t3820: Pin dependency versions and use official glab source in GitLab CI template #3860

…I template
- Pin opencode-ai to v1.2.21 in both main and minimal configs for reproducible builds (was unpinned, risking breakage on new releases)
- Switch glab install from archived profclems/glab (GitHub) to official gitlab-org/cli (GitLab), pinned at v1.89.0
- Fix tar extraction path (binary is at bin/glab, not root)
- Remove fragile grep/cut JSON parsing of GitHub API

Closes #3820
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly enhances the reliability and security of the GitLab CI templates by addressing critical dependency management issues. It ensures reproducible builds by pinning specific versions for key tools like
Code Review
This pull request makes important improvements to the GitLab CI template by pinning dependency versions for opencode-ai and glab. This is a great step towards ensuring reproducible and stable CI builds. Switching to the official glab repository and fixing the installation process also significantly increases reliability. I've added one suggestion to further enhance security by verifying the checksum of the downloaded glab binary, which would protect against potential supply-chain attacks.
| GLAB_VERSION="v1.89.0" | ||
| curl -sL "https://gitlab.com/gitlab-org/cli/-/releases/${GLAB_VERSION}/downloads/glab_${GLAB_VERSION#v}_linux_amd64.tar.gz" | tar xz | ||
| mv bin/glab /usr/local/bin/ |
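Review bot: the `curl -sL "https://gitlab.com/gitlab-org/cli/-/releases/${GLAB_VERSION}/downloads/..." | tar xz` line fails unsafely. Without `-f`/`--fail`, an HTTP error for the release URL returns an HTML body that is piped straight into tar, and because the pipeline's exit status is tar's, the failed download shows up only as a gzip/tar error (or is masked entirely if the shell is not running with `pipefail`). Use `curl -fsSL` and run the job script under `set -o pipefail`. The archive is also extracted with no integrity check against the release checksum, so pinning `GLAB_VERSION` alone does not establish that the bytes installed are the release's.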
For enhanced security and to mitigate supply-chain attacks, it's a best practice to verify the checksum of downloaded artifacts. The glab releases provide a checksum file that can be used for this purpose.
This change introduces a step to download the glab archive, verify its SHA-512 checksum against a known value, and then proceed with extraction. This ensures the integrity of the CLI tool being installed.
```bash
GLAB_VERSION="v1.89.0"
GLAB_ARCHIVE="glab_${GLAB_VERSION#v}_linux_amd64.tar.gz"
# SHA-512 for v1.89.0 from the checksum file published at
# https://gitlab.com/gitlab-org/cli/-/releases/v1.89.0
# Placeholder: replace with the 128-hex-character digest listed there for ${GLAB_ARCHIVE}.
GLAB_CHECKSUM="<sha512-hex-digest-from-release-page>"
# -f makes curl fail on an HTTP error instead of saving the error page as the archive.
curl -fsSLO "https://gitlab.com/gitlab-org/cli/-/releases/${GLAB_VERSION}/downloads/${GLAB_ARCHIVE}"
# sha512sum --check reads "<digest>  <filename>" lines (two spaces); --strict rejects malformed lines.
echo "${GLAB_CHECKSUM}  ${GLAB_ARCHIVE}" | sha512sum --check --strict
tar xzf "${GLAB_ARCHIVE}"
mv bin/glab /usr/local/bin/
rm "${GLAB_ARCHIVE}"
```

…I template (marcusquinn#3860) Merged by pulse supervisor — green CI, 1 review.



Summary
- Pin `opencode-ai` to `@1.2.21` in both main and minimal CI job configs for reproducible builds
- Switch `glab` CLI install from archived `profclems/glab` (GitHub) to official `gitlab-org/cli` (GitLab), pinned at `v1.89.0`
- Fix tar extraction path (binary is at `bin/glab`, not root-level `glab`)
- Remove fragile `grep`/`cut` JSON parsing of GitHub API response

Details

The review feedback from PR #5 identified two high-severity issues:

1. Unpinned `opencode-ai` (line 33, 109): `npm install --global opencode-ai` without a version could break CI on any new release with breaking changes.
2. Fragile `glab` install (lines 39-42): The original code fetched `latest` from the archived `profclems/glab` repo (last updated Oct 2022, pinned at v1.22.0) using fragile `grep`/`cut` JSON parsing. The official CLI has moved to `gitlab.com/gitlab-org/cli` (currently at v1.89.0). Additionally, the tar extraction assumed `glab` was at the archive root, but it's actually at `bin/glab`.

Closes #3820
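As an added example that is not part of this PR nor code from the gitlab-org/cli project, the script below carries the two points discussed on this page, the pinned `glab` version and the checksum verification suggested in the review, through to a working install routine. The version, archive name and download URL are the ones the PR uses; the name `checksums.txt` for the release's checksum file and the `install_glab`, `verify_sha512` and `expected_from_checksums_file` function names are assumptions of this example, and the checksum file used for testing is constructed.

```shell
#!/usr/bin/env bash
# Added example (not the PR's own code): pinned glab install with SHA-512 verification,
# written in POSIX sh so it runs in minimal CI images.
set -eu

GLAB_VERSION="v1.89.0"                                     # pinned, as in the PR
GLAB_ARCHIVE="glab_${GLAB_VERSION#v}_linux_amd64.tar.gz"   # archive name used by the PR
GLAB_BASE_URL="https://gitlab.com/gitlab-org/cli/-/releases/${GLAB_VERSION}/downloads"
GLAB_CHECKSUMS="checksums.txt"                             # assumed name of the release checksum file

# Print the digest listed for ARCHIVE in a checksum file made of "<digest>  <filename>" lines.
# Exit status 1 when the archive is not listed, so a caller cannot silently skip the check.
expected_from_checksums_file() {
  checksums="$1"; archive="$2"
  awk -v name="$archive" '
    { sub(/^\*/, "", $2) }             # tolerate the "*filename" binary-mode marker
    $2 == name { print $1; found = 1 }
    END { exit !found }' "$checksums"
}

# Compare FILE's SHA-512 with EXPECTED (lowercase hex). On mismatch report both and return 1.
verify_sha512() {
  expected="$1"; file="$2"
  actual="$(sha512sum "$file")"
  actual="${actual%% *}"               # sha512sum prints "<digest>  <file>"; keep the digest
  if [ "$actual" != "$expected" ]; then
    printf 'checksum mismatch for %s\n  expected: %s\n  actual:   %s\n' \
      "$file" "$expected" "$actual" >&2
    return 1
  fi
  return 0
}

# Download the pinned archive, verify it against EXPECTED (the digest committed in the CI
# template), then install bin/glab into DEST (default /usr/local/bin). Never runs in the test.
install_glab() {
  expected="$1"; dest="${2:-/usr/local/bin}"
  tmp="$(mktemp -d)"
  # -f: fail on HTTP errors rather than writing an HTML error page to disk as the archive.
  curl -fsSL -o "$tmp/$GLAB_ARCHIVE" "$GLAB_BASE_URL/$GLAB_ARCHIVE"
  verify_sha512 "$expected" "$tmp/$GLAB_ARCHIVE"           # set -e aborts here on mismatch
  tar xzf "$tmp/$GLAB_ARCHIVE" -C "$tmp"
  install -m 0755 "$tmp/bin/glab" "$dest/glab"             # binary is at bin/glab, not the root
  rm -rf "$tmp"
}

# One-time step to obtain the value to pin: fetch the release checksum file and read the
# digest for this archive, then commit it into the template as the EXPECTED argument above.
pin_value_for_release() {
  tmp="$(mktemp -d)"
  curl -fsSL -o "$tmp/$GLAB_CHECKSUMS" "$GLAB_BASE_URL/$GLAB_CHECKSUMS"
  expected_from_checksums_file "$tmp/$GLAB_CHECKSUMS" "$GLAB_ARCHIVE"
  rm -rf "$tmp"
}
```

The digest is passed into `install_glab` rather than fetched next to the archive at install time: a checksum file served from the same release page proves only that the download matches what the server currently offers, not that it is the release that was reviewed, so the value is read once with `pin_value_for_release` and committed into the template alongside `GLAB_VERSION`. A mismatch aborts before `tar` ever runs.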