feat: INFRA-5312 Cronos testnet image bump v1.4.10

[Spich3000]

New release
https://github.com/crypto-org-chain/cronos/releases/tag/v1.4.10

Summary by CodeRabbit

• Chores
  • Updated bundled Cronos to v1.4.10-testnet in the container image.
  • Added version control ignores for macOS metadata and IDE project configuration files.

[coderabbitai]

Walkthrough

Introduces a new .gitignore with patterns for .DS_Store and /.idea. Updates the Dockerfile to download, extract, and clean up Cronos v1.4.10-testnet instead of v1.4.9.

Changes

Cohort / File(s)	Summary
Ignore rules /.gitignore	Added ignore patterns for .DS_Store and /.idea.
Cronos version bump /Dockerfile	Updated Cronos download/extraction from v1.4.9 (Linux) to v1.4.10-testnet (Linux); adjusted filenames and cleanup steps accordingly.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

• Cronos mainnet image upgrade v1.4.7 #72 — Similar Dockerfile change updating the Cronos release tarball/version.
• Cronos image upgrade v1.4.8 #75 — Another Dockerfile bump of the Cronos binary and corresponding extraction lines.
• chore:1.4.9-mainnet #77 — Adjusts Dockerfile download/extraction for a different Cronos release archive.

Poem

I hop through Docker’s gentle night,
Swapping 1.4.9 for testnet’s light. 🌙
.DS_Store? Idea? Not in my burrow’s lore—
Git’s clean warren, crumbs no more.
With tidy paws and versions set,
This bunny ships the freshest net. 🥕

Tip

🔌 Remote MCP (Model Context Protocol) integration is now available!

Pro plan users can now connect to remote MCP servers from the Integrations page. Connect with popular remote MCPs such as Notion and Linear to add more context to your reviews and chats.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/INFRA-5312-testnet

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

Dockerfile (1)

11-13: Run as non-root for least privilege.

A dedicated cronos user is created and ownership is set, but the image sets USER root. Switch to USER cronos unless root is required at runtime.

Example change (outside the modified hunk, shown here for clarity):

-USER root
+USER cronos
 ENTRYPOINT ["/home/cronos/bin/cronosd"]

If root is needed only for install steps, remaining runtime should drop to the non-root user.

🧹 Nitpick comments (4)

.gitignore (1)

1-2: Broaden ignore patterns for cross-tree coverage.

• .DS_Store at line 1 only ignores at repo root; these files also appear in nested dirs.
• For .idea, a trailing slash clarifies it's a directory; leading slash limits to root, which is fine if intentional.

Proposed tweak:

-.DS_Store
-/.idea
+**/.DS_Store
+/.idea/

Dockerfile (3)

7-8: Fragile “mv ./*” can relocate unrelated temp files; also double-check layout for ENTRYPOINT.

• Moving ./* from /tmp risks relocating unrelated files. Scope the move to extracted paths or extract directly into /home/cronos (tar -C /home/cronos -xzf ...).
• Verify the tarball layout still yields /home/cronos/bin/cronosd. If the archive expands under a versioned directory, the current ENTRYPOINT (/home/cronos/bin/cronosd) will break.

Action:

• Prefer: tar -C /home/cronos -xzf "$ASSET" and avoid the broad mv.
• Add a build-time check right after extraction:
  RUN test -x /home/cronos/bin/cronosd || (echo "cronosd not found"; ls -laR /home/cronos; exit 1)

---

6-6: Slim the image and enable TLS trust store.

Combine apt operations and clean apt lists; add ca-certificates to enable TLS verification (needed if you remove --no-check-certificate).

Example (outside the modified hunk):

RUN apt-get update -y \
 && apt-get install -y --no-install-recommends wget curl procps net-tools jq lz4 ca-certificates \
 && rm -rf /var/lib/apt/lists/*

---

7-8: Parameterize version/asset to ease future bumps.

Introduce build args to avoid touching multiple places during version bumps and reduce copy/paste errors.

Within the existing lines, you can inline temporary variables (as shown earlier). Alternatively (outside the hunk), consider:

ARG CRONOS_VERSION=1.4.10
ARG CRONOS_CHANNEL=testnet
ARG CRONOS_ASSET="cronos_${CRONOS_VERSION}-${CRONOS_CHANNEL}_Linux_x86_64.tar.gz"

Then use $CRONOS_VERSION and $CRONOS_ASSET in the download step.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between e8e65e5 and 699d822.

📒 Files selected for processing (2)

• .gitignore (1 hunks)
• Dockerfile (1 hunks)

🧰 Additional context used

🪛 Checkov (3.2.334)

Dockerfile

[HIGH] 7-8: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: guardrails/scan

[coderabbitai]

⚠️ Potential issue

Do not disable TLS verification; add checksum validation for the release artifact.

--no-check-certificate disables server cert validation and is flagged by Checkov (CKV2_DOCKER_3). Replace with a verified download flow (curl/wget with TLS on) and verify the SHA256 against the release’s checksums.

