Enable hermetic builds

Signed-off-by: Dale Haiducek <[email protected]>

.tekton/acm-cli-acm-213-pull-request.yaml

@@ -32,6 +32,10 @@ spec:
       value: Dockerfile.rhtap
     - name: path-context
       value: .
+    - name: hermetic
+      value: "true"
+    - name: prefetch-input
+      value: '[{"type": "gomod", "path": "."},{"type": "rpm", "path": "."},{"type": "generic", "path": "."}]'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -181,6 +185,8 @@ spec:
             value: $(params.output-image).prefetch
           - name: ociArtifactExpiresAfter
             value: $(params.image-expires-after)
+          - name: dev-package-managers
+            value: "true"
         runAfter:
           - clone-repository
         taskRef:

.tekton/acm-cli-acm-213-push.yaml

@@ -29,6 +29,10 @@ spec:
       value: Dockerfile.rhtap
     - name: path-context
       value: .
+    - name: hermetic
+      value: "true"
+    - name: prefetch-input
+      value: '[{"type": "gomod", "path": "."},{"type": "rpm", "path": "."},{"type": "generic", "path": "."}]'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -178,6 +182,8 @@ spec:
             value: $(params.output-image).prefetch
           - name: ociArtifactExpiresAfter
             value: $(params.image-expires-after)
+          - name: dev-package-managers
+            value: "true"
         runAfter:
           - clone-repository
         taskRef:

Dockerfile

@@ -1,6 +1,6 @@
 FROM registry.ci.openshift.org/stolostron/builder:go1.22-linux AS builder
 
-ENV RELEASE_TAG=release-2.12 \
+ENV RELEASE_TAG=release-2.13 \
     REPO_PATH=/go/src/github.com/stolostron/acm-cli
 
 WORKDIR ${REPO_PATH}
@@ -16,9 +16,7 @@ FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 
 ENV REPO_PATH=/go/src/github.com/stolostron/acm-cli
 
-RUN microdnf update -y \
-    && microdnf install -y tar \
-    && microdnf clean all
+RUN microdnf install -y tar
 
 # Copy binaries from builder
 COPY --from=builder ${REPO_PATH}/build/_output/* /acm-cli/

Dockerfile.rhtap

@@ -1,6 +1,6 @@
 FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.22 AS builder
 
-ENV RELEASE_TAG=release-2.12 \
+ENV RELEASE_TAG=release-2.13 \
     REPO_PATH=/go/src/github.com/stolostron/acm-cli
 
 WORKDIR ${REPO_PATH}
@@ -16,9 +16,7 @@ FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 
 ENV REPO_PATH=/go/src/github.com/stolostron/acm-cli
 
-RUN microdnf update -y \
-    && microdnf install -y tar \
-    && microdnf clean all
+RUN microdnf install -y tar
 
 # Copy binaries from builder
 COPY --from=builder ${REPO_PATH}/build/_output/* /acm-cli/

Makefile

@@ -50,7 +50,7 @@ REMOTE_SOURCES_SUBDIR ?=
 
 .PHONY: build
 build:
-	CGO_ENABLED=1 go build -o $(BUILD_DIR)/acm-cli-server ./server/main.go
+	CGO_ENABLED=1 go build -mod=readonly -o $(BUILD_DIR)/acm-cli-server ./server/main.go
 
 .PHONY: build-image
 build-image:

artifacts.lock.yaml

@@ -0,0 +1,10 @@
+---
+metadata:
+  version: "1.0"
+artifacts:
+  - download_url: https://github.com/stolostron/policy-cli/archive/refs/heads/release-2.13.tar.gz
+    checksum: md5:5ce60871041cfdbd90eda56c188eecd8
+    filename: policy-cli.tar.gz
+  - download_url: https://github.com/stolostron/policy-generator-plugin/archive/refs/heads/release-2.13.tar.gz
+    checksum: md5:29f8b7babf26bcf860f6f26c22922c21
+    filename: policy-generator-plugin.tar.gz

rpms.in.yaml

@@ -0,0 +1,12 @@
+contentOrigin:
+  repofiles:
+    - /etc/yum.repos.d/ubi.repo
+packages:
+  - tar
+context:
+  containerfile: Dockerfile.rhtap
+arches:
+  - aarch64
+  - x86_64
+  - s390x
+  - ppc64le

rpms.lock.yaml

@@ -0,0 +1,48 @@
+---
+lockfileVersion: 1
+lockfileVendor: redhat
+arches:
+- arch: aarch64
+  packages:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/os/Packages/t/tar-1.34-7.el9.aarch64.rpm
+    repoid: ubi-9-baseos-rpms
+    size: 900197
+    checksum: sha256:44552dea889d350403c3074a33d7cb274b3f57553e47db998745df13f931b458
+    name: tar
+    evr: 2:1.34-7.el9
+    sourcerpm: tar-1.34-7.el9.src.rpm
+  source: []
+  module_metadata: []
+- arch: ppc64le
+  packages:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/ppc64le/baseos/os/Packages/t/tar-1.34-7.el9.ppc64le.rpm
+    repoid: ubi-9-baseos-rpms
+    size: 937724
+    checksum: sha256:f2cc206dfacc9981fad6cf33600ad28bcd1c573f16d8c18523dc9df52ca90660
+    name: tar
+    evr: 2:1.34-7.el9
+    sourcerpm: tar-1.34-7.el9.src.rpm
+  source: []
+  module_metadata: []
+- arch: s390x
+  packages:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/t/tar-1.34-7.el9.s390x.rpm
+    repoid: ubi-9-baseos-rpms
+    size: 902370
+    checksum: sha256:fa8758bac6a56830de66ad1ab623c87768065bcc6f8242faa42ac4198260d456
+    name: tar
+    evr: 2:1.34-7.el9
+    sourcerpm: tar-1.34-7.el9.src.rpm
+  source: []
+  module_metadata: []
+- arch: x86_64
+  packages:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/t/tar-1.34-7.el9.x86_64.rpm
+    repoid: ubi-9-baseos-rpms
+    size: 910235
+    checksum: sha256:17f2e592a2c04c050b690afeb9042e02521a0b5ee3288dad837463f4acf542c3
+    name: tar
+    evr: 2:1.34-7.el9
+    sourcerpm: tar-1.34-7.el9.src.rpm
+  source: []
+  module_metadata: []