Add ldbw support

[koudis]

Summary by CodeRabbit

• New Features

  • Added Ubuntu 18.04 support to the build matrix across multiple modules and packages.
  • Introduced new Docker configurations for fleet-os-3 and Ubuntu 18.04 environments.
  • Added Yocto build configuration for enhanced toolchain management.

• Chores

  • Updated Docker image configurations with improved SSH setup and environment variable handling.
  • Bumped fleet-protocol-internal-client version from v1.1.3 to v1.1.4.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This PR introduces Ubuntu 18.04 support to the project's Docker build matrix by modifying the build automation script to append ubuntu1804 image names, updating 60+ package and application manifest files with new Docker image entries, and adding supporting Ubuntu 18.04 infrastructure including Dockerfile and Yocto configuration.

Changes

Cohort / File(s)	Summary
Build Automation Script add_docker_to_matrix.sh	Changed target Docker image name from "fedora40" to "ubuntu1804" when appending to DockerMatrix.ImageNames arrays
App Manifest Files - Docker Matrix Updates app/io-module/io-module_debug.json, app/io-module/io-module_release.json, app/mission-module/mission-module_debug.json, app/mission-module/mission-module_release.json, app/module-gateway/module-gateway_debug.json, app/module-gateway/module-gateway_release.json, app/mosquitto/mosquitto_debug.json, app/mosquitto/mosquitto_release.json, app/transparent-module/transparent-module_debug.json, app/transparent-module/transparent-module_release.json	Added duplicate "ubuntu1804" entries to DockerMatrix.ImageNames arrays in all files
Package Manifest Files - Docker Matrix Updates package/async-function-execution/*, package/ba-logger/*, package/bzip2/*, package/curl/*, package/cxxopts/cxxopts_v3_*, package/expat/*, package/fleet-http-client-shared/fleet_http_client_*, package/fleet-protocol-interface/fleet_protocol_*, package/gtest/*, package/modbuspp/*, package/msgpack/*, package/nlohmann-json/nlohmann_json_*, package/osmium/*, package/protobuf/protobuf_*, package/protozero/*, package/spdlog/*, package/zlib/*	Added duplicate "ubuntu1804" entries to DockerMatrix.ImageNames arrays across debug and release manifests
Package Manifest Files - Docker Matrix & Formatting Updates package/pahomqttc/pahomqttc_debug.json, package/pahomqttc/pahomqttc_release.json, package/pahomqttcpp/pahomqttcpp_debug.json, package/pahomqttcpp/pahomqttcpp_release.json	Added duplicate "ubuntu1804" entries to DockerMatrix.ImageNames; reformatted Env object from multi-line to compact format
Package Manifest Files - Version & Docker Matrix Updates package/fleet-protocol-internal-client/internal_client_debug.json, package/fleet-protocol-internal-client/internal_client_release.json	Bumped Git.Revision to commit hash 7af777d7d0e568d30c09f0bb10697953e93261b2; bumped Package.VersionTag from v1.1.3 to v1.1.4; added duplicate "ubuntu1804" entries to DockerMatrix.ImageNames
New App Infrastructure app/lightdbw-vehicle-control/lightdbw-vehicle-control_debug.json, app/lightdbw-vehicle-control/lightdbw-vehicle-control_release.json	Added new configuration files with environment, Git metadata, CMake build settings, and Docker matrix configuration for lightdbw-vehicle-control project
Docker Infrastructure - Ubuntu 18.04 docker/ubuntu1804/Dockerfile	New Dockerfile for Ubuntu 18.04 with SSH server, build tools (GCC, CMake 3.28.0), CMCONF setup, and compiler configuration
Docker Infrastructure - Fleet OS docker/fleet-os-3/Dockerfile	Added environment script sourcing and SSH known_hosts configuration for gitlab.bringauto.com on port 1999
Docker Toolchain Configuration docker/fleet-os-3/toolchain/yocto_config.json	New Yocto build configuration file with host system settings, build targets, output options, and Docker matrix definitions
Docker Architecture Metadata docker/ubuntu1804-aarch64/uname.txt	Updated uname output from aarch64 to x86_64 GNU/Linux architecture identifier

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• PR#1: Directly related modification to add_docker_to_matrix.sh script that changes the appended Docker image name from "fedora40" to "ubuntu1804"
• PR#12: Related code-level changes to docker/fleet-os-3/Dockerfile affecting the same Docker infrastructure file with environment and SSH configuration updates
• PR#3: Related changes to DockerMatrix.ImageNames fields across multiple package and app JSON configuration files, using a similar bulk-update pattern

Suggested reviewers

• MarioIvancik

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title check	❓ Inconclusive	The title 'Add ldbw support' is vague and does not clearly describe the actual changes in this PR, which involve adding Ubuntu 18.04 Docker support across numerous configuration files.	Consider using a more descriptive title such as 'Add Ubuntu 18.04 Docker image support to build matrix' to better reflect the primary changes made in this pull request.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/add_ldbw

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[koudis]

Ubuntu 18.04 2x?

[coderabbitai]

Actionable comments posted: 7

Note

Due to the large number of review comments, Critical, Major severity comments were prioritized as inline comments.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (6)

package/nlohmann-json/nlohmann_json_debug.json (1)

26-38: Remove duplicate ubuntu1804 entry.

The DockerMatrix.ImageNames array contains "ubuntu1804" twice (lines 36 and 37), which will cause redundant builds.

Proposed fix

   "DockerMatrix": {
     "ImageNames": [
       "ubuntu2204",
       "fleet-os-3",
       "debian12",
       "ubuntu2404",
       "ubuntu2504",
       "fedora40",
       "fedora41",
       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]
   }

package/spdlog/spdlog_release.json (1)

27-39: Remove duplicate ubuntu1804 entry.

