chore: preinstall linux acceptance deps in build image

[danskmt]

Pull Request Submission Checklist

• Follows CONTRIBUTING guidelines
• Commit messages are release-note ready, emphasizing what was changed, not how.
• Includes detailed description of changes
• Contains risk assessment (Low | Medium | High)
• Highlights breaking API changes (if applicable)
• Links to automated tests covering new functionality
• Includes manual testing instructions (if necessary)
• Updates relevant GitBook documentation (PR link: ___)
• Includes product update to be announced in the next stable release notes

What does this PR do?

Adds docker.io, xdg-utils, and uv to .circleci/Dockerfile so Linux acceptance jobs can rely on the build image instead of installing these during CircleCI.

Where should the reviewer start?

• .circleci/Dockerfile — apt packages and uv install for the circleci user
• .circleci/config.yml — uses the new image

How should this be manually tested?

1. After merge, run Create Build Image (workflow_dispatch) and confirm amd64/arm64 images build.
2. Verify pipelines are working fine for Linux acceptance tests.

What's the product update that needs to be communicated to CLI users?

None — internal CI image only.

Risk assessment

Low — slightly larger image and longer build; no CLI behavior change until executor tags are updated.

What are the relevant tickets?

CLI-1443

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[danskmt]

PR Reviewer Guide 🔍

🧪 No relevant tests
🔒 Security concerns

Installing tools via unpinned remote scripts (curl | sh) in a build image used for security products (Snyk) is a supply chain risk if the external source is compromised.

⚡ Recommended focus areas for review

Deployment Contradiction 🔴 [critical]
The PR description explicitly states 'Does not change ... executor image tags yet', but the code diff updates four executors to use tag 20260402-123524. If these images have not been published to the registry yet—which the description implies—the CI pipeline will break immediately upon merge due to image pull failures.

    - image: snyklabs/cli-build-private:20260402-123524
      auth:
        username: $DOCKER_CLI_BUILD_USERNAME
        password: $DOCKER_CLI_BUILD_PASSWORD
  # working_directory: /mnt/ramdisk/snyk
  resource_class: large
docker-amd64-xl:
  docker:
    - image: snyklabs/cli-build-private:20260402-123524
      auth:
        username: $DOCKER_CLI_BUILD_USERNAME
        password: $DOCKER_CLI_BUILD_PASSWORD
  # working_directory: /mnt/ramdisk/snyk
  resource_class: xlarge
docker-arm64:
  docker:
    - image: snyklabs/cli-build-private-arm64:20260402-123524
      auth:
        username: $DOCKER_CLI_BUILD_USERNAME
        password: $DOCKER_CLI_BUILD_PASSWORD
  # working_directory: /mnt/ramdisk/snyk
  resource_class: arm.large
docker-arm64-xl:
  docker:
    - image: snyklabs/cli-build-private-arm64:20260402-123524

Unpinned Dependency 🟡 [minor]
The 'uv' package manager is installed via an unpinned remote script (https://astral.sh/uv/install.sh). This is non-deterministic; if the remote script changes or is unavailable, the build image creation could fail or result in an unexpected version of the tool. It is safer to use a versioned installer or a specific checksum.

RUN curl -LsSf https://astral.sh/uv/install.sh | sh

📚 Repository Context Analyzed

This review considered 5 relevant code sections from 3 files (average relevance: 0.73)

• CONTRIBUTING.md (3 segments, lines 218-387)
• scripts/create-build-image.sh (lines 1-81)
• dangerfile.js (lines 1-111)

I've updated the description. Changes from #6703 were merged here.

[PeterSchafer]

@danskmt you need to cleanup of the usage of install-deps-linux-acceptance-tests as well

[danskmt]

yeah I noticed that, thanks! Just pushed removing:

install_deps_extension: linux-acceptance-tests

but kept:

- install-deps-<< parameters.install_deps_extension >>

as it should default to noop in this case.

