wolfi-dev / os

Main package repository for production Wolfi images

Prometheus Packages use promu binary from GitHub #19700

Open lyoung-confluent opened 2 weeks ago

lyoung-confluent commented 2 weeks ago

Currently the build steps for various prometheus-* packages use the Makefile within the repository to build a binary, ex:

  - runs: |
      make common-build

  - runs: |
      mkdir -p "${{targets.destdir}}"/usr/bin
      mkdir -p "${{targets.destdir}}"/etc/blackbox_exporter
      install -Dm755 blackbox_exporter "${{targets.destdir}}"/usr/bin/blackbox_exporter
      install -Dm644 blackbox.yml "${{targets.destdir}}"/etc/blackbox_exporter/config.yml

Within these makefiles they fetch the Prometheus Utility Tool (promu) to use when building. This is a binary fetched at the time of each build without any checksum validation from a GitHub release, ex: https://github.com/prometheus/blackbox_exporter/blob/6efcf0ce7f1722e973979af78710607441fc11c0/Makefile.common#L59

It would be safer to create a Wolfi prometheus-promu package and build that tool from source, then use that package in the builds of other prometheus packages instead of the hosted binary.

lyoung-confluent commented 2 weeks ago

Here's a pipeline YAML for promu:

package:
  name: prometheus-promu
  version: 0.17.0
  epoch: 0
  description: Prometheus Utility Tool
  copyright:
    - license: Apache-2.0

environment:
  contents:
    packages:
      - build-base
      - busybox
      - ca-certificates-bundle
      - curl
      - go
      - wolfi-baselayout

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/prometheus/promu
      tag: v${{package.version}}
      expected-commit: 3912dec4ab83971903015cc7b2a8d8ff93b73910

  - runs: |
      make build
      mkdir -p ${{targets.destdir}}/usr/bin
      cp promu ${{targets.destdir}}/usr/bin/

update:
  enabled: true
  github:
    identifier: prometheus/promu
    strip-prefix: v
    use-tag: true
    tag-filter: v

lyoung-confluent commented 2 weeks ago

Alternatively, it might make more sense to just refactor out the use of make common-build and instead directly use the go/build pipeline instead of using the repository Makefile. This seems to be how the prometheus package is built already: https://github.com/wolfi-dev/os/blob/5aab5b05a758082581d7c463dbff8b3ab58c8dfc/prometheus-2.52.yaml#L34-L38
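The refactor suggested in the last comment, written out for the blackbox_exporter recipe quoted in the first comment, as an added example rather than a recipe from the wolfi-dev/os repository. It assumes the blackbox_exporter main package is at the repository root and that melange's go/build pipeline installs its `output` binary under /usr/bin by default; the expected-commit value is a placeholder to be replaced with the commit the release tag resolves to.

```yaml
# Before: the Makefile path. `make common-build` runs Makefile.common, which
# downloads a prebuilt promu binary from a GitHub release at build time and
# performs no checksum verification of it.
#
#   - runs: |
#       make common-build
#
# After: build the Go package directly with melange's go/build pipeline, so the
# only build inputs are the pinned source checkout and the Wolfi go toolchain.
environment:
  contents:
    packages:
      - build-base
      - busybox
      - ca-certificates-bundle
      - go
      - wolfi-baselayout

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/prometheus/blackbox_exporter
      tag: v${{package.version}}
      # placeholder: replace with the commit the release tag resolves to
      expected-commit: 0000000000000000000000000000000000000000

  - uses: go/build
    with:
      # assumption: the exporter's main package is the repository root
      packages: .
      output: blackbox_exporter
      # promu normally injects this via ldflags; set it explicitly so
      # `blackbox_exporter --version` still reports the version without promu
      ldflags: -X github.com/prometheus/common/version.Version=${{package.version}}

  - runs: |
      # go/build has already installed the binary under /usr/bin (assumed
      # default); only the default config still needs staging, as in the
      # original recipe
      install -Dm644 blackbox.yml "${{targets.destdir}}"/etc/blackbox_exporter/config.yml
```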