Share commit-SHA into build context for build-image

[k15r]

Description

Please share the current commit SHA of the source-code that will be used by image builder into the build container as an environment variable.

Reasons

We want to use go build -X ldflags main.version=$COMMIT_SHA to set the reported build version of our manager to the commit version used to build the binary. This value will then be exposed as a metric and can be used in monitoring to know exactly which binary version is running on a cluster.

Currently it is not possible to get this version using git rev-parse HEAD as there is simply no git repository mounted into the build container. Sharing this value from our GitHub-Actions is also not an option as setting it ourselves to any value does not guarantee that the value we set is actually the same value as is associated with the source code.

Acceptance Criteria

export an environment variable (e.g. COMMIT_SHA) and make it available to be consumed in our Dockerfiles.

Attachments

[dekiel]

Implementation looks rather easy, we have two following options.

1. Requested solution
   In oci-image-builder pipeline we do checkout of commit to build in step clone_repo_to_build or clone_pull_request_to_build. The commit SHA can be added to the build args in prepare_build_and_sign_args step.

2. Alternative solution with using git rev-parse HEAD should be possible too. Kaniko container which runs build has access to the source repository.
   --mount type=bind,source=$(System.DefaultWorkingDirectory)/${{ parameters.RepoName }},target=/repository

Option 1 will be most comfortable for users. Developers will not have to run additional steps in Dockerfile and use build images with git to access commit sha.

[k15r]

I would prefer option 2. It is not as convenient to use for developers, but I get the sha as close as possible to where the code is actually used.