Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

🚀 Build Images Ready

Images are ready for commit b9b5b62. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.12.x-302-gb9b5b62037

@porridge @davdhacs I have simplified and removed the checksums, relying on TLS entirely.

@porridge @davdhacs I have simplified and removed the checksums, relying on TLS entirely.

ty! and TLS includes a checksum on download, maybe safe enough? 😉

Also I really like that ROXIE_VERSION now matches the name and content-type of the other *_VERSION files. 📏

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

_{Comment @coderabbitai help to get the list of available commands.}

@davdhacs & @porridge, after having completed several roxie features (stackrox/roxie#203, stackrox/roxie#204, stackrox/roxie#214), I am picking this PR up again and would like to get this merged.

I have polished some parts, fleshed out the README, added a roxie-config for persisting default deployment settings, rebased from current master.

Looking forward to some fresh review. :-)

@mclasmeier: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Full PR test history. Your PR dashboard.

@coderabbitai, please a fresh review, resolve all comments that are properly addressed.

#!/bin/bash
set -euo pipefail

echo "=== PR Review Comments ==="
gh pr view 20731 --repo stackrox/stackrox --json reviews,reviewRequests,comments | jq '.'

echo ""
echo "=== PR Review Threads ==="
gh api graphql -f query='
{
  repository(owner: "stackrox", name: "stackrox") {
    pullRequest(number: 20731) {
      reviewThreads(first: 50) {
        nodes {
          id
          isResolved
          isOutdated
          comments(first: 10) {
            nodes {
              author { login }
              body
              path
              line
              createdAt
            }
          }
        }
      }
    }
  }
}' | jq '.'

#!/bin/bash
set -euo pipefail

echo "=== scripts/roxie.sh ==="
cat -n scripts/roxie.sh

echo ""
echo "=== deploy/deploy.sh (new content) ==="
cat -n deploy/deploy.sh | head -100

echo ""
echo "=== ROXIE_VERSION ==="
cat ROXIE_VERSION

echo ""
echo "=== deploy/roxie-config.yaml ==="
cat deploy/roxie-config.yaml

echo ""
echo "=== scripts/teardown.sh ==="
cat scripts/teardown.sh

echo ""
echo "=== deploy/README.md ==="
cat deploy/README.md

@mclasmeier All four comments from the previous round are properly addressed — the aarch64 fix, the asset_id guard, the typo, and the path correction are all in the current code. I've confirmed those threads are already resolved.

Here are two new observations from the fresh read:

scripts/roxie.sh, lines 74–76 — xattr -d on a curl download may always fail on macOS

if [[ "$os" == "darwin" ]]; then
    xattr -d com.apple.quarantine "$tmp_roxie"
fi

The macOS quarantine extended attribute (com.apple.quarantine) is set by GUI applications (Finder, Safari, etc.) via LSSetItemAttribute. Command-line curl does not set it. So when this path is hit, xattr -d will return exit code 1 because the attribute doesn't exist on the mktemp-created file. With set -euo pipefail at the top of the script, that non-zero exit aborts the entire installation.

Suggested fix — swallow the error when the attribute is absent:

if [[ "$os" == "darwin" ]]; then
    xattr -d com.apple.quarantine "$tmp_roxie" 2>/dev/null || true
fi

scripts/roxie.sh, line 116 — unusual GitHub API version date

-H "X-GitHub-Api-Version: 2026-03-10" \

The widely-documented stable GitHub REST API version is 2022-11-28. The date 2026-03-10 is after my knowledge cutoff — if this is intentional (e.g. a newly published version), that's fine, but it's worth a quick confirmation that this header value works correctly with the GitHub Releases API endpoint, since an unrecognised version value may cause unexpected behaviour.

@coderabbitai, final review?
The API version works just fine, no need to complain about it.

@mclasmeier, understood — withdrawing the API version comment, noted that it's a valid and working header value.

Triggering the final review now — I'll carry forward only the outstanding xattr -d concern (it may abort on macOS when the quarantine attribute isn't present on curl-downloaded files) unless that has already been addressed in the latest push.

📝 Learnings were identified and not saved (knowledge base disabled). Enable