RHAIENG-2860: Consolidate dependencies in artifact input

.tekton/odh-workbench-codeserver-datascience-cpu-py312-ubi9-pull-request.yaml

@@ -87,8 +87,6 @@ spec:
       type: npm
     - path: codeserver/ubi9-python-3.12/prefetch-input/code-server/lib/vscode/extensions/debug-server-ready
       type: npm
-    - path: codeserver/ubi9-python-3.12/prefetch-input/code-server/lib/vscode/extensions/emmet
-      type: npm
     - path: codeserver/ubi9-python-3.12/prefetch-input/code-server/lib/vscode/extensions/extension-editing
       type: npm
     - path: codeserver/ubi9-python-3.12/prefetch-input/code-server/lib/vscode/extensions/git
@@ -165,13 +163,39 @@ spec:
       type: npm
     - path: codeserver/ubi9-python-3.12/prefetch-input/code-server
       type: npm
-    # patches/
+    # patches/ overlay (overwrites code-server at build); use these so Cachi2 prefetches registry-only lockfiles
     - path: codeserver/ubi9-python-3.12/prefetch-input/patches/code-server-v4.106.3/lib/vscode
       type: npm
+    - path: codeserver/ubi9-python-3.12/prefetch-input/patches/code-server-v4.106.3/lib/vscode/remote
+      type: npm
+    - path: codeserver/ubi9-python-3.12/prefetch-input/patches/code-server-v4.106.3/lib/vscode/extensions
+      type: npm
+    - path: codeserver/ubi9-python-3.12/prefetch-input/patches/code-server-v4.106.3/lib/vscode/extensions/emmet
+      type: npm
     - path: codeserver/ubi9-python-3.12/prefetch-input/patches/code-server-v4.106.3/test
       type: npm
     - path: codeserver/ubi9-python-3.12/prefetch-input/patches/code-server-v4.106.3/lib/vscode/extensions/microsoft-authentication
       type: npm
+    # Registry-only npm deps (ProdSec); @parcel/watcher, @emmetio/css-parser, @playwright/browser-chromium in custom-packages/package.json
+    - path: codeserver/ubi9-python-3.12/prefetch-input/patches/code-server-v4.106.3/custom-packages
+      type: npm
+  taskRunSpecs:
+    - pipelineTaskName: prefetch-dependencies
+      computeResources:
+        requests:
+          cpu: "8"
+          memory: "32Gi"
+        limits:
+          cpu: "8"
+          memory: "32Gi"
+    - pipelineTaskName: build-images
+      computeResources:
+        requests:
+          cpu: "8"
+          memory: "32Gi"
+        limits:
+          cpu: "8"
+          memory: "32Gi"
   pipelineRef:
     name: multiarch-combined-pipeline
   taskRunTemplate:

.tekton/odh-workbench-codeserver-datascience-cpu-py312-ubi9-push.yaml

@@ -84,8 +84,6 @@ spec:
       type: npm
     - path: codeserver/ubi9-python-3.12/prefetch-input/code-server/lib/vscode/extensions/debug-server-ready
       type: npm
-    - path: codeserver/ubi9-python-3.12/prefetch-input/code-server/lib/vscode/extensions/emmet
-      type: npm
     - path: codeserver/ubi9-python-3.12/prefetch-input/code-server/lib/vscode/extensions/extension-editing
       type: npm
     - path: codeserver/ubi9-python-3.12/prefetch-input/code-server/lib/vscode/extensions/git
@@ -162,14 +160,40 @@ spec:
       type: npm
     - path: codeserver/ubi9-python-3.12/prefetch-input/code-server
       type: npm
-    # patches/
+    # patches/ overlay (codeserver/ubi9-python-3.12/prefetch-input/patches/) — Cachi2 prefetches registry-only lockfiles; keep in sync with patches that have package.json
     - path: codeserver/ubi9-python-3.12/prefetch-input/patches/code-server-v4.106.3/lib/vscode
       type: npm
+    - path: codeserver/ubi9-python-3.12/prefetch-input/patches/code-server-v4.106.3/lib/vscode/remote
+      type: npm
+    - path: codeserver/ubi9-python-3.12/prefetch-input/patches/code-server-v4.106.3/lib/vscode/extensions
+      type: npm
+    - path: codeserver/ubi9-python-3.12/prefetch-input/patches/code-server-v4.106.3/lib/vscode/extensions/emmet
+      type: npm
     - path: codeserver/ubi9-python-3.12/prefetch-input/patches/code-server-v4.106.3/test
       type: npm
     - path: codeserver/ubi9-python-3.12/prefetch-input/patches/code-server-v4.106.3/lib/vscode/extensions/microsoft-authentication
       type: npm
+    # Registry-only npm deps (ProdSec); @parcel/watcher, @emmetio/css-parser, @playwright/browser-chromium in custom-packages/package.json
+    - path: codeserver/ubi9-python-3.12/prefetch-input/patches/code-server-v4.106.3/custom-packages
+      type: npm
 
