Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(docker): Checkov installation silently fails on
docker build
in arm64. Workaround till issue will be fixed incheckov
itself #635fix(docker): Checkov installation silently fails on
docker build
in arm64. Workaround till issue will be fixed incheckov
itself #635Changes from 19 commits
5cf0ca5
63f4bef
7014fa0
3d85490
a13a983
42d77d9
f46e8f8
9b58092
3e0d679
b5c6379
54e5ea2
8798d3b
c3322d0
875999c
3481201
c4c1b16
2f00dcf
5e98ae3
1ca976a
01d0868
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
exit 1
prevents silent fail oferror: can't find Rust compiler
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
btw, we can't just add comments inside the code about it. Probably, the best place is on L73
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Out of interest why at
# Install pre-commit
code block (lines 20-23)pip3
has no|| exit 1
bits? Is ii intentional?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because pre-commit doesn't use rust?
I prefer somehow make structured tests work for arm64, rather than add exit 1 in every possible place
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's kind of weird: if
pip3 install ...
fails (as in returns non-zero code) then exit the shell with non-successful code (exit 1
). And this is implemented forcheckov
install only, which means it's okay to not exit for the same e.g. withpre-commit
install bypip
. Doespip
behave differently if it fails to installpre-commit
? 🤔 Aint't Docker'sRUN
imply somewhatset -e
? Should we try and addset -e
to eachRUN
to explicitly let DockerRUN
exit when any downstream command fails withinif/else
statement? 🤔 I'm a bit lost to be honest 😲 We definitely should use consistent solution for all similar expressions for consistencyThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you think of a single script that takes args? Like
install_deps.sh pre-commit
,install_deps.sh checkov
,install_deps.sh pre-commit checkov ...
, orinstall_deps.sh ALL
? Just to keep code in the same place and have re-usable snippets (like shell funcxtions) 🤔There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Problem there that they are different
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
currently, I just moving it out and implementing logic as
We can discuss it in next PR :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some are slightly different, whilst others use the same solutions (like extracting download URLs from GH releases API response). And also I see it odd to have a bunch of almost-the-same ten-lines shell scripts instead of one that can handle installation of all the deps one-by-one or all-at-once.
On the other hand such approach with single script would negatively impact build caching and each
RUN
layer would get rebuilt if the file is updated with a change to the installation steps of a specific dep =(From this point if view I'd better stay with the current approach =)
Makes sense 🤝 (apologies that I already outlined my thoughts — this helps me imprint them in memory 😺)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@MaxymVlasov do not install distributions with pip separately because it will not take all things installed in the previous session into account when you run a new install command. Enumerate everything and let the dependency resolver know all your requirements together. Ideally, use pip-compile to produce and commit constraint files (lockfiles) and invoke it via
pip install -r direct-deps.txt -c constraint.txt
.If you do run separate pip installs, inject a
pip check
invocation at the end to verify integrity.