
fix: migrate openapi Dockerfile from Docker to UBI#947

Merged
mergify[bot] merged 1 commit into main from openapi-dockerfile-use-ubi
Mar 18, 2026

Conversation

@mprpic mprpic commented Mar 18, 2026

Replace docker.io/openapitools/openapi-generator-cli with registry.access.redhat.com/ubi9/ubi:9.7. Install Java and Go via dnf and download the openapi-generator JAR directly from Maven Central. Remove unused make, sudo, and Debian-specific Go env vars.

Replace docker.io/openapitools/openapi-generator-cli with
registry.access.redhat.com/ubi9/ubi:9.7. Install Java and Go via dnf
and download the openapi-generator JAR directly from Maven Central.
Remove unused make, sudo, and Debian-specific Go env vars.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Martin Prpič <mprpic@redhat.com>
coderabbitai bot commented Mar 18, 2026

Walkthrough

The Dockerfile for the ambient API server is modified to replace the specialized OpenAPI generator image with a generic UBI9 base image, switching from apt-get to dnf package management, and downloading the OpenAPI Generator CLI JAR directly to invoke via java -jar instead of relying on pre-built tooling.

Changes

Cohort / File(s): Dockerfile Base Image and Build Approach
components/ambient-api-server/Dockerfile.openapi
Summary: Base image switched from openapitools/openapi-generator-cli:v7.16.0 to ubi9/ubi:9.7; package installation changed from apt-get to dnf for Java, Go, and git; OpenAPI Generator CLI now downloaded via curl and executed with java -jar; Go environment variables (PATH, GOPATH, GOBIN, CGO_ENABLED) removed; cleanup steps retained with added gofmt step.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Title check: Passed. The title accurately summarizes the main change: migrating the OpenAPI Dockerfile from a Docker-based image to UBI, which aligns with the changeset.
Description check: Passed. The description directly addresses the changeset, detailing the base image replacement, dependency installation method, JAR download approach, and removal of unused packages.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
components/ambient-api-server/Dockerfile.openapi (1)

1-19: ⚠️ Potential issue | 🟠 Major

Run as a non-root user before generation steps

There is no USER instruction, so the container executes generation as root. This is a security posture gap.

Proposed fix
 RUN mkdir -p /local
 COPY . /local
+RUN chown -R 10001:0 /local
+USER 10001

 WORKDIR /local
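Review bot: `RUN chown -R 10001:0 /local` placed after `COPY . /local` re-writes the whole copied tree into a second layer; `COPY --chown=10001:0 . /local` sets the ownership in the same layer and drops the extra RUN. The `USER 10001` switch must also stay after the `dnf install` and the curl that writes `/usr/local/bin/openapi-generator-cli.jar`, since those need root; the JAR written by curl under the default umask stays world-readable, so the non-root user can still run `java -jar` on it without chowning `/usr/local/bin`.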

As per coding guidelines, “Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.”

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@components/ambient-api-server/Dockerfile.openapi` around lines 1 - 19, The
Dockerfile runs generation steps (the RUN java -jar
/usr/local/bin/openapi-generator-cli.jar generate and RUN gofmt -w
/local/pkg/api/openapi) as root; create a non-root user (e.g., addgroup/adduser
or groupadd/useradd and a home dir), chown the /local workspace and any tool
paths to that user, then add a USER instruction to switch to that non-root user
before the generation and gofmt RUN steps; ensure the non-root user has
permission to execute /usr/local/bin/openapi-generator-cli.jar and to write
under /local so the java generation, file removals, and gofmt succeed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: fd60acb2-a613-410b-8249-e64dc79ffe7a

📥 Commits

Reviewing files that changed from the base of the PR and between 151b9e1 and bd93697.

📒 Files selected for processing (1)
  • components/ambient-api-server/Dockerfile.openapi

Comment on lines +7 to +8
RUN curl -L -o /usr/local/bin/openapi-generator-cli.jar \
https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/7.16.0/openapi-generator-cli-7.16.0.jar


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Check if the file exists and read its full content
fd -t f "Dockerfile.openapi" --exec cat -n {}

Repository: ambient-code/platform

Length of output: 963


🏁 Script executed:

# Also search for any checksum or SHA references in the same directory
rg -A 5 -B 5 "openapi-generator" components/ambient-api-server/ 2>/dev/null || echo "No matches found"

Repository: ambient-code/platform

Length of output: 22302


🏁 Script executed:

# Check git history to see if there were related changes
git log --oneline --all -- "components/ambient-api-server/Dockerfile.openapi" 2>/dev/null | head -20

Repository: ambient-code/platform

Length of output: 249


Harden the JAR download with fail-fast and integrity verification

On lines 7–8, curl -L without the -f flag can silently save HTTP error pages, and the downloaded JAR is executed without checksum validation. This creates a supply-chain risk.

Proposed fix
+ARG OPENAPI_GENERATOR_VERSION=7.16.0
+ARG OPENAPI_GENERATOR_SHA512=<pin-from-maven-central>
 # Download openapi-generator-cli JAR
-RUN curl -L -o /usr/local/bin/openapi-generator-cli.jar \
-    https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/7.16.0/openapi-generator-cli-7.16.0.jar
+RUN curl -fsSL -o /tmp/openapi-generator-cli.jar \
+    "https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/${OPENAPI_GENERATOR_VERSION}/openapi-generator-cli-${OPENAPI_GENERATOR_VERSION}.jar" \
+ && echo "${OPENAPI_GENERATOR_SHA512}  /tmp/openapi-generator-cli.jar" | sha512sum -c - \
+ && mv /tmp/openapi-generator-cli.jar /usr/local/bin/openapi-generator-cli.jar
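Review bot: `ARG OPENAPI_GENERATOR_SHA512=<pin-from-maven-central>` leaves a placeholder as the default, so `sha512sum -c` fails for anyone who builds without passing `--build-arg`; the real digest (Maven Central publishes a `.sha512` sidecar next to the JAR) should be the default in the Dockerfile, since it is a pin rather than a secret, and bumping `OPENAPI_GENERATOR_VERSION` then deliberately forces a digest update too. Adding `--retry 3` to the `curl -fsSL` line keeps transient registry errors from aborting the build now that non-2xx responses fail fast.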
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@components/ambient-api-server/Dockerfile.openapi` around lines 7 - 8, The RUN
that downloads openapi-generator-cli.jar uses curl -L which can silently save
HTTP error pages and doesn't verify integrity; update the RUN that writes
/usr/local/bin/openapi-generator-cli.jar to use curl --fail --show-error
--location (and ideally --retry) so it fails fast on HTTP errors, then download
the corresponding checksum (e.g., openapi-generator-cli-7.16.0.jar.sha256 or
.sha256sum) from the same Maven coordinates and verify the JAR with sha256sum -c
(or perform an explicit sha256sum comparison) before installing/making
executable; ensure the build exits if the checksum verification fails so
openapi-generator-cli.jar is only used when integrity is confirmed.

Contributor


agreed
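The fail-fast download plus digest check that the review comment above asks for, written out as an added example rather than code from this PR or the project: two POSIX sh functions a RUN step (or a script copied into the image) could call. `verify_sha512` and `fetch_verified` are names chosen here, and the digest in the check is computed from a constructed file, not pinned from Maven Central.

```shell
#!/bin/sh
# Added example, not the project's Dockerfile: fail-fast fetch and
# SHA-512 verification of a downloaded artifact, POSIX sh only so it
# also runs under the /bin/sh that a Dockerfile RUN uses.

# verify_sha512 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-512 digest matches EXPECTED_HEX,
# 1 on mismatch, 2 when FILE does not exist.
verify_sha512() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 2
    # sha512sum -c reads "<digest>  <path>" lines from stdin ("-");
    # the two spaces between digest and path are part of the format.
    echo "$expected  $file" | sha512sum -c --status -
}

# fetch_verified URL DEST EXPECTED_HEX
# Downloads URL to DEST only if the digest matches; a failed or
# mismatching download is deleted so no later step can use it.
fetch_verified() {
    url=$1
    dest=$2
    expected=$3
    tmp="$dest.part"
    # --fail turns HTTP errors into a non-zero exit instead of a saved
    # error page; --silent --show-error keeps the log quiet but still
    # prints failures; --retry covers transient server/network errors.
    if ! curl --fail --silent --show-error --location --retry 3 \
            -o "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    if ! verify_sha512 "$tmp" "$expected"; then
        echo "digest mismatch for $url" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$dest"
}

# Usage inside a RUN step, with a real pin substituted for the placeholder:
#   fetch_verified "$JAR_URL" /usr/local/bin/openapi-generator-cli.jar "<sha512-from-maven-central>"
```

Because the functions return exit codes rather than printing, `set -e` in the build shell (or `&&` chaining in a RUN line) aborts the image build on the first HTTP error or digest mismatch, which is the property the proposed fix relies on; the inline `curl ... && echo "<digest>  file" | sha512sum -c -` chain in the suggestion is the same logic without the functions.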

@@ -1,19 +1,18 @@
FROM docker.io/openapitools/openapi-generator-cli:v7.16.0
FROM registry.access.redhat.com/ubi9/ubi:9.7
Contributor

@ktdreyer ktdreyer Mar 18, 2026


Suggested change
FROM registry.access.redhat.com/ubi9/ubi:9.7
FROM registry.access.redhat.com/ubi9:latest
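Review bot: `registry.access.redhat.com/ubi9:latest` is a floating tag, so the generated code can change between builds for reasons unrelated to this repository; the `ubi9/ubi:9.7` tag the PR uses is rebuilt in place with security updates within that minor release, so it already picks up fixes while staying reproducible at the minor-version level, and a digest pin (`ubi9/ubi@sha256:...`) would be the fully reproducible option. Prefer keeping the minor tag or pinning by digest over `:latest`.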

RUN apt-get update
RUN apt-get install -y make sudo git golang-1.21
# Install Java (to run openapi-generator), Go (for gofmt), and git
RUN dnf install -y java-17-openjdk-headless go-toolset git && dnf clean all
Contributor


Suggested change
RUN dnf install -y java-17-openjdk-headless go-toolset git && dnf clean all
RUN dnf install -y java-17-openjdk-headless go-toolset git-core && dnf clean all
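Review bot: `git-core` drops git's optional extras (perl helpers, docs), which is the right choice for a build-only image; the same reasoning applies to the rest of the line, so `dnf install -y --setopt=install_weak_deps=False --nodocs java-17-openjdk-headless go-toolset git-core` keeps `java-17-openjdk-headless` and `go-toolset` from pulling weak dependencies too and reduces both image size and the package surface that needs patching.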

Comment on lines +7 to +8
RUN curl -L -o /usr/local/bin/openapi-generator-cli.jar \
https://repo1.maven.org/maven2/org/openapitools/openapi-generator-cli/7.16.0/openapi-generator-cli-7.16.0.jar
Contributor


agreed

@mergify mergify bot added the queued label Mar 18, 2026
mergify bot added a commit that referenced this pull request Mar 18, 2026
@mergify mergify bot merged commit d2174f1 into main Mar 18, 2026
31 checks passed
@mergify mergify bot deleted the openapi-dockerfile-use-ubi branch March 18, 2026 20:03
@mergify

mergify bot commented Mar 18, 2026

Merge Queue Status

This pull request spent 15 seconds in the queue, including 2 seconds running CI.

Required conditions to merge

@mergify mergify bot removed the queued label Mar 18, 2026