From 534e6f3ad7d4e879b4c460da0052ee59ca82ed4a Mon Sep 17 00:00:00 2001
From: Sachin Sampras M
Date: Wed, 25 Mar 2026 09:55:00 +0000
Subject: [PATCH 1/2] add cli-stack for binary distribution
Signed-off-by: Sachin Sampras M
---
 .tekton/cli-v08-push.yaml | 1 +
 .tekton/conforma-cli-stack-pull-request.yaml | 54 ++++++++++++++++
 .tekton/conforma-cli-stack-push.yaml | 51 +++++++++++++++
 Dockerfile.cli-stack.rh | 66 ++++++++++++++++++++
 4 files changed, 172 insertions(+)
 create mode 100644 .tekton/conforma-cli-stack-pull-request.yaml
 create mode 100644 .tekton/conforma-cli-stack-push.yaml
 create mode 100644 Dockerfile.cli-stack.rh
diff --git a/.tekton/cli-v08-push.yaml b/.tekton/cli-v08-push.yaml
index 590546c09..c5bbd450b 100644
--- a/.tekton/cli-v08-push.yaml
+++ b/.tekton/cli-v08-push.yaml
@@ -2,6 +2,7 @@ apiVersion: tekton.dev/v1
 kind: PipelineRun
 metadata:
 annotations:
+ build.appstudio.openshift.io/build-nudge-files: "Dockerfile.cli-stack.rh"
 build.appstudio.openshift.io/repo: https://github.com/conforma/cli?rev={{revision}}
 build.appstudio.redhat.com/commit_sha: '{{revision}}'
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
diff --git a/.tekton/conforma-cli-stack-pull-request.yaml b/.tekton/conforma-cli-stack-pull-request.yaml
new file mode 100644
index 000000000..b69a0f242
--- /dev/null
+++ b/.tekton/conforma-cli-stack-pull-request.yaml
@@ -0,0 +1,54 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/conforma/cli?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
+ == "release-v0.8"
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: cli-stacks
+ appstudio.openshift.io/component: conforma-cli-stack
+ pipelines.appstudio.openshift.io/type: build
+ name: conforma-cli-stack-on-pull-request
+ namespace: rhtas-tenant
+spec:
+ params:
+ - name: release-version
+ value: 1.4.0
+ - name: dockerfile
+ value: Dockerfile.cli-stack.rh
+ - name: git-url
+ value: '{{repo_url}}'
+ - name: image-expires-after
+ value: 5d
+ - name: output-image
+ value: quay.io/securesign/conforma-cli-stack:on-pr-{{revision}}
+ - name: path-context
+ value: .
+ - name: revision
+ value: '{{revision}}'
+ - name: hermetic
+ value: "true"
+ - name: build-source-image
+ value: "true"
+ pipelineRef:
+ params:
+ - name: url
+ value: https://github.com/securesign/pipelines.git
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: pipelines/docker-build-oci-ta.yaml
+ resolver: git
+ taskRunTemplate:
+ serviceAccountName: build-pipeline-conforma-cli-stack
+ workspaces:
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+status: {}
diff --git a/.tekton/conforma-cli-stack-push.yaml b/.tekton/conforma-cli-stack-push.yaml
new file mode 100644
index 000000000..b10b5db0b
--- /dev/null
+++ b/.tekton/conforma-cli-stack-push.yaml
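Review bot: `pipelineRef` resolves `pipelines/docker-build-oci-ta.yaml` from `https://github.com/securesign/pipelines.git` at `revision: main`, so the pipeline definition that builds this image can change without any change in this repository; `.tekton/conforma-cli-stack-push.yaml` has the same setting. For a component that packages release binaries, pinning the resolver to an immutable ref makes the build inputs auditable, e.g. `value: <pipelines-commit-sha>` under `- name: revision`. If tracking `main` is the agreed convention for this tenant, a short YAML comment next to the value saying so would make the choice explicit.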
@@ -0,0 +1,51 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/conforma/cli?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
+ == "release-v0.8"
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: cli-stacks
+ appstudio.openshift.io/component: conforma-cli-stack
+ pipelines.appstudio.openshift.io/type: build
+ name: conforma-cli-stack-on-push
+ namespace: rhtas-tenant
+spec:
+ params:
+ - name: release-version
+ value: 1.4.0
+ - name: dockerfile
+ value: Dockerfile.cli-stack.rh
+ - name: git-url
+ value: '{{repo_url}}'
+ - name: output-image
+ value: quay.io/securesign/conforma-cli-stack:{{revision}}
+ - name: path-context
+ value: .
+ - name: revision
+ value: '{{revision}}'
+ - name: hermetic
+ value: "true"
+ - name: build-source-image
+ value: "true"
+ pipelineRef:
+ params:
+ - name: url
+ value: https://github.com/securesign/pipelines.git
+ - name: revision
+ value: main
+ - name: pathInRepo
+ value: pipelines/docker-build-oci-ta.yaml
+ resolver: git
+ taskRunTemplate:
+ serviceAccountName: build-pipeline-conforma-cli-stack
+ workspaces:
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+status: {}
diff --git a/Dockerfile.cli-stack.rh b/Dockerfile.cli-stack.rh
new file mode 100644
index 000000000..cdb3f2799
--- /dev/null
+++ b/Dockerfile.cli-stack.rh
@@ -0,0 +1,66 @@
+FROM --platform=linux/amd64 quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:7d2ecffad4cee873caee676eda74c5acd6254e64bbca8280b1d69f0806426999 AS build-amd64
+FROM --platform=linux/arm64 quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:9f39e82fd59f414bc26207d18588c5ffbf8c9c0ca00e81e68f80f2c39db01657 AS build-arm64
+FROM --platform=linux/ppc64le quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:2e385572d9cc508288e5a4cc7a44c22de4266be860e725a7795d4402db1314c0 AS build-ppc64le
+FROM --platform=linux/s390x quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:e725abfa91aa21d28d2ae5b5c5fa5544bcd3998b48c18d268d981c1ad51d3f1f AS build-s390x
+
+FROM registry.redhat.io/ubi9/go-toolset:9.7@sha256:799cc027d5ad58cdc156b65286eb6389993ec14c496cf748c09834b7251e78dc AS packager
+USER root
+RUN mkdir -p /binaries
+
+# Native Linux binaries from each arch variant
+COPY --from=build-amd64 /usr/local/bin/ec_linux_amd64.gz /tmp/ec_linux_amd64.gz
+RUN gzip -d /tmp/ec_linux_amd64.gz && \
+ tar -czf /binaries/ec_linux_amd64.tar.gz -C /tmp ec_linux_amd64 && \
+ rm /tmp/ec_linux_amd64
+
+COPY --from=build-arm64 /usr/local/bin/ec_linux_arm64.gz /tmp/ec_linux_arm64.gz
+RUN gzip -d /tmp/ec_linux_arm64.gz && \
+ tar -czf /binaries/ec_linux_arm64.tar.gz -C /tmp ec_linux_arm64 && \
+ rm /tmp/ec_linux_arm64
+
+COPY --from=build-ppc64le /usr/local/bin/ec_linux_ppc64le.gz /tmp/ec_linux_ppc64le.gz
+RUN gzip -d /tmp/ec_linux_ppc64le.gz && \
+ tar -czf /binaries/ec_linux_ppc64le.tar.gz -C /tmp ec_linux_ppc64le && \
+ rm /tmp/ec_linux_ppc64le
+
+COPY --from=build-s390x /usr/local/bin/ec_linux_s390x.gz /tmp/ec_linux_s390x.gz
+RUN gzip -d /tmp/ec_linux_s390x.gz && \
+ tar -czf /binaries/ec_linux_s390x.tar.gz -C /tmp ec_linux_s390x && \
+ rm /tmp/ec_linux_s390x
+
+# Cross-compiled binaries (same across all variants, taken from amd64)
+# Darwin amd64
+COPY --from=build-amd64 /usr/local/bin/ec_darwin_amd64.gz /tmp/ec_darwin_amd64.gz
+RUN gzip -d /tmp/ec_darwin_amd64.gz && \
+ tar -czf /binaries/ec_darwin_amd64.tar.gz -C /tmp ec_darwin_amd64 && \
+ rm /tmp/ec_darwin_amd64
+
+# Darwin arm64
+COPY --from=build-amd64 /usr/local/bin/ec_darwin_arm64.gz /tmp/ec_darwin_arm64.gz
+RUN gzip -d /tmp/ec_darwin_arm64.gz && \
+ tar -czf /binaries/ec_darwin_arm64.tar.gz -C /tmp ec_darwin_arm64 && \
+ rm /tmp/ec_darwin_arm64
+
+# Windows amd64
+COPY --from=build-amd64 /usr/local/bin/ec_windows_amd64.exe.gz /tmp/ec_windows_amd64.exe.gz
+RUN gzip -d /tmp/ec_windows_amd64.exe.gz && \
+ tar -czf /binaries/ec_windows_amd64.tar.gz -C /tmp ec_windows_amd64.exe && \
+ rm /tmp/ec_windows_amd64.exe
+
+# Final minimal image with all binaries
+FROM registry.redhat.io/ubi9/ubi-minimal@sha256:69f5c9886ecb19b23e88275a5cd904c47dd982dfa370fbbd0c356d7b1047ef68
+
+LABEL description="Flat image containing Conforma CLI binaries for all platforms and architectures"
+LABEL io.k8s.description="Flat image containing Conforma CLI binaries for all platforms and architectures"
+LABEL io.opencontainers.image.description="Flat image containing Conforma CLI binaries for all platforms and architectures"
+LABEL io.k8s.display-name="Conforma CLI stack image for Red Hat Trusted Artifact Signer"
+LABEL io.openshift.tags="conforma trusted-artifact-signer cli-stack"
+LABEL summary="Provides Conforma CLI binaries as tar.gz archives for CDN distribution."
+LABEL com.redhat.component="conforma-cli-stack"
+
+COPY --from=packager /binaries/ /binaries/
+COPY --from=build-amd64 /licenses/ /licenses/
+
+RUN chown -R root:0 /binaries && chmod -R g+r /binaries
+
+USER 65532:65532
From b75a324300954e0899f765b80241c0d44f6ebd66 Mon Sep 17 00:00:00 2001
From: Sachin Sampras M
Date: Wed, 25 Mar 2026 17:21:37 +0000
Subject: [PATCH 2/2] updated dockerfile base images and license
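Review bot: The final stage's `RUN chown -R root:0 /binaries && chmod -R g+r /binaries` touches every archive in a new layer, which will likely store the seven tarballs a second time. It also grants read access to group 0, while the image then runs as `USER 65532:65532`, which is not in that group. The archives are created by root in the `packager` stage, so they are presumably already root-owned and world-readable, and the running user reads them through the "other" permission bits rather than the ones set here. Consider setting ownership at copy time with `COPY --from=packager --chown=root:0 /binaries/ /binaries/` and dropping the `RUN`. Otherwise, add a comment explaining why group-0 access is needed alongside a fixed non-root UID.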
Signed-off-by: Sachin Sampras M
---
 Dockerfile.cli-stack.rh | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)
diff --git a/Dockerfile.cli-stack.rh b/Dockerfile.cli-stack.rh
index cdb3f2799..17270c810 100644
--- a/Dockerfile.cli-stack.rh
+++ b/Dockerfile.cli-stack.rh
@@ -1,9 +1,29 @@
+# Copyright The Conforma Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+## Build
+
 FROM --platform=linux/amd64 quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:7d2ecffad4cee873caee676eda74c5acd6254e64bbca8280b1d69f0806426999 AS build-amd64
 FROM --platform=linux/arm64 quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:9f39e82fd59f414bc26207d18588c5ffbf8c9c0ca00e81e68f80f2c39db01657 AS build-arm64
 FROM --platform=linux/ppc64le quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:2e385572d9cc508288e5a4cc7a44c22de4266be860e725a7795d4402db1314c0 AS build-ppc64le
 FROM --platform=linux/s390x quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:e725abfa91aa21d28d2ae5b5c5fa5544bcd3998b48c18d268d981c1ad51d3f1f AS build-s390x

-FROM registry.redhat.io/ubi9/go-toolset:9.7@sha256:799cc027d5ad58cdc156b65286eb6389993ec14c496cf748c09834b7251e78dc AS packager
+# Use "build" to avoid an error from the version checker in
+# https://github.com/conforma/github-workflows/tree/main/golang-version-check
+FROM registry.access.redhat.com/ubi9/go-toolset:1.25.3@sha256:e8938564f866174a6d79e55dfe577c2ed184b1f53e91d782173fb69b07ce69ef AS build
 USER root
 RUN mkdir -p /binaries
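Review bot: The new comment above `FROM ... go-toolset:1.25.3 ... AS build` explains the stage name but not the image choice. As far as the rest of the file (outside this hunk) shows, the stage only runs `mkdir`, `gzip`, `tar` and `rm` on prebuilt binaries, so a reader cannot tell why a Go toolchain image and `USER root` are needed. I would extend the comment with a line such as `# No Go code is compiled here; this stage only repacks the prebuilt ec binaries.`, after confirming that matches the intent.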
@@ -48,7 +68,7 @@ RUN gzip -d /tmp/ec_windows_amd64.exe.gz && \
 rm /tmp/ec_windows_amd64.exe

 # Final minimal image with all binaries
-FROM registry.redhat.io/ubi9/ubi-minimal@sha256:69f5c9886ecb19b23e88275a5cd904c47dd982dfa370fbbd0c356d7b1047ef68
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183

 LABEL description="Flat image containing Conforma CLI binaries for all platforms and architectures"
 LABEL io.k8s.description="Flat image containing Conforma CLI binaries for all platforms and architectures"
@@ -58,7 +78,7 @@ LABEL io.openshift.tags="conforma trusted-artifact-signer cli-stack"
 LABEL summary="Provides Conforma CLI binaries as tar.gz archives for CDN distribution."
 LABEL com.redhat.component="conforma-cli-stack"

-COPY --from=packager /binaries/ /binaries/
+COPY --from=build /binaries/ /binaries/
 COPY --from=build-amd64 /licenses/ /licenses/

 RUN chown -R root:0 /binaries && chmod -R g+r /binaries
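Review bot: The final-stage base in the first hunk is now written as `ubi-minimal:latest@sha256:...`. The digest is what gets pulled, so the `latest` tag is only decoration, and it can lead a reader or a linter to believe the runtime image floats. Either drop the tag, `FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183`, or use the versioned tag this digest corresponds to, as the go-toolset line does with `1.25.3`. If the tag is kept on purpose so that an update bot can refresh the digest, a one-line comment above the `FROM` saying so would help. The second hunk on this line is only the `packager` to `build` stage rename.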