[snyk-pr-review-bot]

PR Reviewer Guide 🔍

🧪 No relevant tests

🔒 No security concerns identified

⚡ Recommended focus areas for review CI Interruption Risk 🟠 [major] The PR updates the executor image tags (lines 66, 74, 82, 90) and removes the manual dependency installation fallback install_deps_extension: linux-acceptance-tests (lines 772, 795, 817, 841) in a single commit. Per the PR description, the build image is intended to be created after merging. This sequence ensures that the 'main' branch CI will fail for all Linux acceptance tests immediately after merge until the manual image creation job (which takes time to build and push) is completed, as the new tags will not yet exist in the registry or will lack the new dependencies. - image: snyklabs/cli-build-private:20260402-123524 auth: username: $DOCKER_CLI_BUILD_USERNAME password: $DOCKER_CLI_BUILD_PASSWORD # working_directory: /mnt/ramdisk/snyk resource_class: large docker-amd64-xl: docker: - image: snyklabs/cli-build-private:20260402-123524 auth: username: $DOCKER_CLI_BUILD_USERNAME password: $DOCKER_CLI_BUILD_PASSWORD # working_directory: /mnt/ramdisk/snyk resource_class: xlarge docker-arm64: docker: - image: snyklabs/cli-build-private-arm64:20260402-123524 auth: username: $DOCKER_CLI_BUILD_USERNAME password: $DOCKER_CLI_BUILD_PASSWORD # working_directory: /mnt/ramdisk/snyk resource_class: arm.large docker-arm64-xl: docker: - image: snyklabs/cli-build-private-arm64:20260402-123524 auth: username: $DOCKER_CLI_BUILD_USERNAME password: $DOCKER_CLI_BUILD_PASSWORD # working_directory: /mnt/ramdisk/snyk resource_class: arm.xlarge linux-ubuntu-jammy-amd64: docker: - image: ubuntu:jammy # working_directory: /mnt/ramdisk/snyk resource_class: medium linux-ubuntu-focal-amd64: docker: - image: ubuntu:focal # working_directory: /mnt/ramdisk/snyk resource_class: medium linux-ubuntu-latest-amd64: docker: - image: ubuntu:latest # working_directory: /mnt/ramdisk/snyk resource_class: medium linux-ubuntu-bionic-beaver-amd64: docker: - image: ubuntu:18.04 # working_directory: /mnt/ramdisk/snyk resource_class: medium linux-ubuntu-latest-arm64: docker: - image: ubuntu:latest # working_directory: /mnt/ramdisk/snyk resource_class: arm.medium linux-ubuntu-jammy-arm64: docker: - image: ubuntu:jammy # working_directory: /mnt/ramdisk/snyk resource_class: arm.medium linux-ubuntu-focal-arm64: docker: - image: ubuntu:focal # working_directory: /mnt/ramdisk/snyk resource_class: arm.medium macos-arm64: macos: # https://circleci.com/developer/machine/image/xcode#image-tags xcode: '26.1.0' resource_class: m4pro.medium macos-arm64-large: macos: # https://circleci.com/developer/machine/image/xcode#image-tags xcode: '26.1.0' resource_class: m4pro.large win-server2022-amd64: machine: image: windows-server-2022-gui:2024.01.1 resource_class: windows.large shell: powershell win-server2019-amd64: machine: image: windows-server-2019-vs2019:2022.08.1 resource_class: windows.medium shell: powershell cbl-mariner: docker: - image: mcr.microsoft.com/cbl-mariner/base/python:3.9.14-8-cm2.0.20240301-arm64 resource_class: arm.medium suse-linux-fips: docker: - image: registry.suse.com/bci/bci-base-fips:15.6 resource_class: arm.medium commands: make-binary: parameters: go_arch: type: string go_target_os: type: string make_target: type: string default: 'build' c_compiler: type: string default: '' static: type: boolean default: false steps: - when: condition: << parameters.static >> steps: - run: name: Build static << parameters.go_target_os >>/<< parameters.go_arch >> shell: bash environment: CC: << parameters.c_compiler >> MACOSX_DEPLOYMENT_TARGET: 13.0 command: | # load Windows $Env:Path values of tools necessary to execute the build (like Go) if [ -f "/c/tools-cache/<< pipeline.parameters.windows_bash_env_script >>" ]; then source "/c/tools-cache/<< pipeline.parameters.windows_bash_env_script >>"; fi make << parameters.make_target >> GOOS=<< parameters.go_target_os >> GOARCH=<< parameters.go_arch >> STATIC_NODE_BINARY=true CGO_ENABLED=0 - unless: condition: << parameters.static >> steps: - run: name: Build << parameters.go_target_os >>/<< parameters.go_arch >> shell: bash environment: CC: << parameters.c_compiler >> MACOSX_DEPLOYMENT_TARGET: 13.0 command: | # load Windows $Env:Path values of tools necessary to execute the build (like Go) if [ -f "/c/tools-cache/<< pipeline.parameters.windows_bash_env_script >>" ]; then source "/c/tools-cache/<< pipeline.parameters.windows_bash_env_script >>"; fi make << parameters.make_target >> GOOS=<< parameters.go_target_os >> GOARCH=<< parameters.go_arch >> STATIC_NODE_BINARY=false CGO_ENABLED=1 install-go: parameters: go_os: type: string go_target_os: type: string go_arch: type: string base_url: type: string extraction_path: type: string cache_key_file: type: string default: go_cache_key.txt steps: - run: name: Create Cache Key command: | echo << parameters.extraction_path >>-<< parameters.base_url >>-<< parameters.go_target_os >>-<< parameters.go_arch >>-<< pipeline.parameters.go_version >> > << parameters.cache_key_file >> cat << parameters.cache_key_file >> - restore_cache: name: Restoring go binary cache keys: - go-binary-cache-{{ checksum "<< parameters.cache_key_file >>" }} - run: name: Download go binary command: python ./scripts/download_go.py << pipeline.parameters.go_version >> --go_os=<< parameters.go_os >> --go_arch=<< parameters.go_arch >> --base_url=<< parameters.base_url >> --extraction_path=<< parameters.extraction_path >> - save_cache: name: Caching go binary key: go-binary-cache-{{ checksum "<< parameters.cache_key_file >>" }} paths: - << parameters.extraction_path >>/go - unless: condition: equal: ['windows', << parameters.go_os >>] steps: - run: name: Add go binary to PATH command: echo "export PATH=$(realpath << parameters.extraction_path >>/go/bin):\$PATH" >> "$BASH_ENV" - when: condition: equal: ['windows', << parameters.go_os >>] steps: - run: name: Add go binary to PATH (via snyk-env) shell: powershell command: | $goBin = '<< parameters.extraction_path >>\go\bin' $envScript = '<< pipeline.parameters.windows_cache_dir >>/<< pipeline.parameters.windows_env_script >>' $bashEnvScript = '<< pipeline.parameters.windows_cache_dir >>/<< pipeline.parameters.windows_bash_env_script >>' if (-not (Test-Path $envScript)) { New-Item -Path $envScript -ItemType File -Force | Out-Null } '$Env:Path = "' + $goBin + ';" + $Env:Path' | Out-File -FilePath $envScript -Append -Encoding UTF8 if (-not (Test-Path $bashEnvScript)) { New-Item -Path $bashEnvScript -ItemType File -Force | Out-Null } $bashPath = $goBin.Replace('\', '/').Replace('C:', '/c') 'export PATH="' + $bashPath + ':$PATH"' | Out-File -FilePath $bashEnvScript -Append -Encoding UTF8 install-deps-windows-native-build: steps: - run: name: Ensure tools cache directory shell: powershell command: | $cacheDir = '<< pipeline.parameters.windows_cache_dir >>' if (-not (Test-Path $cacheDir)) { New-Item -ItemType Directory -Path $cacheDir | Out-Null } - restore_cache: name: Restoring Windows tools cache keys: - windows-tools-cache-v2-{{ arch }} - run: name: Install Node.js (native) shell: powershell command: | .\scripts\windows\install-node.ps1 - run: name: Install Apache Maven 3.8.2 (native) shell: powershell command: | .\scripts\windows\install-maven.ps1 - run: name: Install Gradle 8.1.1 (native) shell: powershell command: | .\scripts\windows\install-gradle.ps1 - run: name: Install .NET SDK 8.0.100 (native) shell: powershell command: | .\scripts\windows\install-dotnet-sdk.ps1 - run: name: Install Python 3.12.8 (native) shell: powershell command: | .\scripts\windows\install-python3.ps1 - run: name: Install GNU Make 4.4.1 (native) shell: powershell command: | .\scripts\windows\install-make.ps1 - run: name: Ensure Python and uv shell: powershell command: | if (Test-Path '<< pipeline.parameters.windows_cache_dir >>/<< pipeline.parameters.windows_env_script >>') { . '<< pipeline.parameters.windows_cache_dir >>/<< pipeline.parameters.windows_env_script >>' } .