Bump aws-kubectl to latest (based on Ubuntu 24.04)

[imnasnainaec]

Pairs with sillsdev/aws-kubectl#9

Devin review: https://app.devin.ai/review/sillsdev/TheCombine/pull/4262

---

This change is 

Summary by CodeRabbit

• Chores
  • Updated AWS credential helper container image version to 0.5.0.
  • Updated kubectl/tooling container image version to 0.5.0 across deployments.
  • Updated maintenance container base image and build steps, including streamlined package installation and adjusted file ownerships for container builds.

[coderabbitai]

Warning

Rate limit exceeded

@imnasnainaec has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 7 minutes and 8 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 7 minutes and 8 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 78385a1a-f9bd-4d0a-baac-b35b1d734ee5

📥 Commits

Reviewing files that changed from the base of the PR and between ca40ab6 and ef974bd.

📒 Files selected for processing (3)

• deploy/helm/aws-login/values.yaml
• deploy/helm/thecombine/charts/maintenance/values.yaml
• maintenance/Dockerfile

📝 Walkthrough

Walkthrough

Bumps aws-kubectl image tag from 0.4.2 → 0.5.0 in two Helm chart values files and updates maintenance/Dockerfile to use the new base image tag plus minor build-step changes (apt flags, ownership adjustments, and pip invocation).

Changes

Cohort / File(s)	Summary
Helm Chart Values deploy/helm/aws-login/values.yaml, deploy/helm/thecombine/charts/maintenance/values.yaml	Updated awsEcr.imageVersion from "0.4.2" → "0.5.0".
Maintenance Dockerfile maintenance/Dockerfile	Updated base image tag to public.ecr.aws/thecombine/aws-kubectl:0.5.0-$TARGETARCH; changed apt-get install to use --no-install-recommends and removed apt-get autoremove; adjusted file ownerships from user:user → user:group; modified pip install to pip3 install --break-system-packages -r requirements.txt.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• [deploy] Bump aws-kubectl to 0.4.1 #4228: Modifies the same Helm values (awsEcr.imageVersion) and the maintenance Dockerfile to bump the aws-kubectl image tag.

Suggested labels

python, 🟨Medium

Suggested reviewers

• jasonleenaylor

Poem

🐰 I hopped through Dockerfiles and charts today,
Pushed tags from point-four-two to point-five-oh away.
Pip and apt got tidy, ownership set right,
A tiny spring-clean for the CI's delight. 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: bumping the aws-kubectl Docker image to version 0.5.0 (based on Ubuntu 24.04), which is reflected across all modified files in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch aws-kubectl-0.5.0

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

maintenance/Dockerfile (1)

19-19: Tag bump is correct; consider pinning by digest if available.

Line 19 correctly updates the base image tag. As an optional hardening step, pinning to an immutable digest would improve reproducibility and prevent tag mutation. If you have AWS credentials, retrieve the digest using:

aws ecr-public describe-images --repository-name thecombine/aws-kubectl --image-ids imageTag=0.5.0 --region us-east-1

Then apply the manifest digest syntax (for multi-arch support):

FROM public.ecr.aws/thecombine/aws-kubectl:0.5.0@sha256:<manifest-digest>

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@maintenance/Dockerfile` at line 19, The FROM line currently uses a mutable
tag "public.ecr.aws/thecombine/aws-kubectl:0.5.0-$TARGETARCH"; to pin immutably,
fetch the repository's manifest digest for tag 0.5.0 (e.g. via AWS ECR Public
describe-images) and replace the base image reference with the multi-arch
manifest form that appends `@sha256`:<manifest-digest> while keeping the
$TARGETARCH qualifier as needed (i.e., change the FROM to include
:0.5.0@sha256:<manifest-digest> so the image is pinned to the specific digest).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@maintenance/Dockerfile`:
- Line 19: The FROM line currently uses a mutable tag
"public.ecr.aws/thecombine/aws-kubectl:0.5.0-$TARGETARCH"; to pin immutably,
fetch the repository's manifest digest for tag 0.5.0 (e.g. via AWS ECR Public
describe-images) and replace the base image reference with the multi-arch
manifest form that appends `@sha256`:<manifest-digest> while keeping the
$TARGETARCH qualifier as needed (i.e., change the FROM to include
:0.5.0@sha256:<manifest-digest> so the image is pinned to the specific digest).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0f2e1c3e-3e06-480e-b68b-2c0951efe084

📥 Commits

Reviewing files that changed from the base of the PR and between 89f76ce and 34ce2fb.

📒 Files selected for processing (3)

• deploy/helm/aws-login/values.yaml
• deploy/helm/thecombine/charts/maintenance/values.yaml
• maintenance/Dockerfile

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 75.94%. Comparing base (b2a5e76) to head (ef974bd).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #4262   +/-   ##
=======================================
  Coverage   75.94%   75.94%           
=======================================
  Files         303      303           
  Lines       11352    11352           
  Branches     1403     1403           
=======================================
  Hits         8621     8621           
  Misses       2330     2330           
  Partials      401      401           

Flag	Coverage Δ
backend	87.23% <ø> (ø)
frontend	66.79% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[jasonleenaylor]

@jasonleenaylor reviewed 3 files and all commit messages.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on imnasnainaec).

[jasonleenaylor]

@jasonleenaylor reviewed 1 file and all commit messages.
Reviewable status: complete! all files reviewed, all discussions resolved (waiting on imnasnainaec).