Problem
In the template Dockerfile, both the Qovery CLI and Qovery Skills are installed by piping a remote script into bash, unpinned and unverified:
# Qovery CLI
RUN curl -s https://get.qovery.com | bash
...
# Qovery Skills
RUN curl -fsSL https://skill.qovery.com/install.sh | bash
Both fetch from Qovery-controlled domains, so the external supply-chain risk is lower than for third-party tools — but:
- Unpinned. Neither install pins a version, so the CLI and skills can change between builds with no record of what shipped — builds aren't reproducible.
- No integrity check. The scripts are executed with no checksum.
Proposed change
Pin both components through .config.rde.qovery.yml (see Qovery/documentation#143). The qovery_cli key accepts a version string (default latest); the skills key controls the Qovery Skills install:
# .config.rde.qovery.yml
qovery_cli: "<pinned-version>" # was: latest
skills: true # pin to a version if/when the install supports it
Where the install path allows, checksum-verify the downloaded install scripts before executing them. Since these are Qovery's own endpoints, publishing a pinnable version and a checksum for each is fully within Qovery's control.
Acceptance criteria
Problem
In the template
Dockerfile, both the Qovery CLI and Qovery Skills are installed by piping a remote script intobash, unpinned and unverified:Both fetch from Qovery-controlled domains, so the external supply-chain risk is lower than for third-party tools — but:
Proposed change
Pin both components through
.config.rde.qovery.yml(see Qovery/documentation#143). Theqovery_clikey accepts a version string (defaultlatest); theskillskey controls the Qovery Skills install:Where the install path allows, checksum-verify the downloaded install scripts before executing them. Since these are Qovery's own endpoints, publishing a pinnable version and a checksum for each is fully within Qovery's control.
Acceptance criteria
.config.rde.qovery.yml(notlatest).config.rde.qovery.ymlqoveryruns and the skills are present in the container