stolostron · dhaiducek · Jan 7, 2025 · Jan 14, 2025
diff --git a/.gitignore b/.gitignore
@@ -2,4 +2,3 @@ build/_output/
 bin/
 gosec.json
 kubeconfig_*
-external/
diff --git a/.gitmodules b/.gitmodules
@@ -0,0 +1,9 @@
+[submodule "policy-cli"]
+	path = external/policy-cli
+	url = https://github.com/stolostron/policy-cli
+	branch = release-2.13
+
+[submodule "policy-generator-plugin"]
+	path = external/policy-generator-plugin
+	url = https://github.com/stolostron/policy-generator-plugin
+	branch = release-2.13
diff --git a/.tekton/acm-cli-acm-213-pull-request.yaml b/.tekton/acm-cli-acm-213-pull-request.yaml
@@ -32,6 +32,10 @@ spec:
       value: Dockerfile.rhtap
     - name: path-context
       value: .
+    - name: hermetic
+      value: "true"
+    - name: prefetch-input
+      value: '[{"type": "gomod", "path": "."},{"type": "gomod", "path": "external/policy-cli"},{"type": "gomod", "path": "external/policy-generator-plugin"},{"type": "rpm", "path": "."}]'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -181,6 +185,8 @@ spec:
             value: $(params.output-image).prefetch
           - name: ociArtifactExpiresAfter
             value: $(params.image-expires-after)
+          - name: dev-package-managers
+            value: "true"
         runAfter:
           - clone-repository
         taskRef:

diff --git a/.tekton/acm-cli-acm-213-push.yaml b/.tekton/acm-cli-acm-213-push.yaml
@@ -29,6 +29,10 @@ spec:
       value: Dockerfile.rhtap
     - name: path-context
       value: .
+    - name: hermetic
+      value: "true"
+    - name: prefetch-input
+      value: '[{"type": "gomod", "path": "."},{"type": "gomod", "path": "external/policy-cli"},{"type": "gomod", "path": "external/policy-generator-plugin"},{"type": "rpm", "path": "."}]'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -178,6 +182,8 @@ spec:
             value: $(params.output-image).prefetch
           - name: ociArtifactExpiresAfter
             value: $(params.image-expires-after)
+          - name: dev-package-managers
+            value: "true"
         runAfter:
           - clone-repository
         taskRef:

diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 FROM registry.ci.openshift.org/stolostron/builder:go1.22-linux AS builder
 
-ENV RELEASE_TAG=release-2.12 \
+ENV RELEASE_TAG=release-2.13 \
     REPO_PATH=/go/src/github.com/stolostron/acm-cli
 
 WORKDIR ${REPO_PATH}
@@ -10,15 +10,13 @@ COPY . .
 RUN make build
 
 # Fetch and package imported binaries
-RUN make clone-build-package
+RUN make sync-build-package
 
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 
 ENV REPO_PATH=/go/src/github.com/stolostron/acm-cli
 
-RUN microdnf update -y \
-    && microdnf install -y tar \
-    && microdnf clean all
+RUN microdnf install -y tar
 
 # Copy binaries from builder
 COPY --from=builder ${REPO_PATH}/build/_output/* /acm-cli/

diff --git a/Dockerfile.rhtap b/Dockerfile.rhtap
@@ -1,6 +1,6 @@
 FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.22 AS builder
 
-ENV RELEASE_TAG=release-2.12 \
+ENV RELEASE_TAG=release-2.13 \
     REPO_PATH=/go/src/github.com/stolostron/acm-cli
 
 WORKDIR ${REPO_PATH}
@@ -10,15 +10,13 @@ COPY . .
 RUN make build
 
 # Fetch and package imported binaries
-RUN make clone-build-package
+RUN make sync-build-package
 
 FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 
 ENV REPO_PATH=/go/src/github.com/stolostron/acm-cli
 
-RUN microdnf update -y \
-    && microdnf install -y tar \
-    && microdnf clean all
+RUN microdnf install -y tar
 
