containerbuildsystem · ben-alkov · Jul 16, 2024 · Aug 15, 2024 · Sep 24, 2024 · Sep 24, 2024
diff --git a/.github/workflows/linters.yaml b/.github/workflows/linters.yaml
@@ -100,10 +100,26 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
       - name: Run ShellCheck
         uses: containerbuildsystem/actions/shellcheck@master
 
+      # ShellCheck for tekton
+      - name: Run Checkton
+        id: checkton
+        uses: chmeliik/[email protected]
+        with:
+          fail-on-findings: false
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.checkton.outputs.sarif }}
+          # Avoid clashing with ShellCheck
+          category: checkton
+
   tekton-lint:
     name: tekton-lint
     runs-on: ubuntu-latest

diff --git a/atomic_reactor/cli/parser.py b/atomic_reactor/cli/parser.py
@@ -78,14 +78,45 @@ def parse_args(args: Optional[Sequence[str]] = None) -> dict:
     )
     clone.set_defaults(func=task.clone)
 
+    binary_container_init = tasks.add_parser(
+        "binary-container-init",
+        help="binary container pre-build step",
+        description="Execute binary container pre-build steps.",
+    )
+    binary_container_init.set_defaults(func=task.binary_container_init)
+    binary_container_init.add_argument("--platforms-result", metavar="FILE", default=None,
+                                       help="file to write final platforms result")
+    binary_container_init.add_argument("--remote-sources-version-result", metavar="FILE",
+                                       default=None,
+                                       help="file to write final remote-sources version result")
+
+    binary_container_cachito = tasks.add_parser(
+        "binary-container-cachito",
+        help="binary container cachito step",
+        description="Execute binary container cachito steps.",
+    )
+    binary_container_cachito.set_defaults(func=task.binary_container_cachito)
+
+    binary_container_cachi2_init = tasks.add_parser(
+        "binary-container-cachi2-init",
+        help="binary container cachi2 init step",
+        description="Execute binary container cachi2 init step.",
+    )
+    binary_container_cachi2_init.set_defaults(func=task.binary_container_cachi2_init)
+
+    binary_container_cachi2_postprocess = tasks.add_parser(
+        "binary-container-cachi2-postprocess",
+        help="binary container cachi2 init step",
+        description="Execute binary container cachi2 postprocess step.",
+    )
+    binary_container_cachi2_postprocess.set_defaults(func=task.binary_container_cachi2_postprocess)
+
     binary_container_prebuild = tasks.add_parser(
         "binary-container-prebuild",
         help="binary container pre-build step",
         description="Execute binary container pre-build steps.",
     )
     binary_container_prebuild.set_defaults(func=task.binary_container_prebuild)
-    binary_container_prebuild.add_argument("--platforms-result", metavar="FILE", default=None,
-                                           help="file to write final platforms result")
 
     binary_container_build = tasks.add_parser(
         "binary-container-build",

diff --git a/atomic_reactor/cli/task.py b/atomic_reactor/cli/task.py
@@ -6,7 +6,9 @@
 of the BSD license. See the LICENSE file for details.
 """
 from atomic_reactor.tasks.binary import (BinaryExitTask, BinaryPostBuildTask, BinaryPreBuildTask,
-                                         PreBuildTaskParams, BinaryExitTaskParams)
+                                         BinaryInitTask, BinaryCachitoTask,
+                                         BinaryCachi2InitTask, BinaryCachi2PostprocessTask,
+                                         InitTaskParams, BinaryExitTaskParams)
 from atomic_reactor.tasks.binary_container_build import BinaryBuildTask, BinaryBuildTaskParams
 from atomic_reactor.tasks.clone import CloneTask
 from atomic_reactor.tasks.common import TaskParams
@@ -44,14 +46,54 @@ def clone(task_args: dict):
     return task.run()
 
