1 change: 1 addition & 0 deletions .tekton/cli-v08-push.yaml
Expand Up @@ -2,6 +2,7 @@ apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
annotations:
build.appstudio.openshift.io/build-nudge-files: "Dockerfile.cli-stack.rh"
build.appstudio.openshift.io/repo: https://github.com/conforma/cli?rev={{revision}}
build.appstudio.redhat.com/commit_sha: '{{revision}}'
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
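Review bot: the added `build.appstudio.openshift.io/build-nudge-files: "Dockerfile.cli-stack.rh"` annotation points nudges at a Dockerfile that references cli-v08 through four separate per-platform digests (amd64, arm64, ppc64le, s390x) rather than a single image reference. Please confirm that a nudge from this component rewrites all four digests in the same update; if only some of them moved, the stack image would package binaries from different cli-v08 builds.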
54 changes: 54 additions & 0 deletions .tekton/conforma-cli-stack-pull-request.yaml
Member

I was expecting to see a version number in the filename.

We are a little bit "multi-stream", i.e. we maintain and build more than one parallel release branch build. Right now we have v0.6, v0.7 and v0.8. (v0.6 would be retired soon after RHTAS 1.4 is shipped.)

So I think it's likely we should version the component name, so we can have say "conforma-cli-stack-v08" and later in the year we can introduce "conforma-cli-stack-v09". Wdyt?

Author

@sampras343 sampras343 Mar 25, 2026

Similar multi stream approach here as well.
The current component created is under main$ by default, so the naming is conforma-cli-stack.
I will address this issue when I create the stack under 1.4 release of rhtas.
So the application would be like cli-stacks-v1-4 and the component under that could be conforma-cli-stack-v08.

Member

Hmm okay.

@@ -0,0 +1,54 @@
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
annotations:
build.appstudio.openshift.io/repo: https://github.com/conforma/cli?rev={{revision}}
build.appstudio.redhat.com/commit_sha: '{{revision}}'
build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
pipelinesascode.tekton.dev/max-keep-runs: "3"
pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
== "release-v0.8"
creationTimestamp: null
labels:
appstudio.openshift.io/application: cli-stacks
appstudio.openshift.io/component: conforma-cli-stack
pipelines.appstudio.openshift.io/type: build
name: conforma-cli-stack-on-pull-request
namespace: rhtas-tenant
spec:
params:
- name: release-version
value: 1.4.0
- name: dockerfile
value: Dockerfile.cli-stack.rh
- name: git-url
value: '{{repo_url}}'
- name: image-expires-after
value: 5d
- name: output-image
value: quay.io/securesign/conforma-cli-stack:on-pr-{{revision}}
- name: path-context
value: .
- name: revision
value: '{{revision}}'
- name: hermetic
value: "true"
- name: build-source-image
value: "true"
pipelineRef:
params:
- name: url
value: https://github.com/securesign/pipelines.git
- name: revision
value: main
Contributor

Might be a good idea to pin to a known revision.

- name: pathInRepo
value: pipelines/docker-build-oci-ta.yaml
resolver: git
taskRunTemplate:
serviceAccountName: build-pipeline-conforma-cli-stack
workspaces:
- name: git-auth
secret:
secretName: '{{ git_auth_secret }}'
status: {}
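Review bot: under `pipelineRef`, `revision: main` for https://github.com/securesign/pipelines.git is a moving reference, so the pipeline definition that runs this build can change without any commit in this repository, and the `hermetic: "true"` param does not cover how the pipeline itself is resolved. Pin `revision` to a full commit SHA and bump it deliberately. Separately, the component label `conforma-cli-stack` carries no version while the CEL expression is tied to `release-v0.8`, which is the naming question raised in the thread on this file.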
51 changes: 51 additions & 0 deletions .tekton/conforma-cli-stack-push.yaml
@@ -0,0 +1,51 @@
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
annotations:
build.appstudio.openshift.io/repo: https://github.com/conforma/cli?rev={{revision}}
build.appstudio.redhat.com/commit_sha: '{{revision}}'
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
pipelinesascode.tekton.dev/max-keep-runs: "3"
pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
== "release-v0.8"
creationTimestamp: null
labels:
appstudio.openshift.io/application: cli-stacks
appstudio.openshift.io/component: conforma-cli-stack
pipelines.appstudio.openshift.io/type: build
name: conforma-cli-stack-on-push
namespace: rhtas-tenant
spec:
params:
- name: release-version
value: 1.4.0
- name: dockerfile
value: Dockerfile.cli-stack.rh
- name: git-url
value: '{{repo_url}}'
- name: output-image
value: quay.io/securesign/conforma-cli-stack:{{revision}}
- name: path-context
value: .
- name: revision
value: '{{revision}}'
- name: hermetic
value: "true"
- name: build-source-image
value: "true"
pipelineRef:
params:
- name: url
value: https://github.com/securesign/pipelines.git
- name: revision
value: main
- name: pathInRepo
value: pipelines/docker-build-oci-ta.yaml
resolver: git
taskRunTemplate:
serviceAccountName: build-pipeline-conforma-cli-stack
workspaces:
- name: git-auth
secret:
secretName: '{{ git_auth_secret }}'
status: {}
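Review bot: `revision: main` under `pipelineRef` is a moving reference in this file too, and it matters more here because the push run publishes `quay.io/securesign/conforma-cli-stack:{{revision}}` with no `image-expires-after` param. Pin it to a commit SHA and keep it identical to the value in the pull-request definition, so PR builds exercise the same pipeline as the push build. The `release-version` value 1.4.0 is also duplicated across both files; a short comment naming both places would help the next bump.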
86 changes: 86 additions & 0 deletions Dockerfile.cli-stack.rh
@@ -0,0 +1,86 @@
# Copyright The Conforma Contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# SPDX-License-Identifier: Apache-2.0

## Build

FROM --platform=linux/amd64 quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:7d2ecffad4cee873caee676eda74c5acd6254e64bbca8280b1d69f0806426999 AS build-amd64
Member

I think it needs a license preamble to avoid a lint error.

Author

addressed

FROM --platform=linux/arm64 quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:9f39e82fd59f414bc26207d18588c5ffbf8c9c0ca00e81e68f80f2c39db01657 AS build-arm64
FROM --platform=linux/ppc64le quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:2e385572d9cc508288e5a4cc7a44c22de4266be860e725a7795d4402db1314c0 AS build-ppc64le
FROM --platform=linux/s390x quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:e725abfa91aa21d28d2ae5b5c5fa5544bcd3998b48c18d268d981c1ad51d3f1f AS build-s390x
Member

I was thinking we should use the registry.redhat.io/rhtas/ec-rhel9:0.8 image here, but IIUC using the quay.io image means it works better with Konflux's nudging mechanism.


# Use "build" to avoid an error from the version checker in
# https://github.com/conforma/github-workflows/tree/main/golang-version-check
FROM registry.access.redhat.com/ubi9/go-toolset:1.25.3@sha256:e8938564f866174a6d79e55dfe577c2ed184b1f53e91d782173fb69b07ce69ef AS build
USER root
RUN mkdir -p /binaries

# Native Linux binaries from each arch variant
COPY --from=build-amd64 /usr/local/bin/ec_linux_amd64.gz /tmp/ec_linux_amd64.gz
RUN gzip -d /tmp/ec_linux_amd64.gz && \
tar -czf /binaries/ec_linux_amd64.tar.gz -C /tmp ec_linux_amd64 && \
rm /tmp/ec_linux_amd64

COPY --from=build-arm64 /usr/local/bin/ec_linux_arm64.gz /tmp/ec_linux_arm64.gz
RUN gzip -d /tmp/ec_linux_arm64.gz && \
tar -czf /binaries/ec_linux_arm64.tar.gz -C /tmp ec_linux_arm64 && \
rm /tmp/ec_linux_arm64

COPY --from=build-ppc64le /usr/local/bin/ec_linux_ppc64le.gz /tmp/ec_linux_ppc64le.gz
RUN gzip -d /tmp/ec_linux_ppc64le.gz && \
tar -czf /binaries/ec_linux_ppc64le.tar.gz -C /tmp ec_linux_ppc64le && \
rm /tmp/ec_linux_ppc64le

COPY --from=build-s390x /usr/local/bin/ec_linux_s390x.gz /tmp/ec_linux_s390x.gz
RUN gzip -d /tmp/ec_linux_s390x.gz && \
tar -czf /binaries/ec_linux_s390x.tar.gz -C /tmp ec_linux_s390x && \
rm /tmp/ec_linux_s390x

# Cross-compiled binaries (same across all variants, taken from amd64)
# Darwin amd64
COPY --from=build-amd64 /usr/local/bin/ec_darwin_amd64.gz /tmp/ec_darwin_amd64.gz
RUN gzip -d /tmp/ec_darwin_amd64.gz && \
tar -czf /binaries/ec_darwin_amd64.tar.gz -C /tmp ec_darwin_amd64 && \
rm /tmp/ec_darwin_amd64

# Darwin arm64
COPY --from=build-amd64 /usr/local/bin/ec_darwin_arm64.gz /tmp/ec_darwin_arm64.gz
RUN gzip -d /tmp/ec_darwin_arm64.gz && \
tar -czf /binaries/ec_darwin_arm64.tar.gz -C /tmp ec_darwin_arm64 && \
rm /tmp/ec_darwin_arm64

# Windows amd64
COPY --from=build-amd64 /usr/local/bin/ec_windows_amd64.exe.gz /tmp/ec_windows_amd64.exe.gz
RUN gzip -d /tmp/ec_windows_amd64.exe.gz && \
tar -czf /binaries/ec_windows_amd64.tar.gz -C /tmp ec_windows_amd64.exe && \
rm /tmp/ec_windows_amd64.exe

# Final minimal image with all binaries
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest@sha256:83006d535923fcf1345067873524a3980316f51794f01d8655be55d6e9387183

LABEL description="Flat image containing Conforma CLI binaries for all platforms and architectures"
LABEL io.k8s.description="Flat image containing Conforma CLI binaries for all platforms and architectures"
LABEL io.opencontainers.image.description="Flat image containing Conforma CLI binaries for all platforms and architectures"
LABEL io.k8s.display-name="Conforma CLI stack image for Red Hat Trusted Artifact Signer"
LABEL io.openshift.tags="conforma trusted-artifact-signer cli-stack"
LABEL summary="Provides Conforma CLI binaries as tar.gz archives for CDN distribution."
LABEL com.redhat.component="conforma-cli-stack"

COPY --from=build /binaries/ /binaries/
COPY --from=build-amd64 /licenses/ /licenses/

RUN chown -R root:0 /binaries && chmod -R g+r /binaries

USER 65532:65532
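Review bot: the build stage repackages seven binaries into `/binaries/*.tar.gz`, and the `summary` label says they are meant for CDN distribution, but nothing in the image records a checksum for them. Consider writing a SHA-256 manifest into `/binaries` in the build stage (for example with `sha256sum`) so that whoever publishes or downloads the archives can check them against the image contents. A smaller point: the final `RUN chown -R root:0 /binaries && chmod -R g+r /binaries` can be folded into the preceding `COPY --from=build /binaries/ /binaries/` with `--chown=root:0`, which avoids an extra layer.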