 # Copy binaries from builder
 COPY --from=builder ${REPO_PATH}/build/_output/* /acm-cli/

diff --git a/Makefile b/Makefile
@@ -50,25 +50,21 @@ REMOTE_SOURCES_SUBDIR ?=
 
 .PHONY: build
 build:
-	CGO_ENABLED=1 go build -o $(BUILD_DIR)/acm-cli-server ./server/main.go
+	CGO_ENABLED=1 go build -mod=readonly -o $(BUILD_DIR)/acm-cli-server ./server/main.go
 
 .PHONY: build-image
 build-image:
 	$(CONTAINER_ENGINE) build --platform linux/$(ARCH) $(BUILD_ARGS) -t $(IMAGE_NAME_AND_VERSION):$(TAG) .
 
-.PHONY: clone-build-package
-clone-build-package: clone-repos build-and-package
+.PHONY: sync-build-package
+sync-build-package: sync-repos build-and-package
 
 .PHONY: build-and-package
 build-and-package: build-binaries package-binaries
 
-.PHONY: clone-repos
-clone-repos:
-	while IFS=, read -r git_url build_cmd build_dir; do \
-		if [[ "$${git_url}" != "GIT REPO URL" ]]; then \
-			git clone --branch=${RELEASE_TAG} --depth=1 $${git_url} $(REMOTE_SOURCES_DIR)/$${git_url##*/}/$(REMOTE_SOURCES_SUBDIR); \
-		fi; \
-	done < ./build/cli_map.csv
+.PHONY: sync-repos
+sync-repos:
+	git submodule update --init
 
 .PHONY: build-binaries
 build-binaries:

diff --git a/external/policy-cli b/external/policy-cli
diff --git a/external/policy-generator-plugin b/external/policy-generator-plugin
diff --git a/rpms.in.yaml b/rpms.in.yaml
@@ -0,0 +1,12 @@
+contentOrigin:
+  repofiles:
+    - /etc/yum.repos.d/ubi.repo
+packages:
+  - tar
+context:
+  containerfile: Dockerfile.rhtap
+arches:
+  - aarch64
+  - x86_64
+  - s390x
+  - ppc64le
diff --git a/rpms.lock.yaml b/rpms.lock.yaml
@@ -0,0 +1,48 @@
+---
+lockfileVersion: 1
+lockfileVendor: redhat
+arches:
+- arch: aarch64
+  packages:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/os/Packages/t/tar-1.34-7.el9.aarch64.rpm
+    repoid: ubi-9-baseos-rpms
+    size: 900197
+    checksum: sha256:44552dea889d350403c3074a33d7cb274b3f57553e47db998745df13f931b458
+    name: tar
+    evr: 2:1.34-7.el9
+    sourcerpm: tar-1.34-7.el9.src.rpm
+  source: []
+  module_metadata: []
+- arch: ppc64le
+  packages:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/ppc64le/baseos/os/Packages/t/tar-1.34-7.el9.ppc64le.rpm
+    repoid: ubi-9-baseos-rpms
+    size: 937724
+    checksum: sha256:f2cc206dfacc9981fad6cf33600ad28bcd1c573f16d8c18523dc9df52ca90660
+    name: tar
+    evr: 2:1.34-7.el9
+    sourcerpm: tar-1.34-7.el9.src.rpm
+  source: []
+  module_metadata: []
+- arch: s390x
+  packages:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/t/tar-1.34-7.el9.s390x.rpm
+    repoid: ubi-9-baseos-rpms
+    size: 902370
+    checksum: sha256:fa8758bac6a56830de66ad1ab623c87768065bcc6f8242faa42ac4198260d456
+    name: tar
+    evr: 2:1.34-7.el9
+    sourcerpm: tar-1.34-7.el9.src.rpm
+  source: []
+  module_metadata: []
+- arch: x86_64
+  packages:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/t/tar-1.34-7.el9.x86_64.rpm
+    repoid: ubi-9-baseos-rpms
+    size: 910235
+    checksum: sha256:17f2e592a2c04c050b690afeb9042e02521a0b5ee3288dad837463f4acf542c3
+    name: tar
+    evr: 2:1.34-7.el9
+    sourcerpm: tar-1.34-7.el9.src.rpm
+  source: []
+  module_metadata: []