Switch ldap-server build to hermetic mode #99

Open

lubomir wants to merge 1 commit into main from overseer/95

Conversation

lubomir (Contributor) commented Jul 3, 2026
🤖 This was posted automatically by an AI agent.

Switch the ldap-server container build to hermetic mode by replacing the fedora-minimal base image with python:3.12-slim and locking all pip dependencies with cryptographic hashes.

Changes

  • integration-tests/images/ldap-server/requirements.in – lists the two direct runtime dependencies (ldaptor, twisted).
  • integration-tests/images/ldap-server/requirements.txt – pip-compiled lock file with --hash= annotations for every package (direct and transitive). Regenerate with pip-compile --generate-hashes when dependencies change.
  • integration-tests/images/ldap-server/Containerfile – switches base image from registry.fedoraproject.org/fedora-minimal:44 to python:3.12-slim; removes the microdnf installation steps; installs dependencies via pip install --require-hashes -r requirements.txt.
  • .tekton/ldap-server-pull-request.yaml and .tekton/ldap-server-push.yaml – add hermetic: "true" and prefetch-input: pip to the top-level spec.params block, enabling Cachi2 pip prefetch and network-isolated builds without any structural pipeline changes.

- Replace fedora-minimal base image with python:3.12-slim, removing
  the need for microdnf and RPM dependency management
- Add requirements.in listing direct dependencies (ldaptor, twisted)
- Add requirements.txt generated with pip-compile --generate-hashes,
  pinning all transitive dependencies with cryptographic hashes
- Update Containerfile to install from the locked requirements.txt
  using --require-hashes for supply-chain integrity
- Enable hermetic mode in both Tekton pipeline definitions and set
  prefetch-input to pip so Cachi2 prefetches PyPI packages before
  the hermetic build

Closes #95

Generated-By: OpenCode (google-vertex-anthropic/claude-sonnet-4-6@default)
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.69%. Comparing base (e3ec3bc) to head (40dad59).

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #99   +/-   ##
=======================================
  Coverage   83.69%   83.69%           
=======================================
  Files          13       13           
  Lines        1325     1325           
=======================================
  Hits         1109     1109           
  Misses        216      216           
Flag Coverage Δ
unit-tests 83.69% <ø> (ø)

lubomir (Contributor, Author) commented Jul 3, 2026

Hermeto is trying to prefetch the root-level requirements.txt. That is bound to fail. The pipeline must be configured so that hermeto interacts only with the new requirements.txt for the ldap-server image.
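The two things a reviewer would want to verify on this PR are that the new lock file really pins every package with strong hashes (so `pip install --require-hashes` will not fall back to anything unpinned) and that the prefetch step is scoped to `integration-tests/images/ldap-server/requirements.txt` rather than the root-level file the comment above describes. The script below is an added example, not code from this PR or the project: it parses a `pip-compile --generate-hashes` style lock file, reports what would break hash-checked installs, reproduces pip's install-time digest comparison, lists every `requirements.txt` in a repository tree, and emits a scoped `prefetch-input` value. The lock-file contents, wheel bytes and repository layout are constructed here; the JSON shape `{"type": "pip", "path": ..., "requirements_files": [...]}` is assumed to follow the Cachi2 pip input format and is not confirmed by the page.

```python
"""Added example (not from the PR): lock-file and prefetch-scope checks for a
hermetic pip build. All inputs are constructed; the prefetch-input JSON shape
is assumed to follow the Cachi2 pip input format."""
import hashlib
import json
import pathlib
import re
import tempfile

# Algorithms pip accepts under --require-hashes, with the expected hex digest length.
STRONG_HASHES = {"sha256": 64, "sha384": 96, "sha512": 128}
HASH_RE = re.compile(r"--hash=([A-Za-z0-9]+):([0-9a-fA-F]+)")
PIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*(\[[^\]]*\])?==\S+")


def parse_lock(text):
    """Return [(spec, [(alg, digest), ...])] from pip-compile --generate-hashes output.
    '# via' comment lines are dropped and backslash continuations joined, so each
    logical line reads 'pkg==ver --hash=alg:digest --hash=alg:digest'."""
    entries, buf = [], ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        buf += stripped.rstrip("\\").strip() + " "
        if stripped.endswith("\\"):
            continue
        line, buf = buf.strip(), ""
        if not line.startswith("-"):          # skip option lines such as --index-url
            hashes = [(a.lower(), d.lower()) for a, d in HASH_RE.findall(line)]
            entries.append((line.split(" --hash=")[0], hashes))
    return entries


def lint_lock(text):
    """Problems that would make pip install --require-hashes fail or weaken it."""
    problems = []
    for spec, hashes in parse_lock(text):
        if not PIN_RE.match(spec):
            problems.append(f"not pinned with ==: {spec!r}")
            continue
        name = spec.split("==")[0]
        if not hashes:
            problems.append(f"{name}: no --hash entries")
        for alg, digest in hashes:
            if alg not in STRONG_HASHES:
                problems.append(f"{name}: weak hash algorithm {alg}")
            elif len(digest) != STRONG_HASHES[alg]:
                problems.append(f"{name}: malformed {alg} digest")
    return problems


def artifact_matches_bytes(data, hashes):
    """pip's install-time check: the downloaded file must match one pinned digest."""
    return any(hashlib.new(alg, data).hexdigest() == digest
               for alg, digest in hashes if alg in STRONG_HASHES)


def find_requirements_files(repo_root):
    """Every requirements.txt in the tree; an unscoped prefetch targets the root one."""
    root = pathlib.Path(repo_root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("requirements.txt"))


def prefetch_input(image_dir, requirements_files=("requirements.txt",)):
    """Tekton prefetch-input value scoped to one image directory (Cachi2 shape assumed)."""
    return json.dumps({"type": "pip", "path": image_dir,
                       "requirements_files": list(requirements_files)})


# Constructed lock file in pip-compile layout; digests are made up, not real PyPI values.
WHEEL_BYTES = b"constructed wheel contents"
SAMPLE_LOCK = f"""\
# This file is autogenerated by pip-compile with Python 3.12
attrs==23.2.0 \\
    --hash=sha256:{hashlib.sha256(WHEEL_BYTES).hexdigest()} \\
    --hash=sha256:{'1' * 64}
    # via twisted
twisted==24.3.0 \\
    --hash=sha256:{'2' * 64}
    # via -r requirements.in
"""
BAD_LOCK = """\
ldaptor>=21.2.0
twisted==24.3.0 --hash=md5:d41d8cd98f00b204e9800998ecf8427e
"""

if __name__ == "__main__":
    print("good lock problems:", lint_lock(SAMPLE_LOCK))
    print("bad lock problems:", lint_lock(BAD_LOCK))
    spec, hashes = parse_lock(SAMPLE_LOCK)[0]
    print(spec, "genuine:", artifact_matches_bytes(WHEEL_BYTES, hashes),
          "tampered:", artifact_matches_bytes(b"tampered", hashes))
    with tempfile.TemporaryDirectory() as tmp:   # repo layout as described in the PR
        for rel in ("requirements.txt", "integration-tests/images/ldap-server/requirements.txt"):
            p = pathlib.Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(SAMPLE_LOCK)
        print("lock files in tree:", find_requirements_files(tmp))
    print("prefetch-input:", prefetch_input("integration-tests/images/ldap-server"))
```

Run it against the real `integration-tests/images/ldap-server/requirements.txt` by passing its contents to `lint_lock`; an empty list means every direct and transitive package is `==`-pinned with sha256/384/512 digests of the right length. The JSON string from `prefetch_input` is what would replace the bare `pip` value of `prefetch-input` in the two `.tekton` files if the Cachi2 input format assumed here applies; whether Hermeto in this pipeline accepts exactly that shape should be confirmed against its documentation.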
