add cli-stack for binary distribution

sampras343 · sampras343 · commit a2bbf8ce3431 · 2026-03-25T09:47:55.000Z
Signed-off-by: Sachin Sampras M &lt;sampras343@gmail.com&gt;
diff --git a/.tekton/cli-v08-push.yaml b/.tekton/cli-v08-push.yaml
@@ -2,6 +2,7 @@ apiVersion: tekton.dev/v1
 kind: PipelineRun
 metadata:
   annotations:
+    build.appstudio.openshift.io/build-nudge-files: "Dockerfile.cli-stack.rh"
     build.appstudio.openshift.io/repo: https://github.com/conforma/cli?rev={{revision}}
     build.appstudio.redhat.com/commit_sha: '{{revision}}'
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
diff --git a/.tekton/conforma-cli-stack-pull-request.yaml b/.tekton/conforma-cli-stack-pull-request.yaml
@@ -0,0 +1,54 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/conforma/cli?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/max-keep-runs: "3"
+    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
+      == "release-v0.8"
+  creationTimestamp: null
+  labels:
+    appstudio.openshift.io/application: cli-stacks
+    appstudio.openshift.io/component: conforma-cli-stack
+    pipelines.appstudio.openshift.io/type: build
+  name: conforma-cli-stack-on-pull-request
+  namespace: rhtas-tenant
+spec:
+  params:
+  - name: release-version
+    value: 1.4.0
+  - name: dockerfile
+    value: Dockerfile.cli-stack.rh
+  - name: git-url
+    value: '{{repo_url}}'
+  - name: image-expires-after
+    value: 5d
+  - name: output-image
+    value: quay.io/securesign/conforma-cli-stack:on-pr-{{revision}}
+  - name: path-context
+    value: .
+  - name: revision
+    value: '{{revision}}'
+  - name: hermetic
+    value: "true"
+  - name: build-source-image
+    value: "true"
+  pipelineRef:
+    params:
+    - name: url
+      value: https://github.com/securesign/pipelines.git
+    - name: revision
+      value: main
+    - name: pathInRepo
+      value: pipelines/docker-build-oci-ta.yaml
+    resolver: git
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-conforma-cli-stack
+  workspaces:
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'
+status: {}
diff --git a/.tekton/conforma-cli-stack-push.yaml b/.tekton/conforma-cli-stack-push.yaml
@@ -0,0 +1,51 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  annotations:
+    build.appstudio.openshift.io/repo: https://github.com/conforma/cli?rev={{revision}}
+    build.appstudio.redhat.com/commit_sha: '{{revision}}'
+    build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+    pipelinesascode.tekton.dev/max-keep-runs: "3"
+    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
+      == "release-v0.8"
+  creationTimestamp: null
+  labels:
+    appstudio.openshift.io/application: cli-stacks
+    appstudio.openshift.io/component: conforma-cli-stack
+    pipelines.appstudio.openshift.io/type: build
+  name: conforma-cli-stack-on-push
+  namespace: rhtas-tenant
+spec:
+  params:
+  - name: release-version
+    value: 1.4.0
+  - name: dockerfile
+    value: Dockerfile.cli-stack.rh
+  - name: git-url
+    value: '{{repo_url}}'
+  - name: output-image
+    value: quay.io/securesign/conforma-cli-stack:{{revision}}
+  - name: path-context
+    value: .
+  - name: revision
+    value: '{{revision}}'
+  - name: hermetic
+    value: "true"
+  - name: build-source-image
+    value: "true"
+  pipelineRef:
+    params:
+    - name: url
+      value: https://github.com/securesign/pipelines.git
+    - name: revision
+      value: main
+    - name: pathInRepo
+      value: pipelines/docker-build-oci-ta.yaml
+    resolver: git
+  taskRunTemplate:
+    serviceAccountName: build-pipeline-conforma-cli-stack
+  workspaces:
+  - name: git-auth
+    secret:
+      secretName: '{{ git_auth_secret }}'
+status: {}
diff --git a/Dockerfile.cli-stack.rh b/Dockerfile.cli-stack.rh
@@ -0,0 +1,68 @@
+# Per-arch digests are managed by the Konflux nudge mechanism.
+# Replace placeholders with actual per-arch digests before first build.
