[rest_gateway] Bump Go base image to 1.25 to fix Docker build #2259

Merged
ramonfigueiredo merged 1 commit into AcademySoftwareFoundation:master from ramonfigueiredo:fix/rest-gateway-dockerfile-go-1.25
Apr 17, 2026
ramonfigueiredo (Collaborator) commented Apr 17, 2026

- grpc-gateway/v2@v2.29.0 now requires Go >= 1.25.0
- go.mod is generated at build time via `go mod tidy`
- golang Docker image defaults to GOTOOLCHAIN=local, blocking auto-upgrade
- Bump base image from golang:1.24-bookworm to golang:1.25-bookworm
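
The failure described in this PR can be caught before `docker build` runs. The check below is an added example, not code from the PR or the OpenCue repository: it compares the `golang:` tag of a Dockerfile build stage with the Go version a dependency requires, which is the mismatch that breaks `go mod tidy` when GOTOOLCHAIN=local. The function names and the sample Dockerfile text are assumptions, constructed from the image tags named above.

```shell
#!/bin/sh
# Constructed sample build stages, using the two image tags named in the PR.
SAMPLE_OLD='FROM golang:1.24-bookworm AS build
RUN go mod tidy'
SAMPLE_NEW='FROM golang:1.25-bookworm AS build
RUN go mod tidy'

# Print "MAJOR MINOR" for the first "FROM golang:<tag>" line in Dockerfile text.
golang_image_version() {
    printf '%s\n' "$1" |
        sed -n 's/^FROM[[:space:]]\{1,\}golang:\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*/\1 \2/p' |
        head -n 1
}

# toolchain_satisfies DOCKERFILE_TEXT REQUIRED_GO (for example 1.25.0)
# Returns 0 if the image's Go is new enough, 1 if it is older, 2 if no golang
# image is found. Only major.minor is compared; patch level is ignored.
toolchain_satisfies() {
    required=$2
    # Intentionally unquoted: split "MAJOR MINOR" into $1 and $2.
    set -- $(golang_image_version "$1")
    [ "$#" -eq 2 ] || return 2
    req_major=${required%%.*}
    req_rest=${required#*.}
    req_minor=${req_rest%%.*}
    [ "$1" -gt "$req_major" ] && return 0
    [ "$1" -eq "$req_major" ] && [ "$2" -ge "$req_minor" ] && return 0
    return 1
}

# With GOTOOLCHAIN=local the go command will not fetch a newer toolchain,
# so an image older than the requirement fails at "go mod tidy".
for stage in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    if toolchain_satisfies "$stage" 1.25.0; then
        echo "ok:   $(printf '%s\n' "$stage" | head -n 1)"
    else
        echo "FAIL: $(printf '%s\n' "$stage" | head -n 1) is older than go 1.25.0"
    fi
done
```
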

coderabbitai Bot (Contributor) commented Apr 17, 2026

Walkthrough

The Docker build stage base image for the rest_gateway service was updated from Go version 1.24 to 1.25 (Bookworm). This change affects the Go toolchain used throughout the build process without modifying any build steps, runtime configuration, or entrypoint behavior.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Docker Build Configuration: `rest_gateway/Dockerfile` | Updated Go base image from golang:1.24-bookworm to golang:1.25-bookworm for the build stage. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A version bump hops into view,
Go marches from 1.24 to 1.25 brand new,
In the Dockerfile's nest so bright,
The compiler toolchain takes its flight,
One line changed, the build runs right! 🚀

🚥 Pre-merge checks | ✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title '[rest_gateway] Bump Go base image to 1.25 to fix Docker build' clearly summarizes the main change: updating the Go base image version from 1.24 to 1.25 to resolve a Docker build issue. This directly matches the changeset which updates the Dockerfile base image version. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


ramonfigueiredo marked this pull request as ready for review April 17, 2026 22:12

coderabbitai Bot (Contributor) left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
rest_gateway/Dockerfile (1)

48-64: ⚠️ Potential issue | 🟠 Major

Run the runtime image as non-root.

The final stage has no USER, so the container runs as root by default. Please add a dedicated non-root user before entrypoint.

🔒 Proposed hardening patch
 FROM debian:bookworm-slim
 
 # Install curl for health checks
 RUN apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/*
 
 COPY --from=build /app/opencue_gateway/grpc_gateway /app/
 
 # Ensure logs folder is created and has correct permissions
-RUN mkdir -p /logs && chmod 755 /logs
+RUN useradd --system --uid 10001 --create-home --home-dir /home/opencue opencue && \
+    mkdir -p /logs && chmod 755 /logs && \
+    chown -R opencue:opencue /app /logs
 
 # Set default environment variables
 ENV CUEBOT_ENDPOINT=localhost:8443
 ENV REST_PORT=8448
 ENV JWT_SECRET=default-secret-key
 
+USER opencue
+
 EXPOSE 8448
 ENTRYPOINT ["/app/grpc_gateway"]
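
Review bot: `chown -R opencue:opencue /app /logs` in the added RUN makes `/app/grpc_gateway` writable by the same account the service runs as, so a compromised gateway process could overwrite its own binary; leave `/app` owned by root and chown only `/logs`, the one path the runtime user needs to write. `--create-home --home-dir /home/opencue` also gives the service account a writable home that nothing in the visible stage uses, so it can be dropped. Separately, the unchanged context line `ENV JWT_SECRET=default-secret-key` bakes a known signing secret into every image built from this file; removing the default so the value has to be supplied at deploy time belongs in the same hardening pass.
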
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@rest_gateway/Dockerfile` around lines 48 - 64, The image runs as root because
the final Dockerfile stage lacks a non-root user; create a dedicated user (e.g.,
"opencue" or "gateway") and group, ensure ownership/permissions for /app and
/logs (chown/chmod) and switch to that user with USER before the ENTRYPOINT;
update any copies or created directories (COPY target /app, RUN mkdir -p /logs)
to set proper ownership for the new user so /app/grpc_gateway and /logs are
accessible when running as non-root.
📥 Commits

Reviewing files that changed from the base of the PR and between 23c5230 and 22e633e.

📒 Files selected for processing (1)
  • rest_gateway/Dockerfile

ramonfigueiredo (Collaborator, Author)

Hi @DiegoTavares / @lithorus

Minor fix. Ready for review!

ramonfigueiredo merged commit 198631c into AcademySoftwareFoundation:master Apr 17, 2026
25 checks passed