+  taskRunSpecs:
+    - pipelineTaskName: prefetch-dependencies
+      computeResources:
+        requests:
+          cpu: "8"
+          memory: "32Gi"
+        limits:
+          cpu: "8"
+          memory: "32Gi"
+    - pipelineTaskName: build-images
+      computeResources:
+        requests:
+          cpu: "8"
+          memory: "32Gi"
+        limits:
+          cpu: "8"
+          memory: "32Gi"
   pipelineRef:
     name: multiarch-combined-pipeline
   taskRunTemplate:

Makefile

@@ -96,7 +96,7 @@ define build_image
 	$(info # Building $(IMAGE_NAME) using $(DOCKERFILE_NAME) with $(CONF_FILE) and $(BUILD_ARGS)...)
 
 	@if [ -d '$(BUILD_DIR)prefetch-input' ] && [ ! -d cachi2/output ]; then \
-	  echo "Prefetch required for hermetic build. Run: scripts/lockfile-generators/prefetch-all.sh --component-dir $(patsubst %/,%,$(BUILD_DIR)) — see scripts/lockfile-generators/README.md"; \
+	  echo "Prefetch required for hermetic build. Run: scripts/lockfile-generators/prefetch-all.sh --component-dir $(patsubst %/,%,$(BUILD_DIR)) -- see scripts/lockfile-generators/README.md"; \
 	  exit 1; \
 	fi
 	$(ROOT_DIR)/scripts/sandbox.py --dockerfile '$(2)' --platform '$(BUILD_ARCH)' -- \

codeserver/ubi9-python-3.12/Dockerfile.cpu

@@ -57,12 +57,11 @@ ARG CODESERVER_VERSION=v4.106.3
 
 # [HERMETIC] Import GPG keys for prefetched RPM verification.
 # CentOS key needed because libX11-devel comes from CentOS Stream repos.
-RUN rpm --import /cachi2/output/deps/generic/RPM-GPG-KEY-EPEL-9
 RUN rpm --import /cachi2/output/deps/generic/RPM-GPG-KEY-CentOS-Official
 RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 
 # [HERMETIC] Configure package repos: local hermeto repos for testing, or enable nodejs:22 module for Konflux.
-# Hermeto organises RPMs into per-arch sub-repos (baseos, epel, crb, ubi-*, …), each with
+# Hermeto organises RPMs into per-arch sub-repos (baseos, crb, ubi-*, …), each with
 # its own repodata/. The generated hermeto.repo already points at the correct file:// paths.
 RUN if [ "${LOCAL_BUILD}" = "true" ]; then \
         rm -f /etc/yum.repos.d/* && \
@@ -81,10 +80,6 @@ RUN dnf install -y \
         /cachi2/output/deps/generic/nfpm-2.44.1-1.$(uname -m).rpm && \
     dnf clean all
 
