saurabh-arios

Fixed helm failure according to https://github.com/helm/helm-www/pull/1750/files
Current implementation fails on my M1 Mac with arm architecture

@CLAassistant

CLAassistant commented Sep 12, 2025

CLA assistant check
All committers have signed the CLA.

@coderabbitai
Contributor

coderabbitai bot commented Sep 12, 2025

Walkthrough

The Dockerfile switches Helm installation from an inline script to APT-based installation via the official Helm repository. It removes Kubernetes release verification environment variables, installs Helm in the builder stage, and copies the binary to the final image with updated paths and permissions.

Changes

Cohort / File(s): Docker build and tooling adjustments (Dockerfile)

Summary:
- Remove ENV VERIFY_CHECKSUM and VERIFY_SIGNATURES in builder stage
- Add Helm APT key and repo; install helm via apt
- Clean apt lists post-install
- Install Helm to /usr/bin/helm (builder) and copy to /usr/local/bin/helm (final)
- Retain chmod and helm --version execution

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant Dev as Docker Builder (Stage 1)
  participant APT as APT Repos
  participant Final as Final Image (Stage 2)

  Dev->>APT: Add Helm GPG key and repo
  Dev->>APT: apt-get update
  Dev->>APT: apt-get install helm
  Note right of Dev: Helm installed at /usr/bin/helm

  Dev-->>Final: COPY /usr/bin/helm -> /usr/local/bin/helm
  Final->>Final: chmod +x /usr/local/bin/helm
  Final->>Final: helm --version

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • helm installation fix #934: Similar Dockerfile changes replacing script-based Helm install with APT and adjusting binary copy paths.

Suggested reviewers

  • Sheeproid

Pre-merge checks (3 passed)

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title Check | ✅ Passed | The title directly describes the primary purpose of the changeset — resolving a Helm build failure. The raw_summary and PR objectives show the main changes replace an inline Helm installer with an apt-based installation and address ARM/M1 build issues, which the title references. Therefore the title is related and sufficiently summarizes the primary change for reviewers scanning history. |
| Description Check | ✅ Passed | The PR description states it fixes a Helm build failure, links to the upstream change, and notes the issue occurs on M1/ARM, which aligns with the Dockerfile changes and PR objectives that switch Helm installation to apt and remove verification flags. This makes the description relevant to the changeset and not off-topic, so it passes the lenient description check. The description could be expanded with file-level notes and the CLA status to better assist reviewers. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a12c989 and 8f6a9ce.

📒 Files selected for processing (1)
  • Dockerfile (2 hunks)
🔇 Additional comments (1)
Dockerfile (1)

138-141: Helm binary handoff LGTM

Copying from builder’s /usr/bin/helm to /usr/local/bin/helm in the final stage and verifying with helm version looks good.

Comment on lines +60 to +66
# Install Helm - https://github.com/helm/helm-www/pull/1750/files
RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor -o /usr/share/keyrings/helm.gpg \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \
| tee /etc/apt/sources.list.d/helm-stable-debian.list \
&& apt-get update \
&& apt-get install -y helm \
&& rm -rf /var/lib/apt/lists/*
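
Review bot: The key at packages.buildkite.com/helm-linux/helm-debian/gpgkey is fetched at build time from the same host that serves the packages, so `signed-by=/usr/share/keyrings/helm.gpg` on the deb line only proves the packages match whatever key that host returned during this build. Record the expected fingerprint in the Dockerfile and compare the downloaded key against it (for example with `gpg --show-keys --with-fingerprint`) before writing the keyring, so a changed key fails the build instead of being trusted silently.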
💡 Verification agent

🧩 Analysis chain

Harden Helm APT install: avoid pipe-to-gpg, reduce deps, and pin/hold for reproducibility

Current pipeline-to-gpg can mask download failures, and unpinned installs hurt repeatability. Also install with no-recommends and hold the package to prevent accidental upgrades.

Apply this diff within this RUN block:

-RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor -o /usr/share/keyrings/helm.gpg \
-    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \
-    | tee /etc/apt/sources.list.d/helm-stable-debian.list \
-    && apt-get update \
-    && apt-get install -y helm \
-    && rm -rf /var/lib/apt/lists/*
+RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey -o /tmp/helm.gpgkey \
+    && gpg --batch --yes --dearmor -o /usr/share/keyrings/helm.gpg /tmp/helm.gpgkey \
+    && rm -f /tmp/helm.gpgkey \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \
+    | tee /etc/apt/sources.list.d/helm-stable-debian.list \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends helm \
+    && apt-mark hold helm \
+    && rm -rf /var/lib/apt/lists/*
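
Review bot: `apt-mark hold helm` on the added line after the install does not pin anything for the build: `apt-get install -y --no-install-recommends helm` still takes whatever version the repository offers when the layer is built, and a hold only affects later apt runs inside the same image. If repeatable builds are the goal stated in the heading, install an explicit version (`helm=<version>`, value to be chosen by the maintainers) and drop the hold, or keep the hold only if a later stage runs `apt-get upgrade`.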

Please confirm the upstream source and key fingerprint to lock this down:


🌐 Web query:

As of September 2025, is packages.buildkite.com/helm-linux/helm-debian the official APT repository recommended by Helm docs? What is the current GPG key fingerprint for this repo?

💡 Result:

No — Helm's official docs (helm.sh) recommend the APT repo at https://baltocdn.com/helm/stable/debian/ (not packages.buildkite.com). [1][2]

The signing key used by that repo is commonly referenced by key ID 294AC4827C1A168A (seen in Helm community/GitHub reports). [3][4]

Sources:

  • Helm installation docs (Apt instructions pointing at baltocdn.com). [1]
  • Example Helm apt install instructions / mirrors. [2]
  • Helm community issue showing the repo public-key ID NO_PUBKEY 294AC4827C1A168A. [3]
  • Additional discussion/examples referencing the same key ID. [4]

Harden Helm APT install, verify upstream repo & GPG key (Dockerfile: lines 60–66)

Apply the hardening diff below (avoid pipe-to-gpg, use --no-install-recommends, hold package). Also: the Dockerfile currently points at packages.buildkite.com — Helm's docs recommend the official APT repo at https://baltocdn.com/helm/stable/debian/ and the signing key is commonly referenced by key ID 294AC4827C1A168A; replace the repo with the official one or confirm packages.buildkite.com is intentional and provide the full GPG fingerprint before merging.

-RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor -o /usr/share/keyrings/helm.gpg \
-    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \
-    | tee /etc/apt/sources.list.d/helm-stable-debian.list \
-    && apt-get update \
-    && apt-get install -y helm \
-    && rm -rf /var/lib/apt/lists/*
+RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey -o /tmp/helm.gpgkey \
+    && gpg --batch --yes --dearmor -o /usr/share/keyrings/helm.gpg /tmp/helm.gpgkey \
+    && rm -f /tmp/helm.gpgkey \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \
+    | tee /etc/apt/sources.list.d/helm-stable-debian.list \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends helm \
+    && apt-mark hold helm \
+    && rm -rf /var/lib/apt/lists/*
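
Review bot: Both the key URL on the first `+` line and the `deb [...]` line keep packages.buildkite.com, the host this same comment asks the author to replace or confirm, so applying the diff as written leaves that question open. The PR description cites helm/helm-www pull 1750 as the source of the change; checking the repo URL against that upstream change and stating the result in the Dockerfile comment would settle it before merge.
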
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Install Helm - https://github.com/helm/helm-www/pull/1750/files
RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey | gpg --dearmor -o /usr/share/keyrings/helm.gpg \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \
| tee /etc/apt/sources.list.d/helm-stable-debian.list \
&& apt-get update \
&& apt-get install -y helm \
&& rm -rf /var/lib/apt/lists/*
# Install Helm - https://github.com/helm/helm-www/pull/1750/files
RUN curl -fsSL https://packages.buildkite.com/helm-linux/helm-debian/gpgkey -o /tmp/helm.gpgkey \
&& gpg --batch --yes --dearmor -o /usr/share/keyrings/helm.gpg /tmp/helm.gpgkey \
&& rm -f /tmp/helm.gpgkey \
&& echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/helm.gpg] https://packages.buildkite.com/helm-linux/helm-debian/any/ any main" \
| tee /etc/apt/sources.list.d/helm-stable-debian.list \
&& apt-get update \
&& apt-get install -y --no-install-recommends helm \
&& apt-mark hold helm \
&& rm -rf /var/lib/apt/lists/*
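
The failure mode the review describes (a pipe hiding a failed download) next to the download-then-verify alternative, as an added shell example that is not part of the PR or of CodeRabbit's suggestion. `fetch_fail`, `fetch_ok` and `dearmor` are constructed stand-ins for `curl -f` and `gpg --dearmor`, and pinning a SHA-256 of the key file is an assumption used here in place of a fingerprint check.

```shell
#!/bin/sh
# Added example with constructed stand-ins; no network access or gpg is used.
fetch_fail() { return 22; }                       # like `curl -f` on an HTTP error
fetch_ok()   { printf 'constructed key material\n'; }
dearmor()    { cat > "$1"; }                      # stand-in for `gpg --dearmor -o FILE`

# Shape of the original RUN line: fetch | dearmor.
# The pipeline's status is dearmor's, so a failed fetch is not reported.
piped_install() {            # $1 = fetch function, $2 = keyring path
    "$1" | dearmor "$2"
}

# Download to a file, check it against a pinned digest, then convert.
# Returns 1 on fetch failure, 2 on digest mismatch, 3 if conversion fails.
staged_install() {           # $1 = fetch function, $2 = keyring path, $3 = pinned sha256
    tmp=$(mktemp) || return 1
    if ! "$1" > "$tmp"; then rm -f "$tmp"; return 1; fi
    actual=$(sha256sum "$tmp" | cut -d' ' -f1)
    if [ "$actual" != "$3" ]; then rm -f "$tmp"; return 2; fi
    if dearmor "$2" < "$tmp"; then st=0; else st=3; fi
    rm -f "$tmp"
    return "$st"
}

# In a real build the pin is a literal recorded out of band; it is computed
# here only because the key material is constructed for the example.
PINNED=$(fetch_ok | sha256sum | cut -d' ' -f1)

work=$(mktemp -d)
piped_install fetch_fail "$work/piped.gpg" \
    && echo "piped:  exit 0 after a failed fetch, empty keyring written"
staged_install fetch_fail "$work/staged.gpg" "$PINNED" \
    || echo "staged: exit $? after a failed fetch, no keyring written"
staged_install fetch_ok "$work/staged.gpg" "0000" \
    || echo "staged: exit $? on digest mismatch"
staged_install fetch_ok "$work/staged.gpg" "$PINNED" \
    && echo "staged: exit 0, keyring written after digest check"
rm -rf "$work"
```

Docker runs `RUN` lines with `/bin/sh -c` by default, so the piped form behaves as `piped_install` does unless the Dockerfile changes the shell or enables `pipefail`.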
