Add reusable action to install roxie CLI #97
Merged
Adds roxie/install-cli composite action that downloads a roxie release binary from GitHub, verifies its SHA-256 checksum, and places it in PATH for subsequent workflow steps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@roxie/install-cli/install-roxie.sh`:
- Around line 5-13: The install-roxie.sh script only normalizes architecture in
the uname-based setup, so non-Linux runners can still proceed and later download
a roxie-linux binary that won’t run. Add an early OS check using uname -s before
building the download URL, and exit with a clear error unless the platform is
Linux. Keep the existing architecture normalization for amd64/arm64, and update
the installer flow around the download URL construction so the Linux-only
contract is enforced by the main install path.
- Around line 21-25: The install flow publishes roxie to PATH before checksum
verification, so unverified binaries can be picked up by later steps. In
install-roxie.sh, update the download/install sequence around the PATH export
logic so the binary is first written to a temporary location, verified, and only
then moved into ~/.local/bin. Also move the GITHUB_PATH append in the install
path handling so it runs only after verification succeeds, keeping PATH
unchanged for failed installs.
- Around line 33-35: The checksum download in install-roxie.sh uses a
predictable /tmp/roxie-checksums.txt path, which should be replaced with a
unique mktemp-based file to avoid TOCTOU/symlink issues. Update the
checksum-fetching flow around the curl and expected lookup to create a temporary
file, use it for the grep/awk verification in place of /tmp/roxie-checksums.txt,
and add a trap to clean it up when the script exits.
In `@roxie/install-cli/README.md`:
- Line 32: The README example currently references the install-cli action via a
mutable `@main` ref, which should be replaced with a stable versioned reference.
Update the documented usage in the README to point to a fixed tag such as `@v1` or
a pinned commit SHA, using the stackrox/actions/roxie/install-cli action
reference so consumers get reproducible workflows.
📒 Files selected for processing (4)
- README.md
- roxie/install-cli/README.md
- roxie/install-cli/action.yml
- roxie/install-cli/install-roxie.sh
- Reject non-Linux runners early
- Download binary to temp dir and verify checksum before installing
- Use mktemp instead of predictable /tmp path
- Use @v1 tag in README usage example

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
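
The verify-before-install sequence that the review comments and the follow-up commit describe, as an added example; it is not the PR's install-roxie.sh. The asset name `roxie-linux-amd64`, the checksums-file layout and the function names are assumptions, and the download into the staging directory is left out so the script runs offline.

```shell
#!/bin/sh
# Added example (not the PR's install-roxie.sh). The asset name and file layout
# are assumptions; downloading into the staging dir is left out so it runs offline.

# Reject non-Linux runners early; the kernel name is a parameter for testing.
require_linux() {
  [ "${1:-$(uname -s)}" = "Linux" ] || { echo "unsupported OS" >&2; return 1; }
}

# Print the digest recorded for an exact asset name in a "digest  name" file.
expected_sha256() {
  awk -v name="$2" '$2 == name || $2 == ("*" name) { print $1; ok = 1; exit }
                    END { exit !ok }' "$1"
}

# verify_and_install STAGED_BINARY CHECKSUMS ASSET_NAME INSTALL_DIR
# Runs in a subshell; the binary reaches INSTALL_DIR and PATH only on a match.
verify_and_install() (
  staged=$1; sums=$2; asset=$3; dest=$4
  want=$(expected_sha256 "$sums" "$asset") || { echo "no checksum for $asset" >&2; exit 1; }
  got=$(sha256sum "$staged" | awk '{ print $1 }')
  [ "$got" = "$want" ] || { echo "checksum mismatch for $asset" >&2; exit 1; }
  mkdir -p "$dest"
  install -m 0755 "$staged" "$dest/roxie"
  # GITHUB_PATH is provided by the Actions runner; append only after verification.
  if [ -n "${GITHUB_PATH:-}" ]; then echo "$dest" >> "$GITHUB_PATH"; fi
)

# Constructed demo: a genuine and a tampered "binary" against one checksums file.
demo() (
  work=$(mktemp -d) || exit 1          # unique staging dir, not a fixed /tmp path
  trap 'rm -rf "$work"' EXIT           # cleaned up on success and on failure
  GITHUB_PATH="$work/github_path"; : > "$GITHUB_PATH"
  printf 'constructed release bytes\n' > "$work/good"
  printf 'constructed tampered bytes\n' > "$work/bad"
  (cd "$work" && sha256sum good | sed 's/good$/roxie-linux-amd64/') > "$work/sums"
  verify_and_install "$work/bad" "$work/sums" roxie-linux-amd64 "$work/bin" 2>/dev/null && exit 1
  [ ! -e "$work/bin/roxie" ] && [ ! -s "$GITHUB_PATH" ] || exit 1
  verify_and_install "$work/good" "$work/sums" roxie-linux-amd64 "$work/bin" || exit 1
  [ -x "$work/bin/roxie" ] && [ "$(cat "$GITHUB_PATH")" = "$work/bin" ]
)
```
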
Summary
- `roxie/install-cli` composite action that downloads a roxie release binary from GitHub releases
- `roxie/` to allow future additions (e.g. `roxie/deploy`)

Usage

Or omit `version` to install the latest release:

Test plan
- `roxie version` output: in https://github.com/stackrox/stackrox/actions/runs/28446934417/job/84298720305

🤖 Generated with Claude Code