Same issue as other files — "ubuntu1804" appears twice in the array (lines 37 and 38).

Proposed fix

   "DockerMatrix": {
     "ImageNames": [
       "ubuntu2204",
       "fleet-os-3",
       "debian12",
       "ubuntu2404",
       "ubuntu2504",
       "fedora40",
       "fedora41",
       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]
   }

package/osmium/osmium_debug.json (1)

35-46: Remove duplicate ubuntu1804 entry.

"ubuntu1804" appears twice (lines 44 and 45).

Proposed fix

   "DockerMatrix": {
     "ImageNames": [
       "fleet-os-3",
       "ubuntu2204",
       "debian12",
       "ubuntu2404",
       "fedora40",
       "fedora41",
       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]
   }

package/protobuf/protobuf_release_v3.17.json (1)

27-34: Remove duplicate ubuntu1804 entry.

"ubuntu1804" appears twice (lines 32 and 33).

Proposed fix

   "DockerMatrix": {
     "ImageNames": [
       "fedora40",
       "fedora41",
       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]
   }

package/fleet-protocol-internal-client/internal_client_debug.json (1)

33-42: Remove the duplicate ubuntu1804 entry from the DockerMatrix.ImageNames array.

The duplicate entries in lines 41-42 appear to be a result of the add_docker_to_matrix.sh script being applied to files that already contained this image name. This pattern is systemic across 40+ package configuration files in the repository. Duplicates will cause redundant build jobs and should be deduplicated.

Suggested fix

     "ImageNames": [
       "ubuntu2204",
       "debian12",
       "ubuntu1804-aarch64",
       "ubuntu2404",
       "fedora40",
       "fedora41",
       "fedora42",
       "ubuntu1804",
-      "ubuntu1804"
     ]

package/fleet-protocol-internal-client/internal_client_release.json (1)

9-24: Change Revision to match VersionTag v1.1.4.

All other packages in the codebase use version tags in the Revision field (e.g., "Revision": "v1.1.1" in fleet-protocol-cpp). Replace the commit hash with "Revision": "v1.1.4" to maintain consistency with the established pattern and keep metadata aligned.

🤖 Fix all issues with AI agents

In `@add_docker_to_matrix.sh`:
- Around line 6-10: The script unconditionally appends "ubuntu1804" to
DockerMatrix.ImageNames causing duplicates and mishandles filenames with spaces;
update the jq invocation inside the loop that iterates package_json to add the
image only if missing (e.g. use a conditional like: .DockerMatrix.ImageNames |=
(if index("ubuntu1804") then . else . + ["ubuntu1804"] end) or equivalent
contains/index check) and quote the variable references ("${package_json}") when
reading/writing; also write to a safer temp file (mktemp) or atomic move to
replace "${package_json}" after jq succeeds to avoid corruption.

In `@app/lightdbw-vehicle-control/lightdbw-vehicle-control_debug.json`:
- Around line 4-5: The "URI" value in lightdbw-vehicle-control_debug.json
contains an exposed GitLab PAT (glpat-...) which must be removed: rotate the
compromised token immediately, replace the embedded token in the "URI" field
with a secure reference (e.g., use CI/CD secret variable, a credential helper,
or a tokens placeholder like ${GITLAB_TOKEN}) and update any Git fetch/auth
logic to read the token from your environment/CI secret rather than from the
file; ensure the changed file no longer contains the PAT and follow your
secrets-rotation/remediation process to revoke the leaked token.

In `@app/lightdbw-vehicle-control/lightdbw-vehicle-control_release.json`:
- Around line 4-5: The file contains a GitLab personal access token embedded in
the "URI" value; remove the embedded credentials by replacing the "URI" string
with a non‑credentialed URL (e.g.,
https://gitlab.bringauto.com/bring-auto/hardware/lightdbw-vehicle-control.git)
and update any consumers to use CI/credential helpers or a CI/CD variable
(masked secret) for authentication instead of in-repo secrets; after making the
change, rotate/revoke the exposed token in GitLab and confirm pipelines use the
new secret (refer to the "URI" field and the file
lightdbw-vehicle-control_release.json to locate the change).

In `@docker/fleet-os-3/Dockerfile`:
- Line 46: The RUN step in the Dockerfile creates /root/.ssh and appends the
host key to the wrong file name (/root/.ssh/known_host), causing SSH host
verification failures; update the ssh-keyscan redirection in that RUN (the
command that currently references known_host) to append to
/root/.ssh/known_hosts so OpenSSH can read the entry, and ensure the same RUN
still creates the .ssh directory beforehand (mkdir -p /root/.ssh).

In `@docker/ubuntu1804/Dockerfile`:
- Line 4: Replace the hardcoded root password command `RUN echo root:1234 |
chpasswd` with a secure approach: remove the plaintext password, disable root
password SSH logins by ensuring `PasswordAuthentication no` and `PermitRootLogin
prohibit-password` (or `no`) are set in the image's `/etc/ssh/sshd_config`, and
create a non-root user (e.g., adduser + `USER`/`RUN` steps) that you grant sudo
via `/etc/sudoers.d/` or accept an SSH public key via a build ARG/secret;
alternatively, if this image is truly internal-only, add documentation in the
Dockerfile header stating that and why the insecure defaults are present. Ensure
all other occurrences of the same pattern in the Dockerfile are updated to
follow the same hardened approach.

