konflux-ci · fmudry · Feb 11, 2026 · Feb 11, 2026 · Feb 12, 2026 · Feb 11, 2026
@@ -1,4 +1,4 @@
-FROM registry.access.redhat.com/ubi9/ubi:9.6-1752587049
+FROM quay.io/konflux-ci/task-runner:1.3.0
 
 ARG BSI_VERSION=0.2.0
 ARG bsi_source=https://github.com/containers/BuildSourceImage/archive/refs/tags/v${BSI_VERSION}.tar.gz
@@ -7,18 +7,32 @@ ARG patch1=0001-Increase-counter-as-numeric-rather-than-string.patch
 ARG patch2=0001-Use-extra-src-archive-checksum-in-filename.patch
 ARG patch3=0001-Set-mediaType-on-image-manifest.patch
 
+USER 0
+
+# We still need to install 'file' and 'dnf' packages, becasue the BSI script expects them.
+# These packages are specific for the source-container-build, so we don't want to include them in the base image.
+# After the BSI is implemented in Go, we won't need the source-container-build.
 # hadolint ignore=DL3041
-RUN dnf update -y && dnf install -y python3.11 git jq skopeo file tar && dnf clean all
+RUN microdnf update -y && microdnf install -y file dnf && microdnf clean all
+
+# Create the directories as root, then give ownership to user 1000.
+# We use group 0 because the base image uses 'useradd -g 0 ...'
+RUN mkdir -p /opt/BuildSourceImage /opt/source_build && \
+    chown -R 1000:0 /opt/BuildSourceImage /opt/source_build && \
+    chmod -R g+rwX /opt/BuildSourceImage /opt/source_build
 
+USER 1000
 WORKDIR /opt/BuildSourceImage
-COPY $patch0 $patch1 $patch2 $patch3 ./
+
+COPY --chown=1000:0 $patch0 $patch1 $patch2 $patch3 ./
 RUN cp /cachi2/output/deps/generic/BuildSourceImage-${BSI_VERSION}.tar.gz . && \
     tar --extract -f BuildSourceImage-${BSI_VERSION}.tar.gz -z --strip-components=1 BuildSourceImage-${BSI_VERSION}/BuildSourceImage.sh && \
     git apply --allow-empty BuildSourceImage.sh $patch0 $patch1 $patch2 $patch3 && \
     rm -r $patch0 $patch1 $patch2 $patch3 && \
     mv BuildSourceImage.sh bsi
 
