Skip to content

Integrate gotap binary and use command field #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
mmaelicke wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Integrate gotap binary and use command field #4

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 8 additions & 1 deletion Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,13 @@ RUN pip install "json2args[data]>=0.6.2"
# with less dependencies
# RUN pip install json2args>=0.6.2

# Build spec binary from source
RUN apt-get update && apt-get install -y golang-go git && \
git clone https://github.com/hydrocode-de/gotap.git /tmp/gotap && \
cd /tmp/gotap && go build -o /usr/local/bin/spec ./main.go && \
rm -rf /tmp/gotap && \
apt-get remove -y golang-go git && apt-get autoremove -y && apt-get clean
Comment on lines +12 to +17
Copy link

@coderabbitai coderabbitai bot Jan 28, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if gotap repository exists and list available tags
git ls-remote --tags https://github.com/hydrocode-de/gotap.git | head -20

Repository: VForWaTer/tool_template_python

Length of output: 365

Pin gotap to an immutable ref for reproducible, safer builds.

Cloning without a pinned tag makes the image non-deterministic and increases supply-chain risk. The gotap repository has stable releases available (latest: v0.2.3.1); pin to a specific tag and build with --depth 1 for efficiency.

✅ Suggested hardening (pin by tag) 
+ARG GOTAP_REF=v0.2.3.1
 RUN apt-get update && apt-get install -y golang-go git && \
-    git clone https://github.com/hydrocode-de/gotap.git /tmp/gotap && \
+    git clone --depth 1 --branch "${GOTAP_REF}" https://github.com/hydrocode-de/gotap.git /tmp/gotap && \
     cd /tmp/gotap && go build -o /usr/local/bin/spec ./main.go && \
     rm -rf /tmp/gotap && \
     apt-get remove -y golang-go git && apt-get autoremove -y && apt-get clean
🤖 Prompt for AI Agents 
In `@Dockerfile` around lines 12 - 17, The Dockerfile currently clones gotap
without an immutable ref; update the RUN step that clones
https://github.com/hydrocode-de/gotap.git (the git clone /tmp/gotap, cd
/tmp/gotap, go build -o /usr/local/bin/spec ./main.go sequence) to clone a
specific release tag (e.g., v0.2.3.1) and use a shallow clone (--depth 1 or
--branch <tag> --depth 1) so the build is reproducible and smaller, then proceed
to build the spec binary and remove /tmp/gotap as before.


# Do anything you need to install tool dependencies here
RUN echo "Replace this line with a tool"

Expand All @@ -23,4 +30,4 @@ COPY ./src /src
COPY ./CITATION.cf[f] /src/CITATION.cff

WORKDIR /src
CMD ["python", "run.py"]
CMD ["spec", "run", "foobar", "--input-file", "/in/input.json"]
1 change: 1 addition & 0 deletions src/tool.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,7 @@ tools:
foobar:
title: Foo Bar
description: A dummy tool to exemplify the YAML file
command: "python run.py"
parameters:
foo_int:
type: integer
Expand Down