

@Spich3000 Spich3000 commented Nov 10, 2025

Cronos testnet image upgrade v1.5.3
INFRA-6244 Cronos v1.5.3 Upgrades across clusters

Summary by CodeRabbit

  • Chores
    • Updated deployment configuration to use testnet environment (Cronos v1.5.1) instead of mainnet version (Cronos v1.5.3), with corresponding updates to download and extraction settings.

Signed-off-by: Dmitrii Spichakov <dmitrii.spichakov@chainstack.com>

coderabbitai bot commented Nov 10, 2025

Walkthrough

The Dockerfile's Cronos binary download configuration has been modified to fetch the testnet v1.5.1 release instead of mainnet v1.5.3, updating the download URL, tarball filename, and extraction path accordingly while preserving all other build steps.

Changes

Cohort: Cronos binary version switch
File(s): Dockerfile
Summary: Changed Cronos download source from mainnet v1.5.3 to testnet v1.5.1; updated download URL, archive name, and extraction filename

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify the testnet v1.5.1 URL is correct and accessible
  • Confirm the tarball and extraction filenames match the actual archive contents
  • Ensure the version downgrade (v1.5.3 → v1.5.1) and network switch (mainnet → testnet) are intentional

Poem

🐰 From mainnet peaks to testnet springs,
Version hops to lighter things,
A tarball renamed, a path redrawn,
The Cronos chain moves ever on! 🔗✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
Title check: ⚠️ Warning
Explanation: The title references a testnet upgrade to v1.5.3, but the actual change downgrades from mainnet v1.5.3 to testnet v1.5.1, creating a mismatch.
Resolution: Update the title to accurately reflect the change: 'feat: INFRA-6244 Switch Cronos Docker image from mainnet v1.5.3 to testnet v1.5.1' or similar.
✅ Passed checks (2 passed)
Description Check: ✅ Passed (Check skipped - CodeRabbit's high-level summary is enabled.)
Docstring Coverage: ✅ Passed (No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.)

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🧹 Nitpick comments (1)
Dockerfile (1)

11-12: Consider adding checksum verification for supply chain security.

Downloading and extracting binaries without verifying checksums or signatures increases the risk of deploying compromised binaries. GitHub releases typically provide SHA256 checksums.

Add checksum verification after download:

 RUN cd /tmp && wget https://github.com/crypto-org-chain/cronos/releases/download/v1.5.1/cronos_1.5.3-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3-testnet_Linux_x86_64.tar.gz \
      && rm cronos_1.5.3-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/
+RUN cd /tmp && \
+  wget https://github.com/crypto-org-chain/cronos/releases/download/v1.5.1/cronos_1.5.3-testnet_Linux_x86_64.tar.gz && \
+  wget https://github.com/crypto-org-chain/cronos/releases/download/v1.5.1/cronos_1.5.3-testnet_Linux_x86_64.tar.gz.sha256 && \
+  sha256sum -c cronos_1.5.3-testnet_Linux_x86_64.tar.gz.sha256 && \
+  tar -xvf cronos_1.5.3-testnet_Linux_x86_64.tar.gz && \
+  rm cronos_1.5.3-testnet_Linux_x86_64.tar.gz cronos_1.5.3-testnet_Linux_x86_64.tar.gz.sha256 && \
+  mv ./* /home/cronos/
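Review bot: the suggested block keeps the release tag v1.5.1 paired with a cronos_1.5.3-testnet_* filename in both wget calls, so the tag/filename disagreement has to be resolved before any checksum step can run. Also note what this check does and does not give you: a .sha256 file fetched from the same release URL as the archive catches a corrupted or truncated transfer, but not a release that was replaced at the source, because an attacker who can swap the tarball can swap the checksum file next to it. Pinning the expected digest in the Dockerfile (for example as an ARG) and checking it with `printf '%s  %s\n' "$CRONOS_SHA256" cronos_1.5.3-testnet_Linux_x86_64.tar.gz | sha256sum -c -` is the stronger control. Finally, the unchanged context line shown here omits the --no-check-certificate flag that the actual Dockerfile line carries, so this patch would not apply cleanly as written.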

Confirm that the release provides an SHA256 checksum file before implementing this.

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between eef2ccd and 528086e.

📒 Files selected for processing (1)
  • Dockerfile (1 hunks)
🧰 Additional context used
🪛 Checkov (3.2.334)
Dockerfile

[high] 11-12: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: guardrails/scan

# Download and verify tarball
RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.3/cronos_1.5.3_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3_Linux_x86_64.tar.gz \
&& rm cronos_1.5.3_Linux_x86_64.tar.gz && mv ./* /home/cronos/
RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.1/cronos_1.5.3-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3-testnet_Linux_x86_64.tar.gz \
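Review bot: the comment `# Download and verify tarball` does not match the step: nothing in the RUN line verifies the archive, and `--no-check-certificate` switches off the one check wget would otherwise perform (that the TLS peer is really github.com). Either make the comment honest or add a real verification step. Separately, `mv ./* /home/cronos/` runs in /tmp and moves every non-hidden entry there, not just what the tarball contained; extracting into a fresh directory (`mkdir /tmp/cronos && tar -xf … -C /tmp/cronos`) and moving the named binary keeps the image contents deterministic. The change also replaces a mainnet build with a testnet build at the same path, so the image itself records nothing about which network it targets.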

⚠️ Potential issue | 🔴 Critical

Remove --no-check-certificate flag for security.

Disabling certificate validation via --no-check-certificate introduces a man-in-the-middle attack vector, even in a trusted Docker build environment. This is a security best practice violation.

Apply this fix to remove the flag:

-RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.1/cronos_1.5.3-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3-testnet_Linux_x86_64.tar.gz \
+RUN cd /tmp && wget https://github.com/crypto-org-chain/cronos/releases/download/v1.5.1/cronos_1.5.3-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3-testnet_Linux_x86_64.tar.gz \
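Review bot: dropping the flag is correct, but the `+` line still pairs the v1.5.1 release tag with the cronos_1.5.3-testnet_Linux_x86_64.tar.gz filename, so the download fails for a different reason once this is applied. Fold the tag correction into the same suggestion so the committable change produces a building image.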

If certificate issues persist in your build environment, consider updating the base image (bullseye-slim includes current CA certificates) rather than disabling verification.

📝 Committable suggestion


Suggested change
RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.1/cronos_1.5.3-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3-testnet_Linux_x86_64.tar.gz \
RUN cd /tmp && wget https://github.com/crypto-org-chain/cronos/releases/download/v1.5.1/cronos_1.5.3-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3-testnet_Linux_x86_64.tar.gz \
🧰 Tools
🪛 Checkov (3.2.334)

[high] 11-12: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

🤖 Prompt for AI Agents
In Dockerfile around line 11, the wget invocation uses the insecure
--no-check-certificate flag; remove that flag from the RUN command and use plain
wget to fetch the tarball, and ensure the image has up-to-date CA certificates
by adding a package install (e.g., apt-get update && apt-get install -y
ca-certificates) earlier in the Dockerfile if necessary so TLS verification
succeeds during build.
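The checksum nitpick above and the --no-check-certificate finding both concern the same build-time download step. As an added example (mine, not code from the PR or from CodeRabbit), a POSIX sh helper that keeps certificate validation on and verifies the archive against a digest pinned in the build, so the check does not depend on a .sha256 file served from the same origin as the tarball. The function names and the constructed stand-in file are assumptions.

```shell
#!/bin/sh
# Added example (not code from the PR or from CodeRabbit): verify a downloaded
# release archive against a SHA256 digest pinned in the build itself, rather
# than against a .sha256 file served from the same origin as the archive.
set -e

# verify_pinned_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE hashes to EXPECTED_HEX, 1 otherwise. Feeds sha256sum -c
# the "<hash>  <name>" line format it expects; --status suppresses output.
verify_pinned_sha256() {
    if printf '%s  %s\n' "$2" "$1" | sha256sum -c --status -; then
        return 0
    fi
    echo "checksum mismatch for $1" >&2
    return 1
}

# fetch_and_verify URL EXPECTED_HEX DEST
# Downloads with TLS certificate validation left on (no --no-check-certificate)
# and deletes the file, failing the build, if the pinned digest does not match.
fetch_and_verify() {
    wget -q -O "$3" "$1"
    verify_pinned_sha256 "$3" "$2" || { rm -f "$3"; return 1; }
}

# Offline self-check on a constructed stand-in for the release tarball.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed tarball contents\n' > "$tmp/release.tar.gz"
    good=$(sha256sum "$tmp/release.tar.gz" | cut -d' ' -f1)
    bad=$(printf '%064d' 0)          # placeholder digest, will not match
    verify_pinned_sha256 "$tmp/release.tar.gz" "$good"
    if verify_pinned_sha256 "$tmp/release.tar.gz" "$bad"; then
        echo "tampered file was accepted" >&2; rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    echo "pinned-digest check behaves as expected"
}

demo
```

In a Dockerfile the same idea is an `ARG CRONOS_SHA256=<digest>` followed by `RUN ... && echo "$CRONOS_SHA256  cronos_1.5.3-testnet_Linux_x86_64.tar.gz" | sha256sum -c -` before the tar step, so a digest mismatch fails the build instead of shipping the binary.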

Comment on lines +11 to +12
RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.1/cronos_1.5.3-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3-testnet_Linux_x86_64.tar.gz \
&& rm cronos_1.5.3-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/
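Review bot: this hunk swaps a mainnet release for a testnet build at the same destination (/home/cronos/) with no ARG or LABEL recording the version and network; consider carrying both as build arguments and stamping them into the image (for example via LABEL) so a cluster can tell a testnet image from a mainnet one without inspecting the binary.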

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify release version: PR claims v1.5.3 but URL downloads v1.5.1.

The PR objective states "Cronos testnet image upgrade to v1.5.3", but line 11 downloads from the v1.5.1 release tag. The tarball filename references 1.5.3-testnet, creating ambiguity about which version is actually being deployed. This mismatch between the PR objective and the release tag needs clarification—is v1.5.1 the correct version, or should the URL reference v1.5.3?

Run the following script to verify the release exists and inspect its contents:


🏁 Script executed:

#!/bin/bash
# Description: Verify the v1.5.1 release and check for the expected tarball

# Fetch release metadata
gh api repos/crypto-org-chain/cronos/releases/tags/v1.5.1 --jq '.assets[] | {name, download_count}'

# Check if v1.5.3 release also exists
echo "Checking for v1.5.3 release..."
gh api repos/crypto-org-chain/cronos/releases/tags/v1.5.3 --jq '.assets[] | {name, download_count}' 2>/dev/null || echo "v1.5.3 release not found or not accessible"

Length of output: 1697



Fix critical version mismatch: URL downloads v1.5.1 but requests v1.5.3 file that doesn't exist.

Line 11 contains a breaking error: the URL references the v1.5.1 release tag, but attempts to download cronos_1.5.3-testnet_Linux_x86_64.tar.gz. This file does not exist in the v1.5.1 release (which only contains cronos_1.5.1-testnet_* files). The v1.5.3 file exists in the v1.5.3 release. This mismatch will cause the build to fail. Change the download URL from v1.5.1 to v1.5.3 to match the PR objective and the requested filename:

RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos/releases/download/v1.5.3/cronos_1.5.3-testnet_Linux_x86_64.tar.gz && tar -xvf cronos_1.5.3-testnet_Linux_x86_64.tar.gz \
     && rm cronos_1.5.3-testnet_Linux_x86_64.tar.gz && mv ./* /home/cronos/
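Review bot: the corrected RUN line still carries --no-check-certificate, even though the sentence that follows says to remove it; anyone who copies this block as written re-introduces the CKV2_DOCKER_3 finding. Drop the flag in the suggested line itself so the snippet and the advice agree.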

Additionally, remove the --no-check-certificate flag to avoid disabling SSL certificate verification (security risk flagged by Checkov CKV2_DOCKER_3).

🧰 Tools
🪛 Checkov (3.2.334)

[high] 11-12: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

🤖 Prompt for AI Agents
In Dockerfile around lines 11-12, the wget URL uses release tag v1.5.1 but
attempts to fetch cronos_1.5.3-testnet_Linux_x86_64.tar.gz (causing a
nonexistent-file build failure); update the download URL to use the v1.5.3
release so the requested filename exists, and remove the --no-check-certificate
flag to avoid disabling SSL verification (ensure the tarball name and URL tag
match exactly and keep the subsequent tar, rm, and mv steps unchanged).

@Spich3000 Spich3000 merged commit 7a7b965 into master Nov 10, 2025
3 checks passed