feat: use ADD directives instead of curls

* Use ADD directives instead of curl to download utilities that will be installed * Download the archives as part of a multi-stage build * Unify RUN directives to reduce final image layers Signed-off-by: dirgim <[email protected]> rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED
konflux-ci · Nov 29, 2024 · 6bd9ded · 6bd9ded
1 parent 3b85000
commit 6bd9ded
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 23 deletions.
diff --git a/.github/workflows/build_reusable.yaml b/.github/workflows/build_reusable.yaml
@@ -18,7 +18,7 @@ on:
 jobs:
   build_container_image:
     name: Build and check main image
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     steps:
       - name: Check out Docker file code in the root directory

diff --git a/Dockerfile b/Dockerfile
@@ -2,21 +2,44 @@
 FROM docker.io/snyk/snyk:linux@sha256:893db22bae8074744d869f585013d7d7e471531d1287d28ca2f54d356f9be44b as snyk
 FROM quay.io/enterprise-contract/ec-cli:snapshot@sha256:dc7d404596385e7d3c624ec0492524a1d57efe2b0c10cf0ec2158d49c0290a83 AS ec-cli
 FROM ghcr.io/sigstore/cosign/cosign:v99.99.91@sha256:8caf794491167c331776203c60b7c69d4ff24b4b4791eba348d8def0fd0cc343 as cosign-bin
-FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4-1227.1726694542
 
+FROM registry.access.redhat.com/ubi9/ubi:9.4-1214.1729773476 AS src
+
+ARG TARGETARCH
 # Note that the version of OPA used by pr-checks must be updated manually to reflect conftest updates
 # To find the OPA version associated with conftest run the following with the relevant version of conftest:
 # $ conftest --version
-ARG conftest_version=0.45.0
+ARG CONFTEST_VERSION=0.45.0
+ARG SBOM_UTILITY_VERSION=0.12.0
 ARG BATS_VERSION=1.6.0
-ARG sbom_utility_version=0.12.0
 ARG OPM_VERSION=v1.40.0
 ARG UMOCI_VERSION=v0.4.7
 
+ADD https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm /tmp/epel-release-latest-9.noarch.rpm
+
+ADD https://github.com/open-policy-agent/conftest/releases/download/v"${CONFTEST_VERSION}"/conftest_"${CONFTEST_VERSION}"_Linux_"${TARGETARCH/amd64/x86_64}".tar.gz /src/conftest.tar.gz
+ADD https://github.com/CycloneDX/sbom-utility/releases/download/v"${SBOM_UTILITY_VERSION}"/sbom-utility-v"${SBOM_UTILITY_VERSION}"-linux-"${TARGETARCH/ppc64le/ppc64}".tar.gz /src/sbom-utility.tar.gz
+ADD https://mirror.openshift.com/pub/openshift-v4/"${TARGETARCH}"/clients/ocp/stable/openshift-client-linux.tar.gz /src/oc.tar.gz
+ADD https://github.com/bats-core/bats-core/archive/refs/tags/v"${BATS_VERSION}".tar.gz /src/bats.tar.gz
+
+ADD --chmod=744 https://github.com/operator-framework/operator-registry/releases/download/"${OPM_VERSION}"/linux-"${TARGETARCH}"-opm /usr/local/bin/opm
+ADD --chmod=744 https://github.com/opencontainers/umoci/releases/download/"${UMOCI_VERSION}"/umoci.amd64 /usr/local/bin/umoci
+
+RUN tar -xvzf src/conftest.tar.gz -C /usr/local/bin/ && chmod +x /usr/local/bin/conftest && \
+    tar -xvzf src/sbom-utility.tar.gz -C /usr/local/bin/ && chmod +x /usr/local/bin/sbom-utility && \
+    tar -xvzf src/oc.tar.gz -C /usr/local/bin/ && chmod +x /usr/local/bin/oc && \
+    tar -xvzf src/bats.tar.gz -C /tmp/
+
+FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4-1227.1726694542
+
+ARG BATS_VERSION=1.6.0
+
 ENV POLICY_PATH="/project"
 
-RUN curl -k -s -L https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output epel-release-latest-9.noarch.rpm && \
-    rpm -Uvh epel-release-latest-9.noarch.rpm && \
+COPY --from=src /usr/local/bin/ /usr/local/bin/
+COPY --from=src /tmp/ /tmp/
+
+RUN rpm -Uvh /tmp/epel-release-latest-9.noarch.rpm && \
     microdnf -y --setopt=tsflags=nodocs --setopt=install_weak_deps=0 install \
     findutils \
     jq \
@@ -33,24 +56,10 @@ RUN curl -k -s -L https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.no
     csmock-plugin-shellcheck-core \
     clamav-update && \
     pip3 install --no-cache-dir yq && \
-    curl -k -s -L https://github.com/CycloneDX/sbom-utility/releases/download/v"${sbom_utility_version}"/sbom-utility-v"${sbom_utility_version}"-linux-amd64.tar.gz --output sbom-utility.tar.gz && \
-    mkdir sbom-utility && tar -xf sbom-utility.tar.gz -C sbom-utility && rm sbom-utility.tar.gz && \
-    cd /usr/bin && \
     microdnf -y install libicu && \
-    microdnf clean all
-
-RUN ARCH=$(uname -m) && curl -k -s -L https://github.com/open-policy-agent/conftest/releases/download/v"${conftest_version}"/conftest_"${conftest_version}"_Linux_"$ARCH".tar.gz | tar -xz --no-same-owner -C /usr/bin/ && \
-    curl https://mirror.openshift.com/pub/openshift-v4/"$ARCH"/clients/ocp/stable/openshift-client-linux.tar.gz --output oc.tar.gz && tar -xzvf oc.tar.gz -C /usr/bin && rm oc.tar.gz && \
-    curl -k -s -LO "https://github.com/bats-core/bats-core/archive/refs/tags/v$BATS_VERSION.tar.gz" && \
-    curl -k -s -L https://github.com/operator-framework/operator-registry/releases/download/"${OPM_VERSION}"/linux-amd64-opm > /usr/bin/opm && chmod +x /usr/bin/opm && \
-    curl -k -s -L https://github.com/opencontainers/umoci/releases/download/"${UMOCI_VERSION}"/umoci.amd64 > /usr/bin/umoci && chmod +x /usr/bin/umoci && \
-    tar -xf "v$BATS_VERSION.tar.gz" && \
-    cd "bats-core-$BATS_VERSION" && \
-    ./install.sh /usr && \
-    cd .. && rm -rf "bats-core-$BATS_VERSION" && rm -rf "v$BATS_VERSION.tar.gz" && \
-    cd /
-
-ENV PATH="${PATH}:/sbom-utility"
+    microdnf clean all && \
+    cd /tmp/"bats-core-$BATS_VERSION" && ./install.sh /usr && \
+    cd .. && rm -rf /tmp/*
 
 COPY --from=snyk /usr/local/bin/snyk /usr/local/bin/snyk