frontend: rewrite HandleDepsOnly to use BuildContainerWithPackages

Replace the broken --downloadonly --alldeps approach in HandleDepsOnly
with a new BuildContainerWithPackages method that passes package names
directly to the package manager for resolution from repos. This avoids
the --alldeps flag which is unsupported by dnf.

Add deps-only integration tests for all RPM distros with two sub-tests:
- minimal spec: only runtime deps, verifies curl is installed
- full spec: includes sources, build steps, and a shell script artifact;
  verifies runtime deps are installed and build artifacts are excluded
- replaces the "e2e" test in docker-bake.hcl and tets all relevant
  distros

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

Author: cpuguy83

docker-bake.hcl

@@ -3,7 +3,7 @@ group "default" {
 }
 
 group "test" {
-    targets = ["runc-test", "test-deps-only"]
+    targets = ["runc-test"]
 }
 
 variable "FRONTEND_REF" {
@@ -227,42 +227,6 @@ target "examples" {
     tags = ["local/dalec/examples/${f}:${distro}"]
 }
 
-target "deps-only" {
-    name = "deps-only-${distro}"
-    matrix = {
-        distro = ["mariner2"]
-    }
-    dockerfile-inline = <<EOT
-dependencies:
-    runtime:
-        patch: {}
-        bash: {}
-    EOT
-    args = {
-        "BUILDKIT_SYNTAX" = "dalec_frontend"
-    }
-    contexts = {
-        "dalec_frontend" = "target:frontend"
-    }
-    target = "${distro}/container/depsonly"
-    tags = ["local/dalec/deps-only:${distro}"]
-}
-
-target "test-deps-only" {
-    dockerfile-inline = <<EOT
-    FROM deps-only-context
-    # Make sure the deps-only target has the runtime dependencies we expect and not, for instance, "rpm"
-    RUN command -v bash
-    RUN command -v patch
-    RUN if command -v rpm; then echo should be a distroless image but rpm binary is installed; exit 1; fi
-    EOT
-
-    contexts = {
-        "deps-only-context" = "target:deps-only-mariner2"
-    }
-}
-
-
 variable "CI_FRONTEND_CACHE_SCOPE" {
     default = "dalec/frontend/ci"
 }

targets/linux/rpm/distro/container.go

@@ -80,6 +80,67 @@ func (cfg *Config) BuildContainer(ctx context.Context, client gwclient.Client, s
 	return rootfs
 }
 
