Hermetic build of cachi2 image using Docker multi-stage building

.github/dependabot.yml

@@ -17,8 +17,3 @@ updates:
         update-types:
           - "minor"
           - "patch"
-
-  - package-ecosystem: "npm"
-    directory: "/js-deps"
-    schedule:
-      interval: "monthly"

Containerfile

@@ -1,45 +1,55 @@
-FROM registry.fedoraproject.org/fedora-minimal:39
-LABEL maintainer="Red Hat"
+# hadolint global ignore=DL3007
 
-WORKDIR /src
+########################
+# PREPARE OUR BASE IMAGE
+########################
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest as base
 RUN microdnf -y install \
     --setopt install_weak_deps=0 \
     --nodocs \
-    gcc \
-    golang \
     git-core \
     nodejs \
-    nodejs-npm \
     python3 \
+    && microdnf clean all
+
+######################
+# BUILD/INSTALL CACHI2
+######################
+FROM base as builder
+WORKDIR /src
+COPY . .
+RUN microdnf -y install \
+    --setopt install_weak_deps=0 \
+    --nodocs \
+    gcc \
+    golang-bin \
+    nodejs \
+    npm \
     python3-devel \
     python3-pip \
+    python3-setuptools \
     && microdnf clean all
 
-COPY . .
+RUN python3 -m venv /venv && \
+    /venv/bin/pip install -r requirements.txt --no-deps --no-cache-dir --require-hashes && \
+    /venv/bin/pip install --no-cache-dir .
 
-RUN pip3 install -r requirements.txt --no-deps --no-cache-dir --require-hashes && \
-    pip3 install --no-cache-dir . && \
-    # the git folder is only needed to determine the package version
-    rm -rf .git
+##########################
+# ASSEMBLE THE FINAL IMAGE
+##########################
+FROM base
+LABEL maintainer="Red Hat"
 
-WORKDIR /src/js-deps
-RUN npm install && \
-    ln -s "${PWD}/node_modules/.bin/corepack" /usr/local/bin/corepack && \
-    corepack enable yarn && \
-    microdnf -y remove nodejs-npm
+# copy Go SDKs from official Debian images, corepack from official Node.js Alpine
+COPY --from=docker.io/library/golang:1.20.0-bullseye /usr/local/go /usr/local/go/go1.20
+COPY --from=docker.io/library/golang:1.21.0-bullseye /usr/local/go /usr/local/go/go1.21
+COPY --from=docker.io/library/node:21-alpine /usr/local/lib/node_modules/corepack /usr/local/lib/corepack
+COPY --from=builder /venv /venv
 
-# Install an older version of Go fixed at 1.20 (along with the base >=1.21):
-#   - install Go's official shim
-#   - let the shim download the actual Go SDK (the download forces the output parent dir to $HOME)
-#   - move the SDK to a host local install system-wide location
-#   - remove the shim as it forces and expects the SDK to be used from $HOME
-#   - clean any build artifacts Go creates as part of the process.
-RUN for go_ver in "go1.20" "go1.21.0"; do \
-        go install "golang.org/dl/${go_ver}@latest" && \
-        "$HOME/go/bin/$go_ver" download && \
-        mkdir -p /usr/local/go && \
-        mv "$HOME/sdk/$go_ver" /usr/local/go && \
-        rm -rf "$HOME/go" "$HOME/.cache/go-build/"; \
-    done
+# link corepack, yarn, and go to standard PATH location
+RUN ln -s /usr/local/lib/corepack/dist/corepack.js /usr/local/bin/corepack && \
+    ln -s /usr/local/lib/corepack/dist/yarn.js /usr/local/bin/yarn && \
+    ln -s /usr/local/go/go1.21/bin/go /usr/local/bin/go && \
+    ln -s /venv/bin/cachi2 /usr/local/bin/cachi2
 
-ENTRYPOINT ["cachi2"]
+ENTRYPOINT ["/usr/local/bin/cachi2"]

pyproject.toml

@@ -35,8 +35,10 @@ dependencies = [
   "requests",
   "semver",
   "setuptools",
+  "setuptools-scm",
   "tomli",
   "typer",
+  "wheel",
 ]
 [project.optional-dependencies]
 dev = [

