Refactor update-rpm-lock.sh to work on MacOS

[joejstuart]

User description

There was a file descriptor issue when using podman with the process substitution.

---

PR Type

Bug fix, Enhancement

---

Description

• Replace process substitution with temporary file to fix podman compatibility on macOS

• Add explicit platform specification (linux/amd64) for container builds

• Use mktemp for safe temporary Dockerfile creation with cleanup trap

• Apply platform flag to both build and run commands for consistency

---

Diagram Walkthrough

flowchart LR
  A["Process Substitution<br/>with podman"] -->|Issue on macOS| B["Temporary File<br/>Approach"]
  C["Missing Platform<br/>Specification"] -->|Add Compatibility| D["Explicit linux/amd64<br/>Platform Flag"]
  B --> E["Build & Run<br/>Commands"]
  D --> E
  E --> F["macOS Compatible<br/>Script"]

Loading

File Walkthrough

Relevant files

Bug fix

update-rpm-lock.sh Fix macOS podman compatibility with temp files                      hack/update-rpm-lock.sh Replace process substitution <(cat < with temporary file created via mktemp to resolve podman file descriptor issues on macOS Add PLATFORM="linux/amd64" variable for explicit container platform specification Add trap handler to clean up temporary Dockerfile on script exit Apply --platform "${PLATFORM}" flag to both podman build and podman run commands for consistency +11/-2

---

[qodo-merge-pro]

PR Compliance Guide 🔍

(Compliance updated until commit e35fb50)

Below is a summary of compliance checks for this PR:

Security Compliance
🟢	No security concerns identified No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: No audit logs: The newly added container build/run steps do not add or emit any audit logging for critical actions, which may be acceptable for a local dev script but cannot be confirmed from the diff alone. Referred Code dockerfile=$(mktemp "${TMPDIR:-/tmp}/rpm-lock-dockerfile.XXXXXX") trap "rm -f ${dockerfile}" EXIT cat > "${dockerfile}" <<DOCKERFILE FROM quay.io/openshift/origin-cli:latest as oc-cli # Python version needs to match whatever version of Python dnf itself depends on FROM registry.access.redhat.com/ubi9/python-39:latest # need to switch to root for dnf install below and for the script to run dnf # config-manager which demands root user USER 0 RUN dnf install --assumeyes --nodocs --setopt=keepcache=0 --refresh skopeo jq RUN pip install https://github.com/konflux-ci/rpm-lockfile-prototype/archive/refs/tags/${latest_release}.tar.gz RUN pip install dockerfile-parse COPY --from=oc-cli /usr/bin/oc /usr/bin ENV PYTHONPATH=/usr/lib64/python3.9/site-packages:/usr/lib/python3.9/site-packages ... (clipped 58 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Missing error checks: Newly added uses of mktemp, trap, heredoc to temporary Dockerfile, and podman build/run lack explicit error checking and contextual error messages, which could lead to silent or unclear failures. Referred Code dockerfile=$(mktemp "${TMPDIR:-/tmp}/rpm-lock-dockerfile.XXXXXX") trap "rm -f ${dockerfile}" EXIT cat > "${dockerfile}" <<DOCKERFILE FROM quay.io/openshift/origin-cli:latest as oc-cli # Python version needs to match whatever version of Python dnf itself depends on FROM registry.access.redhat.com/ubi9/python-39:latest # need to switch to root for dnf install below and for the script to run dnf # config-manager which demands root user USER 0 RUN dnf install --assumeyes --nodocs --setopt=keepcache=0 --refresh skopeo jq RUN pip install https://github.com/konflux-ci/rpm-lockfile-prototype/archive/refs/tags/${latest_release}.tar.gz RUN pip install dockerfile-parse COPY --from=oc-cli /usr/bin/oc /usr/bin ENV PYTHONPATH=/usr/lib64/python3.9/site-packages:/usr/lib/python3.9/site-packages ... (clipped 58 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: External input trust: The script consumes external data (e.g., Docker/Podman context, base images, gh API output used earlier) without added validation in the new lines, and platform input is hardcoded but other inputs for build/run volumes are not validated in the added code. Referred Code image=$(podman build --platform "${PLATFORM}" --quiet --file "${dockerfile}" .) echo "Built: ${image}" # script that performs everything within the image built above script="$(cat <<"RPM_LOCK_SCRIPT" set -o errexit set -o pipefail set -o nounset # determine the base image base_img=$(python <<SCRIPT from dockerfile_parse import DockerfileParser with open("Dockerfile", "r") as d: dfp = DockerfileParser(fileobj=d) # the last FROM image is the image we want to base on print(dfp.parent_images[-1]) SCRIPT ) ... (clipped 35 lines) Learn more about managing compliance generic rules or creating your own custom rules

