pcongiusti pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-k.git
The following commit(s) were added to refs/heads/main by this push:
new 64f5b81ac feat(build): use base image SHA for reproducible builds
64f5b81ac is described below
commit 64f5b81ac8736b261ba411a3302c295380e4a49a
Author: Michal Vavřík <[email protected]>
AuthorDate: Sun Mar 8 11:52:52 2026 +0100
feat(build): use base image SHA for reproducible builds
* Closes: https://github.com/apache/camel-k/issues/5986
Signed-off-by: Michal Vavřík <[email protected]>
---
.github/actions/automatic-updates/action.yml | 3 +-
.../ROOT/pages/installation/advanced/advanced.adoc | 2 +-
e2e/common/traits/builder_test.go | 5 ++++
pkg/util/defaults/defaults.go | 2 +-
script/Makefile | 5 +++-
script/update_base_image_sha.sh | 35 ++++++++++++++++++++++
6 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/.github/actions/automatic-updates/action.yml
b/.github/actions/automatic-updates/action.yml
index 5ef75e1e3..fe4c81821 100644
--- a/.github/actions/automatic-updates/action.yml
+++ b/.github/actions/automatic-updates/action.yml
@@ -54,7 +54,8 @@ runs:
- name: Run project refresh actions
shell: bash
run: |
- make generate codegen update-docs
+ # run 'generate' separately from 'codegen' so that changes to Makefile
are reflected
+ make generate && make codegen update-docs
# Coverage badge
- name: Run Test and get coverage badge
diff --git a/docs/modules/ROOT/pages/installation/advanced/advanced.adoc
b/docs/modules/ROOT/pages/installation/advanced/advanced.adoc
index b648e9dba..f4bb80e4b 100644
--- a/docs/modules/ROOT/pages/installation/advanced/advanced.adoc
+++ b/docs/modules/ROOT/pages/installation/advanced/advanced.adoc
@@ -60,7 +60,7 @@ The following environment variables can be configured on the
operator Deployment
|The operator ID used to identify which operator instance manages specific
resources. Can also be set via `OPERATOR_ID`.
|`KAMEL_BASE_IMAGE`
-|`eclipse-temurin:17-jdk`
+|`eclipse-temurin:17-jdk@sha256:<digest>`
|The base image used for building Integration images. Can also be set via
`RELATED_IMAGE_BASE`.
|`CAMEL_K_SYNTHETIC_INTEGRATIONS`
diff --git a/e2e/common/traits/builder_test.go
b/e2e/common/traits/builder_test.go
index 12b40aa34..2a0b44a5a 100644
--- a/e2e/common/traits/builder_test.go
+++ b/e2e/common/traits/builder_test.go
@@ -192,6 +192,11 @@ func TestBuilderTrait(t *testing.T) {
// Check logs
g.Eventually(Logs(t, ctx, integrationKitNamespace,
builderKitName, corev1.PodLogOptions{Container:
"custom1"})).Should(ContainSubstring(`generated-bytecode.jar`))
g.Eventually(Logs(t, ctx, integrationKitNamespace,
builderKitName, corev1.PodLogOptions{Container:
"custom2"})).Should(ContainSubstring(`<artifactId>camel-k-integration</artifactId>`))
+
+ // Verify base image uses a digest for reproducible
builds (see #5986)
+ jibLogs := Logs(t, ctx, integrationKitNamespace,
builderKitName, corev1.PodLogOptions{Container: "jib"})()
+ g.Expect(jibLogs).ToNot(BeEmpty())
+ g.Expect(jibLogs).ToNot(ContainSubstring("does not use
a specific image digest"))
})
t.Run("Run custom pipeline task error", func(t *testing.T) {
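Review bot: The new negative assertion on `jibLogs` can pass without proving the build was pinned. Any non-empty log that lacks the exact text `does not use a specific image digest` satisfies it, for example a partial read from the single `Logs(...)()` call or a builder release that rewords the warning. The earlier checks in this hunk go through `g.Eventually`, while this one reads the log only once. If the jib output prints the base image reference (not visible from this hunk), add a positive check such as `g.Expect(jibLogs).To(ContainSubstring("@sha256:"))`, or assert on the base image recorded for the build. The body of `TestBuilderTrait` starts and ends outside the hunk.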
diff --git a/pkg/util/defaults/defaults.go b/pkg/util/defaults/defaults.go
index 49d6c9ee0..424143d47 100644
--- a/pkg/util/defaults/defaults.go
+++ b/pkg/util/defaults/defaults.go
@@ -29,7 +29,7 @@ const (
DefaultRuntimeVersion = "3.15.3"
// baseImage --
- baseImage = "eclipse-temurin:17-jdk"
+ baseImage =
"eclipse-temurin:17-jdk@sha256:b624cb9175b71aaeb654dd9def666035332d5abf70318537c1a46e61564dbecd"
// LocalRepository --
LocalRepository = "/etc/maven/m2"
diff --git a/script/Makefile b/script/Makefile
index b3f5e6ab1..ed6e923f9 100644
--- a/script/Makefile
+++ b/script/Makefile
@@ -50,7 +50,9 @@ DEBUG_MODE ?= false
BASE_IMAGE_NAME := eclipse-temurin
BASE_IMAGE_VERSION := 17-jdk
OFFICIAL_IMAGE_VERSION := 17-jdk
-BASE_IMAGE := $(BASE_IMAGE_NAME):$(BASE_IMAGE_VERSION)
+BASE_IMAGE_SHA_VERSION := 17-jdk
+BASE_IMAGE_SHA :=
sha256:b624cb9175b71aaeb654dd9def666035332d5abf70318537c1a46e61564dbecd
+BASE_IMAGE := $(BASE_IMAGE_NAME):$(BASE_IMAGE_VERSION)$(if $(filter
$(BASE_IMAGE_VERSION),$(BASE_IMAGE_SHA_VERSION)),@$(BASE_IMAGE_SHA),)
LOCAL_REPOSITORY := /etc/maven/m2
OPENSHIFT_REGISTRY := image-registry.openshift-image-registry.svc:5000
IMAGE_NAME ?= docker.io/apache/camel-k
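Review bot: The pin on `BASE_IMAGE` silently disappears whenever `BASE_IMAGE_VERSION` and `BASE_IMAGE_SHA_VERSION` differ, and nothing visible in this commit keeps the two in step. script/update_base_image_sha.sh rewrites only the `BASE_IMAGE_SHA :=` line, so a later bump of `BASE_IMAGE_VERSION` alone would store a digest for the new tag while `$(filter …)` comes back empty and the build returns to the mutable tag without any message. Consider having the script rewrite `BASE_IMAGE_SHA_VERSION` together with the digest, or emitting `$(warning BASE_IMAGE is not pinned to a digest)` from the else branch of the `$(if …)`. At minimum add a comment above the two variables, e.g. `# BASE_IMAGE_SHA is the digest of BASE_IMAGE_NAME:BASE_IMAGE_SHA_VERSION; the pin applies only while BASE_IMAGE_VERSION matches it`.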
@@ -218,6 +220,7 @@ codegen:
generate: codegen-tools-install
@# We better force the developer to generate all the resources
everytime as
@# it happens we tend to forget some code generation in the past
+ ./script/update_base_image_sha.sh
$(BASE_IMAGE_NAME):$(BASE_IMAGE_VERSION)
./script/clone_kamelets.sh
cd pkg/apis && $(CONTROLLER_GEN) paths="./..." object
./script/gen_client.sh
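Review bot: Putting the digest refresh inside `generate` means every local `make generate` needs docker buildx, jq and registry access, and rewrites the tracked Makefile with whatever digest the tag resolves to at that moment. A digest change can then ride along in an unrelated commit without anyone comparing it against the upstream image, which weakens the review value of the pin. Consider a dedicated target (the name is only a suggestion), `update-base-image-sha:`, running `./script/update_base_image_sha.sh $(BASE_IMAGE_NAME):$(BASE_IMAGE_VERSION)` and called only from the automatic-updates action, so digest bumps arrive as their own reviewed change. The `generate` recipe may continue past the end of this hunk.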
diff --git a/script/update_base_image_sha.sh b/script/update_base_image_sha.sh
new file mode 100755
index 000000000..6de6f2ce4
--- /dev/null
+++ b/script/update_base_image_sha.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+set -e
+
+IMAGE="${1:?image argument required}"
+
+echo "Resolving digest for ${IMAGE}..."
+DIGEST=$(docker buildx imagetools inspect "$IMAGE" --format '{{json
.Manifest}}' | jq -r .digest)
+
+if [ -z "$DIGEST" ] || [ "$DIGEST" = "null" ]; then
+ echo "ERROR: failed to resolve digest for ${IMAGE}"
+ exit 1
+fi
+
+echo "Resolved digest: ${DIGEST}"
+
+MAKEFILE=$(dirname "$0")/Makefile
+sed -i "s|^BASE_IMAGE_SHA :=.*|BASE_IMAGE_SHA := ${DIGEST}|" "$MAKEFILE"
+
+echo "Updated BASE_IMAGE_SHA in ${MAKEFILE}"
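Review bot: The value read back from the registry goes into the `sed` replacement without a format check, so anything other than a plain digest (an error string, or a value containing `|` or `&`) would be written into the Makefile while the script still prints `Updated`. The same holds when the `^BASE_IMAGE_SHA :=` line is missing: `sed -i` changes nothing and exits 0. With `set -e` alone, a failing `docker buildx` on the left of the pipe is caught only indirectly through the empty-string test. The excerpt below uses `set -euo pipefail`, replaces the empty/`null` test with a strict `sha256:<64 hex>` match, and verifies the rewrite. Note also that `sed -i` without a suffix argument is GNU-specific, which matters if `make generate` is run on macOS.

```shell
set -euo pipefail

# … unchanged: IMAGE argument and digest lookup …

# Reject anything that is not a plain sha256 digest before it reaches sed.
if ! [[ "$DIGEST" =~ ^sha256:[0-9a-f]{64}$ ]]; then
    echo "ERROR: unexpected digest for ${IMAGE}: '${DIGEST}'" >&2
    exit 1
fi

# … unchanged: MAKEFILE path and sed rewrite …

# Fail if the Makefile does not carry the resolved digest after the rewrite.
grep -q "^BASE_IMAGE_SHA := ${DIGEST}\$" "$MAKEFILE" || {
    echo "ERROR: BASE_IMAGE_SHA not updated in ${MAKEFILE}" >&2
    exit 1
}
```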