci-linux-acceptance-build-image April 8, 2026 09:00
@danskmt danskmt changed the base branch from chore/CLI-1403-circleci-linux-acceptance-build-image to main April 8, 2026 09:00
@danskmt danskmt force-pushed the chore/CLI-1443-preinstall-linux-acceptance-deps-build-image branch 2 times, most recently from c6e22a0 to 71afe62 April 8, 2026 09:11
@PeterSchafer PeterSchafer enabled auto-merge April 8, 2026 09:16

@danskmt (Contributor, Author) commented Apr 8, 2026

PR Reviewer Guide 🔍

🧪 No relevant tests
🔒 Security concerns

Installing tools via unpinned remote scripts (curl | sh) in a build image used for security products (Snyk) is a supply chain risk if the external source is compromised.

⚡ Recommended focus areas for review

Deployment Contradiction 🔴 [critical]
The PR description explicitly states 'Does not change ... executor image tags yet', but the code diff updates four executors to use tag 20260402-123524. If these images have not been published to the registry yet—which the description implies—the CI pipeline will break immediately upon merge due to image pull failures.

    - image: snyklabs/cli-build-private:20260402-123524
      auth:
        username: $DOCKER_CLI_BUILD_USERNAME
        password: $DOCKER_CLI_BUILD_PASSWORD
  # working_directory: /mnt/ramdisk/snyk
  resource_class: large
docker-amd64-xl:
  docker:
    - image: snyklabs/cli-build-private:20260402-123524
      auth:
        username: $DOCKER_CLI_BUILD_USERNAME
        password: $DOCKER_CLI_BUILD_PASSWORD
  # working_directory: /mnt/ramdisk/snyk
  resource_class: xlarge
docker-arm64:
  docker:
    - image: snyklabs/cli-build-private-arm64:20260402-123524
      auth:
        username: $DOCKER_CLI_BUILD_USERNAME
        password: $DOCKER_CLI_BUILD_PASSWORD
  # working_directory: /mnt/ramdisk/snyk
  resource_class: arm.large
docker-arm64-xl:
  docker:
    - image: snyklabs/cli-build-private-arm64:20260402-123524

Unpinned Dependency 🟡 [minor]
The 'uv' package manager is installed via an unpinned remote script (https://astral.sh/uv/install.sh). This is non-deterministic; if the remote script changes or is unavailable, the build image creation could fail or result in an unexpected version of the tool. It is safer to use a versioned installer or a specific checksum.

RUN curl -LsSf https://astral.sh/uv/install.sh | sh

📚 Repository Context Analyzed

This review considered 5 relevant code sections from 3 files (average relevance: 0.73)

I've updated the description. Changes from #6703 were merged here.
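The fix the review asks for on the RUN curl -LsSf https://astral.sh/uv/install.sh | sh line is to stop executing whatever the remote host serves today: download the installer to a file, compare it against a SHA-256 digest recorded in the repository, and only then run it. The script below is an added example for this page, not code from the snyk/cli repository or its Dockerfile. The per-version installer URL (https://astral.sh/uv/<version>/install.sh) and the install_uv_pinned helper are assumptions; the digest is a value the caller records after inspecting the release, so any change to the upstream script shows up as a checksum mismatch in CI instead of silently running.

```shell
#!/usr/bin/env sh
# Added example (not part of snyk/cli): replace "curl ... | sh" with
# download -> verify pinned SHA-256 -> execute.
set -eu

# Compute the SHA-256 of a file, portable across GNU coreutils and BSD/macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
# The comparison is case-insensitive so a digest copied from a release page
# in upper case still matches.
verify_sha256() {
  file=$1
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  printf 'checksum mismatch for %s\n  expected %s\n  actual   %s\n' \
    "$file" "$expected" "$actual" >&2
  return 1
}

# fetch_verified URL EXPECTED_HEX DEST: download to DEST, verify, and delete
# the file on mismatch so no unverified script is left on disk to be run later.
# --proto '=https' and --tlsv1.2 refuse plain-HTTP redirects and old TLS.
fetch_verified() {
  url=$1; expected=$2; dest=$3
  curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url"
  if ! verify_sha256 "$dest" "$expected"; then
    rm -f "$dest"
    return 1
  fi
}

# install_uv_pinned VERSION EXPECTED_HEX: the pinned pattern the review asked for.
# Assumption: astral.sh serves a per-version installer at /uv/<version>/install.sh
# (check the uv docs for the version you pin). The digest is recorded by the
# caller, e.g. in the Dockerfile next to the version, and reviewed like code.
install_uv_pinned() {
  version=$1; expected=$2
  tmp=$(mktemp)
  fetch_verified "https://astral.sh/uv/${version}/install.sh" "$expected" "$tmp"
  sh "$tmp"
  rm -f "$tmp"
}

# In a Dockerfile this becomes one RUN line, with VERSION and DIGEST as build
# args or literals committed to the repo:
#   RUN install_uv_pinned "$UV_VERSION" "$UV_INSTALLER_SHA256"
```

Pinning the digest rather than only the version is what closes the gap the review describes: a versioned URL still fetches whatever the host returns for that path, while a checksum recorded in the repository fails the image build the moment the fetched bytes differ from what was reviewed.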

Comment thread .circleci/config.yml
command: echo all done!

# this can be removed if we install the xdg-utils package in the docker image
install-deps-linux-acceptance-tests:
Contributor

@danskmt you need to cleanup of the usage of install-deps-linux-acceptance-tests as well

Contributor Author

yeah I noticed that, thanks! Just pushed removing:

install_deps_extension: linux-acceptance-tests

but kept:

- install-deps-<< parameters.install_deps_extension >>

as it should default to noop in this case.

@danskmt danskmt force-pushed the chore/CLI-1443-preinstall-linux-acceptance-deps-build-image branch from 71afe62 to 39223e6 April 8, 2026 09:30
@snyk-pr-review-bot commented
PR Reviewer Guide 🔍

🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

CI Interruption Risk 🟠 [major]

The PR updates the executor image tags (lines 66, 74, 82, 90) and removes the manual dependency installation fallback install_deps_extension: linux-acceptance-tests (lines 772, 795, 817, 841) in a single commit. Per the PR description, the build image is intended to be created after merging. This sequence ensures that the 'main' branch CI will fail for all Linux acceptance tests immediately after merge until the manual image creation job (which takes time to build and push) is completed, as the new tags will not yet exist in the registry or will lack the new dependencies.

      - image: snyklabs/cli-build-private:20260402-123524
        auth:
          username: $DOCKER_CLI_BUILD_USERNAME
          password: $DOCKER_CLI_BUILD_PASSWORD
    # working_directory: /mnt/ramdisk/snyk
    resource_class: large
  docker-amd64-xl:
    docker:
      - image: snyklabs/cli-build-private:20260402-123524
        auth:
          username: $DOCKER_CLI_BUILD_USERNAME
          password: $DOCKER_CLI_BUILD_PASSWORD
    # working_directory: /mnt/ramdisk/snyk
    resource_class: xlarge
  docker-arm64:
    docker:
      - image: snyklabs/cli-build-private-arm64:20260402-123524
        auth:
          username: $DOCKER_CLI_BUILD_USERNAME
          password: $DOCKER_CLI_BUILD_PASSWORD
    # working_directory: /mnt/ramdisk/snyk
    resource_class: arm.large
  docker-arm64-xl:
    docker:
      - image: snyklabs/cli-build-private-arm64:20260402-123524
        auth:
          username: $DOCKER_CLI_BUILD_USERNAME
          password: $DOCKER_CLI_BUILD_PASSWORD
    # working_directory: /mnt/ramdisk/snyk
    resource_class: arm.xlarge
  linux-ubuntu-jammy-amd64:
    docker:
      - image: ubuntu:jammy
    # working_directory: /mnt/ramdisk/snyk
    resource_class: medium
  linux-ubuntu-focal-amd64:
    docker:
      - image: ubuntu:focal
    # working_directory: /mnt/ramdisk/snyk
    resource_class: medium
  linux-ubuntu-latest-amd64:
    docker:
      - image: ubuntu:latest
    # working_directory: /mnt/ramdisk/snyk
    resource_class: medium
  linux-ubuntu-bionic-beaver-amd64:
    docker:
      - image: ubuntu:18.04
    # working_directory: /mnt/ramdisk/snyk
    resource_class: medium
  linux-ubuntu-latest-arm64:
    docker:
      - image: ubuntu:latest
    # working_directory: /mnt/ramdisk/snyk
    resource_class: arm.medium
  linux-ubuntu-jammy-arm64:
    docker:
      - image: ubuntu:jammy
    # working_directory: /mnt/ramdisk/snyk
    resource_class: arm.medium
  linux-ubuntu-focal-arm64:
    docker:
      - image: ubuntu:focal
    # working_directory: /mnt/ramdisk/snyk
    resource_class: arm.medium
  macos-arm64:
    macos:
      # https://circleci.com/developer/machine/image/xcode#image-tags
      xcode: '26.1.0'
    resource_class: m4pro.medium
  macos-arm64-large:
    macos:
      # https://circleci.com/developer/machine/image/xcode#image-tags
      xcode: '26.1.0'
    resource_class: m4pro.large
  win-server2022-amd64:
    machine:
      image: windows-server-2022-gui:2024.01.1
    resource_class: windows.large
    shell: powershell
  win-server2019-amd64:
    machine:
      image: windows-server-2019-vs2019:2022.08.1
    resource_class: windows.medium
    shell: powershell
  cbl-mariner:
    docker:
      - image: mcr.microsoft.com/cbl-mariner/base/python:3.9.14-8-cm2.0.20240301-arm64
    resource_class: arm.medium
  suse-linux-fips:
    docker:
      - image: registry.suse.com/bci/bci-base-fips:15.6
    resource_class: arm.medium

commands:
  make-binary:
    parameters:
      go_arch:
        type: string
      go_target_os:
        type: string
      make_target:
        type: string
        default: 'build'
      c_compiler:
        type: string
        default: ''
      static:
        type: boolean
        default: false
    steps:
      - when:
          condition: << parameters.static >>
          steps:
            - run:
                name: Build static << parameters.go_target_os >>/<< parameters.go_arch >>
                shell: bash
                environment:
                  CC: << parameters.c_compiler >>
                  MACOSX_DEPLOYMENT_TARGET: 13.0
                command: |
                  # load Windows $Env:Path values of tools necessary to execute the build (like Go)
                  if [ -f "/c/tools-cache/<< pipeline.parameters.windows_bash_env_script >>" ]; then source "/c/tools-cache/<< pipeline.parameters.windows_bash_env_script >>"; fi
                  make << parameters.make_target >> GOOS=<< parameters.go_target_os >> GOARCH=<< parameters.go_arch >> STATIC_NODE_BINARY=true CGO_ENABLED=0
      - unless:
          condition: << parameters.static >>
          steps:
            - run:
                name: Build << parameters.go_target_os >>/<< parameters.go_arch >>
                shell: bash
                environment:
                  CC: << parameters.c_compiler >>
                  MACOSX_DEPLOYMENT_TARGET: 13.0
                command: |
                  # load Windows $Env:Path values of tools necessary to execute the build (like Go)
                  if [ -f "/c/tools-cache/<< pipeline.parameters.windows_bash_env_script >>" ]; then source "/c/tools-cache/<< pipeline.parameters.windows_bash_env_script >>"; fi
                  make << parameters.make_target >> GOOS=<< parameters.go_target_os >> GOARCH=<< parameters.go_arch >> STATIC_NODE_BINARY=false CGO_ENABLED=1
  install-go:
    parameters:
      go_os:
        type: string
      go_target_os:
        type: string
      go_arch:
        type: string
      base_url:
        type: string
      extraction_path:
        type: string
      cache_key_file:
        type: string
        default: go_cache_key.txt
    steps:
      - run:
          name: Create Cache Key
          command: |
            echo << parameters.extraction_path >>-<< parameters.base_url >>-<< parameters.go_target_os >>-<< parameters.go_arch >>-<< pipeline.parameters.go_version >> > << parameters.cache_key_file >>
            cat << parameters.cache_key_file >>
      - restore_cache:
          name: Restoring go binary cache
          keys:
            - go-binary-cache-{{ checksum "<< parameters.cache_key_file >>" }}
      - run:
          name: Download go binary
          command: python ./scripts/download_go.py << pipeline.parameters.go_version >> --go_os=<< parameters.go_os >> --go_arch=<< parameters.go_arch >> --base_url=<< parameters.base_url >> --extraction_path=<< parameters.extraction_path >>
      - save_cache:
          name: Caching go binary
          key: go-binary-cache-{{ checksum "<< parameters.cache_key_file >>" }}
          paths:
            - << parameters.extraction_path >>/go
      - unless:
          condition:
            equal: ['windows', << parameters.go_os >>]
          steps:
            - run:
                name: Add go binary to PATH
                command: echo "export PATH=$(realpath << parameters.extraction_path >>/go/bin):\$PATH" >> "$BASH_ENV"
      - when:
          condition:
            equal: ['windows', << parameters.go_os >>]
          steps:
            - run:
                name: Add go binary to PATH (via snyk-env)
                shell: powershell
                command: |
                  $goBin = '<< parameters.extraction_path >>\go\bin'
                  $envScript = '<< pipeline.parameters.windows_cache_dir >>/<< pipeline.parameters.windows_env_script >>'
                  $bashEnvScript = '<< pipeline.parameters.windows_cache_dir >>/<< pipeline.parameters.windows_bash_env_script >>'

                  if (-not (Test-Path $envScript)) {
                    New-Item -Path $envScript -ItemType File -Force | Out-Null
                  }
                  '$Env:Path = "' + $goBin + ';" + $Env:Path' | Out-File -FilePath $envScript -Append -Encoding UTF8

                  if (-not (Test-Path $bashEnvScript)) {
                    New-Item -Path $bashEnvScript -ItemType File -Force | Out-Null
                  }
                  $bashPath = $goBin.Replace('\', '/').Replace('C:', '/c')
                  'export PATH="' + $bashPath + ':$PATH"' | Out-File -FilePath $bashEnvScript -Append -Encoding UTF8

  install-deps-windows-native-build:
    steps:
      - run:
          name: Ensure tools cache directory
          shell: powershell
          command: |
            $cacheDir = '<< pipeline.parameters.windows_cache_dir >>'
            if (-not (Test-Path $cacheDir)) {
              New-Item -ItemType Directory -Path $cacheDir | Out-Null
            }
      - restore_cache:
          name: Restoring Windows tools cache
          keys:
            - windows-tools-cache-v2-{{ arch }}
      - run:
          name: Install Node.js (native)
          shell: powershell
          command: |
            .\scripts\windows\install-node.ps1
      - run:
          name: Install Apache Maven 3.8.2 (native)
          shell: powershell
          command: |
            .\scripts\windows\install-maven.ps1
      - run:
          name: Install Gradle 8.1.1 (native)
          shell: powershell
          command: |
            .\scripts\windows\install-gradle.ps1
      - run:
          name: Install .NET SDK 8.0.100 (native)
          shell: powershell
          command: |
            .\scripts\windows\install-dotnet-sdk.ps1
      - run:
          name: Install Python 3.12.8 (native)
          shell: powershell
          command: |
            .\scripts\windows\install-python3.ps1
      - run:
          name: Install GNU Make 4.4.1 (native)
          shell: powershell
          command: |
            .\scripts\windows\install-make.ps1
      - run:
          name: Ensure Python and uv
          shell: powershell
          command: |
            if (Test-Path '<< pipeline.parameters.windows_cache_dir >>/<< pipeline.parameters.windows_env_script >>') { . '<< pipeline.parameters.windows_cache_dir >>/<< pipeline.parameters.windows_env_script >>' }
            .\scripts\windows\ensure-python-uv.ps1
      - save_cache:
          name: Saving Windows tools cache
          key: windows-tools-cache-v2-{{ arch }}
          paths:
            - << pipeline.parameters.windows_cache_dir >>

  install-deps-windows-native-full-signing:
    steps:
      - install-deps-windows-signing
      - install-deps-windows-native-build

  install-deps-windows-signing:
    steps:
      - run:
          name: Generate Cache Key
          command: |
            date +%U%Y >> ~/cache_key.txt
            cat ~/cache_key.txt
      - restore_cache:
          name: Restoring DigitCert cache
          keys:
            - digicert-cache-v3-{{ arch }}-{{ checksum "~/cache_key.txt" }}
      - run:
          name: Install DigiCert Keylocker Tools
          shell: powershell
          command: |
            # Navigate to C: drive
            Set-Location C:\

            # Check if the file exists in the user's home directory
            $filePath = Join-Path $env:USERPROFILE 'smtools-windows-x64.msi'
            if (Test-Path $filePath) {
                Write-Host "File exists. Moving to C:"
                Copy-Item $filePath -Destination .\
            }
            else {
                Write-Host "No existing file found. Downloading..."
                # Download the file using Invoke-WebRequest
                curl.exe -X GET  https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:$env:SM_API_KEY" -o smtools-windows-x64.msi
                # Copy the downloaded file to the user's home directory
                Copy-Item 'smtools-windows-x64.msi' -Destination $env:USERPROFILE
            }

            # Execute the MSI installer
            msiexec.exe /i smtools-windows-x64.msi /quiet /qn | Wait-Process
            & 'C:\Program Files\DigiCert\DigiCert One Signing Manager Tools\smksp_cert_sync.exe'

            # Manual resync
            & 'C:\Program Files\DigiCert\DigiCert One Signing Manager Tools\smctl.exe' windows certsync
      - save_cache:
          name: Saving DigitCert cache
          key: digicert-cache-v3-{{ arch }}-{{ checksum "~/cache_key.txt" }}
          paths:
            - ~\smtools-windows-x64.msi

  install-deps-windows-full-signing:
    steps:
      - install-deps-windows-signing

  install-deps-noop:
    steps:
      - run:
          name: No dependencies to install
          command: echo all done!

  install-deps-python:
    parameters:
      os:
        type: string
        default: linux
      modules:
        type: string
        default: requests PyYAML
    steps:
      - when:
          condition:
            matches:
              pattern: '^(linux.*|macos.*|alpine.*|docker.*)'
              value: << parameters.os >>
          steps:
            - run:
                name: Installing python modules
                command: python3 -m pip install << parameters.modules >>
      - when:
          condition:
            matches:
              pattern: '^(win.*|cbl-mariner.*)'
              value: << parameters.os >>
          steps:
            - run:
                shell: bash.exe
                name: Installing python modules
                command: python -m pip install << parameters.modules >>

  install-deps-macos-full:
    parameters:
      items:
        type: string
        default: go gradle python pipenv elixir composer gradle@9 maven sbt dotnet uv
    steps:
      - run:
          name: Installing Rosetta
          command: softwareupdate --install-rosetta --agree-to-license
      - restore_cache:
          key: acceptance-tests-macos-<< parameters.items >>
      - run:
          name: Installing sdks and tools via homebrew
          command: |
            brew install << parameters.items >>
            echo 'export PATH="/opt/homebrew/opt/gradle@9/bin:$PATH"' >> "$BASH_ENV"
      - save_cache:
          key: acceptance-tests-macos-<< parameters.items >>
          paths:
            - ~/Library/Caches/Homebrew
      - install-deps-python:
          os: macos

  install-deps-macos-build:
    parameters:
      items:
        type: string
        default: go gradle python elixir composer gradle@9 maven sbt dotnet
    steps:
      - run:
          name: Installing Rosetta
          command: softwareupdate --install-rosetta --agree-to-license
      - install-deps-python:
          os: macos

  install-deps-alpine-full:
    steps:
      - run:
          name: Installing Node.js + other test dependencies
          command: |
            arch=$(uname -m)
            case "$arch" in
            aarch64) arch="arm64";;
            *) arch="amd64";;
            esac
            echo "using architecture: $arch"
            apk add --update nodejs npm bash maven git python3 py3-pip elixir composer unzip xdg-utils docker
            pip3 install pipenv requests PyYAML setuptools==70.3.0
            wget https://dot.net/v1/dotnet-install.sh -O dotnet-install.sh && chmod +x dotnet-install.sh && ./dotnet-install.sh && \
              ln -s $HOME/.dotnet/dotnet /usr/local/bin/dotnet
            wget https://go.dev/dl/go<< pipeline.parameters.go_version >>.linux-$arch.tar.gz -O /tmp/go.tgz && \
              tar -C /usr/local -xzvf /tmp/go.tgz && \
              ln -s /usr/local/go/bin/go /usr/local/bin
            wget https://services.gradle.org/distributions/gradle-9.0.0-bin.zip -O /tmp/gradle.zip && \
              unzip -d /usr/local /tmp/gradle.zip && \
              ln -s /usr/local/gradle-9.0.0/bin/gradle /usr/local/bin
            wget -qO- https://astral.sh/uv/install.sh | sh
            ln -s $HOME/.local/bin/uv /usr/local/bin/uv

  failed-release-notification:
    steps:
      - when:
          condition:
            equal: [main, << pipeline.git.branch >>]
          steps:
            - run:
                name: Handling failed release
                command: bash ./release-scripts/handle-failed-release.sh
                when: on_fail

  prepare-workspace:
    parameters:
      executor:
        type: string
        default: linux-base-edge-amd64
    steps:
      - checkout
      - attach_workspace:
          at: .

  shall-deploy:
    parameters:
      deployment:
        type: string
    steps:
      - run:
          name: Shall deployment be done
          command: |
            if [ "$(./release-scripts/skip-deployment.sh << parameters.deployment >>)" == true ]; then
              echo The current branch does not deploy to \"<< parameters.deployment >>\"
              circleci-agent step halt
            fi

####################################################################################################
# WORKFLOWS
####################################################################################################

workflows:
  test_and_release:
    jobs:
      - prodsec/secrets-scan:
          name: secrets-scan
          context: snyk-bot-slack
          channel: cli-alerts
          trusted-branch: main

      - docs-only-check:
          context: devex_cli_docker_hub
          filters:
            branches:
              only:
                - '/^docs\/.*/'

      - prepare-build:
          context: devex_cli_docker_hub
          requires:
            - secrets-scan
          filters:
            branches:
              ignore:
                - '/^docs\/.*/'

      - code-analysis:
          go_target_os: linux
          go_os: linux
          go_arch: amd64
          go_download_base_url: << pipeline.parameters.go_download_base_url >>
          context:
            - devex_cli
            - devex_cli_docker_hub
          requires:
            - prepare-build
          filters:
            branches:
              ignore:
                - '/release.*/'

      - test-node:
          context:
            - nodejs-install
            - team_hammerhead-cli
            - devex_cli_docker_hub
          requires:
            - prepare-build
          filters:
            branches:
              ignore:
                - main
                - '/release.*/'

      - test-go:
          go_target_os: linux
          go_os: linux
          go_arch: amd64
          go_download_base_url: << pipeline.parameters.go_download_base_url >>
          context:
            - nodejs-install
            - team_hammerhead-cli
            - devex_cli_docker_hub
          requires:
            - prepare-build
          filters:
            branches:
              ignore:
                - main
                - '/release.*/'

      - test-legacy-tap:
          context:
            - nodejs-install
            - team_hammerhead-cli
            - devex_cli_docker_hub
          requires:
            - prepare-build
          filters:
            branches:
              ignore:
                - main
                - '/release.*/'

      - build-special-artifacts:
          name: build fix & protect
          context: devex_cli_docker_hub
          requires:
            - prepare-build

      - build-artifact:
          name: build linux amd64
          context:
            - iac-cli
            - devex_cli_docker_hub
          go_target_os: linux
          go_os: linux
          go_arch: amd64
          static_binary: false # TODO: set to true when we have confidence for v1.1304.0 release
          go_download_base_url: << pipeline.parameters.go_download_base_url >>
          executor: docker-amd64-xl
          requires:
            - prepare-build

      - build-artifact:
          name: build linux static amd64
          context:
            - iac-cli
            - devex_cli_docker_hub
          go_target_os: linux
          go_os: linux
          go_arch: amd64
          static_binary: true
          go_download_base_url: << pipeline.parameters.go_download_base_url >>
          make_target: build-experimental
          executor: docker-amd64-xl
          requires:
            - prepare-build

      - build-artifact:
          name: build linux fips amd64
          context:
            - iac-cli
            - devex_cli_docker_hub
          go_target_os: linux
          go_os: linux
          go_arch: amd64
          go_download_base_url: << pipeline.parameters.fips_go_download_base_url >>
          make_target: build-fips
          executor: docker-amd64-xl
          requires:
            - prepare-build

      - build-artifact:
          name: build linux arm64
          context:
            - iac-cli
            - devex_cli_docker_hub
          go_target_os: linux
          go_os: linux
          go_arch: arm64
          static_binary: false # TODO: set to true when we have confidence for v1.1304.0 release
          go_download_base_url: << pipeline.parameters.go_download_base_url >>
          executor: docker-arm64-xl
          requires:
            - prepare-build

      - build-artifact:
          name: build linux static arm64
          context:
            - iac-cli
            - devex_cli_docker_hub
          go_target_os: linux
          go_os: linux
          go_arch: arm64
          static_binary: true
          go_download_base_url: << pipeline.parameters.go_download_base_url >>
          make_target: build-experimental
          executor: docker-arm64-xl
          requires:
            - prepare-build

      - build-artifact:
          name: build linux fips arm64
          context:
            - iac-cli
            - devex_cli_docker_hub
          go_target_os: linux
          go_os: linux
          go_arch: arm64
          go_download_base_url: << pipeline.parameters.fips_go_download_base_url >>
          make_target: build-fips
          executor: docker-arm64-xl
          requires:
            - prepare-build

      - build-artifact:
          name: build alpine amd64
          context:
            - iac-cli
            - devex_cli_docker_hub
          go_target_os: alpine
          go_os: linux
          go_arch: amd64
          go_download_base_url: << pipeline.parameters.go_download_base_url >>
          executor: docker-amd64-xl
          c_compiler: /usr/bin/musl-gcc
          requires:
            - prepare-build

      - build-artifact:
          name: build alpine arm64
          context:
            - iac-cli
            - devex_cli_docker_hub
          go_target_os: alpine
          go_os: linux
          go_arch: arm64
          go_download_base_url: << pipeline.parameters.go_download_base_url >>
          executor: docker-arm64-xl
          c_compiler: /usr/bin/musl-gcc
          requires:
            - prepare-build

      - build-artifact:
          name: build macOS amd64
          go_target_os: darwin
          go_os: darwin
          go_arch: amd64
          go_download_base_url: << pipeline.parameters.go_download_base_url >>
          executor: macos-arm64-large
          install_deps_extension: macos-build
          context:
            - snyk-macos-signing
            - iac-cli
          requires:
            - prepare-build

      - build-artifact:
          name: build macOS arm64
          go_target_os: darwin
          go_os: darwin
          go_arch: arm64
          go_download_base_url: << pipeline.parameters.go_download_base_url >>
          executor: macos-arm64-large
          install_deps_extension: macos-build
          context:
            - snyk-macos-signing
            - iac-cli
          requires:
            - prepare-build

      - build-artifact:
          name: build windows amd64
          go_target_os: windows
          go_os: windows
          go_arch: amd64
          go_download_base_url: << pipeline.parameters.fips_go_download_base_url >>
          make_target: build clean-golang build-fips
          install_deps_extension: windows-native-full-signing
          install_path: 'C:\'
          executor: win-server2022-amd64
          context:
            - snyk-windows-signing
            - iac-cli
          requires:
            - prepare-build

      - acceptance-tests:
          name: acceptance-tests linux static arm64
          go_target_os: linux
          go_os: linux
          go_arch: arm64
          go_download_base_url: << pipeline.parameters.go_download_base_url >>
          shards: 6
          context:
            - nodejs-install
            - team_hammerhead-cli
            - devex_cli_docker_hub
          filters:
            branches:
              ignore:
                - main
                - '/release.*/'
          pre_test_cmds: export BROWSER="curl -L"
          requires:
            - build linux static arm64
          executor: docker-arm64-xl
          test_snyk_command: ./binary-releases/experimental/snyk-linux-arm64

      - acceptance-tests:
          name: acceptance-tests linux amd64
          go_target_os: linux
          go_os: linux
          go_arch: amd64
          go_download_base_url: << pipeline.parameters.go_download_base_url >>
          shards: 6
          context:
            - nodejs-install
            - team_hammerhead-cli
            - devex_cli_docker_hub
          filters:
            branches:
              ignore:
                - main
                - '/release.*/'
          pre_test_cmds: export BROWSER="curl -L"
          requires:
            - build linux amd64
          executor: docker-amd64-xl
          test_snyk_command: ./binary-releases/snyk-linux

      - acceptance-tests:
          name: acceptance-tests linux arm64
          go_target_os: linux
          go_os: linux
          go_arch: arm64
          go_download_base_url: << pipeline.parameters.go_download_base_url >>
          shards: 6
          context:
            - nodejs-install
            - team_hammerhead-cli
            - devex_cli_docker_hub
          filters:
            branches:
              ignore:
                - main
                - '/release.*/'
          pre_test_cmds: export BROWSER="curl -L"
          requires:
            - build linux arm64
          executor: docker-arm64
          test_snyk_command: ./binary-releases/snyk-linux-arm64

      - acceptance-tests:
          name: acceptance-tests fips linux arm64
          go_target_os: linux
          go_os: linux
          go_arch: arm64
          go_download_base_url: << pipeline.parameters.fips_go_download_base_url >>
          shards: 6
          executor: docker-arm64
          test_snyk_command: ./binary-releases/fips/snyk-linux-arm64
          fips: 1
          context:
            - nodejs-install
            - team_hammerhead-cli
            - devex_cli_docker_hub
          filters:
            branches:
              ignore:
                - main
                - '/release.*/'
          pre_test_cmds: export BROWSER="curl -L"
          requires:
            - build linux fips arm64
📚 Repository Context Analyzed

This review considered 4 relevant code sections from 2 files (average relevance: 0.72)

@danskmt (Contributor, Author) commented Apr 8, 2026

PR Reviewer Guide 🔍

🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

CI Interruption Risk 🟠 [major]
The PR updates the executor image tags (lines 66, 74, 82, 90) and removes the manual dependency installation fallback install_deps_extension: linux-acceptance-tests (lines 772, 795, 817, 841) in a single commit. Per the PR description, the build image is intended to be created after merging. This sequence ensures that the 'main' branch CI will fail for all Linux acceptance tests immediately after merge until the manual image creation job (which takes time to build and push) is completed, as the new tags will not yet exist in the registry or will lack the new dependencies.

📚 Repository Context Analyzed

This review considered 4 relevant code sections from 2 files (average relevance: 0.72)

The image that is being used should now contain the dependencies. A separate step for installing dependencies is not needed.
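Both review passes flag the same ordering hazard: the executor tags in .circleci/config.yml are bumped to 20260402-123524 in the same commit that removes the install-deps fallback, so main breaks on an image pull failure if those tags are not yet in the registry. A pre-merge check that resolves every private image reference the config names is an added example for this page, not part of the snyk/cli pipeline. It assumes a docker client already logged in with the same DOCKER_CLI_BUILD_* credentials the executors use; the snyklabs/ prefix filter and the function names are the example's own.

```shell
#!/usr/bin/env sh
# Added example (not part of snyk/cli): before merging an executor tag bump,
# confirm every private build image the CircleCI config references already
# exists in the registry, so main does not break on an image pull failure.
set -eu

# list_executor_images CONFIG [PREFIX]: print unique "repo:tag" references
# from "- image:" lines, limited to images under PREFIX (default snyklabs/),
# i.e. the images the team publishes itself rather than public base images.
list_executor_images() {
  config=$1; prefix=${2:-snyklabs/}
  # matches lines like "      - image: snyklabs/cli-build-private:20260402-123524"
  sed -n 's/^[[:space:]]*-[[:space:]]*image:[[:space:]]*\([^[:space:]]*\).*/\1/p' "$config" \
    | grep "^$prefix" | sort -u
}

# check_images_published CONFIG [PREFIX]: return 0 when every referenced image
# resolves via "docker manifest inspect", 1 if any is missing. Inspecting the
# manifest needs no pull and works for multi-arch tags such as the arm64 image.
check_images_published() {
  missing=0
  for ref in $(list_executor_images "$1" "${2:-snyklabs/}"); do
    if docker manifest inspect "$ref" >/dev/null 2>&1; then
      echo "ok       $ref"
    else
      echo "MISSING  $ref" >&2
      missing=1
    fi
  done
  return $missing
}

# Usage from the repo root, as a step before "enable auto-merge":
#   check_images_published .circleci/config.yml
```

Run against the branch's config, this turns the bot's "tags may not exist yet" warning into a hard pass/fail: a MISSING line means the Create Build Image workflow has to finish and push both architectures before the tag bump can land.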

@PeterSchafer PeterSchafer merged commit a29a1ea into main Apr 8, 2026
9 checks passed
@PeterSchafer PeterSchafer deleted the chore/CLI-1443-preinstall-linux-acceptance-deps-build-image branch April 8, 2026 10:19