From 7dc039320bb868e13595aec8475c00797c32cf84 Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Tue, 16 Jan 2024 16:46:48 +0100
Subject: [PATCH] Implement the downstream build process

Dockerfile:
- compile the syft binary during the container build, don't copy an externally compiled binary
- base the build on the Red Hat UBI 9 go-toolset image
- remove unnecessary labels and labels that Konflux cannot provide
- change the vendor label to Red Hat, Inc.

build-syft-binary.sh:
- replicate the required goreleaser-like functionality (passing version data to the syft build)
- use a custom script rather than goreleaser to avoid depending on an external tool (problem for hermetic builds) and to have more control over the versions that we pass to the syft build

Signed-off-by: Adam Cmiel
---
 Dockerfile | 28 ++++++++++++----------------
 build-syft-binary.sh | 32 ++++++++++++++++++++++++++++++++
 hack/generate-downstream.sh | 1 +
 3 files changed, 45 insertions(+), 16 deletions(-)
 create mode 100755 build-syft-binary.sh

diff --git a/Dockerfile b/Dockerfile
index c93c21fa..6b0393d8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,29 +1,25 @@
-FROM gcr.io/distroless/static-debian11:debug AS build
+FROM registry.access.redhat.com/ubi9/go-toolset:1.20@sha256:077f292da8bea9ce7f729489cdbd217dd268ce300f3e216cb1fffb38de7daeb9 AS build
+
+WORKDIR /src/syft
+
+COPY --chown=1001 go.mod go.sum .
+RUN go mod download
+
+COPY --chown=1001 . .
+RUN ./build-syft-binary.sh
 
 FROM scratch
 
 # needed for version check HTTPS request
-COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+COPY --from=build /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /etc/ssl/certs/ca-certificates.crt
 
 # create the /tmp dir, which is needed for image content cache
 WORKDIR /tmp
 
-COPY syft /
-
-ARG BUILD_DATE
-ARG BUILD_VERSION
-ARG VCS_REF
-ARG VCS_URL
+COPY --from=build /src/syft/dist/syft /syft
 
-LABEL org.opencontainers.image.created=$BUILD_DATE
 LABEL org.opencontainers.image.title="syft"
 LABEL org.opencontainers.image.description="CLI tool and library for generating a Software Bill of Materials from container images and filesystems"
-LABEL org.opencontainers.image.source=$VCS_URL
-LABEL org.opencontainers.image.revision=$VCS_REF
-LABEL org.opencontainers.image.vendor="Anchore, Inc."
-LABEL org.opencontainers.image.version=$BUILD_VERSION
+LABEL org.opencontainers.image.vendor="Red Hat, Inc."
 LABEL org.opencontainers.image.licenses="Apache-2.0"
-LABEL io.artifacthub.package.readme-url="https://raw.githubusercontent.com/anchore/syft/main/README.md"
-LABEL io.artifacthub.package.logo-url="https://user-images.githubusercontent.com/5199289/136844524-1527b09f-c5cb-4aa9-be54-5aa92a6086c1.png"
-LABEL io.artifacthub.package.license="Apache-2.0"
 ENTRYPOINT ["/syft"]
diff --git a/build-syft-binary.sh b/build-syft-binary.sh
new file mode 100755
index 00000000..f26f530b
--- /dev/null
+++ b/build-syft-binary.sh
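Review bot: `RUN ./build-syft-binary.sh` only succeeds if the `.git` directory reaches the build stage through `COPY --chown=1001 . .`, because the script derives version, commit and description from `git describe` and `git rev-parse`; if the repository's `.dockerignore` excludes `.git` the build fails at that step, and a partial copy of the tree makes `git describe --dirty` embed a `-dirty` description in the binary. That requirement is worth stating above the copy: `# copies the whole tree incl. .git: build-syft-binary.sh reads version data from git`. The two-source `COPY --chown=1001 go.mod go.sum .` should name an explicit directory destination, `COPY --chown=1001 go.mod go.sum ./`, which is the form hadolint DL3021 expects. The `FROM scratch` stage kept by this hunk still has no `USER`, so the shipped image runs syft as root; that predates this change, but it stands out now that the build stage deliberately runs as uid 1001.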
@@ -0,0 +1,32 @@
+#!/usr/bin/env bash
+set -o errexit -o nounset -o pipefail
+
+# Roughly replicate goreleaser templating: https://goreleaser.com/customization/templates/.
+# Needed for passing version information to the Syft build (see the upstream .goreleaser.yaml).
+
+get_version() {
+local version
+version=$(git describe --tags --abbrev=0)
+# TODO: should we indicate the Red Hat patches in the version?
+# TODO: how to version re-releases of past versions?
+echo "${version#v}" # strip the 'v' prefix
+}
+
+version=$(get_version)
+full_commit=$(git rev-parse HEAD)
+date="$(date --utc --iso-8601=seconds | cut -d '+' -f 1)Z" # yyyy-mm-ddThh:mm:ssZ
+summary=$(git describe --dirty --always --tags)
+
+# command based on .goreleaser.yaml configuration
+CGO_ENABLED=0 go build -ldflags "
+-w
+-s
+-extldflags '-static'
+-X main.version=$version
+-X main.gitCommit=$full_commit
+-X main.buildDate=$date
+-X main.gitDescription=$summary
+" -o dist/syft ./cmd/syft
+
+echo "--- output path: dist/syft ---"
+dist/syft version
diff --git a/hack/generate-downstream.sh b/hack/generate-downstream.sh
index bda1c1e1..284283e1 100755
--- a/hack/generate-downstream.sh
+++ b/hack/generate-downstream.sh
@@ -28,6 +28,7 @@ FORCE='false'
 
 CUSTOM_FILES=(
 Dockerfile
+build-syft-binary.sh
 )
 
 while getopts v:m:b:fh opt; do
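Review bot: `version=$(git describe --tags --abbrev=0)` in `get_version` aborts the whole container build under `set -o errexit` whenever the checkout has no tag reachable from HEAD (a shallow or tag-less CI clone), and the only diagnostic is git's generic "No names found" message; the later `git describe --dirty --always --tags` does not have this problem because `--always` falls back to the commit hash. A header comment, `# requires a full clone with tags: version data is read from git describe / git rev-parse`, plus an explicit guard such as `git describe --tags --abbrev=0 >/dev/null || { echo "build-syft-binary.sh: no tag reachable from HEAD" >&2; exit 1; }` would make the failure self-explanatory. The `date=` line embeds the wall-clock build time, so two builds of the same commit produce different binaries, which works against the hermetic/reproducible goal named in the commit message; honoring `SOURCE_DATE_EPOCH` when it is set keeps the output deterministic while preserving the current format: `date="$(date --utc --date="@${SOURCE_DATE_EPOCH:-$(date +%s)}" +%Y-%m-%dT%H:%M:%SZ)"`. The trailing `dist/syft version` is a useful smoke test of the freshly built binary and deserves a one-line comment saying so, since a reader may otherwise take it for leftover debugging output.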