+// BuildContainerWithPackages builds a container image by installing the given
+// package names (resolved from repos) instead of local RPM files.
+// This is used by the deps-only target where there are no locally-built RPMs.
+func (cfg *Config) BuildContainerWithPackages(ctx context.Context, client gwclient.Client, sOpt dalec.SourceOpts, spec *dalec.Spec, targetKey string, packages []string, opts ...llb.ConstraintsOpt) llb.State {
+	opts = append(opts, dalec.ProgressGroup("Install packages"))
+	opts = append(opts, frontend.IgnoreCache(client))
+
+	const workPath = "/tmp/rootfs"
+
+	bi, err := spec.GetSingleBase(targetKey)
+	if err != nil {
+		return dalec.ErrorState(llb.Scratch(), err)
+	}
+
+	skipBase := bi != nil
+	rootfs := bi.ToState(sOpt, opts...)
+
+	installTimeRepos := spec.GetInstallRepos(targetKey)
+	repoMounts, keyPaths := cfg.RepoMounts(installTimeRepos, sOpt, opts...)
+	importRepos := []DnfInstallOpt{
+		DnfWithMounts(repoMounts),
+		DnfImportKeys(keyPaths),
+		DnfInstallWithConstraints(opts),
+	}
+
+	installOpts := []DnfInstallOpt{DnfAtRoot(workPath)}
+	installOpts = append(installOpts, importRepos...)
+	installOpts = append(installOpts, IncludeDocs(spec.GetArtifacts(targetKey).HasDocs()))
+
+	pkgs := append([]string{}, packages...)
+
+	if !skipBase && len(cfg.BasePackages) > 0 {
+		baseMountPath := "/tmp/rpms-base"
+		opts := append(opts, dalec.ProgressGroup("Create base virtual package"))
+
+		var basePkgStates []llb.State
+		for _, spec := range cfg.BasePackages {
+			pkg := cfg.BuildPkg(ctx, client, sOpt, &spec, targetKey, opts...)
+			basePkgStates = append(basePkgStates, pkg)
+		}
+
+		basePkgs := dalec.MergeAtPath(llb.Scratch().File(llb.Mkdir("/RPMS", 0o755), opts...), basePkgStates, "/", opts...)
+		installOpts = append(installOpts, DnfWithMounts(llb.AddMount(baseMountPath, basePkgs, llb.SourcePath("/RPMS"))))
+		pkgs = append(pkgs, filepath.Join(baseMountPath, "**/*.rpm"))
+	}
+
+	worker := cfg.Worker(sOpt, dalec.Platform(sOpt.TargetPlatform), dalec.WithConstraints(opts...))
+
+	rootfs = worker.Run(
+		dalec.WithConstraints(opts...),
+		cfg.Install(pkgs, installOpts...),
+		frontend.IgnoreCache(client, targets.IgnoreCacheKeyContainer),
+	).AddMount(workPath, rootfs)
+
+	if post := spec.GetImagePost(targetKey); post != nil && len(post.Symlinks) > 0 {
+		rootfs = rootfs.With(dalec.InstallPostSymlinks(post, worker, opts...))
+	}
+
+	return rootfs
+}
+
 func (cfg *Config) HandleDepsOnly(ctx context.Context, client gwclient.Client) (*gwclient.Result, error) {
 	return frontend.BuildWithPlatform(ctx, client, func(ctx context.Context, client gwclient.Client, platform *ocispecs.Platform, spec *dalec.Spec, targetKey string) (gwclient.Reference, *dalec.DockerImageSpec, error) {
 		rtDeps := spec.GetPackageDeps(targetKey).GetRuntime()
@@ -95,16 +156,9 @@ func (cfg *Config) HandleDepsOnly(ctx context.Context, client gwclient.Client) (
 		}
 
 		pc := dalec.Platform(platform)
-		worker := cfg.Worker(sOpt, pg, pc)
-
 		deps := dalec.SortMapKeys(rtDeps)
 
-		withDownloads := worker.Run(dalec.ShArgs("set -ex; mkdir -p /tmp/rpms/RPMS/$(uname -m)")).
-			Run(cfg.Install(deps,
-				DnfDownloadAllDeps("/tmp/rpms/RPMS/$(uname -m)")), pg).Root()
-		rpmDir := llb.Scratch().File(llb.Copy(withDownloads, "/tmp/rpms", "/", dalec.WithDirContentsOnly()), pg)
-
-		ctr := cfg.BuildContainer(ctx, client, sOpt, spec, targetKey, rpmDir, pg, pc)
+		ctr := cfg.BuildContainerWithPackages(ctx, client, sOpt, spec, targetKey, deps, pg, pc)
 
 		def, err := ctr.Marshal(ctx, pc)
 		if err != nil {

targets/linux/rpm/distro/dnf_install.go

@@ -34,12 +34,6 @@ type dnfInstallConfig struct {
 
 	constraints []llb.ConstraintsOpt
 
-	downloadOnly bool
-
-	allDeps bool
-
-	downloadDir string
-
 	// When true, don't omit docs from the installed RPMs.
 	includeDocs bool
 
