diff --git a/Dockerfile b/Dockerfile index f2d39ace3..16989b132 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.20.5@sha256:344193a70dc3588452ea39b4a1e465a8d3c91f788ae053f7ee168cebf18e0a50 AS builder +FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS builder ENV APP_ROOT=/opt/app-root ENV GOPATH=$APP_ROOT @@ -31,7 +31,7 @@ RUN CGO_ENABLED=0 go build -gcflags "all=-N -l" -ldflags "${SERVER_LDFLAGS}" -o RUN go test -c -ldflags "${SERVER_LDFLAGS}" -cover -covermode=count -coverpkg=./... -o rekor-server_test ./cmd/rekor-server # Multi-Stage production build -FROM golang:1.20.5@sha256:344193a70dc3588452ea39b4a1e465a8d3c91f788ae053f7ee168cebf18e0a50 as deploy +FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 as deploy # Retrieve the binary from the previous stage COPY --from=builder /opt/app-root/src/rekor-server /usr/local/bin/rekor-server diff --git a/OWNERS b/OWNERS new file mode 100644 index 000000000..45bb15aeb --- /dev/null +++ b/OWNERS @@ -0,0 +1,12 @@ +# The OWNERS file is used by prow to automatically merge approved PRs. + +approvers: +- lance +- cooktheryan +- lkatalin +- sallom + +reviewers: +- JasonPowr +- tommyd450 + diff --git a/redhat/overlays/rekor-cli/Dockerfile.cli b/redhat/overlays/rekor-cli/Dockerfile.cli new file mode 100644 index 000000000..46d89dd59 --- /dev/null +++ b/redhat/overlays/rekor-cli/Dockerfile.cli @@ -0,0 +1,14 @@ +#Build stage +FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS build-env +USER root +RUN git config --global --add safe.directory /opt/app-root/src +COPY . . +RUN make rekor-cli + +#Install stage +FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 +COPY --from=build-env /opt/app-root/src/rekor-cli /usr/local/bin/rekor-cli +WORKDIR /opt/app-root/src/home + +#ENTRYPOINT +ENTRYPOINT [ "rekor-cli" ] diff --git a/redhat/patches/0001-dockerfile.patch b/redhat/patches/0001-dockerfile.patch new file mode 100644 index 000000000..fc419caaa --- /dev/null +++ b/redhat/patches/0001-dockerfile.patch @@ -0,0 +1,22 @@ +diff --git a/Dockerfile b/Dockerfile +index f2d39ac..16989b1 100644 +--- a/Dockerfile ++++ b/Dockerfile +@@ -13,7 +13,7 @@ + # See the License for the specific language governing permissions and + # limitations under the License. + +-FROM golang:1.20.5@sha256:344193a70dc3588452ea39b4a1e465a8d3c91f788ae053f7ee168cebf18e0a50 AS builder ++FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS builder + ENV APP_ROOT=/opt/app-root + ENV GOPATH=$APP_ROOT + +@@ -31,7 +31,7 @@ RUN CGO_ENABLED=0 go build -gcflags "all=-N -l" -ldflags "${SERVER_LDFLAGS}" -o + RUN go test -c -ldflags "${SERVER_LDFLAGS}" -cover -covermode=count -coverpkg=./... -o rekor-server_test ./cmd/rekor-server + + # Multi-Stage production build +-FROM golang:1.20.5@sha256:344193a70dc3588452ea39b4a1e465a8d3c91f788ae053f7ee168cebf18e0a50 as deploy ++FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 as deploy + + # Retrieve the binary from the previous stage + COPY --from=builder /opt/app-root/src/rekor-server /usr/local/bin/rekor-server diff --git a/redhat/release/update-to-head.sh b/redhat/release/update-to-head.sh new file mode 100755 index 000000000..71843e301 --- /dev/null +++ b/redhat/release/update-to-head.sh @@ -0,0 +1,103 @@ +#!/usr/bin/env bash + +# Copyright 2023 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# The local git repo must have a remote "upstream" pointing +# to upstream sigstore/rekor, and a remote "origin" +# pointing to securesign/rekor + +# Synchs the release-next branch to either the upstream `main` branch +# or a provided git-ref (typically an upstream release tag) and then triggers CI. +# +# NOTE: This requires a corresponding midstream branch to exist in the securesign fork +# with the same name as the upstream branch/ref, but prefixed with "midstream-". +# +# Usage: update-to-head.sh [] + +if [ "$#" -ne 1 ]; then + upstream_ref="main" + midstream_ref="main" +else + upstream_ref=$1 + midstream_ref="midstream-${upstream_ref}" + redhat_ref="redhat-${upstream_ref}" +fi + +echo "Synchronizing release-next to upstream/${upstream_ref}..." + +set -e +REPO_NAME=$(basename $(git rev-parse --show-toplevel)) + +# Custom files +custom_files=$(cat <. +git fetch upstream $upstream_ref +if [[ "$upstream_ref" == "main" ]]; then + git checkout upstream/main -B release-next +else + git checkout $upstream_ref -B release-next +fi + +# Update redhat's main and take all needed files from there. +git fetch origin $midstream_ref +git checkout origin/$midstream_ref $custom_files + +# Apply midstream patches +if [[ -d redhat/patches ]]; then + git apply redhat/patches/* +fi + +# Move .tekton files to root +if [[ -d redhat/.tekton ]]; then + git mv redhat/.tekton . +fi + +git add . # Adds applied patches +git add $custom_files # Adds custom files +git commit -m "${redhat_files_msg}" + +# Push the release-next branch +git push -f origin release-next + +# Copy and push the release-next branch to $redhat_ref we're not working with main +if [[ "$redhat_ref" != "" ]]; then + git push -f origin release-next:$redhat_ref +fi + +# Trigger CI +# TODO: Set up openshift or github CI to run on release-next-ci +git checkout release-next -B release-next-ci +date > ci +git add ci +git commit -m "${robot_trigger_msg}" +git push -f origin release-next-ci + +if hash hub 2>/dev/null; then + # Test if there is already a sync PR in + COUNT=$(hub api -H "Accept: application/vnd.github.v3+json" repos/securesign/${REPO_NAME}/pulls --flat \ + | grep -c "${robot_trigger_msg}") || true + if [ "$COUNT" = "0" ]; then + hub pull-request --no-edit -l "kind/sync-fork-to-upstream" -b securesign/${REPO_NAME}:release-next -h securesign/${REPO_NAME}:release-next-ci -m "${robot_trigger_msg}" + fi +else + echo "hub (https://github.com/github/hub) is not installed, so you'll need to create a PR manually." +fi