-# There was limitation on Hermeto, it can't fetch npm packages using git/ssh protocol.
-# To work around this, need to fetch some npm packages as generic artifacts and copy to npm directory.
-RUN cp /cachi2/output/deps/generic/npm/* /cachi2/output/deps/npm/
-
 # [HERMETIC] Git metadata needed by code-server's build scripts (version detection, submodules).
 COPY .git /root/.git
 # [HERMETIC] Rewrite script: used by setup-offline-binaries.sh to rewrite npm
@@ -111,8 +106,9 @@ RUN cd ${CODESERVER_SOURCE_CODE} && GHA_BUILD="${GHA_BUILD}" ./apply-patch.sh
 # [HERMETIC] Step 1: npm ci --offline (install all npm dependencies from local cache).
 # setup-offline-binaries.sh does all offline preparation in one shot:
 #   - sources codeserver-offline-env.sh (ELECTRON_SKIP_BINARY_DOWNLOAD, NPM_CONFIG_NODEDIR, etc.)
-#   - populates node-gyp header cache (22.20.0 for VS Code remote), ripgrep, VSCode extensions
-#   - pre-populates .build/node/ and .build/builtInExtensions/ so gulp skips network downloads
+#   - node-gyp uses system headers (NPM_CONFIG_NODEDIR=/usr from nodejs-devel RPM)
+#   - ripgrep, .vsix extensions from cachi2 generic; .build/node/ = system /usr/bin/node (per-arch)
+#   - pre-populates .build/builtInExtensions/ so gulp skips network downloads
 #   - rewrites package-lock.json "resolved" URLs to file:///cachi2/...
 # CI=1 makes ci/dev/postinstall.sh run "npm ci" (not "npm install") in subdirs,
 # so resolved URLs stay absolute (file:///cachi2/...) and lockfiles are never modified.
@@ -170,11 +166,10 @@ ARG LOCAL_BUILD
 ARG CODESERVER_SOURCE_CODE=codeserver/ubi9-python-3.12
 ARG PYLOCK_FLAVOR
 
-# [HERMETIC] Import GPG keys for EPEL, Red Hat, and CentOS repos (needed for dnf to verify prefetched RPMs).
-# EPEL + CentOS keys are prefetched as generic artifacts (see artifacts.in.yaml).
+# [HERMETIC] Import GPG keys for Red Hat and CentOS repos (needed for dnf to verify prefetched RPMs).
+# CentOS key is prefetched as a generic artifact (see artifacts.in.yaml).
 # UBI9 images only ship the Red Hat key; CentOS key is needed for ppc64le/s390x packages
 # from CentOS Stream repos (mesa-libGL, etc.).
-RUN rpm --import /cachi2/output/deps/generic/RPM-GPG-KEY-EPEL-9
 RUN rpm --import /cachi2/output/deps/generic/RPM-GPG-KEY-CentOS-Official
 RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 
@@ -254,12 +249,11 @@ USER 0
 
 # [HERMETIC] Import GPG keys for prefetched RPM verification.
 # CentOS key needed because mesa-libGL comes from CentOS Stream repos.
-RUN rpm --import /cachi2/output/deps/generic/RPM-GPG-KEY-EPEL-9
 RUN rpm --import /cachi2/output/deps/generic/RPM-GPG-KEY-CentOS-Official
 RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 
 # [HERMETIC] Configure package repos: local hermeto repos for testing, or enable nodejs:22 module for Konflux.
-# Hermeto organises RPMs into per-arch sub-repos (baseos, epel, crb, ubi-*, …), each with
+# Hermeto organises RPMs into per-arch sub-repos (baseos, crb, ubi-*, …), each with
 # its own repodata/. The generated hermeto.repo already points at the correct file:// paths.
 RUN if [ "${LOCAL_BUILD}" = "true" ]; then \
         rm -f /etc/yum.repos.d/* && \
@@ -330,7 +324,7 @@ USER 0
 WORKDIR /opt/app-root/bin
 