In `@package/expat/expat_debug.json`:
- Around line 35-36: Remove the duplicate "ubuntu1804" entry from the ImageNames
array in expat_debug.json so the array contains unique image names; if you
intended to represent multiple architectures, replace the second "ubuntu1804"
with the correct distinct image name (e.g., "ubuntu1804-aarch64" or another
appropriate identifier) to avoid redundant duplicate builds.

In `@package/pahomqttc/pahomqttc_release.json`:
- Around line 42-43: The ImageNames array in pahomqttc_release.json contains a
duplicate "ubuntu1804" entry; remove the second "ubuntu1804" so each image name
is unique. Locate the ImageNames array in pahomqttc_release.json (and other
affected JSONs) and deduplicate entries (keep a single "ubuntu1804"). Also check
the script add_docker_to_matrix.sh that appends image names and modify it to
avoid appending duplicates (e.g., only add if not already present) to prevent
reoccurrence across the 50+ files.

♻️ Duplicate comments (9)

package/protobuf/protobuf_release_v21.12.json (1)

28-38: Duplicate ubuntu1804 entry (same issue as earlier).

app/lightdbw-vehicle-control/lightdbw-vehicle-control_release.json (1)

26-35: Duplicate ubuntu1804 entry (same issue as earlier).

package/zlib/zlib_release.json (1)

25-35: Duplicate ubuntu1804 entry (same issue as earlier).

package/async-function-execution/async-function-execution_debug.json (1)

34-43: Duplicate ubuntu1804 entry (same issue as earlier).

app/io-module/io-module_release.json (1)

26-34: Duplicate ubuntu1804 entry (same issue as earlier).

package/expat/expat_release.json (1)

34-36: Duplicate ubuntu1804 entry (same pattern as elsewhere).

docker/fleet-os-3/toolchain/yocto_config.json (1)

106-110: Duplicate ubuntu1804 entry in DockerMatrix (same pattern as elsewhere).

package/fleet-protocol-internal-client/internal_client_release.json (1)

40-42: Duplicate ubuntu1804 entry (same pattern as elsewhere).

package/protozero/protozero_release.json (1)

34-36: Duplicate ubuntu1804 entry (same pattern as elsewhere).

🟡 Minor comments (37)

app/transparent-module/transparent-module_release.json-26-30 (1)

26-30: Duplicate ubuntu1804 entry likely unintended.

Line 28–29 repeats the same image name, which can trigger redundant builds. If not intentional, please dedupe.

✅ Proposed fix

   "ImageNames": [
     "fleet-os-3",
-    "ubuntu1804",
     "ubuntu1804"
   ]

package/modbuspp/modbuspp_debug.json-33-35 (1)

33-35: Remove duplicate ubuntu1804 entry from DockerMatrix.ImageNames.

The duplicate entry will likely schedule the same build twice, wasting CI time and artifacts.

🔧 Proposed fix

       "fedora42",
       "ubuntu1804",
-      "ubuntu1804"
+      "ubuntu1804"

package/modbuspp/modbuspp_release.json-34-35 (1)

34-35: Duplicate ubuntu1804 entry.

The ubuntu1804 image name appears twice in the array. This will likely cause duplicate builds for the same image, wasting CI resources.

🐛 Proposed fix

       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"

package/protozero/protozero_debug.json-35-36 (1)

35-36: Remove duplicate ubuntu1804 entry.

"ubuntu1804" is listed twice in the ImageNames array. This appears to be a copy-paste error that would cause redundant Docker builds for the same image.

Proposed fix

       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]

package/fleet-protocol-interface/fleet_protocol_debug.json-38-41 (1)

38-41: Duplicate ubuntu1804 entry in the image list.

Same issue as in fleet_protocol_release.json — lines 39 and 40 both contain "ubuntu1804". Remove one of the duplicate entries to avoid redundant builds.

Proposed fix

       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]

package/fleet-protocol-interface/fleet_protocol_release.json-38-41 (1)

38-41: Duplicate ubuntu1804 entry in the image list.

Lines 39 and 40 both contain "ubuntu1804", which will cause the build matrix to process the same image twice, wasting CI resources. Remove one of the duplicate entries.

Proposed fix

       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]

package/cxxopts/cxxopts_v3_release.json-37-38 (1)

37-38: Remove duplicate ubuntu1804 entry.

The ubuntu1804 image name appears twice in the ImageNames array. This duplicate entry will cause unnecessary redundant builds for the same Docker image.

Proposed fix

       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"

package/protobuf/protobuf_debug_v3.17.json-31-34 (1)

31-34: Duplicate ubuntu1804 entry in ImageNames array.

The ubuntu1804 value appears twice (lines 32-33), which will cause redundant duplicate builds. This appears to be a scripting error that the AI summary confirms is present across multiple files in this PR.

Proposed fix

   "DockerMatrix": {
     "ImageNames": [
       "fedora40",
       "fedora41",
       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]
   }

package/fleet-http-client-shared/fleet_http_client_release.json-44-46 (1)

44-46: Deduplicate ubuntu1804 in the matrix.

Line 45-46 includes ubuntu1804 twice, which is likely redundant.

💡 Suggested fix

       "fedora42",
-      "ubuntu1804",
-      "ubuntu1804"
+      "ubuntu1804"

package/osmium/osmium_release.json-43-45 (1)

43-45: Remove the duplicated ubuntu1804 entry.

Line 44-45 lists ubuntu1804 twice, which likely creates a redundant build.

💡 Suggested fix

       "fedora42",
-      "ubuntu1804",
-      "ubuntu1804"
+      "ubuntu1804"

package/cxxopts/cxxopts_v3_debug.json-36-38 (1)

36-38: Deduplicate ubuntu1804 in the Docker matrix.

