Merge branch 'main' into RHDHBUGS-986

Author: gashcrumb

.cursor/rules/ci-e2e-testing.mdc

@@ -15,3 +15,4 @@ examples
 .ibm/images/*
 !.ibm/images/Dockerfile
 !.yarnrc.yml
+hermeto-cache

.dockerignore

@@ -20,10 +20,10 @@ inputs:
     required: true
   password:
     description: The password to use for the registry
-    required: true
+    required: false
   username:
     description: The username to use for the registry
-    required: true
+    required: false
   imageName:
     description: The name of the image to build
     required: true
@@ -34,18 +34,30 @@ inputs:
     description: The labels for the Docker image
     required: false
   push:
-    description: Whether to push the image
+    description: Whether to push the image (automatically ignored and assumed to be false if enableHermeticBuild is true)
     required: true
   platform:
     description: "Target given CPU platform architecture (default: linux/amd64)"
     required: false
     default: linux/amd64
+  enableHermeticBuild:
+    description: Whether to enable hermetic builds using hermeto (currently only supported for linux/amd64)
+    required: false
+    default: 'false'
+  componentDirectory:
+    description: Path to the component directory for hermetic builds
+    required: false
+    default: '.'
+  dockerfilePath:
+    description: Path to the Dockerfile to use
+    required: false
+    default: 'docker/Dockerfile'
 
 outputs:
   digest:
+    description: The digest of the built Docker image
     value: ${{ steps.build.outputs.digest }}
 
-
 runs:
   using: composite
   steps:
@@ -63,11 +75,15 @@ runs:
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v3
 
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+    # - name: Install qemu dependency
+    #   shell: bash 
+    #   run: |
+    #     set -ex
+    #     sudo apt-get update
+    #     sudo apt-get install -y qemu-user-static
 
-    - name: Log in to the Container registry
-      if: ${{ inputs.push }}
+    - name: Login to Registry
+      if: ${{ inputs.push == 'true' && inputs.enableHermeticBuild != 'true' }}
       uses: docker/login-action@v3
       with:
         registry: ${{ inputs.registry }}
@@ -84,14 +100,151 @@ runs:
         labels: |
           ${{ inputs.imageLabels }}
 