 # [HERMETIC] Configure package repos: local hermeto repos for testing, or enable nodejs:22 module for Konflux.
-# Hermeto organises RPMs into per-arch sub-repos (baseos, epel, crb, ubi-*, …), each with
+# Hermeto organises RPMs into per-arch sub-repos (baseos, crb, ubi-*, …), each with
 # its own repodata/. The generated hermeto.repo already points at the correct file:// paths.
 RUN if [ "${LOCAL_BUILD}" = "true" ]; then \
         rm -f /etc/yum.repos.d/* && \

codeserver/ubi9-python-3.12/Dockerfile.konflux.cpu

@@ -57,12 +57,11 @@ ARG CODESERVER_VERSION=v4.106.3
 
 # [HERMETIC] Import GPG keys for prefetched RPM verification.
 # CentOS key needed because libX11-devel comes from CentOS Stream repos.
-RUN rpm --import /cachi2/output/deps/generic/RPM-GPG-KEY-EPEL-9
 RUN rpm --import /cachi2/output/deps/generic/RPM-GPG-KEY-CentOS-Official
 RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 
 # [HERMETIC] Configure package repos: local hermeto repos for testing, or enable nodejs:22 module for Konflux.
-# Hermeto organises RPMs into per-arch sub-repos (baseos, epel, crb, ubi-*, …), each with
+# Hermeto organises RPMs into per-arch sub-repos (baseos, crb, ubi-*, …), each with
 # its own repodata/. The generated hermeto.repo already points at the correct file:// paths.
 RUN if [ "${LOCAL_BUILD}" = "true" ]; then \
         rm -f /etc/yum.repos.d/* && \
@@ -81,10 +80,6 @@ RUN dnf install -y \
         /cachi2/output/deps/generic/nfpm-2.44.1-1.$(uname -m).rpm && \
     dnf clean all
 
-# There was limitation on Hermeto, it can't fetch npm packages using git/ssh protocol.
-# To work around this, need to fetch some npm packages as generic artifacts and copy to npm directory.
-RUN cp /cachi2/output/deps/generic/npm/* /cachi2/output/deps/npm/
-
 # [HERMETIC] Git metadata needed by code-server's build scripts (version detection, submodules).
 COPY .git /root/.git
 # [HERMETIC] Rewrite script: used by setup-offline-binaries.sh to rewrite npm
@@ -111,8 +106,9 @@ RUN cd ${CODESERVER_SOURCE_CODE} && GHA_BUILD="${GHA_BUILD}" ./apply-patch.sh
 # [HERMETIC] Step 1: npm ci --offline (install all npm dependencies from local cache).
 # setup-offline-binaries.sh does all offline preparation in one shot:
 #   - sources codeserver-offline-env.sh (ELECTRON_SKIP_BINARY_DOWNLOAD, NPM_CONFIG_NODEDIR, etc.)
-#   - populates node-gyp header cache (22.20.0 for VS Code remote), ripgrep, VSCode extensions
-#   - pre-populates .build/node/ and .build/builtInExtensions/ so gulp skips network downloads
+#   - node-gyp uses system headers (NPM_CONFIG_NODEDIR=/usr from nodejs-devel RPM)
+#   - ripgrep, .vsix extensions from cachi2 generic; .build/node/ = system /usr/bin/node (per-arch)
+#   - pre-populates .build/builtInExtensions/ so gulp skips network downloads
 #   - rewrites package-lock.json "resolved" URLs to file:///cachi2/...
 # CI=1 makes ci/dev/postinstall.sh run "npm ci" (not "npm install") in subdirs,
 # so resolved URLs stay absolute (file:///cachi2/...) and lockfiles are never modified.
@@ -170,11 +166,10 @@ ARG LOCAL_BUILD
 ARG CODESERVER_SOURCE_CODE=codeserver/ubi9-python-3.12
 ARG PYLOCK_FLAVOR
 
-# [HERMETIC] Import GPG keys for EPEL, Red Hat, and CentOS repos (needed for dnf to verify prefetched RPMs).
-# EPEL + CentOS keys are prefetched as generic artifacts (see artifacts.in.yaml).
+# [HERMETIC] Import GPG keys for Red Hat and CentOS repos (needed for dnf to verify prefetched RPMs).
+# CentOS key is prefetched as a generic artifact (see artifacts.in.yaml).
 # UBI9 images only ship the Red Hat key; CentOS key is needed for ppc64le/s390x packages
 # from CentOS Stream repos (mesa-libGL, etc.).
-RUN rpm --import /cachi2/output/deps/generic/RPM-GPG-KEY-EPEL-9
 RUN rpm --import /cachi2/output/deps/generic/RPM-GPG-KEY-CentOS-Official
 RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 
@@ -254,12 +249,11 @@ USER 0
 
