@rjaegers
Member

🚀 Hey, I have created a Pull Request

Description of changes

This pull request updates the .devcontainer/cpp/Dockerfile to improve how the ARM GCC toolchain is installed for both x86_64 and aarch64 development containers. The changes streamline the download and extraction process, ensure better caching for package installs, and remove redundant installation steps.

ARM GCC toolchain integration:

  • Added steps to download the ARM GNU toolchain archives for both x86_64 and aarch64 architectures during the image build process, ensuring the correct toolchain is available for cross-compilation. [1] [2]
  • Updated the extraction process to unpack the ARM toolchain from the downloaded archive (excluding unnecessary components) directly during the main build stage, and moved the extracted toolchain to /opt/gcc-arm-none-eabi. [1] [2]
  • Removed the previous approach of downloading and extracting the ARM toolchain via a separate wget command, reducing redundancy and potential network failures during build.

Build performance improvements:

  • Introduced caching for apt package management directories to speed up repeated builds and reduce network usage.

✔️ Checklist

  • I have followed the contribution guidelines for this repository
  • I have added tests for new behavior, and have not broken any existing tests
  • I have added or updated relevant documentation
  • I have verified that all added components are accounted for in the SBOM

@rjaegers rjaegers requested a review from a team as a code owner January 28, 2026 16:48
Copilot AI review requested due to automatic review settings January 28, 2026 16:48
Contributor

Copilot AI left a comment

Pull request overview

This pull request enhances the ARM GCC toolchain installation process in the C++ devcontainer by pre-downloading the toolchain archives during the build stage and verifying their integrity with checksums. The changes eliminate the runtime wget download, improve build performance through apt caching, and ensure the correct architecture-specific toolchain is available.

Changes:

  • Added ARM GNU toolchain downloads with SHA256 checksums for both x86_64 and aarch64 architectures in the downloader stages
  • Consolidated toolchain extraction into the main RUN instruction with apt caching enabled
  • Replaced the separate wget-based ARM toolchain installation with extraction from pre-downloaded archives


set -e

tar xJf /dl/arm-gnu-toolchain.tar.xz --exclude="*arm-none-eabi-gdb*" --exclude="share" --strip-components=1

Copilot AI Jan 28, 2026

The ARM toolchain extraction lacks an explicit destination directory (no -C flag), which means it extracts to the current working directory (/). This could create unexpected files in the root filesystem. Consider adding -C /src or another appropriate destination directory to match the later mv /src/arm-none-eabi command on line 125.

Suggested change
tar xJf /dl/arm-gnu-toolchain.tar.xz --exclude="*arm-none-eabi-gdb*" --exclude="share" --strip-components=1
mkdir -p /src
tar xJf /dl/arm-gnu-toolchain.tar.xz -C /src --exclude="*arm-none-eabi-gdb*" --exclude="share" --strip-components=1

Copilot uses AI. Check for mistakes.
RUN mkdir /opt/gcc-arm-none-eabi \
&& wget --no-hsts -qO - "https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-$(uname -m)-arm-none-eabi.tar.xz" | tar --exclude='*arm-none-eabi-gdb*' --exclude='share' --strip-components=1 -xJC /opt/gcc-arm-none-eabi
# Install arm-gcc toolchain
mv /src/arm-none-eabi /opt/gcc-arm-none-eabi

Copilot AI Jan 28, 2026

This command assumes that the ARM toolchain was extracted to /src/arm-none-eabi, but the extraction on line 58 doesn't specify -C /src as the destination. The toolchain is being extracted to the working directory (/) with --strip-components=1, which would place the arm-none-eabi directory at /arm-none-eabi, not /src/arm-none-eabi. Either update line 58 to extract to /src or change this line to mv /arm-none-eabi /opt/gcc-arm-none-eabi.

Suggested change
mv /src/arm-none-eabi /opt/gcc-arm-none-eabi
mv /arm-none-eabi /opt/gcc-arm-none-eabi

Copilot uses AI. Check for mistakes.
@github-actions
Contributor

github-actions bot commented Jan 28, 2026

MegaLinter analysis: Error

| Descriptor | Linter | Files | Fixed | Errors | Warnings | Elapsed time |
|---|---|---|---|---|---|---|
| ✅ ACTION | actionlint | 20 | | 0 | 0 | 0.5s |
| ❌ DOCKERFILE | hadolint | 3 | | 1 | 2 | 0.65s |
| ✅ GHERKIN | gherkin-lint | 6 | | 0 | 0 | 2.1s |
| ✅ JSON | npm-package-json-lint | yes | | no | no | 0.36s |
| ✅ JSON | prettier | 21 | 4 | 0 | 0 | 0.45s |
| ✅ JSON | v8r | 21 | | 0 | 0 | 6.82s |
| ✅ MARKDOWN | markdownlint | 12 | 0 | 0 | 0 | 0.81s |
| ✅ MARKDOWN | markdown-table-formatter | 12 | 0 | 0 | 0 | 0.21s |
| ✅ REPOSITORY | checkov | yes | | no | no | 16.33s |
| ✅ REPOSITORY | gitleaks | yes | | no | no | 0.43s |
| ✅ REPOSITORY | git_diff | yes | | no | no | 0.01s |
| ✅ REPOSITORY | grype | yes | | no | no | 33.7s |
| ✅ REPOSITORY | secretlint | yes | | no | no | 0.77s |
| ✅ REPOSITORY | syft | yes | | no | no | 1.8s |
| ✅ REPOSITORY | trivy | yes | | no | no | 6.85s |
| ✅ REPOSITORY | trivy-sbom | yes | | no | no | 0.21s |
| ✅ REPOSITORY | trufflehog | yes | | no | no | 2.35s |
| ⚠️ SPELL | lychee | 80 | | 1 | 0 | 11.48s |
| ✅ YAML | prettier | 28 | 0 | 0 | 0 | 0.88s |
| ✅ YAML | v8r | 28 | | 0 | 0 | 7.78s |
| ✅ YAML | yamllint | 28 | | 0 | 0 | 0.72s |

Detailed Issues

❌ DOCKERFILE / hadolint - 1 error
warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
   ┌─ .devcontainer/cpp/Dockerfile:48:1
   │
48 │ RUN --mount=from=downloader,target=/dl <<EOF
   │ ^

warning: In POSIX sh, == in place of = is undefined.
   ┌─ .devcontainer/cpp/Dockerfile:48:1
   │
48 │ RUN --mount=from=downloader,target=/dl <<EOF
   │ ^

warning: 2 warnings emitted
⚠️ SPELL / lychee - 1 error
[IGNORED] docker://pandoc/extra:3.7.0@sha256:a703d335fa237f8fc3303329d87e2555dca5187930da38bfa9010fa4e690933a | Unsupported: Error creating request client: builder error for url (docker://pandoc/extra:3.7.0@sha256:a703d335fa237f8fc3303329d87e2555dca5187930da38bfa9010fa4e690933a)
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads | Network error: Forbidden
[IGNORED] https://vscode.dev/redirect?url=vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer | Unsupported: Error creating request client: builder error for url (vscode://ms-vscode-remote.remote-containers/cloneInVolume?url=https://github.com/philips-software/amp-devcontainer)
📝 Summary
---------------------
🔍 Total..........126
✅ Successful.....123
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........0
❓ Unknown..........0
🚫 Errors...........1

Errors in .github/TOOL_VERSION_ISSUE_TEMPLATE.md
[403] https://developer.arm.com/downloads/-/arm-gnu-toolchain-downloads | Network error: Forbidden

See detailed reports in MegaLinter artifacts

@github-actions
Contributor

github-actions bot commented Jan 28, 2026

📦 Container Size Analysis

Note

Comparing ghcr.io/philips-software/amp-devcontainer-base:edge to ghcr.io/philips-software/amp-devcontainer-base:pr-1108

📈 Size Comparison Table

| OS/Platform | Previous | Current | Change | Trend |
|---|---|---|---|---|
| linux/amd64 | 165.43 MB | 167.84 MB | +2.41 MB (+1.46%) | 🔼 |
| linux/arm64 | 158.37 MB | 160.6 MB | +2.23 MB (+1.41%) | 🔼 |

@github-actions
Contributor

github-actions bot commented Jan 28, 2026

Test Results

2 files   -  5  2 suites   - 5   0s ⏱️ - 3m 59s
1 tests  - 32  1 ✅  - 32  0 💤 ±0  0 ❌ ±0 
2 runs   - 67  2 ✅  - 67  0 💤 ±0  0 ❌ ±0 

Results for commit 39c7cdf. ± Comparison against base commit 30b6a59.

♻️ This comment has been updated with latest results.

Copilot AI review requested due to automatic review settings January 29, 2026 06:42
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comment on lines 53 to 55

set -e

Copilot AI Jan 29, 2026

Unnecessary blank lines have been added around set -e. These blank lines don't add clarity and should be removed to maintain consistency with the existing code style.

Suggested change
set -e
set -e

Copilot uses AI. Check for mistakes.
Copilot AI review requested due to automatic review settings January 29, 2026 09:31
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

wget --no-hsts -qO "${ARM_GNU_TOOLCHAIN_TAR}" "${ARM_GNU_TOOLCHAIN_URL}"
echo "${ARM_GNU_TOOLCHAIN_SHA256} ${ARM_GNU_TOOLCHAIN_TAR}" | sha256sum -c -

tar xJf "${ARM_GNU_TOOLCHAIN_TAR}" --exclude="*arm-none-eabi-gdb*" --exclude="share" --strip-components=1
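
Review bot: the `--exclude="share"` pattern on the tar line is unanchored (assuming GNU tar, where exclude patterns match at any depth by default), so it drops every archive member that has a path component named share, not only the top-level directory. The removed wget | tar command shown elsewhere in this thread used the same pattern, so the behaviour is unchanged, but it is worth confirming that nothing needed lives under a nested share directory, or narrowing the pattern to the top-level path.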

Copilot AI Jan 29, 2026

The tar extraction uses --strip-components=1 but extracts to the current directory (/src) without specifying a target directory. Later, line 133 expects the extracted content at /src/arm-none-eabi. The strip-components will remove the top-level directory name from the archive, so the extraction may not produce the expected /src/arm-none-eabi path. Either remove --strip-components=1 or add -C flag to specify the extraction target explicitly.

Suggested change
tar xJf "${ARM_GNU_TOOLCHAIN_TAR}" --exclude="*arm-none-eabi-gdb*" --exclude="share" --strip-components=1
mkdir -p /src
tar xJf "${ARM_GNU_TOOLCHAIN_TAR}" -C /src --exclude="*arm-none-eabi-gdb*" --exclude="share" --strip-components=1

Copilot uses AI. Check for mistakes.
RUN mkdir /opt/gcc-arm-none-eabi \
&& wget --no-hsts -qO - "https://developer.arm.com/-/media/Files/downloads/gnu/14.2.rel1/binrel/arm-gnu-toolchain-14.2.rel1-$(uname -m)-arm-none-eabi.tar.xz" | tar --exclude='*arm-none-eabi-gdb*' --exclude='share' --strip-components=1 -xJC /opt/gcc-arm-none-eabi
# Install arm-gcc toolchain
mv /src/arm-none-eabi /opt/gcc-arm-none-eabi

Copilot AI Jan 29, 2026

This assumes /src/arm-none-eabi exists after extraction on line 64, but the tar command uses --strip-components=1 which removes the top-level directory. The actual directory structure after extraction may not match this expectation. Verify the archive structure and adjust either the extraction command or this mv command accordingly.

Copilot uses AI. Check for mistakes.
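
The interaction between checksum verification, `--strip-components=1`, `--exclude` and the extraction directory that the review comments above discuss, as an added example that is not part of the pull request or the project's Dockerfile. The archive is constructed and uncompressed, its layout (a top-level `demo-toolchain-1.0` directory holding `arm-none-eabi`, `bin` and `share`) is an assumption rather than the real tarball's layout, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example. The archive layout and all names below are constructed for
# this demo; they are assumptions, not the layout of the real toolchain tarball.

make_archive() {            # $1 = path of the tar file to create
    work=$(mktemp -d)
    top="$work/demo-toolchain-1.0"
    mkdir -p "$top/arm-none-eabi/lib" "$top/arm-none-eabi/share" \
             "$top/bin" "$top/share/doc"
    : > "$top/arm-none-eabi/lib/libc.a"
    : > "$top/arm-none-eabi/share/nested.txt"
    : > "$top/bin/arm-none-eabi-gcc"
    : > "$top/bin/arm-none-eabi-gdb"
    : > "$top/share/doc/readme"
    # Uncompressed so the demo does not need xz; the options behave the same.
    tar -cf "$1" -C "$work" demo-toolchain-1.0
    rm -rf "$work"
}

verify_archive() {          # $1 = expected SHA-256, $2 = archive path
    # Non-zero exit status on mismatch, so `set -e` aborts a build here.
    echo "$1  $2" | sha256sum -c - >/dev/null 2>&1
}

extract_toolchain() {       # $1 = archive path, $2 = destination directory
    mkdir -p "$2"
    # -C pins the destination; without it tar writes into the working directory.
    tar -xf "$1" -C "$2" --exclude="*arm-none-eabi-gdb*" --exclude="share" \
        --strip-components=1
}

list_tree() {               # $1 = directory; prints relative paths, sorted
    (cd "$1" && find . | sort)
}

# Demo run: build, verify, extract, then show what landed in the destination.
demo=$(mktemp -d)
make_archive "$demo/tc.tar"
sum=$(sha256sum "$demo/tc.tar" | cut -d' ' -f1)
verify_archive "$sum" "$demo/tc.tar" && extract_toolchain "$demo/tc.tar" "$demo/src"
list_tree "$demo/src"
rm -rf "$demo"
```

In this constructed layout the stripped top-level directory leaves `arm-none-eabi` and `bin` side by side in the destination, and the unanchored `share` pattern also removes `arm-none-eabi/share`.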