📝 Walkthrough
Adds configurable NPM/Yarn registry plumbing and a runtime/install fallback: installer steps log the registry, try
Sequence Diagram(s)
sequenceDiagram
participant CI as CI workflow
participant Docker as Docker build
participant Installer as Installer step
participant RegLocal as Local registry
participant RegNpm as npmjs.org
CI->>Docker: start build (with NPM_* build-args/env)
Docker->>Installer: run install script (logs registry)
Installer->>RegLocal: request packages (NPM_REGISTRY_SERVER)
alt install success
RegLocal-->>Installer: packages returned
Installer-->>Docker: install success
else install failure
RegLocal-->>Installer: error
Installer->>Docker: log failure, set NPM_REGISTRY_SERVER=https://registry.npmjs.org
Installer->>RegNpm: retry request
RegNpm-->>Installer: packages returned
Installer-->>Docker: install success on fallback
end
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~20 minutes
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e88d047e8a
Dockerfile
Outdated
| export NPM_REGISTRY_SERVER="https://registry.npmjs.org" | ||
| yarn install --immutable --inline-builds |
Reset auth settings when falling back to npmjs
The installer fallback only switches NPM_REGISTRY_SERVER, but it keeps NPM_ALWAYS_AUTH enabled from the build args. In this stage, if NPM_AUTH_TOKEN is empty/unavailable (for example in a forked PR or after secret rotation), Yarn fails with YN0033 No authentication configured for request, so both the primary and fallback installs fail and the image build is blocked instead of recovering to npmjs.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/nodejs.condo.ci.yml (1)
282-294: Consolidate duplicated install/fallback script into one reusable unit.
The same fallback block is duplicated across six jobs, which will drift over time. Move it to a shared shell script or composite action and call it from each job.
Also applies to: 365-375, 817-826, 852-861, 992-1001, 1027-1036
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/nodejs.condo.ci.yml around lines 282 - 294, The repeated install+fallback block (starting with "set -euo pipefail", "npm i -g turbo" and the "yarn install --immutable || { ... }" fallback that sets NPM_REGISTRY_SERVER) should be extracted into a single reusable unit (either a shell script like install-with-fallback.sh or a composite action) that accepts the NPM_REGISTRY_SERVER env/secret and preserves the echo logs and fallback behavior; then replace each duplicated block in the jobs with a single call to that shared script/action and pass the NPM_REGISTRY_SERVER secret, ensuring the original behavior (global turbo install, registry check, fallback to https://registry.npmjs.org) is retained.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@Dockerfile`:
- Around line 30-37: Remove the ARG/ENV declarations for NPM_AUTH_TOKEN (and
related credentials like NPM_REGISTRY_SERVER, NPM_ALWAYS_AUTH/TURBO_TOKEN) from
the Dockerfile and switch to BuildKit secrets: stop exporting credentials via
ARG/ENV and instead consume them inside RUN steps using --mount=type=secret
(e.g., read from /run/secrets/<id> and export to NPM_AUTH_TOKEN within the RUN),
and update CI workflow to pass the secret via the secrets map (e.g.,
npm_auth_token) so tokens are not baked into image layers or build metadata;
locate the ARG/ENV entries named "ARG NPM_AUTH_TOKEN" and "ENV
NPM_AUTH_TOKEN=..." to remove/replace and adjust the RUN steps that currently
rely on those environment vars to read the secret from the mounted secret
instead.
- Around line 51-54: When falling back to the npmjs registry in the Dockerfile's
yarn install retry block, ensure you unset NPM_ALWAYS_AUTH and NPM_AUTH_TOKEN
before exporting NPM_REGISTRY_SERVER to avoid leaking private auth to the public
registry; modify the retry branch around the yarn install fallback so it
explicitly unsets or sets NPM_ALWAYS_AUTH to "false" and clears NPM_AUTH_TOKEN
before running the second yarn install (the change should be applied in the
block handling the fallback for the yarn install command).
⛔ Files ignored due to path filters (1)
- yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (3)
- .github/workflows/nodejs.condo.ci.yml
- .yarnrc.yml
- Dockerfile
| ARG NPM_REGISTRY_SERVER | ||
| ARG NPM_ALWAYS_AUTH | ||
| ARG NPM_AUTH_TOKEN | ||
|
|
||
| ENV NPM_REGISTRY_SERVER=$NPM_REGISTRY_SERVER | ||
| ENV NPM_ALWAYS_AUTH=$NPM_ALWAYS_AUTH | ||
| ENV NPM_AUTH_TOKEN=$NPM_AUTH_TOKEN | ||
|
|
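Review bot: `ENV NPM_REGISTRY_SERVER=$NPM_REGISTRY_SERVER` and the two `ENV` lines after it always define the variable, as an empty string when the build arg is not passed, so anything that distinguishes unset from empty sees a set-but-empty registry, auth flag and token. Give each `ARG` a default or drop the `ENV` copies and let the `RUN` step that needs them read the build args directly, which also keeps `NPM_AUTH_TOKEN` out of the environment of every later instruction in the stage.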
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify the Dockerfile content around the reported lines
cat -n Dockerfile | head -50
Repository: open-condo-software/condo
Length of output: 1858
🏁 Script executed:
#!/bin/bash
# Check for npm credentials patterns across Docker and workflow files
rg -n 'NPM_AUTH_TOKEN|NPM_ALWAYS_AUTH|NPM_REGISTRY_SERVER' Dockerfile .github/workflows/ -t yaml -t docker
Repository: open-condo-software/condo
Length of output: 1531
🏁 Script executed:
#!/bin/bash
# Check how build-args are passed in the workflows
rg -B 5 -A 5 'docker build|build-args|build_args|--build-arg' .github/workflows/nodejs.condo.ci.yml
Repository: open-condo-software/condo
Length of output: 448
🏁 Script executed:
#!/bin/bash
# Look at the full docker build step in the workflow
rg -B 10 -A 15 'docker build|docker/build-push-action' .github/workflows/nodejs.condo.ci.yml | head -60
Repository: open-condo-software/condo
Length of output: 1049
🏁 Script executed:
#!/bin/bash
# Check if NPM_AUTH_TOKEN is passed to build command (lines 95-115 area)
sed -n '95,120p' .github/workflows/nodejs.condo.ci.yml
Repository: open-condo-software/condo
Length of output: 955
🏁 Script executed:
#!/bin/bash
# Check if BuildKit secrets are used anywhere in the codebase
rg -n 'type=secret|--secret' Dockerfile .github/workflows/ -t yaml -t docker
Repository: open-condo-software/condo
Length of output: 51
Avoid passing npm credentials via Docker ARG/ENV.
The NPM_AUTH_TOKEN (and other credentials like TURBO_TOKEN) are passed as build-args in the workflow and persisted as ENV in the Dockerfile. While BuildKit is enabled, credentials should use --mount=type=secret instead to avoid appearing in build metadata and layer history. For example:
RUN --mount=type=secret,id=npm_auth_token \
    --mount=type=cache,target=/usr/local/share/.cache/yarn \
    bash -ceu '
      export NPM_AUTH_TOKEN=$(cat /run/secrets/npm_auth_token)
      # ... rest of commands
    '
And pass secrets in the workflow via:
secrets:
  npm_auth_token: ${{ secrets.NPM_AUTH_TOKEN }}
Actionable comments posted: 2
♻️ Duplicate comments (2)
Dockerfile (2)
49-52: ⚠️ Potential issue | 🔴 Critical
Clear auth before fallback to npmjs to avoid token exposure.
When switching registry to npmjs, auth state should be reset (NPM_ALWAYS_AUTH=false, unset token). This was reported before and still applies.
🔒 Proposed fix
yarn install --immutable --inline-builds || { echo "Primary registry failed -> fallback to npmjs" + export NPM_ALWAYS_AUTH=false + unset NPM_AUTH_TOKEN export NPM_REGISTRY_SERVER="https://registry.npmjs.org" yarn install --immutable --inline-builds }#!/bin/bash # Verify fallback branch and whether auth-reset is present. sed -n '49,53p' Dockerfile rg -n 'NPM_ALWAYS_AUTH=false|unset NPM_AUTH_TOKEN' Dockerfile🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Dockerfile` around lines 49 - 52, The fallback branch that switches NPM_REGISTRY_SERVER to https://registry.npmjs.org before retrying yarn install must first clear auth state to avoid leaking tokens: in the yarn install fallback block (the branch that exports NPM_REGISTRY_SERVER and retries yarn install) set NPM_ALWAYS_AUTH=false and unset any NPM auth env vars (e.g., NPM_AUTH_TOKEN, NPM_TOKEN) before exporting NPM_REGISTRY_SERVER and running yarn install again so credentials are not sent to the public registry.
30-37: ⚠️ Potential issue | 🟠 Major
Do not persist npm auth credentials via ARG/ENV in image build stages.
This keeps sensitive values in build metadata/scope and was already flagged earlier; it should be migrated to BuildKit secrets.
#!/bin/bash
# Verify credential propagation through ARG/ENV and workflow build args.
rg -n 'ARG NPM_(REGISTRY_SERVER|ALWAYS_AUTH|AUTH_TOKEN)|ENV NPM_(REGISTRY_SERVER|ALWAYS_AUTH|AUTH_TOKEN)' Dockerfile
sed -n '94,104p' .github/workflows/nodejs.condo.ci.yml
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Dockerfile` around lines 30 - 37, The Dockerfile currently exposes sensitive npm credentials via ARG and ENV (ARG NPM_REGISTRY_SERVER, ARG NPM_ALWAYS_AUTH, ARG NPM_AUTH_TOKEN and the corresponding ENV NPM_* lines); remove those ARG/ENV lines and instead update the Dockerfile to read npm auth from BuildKit secrets (use --secret and the secret id inside the build step) and update the CI workflow (.github/workflows node build) to pass the credentials as BuildKit secrets rather than build-args; ensure any npm authentication in functions/commands that previously referenced ENV NPM_AUTH_TOKEN is switched to read from the secret mount or a temporary file at build time and remove all ARG/ENV references to NPM_REGISTRY_SERVER/NPM_ALWAYS_AUTH/NPM_AUTH_TOKEN to avoid persisting credentials in image metadata.
🧹 Nitpick comments (1)
.github/workflows/nodejs.condo.ci.yml (1)
287-293: Consider extracting install+fallback into a reusable action/script.
The same fallback block is duplicated across many jobs; centralizing it will reduce drift and make registry behavior consistent.
Also applies to: 367-373, 817-823, 851-857, 990-996, 1024-1030
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/nodejs.condo.ci.yml around lines 287 - 293, Extract the duplicated yarn install + fallback logic into a single reusable action or script (e.g., create a script named install-with-registry-fallback or a composite GitHub Action install-fallback) and replace each repeated block (the yarn install --immutable fallback that sets NPM_REGISTRY_SERVER="https://registry.npmjs.org" and re-runs yarn install) with a single call to that new action/script; ensure the new implementation preserves the logging lines ("Registry (before): $(yarn config get npmRegistryServer)" and "Registry (fallback): $(yarn config get npmRegistryServer)"), exits with a non-zero status on final failure, and update all occurrences referenced in the comment to call the central install-fallback instead of duplicating the block.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/nodejs.condo.ci.yml:
- Around line 367-373: The job never sets NPM_REGISTRY_SERVER before the initial
yarn install, so the fallback path never actually exercises a local registry;
update the block containing the echo "Registry (before): $(yarn config get
npmRegistryServer)" and the yarn install --immutable lines to explicitly export
NPM_REGISTRY_SERVER pointing at the local registry (e.g. export
NPM_REGISTRY_SERVER="https://local-registry.example") before the first yarn
install, keep the existing fallback that sets
NPM_REGISTRY_SERVER="https://registry.npmjs.org" on failure, and mirror this
change for the other identical install blocks (the ones around the other
occurrences) so the initial attempt uses the local registry and only falls back
to npmjs on error.
In `@Dockerfile`:
- Around line 45-54: The RUN block uses backslash continuation with a multi-line
single-quoted shell script which Dockerfile parsing rejects; replace the
continued-quoted script with a single RUN that uses a heredoc to pass the
multi-line shell content (preserving the existing mount
--mount=type=cache,target=/usr/local/share/.cache/yarn and the script logic that
echoes NPM_REGISTRY_SERVER, runs yarn install --immutable --inline-builds, and
on failure sets NPM_REGISTRY_SERVER to https://registry.npmjs.org and retries);
remove the backslash continuation and wrap the multi-line commands in a heredoc
delimiter so the shell script runs as one argument to RUN while keeping
references to NPM_REGISTRY_SERVER and the yarn install commands.
📒 Files selected for processing (2)
- .github/workflows/nodejs.condo.ci.yml
- Dockerfile
| echo "Registry (before): $(yarn config get npmRegistryServer)" | ||
| yarn install --immutable || { | ||
| echo "Local registry failed -> fallback to npmjs" | ||
| export NPM_REGISTRY_SERVER="https://registry.npmjs.org" | ||
| echo "Registry (fallback): $(yarn config get npmRegistryServer)" | ||
| yarn install --immutable | ||
| } |
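Review bot: the `yarn install --immutable || {` fallback fires on any non-zero exit, not only when the local registry is unreachable, so a lockfile that fails `--immutable` or a failing build script triggers a second full install against npmjs and buries the original error under the fallback output. Check that the registry is reachable before the first install, or inspect why it failed, and fall back only in that case.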
Local registry fallback is not wired in these jobs.
These install steps never set NPM_REGISTRY_SERVER, so they default to npmjs and won’t exercise the intended “local registry → npmjs fallback” path.
💡 Proposed fix
env:
DOCKER_IMAGE: condo/condo-image:${{ github.event.pull_request.head.sha || github.sha }}
DOCKER_IMAGE_FULL: ${{ secrets.DOCKER_REGISTRY }}/condo/condo-image:${{ github.event.pull_request.head.sha || github.sha }}
+ NPM_REGISTRY_SERVER: ${{ secrets.NPM_REGISTRY_SERVER }}
CONDO_TEST_SHARD_TOTAL: 20Also applies to: 817-823, 851-857, 990-996, 1024-1030
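Review bot: `NPM_REGISTRY_SERVER: ${{ secrets.NPM_REGISTRY_SERVER }}` resolves to an empty string wherever the secret is not available, for example on pull requests from forks, so those runs export a defined-but-empty registry variable instead of leaving it unset. Storing the URL as a secret also makes GitHub mask it in the `Registry (before):` log line; if the URL itself is not sensitive, a repository variable keeps that log line useful.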
Dockerfile
Outdated
| RUN --mount=type=cache,target=/usr/local/share/.cache/yarn \ | ||
| yarn install --immutable --inline-builds | ||
| bash -ceu ' | ||
| echo "Registry from env: ${NPM_REGISTRY_SERVER}" | ||
|
|
||
| yarn install --immutable --inline-builds || { | ||
| echo "Primary registry failed -> fallback to npmjs" | ||
| export NPM_REGISTRY_SERVER="https://registry.npmjs.org" | ||
| yarn install --immutable --inline-builds | ||
| } | ||
| ' |
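Review bot: under `bash -ceu`, the `echo "Registry from env: ${NPM_REGISTRY_SERVER}"` line aborts the whole step through `-u` if the variable is ever unset, before the first install is attempted; it only works while the `ENV NPM_REGISTRY_SERVER=...` line keeps defining it. Write `${NPM_REGISTRY_SERVER:-}` in the echo so a log line cannot fail the build.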
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Extract and analyze the Dockerfile RUN block
echo "=== Dockerfile Lines 45-54 ==="
sed -n '45,54p' Dockerfile | cat -A
echo -e "\n=== Line-by-line inspection ==="
python3 << 'PYTHON'
import re
from pathlib import Path
# Read the Dockerfile
dockerfile_content = Path("Dockerfile").read_text()
lines = dockerfile_content.splitlines()
# Print lines 44-54 (0-indexed: 44-53) with line numbers
print("Raw lines 45-54 with metadata:")
for i in range(44, min(54, len(lines))):
    line = lines[i]
    has_backslash = line.rstrip().endswith("\\")
    print(f"Line {i+1}: backslash={has_backslash} | {repr(line)}")
PYTHON
echo -e "\n=== Full RUN command check ==="
# Check if the RUN command is properly continued
sed -n '45,54p' Dockerfile | head -3
Repository: open-condo-software/condo
Length of output: 1371
🏁 Script executed:
#!/bin/bash
# Check if docker/hadolint tools are available and test the syntax
echo "=== Testing if this is valid Docker RUN syntax ==="
# Create a minimal test Dockerfile with the same pattern
cat > /tmp/test_dockerfile << 'EOF'
FROM alpine:latest
RUN --mount=type=cache,target=/usr/local/share/.cache/yarn \
    bash -ceu '
      echo "Registry from env: ${NPM_REGISTRY_SERVER}"
      yarn install --immutable --inline-builds || {
        echo "Primary registry failed -> fallback to npmjs"
        export NPM_REGISTRY_SERVER="https://registry.npmjs.org"
        yarn install --immutable --inline-builds
      }
    '
EOF
# Check if hadolint is available and test
if command -v hadolint &> /dev/null; then
  echo "Hadolint found. Testing syntax..."
  hadolint /tmp/test_dockerfile || echo "Hadolint exit code: $?"
else
  echo "Hadolint not available in this environment"
fi
# Verify the syntax more directly with bash
echo -e "\n=== Verifying shell script syntax within quotes ==="
python3 << 'PYTHON'
# Simulate what Docker sees - the command after RUN
shell_cmd = r"""bash -ceu '
echo "Registry from env: ${NPM_REGISTRY_SERVER}"
yarn install --immutable --inline-builds || {
echo "Primary registry failed -> fallback to npmjs"
export NPM_REGISTRY_SERVER="https://registry.npmjs.org"
yarn install --immutable --inline-builds
}
'"""
print("Command that Docker executes:")
print(repr(shell_cmd))
print("\nThis is valid shell syntax - single quotes can span multiple lines.")
print("The bash process will receive the entire multi-line string as one argument.")
PYTHON
Repository: open-condo-software/condo
Length of output: 967
Fix invalid Dockerfile RUN syntax; backslash continuation doesn't support multi-line quoted strings.
Lines 45–54 use backslash continuation followed by a multi-line single-quoted string, which Dockerfile's parser rejects. Hadolint confirms this as a syntax error: unexpected 'e' expecting ... end of input.
The backslash at the end of line 45 tells the parser to continue line 46 as a Dockerfile argument, not to open a multi-line shell string. Use a heredoc instead, which handles multi-line content within a single RUN instruction without backslash continuation:
Proposed fix
RUN --mount=type=cache,target=/usr/local/share/.cache/yarn \
- bash -ceu '
- echo "Registry from env: ${NPM_REGISTRY_SERVER}"
-
- yarn install --immutable --inline-builds || {
- echo "Primary registry failed -> fallback to npmjs"
- export NPM_REGISTRY_SERVER="https://registry.npmjs.org"
- yarn install --immutable --inline-builds
- }
- '
+ bash -ceu <<'EOF'
+ echo "Registry from env: ${NPM_REGISTRY_SERVER}"
+ yarn install --immutable --inline-builds || {
+ echo "Primary registry failed -> fallback to npmjs"
+ export NPM_REGISTRY_SERVER="https://registry.npmjs.org"
+ yarn install --immutable --inline-builds
+ }
+EOF🧰 Tools
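Review bot: on the added `bash -ceu <<'EOF'` line, `-c` still expects a command string as its next argument, and with only a heredoc on stdin bash stops with "option requires an argument" instead of running the script. Drop the `c` and use `bash -eu <<'EOF'` so the script is read from stdin; the added lines also carry the fallback over without resetting `NPM_ALWAYS_AUTH` or the token first.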
🪛 Hadolint (2.14.0)
[error] 47-47: unexpected 'e'
expecting '#', '', ADD, ARG, CMD, COPY, ENTRYPOINT, ENV, EXPOSE, FROM, HEALTHCHECK, LABEL, MAINTAINER, ONBUILD, RUN, SHELL, STOPSIGNAL, USER, VOLUME, WORKDIR, a pragma, at least one space, or end of input
(DL1000)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@Dockerfile` around lines 45 - 54, The RUN block uses backslash continuation
with a multi-line single-quoted shell script which Dockerfile parsing rejects;
replace the continued-quoted script with a single RUN that uses a heredoc to
pass the multi-line shell content (preserving the existing mount
--mount=type=cache,target=/usr/local/share/.cache/yarn and the script logic that
echoes NPM_REGISTRY_SERVER, runs yarn install --immutable --inline-builds, and
on failure sets NPM_REGISTRY_SERVER to https://registry.npmjs.org and retries);
remove the backslash continuation and wrap the multi-line commands in a heredoc
delimiter so the shell script runs as one argument to RUN while keeping
references to NPM_REGISTRY_SERVER and the yarn install commands.
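The two findings repeated through this review, one shared install step and an auth reset before the retry, combined in a single function. This is an added example, not code from the pull request; `install_with_fallback`, `fake_install`, `run_demo`, the `local-registry.example` URL and the assumption that `.yarnrc.yml` takes its settings from the `NPM_*` variables are illustrative.

```shell
#!/usr/bin/env bash
# Added example (not from the PR). Assumes .yarnrc.yml takes its registry and
# auth settings from NPM_REGISTRY_SERVER, NPM_ALWAYS_AUTH and NPM_AUTH_TOKEN.

PUBLIC_REGISTRY="https://registry.npmjs.org"

# install_with_fallback CMD [ARGS...]
# Runs CMD against the registry named in NPM_REGISTRY_SERVER. If that fails,
# clears the auth state, switches to the public registry and retries once.
# Returns the exit status of the last attempt.
install_with_fallback() {
  echo "Registry (before): ${NPM_REGISTRY_SERVER:-<unset>}"
  if "$@"; then
    return 0
  fi
  echo "Primary registry failed -> fallback to npmjs"
  # Reset auth before changing the registry, so the private token is never
  # offered to npmjs and the retry does not require credentials it cannot have.
  export NPM_ALWAYS_AUTH=false
  unset NPM_AUTH_TOKEN
  export NPM_REGISTRY_SERVER="$PUBLIC_REGISTRY"
  echo "Registry (fallback): $NPM_REGISTRY_SERVER"
  "$@"
}

# Constructed stand-in for `yarn install --immutable`: succeeds only against
# the public registry and records the auth state each attempt could see
# (presence of the token, never its value).
fake_install() {
  if [ -n "${NPM_AUTH_TOKEN:-}" ]; then token=present; else token=absent; fi
  echo "$NPM_REGISTRY_SERVER always_auth=${NPM_ALWAYS_AUTH:-} token=$token" >> "$ATTEMPT_LOG"
  [ "$NPM_REGISTRY_SERVER" = "$PUBLIC_REGISTRY" ]
}

# run_demo: runs the fallback with constructed values in a subshell, so the
# caller's environment is untouched, and prints one line per install attempt.
run_demo() {
  ATTEMPT_LOG=$(mktemp)
  (
    export NPM_REGISTRY_SERVER="https://local-registry.example"
    export NPM_ALWAYS_AUTH=true
    export NPM_AUTH_TOKEN="constructed-token"
    install_with_fallback fake_install >/dev/null
  )
  status=$?
  cat "$ATTEMPT_LOG"
  rm -f "$ATTEMPT_LOG"
  return "$status"
}

run_demo
```

In a workflow step or Dockerfile `RUN`, the call would be `install_with_fallback yarn install --immutable`.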