task/buildah-remote: fix symlink deletion

There are two reasons why the buildah-remote task cannot delete container symlinks in the build step: * the multi-platform-runner image does not include the 'find' util * the script that generates buildah-remote from buildah doesn't handle changes to that part of the code, it's hardcoded Move the command into a separate step in the buildah task in order to fix the buildah-remote task. Signed-off-by: Adam Cmiel <[email protected]>
konflux-ci · Mar 12, 2024 · 570681d · 570681d
1 parent 18da9a0
commit 570681d
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 4 deletions.
diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml
@@ -280,8 +280,6 @@ spec:
 
       container=$(buildah from --pull-never $IMAGE)
       buildah mount $container | tee /workspace/container_path
-      # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
-      find $(cat /workspace/container_path) -xtype l -delete
       echo $container > /workspace/container_name
 
       # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
@@ -343,6 +341,13 @@ spec:
       name: ssh
       readOnly: true
     workingDir: $(workspaces.source.path)
+  - computeResources: {}
+    image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
+    name: remove-symlinks
+    script: |
+      # Delete symlinks - they may point outside the container rootfs, messing with SBOM scanners.
+      # Has to be done in a separate step due to buildah-remote limitations.
+      find $(cat /workspace/container_path) -xtype l -delete
   - computeResources: {}
     image: quay.io/redhat-appstudio/syft:v0.105.0@sha256:32a9d2007f2b042ceec4ef32fa1d90b8d28141822e7d9748f240da9d55c56601
     name: sbom-syft-generate

diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml
@@ -231,8 +231,6 @@ spec:
 
       container=$(buildah from --pull-never $IMAGE)
       buildah mount $container | tee /workspace/container_path
-      # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
-      find $(cat /workspace/container_path) -xtype l -delete
       echo $container > /workspace/container_name
 
       # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
@@ -258,6 +256,13 @@ spec:
       name: etc-pki-entitlement
     workingDir: $(workspaces.source.path)
 
+  - image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb
+    name: remove-symlinks
+    script: |
+      # Delete symlinks - they may point outside the container rootfs, messing with SBOM scanners.
+      # Has to be done in a separate step due to buildah-remote limitations.
+      find $(cat /workspace/container_path) -xtype l -delete
+
   - name: sbom-syft-generate
     image: quay.io/redhat-appstudio/syft:v0.105.0@sha256:32a9d2007f2b042ceec4ef32fa1d90b8d28141822e7d9748f240da9d55c56601
     # Respect Syft configuration if the user has it in the root of their repository