Line 37-38 lists ubuntu1804 twice, which likely triggers redundant builds. If not intentional, remove the duplicate.

💡 Suggested fix

       "fedora42",
-      "ubuntu1804",
-      "ubuntu1804"
+      "ubuntu1804"

package/bzip2/bzip2_release.json-32-34 (1)

32-34: Deduplicate ubuntu1804 in the Docker matrix.

Line 33-34 repeats ubuntu1804, which likely causes a duplicated build.

💡 Suggested fix

       "fedora42",
-      "ubuntu1804",
-      "ubuntu1804"
+      "ubuntu1804"

package/curl/curl_release.json-35-37 (1)

35-37: Remove the duplicate ubuntu1804 entry.

Line 36-37 repeats ubuntu1804, which likely causes a duplicated build.

💡 Suggested fix

       "fedora42",
-      "ubuntu1804",
-      "ubuntu1804"
+      "ubuntu1804"

app/module-gateway/module-gateway_debug.json-28-33 (1)

28-33: Remove duplicate ubuntu1804 entry.

The DockerMatrix.ImageNames array contains "ubuntu1804" twice, which will cause redundant builds in the CI matrix.

Proposed fix

   "DockerMatrix": {
     "ImageNames": [
       "fleet-os-3",
-      "ubuntu1804",
       "ubuntu1804"
     ]
   }

package/gtest/gtest_debug.json-32-35 (1)

32-35: Duplicate ubuntu1804 entry in ImageNames.

The ubuntu1804 image appears twice (lines 33-34). Remove one of the duplicate entries to avoid redundant builds.

Proposed fix

       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]

app/transparent-module/transparent-module_debug.json-26-30 (1)

26-30: Duplicate ubuntu1804 entry in ImageNames.

The ubuntu1804 image appears twice (lines 28-29). Remove one of the duplicate entries.

Proposed fix

   "DockerMatrix": {
     "ImageNames": [
       "fleet-os-3",
-      "ubuntu1804",
       "ubuntu1804"
     ]
   }

app/module-gateway/module-gateway_release.json-29-33 (1)

29-33: Duplicate ubuntu1804 entry in ImageNames.

The ubuntu1804 image appears twice (lines 31-32). Remove one of the duplicate entries.

Proposed fix

   "DockerMatrix": {
     "ImageNames": [
       "fleet-os-3",
-      "ubuntu1804",
       "ubuntu1804"
     ]
   }

app/mosquitto/mosquitto_debug.json-25-29 (1)

25-29: Duplicate ubuntu1804 entry in ImageNames.

The ubuntu1804 image appears twice (lines 27-28). Remove one of the duplicate entries.

Proposed fix

   "DockerMatrix": {
     "ImageNames": [
       "fleet-os-3",
-      "ubuntu1804",
       "ubuntu1804"
     ]
   }

app/mission-module/mission-module_debug.json-29-33 (1)

29-33: Duplicate ubuntu1804 entry in ImageNames.

The ubuntu1804 image appears twice in the array (lines 31-32). This will cause redundant builds for the same Docker image. Remove one of the duplicate entries.

Proposed fix

   "DockerMatrix": {
     "ImageNames": [
       "fleet-os-3",
-      "ubuntu1804",
       "ubuntu1804"
     ]
   }

package/curl/curl_debug.json-35-38 (1)

35-38: Duplicate ubuntu1804 entry in ImageNames array.

The ubuntu1804 image appears twice (lines 36 and 37). Remove the duplicate to avoid redundant builds.

🔧 Suggested fix

       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]
   }

package/pahomqttcpp/pahomqttcpp_debug.json-43-46 (1)

43-46: Duplicate ubuntu1804 entry in ImageNames array.

The ubuntu1804 image appears twice (lines 44 and 45). Remove the duplicate to avoid redundant builds.

🔧 Suggested fix

       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]
   }

package/protobuf/protobuf_debug_v21.12.json-36-39 (1)

36-39: Duplicate ubuntu1804 entry in ImageNames array.

The ubuntu1804 image appears twice (lines 37 and 38). Remove the duplicate to avoid redundant builds.

🔧 Suggested fix

       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]
   }

app/mosquitto/mosquitto_release.json-26-29 (1)

26-29: Duplicate ubuntu1804 entry in ImageNames array.

The ubuntu1804 image appears twice in the array (lines 27 and 28). This will trigger redundant builds for the same Docker image. Remove one of the duplicate entries.

🔧 Suggested fix

   "DockerMatrix": {
     "ImageNames": [
       "fleet-os-3",
-      "ubuntu1804",
       "ubuntu1804"
     ]
   }

app/mission-module/mission-module_release.json-31-34 (1)

31-34: Duplicate ubuntu1804 entry in ImageNames array.

The ubuntu1804 image appears twice (lines 32 and 33). Remove the duplicate to avoid redundant builds.

🔧 Suggested fix

   "DockerMatrix": {
     "ImageNames": [
       "fleet-os-3",
       "fedora40",
-      "ubuntu1804",
       "ubuntu1804"
     ]
   }

package/nlohmann-json/nlohmann_json_release.json-35-38 (1)

35-38: Duplicate ubuntu1804 entry in ImageNames array.

The ubuntu1804 image appears twice (lines 36 and 37). This duplicate pattern appears across 60+ JSON files in the repository, confirming a bug in the add_docker_to_matrix.sh script. Line 8 unconditionally appends "ubuntu1804" without checking for existing entries, causing duplicates when run on files that already contain this value. Fix the script to check for existence before appending and re-run it to clean up all affected files.

