
Conversation

@kelchen123
Member

@kelchen123 kelchen123 commented Dec 8, 2025

User description

Replace manual Go tarball download with Red Hat's go-toolset package to comply with Conforma policy requiring approved package sources.

Changes:

  • Add go-toolset to rpms.in.yaml
  • Regenerate rpms.lock.yaml with go-toolset dependencies
  • Empty artifacts.lock.yaml (no more tarball downloads)
  • Update Containerfile and test.Containerfile to use microdnf install

Ensures Go 1.25.3 is installed from Red Hat UBI10 repositories instead of downloading from golang.org.

Assisted by: Cursor

Author's Checklist

  • I understand the problem that the PR is trying to address.
  • I understand the solution and its role and impact within the wider system.
  • I opted for automation and automated tests over documenting multiple steps.

Reviewer's Guide

  • What is the PR trying to solve?
  • Does the solution make sense?
  • How does this affect the wider system?
  • Is it being tested properly?
  • Does it keep documentation concise and maintainable?

PR Type

Enhancement


Description

  • Replace manual Go tarball downloads with go-toolset RPM package

  • Comply with Conforma policy requiring approved package sources

  • Simplify Go installation via microdnf in Containerfiles

  • Update documentation to reflect automatic dependency management


Diagram Walkthrough

flowchart LR
  A["Manual Go Tarball<br/>Download"] -->|"Replace with"| B["go-toolset RPM<br/>Package"]
  C["artifacts.lock.yaml<br/>with Go tarball"] -->|"Empty"| D["artifacts.lock.yaml<br/>empty"]
  E["rpms.in.yaml"] -->|"Add go-toolset"| F["rpms.lock.yaml<br/>regenerated"]
  B -->|"Install via"| G["microdnf install"]
  G -->|"Result"| H["Go 1.25.3 from<br/>UBI10 repos"]

File Walkthrough

Relevant files
Enhancement
Containerfile
Replace tarball download with go-toolset RPM install         

Containerfile

  • Remove manual Go tarball download logic and version arguments
  • Add go-toolset to microdnf install command
  • Simplify PATH environment variable (remove /usr/local/go/bin)
  • Update comments to indicate go-toolset is prefetched by Cachi2
+6/-18   
test.Containerfile
Replace tarball download with go-toolset RPM install         

test.Containerfile

  • Remove manual Go tarball download logic and version arguments
  • Add go-toolset to microdnf install command
  • Simplify PATH environment variable (remove /usr/local/go/bin)
  • Update comments to indicate go-toolset is prefetched by Cachi2
+6/-17   
Configuration changes
rpms.in.yaml
Add go-toolset package declaration                                             

rpms.in.yaml

  • Add go-toolset package to the packages list
  • Enables automatic dependency resolution via Mintmaker
+1/-0     
artifacts.lock.yaml
Empty artifacts list, remove Go tarball                                   

artifacts.lock.yaml

  • Remove Go 1.25.4 tarball entry (download_url, checksum, filename)
  • Empty artifacts list as Go is now installed via RPM package
  • Metadata version remains at 1.0
+1/-4     
Dependencies
rpms.lock.yaml
Regenerate lock file with go-toolset dependencies               

rpms.lock.yaml

  • Add go-toolset and golang package dependencies (go-toolset, golang,
    golang-bin, golang-race, golang-src)
  • Add transitive dependencies for go-toolset (apr, apr-util, delve,
    libserf, openssl-devel, subversion, utf8proc, file-libs, lmdb-libs)
  • Update kernel-headers to version 6.12.0-124.20.1.el10_1
  • Regenerated lock file reflects all transitive RPM dependencies
+124/-5 
Documentation
HERMETIC-BUILDS.md
Update documentation for automatic Go version management 

HERMETIC-BUILDS.md

  • Update artifacts.lock.yaml description to indicate it is now empty
  • Replace manual Go version upgrade instructions with automatic
    Mintmaker tracking
  • Remove Helm version upgrade section (only Go mentioned now)
  • Clarify that go-toolset is declared in rpms.in.yaml
  • Update troubleshooting section to note Go versions are automatically
    updated
  • Simplify maintenance tasks documentation
+14/-23 

@kelchen123 kelchen123 requested a review from a team as a code owner December 8, 2025 21:39
@snyk-io

snyk-io bot commented Dec 8, 2025

Snyk checks have passed. No issues have been found so far.

Status   Scanner                Critical   High   Medium   Low   Total
         Open Source Security   0          0      0        0     0 issues
         Licenses               0          0      0        0     0 issues
         Code Security          0          0      0        0     0 issues


@qodo-code-review

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified: No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
No audit scope: The PR only updates build/container and RPM lock files without introducing application
logic where audit trails would apply, so compliance cannot be determined from the diff
alone.

Referred Code
# go-toolset already declared in rpms.in.yaml (prefetched by Cachi2)
RUN if [ -f /cachi2/cachi2.env ]; then . /cachi2/cachi2.env; fi && \
    microdnf install -y \
    tar \
    gzip \
    gcc \
    curl \
    ca-certificates \
    git \
    go-toolset && \
    microdnf clean all


Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status:
No identifiers: Changes are Dockerfile-style package installs and docs with no new variables/functions
added, so naming conventions cannot be fully evaluated from this diff.

Referred Code
# go-toolset already declared in rpms.in.yaml (prefetched by Cachi2)
RUN if [ -f /cachi2/cachi2.env ]; then . /cachi2/cachi2.env; fi && \
    microdnf install -y \
    tar \
    gzip \
    gcc \
    curl \
    ca-certificates \
    git \
    go-toolset && \
    microdnf clean all

# Set Go environment (GOPATH needed for go mod download)
# go-toolset installs to /usr/bin/go (already in PATH)
ENV PATH="/root/go/bin:$PATH"
ENV GOPATH="/root/go"


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Shell error handling: The RUN layers invoke microdnf and other commands without explicit error checks beyond
shell defaults; however, container build steps may be sufficient and full error handling
cannot be assessed from these build scripts alone.

Referred Code
RUN if [ -f /cachi2/cachi2.env ]; then . /cachi2/cachi2.env; fi && \
    microdnf install -y \
    tar \
    gzip \
    gcc \
    curl \
    ca-certificates \
    git \
    go-toolset && \
    microdnf clean all


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status:
Not applicable: The changes affect build configuration and documentation without user-facing error
messages, so secure error handling cannot be evaluated from this diff.

Referred Code
| `artifacts.lock.yaml` | Version locks for external artifacts (currently empty) | Rarely (only if external downloads needed) |
| `rpms.in.yaml` | Declares required RPM packages (including go-toolset) | When adding system packages |
| `rpms.lock.yaml` | Auto-generated transitive RPM dependencies | After changing `rpms.in.yaml` |
| `go.mod` / `go.sum` | Go module dependencies | When adding/updating Go modules |
| `tools.go` | Build-time Go tool dependencies | When adding build tools |
| `ubi-10.repo` | RPM repository definitions | Rarely (only if UBI repos change) |

## Common Maintenance Tasks

### Upgrading Go Version

Go is installed via the `go-toolset` RPM package from UBI10 repositories.

**Step 1:** Update the package in `rpms.in.yaml`.

```yaml
packages:
  - go-toolset  # Uses latest available from UBI10 (currently 1.25.x)
```

**Step 2:** Regenerate the lock file.

... (clipped 7 lines)



Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities

Status:
Build-time inputs: The changes switch to repository-sourced go-toolset and do not handle runtime external inputs, so input validation of application data cannot be judged from this diff alone.

Referred Code
# go-toolset already declared in rpms.in.yaml (prefetched by Cachi2)
RUN if [ -f /cachi2/cachi2.env ]; then . /cachi2/cachi2.env; fi && \
    microdnf install -y \
    tar \
    gzip \
    which \
    procps-ng \
    gcc \
    shadow-utils \
    go-toolset && \
    microdnf clean all


Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
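As an added example (not part of the PR or the konflux-ci/caching repository), here is a small POSIX shell CI gate for the policy this PR exists to satisfy: it checks that every package a Containerfile's `microdnf install` step requests is recorded in `rpms.lock.yaml`, and that the Containerfile no longer fetches a Go tarball from upstream. File names follow the PR's layout; all file contents, the base image line, the lock entries and the `strace`/legacy drift cases are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the PR or the konflux-ci/caching repository.
# Gate: every package requested via `microdnf install` must be present in
# rpms.lock.yaml, and no Go tarball may be pulled from upstream. All inputs
# below are constructed for the demonstration.
set -eu
export LC_ALL=C

# Package names requested by every `microdnf install` step in a Containerfile.
# Backslash continuations are joined first; options (-y, --setopt=...) are skipped.
requested_packages() {
    tr -d '\\' < "$1" | tr '\n' ' ' \
        | grep -o 'microdnf install[^&]*' \
        | sed 's/microdnf install//' \
        | tr ' ' '\n' \
        | grep -v '^-' | grep -v '^$' \
        | sort -u
}

# Package names recorded in rpms.lock.yaml ("name:" keys, with or without a list dash).
locked_packages() {
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*name:[[:space:]]*//p' "$1" | sort -u
}

# Requested packages the lock file does not cover (one per line, empty if none).
unlocked_packages() {
    req=$(mktemp); lock=$(mktemp)
    requested_packages "$1" > "$req"
    locked_packages "$2" > "$lock"
    comm -23 "$req" "$lock"
    rm -f "$req" "$lock"
}

# Exit status 0 if the Containerfile still downloads Go from an upstream site.
fetches_go_tarball() {
    grep -Eq 'https?://(go\.dev|golang\.org|dl\.google\.com)/' "$1"
}

# Combined gate: 0 when fully locked and tarball-free, 1 otherwise.
check_containerfile() {
    rc=0
    missing=$(unlocked_packages "$1" "$2")
    if [ -n "$missing" ]; then
        printf '%s: packages not present in %s:\n%s\n' "$1" "$2" "$missing" >&2
        rc=1
    fi
    if fetches_go_tarball "$1"; then
        printf '%s: downloads Go from upstream instead of using go-toolset\n' "$1" >&2
        rc=1
    fi
    return $rc
}

# ---- constructed inputs (lock entries mirror the PR's "name:" layout) ----
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

cat > "$DEMO_DIR/rpms.lock.yaml" <<'EOF'
metadata:
  version: "1.0"
arches:
  - arch: x86_64
    packages:
      - url: https://example.invalid/gcc.rpm
        name: gcc
      - url: https://example.invalid/git.rpm
        name: git
      - url: https://example.invalid/go-toolset.rpm
        name: go-toolset
      - url: https://example.invalid/gzip.rpm
        name: gzip
      - url: https://example.invalid/tar.rpm
        name: tar
EOF

# Same shape as the PR's Containerfile after the change (base image line illustrative).
cat > "$DEMO_DIR/Containerfile.locked" <<'EOF'
FROM registry.access.redhat.com/ubi10/ubi-minimal
RUN if [ -f /cachi2/cachi2.env ]; then . /cachi2/cachi2.env; fi && \
    microdnf install -y \
    tar \
    gzip \
    gcc \
    git \
    go-toolset && \
    microdnf clean all
EOF

# Drift: a package added to the Containerfile but never to rpms.in.yaml / the lock.
cat > "$DEMO_DIR/Containerfile.drift" <<'EOF'
FROM registry.access.redhat.com/ubi10/ubi-minimal
RUN microdnf install -y tar gzip gcc git go-toolset strace && microdnf clean all
EOF

# Legacy shape the PR replaced: a Go tarball fetched from go.dev (constructed).
cat > "$DEMO_DIR/Containerfile.legacy" <<'EOF'
FROM registry.access.redhat.com/ubi10/ubi-minimal
RUN microdnf install -y tar gzip curl && microdnf clean all
RUN curl -fsSL https://go.dev/dl/go1.25.4.linux-amd64.tar.gz | tar -C /usr/local -xz
EOF

for f in locked drift legacy; do
    if check_containerfile "$DEMO_DIR/Containerfile.$f" "$DEMO_DIR/rpms.lock.yaml"; then
        echo "$f: OK"
    else
        echo "$f: REJECTED"
    fi
done
```

Run against the real `Containerfile`, `test.Containerfile` and `rpms.lock.yaml` in CI; a non-zero exit means either a package is being installed that the hermetic prefetch will not have, or the build has regressed to an upstream download.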

@qodo-code-review

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: High-level

Suggestion: Investigate minimizing dependencies from go-toolset

To reduce the builder image's size and security attack surface, investigate
minimizing the transitive dependencies introduced by go-toolset. This can be
achieved by using microdnf flags like --setopt=install_weak_deps=false.

Examples:

Containerfile [27-36]
RUN if [ -f /cachi2/cachi2.env ]; then . /cachi2/cachi2.env; fi && \
    microdnf install -y \
    tar \
    gzip \
    gcc \
    curl \
    ca-certificates \
    git \
    go-toolset && \
    microdnf clean all
rpms.lock.yaml [665-671]
  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi10/10/x86_64/appstream/os/Packages/s/subversion-1.14.5-3.el10.x86_64.rpm
    repoid: ubi-10-for-x86_64-appstream-rpms
    size: 1062483
    checksum: sha256:255c26aec3a47b57e66dbfff334fe9af48439efcc782132c5e5b3239c78699a1
    name: subversion
    evr: 1.14.5-3.el10
    sourcerpm: subversion-1.14.5-3.el10.src.rpm

Solution Walkthrough:

Before:

# Containerfile
RUN if [ -f /cachi2/cachi2.env ]; then . /cachi2/cachi2.env; fi && \
    microdnf install -y \
    tar \
    gzip \
    gcc \
    curl \
    ca-certificates \
    git \
    go-toolset && \
    microdnf clean all

After:

# Containerfile
RUN if [ -f /cachi2/cachi2.env ]; then . /cachi2/cachi2.env; fi && \
    microdnf install -y \
    --setopt=install_weak_deps=false \
    tar \
    gzip \
    gcc \
    curl \
    ca-certificates \
    git \
    go-toolset && \
    microdnf clean all
Suggestion importance [1-10]: 7

Why: The suggestion correctly identifies that using go-toolset adds many transitive dependencies, and proposes a valid method to reduce the image size and attack surface, which is a significant improvement.

Impact: Medium

Category: General

Suggestion: Remove unnecessary package from build

Remove the curl package from the microdnf install command in the go-builder
stage of the Containerfile, as it is no longer necessary after the switch to
installing Go via go-toolset.

Containerfile [27-36]

 RUN if [ -f /cachi2/cachi2.env ]; then . /cachi2/cachi2.env; fi && \
     microdnf install -y \
     tar \
     gzip \
     gcc \
-    curl \
     ca-certificates \
     git \
     go-toolset && \
     microdnf clean all
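Review bot: Dropping `curl` from this install list is only safe if no later RUN step in the go-builder stage (outside lines 27-36 shown here) still invokes it; grep the stage for `curl` before applying. `ca-certificates` remains in the list, which is what `go mod download` needs for TLS trust, so the Go build path itself is not affected by the removal.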
Suggestion importance [1-10]: 5

Why: The suggestion correctly identifies that curl is no longer needed in the go-builder stage since the Go installation method changed, and removing it is a good practice for image size reduction.

Impact: Low

@kelchen123 kelchen123 marked this pull request as draft December 8, 2025 22:02
Replace manual Go tarball download with Red Hat's go-toolset package
to comply with Conforma policy requiring approved package sources.

Changes:
- Add go-toolset to rpms.in.yaml
- Regenerate rpms.lock.yaml with go-toolset dependencies
- Empty artifacts.lock.yaml (no more tarball downloads)
- Update Containerfile and test.Containerfile to use microdnf install

This ensures Go 1.25.3 is installed from Red Hat UBI10 repositories
instead of downloading from golang.org.
@kelchen123 kelchen123 marked this pull request as ready for review December 9, 2025 19:54
@qodo-code-review

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Supply chain drift risk

Description: Installing development toolchains (e.g., go-toolset, gcc, git) directly in the build stage
without explicit version pinning in the Dockerfile can lead to non-reproducible and
potentially supply-chain-risky builds if the lockfile is bypassed (e.g., missing or
altered /cachi2/cachi2.env)—consider enforcing locked repos or verifying that
rpms.lock.yaml is always applied in CI to prevent unintended upgrades.
Containerfile [27-36]

Referred Code
RUN if [ -f /cachi2/cachi2.env ]; then . /cachi2/cachi2.env; fi && \
    microdnf install -y \
    tar \
    gzip \
    gcc \
    curl \
    ca-certificates \
    git \
    go-toolset && \
    microdnf clean all
Expanded attack surface in test image

Description: The test image installs go-toolset and build utilities at runtime, which increases the
attack surface if this image is ever used beyond ephemeral CI; ensure this image is not
published or add a stage separation and minimize installed tooling in any
runtime-distributed images.
test.Containerfile [7-16]

Referred Code
RUN if [ -f /cachi2/cachi2.env ]; then . /cachi2/cachi2.env; fi && \
    microdnf install -y \
    tar \
    gzip \
    which \
    procps-ng \
    gcc \
    shadow-utils \
    go-toolset && \
    microdnf clean all
Uncontrolled auto-upgrades in docs

Description: Documentation states Mintmaker auto-updates RPMs (including go-toolset) and encourages
unpinned package names in rpms.in.yaml, which may implicitly allow silent major upgrades;
require policy or CI checks to gate major version bumps and ensure lockfile diffs are
reviewed to avoid accidental breaking or vulnerable updates.
HERMETIC-BUILDS.md [41-50]

Referred Code
**Automatic updates:** Mintmaker tracks the latest version of `go-toolset` available in UBI10 repositories and will automatically update `rpms.lock.yaml` when new versions are released. No manual intervention is typically required.

**Manual upgrade (if needed):** To force an immediate update to the latest available version:

```bash
rpm-lockfile-prototype --image <BASE_IMAGE_WITH_DIGEST> --outfile rpms.lock.yaml rpms.in.yaml
```

The rpms.in.yaml file specifies only the package name without a version, allowing Mintmaker to automatically track the latest available version.

Ticket Compliance
🎫 No ticket provided
  • Create ticket/issue
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting

Status: Passed

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging.

Status: Passed

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data.

Status: Passed

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities

Status: Passed

⚪
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance.

Status:
No auditing: The added container build steps do not introduce or configure any audit logging for critical actions, which may be acceptable given this is build infrastructure but cannot be verified from the diff alone.

Referred Code
# go-toolset already declared in rpms.in.yaml (prefetched by Cachi2)
RUN if [ -f /cachi2/cachi2.env ]; then . /cachi2/cachi2.env; fi && \
    microdnf install -y \
    tar \
    gzip \
    gcc \
    curl \
    ca-certificates \
    git \
    go-toolset && \
    microdnf clean all

# Set Go environment (GOPATH needed for go mod download)
# go-toolset installs to /usr/bin/go (already in PATH)
ENV PATH="/root/go/bin:$PATH"
ENV GOPATH="/root/go"


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Limited error handling: The shell RUN commands rely on package manager exit codes without explicit error context
or retries, which may be acceptable for container builds but cannot be fully assessed from
the diff.

Referred Code
RUN if [ -f /cachi2/cachi2.env ]; then . /cachi2/cachi2.env; fi && \
    microdnf install -y \
    tar \
    gzip \
    which \
    procps-ng \
    gcc \
    shadow-utils \
    go-toolset && \
    microdnf clean all


Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
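To make the "gate major version bumps" and "supply chain drift" recommendations above concrete, the following added example (POSIX shell, not the project's own code) compares two `rpms.lock.yaml` snapshots, refuses the update when any package's major version changes, and lists packages that appear for the first time so their provenance can be reviewed. Both lock files are constructed, including the `subversion` 1 to 2 bump and the `delve` addition; the entry layout (`name:` followed by `evr:`) follows the snippets quoted in this thread.

```shell
#!/bin/sh
# Added example, not code from the PR or the konflux-ci/caching repository.
# Gate a Mintmaker lock-file update: fail on any major version bump and report
# newly added packages. Both lock files below are constructed.
set -eu
export LC_ALL=C

# Emit "name major" for every package in a lock file. The evr field
# (epoch:version-release) is reduced to its leading numeric component.
lock_majors() {
    awk '
        /^[[:space:]]*-?[[:space:]]*name:/ { name = $NF }
        /^[[:space:]]*evr:/ {
            evr = $NF
            sub(/^[0-9]+:/, "", evr)      # strip an epoch prefix if present
            split(evr, parts, /[.-]/)
            print name, parts[1]
        }' "$1" | sort -u
}

# Print "name old_major new_major" for every package whose major version differs.
major_bumps() {
    old=$(mktemp); new=$(mktemp)
    lock_majors "$1" > "$old"
    lock_majors "$2" > "$new"
    join "$old" "$new" | awk '$2 != $3'
    rm -f "$old" "$new"
}

# Packages present in the new lock that were absent from the old one.
added_packages() {
    old=$(mktemp); new=$(mktemp)
    lock_majors "$1" | cut -d' ' -f1 > "$old"
    lock_majors "$2" | cut -d' ' -f1 > "$new"
    comm -13 "$old" "$new"
    rm -f "$old" "$new"
}

# Gate: 0 when no major bump occurred; 1 when any package's major version changed.
gate_lock_update() {
    bumps=$(major_bumps "$1" "$2")
    added=$(added_packages "$1" "$2")
    if [ -n "$added" ]; then
        printf 'new packages (review their provenance):\n%s\n' "$added" >&2
    fi
    if [ -n "$bumps" ]; then
        printf 'major version bumps need explicit approval:\n%s\n' "$bumps" >&2
        return 1
    fi
    return 0
}

# ---- constructed inputs ----
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT

cat > "$DEMO_DIR/rpms.lock.old.yaml" <<'EOF'
metadata:
  version: "1.0"
arches:
  - arch: x86_64
    packages:
      - name: go-toolset
        evr: 1.25.2-1.el10_1
      - name: golang
        evr: 1.25.2-1.el10_1
      - name: kernel-headers
        evr: 6.12.0-124.20.1.el10_1
      - name: subversion
        evr: 1.14.5-3.el10
EOF

# New snapshot: patch-level bumps, one new package, and a constructed major bump.
cat > "$DEMO_DIR/rpms.lock.new.yaml" <<'EOF'
metadata:
  version: "1.0"
arches:
  - arch: x86_64
    packages:
      - name: delve
        evr: 1.25.2-1.el10_1
      - name: go-toolset
        evr: 1.25.3-1.el10_1
      - name: golang
        evr: 1.25.3-1.el10_1
      - name: kernel-headers
        evr: 6.12.0-125.1.1.el10_1
      - name: subversion
        evr: 2.0.0-1.el10
EOF

if gate_lock_update "$DEMO_DIR/rpms.lock.old.yaml" "$DEMO_DIR/rpms.lock.new.yaml"; then
    echo "lock update: auto-merge allowed"
else
    echo "lock update: hold for human review"
fi
```

In a Mintmaker pull request, run this with the base branch's `rpms.lock.yaml` as the first argument and the PR's copy as the second; a failing gate blocks auto-merge while ordinary patch and release bumps pass through.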

@qodo-code-review

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: High-level

Suggestion: Consider using a more minimal Go package

Replace the go-toolset RPM with the more minimal golang-bin package in
rpms.in.yaml. This change aims to reduce the builder image size and attack
surface by avoiding unnecessary dependencies like delve and subversion.

Examples:

rpms.in.yaml [13]
  - go-toolset
rpms.lock.yaml [42-48]
  - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi10/10/x86_64/appstream/os/Packages/d/delve-1.25.2-1.el10_1.x86_64.rpm
    repoid: ubi-10-for-x86_64-appstream-rpms
    size: 5488878
    checksum: sha256:218f5cfc64180fc25e5c4d244756739ae90161a96ba9ff89e2371c531a57d7e1
    name: delve
    evr: 1.25.2-1.el10_1
    sourcerpm: delve-1.25.2-1.el10_1.src.rpm

Solution Walkthrough:

Before:

# In rpms.in.yaml
packages:
  - ca-certificates
  - curl
  - gcc
  - git
  - go-toolset
  - gzip
  - squid
  - tar
  ...

# Resulting rpms.lock.yaml includes extra packages
# - delve
# - subversion
# - ... and others

After:

# In rpms.in.yaml
packages:
  - ca-certificates
  - curl
  - gcc
  - git
  - golang-bin # Use a more minimal package
  - gzip
  - squid
  - tar
  ...

# Resulting rpms.lock.yaml would be smaller,
# excluding packages like delve and subversion.
Suggestion importance [1-10]: 8

Why: The suggestion correctly identifies that go-toolset introduces potentially unnecessary dependencies like delve and subversion, and proposes a valid alternative (golang-bin) to reduce image size and attack surface.

Impact: Medium

Category: General

Suggestion: Remove unnecessary package from installation

In the go-builder stage, remove the curl package from the microdnf install
command as it is no longer required after switching to the go-toolset RPM for Go
installation.

Containerfile [27-36]

 RUN if [ -f /cachi2/cachi2.env ]; then . /cachi2/cachi2.env; fi && \
     microdnf install -y \
     tar \
     gzip \
     gcc \
-    curl \
     ca-certificates \
     git \
     go-toolset && \
     microdnf clean all
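Review bot: Removing `curl` only from the Containerfile leaves it declared in `rpms.in.yaml` (the Before/After listings above still show `- curl`), so the RPM stays prefetched and locked in `rpms.lock.yaml` even though nothing installs it. Drop it from `rpms.in.yaml` as well and regenerate the lock file, otherwise the dependency reduction this suggestion aims at is not realised in the hermetic prefetch.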
Suggestion importance [1-10]: 6

Why: The suggestion correctly identifies that curl is no longer needed for the Go installation, and removing it from the go-builder stage is a valid optimization to reduce dependencies.

Impact: Low

@kelchen123 kelchen123 added this pull request to the merge queue Dec 10, 2025
Merged via the queue into konflux-ci:main with commit 9710b6b Dec 10, 2025
11 checks passed
@kelchen123 kelchen123 deleted the go-conforma branch December 10, 2025 13:35