requirements-extras.txt

@@ -241,9 +241,7 @@ charset-normalizer==3.3.2 \
     --hash=sha256:fb69256e180cb6c8a894fee62b3afebae785babc1ee98b81cdf68bbca1987f33 \
     --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \
     --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561
-    # via
-    #   aiohttp
-    #   requests
+    # via requests
 click==8.1.7 \
     --hash=sha256:ae74fb96c20a0277a1d615f1e4d73c8414f5a98db8b799a7931d1582f3390c28 \
     --hash=sha256:ca9853ad459e787e2192211578cc907e7594e294c7ccc834310722b41b9ca6de
@@ -420,9 +418,7 @@ gitdb==4.0.11 \
 gitpython==3.1.42 \
     --hash=sha256:1bf9cd7c9e7255f77778ea54359e54ac22a72a5b51288c457c881057b7bb9ecd \
     --hash=sha256:2d99869e0fef71a73cbd242528105af1d6c1b108c60dfabd994bf292f76c3ceb
-    # via
-    #   bandit
-    #   cachi2 (pyproject.toml)
+    # via cachi2 (pyproject.toml)
 idna==3.7 \
     --hash=sha256:028ff3aadf0609c1fd278d8ea3089299412a7a8b9bd005dd08b9f8285bcb5cfc \
     --hash=sha256:82fee1fc78add43492d3a1898bfa6d8a904cc97d8427f683ed8e798d07761aa0
@@ -602,6 +598,7 @@ packaging==24.0 \
     #   cachi2 (pyproject.toml)
     #   pypi-simple
     #   pytest
+    #   setuptools-scm
 pathspec==0.12.1 \
     --hash=sha256:a0d503e138a4c123b27490a4f7beda6a01c6f288df0e4a8b79c7eb0dc7b4cc08 \
     --hash=sha256:a482d51503a1ab33b1c67a6c3813a26953dbdc71c31dacaef9a838c4e29f5712
@@ -922,6 +919,10 @@ semver==3.0.2 \
     --hash=sha256:6253adb39c70f6e51afed2fa7152bcd414c411286088fb4b9effb133885ab4cc \
     --hash=sha256:b1ea4686fe70b981f85359eda33199d60c53964284e0cfb4977d243e37cf4bf4
     # via cachi2 (pyproject.toml)
+setuptools-scm==8.0.4 \
+    --hash=sha256:b47844cd2a84b83b3187a5782c71128c28b4c94cad8bfb871da2784a5cb54c4f \
+    --hash=sha256:b5f43ff6800669595193fd09891564ee9d1d7dcb196cab4b2506d53a2e1c95c7
+    # via cachi2 (pyproject.toml)
 smmap==5.0.1 \
     --hash=sha256:dceeb6c0028fdb6734471eb07c0cd2aae706ccaecab45965ee83f11c8d3b1f62 \
     --hash=sha256:e6d8668fa5f93e706934a62d7b4db19c8d9eb8cf2adbb75ef1b675aa332b69da
@@ -947,6 +948,8 @@ tomli==2.0.1 \
     #   coverage
     #   mypy
     #   pytest
+    #   pytest-env
+    #   setuptools-scm
 typer==0.9.0 \
     --hash=sha256:50922fd79aea2f4751a8e0408ff10d2662bd0c8bbfa84755a699f3bada2978b2 \
     --hash=sha256:5d96d986a21493606a358cae4461bd8cdf83cbf33a5aa950ae629ca3b51467ee
@@ -960,11 +963,16 @@ typing-extensions==4.10.0 \
     #   mypy
     #   pydantic
     #   pydantic-core
+    #   setuptools-scm
     #   typer
 urllib3==2.2.1 \
     --hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \
     --hash=sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19
     # via requests
+wheel==0.43.0 \
+    --hash=sha256:465ef92c69fa5c5da2d1cf8ac40559a8c940886afcef87dcf14b9470862f1d85 \
+    --hash=sha256:55c570405f142630c6b9f72fe09d9b67cf1477fcf543ae5b8dcb1f5b7377da81
+    # via cachi2 (pyproject.toml)
 yarl==1.9.4 \
     --hash=sha256:008d3e808d03ef28542372d01057fd09168419cdc8f848efe2804f894ae03e51 \
     --hash=sha256:03caa9507d3d3c83bca08650678e25364e1843b484f19986a527630ca376ecce \
@@ -1062,4 +1070,6 @@ yarl==1.9.4 \
 setuptools==69.2.0 \
     --hash=sha256:0ff4183f8f42cd8fa3acea16c45205521a4ef28f73c6391d8a25e92893134f2e \
     --hash=sha256:c21c49fb1042386df081cb5d86759792ab89efca84cf114889191cd09aacc80c
-    # via cachi2 (pyproject.toml)
+    # via
+    #   cachi2 (pyproject.toml)
+    #   setuptools-scm

