diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
index a850096f1..a546a3ede 100644
--- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -274,8 +274,12 @@ spec:
echo "Cannot find Dockerfile $DOCKERFILE"
exit 1
fi
- if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
- sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
+
+ dockerfile_copy=$(mktemp --tmpdir "$(basename "$dockerfile_path").XXXXXX")
+ cp "$dockerfile_path" "$dockerfile_copy"
+
+ if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_copy"; then
+ sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_copy"
touch /var/lib/containers/java
fi
@@ -310,7 +314,7 @@ spec:
done
BASE_IMAGES=$(
- dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_path" |
+ dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_copy" |
jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)'
)
@@ -352,7 +356,7 @@ spec:
sed -E -i \
-e 'H;1h;$!d;x' \
-e 's@^\s*(run((\s|\\\n)+-\S+)*(\s|\\\n)+)@\1. /cachi2/cachi2.env \&\& \\\n @igM' \
- "$dockerfile_path"
+ "$dockerfile_copy"
echo "Prefetched content will be made available"
prefetched_repo_for_my_arch="/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo"
@@ -413,15 +417,18 @@ spec:
done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
fi
+ # Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
+ declare IMAGE
+
unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
$VOLUME_MOUNTS \
"${BUILDAH_ARGS[@]}" \
"${LABELS[@]}" \
--tls-verify=$TLSVERIFY --no-cache \
--ulimit nofile=4096:4096 \
- -f "$dockerfile_path" -t $IMAGE .
+ -f "$dockerfile_copy" -t "$IMAGE" .
- container=$(buildah from --pull-never $IMAGE)
+ container=$(buildah from --pull-never "$IMAGE")
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
index 538aa9346..e83886558 100644
--- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
+++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
@@ -309,8 +309,12 @@ spec:
echo "Cannot find Dockerfile $DOCKERFILE"
exit 1
fi
- if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
- sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
+
+ dockerfile_copy=$(mktemp --tmpdir "$(basename "$dockerfile_path").XXXXXX")
+ cp "$dockerfile_path" "$dockerfile_copy"
+
+ if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_copy"; then
+ sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_copy"
touch /var/lib/containers/java
fi
@@ -345,7 +349,7 @@ spec:
done
BASE_IMAGES=$(
- dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_path" |
+ dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_copy" |
jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)'
)
@@ -387,7 +391,7 @@ spec:
sed -E -i \
-e 'H;1h;$!d;x' \
-e 's@^\s*(run((\s|\\\n)+-\S+)*(\s|\\\n)+)@\1. /cachi2/cachi2.env \&\& \\\n @igM' \
- "$dockerfile_path"
+ "$dockerfile_copy"
echo "Prefetched content will be made available"
prefetched_repo_for_my_arch="/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo"
@@ -448,15 +452,18 @@ spec:
done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
fi
+ # Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
+ declare IMAGE
+
unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
$VOLUME_MOUNTS \
"${BUILDAH_ARGS[@]}" \
"${LABELS[@]}" \
--tls-verify=$TLSVERIFY --no-cache \
--ulimit nofile=4096:4096 \
- -f "$dockerfile_path" -t $IMAGE .
+ -f "$dockerfile_copy" -t "$IMAGE" .
- container=$(buildah from --pull-never $IMAGE)
+ container=$(buildah from --pull-never "$IMAGE")
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml
index eaf91fe79..1aeff9e56 100644
--- a/task/buildah-remote/0.2/buildah-remote.yaml
+++ b/task/buildah-remote/0.2/buildah-remote.yaml
@@ -291,8 +291,12 @@ spec:
echo "Cannot find Dockerfile $DOCKERFILE"
exit 1
fi
- if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
- sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
+
+ dockerfile_copy=$(mktemp --tmpdir "$(basename "$dockerfile_path").XXXXXX")
+ cp "$dockerfile_path" "$dockerfile_copy"
+
+ if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_copy"; then
+ sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_copy"
touch /var/lib/containers/java
fi
@@ -327,7 +331,7 @@ spec:
done
BASE_IMAGES=$(
- dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_path" |
+ dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_copy" |
jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)'
)
@@ -369,7 +373,7 @@ spec:
sed -E -i \
-e 'H;1h;$!d;x' \
-e 's@^\s*(run((\s|\\\n)+-\S+)*(\s|\\\n)+)@\1. /cachi2/cachi2.env \&\& \\\n @igM' \
- "$dockerfile_path"
+ "$dockerfile_copy"
echo "Prefetched content will be made available"
prefetched_repo_for_my_arch="/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo"
@@ -430,15 +434,18 @@ spec:
done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
fi
+ # Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
+ declare IMAGE
+
unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
$VOLUME_MOUNTS \
"${BUILDAH_ARGS[@]}" \
"${LABELS[@]}" \
--tls-verify=$TLSVERIFY --no-cache \
--ulimit nofile=4096:4096 \
- -f "$dockerfile_path" -t $IMAGE .
+ -f "$dockerfile_copy" -t "$IMAGE" .
- container=$(buildah from --pull-never $IMAGE)
+ container=$(buildah from --pull-never "$IMAGE")
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete
diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml
index c1cc7f5f0..8c8719b25 100644
--- a/task/buildah/0.2/buildah.yaml
+++ b/task/buildah/0.2/buildah.yaml
@@ -211,8 +211,12 @@ spec:
echo "Cannot find Dockerfile $DOCKERFILE"
exit 1
fi
- if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
- sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
+
+ dockerfile_copy=$(mktemp --tmpdir "$(basename "$dockerfile_path").XXXXXX")
+ cp "$dockerfile_path" "$dockerfile_copy"
+
+ if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_copy"; then
+ sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_copy"
touch /var/lib/containers/java
fi
@@ -247,7 +251,7 @@ spec:
done
BASE_IMAGES=$(
- dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_path" |
+ dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_copy" |
jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)'
)
@@ -289,7 +293,7 @@ spec:
sed -E -i \
-e 'H;1h;$!d;x' \
-e 's@^\s*(run((\s|\\\n)+-\S+)*(\s|\\\n)+)@\1. /cachi2/cachi2.env \&\& \\\n @igM' \
- "$dockerfile_path"
+ "$dockerfile_copy"
echo "Prefetched content will be made available"
prefetched_repo_for_my_arch="/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo"
@@ -350,15 +354,18 @@ spec:
done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
fi
+ # Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.
+ declare IMAGE
+
unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
$VOLUME_MOUNTS \
"${BUILDAH_ARGS[@]}" \
"${LABELS[@]}" \
--tls-verify=$TLSVERIFY --no-cache \
--ulimit nofile=4096:4096 \
- -f "$dockerfile_path" -t $IMAGE .
+ -f "$dockerfile_copy" -t "$IMAGE" .
- container=$(buildah from --pull-never $IMAGE)
+ container=$(buildah from --pull-never "$IMAGE")
buildah mount $container | tee /shared/container_path
# delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
find $(cat /shared/container_path) -xtype l -delete