@Spich3000 (Contributor) commented Oct 15, 2025

Cronos testnet image upgrade v1.5.1

INFRA-6018 Cronos testnet upgrade v1.5.1

Summary by CodeRabbit

  • Chores
    • Upgraded bundled Cronos binary to v1.5.1-testnet in container images, aligning with the latest testnet release.
    • Delivers the latest protocol updates, stability improvements, and compatibility with current testnet networks.
    • Existing workflows remain the same; startup behavior and configuration are unchanged.
    • No user action required.

Signed-off-by: Dmitrii Spichakov <dmitrii.spichakov@chainstack.com>
coderabbitai bot commented Oct 15, 2025

Walkthrough

Updates the Dockerfile to switch the Cronos binary download from v1.4.11 to v1.5.1-testnet by changing the URL, tarball filename, and extraction references. No changes to permissions, entrypoint, or other installation steps.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dockerfile version bump (Dockerfile) | Update Cronos download URL, tarball name, and extraction references to v1.5.1-testnet; no other installation, permission, or entrypoint changes. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

A tarball hops to a fresher nest,
v1.5.1-testnet—ears perked, impressed.
I twitch my nose at URLs anew,
Extract, install—same little queue.
In Docker burrow, I thump with cheer:
“New bits fetched; the path is clear!” 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title Check | ✅ Passed | The title explicitly summarizes the main change (upgrading the Cronos testnet image to v1.5.1) and references the relevant ticket, making it clear and concise for teammates scanning history. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b8abd88 and 6b97b21.

📒 Files selected for processing (1)
  • Dockerfile (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
Dockerfile

[high] 11-12: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: guardrails/scan

Comment on lines +11 to +12
RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.1/cronos_1.5.1-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.1-testnet_Linux_x86_64.tar.gz \
&& rm cronos_1.5.1-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/
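Review bot: `mv ./* /home/cronos/` on line 12 moves everything that happens to be in /tmp, not only what the tarball unpacked, because the archive is extracted directly into /tmp. Extract into a dedicated directory, or straight into the target with `tar -xf cronos_1.5.1-testnet_Linux_x86_64.tar.gz -C /home/cronos`, and drop `-v` so the build log is not filled with the file listing.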

⚠️ Potential issue | 🔴 Critical

Drop --no-check-certificate to avoid MITM exposure.

Disabling TLS validation when fetching the release tarball lets any man-in-the-middle swap the binary, which is an unacceptable supply-chain risk for production images. Please keep certificate checks enabled (and ideally add checksum verification). Fix by removing the flag:

-RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.1/cronos_1.5.1-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.1-testnet_Linux_x86_64.tar.gz \
+RUN cd /tmp && wget https://github.com/crypto-org-chain/cronos/releases/download/v1.5.1/cronos_1.5.1-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.1-testnet_Linux_x86_64.tar.gz \
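Review bot: with the flag removed, the `+` line still feeds the download straight into `tar -xvf` with nothing tying the image to a specific artifact, so a replaced release asset would be installed silently. Pin the expected SHA-256 of cronos_1.5.1-testnet_Linux_x86_64.tar.gz in the Dockerfile and check it between `wget` and `tar`, so the build fails on a mismatch. The release tag in the URL is v1.5.1 while the file name says 1.5.1-testnet; a short comment saying that is intentional would help the next person bumping the version.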

🤖 Prompt for AI Agents
In Dockerfile around lines 11-12, the wget invocation disables TLS certificate
validation via --no-check-certificate which exposes the build to MITM and
supply-chain attacks; remove the --no-check-certificate flag and instead fetch
the release over HTTPS with normal certificate checks enabled, and add
deterministic verification by downloading or embedding a trusted
checksum/signature (e.g., SHA256 or GPG signature) for the tarball and
validating it in the Dockerfile before extracting; ensure the build fails if the
checksum/signature does not match.
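
The checksum step the review comment above asks for, as an added example that is not part of this PR or the Cronos project. The function names `verify_sha256` and `extract_verified` are hypothetical, and the pinned digest is a placeholder because the page does not give one.

```shell
#!/bin/sh
# Added example: refuse to unpack a release tarball unless it matches a
# pinned SHA-256. Function names are hypothetical, not from the PR.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 only when FILE's SHA-256 equals EXPECTED_HEX (case-insensitive).
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A pin must be exactly 64 hex characters; an empty or truncated
    # value must never be able to "match".
    case $expected in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$file" ] || return 3
    actual=$(sha256sum "$file" | cut -d' ' -f1) || return 3
    [ "$actual" = "$expected" ]
}

# extract_verified TARBALL EXPECTED_HEX DEST_DIR
# Verifies first, then extracts into DEST_DIR only (never the current dir).
extract_verified() {
    if ! verify_sha256 "$1" "$2"; then
        echo "checksum mismatch for $1, refusing to extract" >&2
        return 1
    fi
    mkdir -p "$3" && tar -xzf "$1" -C "$3"
}

# How it would sit in the image build. The URL is the one from the PR; the
# digest is a placeholder to be replaced with a value from a trusted source:
#   wget -O /tmp/cronos.tar.gz \
#     https://github.com/crypto-org-chain/cronos/releases/download/v1.5.1/cronos_1.5.1-testnet_Linux_x86_64.tar.gz \
#     && extract_verified /tmp/cronos.tar.gz "<PINNED_SHA256>" /home/cronos \
#     && rm /tmp/cronos.tar.gz
```

Because every step is chained with `&&`, a failed TLS handshake or a digest mismatch stops the `RUN` instruction and fails the build.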

@Spich3000 Spich3000 merged commit 4c6c164 into master Oct 15, 2025
3 checks passed