 
+def binary_container_init(task_args: dict):
+    """Run binary container pre-build steps.
+
+    :param task_args: CLI arguments for a binary-container-init task
+    """
+    params = InitTaskParams.from_cli_args(task_args)
+    task = BinaryInitTask(params)
+    return task.run()
+
+
+def binary_container_cachito(task_args: dict):
+    """Run binary container Cachito steps.
+
+    :param task_args: CLI arguments for a binary-container-cachito task
+    """
+    params = TaskParams.from_cli_args(task_args)
+    task = BinaryCachitoTask(params)
+    return task.run(init_build_dirs=True)
+
+
+def binary_container_cachi2_init(task_args: dict):
+    """Run binary container Cachi2 init step.
+
+    :param task_args: CLI arguments for a binary-container-cachi2-init task
+    """
+    params = TaskParams.from_cli_args(task_args)
+    task = BinaryCachi2InitTask(params)
+    return task.run(init_build_dirs=True)
+
+
+def binary_container_cachi2_postprocess(task_args: dict):
+    """Run binary container Cachi2 postprocess step.
+
+    :param task_args: CLI arguments for a binary-container-cachi2-postprocess task
+    """
+    params = TaskParams.from_cli_args(task_args)
+    task = BinaryCachi2PostprocessTask(params)
+    return task.run(init_build_dirs=True)
+
+
 def binary_container_prebuild(task_args: dict):
     """Run binary container pre-build steps.
 
     :param task_args: CLI arguments for a binary-container-prebuild task
     """
-    params = PreBuildTaskParams.from_cli_args(task_args)
+    params = TaskParams.from_cli_args(task_args)
     task = BinaryPreBuildTask(params)
-    return task.run()
+    return task.run(init_build_dirs=True)
 
 
 def binary_container_build(task_args: dict):

diff --git a/atomic_reactor/config.py b/atomic_reactor/config.py
@@ -187,6 +187,7 @@ class ReactorConfigKeys(object):
     OPERATOR_MANIFESTS_KEY = 'operator_manifests'
     IMAGE_SIZE_LIMIT_KEY = 'image_size_limit'
     BUILDER_CA_BUNDLE_KEY = 'builder_ca_bundle'
+    REMOTE_SOURCES_DEFAULT_VERSION = 'remote_sources_default_version'
 
 
 class ODCSConfig(object):
@@ -511,3 +512,7 @@ def image_size_limit(self):
     @property
     def builder_ca_bundle(self):
         return self._get_value(ReactorConfigKeys.BUILDER_CA_BUNDLE_KEY, fallback=None)
+
+    @property
+    def remote_sources_default_version(self):
+        return self._get_value(ReactorConfigKeys.REMOTE_SOURCES_DEFAULT_VERSION, fallback=1)
diff --git a/atomic_reactor/constants.py b/atomic_reactor/constants.py
@@ -112,6 +112,8 @@
 PLUGIN_FLATPAK_CREATE_OCI = 'flatpak_create_oci'
 PLUGIN_GENERATE_SBOM = 'generate_sbom'
 PLUGIN_RPMQA = 'all_rpm_packages'
+PLUGIN_CACHI2_INIT = "cachi2_init"
+PLUGIN_CACHI2_POSTPROCESS = "cachi2_postprocess"
 
 # some shared dict keys for build metadata that gets recorded with koji.
 # for consistency of metadata in historical builds, these values basically cannot change.
@@ -197,6 +199,15 @@
 REMOTE_SOURCE_JSON_ENV_FILENAME = 'remote-source.env.json'
 ICM_JSON_FILENAME = 'icm-{}.json'
 
+# Cachi2 constants
+CACHI2_BUILD_DIR = "_cachi2_remote_sources"
+CACHI2_BUILD_APP_DIR = "app"
+CACHI2_ENV_JSON = "cachi2.env.json"
+CACHI2_PKG_OPTIONS_FILE = "cachi2_pkg_options.json"
+CACHI2_FOR_OUTPUT_DIR_OPT_FILE = "cachi2_for_output_dir_opt.txt"
+CACHI2_SINGLE_REMOTE_SOURCE_NAME = "remote-source"
+CACHI2_SBOM_JSON = "bom.json"
+
 # koji osbs_build metadata
 KOJI_KIND_IMAGE_BUILD = 'container_build'
 KOJI_KIND_IMAGE_SOURCE_BUILD = 'source_container_build'

