@sg00dwin sg00dwin commented Jan 12, 2026

The quay.io/coreos/tectonic-console-builder:v29 image is stale/non-existent
and causes OpenSSL error 1C800066:Provider routines:bad decrypt during
yarn install in CI builds.

Update to use the same rhel-9-base-nodejs-openshift-4.21 base image as
the main Dockerfile, which is actively maintained by the OpenShift CI team
and has proper Node.js v22 + OpenSSL 3.x configuration.

Resolves: console-plugin-demo build failures

Co-Authored-By: Claude Sonnet 4.5

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated Docker build configuration with a new node-based builder image and modified build paths
    • Adjusted working directories and file handling in the multi-stage build process


…ilder image

Co-Authored-By: Claude Sonnet 4.5

coderabbitai bot commented Jan 12, 2026

Walkthrough

Single Dockerfile updated to replace base image with nodebuilder, shift build context paths from /src to /opt/app-root, introduce YARN_VERSION ARG with bootstrap logic, and adjust final-stage artifact sourcing accordingly.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Docker Build Configuration: Dockerfile.plugins.demo | Replaced base image with nodebuilder, migrated working directories from /src/console/* to /opt/app-root/src/*, introduced YARN_VERSION ARG with npm-based Yarn bootstrap (cached/remote tarball), switched from COPY to ADD instruction, and updated final-stage COPY directives to source artifacts from nodebuilder stage instead of build stage. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check ✅ Passed The title clearly identifies the main change: updating Dockerfile.plugins.demo to use a maintained OpenShift CI builder image instead of the stale quay.io/coreos/tectonic-console-builder image.


@openshift-ci openshift-ci bot requested review from jhadvig and rhamilto January 12, 2026 23:06

openshift-ci bot commented Jan 12, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sg00dwin
Once this PR has been reviewed and has the lgtm label, please assign rhamilto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

🧹 Nitpick comments (2)
Dockerfile.plugins.demo (2)

8-8: Prefer COPY over ADD for copying local files.

Per Dockerfile best practices (and the Hadolint DL3020 rule), COPY should be used for copying files and folders from the build context. ADD has additional capabilities (URL fetching, tar auto-extraction) that aren't needed here and can introduce unexpected behavior.

Suggested fix
-ADD . .
+COPY . .
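Review bot: on the `+COPY . .` line the source is still the entire build context; narrow it to the directories the build uses (frontend/, dynamic-demo-plugin/, and ./artifacts/ if the Yarn tarball cache is wanted) or add a .dockerignore, so that stray files such as local credentials or .git do not land in the builder layer. The swap itself is behaviour-neutral here, because ADD unpacks only an archive named directly as its source, not archives inside a copied directory.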

29-33: Final stage artifact paths correctly updated.

The COPY --from=nodebuilder instructions properly reference the new paths from the build stage. The node:22 base image aligns with the Node.js version in the builder.

For CI reproducibility, you might consider pinning to a more specific tag (e.g., node:22-slim or node:22.x.y) to avoid unexpected behavior from upstream image updates, though for a demo plugin this is less critical.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 4e7a8f7 and 8417448.

📒 Files selected for processing (1)
  • Dockerfile.plugins.demo
🧰 Additional context used
🪛 Hadolint (2.14.0)
Dockerfile.plugins.demo

[error] 8-8: Use COPY instead of ADD for files and folders

(DL3020)

🔇 Additional comments (3)
Dockerfile.plugins.demo (3)

6-6: Good choice using the maintained OpenShift CI builder image.

This aligns with the main Dockerfile's base image and ensures consistent tooling (Node.js v22, OpenSSL 3.x) across the console build artifacts. The rhel-9-base-nodejs-openshift-4.21 image is actively maintained by the OpenShift CI team, which should prevent the stale image issues that triggered the bad decrypt errors.


22-26: The path structure changes are correct. The repository root contains frontend/ and dynamic-demo-plugin/ directories, and the ADD . . at line 8 places them under /opt/app-root/src/ (the default WORKDIR for the OpenShift builder base image). The subsequent WORKDIR commands in lines 22 and 25 correctly navigate to /opt/app-root/src/frontend and /opt/app-root/src/dynamic-demo-plugin. The removal of /console from the path hierarchy reflects the base image layout change, not a misconfiguration—no action needed.


10-20: Yarn bootstrap pattern is sound for this OpenShift builder context.

The cached tarball strategy with GitHub fallback is a solid CI optimization. USER 0 is correctly placed here since the OpenShift builder base image requires root for npm operations; the later switch to USER 1001 in the final stage maintains proper non-root production runtime behavior.

Two points to ensure consistency:

  1. The ./artifacts/ path is relative to the working directory (/opt/app-root/src). Verify this directory is included in your build context if you intend to leverage tarball caching in CI pipelines.
  2. The v1.22.22 pinning is current (latest Yarn 1.x Classic stable) and avoids the documentation/release discrepancy that exists on the Yarn classic site.

The two-stage build cleanly separates build dependencies from runtime, following K8s container best practices.
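
The two nitpicks raised in the review above (DL3020 on `ADD . .` and the floating `node:22` tag) can be checked mechanically before a build runs. The following is an added example, not code from the PR or from CodeRabbit: the sample Dockerfile is constructed, the registry host, the `node:22.12.0` tag and the digest are placeholders, and `unpinned-base` is this example's own label rather than a Hadolint rule.

```python
import re

# Constructed Dockerfile using the instructions named in the review (stage
# name, ADD . ., node:22). The registry host and image path are placeholders.
SAMPLE = """\
FROM registry.example/builder:rhel-9-base-nodejs-openshift-4.21 AS nodebuilder
USER 0
ADD . .
FROM node:22
COPY --from=nodebuilder /opt/app-root/src/dynamic-demo-plugin/dist /opt/dist
USER 1001
"""
# Same file with both findings addressed; digest and version are placeholders.
DIGEST = "@sha256:" + "0" * 64
FIXED = (SAMPLE.replace("ADD . .", "COPY . .")
         .replace("openshift-4.21 AS", "openshift-4.21" + DIGEST + " AS")
         .replace("node:22\n", "node:22.12.0\n"))

FULL_VERSION = re.compile(r"v?\d+\.\d+\.\d+")  # tag starts with x.y.z


def lint(dockerfile):
    """Return (line, rule, detail) tuples. Line continuations are not joined."""
    findings, stages = [], set()
    for no, raw in enumerate(dockerfile.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        op = words[0].upper()
        args = [w for w in words[1:] if not w.startswith("--")]  # drop flags
        if op == "ADD" and len(args) >= 2:
            # ADD is only warranted for URL sources or archive extraction.
            if not any(re.match(r"https?://", src) for src in args[:-1]):
                findings.append((no, "DL3020", "local source, use COPY"))
        elif op == "FROM" and args:
            image = args[0]
            tag = image.rsplit("/", 1)[-1].partition(":")[2]
            pinned = "@sha256:" in image or FULL_VERSION.match(tag)
            if image.lower() not in stages and image != "scratch" and not pinned:
                # "unpinned-base" is this example's label, not a Hadolint rule.
                findings.append((no, "unpinned-base", image))
            if len(args) >= 3 and args[1].upper() == "AS":
                stages.add(args[2].lower())
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

A CI step can fail the job when `lint()` returns a non-empty list; stage aliases such as `nodebuilder` are tracked so that `FROM <alias>` is not reported as an unpinned image.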


openshift-ci bot commented Jan 13, 2026

@sg00dwin: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-console 8417448 link true /test e2e-gcp-console
ci/prow/backend 8417448 link true /test backend


@sg00dwin sg00dwin changed the title Update Dockerfile.plugins.demo to use maintained OpenShift CI builder image [WIP] Update Dockerfile.plugins.demo to use maintained OpenShift CI builder image Jan 13, 2026
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 13, 2026
@sg00dwin

@CodeRabbit configuration


coderabbitai bot commented Jan 20, 2026

Configuration used: Path: .coderabbit.yaml

CodeRabbit configuration
language: en-US
tone_instructions: >-
  Principal engineer reviewing OpenShift Console (React/TS/JS/Go). Focus:
  architecture, security (RBAC/SCC), performance, maintainability,
  backward-compatible APIs, testing/edge cases. Enforce K8s best practices,
  PatternFly, a11y/i18n.
early_access: false
enable_free_tier: true
inheritance: false
reviews:
  profile: chill
  request_changes_workflow: false
  high_level_summary: true
  high_level_summary_instructions: ''
  high_level_summary_placeholder: '@coderabbitai summary'
  high_level_summary_in_walkthrough: false
  auto_title_placeholder: '@coderabbitai'
  auto_title_instructions: ''
  review_status: true
  review_details: false
  commit_status: true
  fail_commit_status: false
  collapse_walkthrough: false
  changed_files_summary: true
  sequence_diagrams: false
  estimate_code_review_effort: true
  assess_linked_issues: true
  related_issues: true
  related_prs: true
  suggested_labels: true
  labeling_instructions: []
  auto_apply_labels: false
  suggested_reviewers: true
  auto_assign_reviewers: false
  in_progress_fortune: false
  poem: false
  enable_prompt_for_ai_agents: true
  path_filters: []
  path_instructions: []
  abort_on_close: true
  disable_cache: false
  auto_review:
    enabled: true
    auto_incremental_review: true
    ignore_title_keywords:
      - WIP
      - '[WIP]'
      - do-not-merge
      - work-in-progress
    labels:
      - '!do-not-merge/work-in-progress'
    drafts: true
    base_branches: []
    ignore_usernames: []
  finishing_touches:
    docstrings:
      enabled: true
    unit_tests:
      enabled: true
  pre_merge_checks:
    docstrings:
      mode: warning
      threshold: 80
    title:
      mode: warning
      requirements: ''
    description:
      mode: warning
    issue_assessment:
      mode: warning
    custom_checks: []
  tools:
    ast-grep:
      rule_dirs: []
      util_dirs: []
      essential_rules: true
      packages: []
    shellcheck:
      enabled: true
    ruff:
      enabled: true
    markdownlint:
      enabled: true
    github-checks:
      enabled: true
      timeout_ms: 90000
    languagetool:
      enabled: true
      enabled_rules: []
      disabled_rules: []
      enabled_categories: []
      disabled_categories: []
      enabled_only: false
      level: default
    biome:
      enabled: true
    hadolint:
      enabled: true
    swiftlint:
      enabled: true
    phpstan:
      enabled: true
      level: default
    phpmd:
      enabled: true
    phpcs:
      enabled: true
    golangci-lint:
      enabled: true
    yamllint:
      enabled: true
    gitleaks:
      enabled: true
    checkov:
      enabled: true
    detekt:
      enabled: true
    eslint:
      enabled: true
    flake8:
      enabled: true
    fortitudeLint:
      enabled: true
    rubocop:
      enabled: true
    buf:
      enabled: true
    regal:
      enabled: true
    actionlint:
      enabled: true
    pmd:
      enabled: true
    clang:
      enabled: true
    cppcheck:
      enabled: true
    semgrep:
      enabled: true
    circleci:
      enabled: true
    clippy:
      enabled: true
    sqlfluff:
      enabled: true
    prismaLint:
      enabled: true
    pylint:
      enabled: true
    oxc:
      enabled: true
    shopifyThemeCheck:
      enabled: true
    luacheck:
      enabled: true
    brakeman:
      enabled: true
    dotenvLint:
      enabled: true
    htmlhint:
      enabled: true
    checkmake:
      enabled: true
    osvScanner:
      enabled: true
chat:
  art: true
  auto_reply: true
  integrations:
    jira:
      usage: auto
    linear:
      usage: auto
knowledge_base:
  opt_out: false
  web_search:
    enabled: true
  code_guidelines:
    enabled: true
    filePatterns:
      - STYLEGUIDE.md
      - CONTRIBUTING.md
      - README.md
      - .ai/context.md
      - .ai/README.md
  learnings:
    scope: auto
  issues:
    scope: auto
  jira:
    usage: auto
    project_keys: []
  linear:
    usage: auto
    team_keys: []
  pull_requests:
    scope: auto
  mcp:
    usage: auto
    disabled_servers: []
code_generation:
  docstrings:
    language: en-US
    path_instructions: []
  unit_tests:
    path_instructions: []
issue_enrichment:
  auto_enrich:
    enabled: false
  planning:
    enabled: true
    auto_planning:
      enabled: true
      labels: []
  labeling:
    labeling_instructions: []
    auto_apply_labels: false