@@ -82,14 +76,6 @@ func DnfForceArch(arch string) DnfInstallOpt {
 	}
 }
 
-func DnfDownloadAllDeps(dest string) DnfInstallOpt {
-	return func(cfg *dnfInstallConfig) {
-		cfg.downloadOnly = true
-		cfg.allDeps = true
-		cfg.downloadDir = dest
-	}
-}
-
 func IncludeDocs(v bool) DnfInstallOpt {
 	return func(cfg *dnfInstallConfig) {
 		cfg.includeDocs = v
@@ -110,18 +96,6 @@ func dnfInstallFlags(cfg *dnfInstallConfig) string {
 		cmdOpts += " --setopt=reposdir=/etc/yum.repos.d"
 	}
 
-	if cfg.downloadOnly {
-		cmdOpts += " --downloadonly"
-	}
-
-	if cfg.allDeps {
-		cmdOpts += " --alldeps"
-	}
-
-	if cfg.downloadDir != "" {
-		cmdOpts += " --downloaddir " + cfg.downloadDir
-	}
-
 	if !cfg.includeDocs {
 		cmdOpts += " --setopt=tsflags=nodocs"
 	}

test/linux_target_test.go

@@ -61,6 +61,8 @@ type targetConfig struct {
 	Package string
 	// Container is the target for creating a container
 	Container string
+	// DepsOnly is the target for creating a deps-only container (no package built, only runtime deps installed).
+	DepsOnly string
 	// Worker is the target for creating the worker image.
 	Worker string
 	// Sysext is the target for creating a systemd system extension.
@@ -177,6 +179,16 @@ func testLinuxDistro(ctx context.Context, t *testing.T, testConfig testLinuxConf
 		})
 	})
 
+	t.Run("container/depsonly", func(t *testing.T) {
+		if testConfig.Target.DepsOnly == "" {
+			t.Skip("depsonly target not defined")
+		}
+
+		t.Parallel()
+		ctx := startTestSpan(ctx, t)
+		testDepsOnly(ctx, t, testConfig)
+	})
+
 	t.Run("target-prebuilt-packages", func(t *testing.T) {
 		t.Parallel()
 		ctx := startTestSpan(ctx, t)
@@ -5403,6 +5415,85 @@ echo "This is a third test binary"
 	})
 }
 
+func testDepsOnly(ctx context.Context, t *testing.T, testConfig testLinuxConfig) {
+	t.Run("minimal spec", func(t *testing.T) {
+		t.Parallel()
+		ctx := startTestSpan(ctx, t)
+
+		spec := &dalec.Spec{
+			Dependencies: &dalec.PackageDependencies{
+				Runtime: map[string]dalec.PackageConstraints{
+					"curl": {},
+				},
+			},
+		}
+
+		testEnv.RunTest(ctx, t, func(ctx context.Context, client gwclient.Client) {
+			req := newSolveRequest(withSpec(ctx, t, spec), withBuildTarget(testConfig.Target.DepsOnly))
+			res := solveT(ctx, t, client, req)
+
+			ref, err := res.SingleRef()
+			assert.NilError(t, err)
+
+			_, err = ref.StatFile(ctx, gwclient.StatRequest{Path: "/usr/bin/curl"})
+			assert.NilError(t, err)
+		})
+	})
+
+	t.Run("full spec", func(t *testing.T) {
+		t.Parallel()
+		ctx := startTestSpan(ctx, t)
+
+		// Full spec includes sources, build steps, and a shell script artifact.
+		// The deps-only target should install only runtime deps (curl) and NOT
+		// include the built artifact (/usr/bin/my-script) or its implicit dep.
+		spec := fillMetadata("test-deps-only-full", &dalec.Spec{
+			Sources: map[string]dalec.Source{
+				"my-script": {
+					Inline: &dalec.SourceInline{
+						File: &dalec.SourceInlineFile{
+							Contents:    "#!/usr/bin/env bash\necho hello from deps-only test\n",
+							Permissions: 0o700,
+						},
+					},
+				},
+			},
+			Build: dalec.ArtifactBuild{
+				Steps: []dalec.BuildStep{
+					{Command: "/bin/true"},
+				},
+			},
+			Artifacts: dalec.Artifacts{
+				Binaries: map[string]dalec.ArtifactConfig{
+					"my-script": {},
+				},
+			},
+			Dependencies: &dalec.PackageDependencies{
+				Runtime: map[string]dalec.PackageConstraints{
+					"curl": {},
+				},
+			},
+		})
+
+		testEnv.RunTest(ctx, t, func(ctx context.Context, client gwclient.Client) {
+			req := newSolveRequest(withSpec(ctx, t, spec), withBuildTarget(testConfig.Target.DepsOnly))
+			res := solveT(ctx, t, client, req)
+
+			ref, err := res.SingleRef()
+			assert.NilError(t, err)
+
+			// Runtime dep should be installed.
+			_, err = ref.StatFile(ctx, gwclient.StatRequest{Path: "/usr/bin/curl"})
+			assert.NilError(t, err)
+
+			// The shell script artifact should NOT be present — deps-only
+			// never builds the package, so no artifacts are installed.
+			_, err = ref.StatFile(ctx, gwclient.StatRequest{Path: "/usr/bin/my-script"})
+			assert.ErrorContains(t, err, "no such file")
+		})
+	})
+}
+
 func testLinuxSpec(t *testing.T, userSpec dalec.Spec) dalec.Spec {
 	t.Helper()
 

