setting up hermetic builds for pip and go deps

Marcusk19 · Dec 12, 2024 · 5a0faed · 5a0faed
1 parent 5bb01ab
commit 5a0faed
Show file tree

Hide file tree

Showing 5 changed files with 1,372 additions and 256 deletions.
diff --git a/.tekton/quay-test-pull-request.yaml b/.tekton/quay-test-pull-request.yaml
@@ -28,6 +28,8 @@ spec:
     value: 5d
   - name: dockerfile
     value: Dockerfile.downstream
+  - name: prefetch-input
+    value: '[{"type": "gomod", "path": "./config-tool"}, {"type": "pip", "path": "."}]'
   pipelineSpec:
     description: |
       This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization.

diff --git a/.tekton/quay-test-push.yaml b/.tekton/quay-test-push.yaml
@@ -25,6 +25,8 @@ spec:
     value: quay.io/redhat-user-workloads/quay-eng-tenant/quay-test:{{revision}}
   - name: dockerfile
     value: Dockerfile.downstream
+  - name: prefetch-input
+    value: '[{"type": "gomod", "path": "./config-tool"}, {"type": "pip", "path": "."}]'
   pipelineSpec:
     description: |
       This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization.
@@ -416,56 +418,3 @@ spec:
     - name: push-dockerfile
       params:
       - name: IMAGE
-        value: $(tasks.build-image-index.results.IMAGE_URL)
-      - name: IMAGE_DIGEST
-        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
-      - name: DOCKERFILE
-        value: $(params.dockerfile)
-      - name: CONTEXT
-        value: $(params.path-context)
-      - name: SOURCE_ARTIFACT
-        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
-      runAfter:
-      - build-image-index
-      taskRef:
-        params:
-        - name: name
-          value: push-dockerfile-oci-ta
-        - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:80d48a1b9d2707490309941ec9f79338533938f959ca9a207b481b0e8a5e7a93
-        - name: kind
-          value: task
-        resolver: bundles
-    - name: rpms-signature-scan
-      params:
-      - name: image-url
-        value: $(tasks.build-image-index.results.IMAGE_URL)
-      - name: image-digest
-        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
-      runAfter:
-      - build-image-index
-      taskRef:
-        params:
-        - name: name
-          value: rpms-signature-scan
-        - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:8f3b23bf1b0ef55cc79d28604d2397a0101ac9c0c42ae26e26532eb2778c801b
-        - name: kind
-          value: task
-        resolver: bundles
-      when:
-      - input: $(params.skip-checks)
-        operator: in
-        values:
-        - "false"
-    workspaces:
-    - name: git-auth
-      optional: true
-    - name: netrc
-      optional: true
-  taskRunTemplate: {}
-  workspaces:
-  - name: git-auth
-    secret:
-      secretName: '{{ git_auth_secret }}'
-status: {}
diff --git a/downstream-dockerfile.sed b/downstream-dockerfile.sed
@@ -22,6 +22,7 @@ LABEL summary="Red Hat Quay"\
 LABEL maintainer="support@redhat.com"\
 LABEL io.openshift.tags="quay"\
 LABEL description="Red Hat Quay"\
+LABEL vendor="Red Hat, Inc."
 ENV RED_HAT_QUAY=true
 		d
 	}