-    - name: Build and push Docker image
+    # Hermetic Build Steps
+    - name: Set up hermetic build variables
+      if: ${{ inputs.enableHermeticBuild == 'true' }}
+      shell: bash
+      run: |
+        echo "HERMETO_IMAGE=quay.io/konflux-ci/hermeto:latest" >> $GITHUB_ENV
+        echo "LOCAL_CACHE_DIR=./hermeto-cache/$(basename ${{ inputs.componentDirectory }})" >> $GITHUB_ENV
+        echo "COMPONENT_ABS_DIR=${{ github.workspace }}/${{ inputs.componentDirectory }}" >> $GITHUB_ENV
+
+    - name: Cache dependencies with hermeto
+      if: ${{ inputs.enableHermeticBuild == 'true' }}
+      shell: bash
+      run: |        
+        set -ex
+
+        echo "=== Creating local cache directory ==="
+        mkdir -p ${{ env.LOCAL_CACHE_DIR }} || echo "Failed to create local cache directory"
+        
+        echo "=== Fetching dependencies with hermeto ==="
+        # Build hermeto cache for rpm, yarn, and pip (currently does not support ARM64 due to quay.io/konflux-ci/hermeto:latest not having an arm64 image)
+        podman run --rm -v "$PWD:/source:z" -v "$LOCAL_CACHE_DIR:/cachi2:z" -w /source "$HERMETO_IMAGE" \
+          --log-level DEBUG \
+          fetch-deps --dev-package-managers \
+          --source . \
+          --output /cachi2/output \
+          '[{"type": "rpm", "path": "."}, {"type": "yarn","path": "."}, {"type": "yarn","path": "./dynamic-plugins"}, {"type": "pip","path": "./python", "allow_binary": "false"}]'  || echo "Fetch-deps failed"
+        
+        if [ -d ${{ env.LOCAL_CACHE_DIR }}/output ]; then
+          echo "=== Output directory exists, running generate-env ==="
+          
+          # Generate environment file
+          podman run --rm -v "$PWD:/source:z" -v "$LOCAL_CACHE_DIR:/cachi2:z" -w /source "$HERMETO_IMAGE" \
+                      --log-level DEBUG \
+                      generate-env --format env \
+                      --output /cachi2/cachi2.env /cachi2/output
+          
+        else
+          echo "No output directory found, skipping generate-env"
+          exit 1
+        fi
+
+        if [ -d ${{ env.LOCAL_CACHE_DIR }}/output ]; then
+          echo "=== Running inject-files ==="
+          
+          podman run --rm -v "$PWD:/source:z" -v "$LOCAL_CACHE_DIR:/cachi2:z" -w /source "$HERMETO_IMAGE" \
+            --log-level DEBUG \
+            inject-files /cachi2/output || echo "Inject-files failed"
+
+        else
+          echo "No output directory found, skipping inject-files"
+          exit 1
+        fi
+
+        echo LOCAL_CACHE_DIR_REALPATH=$(realpath "${{ env.LOCAL_CACHE_DIR }}") >> $GITHUB_ENV
+
+    - name: "Fix Cache Ownership for Non-Root Buildah"
+      if: ${{ inputs.enableHermeticBuild == 'true' }}
+      shell: bash
+      run: |
+        set -ex
+        echo "=== Before ownership fix ==="
+        ls -l ${{ env.LOCAL_CACHE_DIR_REALPATH }}
+        echo "=== Attempting to fix ownership to runner user ==="
+        sudo chown -R runner ${{ env.LOCAL_CACHE_DIR_REALPATH }}
+        echo "=== After ownership fix ==="
+        ls -l ${{ env.LOCAL_CACHE_DIR_REALPATH }}
+        
+    - name: Transform Containerfile for hermetic build
+      if: ${{ inputs.enableHermeticBuild == 'true' }}
+      shell: bash
+      run: |
+        set -x
+        
+        CONTAINERFILE_PATH="${{ inputs.dockerfilePath }}"
+        
+        TRANSFORMED_CONTAINERFILE="${CONTAINERFILE_PATH}.hermeto"
+        
+        # Copy original dockerfile for hermetic build modifications
+        cp "$CONTAINERFILE_PATH" "$TRANSFORMED_CONTAINERFILE"
+        
+        # Transform the dockerfile to simulate Konflux build
+        # Configure dnf to use the cachi2 repo
+        sed -i '/RUN *\(dnf\|microdnf\) install/i RUN rm -r /etc/yum.repos.d/* && cp /cachi2/output/deps/rpm/x86_64/repos.d/hermeto.repo /etc/yum.repos.d/' "$TRANSFORMED_CONTAINERFILE"
+        
+        # Inject the cachi2 env variables to every RUN command
+        sed -i 's/^\s*RUN /RUN . \/cachi2\/cachi2.env \&\& /' "$TRANSFORMED_CONTAINERFILE"
+        
+        echo "TRANSFORMED_CONTAINERFILE=$TRANSFORMED_CONTAINERFILE" >> $GITHUB_ENV
+
+    - name: Build and push Docker image (Standard)
+      if: ${{ inputs.enableHermeticBuild != 'true' }}
       uses: docker/build-push-action@v6
       id: build
       with:
         context: .
-        file: docker/Dockerfile
+        file: ${{ inputs.dockerfilePath }}
         push: ${{ inputs.push }}
         provenance: false
         tags: ${{ steps.meta.outputs.tags }}
         labels: ${{ steps.meta.outputs.labels }}
         platforms: ${{ inputs.platform }}
+        
+    - name: "Build Docker Image (Hermetic)"
+      id: hermetic-build
+      if: ${{ inputs.enableHermeticBuild == 'true' }}
+      uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2.13
+      with:
+        containerfiles: ${{ inputs.dockerfilePath }}.hermeto
+        context: .
+        platform: ${{ inputs.platform }}
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        extra-args: |
+          --network=none
+          --volume ${{ env.LOCAL_CACHE_DIR_REALPATH }}:/cachi2:z
+
+    - name: Set build output for hermetic builds
+      if: ${{ inputs.enableHermeticBuild == 'true' }}
+      shell: bash
+      run: |
+        echo "digest=${{ steps.hermetic-build.outputs.digest || 'no-digest-available' }}" >> $GITHUB_OUTPUT
+
+    - name: Save image as artifact (Hermetic)
+      if: ${{ inputs.enableHermeticBuild == 'true' }}
+      shell: bash
+      run: |
+        mkdir -p ./rhdh-podman-artifacts
+        
+        # Extract the built image tags from the metadata
+        TAGS_LIST="${{ steps.meta.outputs.tags }}"
+        
+        # Save all the built images to tar (podman save can handle multiple tags)
+        echo "Saving images with tags:"
+        echo "$TAGS_LIST"
+        
+        podman save $TAGS_LIST -o ./rhdh-podman-artifacts/image.tar
+        
+        # Save metadata for the push workflow
+        echo "$TAGS_LIST" > ./rhdh-podman-artifacts/tags.txt
+
+    - name: Upload image artifact
+      if: ${{ inputs.enableHermeticBuild == 'true' }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: podman-image-${{ github.event.number || 'main' }}-${{ env.SHORT_SHA }}
+        path: ./rhdh-podman-artifacts/
+        retention-days: 1
+        if-no-files-found: error