test/target_almalinux_test.go

@@ -17,6 +17,7 @@ func TestAlmalinux9(t *testing.T) {
 			Key:       "almalinux9",
 			Package:   "almalinux9/rpm",
 			Container: "almalinux9/container",
+			DepsOnly:  "almalinux9/container/depsonly",
 			Worker:    "almalinux9/worker",
 			FormatDepEqual: func(v, _ string) string {
 				return v
@@ -65,6 +66,7 @@ func TestAlmalinux8(t *testing.T) {
 		Target: targetConfig{
 			Package:   "almalinux8/rpm",
 			Container: "almalinux8/container",
+			DepsOnly:  "almalinux8/container/depsonly",
 			Worker:    "almalinux8/worker",
 			FormatDepEqual: func(v, _ string) string {
 				return v

test/target_azlinux_test.go

@@ -46,6 +46,7 @@ func TestMariner2(t *testing.T) {
 			Key:       azlinux.Mariner2TargetKey,
 			Package:   "mariner2/rpm",
 			Container: "mariner2/container",
+			DepsOnly:  "mariner2/container/depsonly",
 			Worker:    "mariner2/worker",
 			FormatDepEqual: func(v, _ string) string {
 				return v
@@ -91,6 +92,7 @@ func TestAzlinux3(t *testing.T) {
 			Key:                   "azlinux3",
 			Package:               "azlinux3/rpm",
 			Container:             "azlinux3/container",
+			DepsOnly:              "azlinux3/container/depsonly",
 			Worker:                "azlinux3/worker",
 			Sysext:                "azlinux3/testing/sysext",
 			ListExpectedSignFiles: azlinuxListSignFiles("azl3"),

test/target_rockylinux_test.go

@@ -17,6 +17,7 @@ func TestRockylinux9(t *testing.T) {
 			Key:       "rockylinux9",
 			Package:   "rockylinux9/rpm",
 			Container: "rockylinux9/container",
+			DepsOnly:  "rockylinux9/container/depsonly",
 			Worker:    "rockylinux9/worker",
 			FormatDepEqual: func(v, _ string) string {
 				return v
@@ -65,6 +66,7 @@ func TestRockylinux8(t *testing.T) {
 		Target: targetConfig{
 			Package:   "rockylinux8/rpm",
 			Container: "rockylinux8/container",
+			DepsOnly:  "rockylinux8/container/depsonly",
 			Worker:    "rockylinux8/worker",
 			FormatDepEqual: func(v, _ string) string {
 				return v