Implement the downstream build process

Dockerfile: - compile the syft binary during the container build, don't copy an externally compiled binary - base the build on the Red Hat UBI 9 go-toolset image - remove unnecessary labels and labels that Konflux cannot provide - change the vendor label to Red Hat, Inc. build-syft-binary.sh: - replicate the required goreleaser-like functionality (passing version data to the syft build) - use a custom script rather than goreleaser to avoid depending on an external tool (problem for hermetic builds) and to have more control over the versions that we pass to the syft build Signed-off-by: Adam Cmiel <[email protected]>
redhat-appstudio · Jan 16, 2024 · 7dc0393 · 7dc0393
1 parent 4f9c929
commit 7dc0393
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 16 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,29 +1,25 @@
-FROM gcr.io/distroless/static-debian11:debug AS build
+FROM registry.access.redhat.com/ubi9/go-toolset:1.20@sha256:077f292da8bea9ce7f729489cdbd217dd268ce300f3e216cb1fffb38de7daeb9 AS build
+
+WORKDIR /src/syft
+
+COPY --chown=1001 go.mod go.sum .
+RUN go mod download
+
+COPY --chown=1001 . .
+RUN ./build-syft-binary.sh
 
 FROM scratch
 # needed for version check HTTPS request
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=build /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/ssl/certs/ca-certificates.crt
 
 # create the /tmp dir, which is needed for image content cache
 WORKDIR /tmp
 
-COPY syft /
-
-ARG BUILD_DATE
-ARG BUILD_VERSION
-ARG VCS_REF
-ARG VCS_URL
+COPY --from=build /src/syft/dist/syft /syft
 
-LABEL org.opencontainers.image.created=$BUILD_DATE
 LABEL org.opencontainers.image.title="syft"
 LABEL org.opencontainers.image.description="CLI tool and library for generating a Software Bill of Materials from container images and filesystems"
-LABEL org.opencontainers.image.source=$VCS_URL
-LABEL org.opencontainers.image.revision=$VCS_REF
-LABEL org.opencontainers.image.vendor="Anchore, Inc."
-LABEL org.opencontainers.image.version=$BUILD_VERSION
+LABEL org.opencontainers.image.vendor="Red Hat, Inc."
 LABEL org.opencontainers.image.licenses="Apache-2.0"
-LABEL io.artifacthub.package.readme-url="https://raw.githubusercontent.com/anchore/syft/main/README.md"
-LABEL io.artifacthub.package.logo-url="https://user-images.githubusercontent.com/5199289/136844524-1527b09f-c5cb-4aa9-be54-5aa92a6086c1.png"
-LABEL io.artifacthub.package.license="Apache-2.0"
 
 ENTRYPOINT ["/syft"]
diff --git a/build-syft-binary.sh b/build-syft-binary.sh
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -o errexit -o nounset -o pipefail
+
+# Roughly replicate goreleaser templating: https://goreleaser.com/customization/templates/.
+# Needed for passing version information to the Syft build (see the upstream .goreleaser.yaml).
+
+get_version() {
+    local version
+    version=$(git describe --tags --abbrev=0)
+    # TODO: should we indicate the Red Hat patches in the version?
+    # TODO: how to version re-releases of past versions?
+    echo "${version#v}"  # strip the 'v' prefix
+}
+
+version=$(get_version)
+full_commit=$(git rev-parse HEAD)
+date="$(date --utc --iso-8601=seconds | cut -d '+' -f 1)Z"  # yyyy-mm-ddThh:mm:ssZ
+summary=$(git describe --dirty --always --tags)
+
+# command based on .goreleaser.yaml configuration
+CGO_ENABLED=0 go build -ldflags "
+  -w
+  -s
+  -extldflags '-static'
+  -X main.version=$version
+  -X main.gitCommit=$full_commit
+  -X main.buildDate=$date
+  -X main.gitDescription=$summary
+" -o dist/syft ./cmd/syft
+
+echo "--- output path: dist/syft ---"
+dist/syft version
diff --git a/hack/generate-downstream.sh b/hack/generate-downstream.sh
@@ -28,6 +28,7 @@ FORCE='false'
 
 CUSTOM_FILES=(
     Dockerfile
+    build-syft-binary.sh
 )
 
 while getopts v:m:b:fh opt; do