Add RHTAP build pipeline

A few differences from the standard RHTAP build pipeline: * Use of 6GB buildah image to avoid OOMs during container build task * There is an extra step to fetch the vuln feed data. This is done outside of the build step to make hermetic builds easier. The vuln feed data script pulls the definitions from the Google storage location and writes them to the "source" folder of the "source" workspace which is shared by the build-container task. This task will build using `image/scanner/rhtap/Dockerfile`, which expects the vuln files to be in the buildah working directory. I decided to create a separate dockerfile for RHTAP to avoid any regressions with modifying the existing ones. The dockerfile was created using a combination of the upstream and downstream dockerfiles. Current RHTAP build trigger config: * PRs will only build in RHTAP when "rhtap" is in the branch name * Pushes to master will trigger an RHTAP build
stackrox · Jan 4, 2024 · 91e999b · 91e999b
1 parent 56f4260
commit 91e999b
Show file tree

Hide file tree

Showing 7 changed files with 1,014 additions and 0 deletions.
diff --git a/.containerignore b/.containerignore
@@ -0,0 +1,9 @@
+# This file is derived of the .dockerignore
+# It is required to pass `.git` to the builder containers on RHTAP so we can bake build information into the binary.
+# It is required to pass the `.gitignore` files in `image/bin/` and `bin` to avoid a dirty version.
+# RHTAP uses Buildah which first looks up for `.containerignore`, then, if absent, `.dockerignore`.
+# Having this file enables us to have different exclusion list for RHTAP builds than in GHA/OSCI.
+# To regenerate, replace the below contents with the output of the following command (please keep these comments).
+#  grep -vF -e '/.git/' -e '/bin/' -e '/image/bin/' .dockerignore
+
+# currently empty!
diff --git a/.github/actions/job-preamble/action.yaml b/.github/actions/job-preamble/action.yaml
@@ -0,0 +1,17 @@
+name: Job Preamble
+description: Common steps for most jobs
+runs:
+  using: composite
+  steps:
+    - name: Recover docker image cache space
+      run: |
+        df --si /
+        docker system prune --force --all
+        df --si /
+      shell: bash
+
+    - name: Ignore dubious repository ownership
+      run: |
+        # Prevent fatal error "detected dubious ownership in repository" from recent git.
+        git config --global --add safe.directory "$(pwd)"
+      shell: bash
diff --git a/.github/workflows/style.yaml b/.github/workflows/style.yaml
@@ -0,0 +1,28 @@
+name: Style
+on:
+  push:
+    tags:
+    - '*'
+    branches:
+    - master
+  pull_request:
+    types:
+    - opened
+    - reopened
+    - synchronize
+jobs:
+  check-generated-files:
+    runs-on: ubuntu-latest
+    container:
+      image: quay.io/stackrox-io/apollo-ci:scanner-test-0.3.61
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
+        ref: ${{ github.event.pull_request.head.sha }}
+
+    - uses: ./.github/actions/job-preamble
+
+    - name: Check Generated
+      run: scripts/ci/jobs/check-generated.sh