From 667f78b67e62cf30ef9606dd4d3434f51e63fae5 Mon Sep 17 00:00:00 2001
From: Zoran Regvart <zoran@regvart.com>
Date: Mon, 15 Jul 2024 12:01:28 +0200
Subject: [PATCH] Configure hermetic build

---
 .tekton/cli-main-ci-push.yaml |   4 +-
 hack/update-rpm-lock.sh       |  94 ++++++++++++++++++++++++
 rpms.in.yaml                  |  27 +++++++
 rpms.lock.yaml                | 130 ++++++++++++++++++++++++++++++++++
 4 files changed, 254 insertions(+), 1 deletion(-)
 create mode 100755 hack/update-rpm-lock.sh
 create mode 100644 rpms.in.yaml
 create mode 100644 rpms.lock.yaml

diff --git a/.tekton/cli-main-ci-push.yaml b/.tekton/cli-main-ci-push.yaml
index 507114707..200b0b308 100644
--- a/.tekton/cli-main-ci-push.yaml
+++ b/.tekton/cli-main-ci-push.yaml
@@ -30,7 +30,7 @@ spec:
   - name: revision
     value: '{{revision}}'
   - name: prefetch-input
-    value: gomod
+    value: '[{"type": "gomod"}, {"type": "rpm"}]'
   - name: build-source-image
     value: 'true'
   - name: build-args-file
@@ -184,6 +184,8 @@ spec:
         value: $(params.output-image).prefetch
       - name: ociArtifactExpiresAfter
         value: $(params.image-expires-after)
+      - name: dev-package-managers
+        value: 'true'
       runAfter:
       - clone-repository
       taskRef:
diff --git a/hack/update-rpm-lock.sh b/hack/update-rpm-lock.sh
new file mode 100755
index 000000000..f894ba78c
--- /dev/null
+++ b/hack/update-rpm-lock.sh
@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# Updates the rpms.lock.yaml file
+
+set -o errexit
+set -o pipefail
+set -o nounset
+
+root_dir=$(git rev-parse --show-toplevel)
+
+latest_release=$(gh api '/repos/konflux-ci/rpm-lockfile-prototype/tags?per_page=1' --jq '.[0].name')
+
+# build the image for running the RPM lock tool
+echo Building...
+image=$(podman build --quiet --file <(cat <<DOCKERFILE
+FROM registry.access.redhat.com/ubi9/python-39:latest
+
+USER 0
+
+RUN dnf install --assumeyes --nodocs --setopt=keepcache=0 --refresh skopeo jq
+
+RUN pip install https://github.com/konflux-ci/rpm-lockfile-prototype/archive/refs/tags/${latest_release}.tar.gz
+RUN pip install dockerfile-parse
+
+ENV PYTHONPATH=/usr/lib64/python3.9/site-packages:/usr/lib/python3.9/site-packages
+ENV XDG_DATA_HOME=/opt/app-root
+DOCKERFILE
+))
+
+echo "Built: ${image}"
+
+# script that performs everything within the image built above
+# shellcheck disable=SC2016,SC2125
+script='
+set -o errexit
+set -o pipefail
+set -o nounset
+shopt -s extglob
+
+# determine the base image
+base_img=$(python <<SCRIPT
+from dockerfile_parse import DockerfileParser
+
+dfp = DockerfileParser()
+with open("Dockerfile") as d:
+    dfp.content = d.read()
+
+# assume the last mentioned FROM is the image we want to base on
+print(dfp.parent_images[-1])
+
+SCRIPT
+)
+
+# copy the base image to temporary directory
+base_img_dir=$(mktemp -d --tmpdir)
+skopeo copy --quiet "docker://${base_img/:!(:)@/@}" "dir:/${base_img_dir}"
+
+# extract all /etc/yum.repos.d/* files from the base image
+tar --dir "${base_img_dir}" --extract --ignore-zeros 'etc/yum.repos.d/*' -f "${base_img_dir}/$(jq -r '\''.layers[].digest | sub("sha256:"; "")'\'' "${base_img_dir}/manifest.json")"
+
+# enable source repositories
+for r in $(dnf repolist --setopt=reposdir="${base_img_dir}/etc/yum.repos.d" --disabled --quiet|grep -- '\''-source'\'' | sed '\''s/ .*//'\''); do
+    dnf config-manager --quiet --setopt=reposdir="${base_img_dir}/etc/yum.repos.d" "${r}" --set-enabled
+done
+
+cp "${base_img_dir}/etc/yum.repos.d"/*.repo /opt/app-root/src/
+
+# generate/update the RPM lock file
+/opt/app-root/bin/rpm-lockfile-prototype -f Dockerfile --outfile rpms.lock.yaml rpms.in.yaml
+'
+
+echo Running...
