Problem
In the template Dockerfile, RTK is installed by piping an install script fetched from the master branch straight into sh:
# RTK — reduces LLM token consumption by 60-90% on shell commands
RUN curl -fsSL https://raw.githubusercontent.com/rtk-ai/rtk/refs/heads/master/install.sh | sh \
&& ln -sf /root/.local/bin/rtk /usr/local/bin/rtk
This has two weaknesses:
- Unpinned version.
refs/heads/master is a mutable branch HEAD that changes on every upstream commit, so two builds of the same image can install different RTK versions with no record of which one shipped. Builds aren't reproducible.
- No integrity check. The install script is fetched and executed with no checksum, so a changed or compromised upstream artifact runs undetected.
Proposed change
1. Pin the version through .config.rde.qovery.yml, the documented source of truth for component versions in the RDE install flow (see Qovery/documentation#143). The rtk component key accepts a version string and currently defaults to latest; set it to an explicit released version so the build installs exactly that, instead of tracking master:
# .config.rde.qovery.yml
rtk: "<pinned-version>" # was: latest (tracks master)
2. Verify integrity of the RTK artifact before executing it. Once a version is pinned, the downloaded RTK install script (or release artifact) should be checksum-verified with sha256sum -c against a known-good SHA256 before it runs, so a tampered or unexpectedly-changed download is rejected rather than executed.
The template should consume the pinned, verified value when installing RTK rather than hardcoding the unverified master fetch in the Dockerfile.
Acceptance criteria
Note
rtk's documented default is latest, so this is about choosing a pinned version for the template's own config rather than adding a new mechanism. If rtk-ai/rtk does not currently publish versioned release tags (and a stable, checksummable artifact per release), that's a prerequisite worth raising upstream — both pinning and checksum verification are only meaningful against a stable, tagged version.
Problem
In the template
Dockerfile, RTK is installed by piping an install script fetched from themasterbranch straight intosh:This has two weaknesses:
refs/heads/masteris a mutable branch HEAD that changes on every upstream commit, so two builds of the same image can install different RTK versions with no record of which one shipped. Builds aren't reproducible.Proposed change
1. Pin the version through
.config.rde.qovery.yml, the documented source of truth for component versions in the RDE install flow (see Qovery/documentation#143). Thertkcomponent key accepts a version string and currently defaults tolatest; set it to an explicit released version so the build installs exactly that, instead of trackingmaster:2. Verify integrity of the RTK artifact before executing it. Once a version is pinned, the downloaded RTK install script (or release artifact) should be checksum-verified with
sha256sum -cagainst a known-good SHA256 before it runs, so a tampered or unexpectedly-changed download is rejected rather than executed.The template should consume the pinned, verified value when installing RTK rather than hardcoding the unverified
masterfetch in the Dockerfile.Acceptance criteria
.config.rde.qovery.yml(notlatest, nottrue).config.rde.qovery.yml, not from themasterbranchsha256sum -c) against a pinned SHA256 before execution.config.rde.qovery.yml(and its associated checksum)rtkruns in the container (existingrtk init -ghooks still work)Note
rtk's documented default islatest, so this is about choosing a pinned version for the template's own config rather than adding a new mechanism. Ifrtk-ai/rtkdoes not currently publish versioned release tags (and a stable, checksummable artifact per release), that's a prerequisite worth raising upstream — both pinning and checksum verification are only meaningful against a stable, tagged version.