enable hermetic builds

additionally adding prefetch-input but commenting it out due to pre-fetch dependencies go 1.21 dependency
securesign · Nov 28, 2023 · f6fad4b · f6fad4b
1 parent 861d566
commit f6fad4b
Show file tree

Hide file tree

Showing 8 changed files with 33 additions and 11 deletions.
diff --git a/.dockerignore b/.dockerignore
diff --git a/.tekton/backfill-redis-1-0-gamma-pull-request.yaml b/.tekton/backfill-redis-1-0-gamma-pull-request.yaml
@@ -32,6 +32,10 @@ spec:
     value: '{{revision}}'
   - name: build-source-image
     value: "true"
+  - name: hermetic
+    value: "true"
+  - name: prefetch-input
+    value: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}]
   pipelineSpec:
     finally:
     - name: show-sbom

diff --git a/.tekton/backfill-redis-1-0-gamma-push.yaml b/.tekton/backfill-redis-1-0-gamma-push.yaml
@@ -29,6 +29,10 @@ spec:
     value: '{{revision}}'
   - name: build-source-image
     value: "true"
+  - name: hermetic
+    value: "true"
+  - name: prefetch-input
+    value: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}]
   pipelineSpec:
     finally:
     - name: show-sbom

diff --git a/.tekton/rekor-server-1-0-gamma-pull-request.yaml b/.tekton/rekor-server-1-0-gamma-pull-request.yaml
@@ -32,6 +32,10 @@ spec:
     value: '{{revision}}'
   - name: build-source-image
     value: "true"
+  - name: hermetic
+    value: "true"
+  - name: prefetch-input
+    value: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}]
   pipelineSpec:
     finally:
     - name: show-sbom

diff --git a/.tekton/rekor-server-1-0-gamma-push.yaml b/.tekton/rekor-server-1-0-gamma-push.yaml
@@ -29,6 +29,10 @@ spec:
     value: '{{revision}}'
   - name: build-source-image
     value: "true"
+  - name: hermetic
+    value: "true"
+  - name: prefetch-input
+    value: [{"path": ".", "type": "gomod"}, {"path": "./hack/tools", "type": "gomod"}]
   pipelineSpec:
     finally:
     - name: show-sbom

diff --git a/Dockerfile b/Dockerfile
@@ -14,17 +14,23 @@
 # limitations under the License.
 
 FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder@sha256:98a0ff138c536eee98704d6909699ad5d0725a20573e2c510a60ef462b45cce0 AS build-env
+
+RUN mkdir /opt/app-root && mkdir /opt/app-root/src && mkdir /opt/app-root/src/cmd && mkdir /opt/app-root/src/pkg && git config --global --add safe.directory /opt/app-root/src
+
 ENV APP_ROOT=/opt/app-root
 ENV GOPATH=$APP_ROOT
 
 WORKDIR $APP_ROOT/src/
 ADD go.mod go.sum $APP_ROOT/src/
+RUN go mod download
 
 # Add source code
 ADD ./cmd/ $APP_ROOT/src/cmd/
 ADD ./pkg/ $APP_ROOT/src/pkg/
 
-RUN go mod tidy && go mod vendor
+# Add source code
+ADD ./cmd/ $APP_ROOT/src/cmd/
+ADD ./pkg/ $APP_ROOT/src/pkg/
 
 ARG SERVER_LDFLAGS
 RUN go build -ldflags "${SERVER_LDFLAGS}" ./cmd/rekor-server

diff --git a/Dockerfile.backfill-redis b/Dockerfile.backfill-redis
@@ -1,15 +1,17 @@
-#Build stage
+# Build stage
+
 FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder@sha256:98a0ff138c536eee98704d6909699ad5d0725a20573e2c510a60ef462b45cce0 AS build-env
 USER root
-ENV APP_ROOT=/opt/app-root
+RUN mkdir /opt/app-root && mkdir /opt/app-root/src && mkdir /opt/app-root/src/cmd && mkdir /opt/app-root/src/pkg && git config --global --add safe.directory /opt/app-root/src
+
+WORKDIR /opt/app-root/src/
+
+COPY . .
 
-WORKDIR $APP_ROOT/src/
+run make backfill-redis
 
-RUN git config --global --add safe.directory /opt/app-root/src
-ADD . .
-RUN go mod tidy && go mod vendor && make backfill-redis
 
-#Install stage
+# Install stage
 FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:7d1ea7ac0c6f464dac7bae6994f1658172bf6068229f40778a513bc90f47e624
 COPY --from=build-env /opt/app-root/src/backfill-redis /usr/local/bin/backfill-redis
 WORKDIR /opt/app-root/src/home

diff --git a/Dockerfile.cli b/Dockerfile.cli
@@ -2,11 +2,10 @@
 FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder@sha256:98a0ff138c536eee98704d6909699ad5d0725a20573e2c510a60ef462b45cce0 AS build-env
 USER root
 
-RUN mkdir /opt/app-root && mkdir /opt/app-root/src
+RUN mkdir /opt/app-root && mkdir /opt/app-root/src && git config --global --add safe.directory /opt/app-root/src
 
 WORKDIR /opt/app-root/src
 
-RUN git config --global --add safe.directory /opt/app-root/src
 COPY . .
 
 WORKDIR /opt/app-root/src/hack/tools