From 6bd9deda5e823549e74e2639a66350d260b2efdc Mon Sep 17 00:00:00 2001 From: dirgim Date: Wed, 27 Nov 2024 19:45:31 +0100 Subject: [PATCH] feat: use ADD directives instead of curls * Use ADD directives instead of curl to download utilities that will be installed * Download the archives as part of a multi-stage build * Unify RUN directives to reduce final image layers Signed-off-by: dirgim rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED --- .github/workflows/build_reusable.yaml | 2 +- Dockerfile | 53 ++++++++++++++++----------- 2 files changed, 32 insertions(+), 23 deletions(-) diff --git a/.github/workflows/build_reusable.yaml b/.github/workflows/build_reusable.yaml index 11649d8f..37ac78d2 100644 --- a/.github/workflows/build_reusable.yaml +++ b/.github/workflows/build_reusable.yaml @@ -18,7 +18,7 @@ on: jobs: build_container_image: name: Build and check main image - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - name: Check out Docker file code in the root directory diff --git a/Dockerfile b/Dockerfile index f0ff1f57..db3b9764 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,21 +2,44 @@ FROM docker.io/snyk/snyk:linux@sha256:893db22bae8074744d869f585013d7d7e471531d1287d28ca2f54d356f9be44b as snyk FROM quay.io/enterprise-contract/ec-cli:snapshot@sha256:dc7d404596385e7d3c624ec0492524a1d57efe2b0c10cf0ec2158d49c0290a83 AS ec-cli FROM ghcr.io/sigstore/cosign/cosign:v99.99.91@sha256:8caf794491167c331776203c60b7c69d4ff24b4b4791eba348d8def0fd0cc343 as cosign-bin -FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4-1227.1726694542 +FROM registry.access.redhat.com/ubi9/ubi:9.4-1214.1729773476 AS src + +ARG TARGETARCH # Note that the version of OPA used by pr-checks must be updated manually to reflect conftest updates # To find the OPA version associated with conftest run the following with the relevant version of conftest: # $ conftest --version -ARG conftest_version=0.45.0 +ARG CONFTEST_VERSION=0.45.0 +ARG SBOM_UTILITY_VERSION=0.12.0 ARG BATS_VERSION=1.6.0 -ARG sbom_utility_version=0.12.0 ARG OPM_VERSION=v1.40.0 ARG UMOCI_VERSION=v0.4.7 +ADD https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm /tmp/epel-release-latest-9.noarch.rpm + +ADD https://github.com/open-policy-agent/conftest/releases/download/v"${CONFTEST_VERSION}"/conftest_"${CONFTEST_VERSION}"_Linux_"${TARGETARCH/amd64/x86_64}".tar.gz /src/conftest.tar.gz +ADD https://github.com/CycloneDX/sbom-utility/releases/download/v"${SBOM_UTILITY_VERSION}"/sbom-utility-v"${SBOM_UTILITY_VERSION}"-linux-"${TARGETARCH/ppc64le/ppc64}".tar.gz /src/sbom-utility.tar.gz +ADD https://mirror.openshift.com/pub/openshift-v4/"${TARGETARCH}"/clients/ocp/stable/openshift-client-linux.tar.gz /src/oc.tar.gz +ADD https://github.com/bats-core/bats-core/archive/refs/tags/v"${BATS_VERSION}".tar.gz /src/bats.tar.gz + +ADD --chmod=744 https://github.com/operator-framework/operator-registry/releases/download/"${OPM_VERSION}"/linux-"${TARGETARCH}"-opm /usr/local/bin/opm +ADD --chmod=744 https://github.com/opencontainers/umoci/releases/download/"${UMOCI_VERSION}"/umoci.amd64 /usr/local/bin/umoci + +RUN tar -xvzf src/conftest.tar.gz -C /usr/local/bin/ && chmod +x /usr/local/bin/conftest && \ + tar -xvzf src/sbom-utility.tar.gz -C /usr/local/bin/ && chmod +x /usr/local/bin/sbom-utility && \ + tar -xvzf src/oc.tar.gz -C /usr/local/bin/ && chmod +x /usr/local/bin/oc && \ + tar -xvzf src/bats.tar.gz -C /tmp/ + +FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4-1227.1726694542 + +ARG BATS_VERSION=1.6.0 + ENV POLICY_PATH="/project" -RUN curl -k -s -L https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm --output epel-release-latest-9.noarch.rpm && \ - rpm -Uvh epel-release-latest-9.noarch.rpm && \ +COPY --from=src /usr/local/bin/ /usr/local/bin/ +COPY --from=src /tmp/ /tmp/ + +RUN rpm -Uvh /tmp/epel-release-latest-9.noarch.rpm && \ microdnf -y --setopt=tsflags=nodocs --setopt=install_weak_deps=0 install \ findutils \ jq \ @@ -33,24 +56,10 @@ RUN curl -k -s -L https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.no csmock-plugin-shellcheck-core \ clamav-update && \ pip3 install --no-cache-dir yq && \ - curl -k -s -L https://github.com/CycloneDX/sbom-utility/releases/download/v"${sbom_utility_version}"/sbom-utility-v"${sbom_utility_version}"-linux-amd64.tar.gz --output sbom-utility.tar.gz && \ - mkdir sbom-utility && tar -xf sbom-utility.tar.gz -C sbom-utility && rm sbom-utility.tar.gz && \ - cd /usr/bin && \ microdnf -y install libicu && \ - microdnf clean all - -RUN ARCH=$(uname -m) && curl -k -s -L https://github.com/open-policy-agent/conftest/releases/download/v"${conftest_version}"/conftest_"${conftest_version}"_Linux_"$ARCH".tar.gz | tar -xz --no-same-owner -C /usr/bin/ && \ - curl https://mirror.openshift.com/pub/openshift-v4/"$ARCH"/clients/ocp/stable/openshift-client-linux.tar.gz --output oc.tar.gz && tar -xzvf oc.tar.gz -C /usr/bin && rm oc.tar.gz && \ - curl -k -s -LO "https://github.com/bats-core/bats-core/archive/refs/tags/v$BATS_VERSION.tar.gz" && \ - curl -k -s -L https://github.com/operator-framework/operator-registry/releases/download/"${OPM_VERSION}"/linux-amd64-opm > /usr/bin/opm && chmod +x /usr/bin/opm && \ - curl -k -s -L https://github.com/opencontainers/umoci/releases/download/"${UMOCI_VERSION}"/umoci.amd64 > /usr/bin/umoci && chmod +x /usr/bin/umoci && \ - tar -xf "v$BATS_VERSION.tar.gz" && \ - cd "bats-core-$BATS_VERSION" && \ - ./install.sh /usr && \ - cd .. && rm -rf "bats-core-$BATS_VERSION" && rm -rf "v$BATS_VERSION.tar.gz" && \ - cd / - -ENV PATH="${PATH}:/sbom-utility" + microdnf clean all && \ + cd /tmp/"bats-core-$BATS_VERSION" && ./install.sh /usr && \ + cd .. && rm -rf /tmp/* COPY --from=snyk /usr/local/bin/snyk /usr/local/bin/snyk