Add a skill for addressing vulnerable dependencies in the Firebase Docker image#10321
Code Review
This pull request introduces a new skill for resolving Docker vulnerabilities, updates the picomatch dependency, and parameterizes the Docker build process in cloudbuild.yaml and run.sh. The review feedback highlights a regression caused by hardcoding the target project ID in the build configuration and suggests improvements to the run.sh script for better path handling and parameterization.
| @@ -1,6 +1,8 @@ | |||
| ## Script for testing Docker image creation without running a full release. | |||
| PROJECT_ID=$1 | |||
| REPO_NAME=${2:-us} | |||
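Review bot: `PROJECT_ID=$1` accepts an empty first argument silently, so invoking the script with no arguments only fails later inside the `submit` command with a less direct error; add a guard such as `: "${PROJECT_ID:?usage: $0 PROJECT_ID [REPO_NAME]}"` right after the assignment and list the positional arguments in the comment on the first line.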
Consider adding a parameter for the target project ID and using dirname "$0" to ensure the script can correctly locate its configuration files when called from the repository root, as suggested in the SKILL.md workflow.
| REPO_NAME=${2:-us} | |
| REPO_NAME=${2:-us} | |
| TARGET_PROJECT_ID=${3:-$PROJECT_ID} | |
| DIR=$(dirname "$0") |
| submit \ | ||
| --substitutions=_REPO_NAME=$REPO_NAME No newline at end of file |
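Review bot: `$REPO_NAME` is expanded unquoted in `--substitutions=_REPO_NAME=$REPO_NAME`, and the file ends without a trailing newline ("No newline at end of file"); quote the expansion as `--substitutions=_REPO_NAME="$REPO_NAME"` and add the final newline so the next change to this line does not produce a spurious diff.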
Specify the configuration file and build context explicitly to ensure the command works when run from the repository root. Also, pass the _TARGET_PROJECT_ID substitution to allow overriding the registry project (which now defaults to firebase-cli in cloudbuild.yaml).
| submit \ | |
| --substitutions=_REPO_NAME=$REPO_NAME | |
| submit \ | |
| --config "$DIR/cloudbuild.yaml" \ | |
| --substitutions=_REPO_NAME="$REPO_NAME",_TARGET_PROJECT_ID="$TARGET_PROJECT_ID" \ | |
| "$DIR" |
| substitutions: | ||
| _REPO_NAME: us | ||
| _TARGET_PROJECT_ID: firebase-cli |
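Review bot: `_TARGET_PROJECT_ID: firebase-cli` hardcodes the registry project as the default, so any build that does not pass the substitution publishes to `firebase-cli` regardless of which project runs the build; this is the regression noted in the summary above. Either drop the default so the value must be supplied explicitly, or have `run.sh` always pass `_TARGET_PROJECT_ID` so the YAML default is never relied on.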
| Run the build on `fir-tools-builds` and publish to the `staging` repository in `firebase-cli` to see the baseline vulnerabilities after the build's own updates. | ||
| ```bash | ||
| ./scripts/publish/firebase-docker-image/run.sh fir-tools-builds staging |
If run.sh is updated to default the target project to the project running the build (restoring previous behavior), this command should explicitly specify firebase-cli as the third argument to maintain the intended workflow of pushing to the staging registry.
| ./scripts/publish/firebase-docker-image/run.sh fir-tools-builds staging | |
| ./scripts/publish/firebase-docker-image/run.sh fir-tools-builds staging firebase-cli |
Description
Adding a skill for checking for and addressing vulnerabilities flagged in the Firebase Docker image.
Also, updated the firebase-docker-image publish script to make it simpler to stage builds for testing and vulnerability checking.