 # [HERMETIC] Import GPG keys for prefetched RPM verification.
 # CentOS key needed because mesa-libGL comes from CentOS Stream repos.
-RUN rpm --import /cachi2/output/deps/generic/RPM-GPG-KEY-EPEL-9
 RUN rpm --import /cachi2/output/deps/generic/RPM-GPG-KEY-CentOS-Official
 RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 
 # [HERMETIC] Configure package repos: local hermeto repos for testing, or enable nodejs:22 module for Konflux.
-# Hermeto organises RPMs into per-arch sub-repos (baseos, epel, crb, ubi-*, …), each with
+# Hermeto organises RPMs into per-arch sub-repos (baseos, crb, ubi-*, …), each with
 # its own repodata/. The generated hermeto.repo already points at the correct file:// paths.
 RUN if [ "${LOCAL_BUILD}" = "true" ]; then \
         rm -f /etc/yum.repos.d/* && \
@@ -328,7 +322,7 @@ USER 0
 WORKDIR /opt/app-root/bin
 
 # [HERMETIC] Configure package repos: local hermeto repos for testing, or enable nodejs:22 module for Konflux.
-# Hermeto organises RPMs into per-arch sub-repos (baseos, epel, crb, ubi-*, …), each with
+# Hermeto organises RPMs into per-arch sub-repos (baseos, crb, ubi-*, …), each with
 # its own repodata/. The generated hermeto.repo already points at the correct file:// paths.
 RUN if [ "${LOCAL_BUILD}" = "true" ]; then \
         rm -f /etc/yum.repos.d/* && \

codeserver/ubi9-python-3.12/prefetch-input/odh/artifacts.in.yaml

@@ -6,8 +6,6 @@
 # is auto-generated and contains integrity hashes for each URL.
 
 input:
-    # GPG keys for verifying prefetched RPM packages
-    - url: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-9
     # CentOS Stream 9 GPG key (needed in whl-cache stage for ppc64le/s390x dnf install
     # from CentOS baseos/appstream/crb repos; UBI9 images only ship the Red Hat key)
     - url: https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official
@@ -16,30 +14,18 @@ input:
     - url: https://github.com/goreleaser/nfpm/releases/download/v2.44.1/nfpm-2.44.1-1.aarch64.rpm
     - url: https://github.com/goreleaser/nfpm/releases/download/v2.44.1/nfpm-2.44.1-1.ppc64le.rpm
 