requirements.txt

@@ -265,9 +265,7 @@ charset-normalizer==3.3.2 \
     --hash=sha256:fb69256e180cb6c8a894fee62b3afebae785babc1ee98b81cdf68bbca1987f33 \
     --hash=sha256:fd1abc0d89e30cc4e02e4064dc67fcc51bd941eb395c502aac3ec19fab46b519 \
     --hash=sha256:ff8fa367d09b717b2a17a052544193ad76cd49979c805768879cb63d9ca50561
-    # via
-    #   aiohttp
-    #   requests
+    # via requests
 click==8.1.7 \
     --hash=sha256:ae74fb96c20a0277a1d615f1e4d73c8414f5a98db8b799a7931d1582f3390c28 \
     --hash=sha256:ca9853ad459e787e2192211578cc907e7594e294c7ccc834310722b41b9ca6de
@@ -484,10 +482,7 @@ packaging==24.0 \
     # via
     #   cachi2 (pyproject.toml)
     #   pypi-simple
-pycparser==2.21 \
-    --hash=sha256:8ee45429555515e1f6b185e78100aea234072576aa43ab53aefcae078162fca9 \
-    --hash=sha256:e644fdec12f7872f86c58ff790da456218b10f863970249516d60a5eaca77206
-    # via cffi
+    #   setuptools-scm
 pydantic==2.6.4 \
     --hash=sha256:b1704e0847db01817624a6b86766967f552dd9dbf3afba4004409f908dcc84e6 \
     --hash=sha256:cc46fce86607580867bdc3361ad462bab9c222ef042d3da86f2fb333e1d916c5
@@ -646,6 +641,10 @@ semver==3.0.2 \
     --hash=sha256:6253adb39c70f6e51afed2fa7152bcd414c411286088fb4b9effb133885ab4cc \
     --hash=sha256:b1ea4686fe70b981f85359eda33199d60c53964284e0cfb4977d243e37cf4bf4
     # via cachi2 (pyproject.toml)
+setuptools-scm==8.0.4 \
+    --hash=sha256:b47844cd2a84b83b3187a5782c71128c28b4c94cad8bfb871da2784a5cb54c4f \
+    --hash=sha256:b5f43ff6800669595193fd09891564ee9d1d7dcb196cab4b2506d53a2e1c95c7
+    # via cachi2 (pyproject.toml)
 smmap==5.0.1 \
     --hash=sha256:dceeb6c0028fdb6734471eb07c0cd2aae706ccaecab45965ee83f11c8d3b1f62 \
     --hash=sha256:e6d8668fa5f93e706934a62d7b4db19c8d9eb8cf2adbb75ef1b675aa332b69da
@@ -657,7 +656,9 @@ soupsieve==2.5 \
 tomli==2.0.1 \
     --hash=sha256:939de3e7a6161af0c887ef91b7d41a53e7c5a1ca976325f429cb46ea9bc30ecc \
     --hash=sha256:de526c12914f0c550d15924c62d72abc48d6fe7364aa87328337a31007fe8a4f
-    # via cachi2 (pyproject.toml)
+    # via
+    #   cachi2 (pyproject.toml)
+    #   setuptools-scm
 typer==0.9.0 \
     --hash=sha256:50922fd79aea2f4751a8e0408ff10d2662bd0c8bbfa84755a699f3bada2978b2 \
     --hash=sha256:5d96d986a21493606a358cae4461bd8cdf83cbf33a5aa950ae629ca3b51467ee
@@ -668,11 +669,16 @@ typing-extensions==4.10.0 \
     # via
     #   pydantic
     #   pydantic-core
+    #   setuptools-scm
     #   typer
 urllib3==2.2.1 \
     --hash=sha256:450b20ec296a467077128bff42b73080516e71b56ff59a60a02bef2232c4fa9d \
     --hash=sha256:d0570876c61ab9e520d776c38acbbb5b05a776d3f9ff98a5c8fd5162a444cf19
     # via requests
+wheel==0.43.0 \
+    --hash=sha256:465ef92c69fa5c5da2d1cf8ac40559a8c940886afcef87dcf14b9470862f1d85 \
+    --hash=sha256:55c570405f142630c6b9f72fe09d9b67cf1477fcf543ae5b8dcb1f5b7377da81
+    # via cachi2 (pyproject.toml)
 yarl==1.9.4 \
     --hash=sha256:008d3e808d03ef28542372d01057fd09168419cdc8f848efe2804f894ae03e51 \
     --hash=sha256:03caa9507d3d3c83bca08650678e25364e1843b484f19986a527630ca376ecce \
@@ -770,4 +776,6 @@ yarl==1.9.4 \
 setuptools==69.2.0 \
     --hash=sha256:0ff4183f8f42cd8fa3acea16c45205521a4ef28f73c6391d8a25e92893134f2e \
     --hash=sha256:c21c49fb1042386df081cb5d86759792ab89efca84cf114889191cd09aacc80c
-    # via cachi2 (pyproject.toml)
+    # via
+    #   cachi2 (pyproject.toml)
+    #   setuptools-scm