Enable hermetic builds

Signed-off-by: Dale Haiducek <[email protected]>
stolostron · Jan 8, 2025 · dfd746d · dfd746d
1 parent 71a3d96
commit dfd746d
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 2 deletions.
diff --git a/.tekton/governance-policy-propagator-acm-213-pull-request.yaml b/.tekton/governance-policy-propagator-acm-213-pull-request.yaml
@@ -32,6 +32,10 @@ spec:
       value: build/Dockerfile.rhtap
     - name: path-context
       value: .
+    - name: hermetic
+      value: "true"
+    - name: prefetch-input
+      value: '[{"type": "gomod", "path": "."},{"type": "rpm", "path": "."}]'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -181,6 +185,8 @@ spec:
             value: $(params.output-image).prefetch
           - name: ociArtifactExpiresAfter
             value: $(params.image-expires-after)
+          - name: dev-package-managers
+            value: "true"
         runAfter:
           - clone-repository
         taskRef:

diff --git a/.tekton/governance-policy-propagator-acm-213-push.yaml b/.tekton/governance-policy-propagator-acm-213-push.yaml
@@ -29,6 +29,10 @@ spec:
       value: build/Dockerfile.rhtap
     - name: path-context
       value: .
+    - name: hermetic
+      value: "true"
+    - name: prefetch-input
+      value: '[{"type": "gomod", "path": "."},{"type": "rpm", "path": "."}]'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -178,6 +182,8 @@ spec:
             value: $(params.output-image).prefetch
           - name: ociArtifactExpiresAfter
             value: $(params.image-expires-after)
+          - name: dev-package-managers
+            value: "true"
         runAfter:
           - clone-repository
         taskRef:

diff --git a/Makefile b/Makefile
@@ -102,7 +102,7 @@ gosec-scan: GOSEC_ARGS=-exclude G201
 
 .PHONY: build
 build:
-	CGO_ENABLED=1 go build -o build/_output/bin/$(IMG) main.go
+	CGO_ENABLED=1 go build -mod=readonly -o build/_output/bin/$(IMG) main.go
 
 ############################################################
 # images section

diff --git a/build/Dockerfile.rhtap b/build/Dockerfile.rhtap
@@ -7,7 +7,6 @@ ENV COMPONENT=governance-policy-propagator
 ENV REPO_PATH=/go/src/github.com/stolostron/${COMPONENT}
 WORKDIR ${REPO_PATH}
 COPY . .
-RUN go mod vendor
 RUN make build
 
 # Stage 2: Copy the binaries from the image builder to the base image