\scripts\windows\ensure-python-uv.ps1 - save_cache: name: Saving Windows tools cache key: windows-tools-cache-v2-{{ arch }} paths: - << pipeline.parameters.windows_cache_dir >> install-deps-windows-native-full-signing: steps: - install-deps-windows-signing - install-deps-windows-native-build install-deps-windows-signing: steps: - run: name: Generate Cache Key command: | date +%U%Y >> ~/cache_key.txt cat ~/cache_key.txt - restore_cache: name: Restoring DigitCert cache keys: - digicert-cache-v3-{{ arch }}-{{ checksum "~/cache_key.txt" }} - run: name: Install DigiCert Keylocker Tools shell: powershell command: | # Navigate to C: drive Set-Location C:\ # Check if the file exists in the user's home directory $filePath = Join-Path $env:USERPROFILE 'smtools-windows-x64.msi' if (Test-Path $filePath) { Write-Host "File exists. Moving to C:" Copy-Item $filePath -Destination .\ } else { Write-Host "No existing file found. Downloading..." # Download the file using Invoke-WebRequest curl.exe -X GET https://one.digicert.com/signingmanager/api-ui/v1/releases/smtools-windows-x64.msi/download -H "x-api-key:$env:SM_API_KEY" -o smtools-windows-x64.msi # Copy the downloaded file to the user's home directory Copy-Item 'smtools-windows-x64.msi' -Destination $env:USERPROFILE } # Execute the MSI installer msiexec.exe /i smtools-windows-x64.msi /quiet /qn | Wait-Process & 'C:\Program Files\DigiCert\DigiCert One Signing Manager Tools\smksp_cert_sync.exe' # Manual resync & 'C:\Program Files\DigiCert\DigiCert One Signing Manager Tools\smctl.exe' windows certsync - save_cache: name: Saving DigitCert cache key: digicert-cache-v3-{{ arch }}-{{ checksum "~/cache_key.txt" }} paths: - ~\smtools-windows-x64.msi install-deps-windows-full-signing: steps: - install-deps-windows-signing install-deps-noop: steps: - run: name: No dependencies to install command: echo all done! install-deps-python: parameters: os: type: string default: linux modules: type: string default: requests PyYAML steps: - when: condition: matches: pattern: '^(linux.*|macos.*|alpine.*|docker.*)' value: << parameters.os >> steps: - run: name: Installing python modules command: python3 -m pip install << parameters.modules >> - when: condition: matches: pattern: '^(win.*|cbl-mariner.*)' value: << parameters.os >> steps: - run: shell: bash.exe name: Installing python modules command: python -m pip install << parameters.modules >> install-deps-macos-full: parameters: items: type: string default: go gradle python pipenv elixir composer gradle@9 maven sbt dotnet uv steps: - run: name: Installing Rosetta command: softwareupdate --install-rosetta --agree-to-license - restore_cache: key: acceptance-tests-macos-<< parameters.items >> - run: name: Installing sdks and tools via homebrew command: | brew install << parameters.items >> echo 'export PATH="/opt/homebrew/opt/gradle@9/bin:$PATH"' >> "$BASH_ENV" - save_cache: key: acceptance-tests-macos-<< parameters.items >> paths: - ~/Library/Caches/Homebrew - install-deps-python: os: macos install-deps-macos-build: parameters: items: type: string default: go gradle python elixir composer gradle@9 maven sbt dotnet steps: - run: name: Installing Rosetta command: softwareupdate --install-rosetta --agree-to-license - install-deps-python: os: macos install-deps-alpine-full: steps: - run: name: Installing Node.js + other test dependencies command: | arch=$(uname -m) case "$arch" in aarch64) arch="arm64";; *) arch="amd64";; esac echo "using architecture: $arch" apk add --update nodejs npm bash maven git python3 py3-pip elixir composer unzip xdg-utils docker pip3 install pipenv requests PyYAML setuptools==70.3.0 wget https://dot.net/v1/dotnet-install.sh -O dotnet-install.sh && chmod +x dotnet-install.sh && ./dotnet-install.sh && \ ln -s $HOME/.dotnet/dotnet /usr/local/bin/dotnet wget https://go.dev/dl/go<< pipeline.parameters.go_version >>.linux-$arch.tar.gz -O /tmp/go.tgz && \ tar -C /usr/local -xzvf /tmp/go.tgz && \ ln -s /usr/local/go/bin/go /usr/local/bin wget https://services.gradle.org/distributions/gradle-9.0.0-bin.zip -O /tmp/gradle.zip && \ unzip -d /usr/local /tmp/gradle.zip && \ ln -s /usr/local/gradle-9.0.0/bin/gradle /usr/local/bin wget -qO- https://astral.sh/uv/install.sh | sh ln -s $HOME/.local/bin/uv /usr/local/bin/uv failed-release-notification: steps: - when: condition: equal: [main, << pipeline.git.branch >>] steps: - run: name: Handling failed release command: bash ./release-scripts/handle-failed-release.sh when: on_fail prepare-workspace: parameters: executor: type: string default: linux-base-edge-amd64 steps: - checkout - attach_workspace: at: . shall-deploy: parameters: deployment: type: string steps: - run: name: Shall deployment be done command: | if [ "$(./release-scripts/skip-deployment.sh << parameters.deployment >>)" == true ]; then echo The current branch does not deploy to \"<< parameters.deployment >>\" circleci-agent step halt fi #################################################################################################### # WORKFLOWS #################################################################################################### workflows: test_and_release: jobs: - prodsec/secrets-scan: name: secrets-scan context: snyk-bot-slack channel: cli-alerts trusted-branch: main - docs-only-check: context: devex_cli_docker_hub filters: branches: only: - '/^docs\/.*/' - prepare-build: context: devex_cli_docker_hub requires: - secrets-scan filters: branches: ignore: - '/^docs\/.*/' - code-analysis: go_target_os: linux go_os: linux go_arch: amd64 go_download_base_url: << pipeline.parameters.go_download_base_url >> context: - devex_cli - devex_cli_docker_hub requires: - prepare-build filters: branches: ignore: - '/release.*/' - test-node: context: - nodejs-install - team_hammerhead-cli - devex_cli_docker_hub requires: - prepare-build filters: branches: ignore: - main - '/release.*/' - test-go: go_target_os: linux go_os: linux go_arch: amd64 go_download_base_url: << pipeline.parameters.go_download_base_url >> context: - nodejs-install - team_hammerhead-cli - devex_cli_docker_hub requires: - prepare-build filters: branches: ignore: - main - '/release.*/' - test-legacy-tap: context: - nodejs-install - team_hammerhead-cli - devex_cli_docker_hub requires: - prepare-build filters: branches: ignore: - main - '/release.*/' - build-special-artifacts: name: build fix & protect context: devex_cli_docker_hub requires: - prepare-build - build-artifact: name: build linux amd64 context: - iac-cli - devex_cli_docker_hub go_target_os: linux go_os: linux go_arch: amd64 static_binary: false # TODO: set to true when we have confidence for v1.1304.0 release go_download_base_url: << pipeline.parameters.go_download_base_url >> executor: docker-amd64-xl requires: - prepare-build - build-artifact: name: build linux static amd64 context: - iac-cli - devex_cli_docker_hub go_target_os: linux go_os: linux go_arch: amd64 static_binary: true go_download_base_url: << pipeline.parameters.go_download_base_url >> make_target: build-experimental executor: docker-amd64-xl requires: - prepare-build - build-artifact: name: build linux fips amd64 context: - iac-cli - devex_cli_docker_hub go_target_os: linux go_os: linux go_arch: amd64 go_download_base_url: << pipeline.parameters.fips_go_download_base_url >> make_target: build-fips executor: docker-amd64-xl requires: - prepare-build - build-artifact: name: build linux arm64 context: - iac-cli - devex_cli_docker_hub go_target_os: linux go_os: linux go_arch: arm64 static_binary: false # TODO: set to true when we have confidence for v1.1304.0 release go_download_base_url: << pipeline.parameters.go_download_base_url >> executor: docker-arm64-xl requires: - prepare-build - build-artifact: name: build linux static arm64 context: - iac-cli - devex_cli_docker_hub go_target_os: linux go_os: linux go_arch: arm64 static_binary: true go_download_base_url: << pipeline.parameters.go_download_base_url >> make_target: build-experimental executor: docker-arm64-xl requires: - prepare-build - build-artifact: name: build linux fips arm64 context: - iac-cli - devex_cli_docker_hub go_target_os: linux go_os: linux go_arch: arm64 go_download_base_url: << pipeline.parameters.fips_go_download_base_url >> make_target: build-fips executor: docker-arm64-xl requires: - prepare-build - build-artifact: name: build alpine amd64 context: - iac-cli - devex_cli_docker_hub go_target_os: alpine go_os: linux go_arch: amd64 go_download_base_url: << pipeline.parameters.go_download_base_url >> executor: docker-amd64-xl c_compiler: /usr/bin/musl-gcc requires: - prepare-build - build-artifact: name: build alpine arm64 context: - iac-cli - devex_cli_docker_hub go_target_os: alpine go_os: linux go_arch: arm64 go_download_base_url: << pipeline.parameters.go_download_base_url >> executor: docker-arm64-xl c_compiler: /usr/bin/musl-gcc requires: - prepare-build - build-artifact: name: build macOS amd64 go_target_os: darwin go_os: darwin go_arch: amd64 go_download_base_url: << pipeline.parameters.go_download_base_url >> executor: macos-arm64-large install_deps_extension: macos-build context: - snyk-macos-signing - iac-cli requires: - prepare-build - build-artifact: name: build macOS arm64 go_target_os: darwin go_os: darwin go_arch: arm64 go_download_base_url: << pipeline.parameters.go_download_base_url >> executor: macos-arm64-large install_deps_extension: macos-build context: - snyk-macos-signing - iac-cli requires: - prepare-build - build-artifact: name: build windows amd64 go_target_os: windows go_os: windows go_arch: amd64 go_download_base_url: << pipeline.parameters.fips_go_download_base_url >> make_target: build clean-golang build-fips install_deps_extension: windows-native-full-signing install_path: 'C:\' executor: win-server2022-amd64 context: - snyk-windows-signing - iac-cli requires: - prepare-build - acceptance-tests: name: acceptance-tests linux static arm64 go_target_os: linux go_os: linux go_arch: arm64 go_download_base_url: << pipeline.parameters.go_download_base_url >> shards: 6 context: - nodejs-install - team_hammerhead-cli - devex_cli_docker_hub filters: branches: ignore: - main - '/release.*/' pre_test_cmds: export BROWSER="curl -L" requires: - build linux static arm64 executor: docker-arm64-xl test_snyk_command: ./binary-releases/experimental/snyk-linux-arm64 - acceptance-tests: name: acceptance-tests linux amd64 go_target_os: linux go_os: linux go_arch: amd64 go_download_base_url: << pipeline.parameters.go_download_base_url >> shards: 6 context: - nodejs-install - team_hammerhead-cli - devex_cli_docker_hub filters: branches: ignore: - main - '/release.*/' pre_test_cmds: export BROWSER="curl -L" requires: - build linux amd64 executor: docker-amd64-xl test_snyk_command: ./binary-releases/snyk-linux - acceptance-tests: name: acceptance-tests linux arm64 go_target_os: linux go_os: linux go_arch: arm64 go_download_base_url: << pipeline.parameters.go_download_base_url >> shards: 6 context: - nodejs-install - team_hammerhead-cli - devex_cli_docker_hub filters: branches: ignore: - main - '/release.*/' pre_test_cmds: export BROWSER="curl -L" requires: - build linux arm64 executor: docker-arm64 test_snyk_command: ./binary-releases/snyk-linux-arm64 - acceptance-tests: name: acceptance-tests fips linux arm64 go_target_os: linux go_os: linux go_arch: arm64 go_download_base_url: << pipeline.parameters.fips_go_download_base_url >> shards: 6 executor: docker-arm64 test_snyk_command: ./binary-releases/fips/snyk-linux-arm64 fips: 1 context: - nodejs-install - team_hammerhead-cli - devex_cli_docker_hub filters: branches: ignore: - main - '/release.*/' pre_test_cmds: export BROWSER="curl -L" requires: - build linux fips arm64

📚 Repository Context Analyzed This review considered 4 relevant code sections from 2 files (average relevance: 0.72) CONTRIBUTING.md (3 segments, lines 387-464) scripts/create-build-image.sh (lines 1-81)

[danskmt]

PR Reviewer Guide 🔍

🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

CI Interruption Risk 🟠 [major]
The PR updates the executor image tags (lines 66, 74, 82, 90) and removes the manual dependency installation fallback install_deps_extension: linux-acceptance-tests (lines 772, 795, 817, 841) in a single commit. Per the PR description, the build image is intended to be created after merging. This sequence ensures that the 'main' branch CI will fail for all Linux acceptance tests immediately after merge until the manual image creation job (which takes time to build and push) is completed, as the new tags will not yet exist in the registry or will lack the new dependencies.

📚 Repository Context Analyzed

This review considered 4 relevant code sections from 2 files (average relevance: 0.72)

• CONTRIBUTING.md (3 segments, lines 387-464)
• scripts/create-build-image.sh (lines 1-81)

The image that is being should now contain the dependencies. A separate for installing dependencies is not needed.