 WORKDIR /opt/source_build/
-COPY app/source_build.py app/requirements.txt ./
-RUN python3.11 -m venv appenv && \
+COPY --chown=1000:0 app/source_build.py app/requirements.txt ./
+RUN python3.12 -m venv appenv && \
+    ./appenv/bin/pip uninstall -y setuptools wheel && \
     ./appenv/bin/python3 -m pip install --no-cache-dir -r ./requirements.txt
@@ -2,9 +2,15 @@
 # This file is autogenerated by pip-compile with Python 3.12
 # by the following command:
 #
-#    pybuild-deps compile --generate-hashes --output-file=requirements-build.txt app/requirements.txt
+#    pybuild-deps compile --generate-hashes --output-file=requirements-build.txt requirements.txt
 #
-poetry-core==2.1.3 \
-    --hash=sha256:0522a015477ed622c89aad56a477a57813cace0c8e7ff2a2906b7ef4a2e296a4 \
-    --hash=sha256:2c704f05016698a54ca1d327f46ce2426d72eaca6ff614132c8477c292266771
+flit-core==3.12.0 \
+    --hash=sha256:18f63100d6f94385c6ed57a72073443e1a71a4acb4339491615d0f16d6ff01b2 \
+    --hash=sha256:e7a0304069ea895172e3c7bb703292e992c5d1555dd1233ab7b5621b5b69e62c
+    # via
+    #   packaging
+    #   wheel
+poetry-core==2.3.1 \
+    --hash=sha256:96f791d5d7d4e040f3983d76779425cf9532690e2756a24fd5ca0f86af19ef82 \
+    --hash=sha256:db1cf63b782570deb38bfba61e2304a553eef0740dc17959a50cc0f5115ee634
     # via backoff
@@ -1,2 +1,7 @@
 filetype
 backoff
+
+# needed for the 'filetype', since python3.12 removed 'distutils'
+# and we had python3.11 in the previous base image
+setuptools
+wheel
@@ -1,10 +1,9 @@
 #
-# This file is autogenerated by pip-compile with Python 3.11
+# This file is autogenerated by pip-compile with Python 3.12
 # by the following command:
 #
-#    pip-compile --generate-hashes --output-file=requirements.txt requirements.in
+#    pip-compile --allow-unsafe --generate-hashes --output-file=requirements.txt requirements.in
 #
-
 backoff==2.2.1 \
     --hash=sha256:03f829f5bb1923180821643f8753b0502c3b682293992485b0eef2807afa5cba \
     --hash=sha256:63579f9a0628e06278f7e47b7d7d5b6ce20dc65c5e96a6f3ca99a6adca0396e8
@@ -13,3 +12,17 @@ filetype==1.2.0 \
     --hash=sha256:66b56cd6474bf41d8c54660347d37afcc3f7d1970648de365c102ef77548aadb \
     --hash=sha256:7ce71b6880181241cf7ac8697a2f1eb6a8bd9b429f7ad6d27b8db9ba5f1c2d25
     # via -r requirements.in
+packaging==26.0 \
+    --hash=sha256:00243ae351a257117b6a241061796684b084ed1c516a08c48a3f7e147a9d80b4 \
+    --hash=sha256:b36f1fef9334a5588b4166f8bcd26a14e521f2b55e6b9de3aaa80d3ff7a37529
+    # via wheel
+wheel==0.46.3 \
+    --hash=sha256:4b399d56c9d9338230118d705d9737a2a468ccca63d5e813e2a4fc7815d8bc4d \
+    --hash=sha256:e3e79874b07d776c40bd6033f8ddf76a7dad46a7b8aa1b2787a83083519a1803
+    # via -r requirements.in
+
+# The following packages are considered to be unsafe in a requirements file:
+setuptools==82.0.0 \
+    --hash=sha256:22e0a2d69474c6ae4feb01951cb69d515ed23728cf96d05513d36e42b62b37cb \
+    --hash=sha256:70b18734b607bd1da571d097d236cfcfacaf01de45717d59e6e04b96877532e0
+    # via -r requirements.in
@@ -25,7 +25,6 @@
 from typing import Any, TypedDict, NotRequired, Literal, Final, Dict
 from urllib.parse import urlparse
 
-
 """
 Requires: git, skopeo, tar, BuildSourceImage
 """

@@ -25,7 +25,6 @@
 
 import pytest
 
-
 FAKE_BSI: Final = "/testing/bsi"
 BINARY_IMAGE_DIGEST: Final = "sha256:87e8e87"
 BINARY_IMAGE_REF: Final = f"registry/ns/app:v1@{BINARY_IMAGE_DIGEST}"
@@ -985,12 +984,10 @@ def test_resolve_konflux_source_image(self):
         )
 
     def test_skip_handling_local_image(self):
-        parent_images = textwrap.dedent(
-            """\
+        parent_images = textwrap.dedent("""\
             registry.io/ubi9/ubi:9.3-1@sha256:123
             localhost/konflux-final-image@sha256:123
-            """
-        )
+            """)
         self._test_include_sources(parent_images=parent_images, expect_parent_image_sources_included=False)
 
     @patch("source_build.run")

@@ -1,4 +1,4 @@
-packages: [python3.11, git, jq, skopeo, file, tar]
+packages: [file, dnf]
 contentOrigin:
   repofiles: ["./ubi.repo"]
 arches: [x86_64]
-Original file line number
+Diff line change
@@ Expand Up / @@ -25,7 +25,6 @@ @@
     from typing import Any, TypedDict, NotRequired, Literal, Final, Dict
     from urllib.parse import urlparse
     """
     Requires: git, skopeo, tar, BuildSourceImage
     """
@@ Expand Down @@