🔧 Suggested fix

       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]
   }

package/fleet-http-client-shared/fleet_http_client_debug.json-45-46 (1)

45-46: Duplicate ubuntu1804 entry.

Remove one of the duplicate ubuntu1804 entries.

Proposed fix

       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]

package/pahomqttc/pahomqttc_debug.json-42-43 (1)

42-43: Duplicate ubuntu1804 entry in ImageNames array.

The ubuntu1804 image appears twice in the array (lines 42-43). This will cause redundant Docker builds for the same image. Remove one of the duplicate entries.

Proposed fix

       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]

app/io-module/io-module_debug.json-33-34 (1)

33-34: Duplicate ubuntu1804 entry.

Remove one of the duplicate ubuntu1804 entries.

Proposed fix

       "fedora41",
-      "ubuntu1804",
       "ubuntu1804"
     ]

package/gtest/gtest_release.json-33-34 (1)

33-34: Duplicate ubuntu1804 entry.

Remove one of the duplicate ubuntu1804 entries.

Proposed fix

       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]

package/msgpack/msgpack_debug.json-36-37 (1)

36-37: Duplicate ubuntu1804 entry.

Same issue as other files in this PR—ubuntu1804 is listed twice. Remove the duplicate.

Proposed fix

       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]

package/bzip2/bzip2_debug.json-33-34 (1)

33-34: Duplicate ubuntu1804 entry.

Remove one of the duplicate ubuntu1804 entries.

Proposed fix

       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"
     ]

package/zlib/zlib_debug.json-33-35 (1)

33-35: Deduplicate ubuntu1804 in DockerMatrix.ImageNames.

Lines 34–35 repeat the same image name, which likely produces duplicate builds.

💡 Proposed fix

       "fedora42",
       "ubuntu1804",
-      "ubuntu1804"
+      "ubuntu1804"

package/async-function-execution/async-function-execution_release.json-41-43 (1)

41-43: Deduplicate ubuntu1804 in DockerMatrix.ImageNames.

Lines 42–43 contain the same image name twice; this can cause redundant build jobs or ambiguous selection.

💡 Proposed fix

       "fedora42",
       "ubuntu1804",
-      "ubuntu1804"
+      "ubuntu1804"

package/pahomqttcpp/pahomqttcpp_release.json-42-44 (1)

42-44: Deduplicate ubuntu1804 in DockerMatrix.ImageNames.

Lines 43–44 repeat the same image name, which can create redundant build matrix entries.

💡 Proposed fix

       "fedora42",
       "ubuntu1804",
-      "ubuntu1804"
+      "ubuntu1804"

package/spdlog/spdlog_debug.json-36-38 (1)

36-38: Deduplicate ubuntu1804 in DockerMatrix.ImageNames.

Lines 37–38 repeat the same image name, which likely results in duplicate builds.

💡 Proposed fix

       "fedora42",
       "ubuntu1804",
-      "ubuntu1804"
+      "ubuntu1804"

app/lightdbw-vehicle-control/lightdbw-vehicle-control_debug.json-33-34 (1)

33-34: Deduplicate ubuntu1804 in DockerMatrix.ImageNames.

Lines 33–34 repeat the same image name, which likely produces duplicate builds.

💡 Proposed fix

       "fedora41",
       "ubuntu1804",
-      "ubuntu1804"
+      "ubuntu1804"

package/statesmurf/statesmurf_release.json-38-40 (1)

38-40: Avoid duplicate ubuntu1804 entries in the matrix.

Duplicates can trigger redundant builds or require downstream de-duplication. Consider keeping the list unique.

🛠️ Suggested fix

     "fedora42",
     "ubuntu1804",
-    "ubuntu1804"

🧹 Nitpick comments (3)

docker/fleet-os-3/toolchain/yocto_config.json (1)

3-4: Parameterize host-specific paths for portability.

cache_path and yocto_folder look tied to a specific build agent (and cache_path has a double slash). If this file is meant for broader use, consider env vars or relative defaults.

docker/ubuntu1804/Dockerfile (2)

13-16: Verify the CMake download integrity.

The binary download isn’t checksum-verified, which weakens supply-chain guarantees. Add a SHA256 check from the official release.

✅ Example checksum verification

 RUN wget "https://github.com/Kitware/CMake/releases/download/v3.28.0/cmake-3.28.0-linux-x86_64.sh" -O cmake.sh && \
+    echo "<sha256>  cmake.sh" | sha256sum -c - && \
     chmod +x cmake.sh && \
     ./cmake.sh --skip-license --prefix=/usr/local && \
     rm ./cmake.sh

---

18-19: Pin cmakelib to a tag/commit for reproducible builds.

A floating git clone makes builds non-deterministic across time.

🔒 Suggested pinning

-RUN git clone https://github.com/cmakelib/cmakelib.git /cmakelib
+RUN git clone --depth 1 --branch <tag-or-commit> https://github.com/cmakelib/cmakelib.git /cmakelib

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Script is not idempotent — running it twice creates duplicates.

This explains the duplicate "ubuntu1804" entries across all JSON files. The script unconditionally appends the image name without checking if it already exists.