Compliance status legend

🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

---

Previous compliance checks

Compliance check up to commit e35fb50

Security Compliance
⚪	Insecure temp file handling Description: Temporary Dockerfile path stored in a predictable directory under $TMPDIR or /tmp and removed only via EXIT trap could be left behind on abnormal termination or if trap is bypassed, potentially exposing build instructions to other local users on shared systems. update-rpm-lock.sh [34-36] Referred Code dockerfile=$(mktemp "${TMPDIR:-/tmp}/rpm-lock-dockerfile.XXXXXX") trap "rm -f ${dockerfile}" EXIT
	Risky container volume mounts Description: Mounting host files into the container with SELinux :Z relabeling may grant the container broader read/write access to sensitive project files (Dockerfile, rpms.in.yaml, rpms.lock.yaml); if the image or its dependencies are untrusted this could allow data exfiltration or modification. update-rpm-lock.sh [108-112] Referred Code --platform "${PLATFORM}" \ --rm \ --volume "${root_dir}/Dockerfile.dist:/opt/app-root/src/Dockerfile:Z" \ --volume "${root_dir}/rpms.in.yaml:/opt/app-root/src/rpms.in.yaml:Z" \ --volume "${root_dir}/rpms.lock.yaml:/opt/app-root/src/rpms.lock.yaml:Z" \
Ticket Compliance
⚪	🎫 No ticket provided Create ticket/issue
Codebase Duplication Compliance
⚪	Codebase context is not defined Follow the guide to enable codebase context checks.
Custom Compliance
🟢	Generic: Meaningful Naming and Self-Documenting Code Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Error Handling Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Secure Logging Practices Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data. Status: Passed Learn more about managing compliance generic rules or creating your own custom rules
⚪	Generic: Comprehensive Audit Trails Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance. Status: No audit logs: The new container build/run steps (e.g., setting PLATFORM and building/running images) add critical actions without any auditing or structured logging that captures user, timestamp, action, and outcome. Referred Code # Platform to use for building and running containers # Use linux/amd64 for compatibility with base images that may not have ARM64 variants PLATFORM="linux/amd64" latest_release=$(gh api '/repos/konflux-ci/rpm-lockfile-prototype/tags?per_page=1' --jq '.[0].name') # build the image for running the RPM lock tool echo Building RPM lock tooling image... dockerfile=$(mktemp "${TMPDIR:-/tmp}/rpm-lock-dockerfile.XXXXXX") trap "rm -f ${dockerfile}" EXIT cat > "${dockerfile}" <<DOCKERFILE FROM quay.io/openshift/origin-cli:latest as oc-cli # Python version needs to match whatever version of Python dnf itself depends on FROM registry.access.redhat.com/ubi9/python-39:latest # need to switch to root for dnf install below and for the script to run dnf # config-manager which demands root user USER 0 ... (clipped 66 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Robust Error Handling and Edge Case Management Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation Status: Missing error handling: External command failures (mktemp, podman build/run, gh api) lack explicit error checks and contextual messages, risking silent or unclear failures. Referred Code dockerfile=$(mktemp "${TMPDIR:-/tmp}/rpm-lock-dockerfile.XXXXXX") trap "rm -f ${dockerfile}" EXIT cat > "${dockerfile}" <<DOCKERFILE FROM quay.io/openshift/origin-cli:latest as oc-cli # Python version needs to match whatever version of Python dnf itself depends on FROM registry.access.redhat.com/ubi9/python-39:latest # need to switch to root for dnf install below and for the script to run dnf # config-manager which demands root user USER 0 RUN dnf install --assumeyes --nodocs --setopt=keepcache=0 --refresh skopeo jq RUN pip install https://github.com/konflux-ci/rpm-lockfile-prototype/archive/refs/tags/${latest_release}.tar.gz RUN pip install dockerfile-parse COPY --from=oc-cli /usr/bin/oc /usr/bin ENV PYTHONPATH=/usr/lib64/python3.9/site-packages:/usr/lib/python3.9/site-packages ... (clipped 57 lines) Learn more about managing compliance generic rules or creating your own custom rules
	Generic: Security-First Input Validation and Data Handling Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities Status: Unvalidated inputs: The script consumes external inputs and dependencies (gh API results, container images, mounted files) without validating availability or contents, which may introduce security risks. Referred Code latest_release=$(gh api '/repos/konflux-ci/rpm-lockfile-prototype/tags?per_page=1' --jq '.[0].name') # build the image for running the RPM lock tool echo Building RPM lock tooling image... dockerfile=$(mktemp "${TMPDIR:-/tmp}/rpm-lock-dockerfile.XXXXXX") trap "rm -f ${dockerfile}" EXIT cat > "${dockerfile}" <<DOCKERFILE FROM quay.io/openshift/origin-cli:latest as oc-cli # Python version needs to match whatever version of Python dnf itself depends on FROM registry.access.redhat.com/ubi9/python-39:latest # need to switch to root for dnf install below and for the script to run dnf # config-manager which demands root user USER 0 RUN dnf install --assumeyes --nodocs --setopt=keepcache=0 --refresh skopeo jq RUN pip install https://github.com/konflux-ci/rpm-lockfile-prototype/archive/refs/tags/${latest_release}.tar.gz RUN pip install dockerfile-parse ... (clipped 62 lines) Learn more about managing compliance generic rules or creating your own custom rules

[qodo-merge-pro]

PR Code Suggestions ✨

No code suggestions found for the PR.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
generative	68.80% <ø> (ø)
integration	68.80% <ø> (ø)
unit	68.80% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[joejstuart]

Merging this.