Open lyoung-confluent opened 2 weeks ago
Currently the build steps for various `prometheus-*` packages use the Makefile within the repository to build a binary, ex:

Within these makefiles they fetch the Prometheus Utility Tool (promu) to use when building. This is a binary fetched at the time of each build without any checksum validation from a GitHub release, ex: https://github.com/prometheus/blackbox_exporter/blob/6efcf0ce7f1722e973979af78710607441fc11c0/Makefile.common#L59

It would be safer to create a Wolfi `prometheus-promu` package and build that tool from source, then use that package in the builds of other prometheus packages instead of the hosted binary.

Here's a pipeline YAML for `promu`:

```yaml
package:
  name: prometheus-promu
  version: 0.17.0
  epoch: 0
  description: Prometheus Utility Tool
  copyright:
    - license: Apache-2.0

environment:
  contents:
    packages:
      - build-base
      - busybox
      - ca-certificates-bundle
      - curl
      - go
      - wolfi-baselayout

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/prometheus/promu
      tag: v${{package.version}}
      expected-commit: 3912dec4ab83971903015cc7b2a8d8ff93b73910

  - runs: |
      make build
      mkdir -p ${{targets.destdir}}/usr/bin
      cp promu ${{targets.destdir}}/usr/bin/

update:
  enabled: true
  github:
    identifier: prometheus/promu
    strip-prefix: v
    use-tag: true
    tag-filter: v
```

Alternatively, it might make more sense to just refactor out the use of `make common-build` and instead directly use the `go/build` pipeline instead of using the repository Makefile. This seems to be how the prometheus package is built already: https://github.com/wolfi-dev/os/blob/5aab5b05a758082581d7c463dbff8b3ab58c8dfc/prometheus-2.52.yaml#L34-L38
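The issue's core point is that the Prometheus `Makefile.common` fetches a release binary and runs it with no integrity check. The script below is an added example, not from the issue author, the Prometheus project or Wolfi: it shows the fail-closed shape such a fetch step should have, pinning an expected SHA-256 and refusing to install the file on mismatch. The function names (`verify_sha256`, `install_verified`, `demo`) and the locally written "release binary" are constructed for illustration; no network download happens, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the issue or the Prometheus/Wolfi projects):
# a fail-closed verify-then-install step that a Makefile could call instead
# of piping an unverified GitHub release binary straight into the build.
set -eu

# verify_sha256 FILE EXPECTED_HEX
# Exit status 0 if FILE's SHA-256 equals EXPECTED_HEX, 1 otherwise.
verify_sha256() {
  file="$1"; expected="$2"
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# install_verified SRC DEST EXPECTED_HEX
# Installs SRC as DEST only after the digest check passes. On mismatch the
# file is removed and the function returns non-zero, so `make` stops instead
# of silently using whatever was downloaded.
install_verified() {
  src="$1"; dest="$2"; expected="$3"
  if verify_sha256 "$src" "$expected"; then
    install -m 0755 "$src" "$dest"
  else
    echo "checksum mismatch for $src (expected $expected)" >&2
    rm -f "$src"
    return 1
  fi
}

# demo: constructed inputs so the example runs offline. A fake "promu"
# script stands in for the release binary; its digest is computed as the
# pinned value, then a tampered copy is shown being rejected.
demo() {
  tmp=$(mktemp -d)
  printf '#!/bin/sh\necho promu\n' > "$tmp/promu.good"
  pinned=$(sha256sum "$tmp/promu.good" | cut -d' ' -f1)

  install_verified "$tmp/promu.good" "$tmp/promu" "$pinned"
  echo "ok: genuine artifact installed at $tmp/promu"

  printf '#!/bin/sh\necho tampered\n' > "$tmp/promu.bad"
  if install_verified "$tmp/promu.bad" "$tmp/promu2" "$pinned" 2>/dev/null; then
    echo "BUG: tampered artifact accepted" >&2
    rm -rf "$tmp"
    return 1
  fi
  echo "ok: tampered artifact rejected"
  rm -rf "$tmp"
}

demo
```

In a real Makefile the pinned digest would come from the release's published checksums file (itself checked into the repository or verified by signature), not computed on the fly as `demo` does for illustration; the point is that the install step cannot succeed without an explicit, pre-known expected value.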