Version bumps #28

Merged: lmakarov merged 4 commits into develop from feature/version-bumps on Jun 5, 2026
@lmakarov lmakarov (Member) commented Jun 5, 2026

  • Apache 2.4.67
  • GitHub Actions version bumps

Resolves #26

Summary by CodeRabbit

  • Chores

    • Bumped Apache HTTPD base image default to 2.4.67 across builds.
    • Modernized CI/CD: updated runners, multi-architecture build/test matrix, improved Docker build/push steps, registry caching, and artifact handling; disabled provenance/SBOM generation.
  • Documentation

    • README updated to reflect the new Apache HTTPD base image version.

coderabbitai Bot commented Jun 5, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6b146c4c-0d81-4553-8fc5-c2258ecebffc

📥 Commits

Reviewing files that changed from the base of the PR and between 57f30e2 and fee2a96.

📒 Files selected for processing (2)
  • .github/workflows/default.yaml
  • Dockerfile
📝 Walkthrough

Walkthrough

This PR bumps the Apache base image to httpd:2.4.67-alpine and modernizes the GitHub Actions workflow: explicit per-arch runners, upgraded actions (checkout/buildx/login/build-push), registry caching per-arch, disabled provenance/SBOM, and merged multi-arch test artifact validation.

Changes

Base Image Upgrade

| Layer / File(s) | Summary |
| --- | --- |
| Apache image version declaration: Dockerfile, Makefile, README.md | Default UPSTREAM_IMAGE in Dockerfile set to httpd:2.4.67-alpine; Makefile UPSTREAM_IMAGE default bumped to httpd:2.4.67-alpine; README.md updated to reference httpd:2.4.67-alpine. |

CI/CD Pipeline Modernization

| Layer / File(s) | Summary |
| --- | --- |
| Build matrix and Docker build job: .github/workflows/default.yaml | Build/test matrices now include explicit platform and arch-specific runners (ubuntu-24.04 / ubuntu-24.04-arm). Build steps upgraded to actions/checkout@v6, docker/setup-buildx-action@v4, docker/login-action@v4, docker/build-push-action@v7. Docker build disables provenance and SBOM and uses per-arch registry cache with mode=max. |
| Test job setup and artifact handling: .github/workflows/default.yaml | Test setup switched to bats-core/bats-action@4.0.0, checkout to v6; removed arm64 remote builder/QEMU setup. Test artifacts uploaded with actions/upload-artifact@v7 using dynamically generated names (includes SHA/version/arch), if-no-files-found: error, and overwrite: true. |
| Push job validation and tag cleanup: .github/workflows/default.yaml | Push job updated to checkout v6 and login v4. Test artifact download now uses an artifact pattern with merge-multiple: true. Tagging logic now checks both amd64 and arm64 test result files before proceeding. Intermediate per-arch tag deletion is commented out. |

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Out of Scope Changes check | ⚠️ Warning | The PR includes GitHub Actions workflow modernization (checkout v6, buildx v4, etc.) beyond the scope of issue #26's specific request to update Apache version only. | Consider separating the workflow modernization into a separate PR to maintain clear separation of concerns: one PR for Apache upgrade, another for CI/CD tooling updates. |
| Title check | ❓ Inconclusive | The title 'Version bumps' is generic and vague, lacking specificity about which components are being bumped or the motivation behind the changes. | Consider using a more descriptive title like 'Update Apache to 2.4.67 and modernize GitHub Actions workflow' to better clarify the main changes. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues check | ✅ Passed | The PR addresses issue #26 by upgrading Apache from 2.4.52 to 2.4.67, exceeding the requested 2.4.59 minimum and mitigating vulnerability concerns. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
.github/workflows/default.yaml (2)

51-77: 💤 Low value

Consider pinning actions to SHA hashes for supply chain security.

Static analysis flags all action references as unpinned. While version tags (e.g., @v6) are common practice, pinning to commit SHAs provides stronger protection against compromised action repositories.

Example for checkout:

uses: actions/checkout@<full-sha-hash>  # v6

This is optional given the project's established pattern of using version tags.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/default.yaml around lines 51 - 77, The workflow currently
uses floating tags for actions (e.g., actions/checkout@v6,
docker/setup-buildx-action@v4, docker/login-action@v4,
docker/build-push-action@v7); replace each `uses:` reference with the
corresponding full commit SHA for that action repository (pin the commit hash
for actions/checkout, docker/setup-buildx-action, docker/login-action,
docker/build-push-action) so the job uses an immutable reference — locate the
four `uses:` lines in the checkout, setup-buildx, login, and build-push steps
and update them to the approved full-sha values.

131-132: 💤 Low value

Consider disabling credential persistence.

Static analysis flags that persist-credentials is not set to false. While unlikely to be exploited in this context, setting it explicitly prevents Git credentials from persisting in the runner workspace.

       name: Checkout
       uses: actions/checkout@v6
+      with:
+        persist-credentials: false
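
Review bot: The `persist-credentials: false` input is added only to the Checkout step at lines 131-132, while the walkthrough lists actions/checkout@v6 in the build, test and push jobs. Apply the same `with:` block to every checkout step that does not need to push with Git afterwards, so the setting is consistent across jobs. The `uses:` line in this hunk also still references the `@v6` tag, so the SHA-pinning nitpick applies to this step as well.
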
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/default.yaml around lines 131 - 132, The Checkout step
using actions/checkout@v6 leaves Git credentials persisted; update the Checkout
step (the step named "Checkout" that uses actions/checkout@v6) to explicitly set
persist-credentials: false so credentials are not stored in the runner workspace
(add the persist-credentials: false input under that step).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@Dockerfile`:
- Line 1: The Dockerfile's ARG UPSTREAM_IMAGE currently uses the floating tag
"httpd:2.4-alpine"; change it to the pinned patch version "httpd:2.4.67-alpine"
so builds match the Makefile/docs and are reproducible and easier to track for
vulnerabilities—update the ARG UPSTREAM_IMAGE value and any related references
or README/docs to use the same pinned tag to keep consistency.

In `@README.md`:
- Line 7: README currently documents the base image as "httpd:2.4.67-alpine" but
the CI/workflow uses "httpd:2.4-alpine"; pick one and make them consistent by
either updating README.md to "httpd:2.4-alpine" or updating the workflow input
to "httpd:2.4.67-alpine"; search for the strings "httpd:2.4.67-alpine" and
"httpd:2.4-alpine" and change the mismatched occurrence(s) (e.g., the README
entry or the workflow IMAGE/BASE_IMAGE variable) so both sources match exactly.

🪄 Autofix (Beta)

✅ Autofix completed


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fd8a963b-8fd5-44ad-9506-67395aea503f

📥 Commits

Reviewing files that changed from the base of the PR and between cb387f4 and 0f2ace7.

📒 Files selected for processing (4)
  • .github/workflows/default.yaml
  • Dockerfile
  • Makefile
  • README.md

Comment thread Dockerfile Outdated
Comment thread README.md
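
The two nitpicks in the review above (action references not pinned to a commit SHA, and a checkout step without `persist-credentials: false`) can be checked mechanically. The following is an added example, not part of this PR or of CodeRabbit's output: a line-based heuristic run over a constructed workflow. `audit_workflow` and the sample are hypothetical, and the 40-character SHA is a placeholder.

```python
import itertools
import re

# Constructed sample modelled on the steps named in the review.
# The 40-hex value is a made-up placeholder, not a real commit of any action.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Login
        uses: docker/login-action@0123456789abcdef0123456789abcdef01234567  # v4
  push:
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          persist-credentials: false
"""

USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")
STEP_START_RE = re.compile(r"^\s*-\s")
PERSIST_OFF_RE = re.compile(r"\s*persist-credentials:\s*false\b")

def audit_workflow(text):
    """Return (line_no, action_ref, problem) tuples for the two findings."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # not a `uses:` line, or a local / docker reference
        ref = m.group(1)
        _, _, version = ref.partition("@")
        if not FULL_SHA_RE.fullmatch(version):
            findings.append((i + 1, ref, "not pinned to a full commit SHA"))
        if ref.startswith("actions/checkout@"):
            # Heuristic: inspect lines after `uses:` up to the next list item.
            # Assumes `with:` follows `uses:` inside the step.
            step = itertools.takewhile(lambda s: not STEP_START_RE.match(s), lines[i + 1:])
            if not any(PERSIST_OFF_RE.match(s) for s in step):
                findings.append((i + 1, ref, "persist-credentials is not false"))
    return findings

if __name__ == "__main__":
    for line_no, ref, problem in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {ref}: {problem}")
```
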
coderabbitai Bot commented Jun 5, 2026

Note

Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it.

Fixes Applied Successfully

Fixed 1 file(s) based on 2 unresolved review comments.

Files modified:

  • Dockerfile

Commit: 57f30e2cbe898c911d4ea175af1c2d50f12b9bf3

The changes have been pushed to the feature/version-bumps branch.

Time taken: 1m 57s


⚠️ 1 file(s) could not be committed — the agent does not have permission to push to .github/workflows/. Please apply these changes manually:

.github/workflows/default.yaml — 1 change:

Lines 44–50
       ARCH: ${{ matrix.arch }}
       VERSION_PREFIX: ""
       VERSION: ${{ matrix.version }}
-      UPSTREAM_IMAGE: httpd:${{ matrix.version }}-alpine
+      UPSTREAM_IMAGE: httpd:2.4.67-alpine
       BUILD_DIR: "."
 
     steps:
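
Review bot: Hardcoding `UPSTREAM_IMAGE: httpd:2.4.67-alpine` while the line above still sets `VERSION: ${{ matrix.version }}` lets the two values drift apart: if the matrix entry is not exactly 2.4.67, or a second version is added to the matrix, VERSION and the base image actually built will disagree. Consider setting the matrix version to 2.4.67 and keeping `httpd:${{ matrix.version }}-alpine`, or deriving both from one variable, so the next bump is a single edit.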

@lmakarov lmakarov force-pushed the feature/version-bumps branch from 57f30e2 to 0c43695 Compare June 5, 2026 10:04
@lmakarov lmakarov merged commit ffc7385 into develop Jun 5, 2026
6 checks passed
@lmakarov lmakarov deleted the feature/version-bumps branch June 5, 2026 10:14
Development

Successfully merging this pull request may close these issues.

Apache version is too old