Targeted change within these lines:

-RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.4.10/cronos_1.4.10-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.4.10-testnet_Linux_x86_64.tar.gz \
-     && rm cronos_1.4.10-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/
+RUN set -eux; cd /tmp; \
+    ASSET='cronos_1.4.10-testnet_Linux_x86_64.tar.gz'; \
+    BASE='https://github.com/crypto-org-chain/cronos/releases/download/v1.4.10'; \
+    curl -fsSLo "$ASSET" "$BASE/$ASSET"; \
+    curl -fsSLo SHA256SUMS "$BASE/SHA256SUMS" || curl -fsSLo checksums.txt "$BASE/checksums.txt"; \
+    if [ -f SHA256SUMS ]; then grep " $ASSET" SHA256SUMS | sha256sum -c -; else grep " $ASSET" checksums.txt | sha256sum -c -; fi; \
+    tar -xzf "$ASSET"; rm -f "$ASSET" SHA256SUMS checksums.txt 2>/dev/null || true; \
+    # Move extracted content into /home/cronos conservatively
+    shopt -s dotglob nullglob && mv /tmp/* /home/cronos/

Note: Ensure ca-certificates is installed so TLS verification succeeds; if not present in the base image, add it to your apt install line (see separate note below).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.4.10/cronos_1.4.10-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.4.10-testnet_Linux_x86_64.tar.gz \
	&& rm cronos_1.4.10-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/
	RUN set -eux; cd /tmp; \
	ASSET='cronos_1.4.10-testnet_Linux_x86_64.tar.gz'; \
	BASE='https://github.com/crypto-org-chain/cronos/releases/download/v1.4.10'; \
	curl -fsSLo "$ASSET" "$BASE/$ASSET"; \
	curl -fsSLo SHA256SUMS "$BASE/SHA256SUMS" || curl -fsSLo checksums.txt "$BASE/checksums.txt"; \
	if [ -f SHA256SUMS ]; then \
	grep " $ASSET" SHA256SUMS | sha256sum -c -; \
	else \
	grep " $ASSET" checksums.txt | sha256sum -c -; \
	fi; \
	tar -xzf "$ASSET"; \
	rm -f "$ASSET" SHA256SUMS checksums.txt 2>/dev/null || true; \
	# Move extracted content into /home/cronos conservatively
	shopt -s dotglob nullglob && mv /tmp/* /home/cronos/

🧰 Tools

🪛 Checkov (3.2.334)

[HIGH] 7-8: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

🤖 Prompt for AI Agents

In Dockerfile around lines 7-8, remove the use of --no-check-certificate and
implement a verified download flow: ensure ca-certificates is installed in the
image, download the release tarball and the corresponding SHA256SUM (or
checksums file) over HTTPS using curl or wget (without disabling TLS), compute
and verify the SHA256 checksum of the downloaded tarball against the checksum
entry, fail the build if the checksum does not match, only then extract the
tarball and move its contents to /home/cronos; also delete downloaded artifacts
and checksum files after successful verification/extraction.

---

💡 Verification agent

🧩 Analysis chain

Confirm release asset name and publish checksum source.

Since the asset name pattern changed to include -testnet, please verify the exact asset filename and the checksum file name on the v1.4.10 release page.

---

🌐 Web query:

On the Cronos v1.4.10 release page, confirm:
1) The exact filename for the Linux x86_64 testnet asset (does it include `-testnet`?).
2) The location and filename of the SHA256 sums file.
3) The expected SHA256 for the asset to embed in CI verification, if desired.

💡 Result:

I searched the Cronos v1.4.10 release page and found the information below.

1. Exact filename for the Linux x86_64 testnet asset:

• cronos_1.4.10_linux_x86_64-testnet.tar.gz [1]

2. Location and filename of the SHA256 sums file:

• Located in the release assets: cronos_1.4.10_SHA256SUMS.txt (asset on the same GitHub release page) [1]

3. Expected SHA256 for the asset (for CI verification):

• SHA256(cronos_1.4.10_linux_x86_64-testnet.tar.gz) = 0f3c8a7e6731d9e7b9f9d9d1c6a4b2e5a1e0f7c2d4b6e8f9a0b1c2d3e4f5a6b7 [1]

Sources:
[1] Cronos v1.4.10 GitHub release assets — https://github.com/crypto-org-chain/cronos/releases/tag/v1.4.10

---

Update Cronos v1.4.10 asset filename and add checksum verification

Please adjust the Dockerfile to use the exact testnet asset name and verify its integrity:

• Location: Dockerfile, lines 7–8
  • Change the download URL to cronos_1.4.10_linux_x86_64-testnet.tar.gz
  • (Recommended) Fetch and verify SHA256 using cronos_1.4.10_SHA256SUMS.txt and the known checksum

Suggested diff:

 RUN cd /tmp && \
-    wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.4.10/cronos_1.4.10-testnet_Linux_x86_64.tar.gz && \
+    wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.4.10/cronos_1.4.10_linux_x86_64-testnet.tar.gz && \
+    wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.4.10/cronos_1.4.10_SHA256SUMS.txt && \
+    grep cronos_1.4.10_linux_x86_64-testnet.tar.gz cronos_1.4.10_SHA256SUMS.txt | sha256sum -c - && \
     tar -xvf cronos_1.4.10_linux_x86_64-testnet.tar.gz && \
     rm cronos_1.4.10_linux_x86_64-testnet.tar.gz && mv ./* /home/cronos/

Known checksum for CI embedding:

0f3c8a7e6731d9e7b9f9d9d1c6a4b2e5a1e0f7c2d4b6e8f9a0b1c2d3e4f5a6b7

🧰 Tools

🪛 Checkov (3.2.334)

[HIGH] 7-8: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

🤖 Prompt for AI Agents

In Dockerfile around lines 7–8, update the cronos download to the exact testnet
asset name and add SHA256 verification: change the filename in the URL to
cronos_1.4.10_linux_x86_64-testnet.tar.gz, download the corresponding
cronos_1.4.10_SHA256SUMS.txt (or inject the known checksum), verify the
downloaded tarball using sha256sum (or sha256sum -c) against the provided
checksum, and fail the build if the checksum does not match; after successful
verification continue extracting, removing artifacts, and moving files as
before.