change trex plugin build#104
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR modernizes the build process by replacing the local Rust compilation of the trex plugin with a Docker-based approach. The changes eliminate the need to compile Rust code locally and instead use a pre-built Docker image containing the trex binary.
- Switches from local trex binary execution to Docker containerized execution
- Adds environment variable validation for Docker tag specification
- Removes Rust compilation steps from CI workflow
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/build.ts | Replaces local trex execution with Docker container approach and adds environment variable validation |
| .github/workflows/npm-ci.yml | Removes Rust compilation and cargo-related build steps |
| "-v", `${Deno.cwd()}:${Deno.cwd()}`, | ||
| "-w", Deno.cwd(), |
There was a problem hiding this comment.
Mounting the current working directory with the same path inside the container could expose sensitive files and create security risks. Consider using a more restrictive mount point or mounting only the necessary directories.
| "-v", `${Deno.cwd()}:${Deno.cwd()}`, | |
| "-w", Deno.cwd(), | |
| "-v", `${function_path2}:${function_path2}`, | |
| "-w", function_path2, |
| "run", "--rm", | ||
| "-v", `${Deno.cwd()}:${Deno.cwd()}`, | ||
| "-w", Deno.cwd(), | ||
| `ghcr.io/data2evidence/d2e-trex-base:${dockerTag}`, |
There was a problem hiding this comment.
Using an environment variable to specify the Docker image tag without validation could allow injection of malicious image references. Consider validating the dockerTag format or restricting it to known safe values.
| "/usr/src/trex", | ||
| ..._args | ||
| ]; | ||
| let cmd = new Deno.Command("docker", { args: dockerArgs }); |
There was a problem hiding this comment.
If Docker is not installed or available, this will fail with a potentially unclear error message. Consider adding a check for Docker availability or improving error handling to provide clearer feedback.
No description provided.