diff --git a/Dockerfile b/Dockerfile
index 23910ba24..7d04f0c76 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.

-FROM golang:1.21.0@sha256:ec457a2fcd235259273428a24e09900c496d0c52207266f96a330062a01e3622 AS builder
+FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS builder
 ENV APP_ROOT=/opt/app-root
 ENV GOPATH=$APP_ROOT

@@ -31,7 +31,7 @@ RUN CGO_ENABLED=0 go build -gcflags "all=-N -l" -ldflags "${SERVER_LDFLAGS}" -o
 RUN go test -c -ldflags "${SERVER_LDFLAGS}" -cover -covermode=count -coverpkg=./... -o rekor-server_test ./cmd/rekor-server

 # Multi-Stage production build
-FROM golang:1.21.0@sha256:ec457a2fcd235259273428a24e09900c496d0c52207266f96a330062a01e3622 as deploy
+FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 as deploy

 # Retrieve the binary from the previous stage
 COPY --from=builder /opt/app-root/src/rekor-server /usr/local/bin/rekor-server
diff --git a/OWNERS b/OWNERS
new file mode 100644
index 000000000..45bb15aeb
--- /dev/null
+++ b/OWNERS
@@ -0,0 +1,12 @@
+# The OWNERS file is used by prow to automatically merge approved PRs.
+
+approvers:
+- lance
+- cooktheryan
+- lkatalin
+- sallom
+
+reviewers:
+- JasonPowr
+- tommyd450
+
diff --git a/redhat/patches/0001-dockerfile.patch b/redhat/patches/0001-dockerfile.patch
new file mode 100644
index 000000000..61c25d4be
--- /dev/null
+++ b/redhat/patches/0001-dockerfile.patch
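Review bot: The new builder base on the `FROM … AS builder` line is pinned by digest only, so the Go toolchain version that the old `golang:1.21.0@sha256:…` reference made visible can no longer be read from the Dockerfile, and a later digest bump cannot be reviewed against a version. Keeping a tag next to the digest, `FROM registry.access.redhat.com/ubi9/go-toolset:<TAG>@sha256:52ab…9fa6 AS builder` (tag shown as a placeholder), keeps the pin immutable while documenting what it resolves to; the same applies to the deploy-stage `FROM` in the second hunk. The base also moves to an image whose default user and working directory may differ from the `golang` image, so the `COPY`/`RUN` steps between the two hunks, which are not shown here, should be checked for write access under `$APP_ROOT`.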
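Review bot: The deploy stage still starts from the full `ubi9/go-toolset` image, so the Go toolchain and build utilities ship in the image that runs `rekor-server` even though the visible part of the stage only copies the finished binary from `builder`. The hunk header shows the binary is built with `CGO_ENABLED=0`, which suggests it would run on a minimal runtime base; consider `FROM registry.access.redhat.com/ubi9/ubi-minimal@sha256:<DIGEST> AS deploy` (digest is a placeholder) to reduce the packages that need patching and the tooling present in the running container. The rest of the deploy stage is outside the hunk, so confirm it does not rely on tools from the toolset image and that it ends with a non-root `USER`. As a style point, `as deploy` could be written `AS deploy` to match the builder line.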
@@ -0,0 +1,23 @@
+diff --git a/Dockerfile b/Dockerfile
+index 23910ba..7d04f0c 100644
+--- a/Dockerfile
++++ b/Dockerfile
+@@ -13,7 +13,7 @@
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+
+-FROM golang:1.21.0@sha256:ec457a2fcd235259273428a24e09900c496d0c52207266f96a330062a01e3622 AS builder
++FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 AS builder
+ ENV APP_ROOT=/opt/app-root
+ ENV GOPATH=$APP_ROOT
+
+@@ -31,7 +31,7 @@ RUN CGO_ENABLED=0 go build -gcflags "all=-N -l" -ldflags "${SERVER_LDFLAGS}" -o
+ RUN go test -c -ldflags "${SERVER_LDFLAGS}" -cover -covermode=count -coverpkg=./... -o rekor-server_test ./cmd/rekor-server
+
+ # Multi-Stage production build
+-FROM golang:1.21.0@sha256:ec457a2fcd235259273428a24e09900c496d0c52207266f96a330062a01e3622 as deploy
++FROM registry.access.redhat.com/ubi9/go-toolset@sha256:52ab391730a63945f61d93e8c913db4cc7a96f200de909cd525e2632055d9fa6 as deploy
+
+ # Retrieve the binary from the previous stage
+ COPY --from=builder /opt/app-root/src/rekor-server /usr/local/bin/rekor-server
+
diff --git a/redhat/release/update-to-head.sh b/redhat/release/update-to-head.sh
new file mode 100755
index 000000000..3dbdc501f
--- /dev/null
+++ b/redhat/release/update-to-head.sh
@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+
+# Copyright 2023 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# The local git repo must have a remote "upstream" pointing
+# to upstream sigstore/rekor, and a remote "origin"
+# pointing to securesign/rekor
+
+# Synchs the release-next branch to either the upstream `main` branch
+# or a provided git-ref (typically an upstream release tag) and then triggers CI.
+#
+# NOTE: This requires a corresponding midstream branch to exist in the securesign fork
+# with the same name as the upstream branch/ref, but prefixed with "midstream-".
+#
+# Usage: update-to-head.sh []
+
+if [ "$#" -ne 1 ]; then
+ upstream_ref="main"
+ midstream_ref="main"
+ redhat_ref="release-next"
+else
+ upstream_ref=$1
+ midstream_ref="midstream-${upstream_ref}" # The overlays and patches for the given version
+ redhat_ref="redhat-${upstream_ref}" # The midstream repo with overlays and patches applied
+fi
+
+echo "Synchronizing ${redhat_ref} to upstream/${upstream_ref}..."
+
+set -e
+REPO_NAME=$(basename $(git rev-parse --show-toplevel))
+
+# Custom files
+custom_files=$(cat <.
+git fetch upstream $upstream_ref
+if [[ "$upstream_ref" == "main" ]]; then
+ git checkout upstream/main -B ${redhat_ref}
+else
+ git checkout $upstream_ref -B ${redhat_ref}
+fi
+
+# Update redhat's main and take all needed files from there.
+git fetch origin $midstream_ref
+git checkout origin/$midstream_ref $custom_files
+
+# Apply midstream patches
+if [[ -d redhat/patches ]]; then
+ git apply redhat/patches/*
+fi
+
+git add . # Adds applied patches
+git add $custom_files # Adds custom files
+git commit -m "${redhat_files_msg}"
+
+# Push the release-next branch
+git push -f origin "${redhat_ref}"
+
+# Trigger CI
+# TODO: Set up openshift or github CI to run on release-next-ci
+git checkout "${redhat_ref}" -B "${redhat_ref}"-ci
+date > ci
+git add ci
+git commit -m "${robot_trigger_msg}"
+git push -f origin "${redhat_ref}-ci"
+
+if hash hub 2>/dev/null; then
+ # Test if there is already a sync PR in
+ COUNT=$(hub api -H "Accept: application/vnd.github.v3+json" repos/securesign/${REPO_NAME}/pulls --flat \
+ | grep -c "${robot_trigger_msg}") || true
+ if [ "$COUNT" = "0" ]; then
+ hub pull-request --no-edit -l "kind/sync-fork-to-upstream" -b securesign/${REPO_NAME}:${redhat_ref} -h securesign/${REPO_NAME}:${redhat_ref}-ci -m "${robot_trigger_msg}"
+ fi
+else
+ echo "hub (https://github.com/github/hub) is not installed, so you'll need to create a PR manually."
+fi
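Review bot: `git add .` followed by `git push -f origin "${redhat_ref}"` stages everything in the caller's working tree, so any untracked or locally modified file in the clone (credentials, editor files, build output) is committed and force-pushed to the shared fork together with the applied patches. Refuse to run on a dirty tree before the first fetch, e.g. `[ -z "$(git status --porcelain)" ] || { echo "working tree not clean" >&2; exit 1; }`. Separately, `upstream_ref=$1` is used unquoted in `git fetch upstream $upstream_ref` and `git checkout $upstream_ref -B ${redhat_ref}`, so a value containing spaces or starting with `-` is word-split or parsed as an option; quote it and reject a leading dash. `set -e` is also enabled only after the argument handling and without `-u` or `-o pipefail`; `set -euo pipefail` at the top of the script would stop the run on an unset variable or a failed pipeline before either force-push.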