+FROM --platform=linux/amd64   quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_AMD64 AS build-amd64
+FROM --platform=linux/arm64   quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_ARM64 AS build-arm64
+FROM --platform=linux/ppc64le quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_PPC64LE AS build-ppc64le
+FROM --platform=linux/s390x   quay.io/redhat-user-workloads/rhtap-contract-tenant/ec-v08/cli-v08@sha256:REPLACE_S390X AS build-s390x
+
+FROM registry.redhat.io/ubi9/go-toolset:9.7@sha256:799cc027d5ad58cdc156b65286eb6389993ec14c496cf748c09834b7251e78dc AS packager
+USER root
+RUN mkdir -p /binaries
+
+# Native Linux binaries from each arch variant
+COPY --from=build-amd64 /usr/local/bin/ec_linux_amd64.gz /tmp/ec_linux_amd64.gz
+RUN gzip -d /tmp/ec_linux_amd64.gz && \
+    tar -czf /binaries/ec_linux_amd64.tar.gz -C /tmp ec_linux_amd64 && \
+    rm /tmp/ec_linux_amd64
+
+COPY --from=build-arm64 /usr/local/bin/ec_linux_arm64.gz /tmp/ec_linux_arm64.gz
+RUN gzip -d /tmp/ec_linux_arm64.gz && \
+    tar -czf /binaries/ec_linux_arm64.tar.gz -C /tmp ec_linux_arm64 && \
+    rm /tmp/ec_linux_arm64
+
+COPY --from=build-ppc64le /usr/local/bin/ec_linux_ppc64le.gz /tmp/ec_linux_ppc64le.gz
+RUN gzip -d /tmp/ec_linux_ppc64le.gz && \
+    tar -czf /binaries/ec_linux_ppc64le.tar.gz -C /tmp ec_linux_ppc64le && \
+    rm /tmp/ec_linux_ppc64le
+
+COPY --from=build-s390x /usr/local/bin/ec_linux_s390x.gz /tmp/ec_linux_s390x.gz
+RUN gzip -d /tmp/ec_linux_s390x.gz && \
+    tar -czf /binaries/ec_linux_s390x.tar.gz -C /tmp ec_linux_s390x && \
+    rm /tmp/ec_linux_s390x
+
+# Cross-compiled binaries (same across all variants, taken from amd64)
+# Darwin amd64
+COPY --from=build-amd64 /usr/local/bin/ec_darwin_amd64.gz /tmp/ec_darwin_amd64.gz
+RUN gzip -d /tmp/ec_darwin_amd64.gz && \
+    tar -czf /binaries/ec_darwin_amd64.tar.gz -C /tmp ec_darwin_amd64 && \
+    rm /tmp/ec_darwin_amd64
+
+# Darwin arm64
+COPY --from=build-amd64 /usr/local/bin/ec_darwin_arm64.gz /tmp/ec_darwin_arm64.gz
+RUN gzip -d /tmp/ec_darwin_arm64.gz && \
+    tar -czf /binaries/ec_darwin_arm64.tar.gz -C /tmp ec_darwin_arm64 && \
+    rm /tmp/ec_darwin_arm64
+
+# Windows amd64
+COPY --from=build-amd64 /usr/local/bin/ec_windows_amd64.exe.gz /tmp/ec_windows_amd64.exe.gz
+RUN gzip -d /tmp/ec_windows_amd64.exe.gz && \
+    tar -czf /binaries/ec_windows_amd64.tar.gz -C /tmp ec_windows_amd64.exe && \
+    rm /tmp/ec_windows_amd64.exe
+
+# Final minimal image with all binaries
+FROM registry.redhat.io/ubi9/ubi-minimal@sha256:69f5c9886ecb19b23e88275a5cd904c47dd982dfa370fbbd0c356d7b1047ef68
+
+LABEL description="Flat image containing Conforma CLI binaries for all platforms and architectures"
+LABEL io.k8s.description="Flat image containing Conforma CLI binaries for all platforms and architectures"
+LABEL io.opencontainers.image.description="Flat image containing Conforma CLI binaries for all platforms and architectures"
+LABEL io.k8s.display-name="Conforma CLI stack image for Red Hat Trusted Artifact Signer"
+LABEL io.openshift.tags="conforma trusted-artifact-signer cli-stack"
+LABEL summary="Provides Conforma CLI binaries as tar.gz archives for CDN distribution."
+LABEL com.redhat.component="conforma-cli-stack"
+
+COPY --from=packager /binaries/ /binaries/
+COPY --from=build-amd64 /licenses/ /licenses/
+
+RUN chown -R root:0 /binaries && chmod -R g+r /binaries
+
+USER 65532:65532
