Enable hermetic builds

Signed-off-by: Dale Haiducek <[email protected]>
stolostron · Jan 8, 2025 · fa865a4 · fa865a4
1 parent 392b545
commit fa865a4
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 2 deletions.
diff --git a/.tekton/cert-policy-controller-acm-213-pull-request.yaml b/.tekton/cert-policy-controller-acm-213-pull-request.yaml
@@ -32,6 +32,10 @@ spec:
       value: build/Dockerfile.rhtap
     - name: path-context
       value: .
+    - name: hermetic
+      value: "true"
+    - name: prefetch-input
+      value: '[{"type": "gomod", "path": "."},{"type": "rpm", "path": "build"}]'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -181,6 +185,8 @@ spec:
             value: $(params.output-image).prefetch
           - name: ociArtifactExpiresAfter
             value: $(params.image-expires-after)
+          - name: dev-package-managers
+            value: "true"
         runAfter:
           - clone-repository
         taskRef:

diff --git a/.tekton/cert-policy-controller-acm-213-push.yaml b/.tekton/cert-policy-controller-acm-213-push.yaml
@@ -29,6 +29,10 @@ spec:
       value: build/Dockerfile.rhtap
     - name: path-context
       value: .
+    - name: hermetic
+      value: "true"
+    - name: prefetch-input
+      value: '[{"type": "gomod", "path": "."},{"type": "rpm", "path": "build"}]'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -178,6 +182,8 @@ spec:
             value: $(params.output-image).prefetch
           - name: ociArtifactExpiresAfter
             value: $(params.image-expires-after)
+          - name: dev-package-managers
+            value: "true"
         runAfter:
           - clone-repository
         taskRef:

diff --git a/Makefile b/Makefile
@@ -63,7 +63,7 @@ clean:
 
 .PHONY: build
 build:
-	CGO_ENABLED=1 go build -o ./build/_output/bin/$(IMG) ./main.go
+	CGO_ENABLED=1 go build -mod=readonly -o ./build/_output/bin/$(IMG) ./main.go
 
 # Run against the current locally configured Kubernetes cluster
 .PHONY: run

diff --git a/build/Dockerfile.rhtap b/build/Dockerfile.rhtap
@@ -7,7 +7,6 @@ ENV COMPONENT=cert-policy-controller
 ENV REPO_PATH=/go/src/github.com/stolostron/${COMPONENT}
 WORKDIR ${REPO_PATH}
 COPY . .
-RUN go mod vendor
 RUN make build
 
 # Stage 2: Copy the binaries from the image builder to the base image

diff --git a/build/rpms.in.yaml b/build/rpms.in.yaml
@@ -0,0 +1,9 @@
+contentOrigin:
+  repofiles:
+    - /etc/yum.repos.d/ubi.repo
+packages: []
+arches:
+  - aarch64
+  - x86_64
+  - s390x
+  - ppc64le
diff --git a/build/rpms.lock.yaml b/build/rpms.lock.yaml
@@ -0,0 +1,20 @@
+---
+lockfileVersion: 1
+lockfileVendor: redhat
+arches:
+- arch: aarch64
+  packages: []
+  source: []
+  module_metadata: []
+- arch: ppc64le
+  packages: []
+  source: []
+  module_metadata: []
+- arch: s390x
+  packages: []
+  source: []
+  module_metadata: []
+- arch: x86_64
+  packages: []
+  source: []
+  module_metadata: []