.github/actions/docker-build/action.yaml

@@ -0,0 +1,45 @@
+name: E2E Tests
+
+on:
+  pull_request:
+    paths:
+      - 'e2e-tests/**'
+  push:
+    branches:
+      - "main"
+      - "release-*"
+    paths:
+      - 'e2e-tests/**'
+
+jobs:
+  lint:
+    name: ESLint and Prettier
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          sparse-checkout: |
+            e2e-tests
+            .nvmrc
+            .yarnrc.yml
+            .yarn
+            yarn.lock
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: ".nvmrc"
+
+      - name: Install dependencies
+        working-directory: ./e2e-tests
+        run: yarn install --mode=skip-build
+
+      - name: Run ESLint check
+        working-directory: ./e2e-tests
+        run: yarn lint:check
+
+      - name: Run Prettier check
+        working-directory: ./e2e-tests
+        run: yarn prettier:check

.github/workflows/e2e-tests-lint.yaml

@@ -6,21 +6,6 @@ on:
       - 'PR Build Image (Hermetic)'
     types:
       - completed
-  workflow_call:
-    inputs:
-      buildId:
-        type: string
-        description: The build identifier for artifact naming (e.g., PR number, 'nightly', 'main')
-        required: false
-      shortSha:
-        type: string
-        description: The short SHA for artifact naming
-        required: false
-      registry:
-        type: string
-        description: The registry to push to
-        required: false
-        default: quay.io
 
 jobs:
   podman-push:
@@ -35,16 +20,11 @@ jobs:
     steps:
       - name: Determine artifact name
         run: |
-          if [ "${{ github.event_name }}" == "workflow_run" ]; then
-            # For workflow_run, extract from the event context
-            BUILD_ID="${{ github.event.workflow_run.pull_requests[0].number || 'main' }}"
-            SHORT_SHA="${{ github.event.workflow_run.head_sha }}"
-            SHORT_SHA="${SHORT_SHA:0:8}"
-          else
-            # For workflow_call, use the inputs
-            BUILD_ID="${{ inputs.buildId || 'main' }}"
-            SHORT_SHA="${{ inputs.shortSha }}"
-          fi
+          # For workflow_run, extract from the event context
+          BUILD_ID="${{ github.event.workflow_run.pull_requests[0].number || 'main' }}"
+          SHORT_SHA="${{ github.event.workflow_run.head_sha }}"
+          SHORT_SHA="${SHORT_SHA:0:8}"
+
           
           echo "SHORT_SHA=$SHORT_SHA" >> $GITHUB_ENV
           ARTIFACT_NAME="podman-image-${BUILD_ID}-${SHORT_SHA}"
@@ -99,13 +79,8 @@ jobs:
           podman load -i ./rhdh-podman-artifacts/image.tar
           
           # Read metadata
-          REGISTRY=$(cat ./rhdh-podman-artifacts/registry.txt)
-          IMAGE_NAME=$(cat ./rhdh-podman-artifacts/imageName.txt)
           TAGS_LIST=$(cat ./rhdh-podman-artifacts/tags.txt)
-          
-          echo "REGISTRY=$REGISTRY" >> $GITHUB_ENV
-          echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_OUTPUT
-          
+                    
           echo "Loaded images:"
           podman images
           
@@ -127,7 +102,6 @@ jobs:
 
       - name: Extract PR info for commenting
         id: get-pr
-        if: ${{ github.event_name == 'workflow_run' }}
         env:
           WORKFLOW_RUN_PR_NUMBER: ${{ github.event.workflow_run.pull_requests[0].number || '' }}
           WORKFLOW_RUN_HEAD_SHA: ${{ github.event.workflow_run.head_sha }}