OCPBUGS-77414: simplify dockerfile by removing cachito dependencies #356

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:main from lgarciaaco:build/simplify-dockerfile-dependencies
Feb 26, 2026

@lgarciaaco lgarciaaco commented Feb 26, 2026

Summary

Simplified Dockerfile.art by removing Cachito dependency management and using standard npm ci workflow.

Changes

  • Remove Cachito dependency management from build process to use direct npm installation
  • Eliminate remote sources and associated environment variables
  • Disable Cypress binary installation to reduce build overhead
  • Replace yum with dnf for consistency
  • Fix typo: "none-root" to "non-root"

Summary by CodeRabbit

  • Chores
    • Simplified the build process by streamlining dependency installation and compilation.
    • Updated the containerized build environment with package manager improvements.

Remove Cachito dependency management from build process to use direct npm installation. This eliminates the need for remote sources and associated environment variables while disabling Cypress binary installation to reduce build overhead.

Key changes:
- Remove REMOTE_SOURCES copy and environment setup
- Switch to direct npm installation with CYPRESS_INSTALL_BINARY=0
- Fix typo in comment: 'none-root' → 'non-root'
- Standardize package manager usage to dnf consistently

coderabbitai bot commented Feb 26, 2026

Walkthrough

Dockerfile.art was updated to simplify the builder stage by removing Cachito-based dependency management and replacing it with direct npm commands. The package manager was changed from yum to dnf, and a comment typo was corrected.

Changes

Cohort / File(s) | Summary
Build configuration: Dockerfile.art | Removed Cachito-based remote source copying and root user switching in the builder stage. Consolidated build steps into a single RUN instruction with CYPRESS_INSTALL_BINARY=0 npm ci && npm run build. Changed package manager from yum to dnf in the web server stage. Fixed typo in non-root user comment from "none-root" to "non-root".

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name | Status | Explanation | Resolution
Stable And Deterministic Test Names | ❓ Inconclusive | Unable to verify the custom check as no repository context or pull request files were provided for analysis. | Provide the repository contents, PR changes, and any test files to assess whether test names contain dynamic information that violates deterministic naming conventions.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Test Structure And Quality | ✅ Passed | PR contains only Dockerfile changes with no test code modifications, making the test quality check not applicable.
Title check | ✅ Passed | The title 'OCPBUGS-77414: simplify dockerfile by removing cachito dependencies' directly matches the main objective of the pull request, which is to simplify the Dockerfile by removing Cachito-based dependency management.


@openshift-ci openshift-ci bot requested review from galkremer1 and tnisan February 26, 2026 13:04

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Dockerfile.art`:
- Around line 14-19: The DNF cleanup is not in the conventional
scanner-acceptable form, causing Trivy DS-0019; update the RUN that installs
packages (the block installing nginx) so after dnf install you explicitly run
dnf clean all and then remove DNF caches (e.g., rm -rf /var/cache/dnf) before
the chown/chmod steps; keep the install command (INSTALL_PKGS/nginx) and the
subsequent rpm -V check but reorder/append the explicit cache removal so
scanners reliably detect cleanup.

📥 Commits

Reviewing files that changed from the base of the PR and between 86f180a and 4fc729d.

📒 Files selected for processing (1)
  • Dockerfile.art

Comment on lines 14 to 19
RUN INSTALL_PKGS="nginx" && \
dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS && \
yum -y clean all --enablerepo='*' && \
dnf -y clean all --enablerepo='*' && \
chown -R 1001:0 /var/lib/nginx /var/log/nginx /run && \
chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run

@coderabbitai coderabbitai bot Feb 26, 2026


⚠️ Potential issue | 🟠 Major

Make DNF cleanup scanner-compliant to avoid CI/security gate failures.

Line 17 still triggers Trivy DS-0019 in this PR context. Even if cleanup is logically present, use the conventional dnf clean all + cache directory removal pattern to satisfy scanners consistently.

Proposed fix
 RUN INSTALL_PKGS="nginx" && \
     dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
     rpm -V $INSTALL_PKGS && \
-    dnf -y clean all --enablerepo='*' && \
+    dnf -y clean all && \
+    rm -rf /var/cache/dnf && \
     chown -R 1001:0 /var/lib/nginx /var/log/nginx /run && \
     chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run
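
Review bot: the added line `dnf -y clean all` still has `-y` between `dnf` and `clean`, so the literal sequence `dnf clean all` that the Trivy message below reports as missing is still absent from the RUN body; it is not evident from this hunk that removing `--enablerepo='*'` is what clears DS-0019. Re-run the scanner against the proposed line before committing it. Dropping `--enablerepo='*'` also narrows what dnf itself cleans to enabled repos, and the added `rm -rf /var/cache/dnf` compensates only if the cache of this base image lives at that path, so either keep the option or confirm the path.
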
📝 Committable suggestion

Suggested change
RUN INSTALL_PKGS="nginx" && \
dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS && \
yum -y clean all --enablerepo='*' && \
dnf -y clean all --enablerepo='*' && \
chown -R 1001:0 /var/lib/nginx /var/log/nginx /run && \
chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run
RUN INSTALL_PKGS="nginx" && \
dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS && \
dnf -y clean all && \
rm -rf /var/cache/dnf && \
chown -R 1001:0 /var/lib/nginx /var/log/nginx /run && \
chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run
🧰 Tools
🪛 Trivy (0.69.1)

[error] 14-19: 'dnf clean all' missing

'dnf clean all' is missed: INSTALL_PKGS="nginx" && dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && rpm -V $INSTALL_PKGS && dnf -y clean all --enablerepo='*' && chown -R 1001:0 /var/lib/nginx /var/log/nginx /run && chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run

Rule: DS-0019

(IaC/Dockerfile)

Member

@lgarciaaco is this a valid concern?

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!
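
Added example (not part of this PR thread and not Trivy's rule logic): a token-aware check for the pattern debated in the DS-0019 comment above, showing that the PR's `dnf -y clean all --enablerepo='*'` is a cleanup step even though the literal string `dnf clean all` never appears in the RUN body. The function names, the naive command splitting and the treatment of every `-`-prefixed word as a valueless option are assumptions of this example.

```python
import re
import shlex

PKG_TOOLS = {"dnf", "yum", "microdnf"}

# Constructed sample: the RUN instruction quoted in the review comment.
PAGE_RUN = r"""RUN INSTALL_PKGS="nginx" && \
    dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
    rpm -V $INSTALL_PKGS && \
    dnf -y clean all --enablerepo='*' && \
    chown -R 1001:0 /var/lib/nginx /var/log/nginx /run && \
    chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run
"""

def run_bodies(dockerfile):
    """Shell text of every RUN instruction, with line continuations joined."""
    joined = re.sub(r"\\[ \t]*\n", " ", dockerfile)
    return [m.group(1).strip()
            for m in re.finditer(r"^[ \t]*RUN[ \t]+(.*)$", joined, re.M | re.I)]

def pkg_args(cmd):
    """Non-option words of a dnf/yum/microdnf call, or None for other commands."""
    try:
        words = shlex.split(cmd)
    except ValueError:  # unbalanced quote left by the naive split below
        return None
    if not words or words[0] not in PKG_TOOLS:
        return None
    # Assumption: every word starting with '-' is an option with no separate value.
    return [w for w in words[1:] if not w.startswith("-")]

def missing_cleanup(dockerfile):
    """RUN bodies that install packages with no later '<tool> clean all'."""
    findings = []
    for body in run_bodies(dockerfile):
        installed = cleaned = False
        for cmd in re.split(r"&&|;", body):  # naive: ignores quoting and '||'
            args = pkg_args(cmd) or []
            if args[:1] == ["install"]:
                installed, cleaned = True, False  # a new install needs a new cleanup
            elif args[:2] == ["clean", "all"]:
                cleaned = True
        if installed and not cleaned:
            findings.append(body)
    return findings

if __name__ == "__main__":
    # Literal substring test vs. token-aware result for the page's RUN line.
    print("dnf clean all" in run_bodies(PAGE_RUN)[0], missing_cleanup(PAGE_RUN))
```
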

@lgarciaaco lgarciaaco changed the title build: simplify dockerfile by removing cachito dependencies OCPBUGS-77414: simplify dockerfile by removing cachito dependencies Feb 26, 2026
@openshift-ci-robot openshift-ci-robot added jira/severity-critical Referenced Jira bug's severity is critical for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Feb 26, 2026
@openshift-ci-robot

@lgarciaaco: This pull request references Jira Issue OCPBUGS-77414, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @gouyang

The bug has been updated to refer to the pull request using the external bug tracker.


@openshift-ci openshift-ci bot requested a review from gouyang February 26, 2026 14:00

openshift-ci bot commented Feb 26, 2026

@lgarciaaco: all tests passed!


@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 26, 2026

openshift-ci bot commented Feb 26, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lgarciaaco, upalatucci


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 26, 2026
@openshift-merge-bot openshift-merge-bot bot merged commit 55fafcf into openshift:main Feb 26, 2026
6 checks passed
@openshift-ci-robot

@lgarciaaco: Jira Issue OCPBUGS-77414: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-77414 has been moved to the MODIFIED state.