-    # node-gyp headers for VS Code remote native modules (targets Node.js 22.20.0).
-    # System Node.js headers come from nodejs-devel RPM (NPM_CONFIG_NODEDIR=/usr);
-    # Electron headers are no longer needed (ELECTRON_SKIP_BINARY_DOWNLOAD=1).
-    - url: https://nodejs.org/download/release/v22.20.0/node-v22.20.0-headers.tar.gz
-    # Node.js runtime binaries for bundling with VSCode server (one per target arch)
-    - url: https://nodejs.org/download/release/v22.20.0/node-v22.20.0-linux-x64.tar.gz
-    - url: https://nodejs.org/download/release/v22.20.0/node-v22.20.0-linux-arm64.tar.gz
-    - url: https://nodejs.org/download/release/v22.20.0/node-v22.20.0-linux-ppc64le.tar.gz
+    # Node: system Node from nodejs RPM is used (like che-code). ppc64le/s390x use
+    # native gulp task (BUILD_TARGETS patched in setup-offline-binaries.sh); no extra tarball.
+    # ripgrep: one version (v13.0.0-13) for all 4 arches; @vscode/ripgrep postinstall patched to use it (see apply-patch.sh).
     - url: https://github.com/microsoft/ripgrep-prebuilt/releases/download/v13.0.0-13/ripgrep-v13.0.0-13-x86_64-unknown-linux-musl.tar.gz
       filename: ripgrep-v13.0.0-13-x86_64-unknown-linux-musl.tar.gz
-    # aarch64/ppc64le: no musl builds exist; download GNU builds aliased to musl filenames
-    # so @vscode/ripgrep postinstall finds them in its expected cache path
+    # aarch64: no musl build upstream; GNU build aliased to musl filename (postinstall expects aarch64-unknown-linux-musl).
     - url: https://github.com/microsoft/ripgrep-prebuilt/releases/download/v13.0.0-13/ripgrep-v13.0.0-13-aarch64-unknown-linux-gnu.tar.gz
       filename: ripgrep-v13.0.0-13-aarch64-unknown-linux-musl.tar.gz
     - url: https://github.com/microsoft/ripgrep-prebuilt/releases/download/v13.0.0-13/ripgrep-v13.0.0-13-powerpc64le-unknown-linux-gnu.tar.gz
-      filename: ripgrep-v13.0.0-13-powerpc64le-unknown-linux-musl.tar.gz
-    # s390x: same pattern — GNU build aliased to musl for the regular v13.0.0-13 code path
+      filename: ripgrep-v13.0.0-13-powerpc64le-unknown-linux-gnu.tar.gz
     - url: https://github.com/microsoft/ripgrep-prebuilt/releases/download/v13.0.0-13/ripgrep-v13.0.0-13-s390x-unknown-linux-gnu.tar.gz
-      filename: ripgrep-v13.0.0-13-s390x-unknown-linux-musl.tar.gz
-    # @vscode/ripgrep postinstall uses MULTI_ARCH_LINUX_VERSION v13.0.0-4 for ppc64le/s390x; must be in cache
-    - url: https://github.com/microsoft/ripgrep-prebuilt/releases/download/v13.0.0-4/ripgrep-v13.0.0-4-powerpc64le-unknown-linux-gnu.tar.gz
-      filename: ripgrep-v13.0.0-4-powerpc64le-unknown-linux-gnu.tar.gz
-    - url: https://github.com/microsoft/ripgrep-prebuilt/releases/download/v13.0.0-4/ripgrep-v13.0.0-4-s390x-unknown-linux-gnu.tar.gz
-      filename: ripgrep-v13.0.0-4-s390x-unknown-linux-gnu.tar.gz
+      filename: ripgrep-v13.0.0-13-s390x-unknown-linux-gnu.tar.gz
     # node-argon2 prebuilts — two versions required because separate transitive
     # dependencies in the npm tree pin v0.31.2 and v0.28.7 respectively.
     # NOTE: Only x86_64 prebuilts are provided. On arm64/ppc64le, argon2 falls
@@ -59,16 +45,6 @@ input:
     - url: https://mirror.openshift.com/pub/openshift-v4/s390x/clients/ocp/4.18.33/openshift-client-linux.tar.gz
       filename: openshift-client-linux-s390x.tar.gz
 
-    # GitHub tarball dependency for @emmetio/css-parser (used by VSCode emmet extension)
-    # Filename must use .tgz to match rewrite-npm-urls.sh and download-npm.sh conventions.
-    - url: https://codeload.github.com/ramya-rao-a/css-parser/tar.gz/370c480ac103bd17c7bcfb34bf5d577dc40d3660
-      filename: npm/ramya-rao-a-css-parser-370c480ac103bd17c7bcfb34bf5d577dc40d3660.tgz
-
-    # GitHub tarball dependency for @parcel/watcher (v4.106.3 uses git ref instead of npm registry)
-    # Filename must use .tgz to match rewrite-npm-urls.sh and download-npm.sh conventions.
-    - url: https://codeload.github.com/parcel-bundler/watcher/tar.gz/1ca032aa8339260a8a3bcf825c3a1a71e3e43542
-      filename: npm/parcel-bundler-watcher-1ca032aa8339260a8a3bcf825c3a1a71e3e43542.tgz
-
     # VSCode marketplace extensions (built-in extensions bundled with code-server)
     - url: https://github.com/microsoft/vscode-js-debug-companion/releases/download/v1.1.3/ms-vscode.js-debug-companion.1.1.3.vsix
       filename: ms-vscode.js-debug-companion.1.1.3.vsix