Use a multi-stage build to create the Flatpak Indexer container image

Instead of building a differ image and then copying files around in
a build script (which causes much complexity in CI), we can use
a multi-stage Containerfile to build and test everything in one place.

Author: owtaylor

.dockerignore

@@ -0,0 +1,9 @@
+Containerfile
+differ
+dist
+out
+tls-secrets
+.venv
+work
+**/__pycache__
+

.gitignore

@@ -2,6 +2,7 @@
 /.test-data
 /dist
 /out/*
+/uv.lock
 /tls-secrets/*
 /work/*
 /flatpak_indexer/certs/RH-IT-Root-CA.crt

.gitmodules

@@ -1,3 +1,3 @@
-[submodule "differ/tar-diff"]
-	path = differ/tar-diff
+[submodule "tar-diff"]
+	path = tar-diff
 	url = https://github.com/containers/tar-diff

Containerfile

@@ -0,0 +1,43 @@
+FROM registry.access.redhat.com/ubi9/go-toolset as tar-diff-builder
+
+USER root
+ADD tar-diff /tmp/src
+RUN chown -R 1001:0 /tmp/src
+
+USER 1001
+
+# We need to pass -buildvcs=false because we only copy part of the git checkout
+RUN cd /tmp/src && go build -buildvcs=false -o /opt/app-root/bin/tar-diff ./cmd/tar-diff
+
+FROM registry.access.redhat.com/ubi9/python-312 as builder
+
+ARG FLATPAK_INDEXER_UPDATE_TEST_DATA=false
+ENV FLATPAK_INDEXER_UPDATE_TEST_DATA=${FLATPAK_INDEXER_UPDATE_TEST_DATA}
+
+# Add application sources to a directory that the assemble script expects them
+# and set permissions so that the container runs without root access
+USER 0
+ADD . /tmp/src
+RUN /usr/bin/fix-permissions /tmp/src
+USER 1001
+
+# Install the application's dependencies from PyPI
+RUN /bin/sh /tmp/src/.s2i/bin/assemble
+
+FROM registry.access.redhat.com/ubi9/python-312-minimal
+
+USER 0
+RUN microdnf -y install time && microdnf clean all
+USER 1001
+
+# Copy the tar-diff binary from the tar-diff-builder image
+COPY --from=tar-diff-builder /opt/app-root/bin/tar-diff /opt/app-root/bin/
+
+# Copy app sources together with the whole virtual environment from the builder image
+COPY --from=builder /opt/app-root /opt/app-root
+
+# Run tests
+RUN $APP_ROOT/src/tools/test.sh
+
+# Set the default command for the resulting image
+CMD /usr/libexec/s2i/run

differ/Dockerfile

@@ -4,32 +4,4 @@ set -ex
 
 origin=$(cd $(dirname $0)/.. && pwd)
 
-tmp_container=
-work=$(mktemp -d)
-cleanup() {
-    :
-    #    rm -rf $work
-    [ -n "$tmp_container" ] && podman rm $tmp_container
-}
-trap cleanup EXIT
-
-set -x
-
-podman build $origin/differ -t flatpak-indexer-tar-diff
-
-s2i build --copy --as-dockerfile=$work/Dockerfile $origin registry.access.redhat.com/ubi8/python-39 flatpak-indexer
-
-tmp_container=$(podman create flatpak-indexer-tar-diff)
-mkdir -p -m 0755 $work/upload/src/bin
-podman cp $tmp_container:/opt/app-root/tar-diff $work/upload/src/bin/tar-diff
-podman cp $tmp_container:/usr/bin/time $work/upload/src/bin/time
-
-tmp_tag="flatpak-indexer:$(date +%Y%m%d-%H%M%S)"
-podman build $work -t $tmp_tag
-if podman run --network=none --rm $tmp_tag tools/test.sh ; then
-    podman tag $tmp_tag flatpak-indexer:latest
-    podman rmi $tmp_tag
-else
-    podman rmi $tmp_tag
-    exit 1
-fi
+podman build -t flatpak-indexer:latest $origin