
Commit 54e1611

committed
Use trusted binary or build from source
This commit changes the build process to either consume binaries from a trusted party, i.e. registry.redhat.io, or build the binary directly from source otherwise. This approach allows us to stay up to date with automation such as renovate or dependabot. For the binaries built from source, we can also update transitive dependencies individually if needed. Since building from source requires a newer version of Go than what is officially released by Red Hat, the internal image from brew.registry.redhat.io is used instead. Signed-off-by: Luiz Carvalho <[email protected]>
1 parent 0425a07 commit 54e1611


7 files changed

+1724
-14
lines changed

7 files changed

+1724
-14
lines changed

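--- a/Dockerfile
+++ b/Dockerfile
@@ -1,25 +1,36 @@
-#
-# Base image for use as a step runner for RHTAP pipelines
-#
+FROM registry.redhat.io/rhtas/cosign-rhel9:1.1.0@sha256:6fa39582a3d62a2aa5404397bb638fdd0960f9392db659d033d7bacf70bddfb1 as cosign
 
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5@sha256:d85040b6e3ed3628a89683f51a38c709185efc3fb552db2ad1b9180f2a6c38be
+FROM registry.redhat.io/rhtas/ec-rhel9:0.5@sha256:3d330b4c742f584be63cf11e451f7822863a5960976a721e18bd8b2e9f1c0038 as ec
+
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:v1.23@sha256:ca0c771ecd4f606986253f747e2773fe2960a6b5e8e7a52f6a4797b173ac7f56 as go-builder
+
+WORKDIR /build
 
-# Todo:
-# - Pin all the versions (maybe)
-# - Don't hard code the arch and platform in curl downloads
-# - Use RH builds instead of upstream where possible
-# - Check the sigature files for the curl downloads
+COPY . .
+
+ENV GOBIN=/usr/local/bin/
+
+RUN \
+cd tools/yq && \
+go install -trimpath --mod=readonly github.com/mikefarah/yq/v4 && \
+yq --version
+
+RUN \
+cd tools/syft && \
+go install -trimpath --mod=readonly github.com/anchore/syft/cmd/syft && \
+syft version
+
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.5@sha256:d85040b6e3ed3628a89683f51a38c709185efc3fb552db2ad1b9180f2a6c38be
 
 RUN \
 microdnf upgrade --assumeyes --nodocs --setopt=keepcache=0 --refresh && \
 microdnf -y --nodocs --setopt=keepcache=0 install which git-core jq python3.11 podman buildah podman fuse-overlayfs findutils && \
 ln -s /usr/bin/python3.11 /usr/bin/python3
 
-RUN \
-curl -sL https://github.com/mikefarah/yq/releases/download/v4.44.3/yq_linux_amd64 -o /usr/bin/yq && chmod 755 /usr/bin/yq && \
-curl -sL https://github.com/sigstore/cosign/releases/download/v2.4.1/cosign-linux-amd64 -o /usr/bin/cosign && chmod 755 /usr/bin/cosign && \
-curl -sL https://github.com/enterprise-contract/ec-cli/releases/download/v0.6.104/ec_linux_amd64 -o /usr/bin/ec && chmod 755 /usr/bin/ec && \
-curl -sL https://github.com/anchore/syft/releases/download/v1.14.2/syft_1.14.2_linux_amd64.tar.gz | tar zxf - syft && mv syft /usr/bin/syft
+COPY --from=cosign /usr/local/bin/cosign /usr/bin/cosign
+COPY --from=ec /usr/local/bin/ec /usr/bin/ec
+COPY --from=go-builder /usr/local/bin/yq /usr/bin/yq
+COPY --from=go-builder /usr/local/bin/syft /usr/bin/syft
 
 WORKDIR /work
 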
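Review bot: `COPY . .` in the go-builder stage copies the whole build context although only `tools/yq` and `tools/syft` are consumed by the two `go install` steps; narrowing it to `COPY tools/ tools/` keeps unrelated files (and anything a missing .dockerignore would let through — the page does not show one) out of that stage and stops every repository change from invalidating the Go build layers. The `cd tools/yq && go install …` chain can be written as `go -C tools/yq install -trimpath --mod=readonly github.com/mikefarah/yq/v4`, which drops the `cd` hadolint flags and keeps WORKDIR the single source of the working directory; the same applies to the syft step. `--mod=readonly` makes the build fail unless each tools/*/go.sum fully covers the module graph, which is the right supply-chain behavior here; those go.sum files are presumably among the five changed files not shown on this page. The final stage still ends as root with no `USER`, which is plausibly intentional for a podman/buildah step runner but deserves a one-line comment saying so.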
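--- /dev/null
+++ b/tools/syft/go.mod
@@ -0,0 +1,213 @@
+module github.com/redhat-appstudio/tssc-dev-multi-ci/tools/syft
+
+go 1.23.0
+
+require github.com/anchore/syft v1.14.2
+
+require (
+dario.cat/mergo v1.0.1 // indirect
+github.com/AdaLogics/go-fuzz-headers v0.0.0-20230811130428-ced1acdcaa24 // indirect
+github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20230306123547-8075edf89bb0 // indirect
+github.com/BurntSushi/toml v1.4.0 // indirect
+github.com/CycloneDX/cyclonedx-go v0.9.1 // indirect
+github.com/DataDog/zstd v1.5.5 // indirect
+github.com/Masterminds/goutils v1.1.1 // indirect
+github.com/Masterminds/semver v1.5.0 // indirect
+github.com/Masterminds/semver/v3 v3.3.0 // indirect
+github.com/Masterminds/sprig/v3 v3.3.0 // indirect
+github.com/Microsoft/go-winio v0.6.2 // indirect
+github.com/Microsoft/hcsshim v0.11.7 // indirect
+github.com/ProtonMail/go-crypto v1.0.0 // indirect
+github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
+github.com/acobaugh/osrelease v0.1.0 // indirect
+github.com/adrg/xdg v0.5.1 // indirect
+github.com/anchore/bubbly v0.0.0-20231115134915-def0aba654a9 // indirect
+github.com/anchore/clio v0.0.0-20240522144804-d81e109008aa // indirect
+github.com/anchore/fangs v0.0.0-20240903175602-e716ef12c23d // indirect
+github.com/anchore/go-collections v0.0.0-20240216171411-9321230ce537 // indirect
+github.com/anchore/go-logger v0.0.0-20230725134548-c21dafa1ec5a // indirect
+github.com/anchore/go-macholibre v0.0.0-20220308212642-53e6d0aaf6fb // indirect
+github.com/anchore/go-struct-converter v0.0.0-20221118182256-c68fdcfa2092 // indirect
+github.com/anchore/go-version v1.2.2-0.20200701162849-18adb9c92b9b // indirect
+github.com/anchore/packageurl-go v0.1.1-0.20241018175412-5c22e6360c4f // indirect
+github.com/anchore/stereoscope v0.0.5-0.20241018131503-a38c93517fc7 // indirect
+github.com/andybalholm/brotli v1.0.4 // indirect
+github.com/aquasecurity/go-pep440-version v0.0.0-20210121094942-22b2f8951d46 // indirect
+github.com/aquasecurity/go-version v0.0.0-20210121072130-637058cfe492 // indirect
+github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+github.com/becheran/wildmatch-go v1.0.0 // indirect
+github.com/bmatcuk/doublestar/v4 v4.7.1 // indirect
+github.com/charmbracelet/bubbles v0.20.0 // indirect
+github.com/charmbracelet/bubbletea v1.1.1 // indirect
+github.com/charmbracelet/harmonica v0.2.0 // indirect
+github.com/charmbracelet/lipgloss v0.13.0 // indirect
+github.com/charmbracelet/x/ansi v0.2.3 // indirect
+github.com/charmbracelet/x/term v0.2.0 // indirect
+github.com/cloudflare/circl v1.3.8 // indirect
+github.com/containerd/cgroups v1.1.0 // indirect
+github.com/containerd/containerd v1.7.23 // indirect
+github.com/containerd/containerd/api v1.7.19 // indirect
+github.com/containerd/continuity v0.4.2 // indirect
+github.com/containerd/errdefs v0.3.0 // indirect
+github.com/containerd/fifo v1.1.0 // indirect
+github.com/containerd/log v0.1.0 // indirect
+github.com/containerd/platforms v0.2.1 // indirect
+github.com/containerd/stargz-snapshotter/estargz v0.14.3 // indirect
+github.com/containerd/ttrpc v1.2.5 // indirect
+github.com/containerd/typeurl/v2 v2.1.1 // indirect
+github.com/cyphar/filepath-securejoin v0.2.4 // indirect
+github.com/deitch/magic v0.0.0-20230404182410-1ff89d7342da // indirect
+github.com/distribution/reference v0.6.0 // indirect
+github.com/docker/cli v27.3.1+incompatible // indirect
+github.com/docker/distribution v2.8.3+incompatible // indirect
+github.com/docker/docker v27.3.1+incompatible // indirect
+github.com/docker/docker-credential-helpers v0.7.0 // indirect
+github.com/docker/go-connections v0.4.0 // indirect
+github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
+github.com/docker/go-units v0.5.0 // indirect
+github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5 // indirect
+github.com/dustin/go-humanize v1.0.1 // indirect
+github.com/edsrzf/mmap-go v1.1.0 // indirect
+github.com/elliotchance/phpserialize v1.4.0 // indirect
+github.com/emirpasic/gods v1.18.1 // indirect
+github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
+github.com/facebookincubator/nvdtools v0.1.5 // indirect
+github.com/felixge/fgprof v0.9.3 // indirect
+github.com/felixge/httpsnoop v1.0.4 // indirect
+github.com/fsnotify/fsnotify v1.7.0 // indirect
+github.com/gabriel-vasile/mimetype v1.4.6 // indirect
+github.com/github/go-spdx/v2 v2.3.2 // indirect
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+github.com/go-git/go-billy/v5 v5.5.0 // indirect
+github.com/go-git/go-git/v5 v5.12.0 // indirect
+github.com/go-logr/logr v1.4.1 // indirect
+github.com/go-logr/stdr v1.2.2 // indirect
+github.com/go-restruct/restruct v1.2.0-alpha // indirect
+github.com/gogo/protobuf v1.3.2 // indirect
+github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+github.com/golang/protobuf v1.5.4 // indirect
+github.com/golang/snappy v0.0.4 // indirect
+github.com/google/go-cmp v0.6.0 // indirect
+github.com/google/go-containerregistry v0.20.2 // indirect
+github.com/google/licensecheck v0.3.1 // indirect
+github.com/google/pprof v0.0.0-20240409012703-83162a5b38cd // indirect
+github.com/google/uuid v1.6.0 // indirect
+github.com/gookit/color v1.5.4 // indirect
+github.com/hashicorp/errwrap v1.1.0 // indirect
+github.com/hashicorp/go-multierror v1.1.1 // indirect
+github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
+github.com/hashicorp/hcl v1.0.0 // indirect
+github.com/huandu/xstrings v1.5.0 // indirect
+github.com/iancoleman/strcase v0.3.0 // indirect
+github.com/inconshreveable/mousetrap v1.1.0 // indirect
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+github.com/jedib0t/go-pretty/v6 v6.6.1 // indirect
+github.com/jinzhu/copier v0.4.0 // indirect
+github.com/kastenhq/goversion v0.0.0-20230811215019-93b2f8823953 // indirect
+github.com/kevinburke/ssh_config v1.2.0 // indirect
+github.com/klauspost/compress v1.17.8 // indirect
+github.com/klauspost/pgzip v1.2.5 // indirect
+github.com/knqyf263/go-rpmdb v0.1.1 // indirect
+github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+github.com/magiconair/properties v1.8.7 // indirect
+github.com/mattn/go-colorable v0.1.13 // indirect
+github.com/mattn/go-isatty v0.0.20 // indirect
+github.com/mattn/go-localereader v0.0.2-0.20220822084749-2491eb6c1c75 // indirect
+github.com/mattn/go-runewidth v0.0.16 // indirect
+github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
+github.com/mholt/archiver/v3 v3.5.1 // indirect
+github.com/microsoft/go-rustaudit v0.0.0-20220730194248-4b17361d90a5 // indirect
+github.com/mitchellh/copystructure v1.2.0 // indirect
+github.com/mitchellh/go-homedir v1.1.0 // indirect
+github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
+github.com/mitchellh/mapstructure v1.5.0 // indirect
+github.com/mitchellh/reflectwalk v1.0.2 // indirect
+github.com/moby/docker-image-spec v1.3.1 // indirect
+github.com/moby/locker v1.0.1 // indirect
+github.com/moby/sys/mountinfo v0.7.2 // indirect
+github.com/moby/sys/sequential v0.5.0 // indirect
+github.com/moby/sys/signal v0.7.0 // indirect
+github.com/moby/sys/user v0.3.0 // indirect
+github.com/moby/sys/userns v0.1.0 // indirect
+github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
+github.com/muesli/cancelreader v0.2.2 // indirect
+github.com/muesli/termenv v0.15.2 // indirect
+github.com/ncruces/go-strftime v0.1.9 // indirect
+github.com/nwaples/rardecode v1.1.0 // indirect
+github.com/olekukonko/tablewriter v0.0.5 // indirect
+github.com/opencontainers/go-digest v1.0.0 // indirect
+github.com/opencontainers/image-spec v1.1.0 // indirect
+github.com/opencontainers/runtime-spec v1.1.0 // indirect
+github.com/opencontainers/selinux v1.11.0 // indirect
+github.com/pborman/indent v1.2.1 // indirect
+github.com/pelletier/go-toml v1.9.5 // indirect
+github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+github.com/pierrec/lz4/v4 v4.1.19 // indirect
+github.com/pjbgf/sha1cd v0.3.0 // indirect
+github.com/pkg/errors v0.9.1 // indirect
+github.com/pkg/profile v1.7.0 // indirect
+github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+github.com/rivo/uniseg v0.4.7 // indirect
+github.com/saferwall/pe v1.5.4 // indirect
+github.com/sagikazarmark/locafero v0.4.0 // indirect
+github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+github.com/saintfish/chardet v0.0.0-20230101081208-5e3ef4b5456d // indirect
+github.com/sassoftware/go-rpmutils v0.4.0 // indirect
+github.com/scylladb/go-set v1.0.3-0.20200225121959-cc7b2070d91e // indirect
+github.com/secDre4mer/pkcs7 v0.0.0-20240322103146-665324a4461d // indirect
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
+github.com/shopspring/decimal v1.4.0 // indirect
+github.com/sirupsen/logrus v1.9.3 // indirect
+github.com/skeema/knownhosts v1.2.2 // indirect
+github.com/sourcegraph/conc v0.3.0 // indirect
+github.com/spdx/tools-golang v0.5.5 // indirect
+github.com/spf13/afero v1.11.0 // indirect
+github.com/spf13/cast v1.7.0 // indirect
+github.com/spf13/cobra v1.8.1 // indirect
+github.com/spf13/pflag v1.0.5 // indirect
+github.com/spf13/viper v1.19.0 // indirect
+github.com/subosito/gotenv v1.6.0 // indirect
+github.com/sylabs/sif/v2 v2.19.1 // indirect
+github.com/sylabs/squashfs v1.0.0 // indirect
+github.com/therootcompany/xz v1.0.1 // indirect
+github.com/ulikunitz/xz v0.5.12 // indirect
+github.com/vbatts/go-mtree v0.5.4 // indirect
+github.com/vbatts/tar-split v0.11.3 // indirect
+github.com/vifraa/gopom v1.0.0 // indirect
+github.com/wagoodman/go-partybus v0.0.0-20230516145632-8ccac152c651 // indirect
+github.com/wagoodman/go-progress v0.0.0-20230925121702-07e42b3cdba0 // indirect
+github.com/xanzy/ssh-agent v0.3.3 // indirect
+github.com/xi2/xz v0.0.0-20171230120015-48954b6210f8 // indirect
+github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+github.com/zyedidia/generic v1.2.2-0.20230320175451-4410d2372cb1 // indirect
+go.opencensus.io v0.24.0 // indirect
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.49.0 // indirect
+go.opentelemetry.io/otel v1.24.0 // indirect
+go.opentelemetry.io/otel/metric v1.24.0 // indirect
+go.opentelemetry.io/otel/trace v1.24.0 // indirect
+go.uber.org/atomic v1.9.0 // indirect
+go.uber.org/multierr v1.9.0 // indirect
+golang.org/x/crypto v0.28.0 // indirect
+golang.org/x/exp v0.0.0-20231108232855-2478ac86f678 // indirect
+golang.org/x/mod v0.21.0 // indirect
+golang.org/x/net v0.30.0 // indirect
+golang.org/x/sync v0.8.0 // indirect
+golang.org/x/sys v0.26.0 // indirect
+golang.org/x/term v0.25.0 // indirect
+golang.org/x/text v0.19.0 // indirect
+golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
+google.golang.org/genproto v0.0.0-20240213162025-012b6fc9bca9 // indirect
+google.golang.org/genproto/googleapis/rpc v0.0.0-20240314234333-6e1732d8331c // indirect
+google.golang.org/grpc v1.62.1 // indirect
+google.golang.org/protobuf v1.34.2 // indirect
+gopkg.in/ini.v1 v1.67.0 // indirect
+gopkg.in/warnings.v0 v0.1.2 // indirect
+gopkg.in/yaml.v3 v3.0.1 // indirect
+modernc.org/gc/v3 v3.0.0-20240107210532-573471604cb6 // indirect
+modernc.org/libc v1.55.3 // indirect
+modernc.org/mathutil v1.6.0 // indirect
+modernc.org/memory v1.8.0 // indirect
+modernc.org/sqlite v1.33.1 // indirect
+modernc.org/strutil v1.2.0 // indirect
+modernc.org/token v1.1.0 // indirect
+)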