+podman run \
+    --rm \
+    --mount type=bind,source="${root_dir}/Dockerfile.dist",destination=/opt/app-root/src/Dockerfile \
+    --mount type=bind,source="${root_dir}/rpms.in.yaml",destination=/opt/app-root/src/rpms.in.yaml \
+    --mount type=bind,source="${root_dir}/rpms.lock.yaml",destination=/opt/app-root/src/rpms.lock.yaml \
+    "${image}" \
+    bash -c "${script}"
diff --git a/rpms.in.yaml b/rpms.in.yaml
new file mode 100644
index 000000000..0706da62d
--- /dev/null
+++ b/rpms.in.yaml
@@ -0,0 +1,27 @@
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+---
+packages:
+  - jq
+reinstallPackages:
+  - git-core
+arches:
+  - x86_64
+  - aarch64
+  - ppc64le
+contentOrigin:
+  repofiles:
+    - ubi.repo
diff --git a/rpms.lock.yaml b/rpms.lock.yaml
new file mode 100644
index 000000000..dcf97e015
--- /dev/null
+++ b/rpms.lock.yaml
@@ -0,0 +1,130 @@
+---
+lockfileVersion: 1
+lockfileVendor: redhat
+arches:
+- arch: aarch64
+  packages:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/appstream/os/Packages/g/git-core-2.43.5-1.el9_4.aarch64.rpm
+    repoid: ubi-9-appstream-rpms
+    size: 4738888
+    checksum: sha256:1d9f1dbd09aeb6032082edb07d8429d7f1476ade1fa484ac6c135b516b3a6ed8
+    name: git-core
+    evr: 2.43.5-1.el9_4
+    sourcerpm: git-2.43.5-1.el9_4.src.rpm
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/appstream/os/Packages/j/jq-1.6-15.el9.aarch64.rpm
+    repoid: ubi-9-appstream-rpms
+    size: 187128
+    checksum: sha256:e21b572bcb332664bb342fe53d5ced4714ccd5008f2170049ef77fa2162183a0
+    name: jq
+    evr: 1.6-15.el9
+    sourcerpm: jq-1.6-15.el9.src.rpm
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/appstream/os/Packages/o/oniguruma-6.9.6-1.el9.5.aarch64.rpm
+    repoid: ubi-9-appstream-rpms
+    size: 222582
+    checksum: sha256:bc2305dad655ddb94f966158112efd6cefa6824d5aa2e80f63881f16cee74598
+    name: oniguruma
+    evr: 6.9.6-1.el9.5
+    sourcerpm: oniguruma-6.9.6-1.el9.5.src.rpm
+  source:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/appstream/source/SRPMS/Packages/g/git-2.43.5-1.el9_4.src.rpm
+    repoid: ubi-9-appstream-source
+    size: 7444986
+    checksum: sha256:ca1d24f27e78e423b507052cdffff2fc1a182a74bb5a6876a9f3bed1b2078852
+    name: git
+    evr: 2.43.5-1.el9_4
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/appstream/source/SRPMS/Packages/j/jq-1.6-15.el9.src.rpm
+    repoid: ubi-9-appstream-source
+    size: 1472643
+    checksum: sha256:0a24a71d0f1ceab183d903f840a6c548e6868cd3f67ea794e57108c313321553
+    name: jq
+    evr: 1.6-15.el9
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/appstream/source/SRPMS/Packages/o/oniguruma-6.9.6-1.el9.5.src.rpm
+    repoid: ubi-9-appstream-source
+    size: 934541
+    checksum: sha256:cba17754ccaffd886995aec7f152aadbc5d9932a2a2cdf1d983291c7b2838404
+    name: oniguruma
+    evr: 6.9.6-1.el9.5
+- arch: ppc64le
+  packages:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/ppc64le/appstream/os/Packages/g/git-core-2.43.5-1.el9_4.ppc64le.rpm
+    repoid: ubi-9-appstream-rpms
+    size: 5085315
+    checksum: sha256:ca54d61fed798231dac7e5fd619022b0f9010315a9ab3ba3a0fc3e134702d577
+    name: git-core
+    evr: 2.43.5-1.el9_4
+    sourcerpm: git-2.43.5-1.el9_4.src.rpm
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/ppc64le/appstream/os/Packages/j/jq-1.6-15.el9.ppc64le.rpm