Proposed fix — use `jq` to add only if not present

 shopt -s nullglob
-for package_json in $(find . -name '*.json')
+for package_json in $(find . -name '*.json')
 do
-  jq '.DockerMatrix.ImageNames += [ "ubuntu1804"  ]' ${package_json} > ${package_json}.test
+  jq 'if .DockerMatrix.ImageNames and (.DockerMatrix.ImageNames | index("ubuntu1804") | not) then .DockerMatrix.ImageNames += ["ubuntu1804"] else . end' "${package_json}" > "${package_json}.test"
-  mv ${package_json}.test ${package_json}
+  mv "${package_json}.test" "${package_json}"
 done
 shopt -u nullglob

Additionally, quote ${package_json} to handle filenames with spaces safely.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	for package_json in $(find . -name '*.json')
	do
	jq '.DockerMatrix.ImageNames += [ "fedora40" ]' ${package_json} > ${package_json}.test
	jq '.DockerMatrix.ImageNames += [ "ubuntu1804" ]' ${package_json} > ${package_json}.test
	mv ${package_json}.test ${package_json}
	done
	for package_json in $(find . -name '*.json')
	do
	jq 'if .DockerMatrix.ImageNames and (.DockerMatrix.ImageNames | index("ubuntu1804") | not) then .DockerMatrix.ImageNames += ["ubuntu1804"] else . end' "${package_json}" > "${package_json}.test"
	mv "${package_json}.test" "${package_json}"
	done

🧰 Tools

🪛 Shellcheck (0.11.0)

[warning] 6-6: For loops over find output are fragile. Use find -exec or a while read loop.

(SC2044)

🤖 Prompt for AI Agents

In `@add_docker_to_matrix.sh` around lines 6 - 10, The script unconditionally
appends "ubuntu1804" to DockerMatrix.ImageNames causing duplicates and
mishandles filenames with spaces; update the jq invocation inside the loop that
iterates package_json to add the image only if missing (e.g. use a conditional
like: .DockerMatrix.ImageNames |= (if index("ubuntu1804") then . else . +
["ubuntu1804"] end) or equivalent contains/index check) and quote the variable
references ("${package_json}") when reading/writing; also write to a safer temp
file (mktemp) or atomic move to replace "${package_json}" after jq succeeds to
avoid corruption.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Remove the embedded GitLab PAT from the repository URL.

Line 4 exposes a personal access token in source control, which is a critical security issue. Rotate the token immediately and use CI secrets/credential helpers instead.

🔒 Proposed fix

-    "URI": "https://oauth2:glpat-J7PrW2SI20joymh_SOQnXG86MQp1OjYH.01.0w1i5v7qa@gitlab.bringauto.com/bring-auto/hardware/lightdbw-vehicle-control.git",
+    "URI": "https://gitlab.bringauto.com/bring-auto/hardware/lightdbw-vehicle-control.git",

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"URI": "https://oauth2:glpat-J7PrW2SI20joymh_SOQnXG86MQp1OjYH.01.0w1i5v7qa@gitlab.bringauto.com/bring-auto/hardware/lightdbw-vehicle-control.git",
	"Revision": "1211b2aabb02fa1aa1c004345b977616c391865b"
	"URI": "https://gitlab.bringauto.com/bring-auto/hardware/lightdbw-vehicle-control.git",
	"Revision": "1211b2aabb02fa1aa1c004345b977616c391865b"

🧰 Tools

🪛 Checkov (3.2.334)

[medium] 4-5: Basic Auth Credentials

(CKV_SECRET_4)

🪛 Gitleaks (8.30.0)

[high] 4-4: Identified a GitLab Personal Access Token, risking unauthorized access to GitLab repositories and codebase exposure.

(gitlab-pat)

🤖 Prompt for AI Agents

In `@app/lightdbw-vehicle-control/lightdbw-vehicle-control_debug.json` around
lines 4 - 5, The "URI" value in lightdbw-vehicle-control_debug.json contains an
exposed GitLab PAT (glpat-...) which must be removed: rotate the compromised
token immediately, replace the embedded token in the "URI" field with a secure
reference (e.g., use CI/CD secret variable, a credential helper, or a tokens
placeholder like ${GITLAB_TOKEN}) and update any Git fetch/auth logic to read
the token from your environment/CI secret rather than from the file; ensure the
changed file no longer contains the PAT and follow your
secrets-rotation/remediation process to revoke the leaked token.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Remove the embedded GitLab PAT and rotate the token.

A personal access token is committed in the Git URI, which is a critical credential leak. Replace the URI with a non‑credentialed URL and rely on CI/credential helpers; rotate/revoke the exposed token.

🔒 Suggested fix

-    "URI": "https://oauth2:glpat-J7PrW2SI20joymh_SOQnXG86MQp1OjYH.01.0w1i5v7qa@gitlab.bringauto.com/bring-auto/hardware/lightdbw-vehicle-control.git",
+    "URI": "https://gitlab.bringauto.com/bring-auto/hardware/lightdbw-vehicle-control.git",

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"URI": "https://oauth2:glpat-J7PrW2SI20joymh_SOQnXG86MQp1OjYH.01.0w1i5v7qa@gitlab.bringauto.com/bring-auto/hardware/lightdbw-vehicle-control.git",
	"Revision": "1211b2aabb02fa1aa1c004345b977616c391865b"
	"URI": "https://gitlab.bringauto.com/bring-auto/hardware/lightdbw-vehicle-control.git",
	"Revision": "1211b2aabb02fa1aa1c004345b977616c391865b"

🧰 Tools

🪛 Checkov (3.2.334)

[medium] 4-5: Basic Auth Credentials

(CKV_SECRET_4)

🪛 Gitleaks (8.30.0)

[high] 4-4: Identified a GitLab Personal Access Token, risking unauthorized access to GitLab repositories and codebase exposure.

