Skip to content

Latest commit

 

History

History
85 lines (62 loc) · 3.28 KB

File metadata and controls

85 lines (62 loc) · 3.28 KB

npm builder image

Container image for the npm Trusted Libraries factory. Runs onboarder recipes (build.entrypoint.sh, verify.smoke.sh) inside Konflux build tasks.

Toolchain (v1)

All packages from UBI 8 repositories (AppStream/BaseOS) — no rustup or downloads from static.rust-lang.org.

Tool Source Pinning
UBI 8 base registry.access.redhat.com/ubi8/ubi digest in baseimage.lock + Containerfile ARG BASEIMAGE
Node.js 20 LTS AppStream nodejs:20 module stream 20
Go AppStream golang distro default
Rust AppStream rust-toolset module exact RPM VR in rust-toolset.lock
C/C++ / node-gyp gcc, python3, openssl-devel, etc.

Rust pinning (RHEL 8)

Unlike nodejs:20, rust-toolset is a rolling Application Stream — Red Hat rebases the single module in place. There is no dnf module install rust-toolset:1.84 stream selector.

Edit rust-toolset.lock for Rust — the Containerfile and install script read RUST_VERSION and RUST_VR from there. UBI rust-toolset RPMs use epoch (none); we pin by installing exact version-release specs, then dnf versionlock.

Edit baseimage.lock when bumping UBI — keep the same digest in Containerfile ARG BASEIMAGE (required before FROM; buildkit cannot read the lock file into that line).

To refresh the lock file from current UBI (uses baseimage.lock as the query image). Requires docker on the host (CONTAINER_RUNTIME=podman also works):

./hack/update-rust-toolset-lock.sh

Or query manually, then update rust-toolset.lock by hand:

docker run --rm --platform linux/amd64 "$(grep BASEIMAGE= baseimage.lock | cut -d= -f2-)" bash -c \
  'dnf -y module install rust-toolset && rpm -q rust cargo rust-std-static rust-toolset'

Caveat: UBI CDN may eventually drop older module RPMs after a rebase. If a pinned VR disappears, the image build fails until you bump rust-toolset.lock — that is intentional.

The Python plumbing-builder uses rustup from the internet for a specific version; this npm image deliberately uses Red Hat RPMs only.

Quay

Built by Konflux component npm-builder under application calunga-v2:

quay.io/redhat-user-workloads/calunga-tenant/npm-builder:<tag>

Scripts

Script Role
build-npm-package Run entrypoint + smoke for one manifest
build-npm-packages Build multiple package dirs (Tekton PACKAGES args)
collect-npm-artifacts Stage out/*.tgz for OCI push / optional Pulp publish
npm-publish-pulp Optional Pulp npm publish (deferred; Tekton step only)
build_scripts/install-rust-toolset.sh Install + versionlock pinned rust-toolset RPMs

Publishing to Quay (OCI artifact), optional Pulp, and cosign are handled in Tekton steps, not in these scripts.

Local build

Requires docker on the host (CONTAINER_RUNTIME=podman ./hack/update-rust-toolset-lock.sh for lock refresh only).

docker build -t npm-builder -f Containerfile .
docker run --rm npm-builder node --version
docker run --rm npm-builder go version
docker run --rm npm-builder rustc --version
docker run --rm npm-builder cargo --version