Refactor Dockerfile and analysis script to remove Node.js dependency for Claude CLI installation #2101

Open
kaovilai wants to merge 1 commit into openshift:oadp-dev from kaovilai:no-npm-claude

kaovilai (Member) commented Feb 23, 2026

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

How to test the changes made

Summary by CodeRabbit

  • Chores

    • Switched container build to install the Claude CLI as a native binary via curl instead of using npm; test scripts updated to reference the new installation method.
  • Documentation

    • Updated design documentation and user-facing messages to reflect the native Claude CLI installation and adjusted install guidance.

Copilot AI review requested due to automatic review settings February 23, 2026 18:52

coderabbitai bot (Contributor) commented Feb 23, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 1df2f8e and 2cfcf02.

📒 Files selected for processing (3)
  • build/ci-Dockerfile
  • docs/design/claude-prow-failure-analysis_design.md
  • tests/e2e/scripts/analyze_failures.sh
🚧 Files skipped from review as they are similar to previous changes (3)
  • tests/e2e/scripts/analyze_failures.sh
  • docs/design/claude-prow-failure-analysis_design.md
  • build/ci-Dockerfile

Walkthrough

Replaces Node.js/npm-based Claude CLI installation with a native Claude CLI binary installer (via curl) across build config, documentation, and test scripts; removes NodeSource/Node.js/npm install steps and adds a symlinked native claude binary and version check.

Changes

Cohort: Build Configuration
File(s): build/ci-Dockerfile
Summary: Removed NodeSource setup and Node.js install; removed `npm install -g @anthropic-ai/claude-code`; added `curl -fsSL https://claude.ai/install.sh

Cohort: Documentation & Tests
File(s): docs/design/claude-prow-failure-analysis_design.md, tests/e2e/scripts/analyze_failures.sh
Summary: Updated user-facing and test messages to recommend the curl-based installer (`curl -fsSL https://claude.ai/install.sh

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | The description template sections are present but empty; no details explain why changes were made or how to test them, making the description largely incomplete. | Fill in 'Why the changes were made' with problem statement and benefits, and 'How to test the changes' with specific testing commands and verification steps. |
| Test Structure And Quality | ❓ Inconclusive | Unable to execute shell commands to analyze PR test code structure and quality requirements. | Please provide the PR details, test files content, or repository structure to assess test quality compliance. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and accurately summarizes the main change: refactoring Dockerfile and analysis scripts to remove Node.js dependency for Claude CLI installation. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Stable And Deterministic Test Names | ✅ Passed | PR modifies only infrastructure, CI helper scripts, and documentation files without any Ginkgo test definitions. |


@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 23, 2026

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@build/ci-Dockerfile`:
- Around line 17-19: Replace the unpinned installer invocation that runs "curl
-fsSL https://claude.ai/install.sh | bash" with a pinned-and-verified install:
call the installer with an explicit channel or version (e.g., pass "stable" or
"X.Y.Z" via "bash -s") and validate the downloaded release checksum before
running the installer by fetching the VERSION's manifest.json from Anthropic's
release storage and verifying the SHA256; keep the existing symlink step that
creates /usr/local/bin/claude after successful installation (the ln -sf
~/.claude/bin/claude /usr/local/bin/claude command) so the binary path remains
unchanged.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between 6b2eff5 and d804f74.

📒 Files selected for processing (3)
  • build/ci-Dockerfile
  • docs/design/claude-prow-failure-analysis_design.md
  • tests/e2e/scripts/analyze_failures.sh

Comment on lines +17 to +19
# Install Claude CLI (native binary, no Node.js dependency)
RUN curl -fsSL https://claude.ai/install.sh | bash && \
ln -sf ~/.claude/bin/claude /usr/local/bin/claude
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Claude CLI official installation method version pinning checksum verification

💡 Result:

Official install (Claude Code / “Claude CLI”)

Native installer (recommended):

  • macOS / Linux / WSL: curl -fsSL https://claude.ai/install.sh | bash
  • Windows PowerShell: irm https://claude.ai/install.ps1 | iex
  • Windows CMD: curl -fsSL https://claude.ai/install.cmd -o install.cmd && install.cmd && del install.cmd [1]

Homebrew / WinGet:

  • brew install --cask claude-code
  • winget install Anthropic.ClaudeCode [1]

NPM (deprecated): npm install -g @anthropic-ai/claude-code [1]


Version pinning

Native installer: pin to a channel or exact version

  • Stable channel: curl -fsSL https://claude.ai/install.sh | bash -s stable
  • Exact version: curl -fsSL https://claude.ai/install.sh | bash -s 1.0.58
    (Windows variants are shown in the same doc.) [1]

Also: the install-time choice (“latest” vs “stable”) becomes the default for auto-updates, and you can set "autoUpdatesChannel": "stable" in settings.json to stay on stable. [1]

NPM: pin to an exact version

Use standard npm version syntax, e.g.:

  • npm install -g @anthropic-ai/claude-code@X.Y.Z
    (NPM is deprecated, but still supported.) [1]

Checksum verification (SHA256) + code signing

  • Anthropic publishes SHA256 checksums in a per-version release manifest:
    https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/{VERSION}/manifest.json [1]

Typical workflow:

  1. Download the binary you intend to install.
  2. Download the matching manifest.json for that exact {VERSION}.
  3. Compare your local sha256 of the binary against the manifest’s SHA256 for your OS/arch. [1]

Code signing: macOS binaries are signed by “Anthropic PBC” (and notarized by Apple) and Windows binaries are signed by “Anthropic, PBC”. [1]

Source: Set up Claude Code (official docs). [1]


Pin the Claude CLI installer to a stable version.

The current curl -fsSL https://claude.ai/install.sh | bash pulls "latest" at build time, creating non-reproducible builds and weakening supply-chain guarantees. Anthropic provides version pinning and checksum verification:

  • Version pinning: Append bash -s stable (for stable channel) or bash -s X.Y.Z (for exact version, e.g., bash -s 1.0.58)
  • Checksum verification: SHA256 checksums are published per-version at https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/{VERSION}/manifest.json, along with code signing (macOS/Windows)
  • Alternative: Consider brew install --cask claude-code (if Homebrew is available in your base image) for better reproducibility in container environments

Copilot AI (Contributor) left a comment

Pull request overview

This pull request removes the Node.js dependency for Claude CLI installation by switching from the npm package @anthropic-ai/claude-code to a direct installation using a shell script. The change simplifies the container image by eliminating the need for Node.js and npm, relying instead on a native binary installation method.

Changes:

  • Replaced Node.js/npm-based Claude CLI installation with a curl-based shell script installation
  • Updated installation instructions in error messages to reflect the new installation method
  • Updated design documentation to reflect the new installation approach

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

| File | Description |
| --- | --- |
| build/ci-Dockerfile | Removed Node.js installation steps and replaced with direct Claude CLI installation via shell script |
| docs/design/claude-prow-failure-analysis_design.md | Updated Dockerfile documentation and error message with new installation command |
| tests/e2e/scripts/analyze_failures.sh | Updated error message to show new installation command using curl instead of npm |

dnf clean all
# Install Claude CLI (native binary, no Node.js dependency)
RUN curl -fsSL https://claude.ai/install.sh | bash && \
ln -sf ~/.claude/bin/claude /usr/local/bin/claude

Copilot AI commented Feb 23, 2026

The symlink uses ~/.claude/bin/claude which expands to the home directory of the user running the RUN command (typically root in Dockerfiles). If the container runs as a different user at runtime, the symlink may point to a non-existent path. Consider using an absolute path or verify that the installation script places the binary in a location accessible to all users, or copy the binary directly to /usr/local/bin instead of symlinking.

Suggested change
ln -sf ~/.claude/bin/claude /usr/local/bin/claude
cp ~/.claude/bin/claude /usr/local/bin/claude

dnf clean all
# Install Claude CLI (native binary, no Node.js dependency)
RUN curl -fsSL https://claude.ai/install.sh | bash && \
ln -sf ~/.claude/bin/claude /usr/local/bin/claude

Copilot AI commented Feb 23, 2026

The symlink uses ~/.claude/bin/claude which expands to the home directory of the user running the RUN command (typically root in Dockerfiles). If the container runs as a different user at runtime, the symlink may point to a non-existent path. Consider using an absolute path or verify that the installation script places the binary in a location accessible to all users, or copy the binary directly to /usr/local/bin instead of symlinking.

Suggested change
ln -sf ~/.claude/bin/claude /usr/local/bin/claude
cp "$HOME/.claude/bin/claude" /usr/local/bin/claude && \
chmod 755 /usr/local/bin/claude

Comment on lines +67 to +68
RUN curl -fsSL https://claude.ai/install.sh | bash && \
ln -sf ~/.claude/bin/claude /usr/local/bin/claude

Copilot AI commented Feb 23, 2026

The installation URL https://claude.ai/install.sh should be verified to ensure it exists and is the correct official installation source for Claude CLI. Consider adding verification (such as checking a checksum or signature) after downloading the installation script, or documenting the source URL in comments to help future maintainers verify its authenticity. The curl | bash pattern executes remote code directly, which requires high trust in the source.

Suggested change
RUN curl -fsSL https://claude.ai/install.sh | bash && \
ln -sf ~/.claude/bin/claude /usr/local/bin/claude
# The installer script is served from the official Claude site. For hardened builds,
# provide CLAUDE_INSTALL_SHA256 to verify the script integrity.
ARG CLAUDE_INSTALL_SHA256
RUN curl -fsSLo /tmp/claude-install.sh https://claude.ai/install.sh && \
if [ -n "${CLAUDE_INSTALL_SHA256:-}" ]; then \
echo "${CLAUDE_INSTALL_SHA256} /tmp/claude-install.sh" | sha256sum -c -; \
fi && \
bash /tmp/claude-install.sh && \
ln -sf ~/.claude/bin/claude /usr/local/bin/claude && \
rm -f /tmp/claude-install.sh

Copilot uses AI. Check for mistakes.
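
Added example, not part of this PR or of any reviewer's suggestion: a fail-closed form of the checksum gate discussed in the review comments above (the manifest comparison workflow and the `CLAUDE_INSTALL_SHA256` suggestion). Here a missing or malformed pin is an error instead of a skipped check; the function names and the stand-in installer file are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): fail-closed SHA256 gate for a downloaded installer.

# sha256_of FILE -> prints the lowercase hex digest (sha256sum, or shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 FILE PIN -> 0 on exact match, 1 on mismatch, 2 if the pin is unusable.
verify_sha256() {
    vs_file=$1
    vs_pin=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # An unset or malformed pin is an error, never a reason to skip the check.
    case "$vs_pin" in
        ''|*[!0-9a-f]*) echo "refusing: missing or non-hex SHA256 pin" >&2; return 2 ;;
    esac
    [ "${#vs_pin}" -eq 64 ] || { echo "refusing: pin is not 64 hex characters" >&2; return 2; }
    [ -f "$vs_file" ] || { echo "refusing: $vs_file not found" >&2; return 2; }
    vs_actual=$(sha256_of "$vs_file")
    [ "$vs_actual" = "$vs_pin" ] && return 0
    echo "checksum mismatch for $vs_file: expected $vs_pin, got $vs_actual" >&2
    return 1
}

# run_verified FILE PIN [ARGS...] -> runs FILE with bash only after the gate passes.
run_verified() {
    rv_file=$1; rv_pin=$2; shift 2
    verify_sha256 "$rv_file" "$rv_pin" || return $?
    bash "$rv_file" "$@"
}

# demo -> shows the three outcomes on a constructed stand-in for the installer script.
demo() {
    d_tmp=$(mktemp)
    printf 'echo "installer ran with channel: $1"\n' > "$d_tmp"   # constructed sample
    d_pin=$(sha256_of "$d_tmp")
    d_rc=0; run_verified "$d_tmp" "$d_pin" stable || d_rc=$?
    echo "pinned:   rc=$d_rc"
    d_rc=0; run_verified "$d_tmp" "" stable 2>/dev/null || d_rc=$?
    echo "no pin:   rc=$d_rc"
    echo '# modified after pinning' >> "$d_tmp"
    d_rc=0; run_verified "$d_tmp" "$d_pin" stable 2>/dev/null || d_rc=$?
    echo "tampered: rc=$d_rc"
    rm -f "$d_tmp"
}
demo
```

In an image build the pin would be recorded from a reviewed copy of the script and passed in as a build argument, so an upstream change to the script fails the build until someone reviews it and updates the pin.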
npm install -g @anthropic-ai/claude-code && \
dnf clean all
# Install Claude CLI (native binary, no Node.js dependency)
RUN curl -fsSL https://claude.ai/install.sh | bash && \

Copilot AI commented Feb 23, 2026

The RUN curl -fsSL https://claude.ai/install.sh | bash line executes a remote installation script as root during the CI image build without any integrity or authenticity verification beyond HTTPS. If an attacker compromises claude.ai or this script’s delivery path, they can run arbitrary code inside your build image and, transitively, any CI jobs that use it, leading to a supply chain compromise. Prefer installing the Claude CLI from a package or pinned artifact with a verified checksum or signature instead of piping a mutable remote script directly to bash.

weshayutin (Contributor) commented
Test Suite Failed
⚠ Claude CLI not found in PATH
Skipping Claude analysis (install with: curl -fsSL https://claude.ai/install.sh | bash)
make: *** [Makefile:976: test-e2e] Error

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/design/claude-prow-failure-analysis_design.md`:
- Around line 66-68: Update the design doc snippet to match the Dockerfile by
replacing the installer path "~/.claude/bin/claude" with the actual path used in
the build ( "~/.local/bin/claude" ) and mention that the Dockerfile runs a
CLAUDE version check after installation; ensure the doc text mirrors the install
line and the subsequent version verification so the design doc and
build/ci-Dockerfile remain consistent.

ℹ️ Review info

📥 Commits

Reviewing files that changed from the base of the PR and between d804f74 and 1df2f8e.

📒 Files selected for processing (3)
  • build/ci-Dockerfile
  • docs/design/claude-prow-failure-analysis_design.md
  • tests/e2e/scripts/analyze_failures.sh
🚧 Files skipped from review as they are similar to previous changes (1)
  • tests/e2e/scripts/analyze_failures.sh

…for Claude CLI installation

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
@kaovilai kaovilai added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Feb 25, 2026
kaovilai (Member, Author) commented

Failed to authenticate. API Error: 403 [{"error":{"code":403,"message":"Permission 'aiplatform.endpoints.predict' denied on resource '//aiplatform.googleapis.com/projects/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX/locations/global/publishers/anthropic/models/claude-sonnet-4-5@20250929' (or it may not exist).","status":"PERMISSION_DENIED","details":[{"@type":"type.googleapis.com/google.rpc.ErrorInfo","reason":"IAM_PERMISSION_DENIED","domain":"aiplatform.googleapis.com","metadata":{"resource":"projects/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX/locations/global/publishers/anthropic/models/claude-sonnet-4-5@20250929","permission":"aiplatform.endpoints.predict"}}]}}]

almost there.. need to update model name

kaovilai (Member, Author) commented

actually it was project name.

edited per slack

/retest

openshift-ci bot commented Feb 26, 2026

@kaovilai: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/4.21-e2e-test-cli-aws | 2cfcf02 | link | false | /test 4.21-e2e-test-cli-aws |


weshayutin (Contributor) left a comment

/LGTM
THANK YOU @kaovilai

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Feb 26, 2026
openshift-ci bot commented Feb 26, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai, weshayutin