+    repoid: ubi-9-appstream-rpms
+    size: 207041
+    checksum: sha256:f1e01ff06dee639c707ff605d9566b8dd9a962bd61845ce2fcdb426dfcb007c6
+    name: jq
+    evr: 1.6-15.el9
+    sourcerpm: jq-1.6-15.el9.src.rpm
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/ppc64le/appstream/os/Packages/o/oniguruma-6.9.6-1.el9.5.ppc64le.rpm
+    repoid: ubi-9-appstream-rpms
+    size: 246370
+    checksum: sha256:0b700ed36523819c0dd5066cf5835c7ffb3691dbc13657e3f49acc71635fd6a6
+    name: oniguruma
+    evr: 6.9.6-1.el9.5
+    sourcerpm: oniguruma-6.9.6-1.el9.5.src.rpm
+  source:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/ppc64le/appstream/source/SRPMS/Packages/g/git-2.43.5-1.el9_4.src.rpm
+    repoid: ubi-9-appstream-source
+    size: 7444986
+    checksum: sha256:ca1d24f27e78e423b507052cdffff2fc1a182a74bb5a6876a9f3bed1b2078852
+    name: git
+    evr: 2.43.5-1.el9_4
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/ppc64le/appstream/source/SRPMS/Packages/j/jq-1.6-15.el9.src.rpm
+    repoid: ubi-9-appstream-source
+    size: 1472643
+    checksum: sha256:0a24a71d0f1ceab183d903f840a6c548e6868cd3f67ea794e57108c313321553
+    name: jq
+    evr: 1.6-15.el9
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/ppc64le/appstream/source/SRPMS/Packages/o/oniguruma-6.9.6-1.el9.5.src.rpm
+    repoid: ubi-9-appstream-source
+    size: 934541
+    checksum: sha256:cba17754ccaffd886995aec7f152aadbc5d9932a2a2cdf1d983291c7b2838404
+    name: oniguruma
+    evr: 6.9.6-1.el9.5
+- arch: x86_64
+  packages:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/g/git-core-2.43.5-1.el9_4.x86_64.rpm
+    repoid: ubi-9-appstream-rpms
+    size: 4651148
+    checksum: sha256:5f59cef4ff08d8fe3a53064d417fab92ea9389fb9af19919755e8b4d12ee1373
+    name: git-core
+    evr: 2.43.5-1.el9_4
+    sourcerpm: git-2.43.5-1.el9_4.src.rpm
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/j/jq-1.6-15.el9.x86_64.rpm
+    repoid: ubi-9-appstream-rpms
+    size: 194271
+    checksum: sha256:d3157267cce88006c2ad3327ea7eb8983bea6f69327c157228b89814a3c473ae
+    name: jq
+    evr: 1.6-15.el9
+    sourcerpm: jq-1.6-15.el9.src.rpm
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/os/Packages/o/oniguruma-6.9.6-1.el9.5.x86_64.rpm
+    repoid: ubi-9-appstream-rpms
+    size: 226331
+    checksum: sha256:6c884cc2216e5b4699ebd8cde27b39e99532520b367f645ed6cc660d081916dc
+    name: oniguruma
+    evr: 6.9.6-1.el9.5
+    sourcerpm: oniguruma-6.9.6-1.el9.5.src.rpm
+  source:
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/source/SRPMS/Packages/g/git-2.43.5-1.el9_4.src.rpm
+    repoid: ubi-9-appstream-source
+    size: 7444986
+    checksum: sha256:ca1d24f27e78e423b507052cdffff2fc1a182a74bb5a6876a9f3bed1b2078852
+    name: git
+    evr: 2.43.5-1.el9_4
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/source/SRPMS/Packages/j/jq-1.6-15.el9.src.rpm
+    repoid: ubi-9-appstream-source
+    size: 1472643
+    checksum: sha256:0a24a71d0f1ceab183d903f840a6c548e6868cd3f67ea794e57108c313321553
+    name: jq
+    evr: 1.6-15.el9
+  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/appstream/source/SRPMS/Packages/o/oniguruma-6.9.6-1.el9.5.src.rpm
+    repoid: ubi-9-appstream-source
+    size: 934541
+    checksum: sha256:cba17754ccaffd886995aec7f152aadbc5d9932a2a2cdf1d983291c7b2838404
+    name: oniguruma
+    evr: 6.9.6-1.el9.5