Merge pull request #81 from RedHatInsights/enable_hermetic_builds

Enabling hermetic builds for all Konflux pipelines
RedHatInsights · Jan 29, 2025 · b89e867 · b89e867
2 parents 115f1c3 + b19ec2c
commit b89e867
Show file tree

Hide file tree

Showing 6 changed files with 8,311 additions and 0 deletions.
diff --git a/.tekton/rhproxy-engine-container-pull-request.yaml b/.tekton/rhproxy-engine-container-pull-request.yaml
@@ -30,6 +30,10 @@ spec:
     value: /Containerfile
   - name: build-source-image
     value: "true"
+  - name: hermetic
+    value: "true"
+  - name: prefetch-input
+    value: '{"type": "rpm", "path": "."}'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -184,6 +188,8 @@ spec:
         value: $(params.output-image).prefetch
       - name: ociArtifactExpiresAfter
         value: $(params.image-expires-after)
+      - name: dev-package-managers
+        value: "true"
       runAfter:
       - clone-repository
       taskRef:

diff --git a/.tekton/rhproxy-engine-container-push.yaml b/.tekton/rhproxy-engine-container-push.yaml
@@ -27,6 +27,10 @@ spec:
     value: /Containerfile
   - name: build-source-image
     value: "true"
+  - name: hermetic
+    value: "true"
+  - name: prefetch-input
+    value: '{"type": "rpm", "path": "."}'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -181,6 +185,8 @@ spec:
         value: $(params.output-image).prefetch
       - name: ociArtifactExpiresAfter
         value: $(params.image-expires-after)
+      - name: dev-package-managers
+        value: "true"
       runAfter:
       - clone-repository
       taskRef:

diff --git a/.tekton/rhproxy-engine-container-release-push.yaml b/.tekton/rhproxy-engine-container-release-push.yaml
@@ -26,6 +26,10 @@ spec:
     value: /Containerfile
   - name: build-source-image
     value: "true"
+  - name: hermetic
+    value: "true"
+  - name: prefetch-input
+    value: '{"type": "rpm", "path": "."}'
   pipelineSpec:
     description: |
       This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -221,6 +225,8 @@ spec:
         value: $(params.output-image).prefetch
       - name: ociArtifactExpiresAfter
         value: $(params.image-expires-after)
+      - name: dev-package-managers
+        value: "true"
       runAfter:
       - clone-repository
       taskRef:

diff --git a/rpms.in.yaml b/rpms.in.yaml
@@ -0,0 +1,23 @@
+packages:
+  - gettext
+  - zlib
+  - libaio
+  - openssl
+  - shadow-utils
+  - procps-ng
+  - less
+  - util-linux
+  - vim
+  - gcc
+  - gcc-c++
+  - kernel-headers
+  - make
+  - zlib-devel
+  - pcre-devel
+  - openssl-devel
+  - libxml2-devel
+  - libxslt-devel
+  - gd-devel
+  - perl
+contentOrigin:
+  repofiles: ["./ubi.repo"]