Update etcd Docker image to official quay.io/coreos/etcd:v3.6.5 #49

Merged: echarrod merged 4 commits into main from copilot/update-etcd-docker-image, Oct 20, 2025

Copilot AI commented Oct 20, 2025

Problem

The CI workflows were using bitnami/etcd:latest, which is no longer freely available due to Bitnami/Broadcom's recent policy changes restricting access to their container images. This causes CI failures when trying to pull the image.

Solution

This PR migrates both GitHub Actions workflows (go.yml and sonar.yml) to use the official etcd Docker image maintained by the etcd project: quay.io/coreos/etcd:v3.6.5

Changes

Image Update:

  • Replaced: bitnami/etcd:latest
  • With: quay.io/coreos/etcd:v3.6.5 (latest stable version as of October 2025)

Environment Variables:

  • Removed Bitnami-specific: ALLOW_NONE_AUTHENTICATION: "yes"
  • Added official etcd configuration:
    • ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379" - Allows container networking in GitHub Actions
    • ETCD_ADVERTISE_CLIENT_URLS: "http://localhost:2379" - Advertises localhost for proper security posture

Additional Fixes:

  • Added missing newline at end of sonar.yml to comply with POSIX standards

Why This Approach

  1. Official etcd image is reliable: Maintained directly by the etcd project at quay.io/coreos/etcd
  2. Version pinning: Using a specific version tag (v3.6.5) instead of :latest ensures reproducible builds
  3. Latest stable release: v3.6.5 provides the most up-to-date features and security fixes
  4. Security: Maintaining localhost for advertise URL preserves the same security posture as the previous configuration
  5. Consistency: Both CI workflows now use identical etcd configurations

Testing

  • ✅ Local tests pass with 86.0% coverage using the new configuration
  • ✅ Both workflow YAML files validated successfully
  • ✅ CodeQL security scan passes with 0 alerts
  • ✅ All workflow files end with newline

References

Original prompt

This section details on the original issue you should resolve

<issue_title>Investigate and update etcd Docker image used in CI</issue_title>
<issue_description>
The current CI workflow uses the bitnami/etcd:latest Docker image, but this tag is no longer available. Investigate the best etcd Docker image to use going forward, and update the workflow accordingly.

References:

Recommendations:

  • Pin the etcd image to a specific version, e.g. bitnami/etcd:3.5.12-debian-11-r9, for reliability.
  • If full upstream compatibility is required, consider the official image (quay.io/coreos/etcd:v3.5.12).

Tasks:

  • Evaluate Bitnami vs official etcd images for CI reliability and configuration.
  • Update .github/workflows/go.yml to use the selected image and a specific version tag.
  • Add a newline to the end of the YAML file.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #48


Summary by CodeRabbit

  • Chores
    • Updated etcd service configuration in CI/CD workflows to use a stable, versioned container image with enhanced client URL configuration and improved security settings.
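
Added example (not code from this repository or from the PR): a stdlib-only Python check for the version-pinning point made in the PR description above, classifying each image: reference in a workflow as untagged, latest, tag-pinned or digest-pinned. The two workflow snippets are constructed from the values named in the description, and the function names are hypothetical.

```python
import re

# Matches "image: <ref>" lines as written under services: or container: keys.
IMAGE_LINE = re.compile(r"^\s*image:\s*['\"]?([^'\"\s#]+)")

def classify_image(ref):
    """Return 'digest', 'tag', 'latest' or 'untagged' for an image reference."""
    if "@sha256:" in ref:
        return "digest"
    # Only a ':' after the last '/' is a tag; host:5000/etcd carries a port, not a tag.
    name = ref.rsplit("/", 1)[-1]
    if ":" not in name:
        return "untagged"  # the runtime resolves this to :latest
    return "latest" if name.split(":", 1)[1] == "latest" else "tag"

def audit_workflow(text):
    """Return (line_number, image_ref, pin_level) for each image: line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = IMAGE_LINE.match(line)
        if match:
            findings.append((number, match.group(1), classify_image(match.group(1))))
    return findings

def mutable_images(text):
    """Images whose content can change between runs with no workflow change."""
    return [f for f in audit_workflow(text) if f[2] in ("latest", "untagged")]

# Constructed snippets built from the values named in the PR description,
# not copied from the repository's workflow files.
BEFORE = """\
services:
  etcd:
    image: bitnami/etcd:latest
    env:
      ALLOW_NONE_AUTHENTICATION: "yes"
"""
AFTER = """\
services:
  etcd:
    image: quay.io/coreos/etcd:v3.6.5
    env:
      ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379"
      ETCD_ADVERTISE_CLIENT_URLS: "http://localhost:2379"
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_workflow(text), "mutable:", mutable_images(text))
```

A version tag such as v3.6.5 is still a pointer the registry can move; only the digest form fixes the image content, which is why the check reports the two levels separately.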

coderabbitai bot commented Oct 20, 2025

Walkthrough

The pull request updates two GitHub Actions workflow files (go.yml and sonar.yml) to replace the unavailable bitnami/etcd:latest Docker image with quay.io/coreos/etcd:v3.6.5, pinning to a specific version of the official etcd image. The environment variable configuration is modified by removing ALLOW_NONE_AUTHENTICATION: "yes" and adding ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379" to properly configure client URL listening. A trailing newline is added to sonar.yml.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

The changes are homogeneous and straightforward—consistent image tag replacement and environment variable substitution across two workflow files with minimal logic density. The modifications follow a predictable pattern requiring verification that the new image version and configuration are compatible with existing workflows.

Poem

🐰 A hop, a skip, through workflows we go,
Old bitnami fades—new etcd's the show!
Pinned versions now keep our CI stable and bright,
With listening URLs configured just right! 🎉

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check | ✅ Passed | The pull request title "Update etcd Docker image to official quay.io/coreos/etcd:v3.6.5" directly and clearly describes the primary change in the changeset. The title is concise, specific, and accurately reflects the main objective—migrating from bitnami/etcd:latest to the official etcd image at quay.io/coreos/etcd:v3.6.5. It provides sufficient clarity for a teammate reviewing the repository history to immediately understand the purpose of the change.
Linked Issues Check | ✅ Passed | The pull request addresses all coding-related requirements from linked issue #48. The etcd Docker image has been updated to the official quay.io/coreos/etcd:v3.6.5 (pinned version) in .github/workflows/go.yml, satisfying the requirement to use a selected image with a specific version tag. Environment variables have been appropriately modified to support the official image: ALLOW_NONE_AUTHENTICATION (Bitnami-specific) was removed and ETCD_LISTEN_CLIENT_URLS was added for proper listener configuration. Trailing newlines have been added to both workflow YAML files to comply with POSIX standards, as confirmed in the PR objectives. All core objectives from the linked issue are met.
Out of Scope Changes Check | ✅ Passed | The changes align with the scope defined in linked issue #48. The image replacement, version pinning, environment variable adjustments, and newline addition are all necessary and directly related to resolving the unavailable bitnami/etcd:latest image problem. The update to both .github/workflows/go.yml and .github/workflows/sonar.yml, whilst sonar.yml was not explicitly mentioned in the task list, represents a reasonable consistency improvement as both workflows shared the same underlying issue with the deprecated image. The environment variable modifications (removing ALLOW_NONE_AUTHENTICATION and adding ETCD_LISTEN_CLIENT_URLS) are essential changes required to make the official etcd image function correctly, rather than unnecessary additions.
Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped.

Copilot AI and others added 3 commits October 20, 2025 10:14
Co-authored-by: dasco144 <10575019+dasco144@users.noreply.github.com>
Co-authored-by: dasco144 <10575019+dasco144@users.noreply.github.com>
Co-authored-by: dasco144 <10575019+dasco144@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Investigate and update etcd Docker image in CI workflow" to "Update etcd Docker image to official quay.io/coreos/etcd:v3.6.5" on Oct 20, 2025
Copilot AI requested a review from dasco144 October 20, 2025 10:25
@dasco144 dasco144 requested a review from echarrod October 20, 2025 13:01
@dasco144
@coderabbitai review

coderabbitai bot commented Oct 20, 2025

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/go.yml (1)

44-44: Port access syntax differs from sonar.yml, but both should work.

In go.yml line 44, the port is accessed via job.services.etcd.ports[2379] (numeric key), whereas sonar.yml line 33 uses job.services.etcd.ports['2379'] (string key). Both syntaxes are valid in GitHub Actions, but consistency across workflows would improve maintainability.

If preferred, align both files to use the same port key syntax (either [2379] or ['2379']). The numeric form is slightly more readable. This is optional — both forms function identically.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a755bac and df4aa62.

📒 Files selected for processing (2)
  • .github/workflows/go.yml (1 hunks)
  • .github/workflows/sonar.yml (2 hunks)
🔇 Additional comments (3)
.github/workflows/sonar.yml (2)

16-16: Official etcd image with pinned version is a solid improvement.

Migrating from bitnami/etcd:latest (no longer freely available) to the maintained official quay.io/coreos/etcd:v3.6.5 with version pinning is the right call for CI reliability and reproducibility. The environment variable changes are correct for the official image: ETCD_LISTEN_CLIENT_URLS: "http://0.0.0.0:2379" enables container accessibility, and the removal of Bitnami-specific ALLOW_NONE_AUTHENTICATION is appropriate.

Please verify that quay.io/coreos/etcd:v3.6.5 is still actively maintained and free of known security vulnerabilities. If you need help, I can search the latest release information and CVE advisories.

Also applies to: 18-19


40-40: Verify POSIX-compliant trailing newline.

The PR notes mention adding a missing trailing newline to sonar.yml for POSIX compliance. Please confirm the file ends with a newline character after line 40.

.github/workflows/go.yml (1)

21-21: Configuration mirrors sonar.yml — good consistency.

The image upgrade and environment variables match sonar.yml, which ensures uniform etcd configuration across both CI workflows. The removal of Bitnami-specific authentication and addition of proper listen/advertise URLs are correct for the official etcd image.

Also applies to: 23-24

@echarrod echarrod marked this pull request as ready for review October 20, 2025 13:26
@echarrod echarrod merged commit e1bbffa into main Oct 20, 2025
11 checks passed