Container image for the npm Trusted Libraries factory. Runs onboarder recipes
(build.entrypoint.sh, verify.smoke.sh) inside Konflux build tasks.
All packages come from UBI 8 repositories (AppStream/BaseOS); there is no rustup and no
download from static.rust-lang.org.

| Tool | Source | Pinning |
|---|---|---|
| UBI 8 base | registry.access.redhat.com/ubi8/ubi | digest in baseimage.lock + Containerfile ARG BASEIMAGE |
| Node.js 20 LTS | AppStream nodejs:20 module | stream 20 |
| Go | AppStream golang | distro default |
| Rust | AppStream rust-toolset module | exact RPM VR in rust-toolset.lock |
| C/C++ / node-gyp | gcc, python3, openssl-devel, etc. | — |

Unlike `nodejs:20`, `rust-toolset` is a rolling Application Stream — Red Hat
rebases the single module in place. There is no `dnf module install rust-toolset:1.84`
stream selector.

Edit `rust-toolset.lock` for Rust — the Containerfile and
install script read `RUST_VERSION` and `RUST_VR` from there. UBI rust-toolset RPMs
use epoch (none); we pin by installing exact version-release specs, then
`dnf versionlock`.

Edit `baseimage.lock` when bumping UBI — keep the same
digest in Containerfile `ARG BASEIMAGE` (required before `FROM`; buildkit cannot
read the lock file into that line).
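
One way to enforce the matching-digest rule in CI, as an added example that is not part of this repository: a shell check that fails when `baseimage.lock` and the Containerfile's `ARG BASEIMAGE` differ or are not pinned by digest. The line formats `BASEIMAGE=<ref>` and `ARG BASEIMAGE=<ref>` are assumptions, and the function names and sample digests are constructed.

```shell
# Added example: fail a CI job when baseimage.lock and Containerfile disagree.
# Assumed line formats: "BASEIMAGE=<ref>" (lock), "ARG BASEIMAGE=<ref>" (Containerfile).

# Image reference from the lock file (grep/cut extraction, as in the README's manual query).
lock_ref() {
  grep '^BASEIMAGE=' "$1" 2>/dev/null | head -n1 | cut -d= -f2- | tr -d '"'
}

# Default value of ARG BASEIMAGE from the Containerfile.
containerfile_ref() {
  sed -n 's/^ARG[[:space:]][[:space:]]*BASEIMAGE=//p' "$1" 2>/dev/null | head -n1 | tr -d '"'
}

# True only when the reference ends in a full sha256 digest (tags are mutable).
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# 0 = same digest in both files, 1 = drift, 2 = missing or not digest-pinned.
check_baseimage_pin() {
  local lock cf
  lock=$(lock_ref "$1")
  cf=$(containerfile_ref "$2")
  if ! is_digest_pinned "$lock" || ! is_digest_pinned "$cf"; then
    echo "baseimage: missing or not pinned by digest" >&2
    return 2
  fi
  if [ "$lock" != "$cf" ]; then
    echo "baseimage: drift: lock=$lock Containerfile=$cf" >&2
    return 1
  fi
  return 0
}

# Constructed sample files (digests are made-up placeholders, not real UBI digests).
make_sample() {  # usage: make_sample <dir> <lock-number> <containerfile-number>
  local repo=registry.access.redhat.com/ubi8/ubi
  printf 'BASEIMAGE=%s@sha256:%064d\n' "$repo" "$2" > "$1/baseimage.lock"
  printf 'ARG BASEIMAGE=%s@sha256:%064d\nFROM ${BASEIMAGE}\n' "$repo" "$3" > "$1/Containerfile"
}

# Demo: a matching pair, then a lock bumped without updating the Containerfile.
demo() {
  local d; d=$(mktemp -d)
  make_sample "$d" 1 1 && check_baseimage_pin "$d/baseimage.lock" "$d/Containerfile" && echo "in sync"
  make_sample "$d" 2 1; check_baseimage_pin "$d/baseimage.lock" "$d/Containerfile" || echo "exit status $?"
  rm -rf "$d"
}
demo
```

In a pipeline, call `check_baseimage_pin baseimage.lock Containerfile` from the repository root before the image build and let a non-zero status stop the job.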

To refresh the lock file from current UBI (using `baseimage.lock` as the query image), run the
script below. It requires docker on the host (`CONTAINER_RUNTIME=podman` also works):

```bash
./hack/update-rust-toolset-lock.sh
```

Or query manually, then update `rust-toolset.lock` by hand:

```bash
docker run --rm --platform linux/amd64 "$(grep BASEIMAGE= baseimage.lock | cut -d= -f2-)" bash -c \
  'dnf -y module install rust-toolset && rpm -q rust cargo rust-std-static rust-toolset'
```

Caveat: UBI CDN may eventually drop older module RPMs after a rebase. If a
pinned VR disappears, the image build fails until you bump `rust-toolset.lock` —
that is intentional.

The Python plumbing-builder uses rustup from the internet for a specific
version; this npm image deliberately uses Red Hat RPMs only.

Built by Konflux component `npm-builder` under application `calunga-v2`:

```
quay.io/redhat-user-workloads/calunga-tenant/npm-builder:<tag>
```

| Script | Role |
|---|---|
| build-npm-package | Run entrypoint + smoke for one manifest |
| build-npm-packages | Build multiple package dirs (Tekton PACKAGES args) |
| collect-npm-artifacts | Stage out/*.tgz for OCI push / optional Pulp publish |
| npm-publish-pulp | Optional Pulp npm publish (deferred; Tekton step only) |
| build_scripts/install-rust-toolset.sh | Install + versionlock pinned rust-toolset RPMs |

Publishing to Quay (OCI artifact), optional Pulp, and cosign are handled in Tekton steps, not in these scripts.
Requires docker on the host (CONTAINER_RUNTIME=podman ./hack/update-rust-toolset-lock.sh for lock refresh only).

```bash
docker build -t npm-builder -f Containerfile .
docker run --rm npm-builder node --version
docker run --rm npm-builder go version
docker run --rm npm-builder rustc --version
docker run --rm npm-builder cargo --version
```