(gitlab-pat)

🤖 Prompt for AI Agents

In `@app/lightdbw-vehicle-control/lightdbw-vehicle-control_release.json` around
lines 4 - 5, The file contains a GitLab personal access token embedded in the
"URI" value; remove the embedded credentials by replacing the "URI" string with
a non‑credentialed URL (e.g.,
https://gitlab.bringauto.com/bring-auto/hardware/lightdbw-vehicle-control.git)
and update any consumers to use CI/credential helpers or a CI/CD variable
(masked secret) for authentication instead of in-repo secrets; after making the
change, rotate/revoke the exposed token in GitLab and confirm pipelines use the
new secret (refer to the "URI" field and the file
lightdbw-vehicle-control_release.json to locate the change).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Fix SSH known_hosts filename to avoid auth failures.

Line 46 writes to /root/.ssh/known_host, but OpenSSH reads /root/.ssh/known_hosts. This can cause non-interactive SSH/Git to fail host key verification.

🐛 Proposed fix

-RUN mkdir -p /root/.ssh && ssh-keyscan -p 1999 gitlab.bringauto.com >> /root/.ssh/known_host
+RUN mkdir -p /root/.ssh && ssh-keyscan -p 1999 gitlab.bringauto.com >> /root/.ssh/known_hosts

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	RUN mkdir -p /root/.ssh && ssh-keyscan -p 1999 gitlab.bringauto.com >> /root/.ssh/known_host
	RUN mkdir -p /root/.ssh && ssh-keyscan -p 1999 gitlab.bringauto.com >> /root/.ssh/known_hosts

🤖 Prompt for AI Agents

In `@docker/fleet-os-3/Dockerfile` at line 46, The RUN step in the Dockerfile
creates /root/.ssh and appends the host key to the wrong file name
(/root/.ssh/known_host), causing SSH host verification failures; update the
ssh-keyscan redirection in that RUN (the command that currently references
known_host) to append to /root/.ssh/known_hosts so OpenSSH can read the entry,
and ensure the same RUN still creates the .ssh directory beforehand (mkdir -p
/root/.ssh).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's locate and examine the Dockerfile in question
find . -name "Dockerfile" -path "*/docker/ubuntu1804/*" 2>/dev/null

Repository: bringauto/packager-fleet-protocol-context

Length of output: 115

---

🏁 Script executed:

# Let's also search for the file more broadly
fd -t f "Dockerfile" | grep -i ubuntu

Repository: bringauto/packager-fleet-protocol-context

Length of output: 237

---

🏁 Script executed:

# Search for any docker-related configuration files and README
find . -name "docker*" -o -name "*docker*" -type d | head -20

Repository: bringauto/packager-fleet-protocol-context

Length of output: 93

---

🏁 Script executed:

cat -n docker/ubuntu1804/Dockerfile

Repository: bringauto/packager-fleet-protocol-context

Length of output: 1958

---

🏁 Script executed:

# Check for CI/CD configuration files
ls -la | grep -E "\.github|\.gitlab|\.circleci|Jenkinsfile"

Repository: bringauto/packager-fleet-protocol-context

Length of output: 67

---

🏁 Script executed:

# Search for Docker registry or push configuration
rg -i "registry|dockerhub|ghcr|docker push" --type yaml --type json --type txt

Repository: bringauto/packager-fleet-protocol-context

Length of output: 67

---

🏁 Script executed:

# Look for README or documentation
find . -name "README*" -o -name "*.md" | head -10

Repository: bringauto/packager-fleet-protocol-context

Length of output: 185

---

🏁 Script executed:

# Check if there's a docker-compose or build script that shows how these images are used
find . -name "docker-compose*" -o -name "Makefile" -o -name "build*.sh"

Repository: bringauto/packager-fleet-protocol-context

Length of output: 67

---

🏁 Script executed:

cat -n README.md

Repository: bringauto/packager-fleet-protocol-context

Length of output: 1408

---

🏁 Script executed:

cat -n ./docker/fleet-os-3/README.md

Repository: bringauto/packager-fleet-protocol-context

Length of output: 589

---

🏁 Script executed:

# Check if there are other docker READMEs
fd -t f README.md | grep docker

Repository: bringauto/packager-fleet-protocol-context

Length of output: 150

---

🏁 Script executed:

# Look for package JSON files that reference the docker images
find . -name "*.json" | xargs grep -l "ubuntu1804" 2>/dev/null || echo "No matches found"

Repository: bringauto/packager-fleet-protocol-context

Length of output: 2692

---

🏁 Script executed:

# Check the git remote to see if repo is public
git remote -v 2>/dev/null || echo "Not a git repo or no remotes"

Repository: bringauto/packager-fleet-protocol-context

Length of output: 255

---

🏁 Script executed:

# Look for any documentation about the docker images and their usage
find ./docker -name "*.md" -o -name "*.txt" | xargs cat -n 2>/dev/null

Repository: bringauto/packager-fleet-protocol-context

Length of output: 888

---

🏁 Script executed:

# Check if there's any dockerfile usage documentation
grep -r "ubuntu1804\|docker" README.md config/README.md 2>/dev/null || true

Repository: bringauto/packager-fleet-protocol-context

Length of output: 466

---

Hardcoded root password and root SSH login in publicly accessible Dockerfile should be hardened.

This image is checked into a public GitHub repository without documentation indicating it's internal-only (unlike fleet-os-3 which explicitly states this). While not currently used in active package builds, anyone can clone the repo, build, and deploy this image. The configuration allows password authentication on root with listening on 0.0.0.0.

