Expand Up @@ -29,6 +29,10 @@ spec:
value: 5d
- name: dockerfile
value: Dockerfile
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}, {"type": "generic", "path": "."}]'
pipelineSpec:
description: |
This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization.
Expand Down Expand Up @@ -176,6 +180,8 @@ spec:
value: $(params.output-image).prefetch
- name: ociArtifactExpiresAfter
value: $(params.image-expires-after)
- name: dev-package-managers
value: "true"
runAfter:
- clone-repository
taskRef:
72 changes: 56 additions & 16 deletions 72 Dockerfile
@@ -1,35 +1,75 @@
FROM registry.access.redhat.com/ubi9/go-toolset:1.23.6-1745328278 as check-payload-build
FROM registry.access.redhat.com/ubi9/go-toolset:9.6-1747333074 as check-payload-build

#check-payload
WORKDIR /opt/app-root/src
ARG CHECK_PAYLOAD_VERSION=0.3.6

ARG CHECK_PAYLOAD_VERSION=0.3.5

RUN curl -s -L -o check-payload.tar.gz "https://github.com/openshift/check-payload/archive/refs/tags/${CHECK_PAYLOAD_VERSION}.tar.gz" && \
tar -xzf check-payload.tar.gz && rm check-payload.tar.gz && cd check-payload-${CHECK_PAYLOAD_VERSION} && \
RUN tar -xzf /cachi2/output/deps/generic/check-payload.tar.gz && cd check-payload-${CHECK_PAYLOAD_VERSION} && \
CGO_ENABLED=0 go build -ldflags="-X main.Commit=${CHECK_PAYLOAD_VERSION}" -o /opt/app-root/src/check-payload-binary && \
chmod +x /opt/app-root/src/check-payload-binary
chmod +x /opt/app-root/src/check-payload-binary

# Container image that runs your code
FROM docker.io/snyk/snyk:linux@sha256:5c7f8de797c870a171ad36c8ab38d17bcb4592ee4683d0e4640fea4c27e984fc as snyk
FROM docker.io/snyk/snyk:linux@sha256:6d26ce5ef31116eb21315b99f1b0970ca3cc6267174cd6f3de1cb375bd782083 as snyk
FROM quay.io/enterprise-contract/ec-cli:snapshot@sha256:6491f75e335015b8e800ca4508ac0cd155aeaf3a89399bc98949f93860a3b0a5 AS ec-cli
FROM ghcr.io/sigstore/cosign/cosign:v99.99.91@sha256:8caf794491167c331776203c60b7c69d4ff24b4b4791eba348d8def0fd0cc343 as cosign-bin
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5-1745845495
FROM quay.io/appuio/oc:v4.18 AS oc-bin
FROM registry.access.redhat.com/ubi9/ubi:9.6-1747219013

# Note that the version of OPA used by pr-checks must be updated manually to reflect conftest updates
# To find the OPA version associated with conftest run the following with the relevant version of conftest:
# $ conftest --version
ARG conftest_version=0.45.0
ARG BATS_VERSION=1.6.0
ARG conftest_version=0.61.2
ARG BATS_VERSION=1.8.2
ARG sbom_utility_version=0.12.0
ARG OPM_VERSION=v1.40.0
ARG UMOCI_VERSION=v0.4.7

ARG PATH_TO_ART=/cachi2/output/deps/generic

ENV POLICY_PATH="/project"

ADD https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm epel-release-latest-9.noarch.rpm
#ADD https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm epel-release-latest-9.noarch.rpm

# Build dependency offline to streamline build
RUN rpm -Uvh epel-release-latest-9.noarch.rpm && \
microdnf -y --setopt=tsflags=nodocs --setopt=install_weak_deps=0 install \
findutils \
jq
#rpm -Uvh epel-release-latest-9.noarch.rpm && \
RUN dnf install -y --nogpgcheck jq \
skopeo \
tar \
python3 \
clamav \
clamd \
csdiff \
git \
# Remove golang after https://github.com/openshift/check-payload/issues/231 is resolved
golang \
python3-file-magic \
python3-pip \
clamav-update \
ShellCheck \
csmock-plugin-shellcheck-core \
libicu && \
mkdir sbom-utility && tar -xf ${PATH_TO_ART}/sbom-utility.tar.gz -C sbom-utility && \
cp ${PATH_TO_ART}/linux-amd64-opm /usr/bin/opm && chmod +x /usr/bin/opm && \
cp ${PATH_TO_ART}/umoci.amd64 /usr/bin/umoci && chmod +x /usr/bin/umoci && \
cp ${PATH_TO_ART}/opa_linux_amd64_static /usr/bin/opa && chmod +x /usr/bin/opa && \
tar -xzf ${PATH_TO_ART}/conftest_0.61.2_Darwin_x86_64.tar.gz -C /usr/bin/ && \
tar -xf ${PATH_TO_ART}/v1.8.2.tar.gz && \
cd "bats-core-$BATS_VERSION" && \
./install.sh /usr && \
cd .. && rm -rf "bats-core-$BATS_VERSION" && \
cd / && \
dnf clean all

#yq install, oneline because its pip, ryan
RUN pip install --no-cache-dir ${PATH_TO_ART}/PyYAML-6.0.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl ${PATH_TO_ART}/argcomplete-3.6.2-py3-none-any.whl ${PATH_TO_ART}/tomlkit-0.13.3-py3-none-any.whl ${PATH_TO_ART}/xmltodict-0.14.2-py2.py3-none-any.whl ${PATH_TO_ART}/yq-3.4.3-py3-none-any.whl

ENV PATH="${PATH}:/sbom-utility"

COPY --from=check-payload-build /opt/app-root/src/check-payload-binary /usr/bin/check-payload

COPY --from=snyk /usr/local/bin/snyk /usr/local/bin/snyk

COPY --from=ec-cli /usr/local/bin/ec /usr/local/bin/ec

COPY --from=cosign-bin /ko-app/cosign /usr/local/bin/cosign

COPY --from=oc-bin /bin/oc /usr/bin/
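Review bot: The conftest archive unpacked into `/usr/bin` by `tar -xzf ${PATH_TO_ART}/conftest_0.61.2_Darwin_x86_64.tar.gz -C /usr/bin/` is the macOS (Darwin) release asset, so on this ubi9 Linux image the resulting `conftest` binary cannot execute, and the matching entry in artifacts.lock.yaml fetches that same Darwin asset. Switch both to the Linux asset and reuse the ARG instead of repeating the version, `tar -xzf ${PATH_TO_ART}/conftest_${conftest_version}_Linux_x86_64.tar.gz -C /usr/bin/`, with the lock file's `download_url`/`checksum` updated to the `conftest_0.61.2_Linux_x86_64.tar.gz` release asset. Separately, `dnf install -y --nogpgcheck` disables RPM signature verification for every package in that RUN; if this is intentional because the packages come from the hermetic prefetch and are pinned elsewhere, say so in a comment such as `# --nogpgcheck: RPMs are prefetched and checksum-pinned by the hermetic build, not fetched from the repos at build time`, otherwise drop the flag. The comment above `ARG conftest_version` still states that the OPA version must match `conftest --version`, so confirm that the opa v0.56.0 pinned in the lock file is the one bundled by conftest 0.61.2. Also, `FROM quay.io/appuio/oc:v4.18 AS oc-bin` is the only stage pulled by tag rather than by digest; pin it like the other stages.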
47 changes: 47 additions & 0 deletions 47 artifacts.lock.yaml
@@ -0,0 +1,47 @@
---
metadata:
version: "1.0"
artifacts:
- download_url: "https://github.com/openshift/check-payload/archive/refs/tags/0.3.6.tar.gz"
checksum: "sha256:eeede72fdeeb3bdfc10ba806aef986b8fae1e6445c1e91e1db49976c9c5de1d2"
filename: "check-payload.tar.gz"
- download_url: "https://github.com/CycloneDX/sbom-utility/releases/download/v0.12.0/sbom-utility-v0.12.0-linux-amd64.tar.gz"
checksum: "sha256:762072a297f499691d59eeb3405aa873b6e71ea8f18d7db496511e584b0f5bb1"
filename: "sbom-utility.tar.gz"
# - download_url: "https://mirror.openshift.com/pub/openshift-v4/amd64/clients/ocp/stable/openshift-client-linux-4.18.16.tar.gz"
# checksum: "sha256:746073ce8409476078102bed7b26316c419c192aa27c69de0ce01b5774958d00"
# filename: "openshift-client-linux-amd64.tar.gz"
# - download_url: "https://mirror.openshift.com/pub/openshift-v4/ppc64le/clients/ocp/stable/openshift-client-linux-4.18.16.tar.gz"
# checksum: "sha256:a91a24577fd29e3faa559e56d88f3f46b8c7ff4db72fbed7a9679ff4fbd050e1"
# filename: "openshift-client-linux-ppc64le.tar.gz"
- download_url: "https://github.com/bats-core/bats-core/archive/refs/tags/v1.8.2.tar.gz"
checksum: "sha256:0f2df311a536e625a72bff64c838e67c7b5032e6ea9edcdf32758303062b2f3b"
filename: "v1.8.2.tar.gz"
- download_url: "https://github.com/operator-framework/operator-registry/releases/download/v1.40.0/linux-amd64-opm"
checksum: "sha256:33eb929264a69f31895e1973248b7e97e3b6a862d7ca27f6892e158f79ad6aeb"
filename: "linux-amd64-opm"
- download_url: "https://github.com/opencontainers/umoci/releases/download/v0.4.7/umoci.amd64"
checksum: "sha256:6abecdbe7ac96a8e48fdb73fb53f08d21d4dc5e040f7590d2ca5547b7f2b2e85"
filename: "umoci.amd64"
- download_url: "https://github.com/kislyuk/yq/releases/download/v3.4.3/yq-3.4.3-py3-none-any.whl"
checksum: "sha256:cb9160f33fcdaf0c2fb36b4ba916953f94e338fffbdee61c90fd84164b8d63b5"
filename: "yq-3.4.3-py3-none-any.whl"
- download_url: "https://files.pythonhosted.org/packages/3d/32/e7bd8535d22ea2874cef6a81021ba019474ace0d13a4819c2a4bce79bd6a/PyYAML-6.0.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl"
checksum: "sha256:3b1fdb9dc17f5a7677423d508ab4f243a726dea51fa5e70992e59a7411c89d19"
filename: "PyYAML-6.0.2-cp39-cp39-manylinux_2_17_x86_64.manylinux2014_x86_64.whl"
- download_url: "https://github.com/kislyuk/argcomplete/releases/download/v3.6.2/argcomplete-3.6.2-py3-none-any.whl"
checksum: "sha256:65b3133a29ad53fb42c48cf5114752c7ab66c1c38544fdf6460f450c09b42591"
filename: "argcomplete-3.6.2-py3-none-any.whl"
- download_url: "https://github.com/python-poetry/tomlkit/releases/download/0.13.3/tomlkit-0.13.3-py3-none-any.whl"
checksum: "sha256:c89c649d79ee40629a9fda55f8ace8c6a1b42deb912b2a8fd8d942ddadb606b0"
filename: "tomlkit-0.13.3-py3-none-any.whl"
- download_url: "https://files.pythonhosted.org/packages/d6/45/fc303eb433e8a2a271739c98e953728422fa61a3c1f36077a49e395c972e/xmltodict-0.14.2-py2.py3-none-any.whl"
checksum: "sha256:20cc7d723ed729276e808f26fb6b3599f786cbc37e06c65e192ba77c40f20aac"
filename: "xmltodict-0.14.2-py2.py3-none-any.whl"
- download_url: "https://openpolicyagent.org/downloads/v0.56.0/opa_linux_amd64_static"
checksum: "sha256:623771025227588898af1788998d5b5f29068a887682cd8b8e9699136d4cf121"
filename: "opa_linux_amd64_static"
- download_url: "https://github.com/open-policy-agent/conftest/releases/download/v0.61.2/conftest_0.61.2_Darwin_x86_64.tar.gz"
checksum: "sha256:ef0c065af770b4303a059d7f89bc218c8c9cf592e5f40ba69c1ea8aa086080ad"
filename: "conftest_0.61.2_Darwin_x86_64.tar.gz"

30 changes: 30 additions & 0 deletions 30 epel-testing.repo
@@ -0,0 +1,30 @@
[epel-testing]
name=Extra Packages for Enterprise Linux 9 - Testing - $basearch
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/testing/9/Everything/$basearch/
metalink=https://mirrors.fedoraproject.org/metalink?repo=testing-epel9&arch=$basearch&infra=$infra&content=$contentdir
enabled=0
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9

[epel-testing-debuginfo]
name=Extra Packages for Enterprise Linux 9 - Testing - $basearch - Debug
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/testing/9/Everything/$basearch/debug/
metalink=https://mirrors.fedoraproject.org/metalink?repo=testing-debug-epel9&arch=$basearch&infra=$infra&content=$contentdir
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
gpgcheck=1

[epel-testing-source]
name=Extra Packages for Enterprise Linux 9 - Testing - $basearch - Source
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/testing/9/Everything/source/tree/
metalink=https://mirrors.fedoraproject.org/metalink?repo=testing-source-epel9&arch=$basearch&infra=$infra&content=$contentdir
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
gpgcheck=1
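Review bot: Every section in this file is `enabled=0`, so listing it in rpms.in.yaml's `repofiles` adds nothing to package resolution while still placing a testing repository in the set of configured sources; unless something enables it later, drop it from `repofiles`, or add a comment on the `[epel-testing]` section stating why it ships disabled, e.g. `# shipped disabled; enable only when a pre-release EPEL package is required`. If it is kept, note that `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9` relies on a key file that only the `epel-release` package installs, which the Dockerfile in this change no longer does.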
30 changes: 30 additions & 0 deletions 30 epel.repo
@@ -0,0 +1,30 @@
[epel]
name=Extra Packages for Enterprise Linux 9 - $basearch
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/9/Everything/$basearch/
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-9&arch=$basearch&infra=$infra&content=$contentdir
enabled=1
gpgcheck=1
countme=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 9 - $basearch - Debug
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/9/Everything/$basearch/debug/
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-9&arch=$basearch&infra=$infra&content=$contentdir
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 9 - $basearch - Source
# It is much more secure to use the metalink, but if you wish to use a local mirror
# place its address here.
#baseurl=https://download.example/pub/epel/9/Everything/source/tree/
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-source-9&arch=$basearch&infra=$infra&content=$contentdir
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9
gpgcheck=1
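Review bot: `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-9` in each section points at a file that is only installed by the `epel-release` package, and the Dockerfile in this change comments out that install, so wherever this repo file is consumed without that package the key cannot be resolved and `gpgcheck=1` is not actually enforceable. If the file is only read by the hermetic RPM prefetch on the build side, confirm that tool honours `gpgcheck`/`gpgkey` at all; if it does, point at the published key instead, `gpgkey=https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9`, so verification does not silently depend on an absent local file. The same applies to the new epel-testing.repo.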
3 changes: 3 additions & 0 deletions 3 rpms.in.yaml
@@ -0,0 +1,3 @@
packages: [jq, python3-file-magic, python3-pip, skopeo, python3, clamav, clamd, csdiff, git, golang, ShellCheck, csmock-plugin-shellcheck-core, libicu, clamav-update]
contentOrigin:
repofiles: ["./ubi.repo", "./epel-testing.repo", "./epel.repo"]
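Review bot: The `packages` value is one long flow sequence, which makes every package addition or removal show up as a change to a single line and hard to review; write it as a block sequence with one package per line so each change is its own diff line. The list also includes `golang`, which the Dockerfile annotates as a temporary inclusion to be removed once openshift/check-payload issue 231 is resolved; carry that note here as well, `# golang: temporary, remove with the Dockerfile entry once check-payload#231 is fixed`, so the two lists are not pruned inconsistently. `./ubi.repo` is referenced but not part of this change, so it presumably already exists in the repository.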