@bhaveshtank bhaveshtank commented Jan 20, 2026

Summary by CodeRabbit

  • Chores
    • Updated Cronos to v1.6.2

coderabbitai bot commented Jan 20, 2026

Walkthrough

Updates the Cronos binary version from v1.6.1 to v1.6.2 in the Dockerfile. The download URL and tarball filename are changed in both the wget command and the subsequent tar extraction step to reference the newer version.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Cronos Version Bump: Dockerfile | Updated download URL and tarball filename from v1.6.1 to v1.6.2; changed URL path and extraction filename to match the new release artifact |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

  • agrevtsev
  • naviat

Poem

🐰 A hop, a skip, through version lands,
From 1.6.1 to 1.6.2, small but grand!
URLs updated, tarballs renamed with care,
Fresh Cronos flows through Docker's air! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title 'feature: upgrade cronos to 1.6.2' clearly and specifically describes the main change: upgrading the Cronos version from 1.6.1 to 1.6.2, which is the primary objective of the changeset. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

Comment on lines +11 to +12
RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos-v1.6.2/raw/main/cronos_1.6.2_Linux_x86_64.tar.gz && tar -xvf cronos_1.6.2_Linux_x86_64.tar.gz \
&& rm cronos_1.6.2_Linux_x86_64.tar.gz && mv ./* /home/cronos/
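Review bot: `mv ./* /home/cronos/` at the end of this RUN step executes in `/tmp`, so it moves every entry present in `/tmp` into `/home/cronos/`, not only what the tarball contained. Extracting into a dedicated directory (for example with `tar -C`) and moving from there would limit the step to the release files.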
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

Cronos v1.6.2 official release SHA256 checksum GitHub

💡 Result:

I couldn't find an official GitHub release for "v1.6.2" of crypto-org-chain/cronos. The repository's Releases page shows v1.6.1 (latest) and v1.6.0, but no v1.6.2 entry. See the releases list on GitHub. [1]

Source:
[1] crypto-org-chain/cronos — Releases (GitHub). [https://github.com/crypto-org-chain/cronos/releases]


🏁 Script executed:

#!/bin/bash
# Search for Cronos release information in GitHub or official sources
curl -s "https://api.github.com/repos/crypto-org-chain/cronos/releases" | \
  jq -r '.[] | select(.tag_name | contains("v1.6.2")) | {tag_name, assets: .assets[].name, download_url: .assets[].browser_download_url}' | head -50

Repository: chainstack/cronos-docker

Length of output: 50


🏁 Script executed:

#!/bin/bash
# Check if v1.6.2 tag exists in the repository
curl -s "https://api.github.com/repos/crypto-org-chain/cronos/git/refs/tags" | \
  jq -r '.[] | select(.ref | contains("v1.6.2")) | .ref'

# Also check all recent tags
echo "=== Recent tags in crypto-org-chain/cronos ==="
curl -s "https://api.github.com/repos/crypto-org-chain/cronos/git/refs/tags" | \
  jq -r '.[-20:] | .[] | .ref' | sort -V | tail -10

Repository: chainstack/cronos-docker

Length of output: 311


🏁 Script executed:

#!/bin/bash
# Check the URL structure - does the path "cronos-v1.6.2" exist as a repo or path?
# Try to verify if this is a valid download endpoint
echo "Testing URL accessibility..."
curl -sI "https://github.com/crypto-org-chain/cronos-v1.6.2/raw/main/cronos_1.6.2_Linux_x86_64.tar.gz" 2>&1 | head -20

# Also check if cronos-v1.6.2 exists as a separate repository
echo -e "\n=== Checking if cronos-v1.6.2 is a separate repo ==="
curl -s "https://api.github.com/repos/crypto-org-chain/cronos-v1.6.2" | jq -r '.name, .full_name, .status' 2>/dev/null || echo "Repository not found or 404"

Repository: chainstack/cronos-docker

Length of output: 4408


🏁 Script executed:

#!/bin/bash
# Get metadata about the cronos-v1.6.2 repository
curl -s "https://api.github.com/repos/crypto-org-chain/cronos-v1.6.2" | jq -r '{owner: .owner.login, name: .name, description, is_fork: .fork, parent_repo: .parent.full_name, created_at: .created_at, pushed_at: .pushed_at}'

# Check for releases in this separate repo
echo -e "\n=== Releases in cronos-v1.6.2 repo ==="
curl -s "https://api.github.com/repos/crypto-org-chain/cronos-v1.6.2/releases" | jq -r '.[] | {tag_name, assets: [.assets[].name]}'

# Check if there are any release notes or checksums in the main branch
echo -e "\n=== Check for checksums or release notes ==="
curl -s "https://api.github.com/repos/crypto-org-chain/cronos-v1.6.2/contents/" | jq -r '.[] | .name' | grep -i -E 'sha|check|release|hash'

Repository: chainstack/cronos-docker

Length of output: 413


🏁 Script executed:

#!/bin/bash
# Fetch checksums for Cronos v1.6.2
echo "=== Linux x86_64 checksum ==="
curl -s "https://raw.githubusercontent.com/crypto-org-chain/cronos-v1.6.2/main/checksums.txt" | grep -i "linux.*x86_64"

echo -e "\n=== All checksums in checksums.txt ==="
curl -s "https://raw.githubusercontent.com/crypto-org-chain/cronos-v1.6.2/main/checksums.txt"

Repository: chainstack/cronos-docker

Length of output: 963


Remove --no-check-certificate and verify the tarball checksum.

The RUN command disables TLS validation with --no-check-certificate and downloads from a mutable raw/main branch without any checksum verification. This creates unnecessary supply-chain risk. Official checksums are published in the repository; use them.

The official SHA256 for cronos_1.6.2_Linux_x86_64.tar.gz is 33279437c8facb32cfef2da642e452146600c43eddc0ca41cc1804ba9ab4cea5. Add checksum verification and keep TLS validation enabled.

🔒 Suggested hardening
+ARG CRONOS_VERSION=1.6.2
+ARG CRONOS_SHA256=33279437c8facb32cfef2da642e452146600c43eddc0ca41cc1804ba9ab4cea5
+
-RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos-v1.6.2/raw/main/cronos_1.6.2_Linux_x86_64.tar.gz && tar -xvf cronos_1.6.2_Linux_x86_64.tar.gz \
-     && rm cronos_1.6.2_Linux_x86_64.tar.gz && mv ./* /home/cronos/
+RUN cd /tmp && \
+    wget https://github.com/crypto-org-chain/cronos-v${CRONOS_VERSION}/raw/main/cronos_${CRONOS_VERSION}_Linux_x86_64.tar.gz && \
+    echo "${CRONOS_SHA256}  cronos_${CRONOS_VERSION}_Linux_x86_64.tar.gz" | sha256sum -c - && \
+    tar -xvf cronos_${CRONOS_VERSION}_Linux_x86_64.tar.gz && \
+    rm cronos_${CRONOS_VERSION}_Linux_x86_64.tar.gz && mv ./* /home/cronos/
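Review bot: the `wget` line in this suggestion still fetches from `raw/main`, although the accompanying prompt asks for a fixed release tag rather than `raw/main`. With the `sha256sum -c` step a changed file on that branch fails the build instead of being installed, but the URL should reference an immutable ref so the pinned hash and the artifact stay tied together. `CRONOS_SHA256` is also declared as an `ARG`, so `--build-arg` can replace the expected hash at build time; a value fixed in the RUN step, or a CI check that the argument is never overridden, would keep the pin in place.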
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos-v1.6.2/raw/main/cronos_1.6.2_Linux_x86_64.tar.gz && tar -xvf cronos_1.6.2_Linux_x86_64.tar.gz \
&& rm cronos_1.6.2_Linux_x86_64.tar.gz && mv ./* /home/cronos/
ARG CRONOS_VERSION=1.6.2
ARG CRONOS_SHA256=33279437c8facb32cfef2da642e452146600c43eddc0ca41cc1804ba9ab4cea5
RUN cd /tmp && \
wget https://github.com/crypto-org-chain/cronos-v${CRONOS_VERSION}/raw/main/cronos_${CRONOS_VERSION}_Linux_x86_64.tar.gz && \
echo "${CRONOS_SHA256} cronos_${CRONOS_VERSION}_Linux_x86_64.tar.gz" | sha256sum -c - && \
tar -xvf cronos_${CRONOS_VERSION}_Linux_x86_64.tar.gz && \
rm cronos_${CRONOS_VERSION}_Linux_x86_64.tar.gz && mv ./* /home/cronos/
🧰 Tools
🪛 Checkov (3.2.334)

[high] 11-12: Ensure that certificate validation isn't disabled with wget

(CKV2_DOCKER_3)

🤖 Prompt for AI Agents
In `@Dockerfile` around lines 11 - 12, Update the RUN step that downloads
cronos_1.6.2_Linux_x86_64.tar.gz: remove the wget --no-check-certificate flag so
TLS validation remains enabled, download the tarball from a fixed release tag
(not raw/main), compute and verify its SHA256 against the official value
33279437c8facb32cfef2da642e452146600c43eddc0ca41cc1804ba9ab4cea5 (e.g., use
sha256sum or openssl dgst) and abort the build if the checksum does not match,
then proceed to extract and move files as before; the change affects the RUN
line handling cronos_1.6.2_Linux_x86_64.tar.gz in the Dockerfile.
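
The three problems raised in this review (TLS validation disabled, a mutable `raw/main` URL, no checksum check) can be expressed as a small Dockerfile lint. This is an added example, not part of the PR, CodeRabbit or Checkov; the rule names and the `run_steps`/`lint` helpers are hypothetical, and the two sample inputs are copied from the RUN step and the suggested replacement above.

```python
import re

# Rule names below are hypothetical labels for this example, not Checkov IDs.
TLS_OFF = re.compile(r"wget\b[^&|;]*--no-check-certificate|curl\b[^&|;]*(?:\s-k\b|--insecure)")
# Branch refs can change after review; release-tag or commit URLs cannot.
MUTABLE_REF = re.compile(r"https?://\S*(?:/raw/|raw\.githubusercontent\.com/\S+/)(?:main|master|HEAD)/")
FETCH = re.compile(r"\b(?:wget|curl)\b")
# Only the checksum form used on this page is recognised as verification.
VERIFY = re.compile(r"\bsha(?:256|512)sum\s+(?:-c|--check)\b")

def run_steps(dockerfile):
    """Yield (first_line_number, command) per RUN, joining backslash continuations."""
    lines, i = dockerfile.splitlines(), 0
    while i < len(lines):
        start, text = i + 1, lines[i].strip()
        while text.endswith("\\") and i + 1 < len(lines):
            i += 1
            text = text[:-1] + " " + lines[i].strip()
        i += 1
        if text.upper().startswith("RUN "):
            yield start, text[4:]

def lint(dockerfile):
    """Return (line, rule) findings for RUN steps that download files."""
    findings = []
    for line, cmd in run_steps(dockerfile):
        if not FETCH.search(cmd):
            continue
        if TLS_OFF.search(cmd):
            findings.append((line, "tls-validation-disabled"))
        if MUTABLE_REF.search(cmd):
            findings.append((line, "mutable-branch-url"))
        if not VERIFY.search(cmd):
            findings.append((line, "download-not-verified"))
    return findings

# Sample inputs reproduce the RUN step from this PR and the suggested replacement.
BEFORE = r"""RUN cd /tmp && wget --no-check-certificate https://github.com/crypto-org-chain/cronos-v1.6.2/raw/main/cronos_1.6.2_Linux_x86_64.tar.gz && tar -xvf cronos_1.6.2_Linux_x86_64.tar.gz \
    && rm cronos_1.6.2_Linux_x86_64.tar.gz && mv ./* /home/cronos/"""
SUGGESTED = r"""ARG CRONOS_VERSION=1.6.2
ARG CRONOS_SHA256=33279437c8facb32cfef2da642e452146600c43eddc0ca41cc1804ba9ab4cea5
RUN cd /tmp && \
    wget https://github.com/crypto-org-chain/cronos-v${CRONOS_VERSION}/raw/main/cronos_${CRONOS_VERSION}_Linux_x86_64.tar.gz && \
    echo "${CRONOS_SHA256}  cronos_${CRONOS_VERSION}_Linux_x86_64.tar.gz" | sha256sum -c - && \
    tar -xvf cronos_${CRONOS_VERSION}_Linux_x86_64.tar.gz && \
    rm cronos_${CRONOS_VERSION}_Linux_x86_64.tar.gz && mv ./* /home/cronos/"""

if __name__ == "__main__":
    print({"before": lint(BEFORE), "suggested": lint(SUGGESTED)})
```

On the suggested replacement the lint still reports `mutable-branch-url`: the checksum pin makes a changed file fail the build, but the download itself remains tied to `raw/main`.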