For consistency with security best practices in public repositories, either:

1. Add explicit documentation if this is internal-only (matching fleet-os-3's approach), or
2. Apply the hardening below to make password optional and disable password auth by default

🔐 Hardened default

- RUN echo root:1234 | chpasswd
+ ARG ROOT_PASSWORD
+ RUN if [ -n "$ROOT_PASSWORD" ]; then \
+       echo "root:${ROOT_PASSWORD}" | chpasswd; \
+     else \
+       passwd -l root; \
+     fi

- RUN sed -ri 's/#?PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
+ RUN sed -ri 's/#?PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config && \
+     sed -ri 's/#?PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config

Also applies to: 26-35, 42-42

🧰 Tools

🪛 Checkov (3.2.334)

[medium] 4-4: Ensure that 'chpasswd' is not used to set or remove passwords

(CKV2_DOCKER_17)

🤖 Prompt for AI Agents

In `@docker/ubuntu1804/Dockerfile` at line 4, Replace the hardcoded root password
command `RUN echo root:1234 | chpasswd` with a secure approach: remove the
plaintext password, disable root password SSH logins by ensuring
`PasswordAuthentication no` and `PermitRootLogin prohibit-password` (or `no`)
are set in the image's `/etc/ssh/sshd_config`, and create a non-root user (e.g.,
adduser + `USER`/`RUN` steps) that you grant sudo via `/etc/sudoers.d/` or
accept an SSH public key via a build ARG/secret; alternatively, if this image is
truly internal-only, add documentation in the Dockerfile header stating that and
why the insecure defaults are present. Ensure all other occurrences of the same
pattern in the Dockerfile are updated to follow the same hardened approach.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Duplicate ubuntu1804 entry in ImageNames array.

The same image name "ubuntu1804" appears twice consecutively. This will cause redundant duplicate builds with no benefit. Remove one of the entries.

Proposed fix

       "fedora42",
-      "ubuntu1804",
       "ubuntu1804"

If the intent was to support different architectures (e.g., x86_64 and aarch64), use distinct image names instead.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"ubuntu1804",
	"ubuntu1804"
	"ubuntu1804"

🤖 Prompt for AI Agents

In `@package/expat/expat_debug.json` around lines 35 - 36, Remove the duplicate
"ubuntu1804" entry from the ImageNames array in expat_debug.json so the array
contains unique image names; if you intended to represent multiple
architectures, replace the second "ubuntu1804" with the correct distinct image
name (e.g., "ubuntu1804-aarch64" or another appropriate identifier) to avoid
redundant duplicate builds.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, verify the file exists and check its content around lines 42-43
cat -n package/pahomqttc/pahomqttc_release.json | sed -n '35,50p'

Repository: bringauto/packager-fleet-protocol-context

Length of output: 351

---

🏁 Script executed:

# Get full context of the file
wc -l package/pahomqttc/pahomqttc_release.json

Repository: bringauto/packager-fleet-protocol-context

Length of output: 128

---

🏁 Script executed:

# Search for how ImageNames is used in the build system
rg -i "imagenames" --type json

Repository: bringauto/packager-fleet-protocol-context

Length of output: 4302

---

🏁 Script executed:

# Check if there are other similar release.json files to understand the pattern
fd -e release.json

Repository: bringauto/packager-fleet-protocol-context

Length of output: 67

---

🏁 Script executed:

# Check pahomqttc_debug.json for comparison
cat -n package/pahomqttc/pahomqttc_debug.json | sed -n '35,50p'

Repository: bringauto/packager-fleet-protocol-context

Length of output: 351

---

🏁 Script executed:

# Check a few other similar files to see if duplicates exist elsewhere
for file in package/zlib/zlib_release.json package/spdlog/spdlog_release.json package/protobuf/protobuf_release_v3.17.json; do
  echo "=== $file ==="
  cat -n "$file" | sed -n '35,50p'
done

Repository: bringauto/packager-fleet-protocol-context

Length of output: 434

---

🏁 Script executed:

# Search for how the ImageNames array is processed/used in code
rg -l "ImageNames" --type-not json | head -10

Repository: bringauto/packager-fleet-protocol-context

Length of output: 130

---

🏁 Script executed:

# Check the scripts that process ImageNames
cat -n add_docker_to_matrix.sh | head -50

Repository: bringauto/packager-fleet-protocol-context

Length of output: 405

---

🏁 Script executed:

cat -n change_docker_name.sh | head -50

Repository: bringauto/packager-fleet-protocol-context

Length of output: 532

---

🏁 Script executed:

# Check if there are more files with ubuntu1804 duplicates
rg '"ubuntu1804"' package/ app/ docker/ -A 1 | grep -B 1 '"ubuntu1804"' | grep -A 1 '"ubuntu1804"'

Repository: bringauto/packager-fleet-protocol-context

Length of output: 7511

---

Remove duplicate ubuntu1804 entry in ImageNames array.

"ubuntu1804" appears twice on lines 42-43. This is part of a system-wide issue affecting 50+ JSON files in the repository—likely caused by the add_docker_to_matrix.sh script appending to arrays that already contained this value. All affected files should be deduplicated to prevent redundant builds and potential build failures.

🤖 Prompt for AI Agents

In `@package/pahomqttc/pahomqttc_release.json` around lines 42 - 43, The
ImageNames array in pahomqttc_release.json contains a duplicate "ubuntu1804"
entry; remove the second "ubuntu1804" so each image name is unique. Locate the
ImageNames array in pahomqttc_release.json (and other affected JSONs) and
deduplicate entries (keep a single "ubuntu1804"). Also check the script
add_docker_to_matrix.sh that appends image names and modify it to avoid
appending duplicates (e.g., only add if not already present) to prevent
reoccurrence across the 50+ files.

[koudis]

Why is there a yocto_config?

[koudis]

You have gitlab oauth2 token publicly visible??

[koudis]

revoked.

[koudis]

Wrong internal client version