diff --git a/atomic_reactor/inner.py b/atomic_reactor/inner.py
@@ -462,6 +462,7 @@ def __init__(
         plugin_files: Optional[List[str]] = None,
         keep_plugins_running: bool = False,
         platforms_result: Optional[str] = None,
+        remote_sources_version_result: Optional[str] = None,
         annotations_result: Optional[str] = None,
     ):
         """
@@ -483,6 +484,7 @@ def __init__(
         :param bool keep_plugins_running: keep plugins running even if error is
             raised from previous one. This is passed to ``PluginsRunner`` directly.
         :param platforms_result: path to platform results for prebuild task
+        :param remote_sources_version_result: path to remote_sources_version result
         :param annotations_result: path to annotations result for exit task
         """
         self.context_dir = context_dir
@@ -493,6 +495,7 @@ def __init__(
         self.source = source or DummySource(None, None)
         self.user_params = user_params or self._default_user_params.copy()
         self.platforms_result = platforms_result
+        self.remote_sources_version_result = remote_sources_version_result
         self.annotations_result = annotations_result
 
         self.keep_plugins_running = keep_plugins_running

diff --git a/atomic_reactor/plugins/add_image_content_manifest.py b/atomic_reactor/plugins/add_image_content_manifest.py
@@ -16,15 +16,18 @@
 
 from atomic_reactor.constants import (IMAGE_BUILD_INFO_DIR, INSPECT_ROOTFS,
                                       INSPECT_ROOTFS_LAYERS,
+                                      CACHI2_BUILD_DIR,
                                       PLUGIN_ADD_IMAGE_CONTENT_MANIFEST,
                                       PLUGIN_FETCH_MAVEN_KEY,
+                                      PLUGIN_CACHI2_POSTPROCESS,
                                       PLUGIN_RESOLVE_REMOTE_SOURCE)
 from atomic_reactor.config import get_cachito_session
 from atomic_reactor.dirs import BuildDir
 from atomic_reactor.plugin import Plugin
 from atomic_reactor.util import (validate_with_schema, read_content_sets, map_to_user_params,
                                  allow_path_in_dockerignore)
 from atomic_reactor.utils.pnc import PNCUtil
+from atomic_reactor.utils.cachi2 import convert_SBOM_to_ICM
 
 
 class AddImageContentManifestPlugin(Plugin):
@@ -100,6 +103,8 @@ def __init__(self, workflow, destdir=IMAGE_BUILD_INFO_DIR):
         remote_source_results = wf_data.plugins_results.get(PLUGIN_RESOLVE_REMOTE_SOURCE) or []
         self.remote_source_ids = [remote_source['id'] for remote_source in remote_source_results]
 
+        self.cachi2_remote_sources = wf_data.plugins_results.get(PLUGIN_CACHI2_POSTPROCESS) or []
+
         fetch_maven_results = wf_data.plugins_results.get(PLUGIN_FETCH_MAVEN_KEY) or {}
         self.pnc_artifact_ids = fetch_maven_results.get('pnc_artifact_ids') or []
 
@@ -130,6 +135,12 @@ def layer_index(self) -> int:
 
         return len(inspect[INSPECT_ROOTFS][INSPECT_ROOTFS_LAYERS])
 
+    def _get_cachi2_icm(self) -> dict:
+        global_sbom_path = self.workflow.build_dir.path/CACHI2_BUILD_DIR/"bom.json"
+        with open(global_sbom_path, "r") as f:
+            sbom = json.load(f)
+        return convert_SBOM_to_ICM(sbom)
+
     @functools.cached_property
     def _icm_base(self) -> dict:
         """Create the platform-independent skeleton of the ICM document.
@@ -140,6 +151,8 @@ def _icm_base(self) -> dict:
 
         if self.remote_source_ids:
             icm = self.cachito_session.get_image_content_manifest(self.remote_source_ids)
+        elif self.cachi2_remote_sources:  # we doesn't support Cachito and Cachi2 together
+            icm = self._get_cachi2_icm()
 
         if self.pnc_artifact_ids:
             purl_specs = self.pnc_util.get_artifact_purl_specs(self.pnc_artifact_ids)