
feat: unify Dockerfile with ARG HERMETIC and add hermetic CI #3048 (Draft)

Fortune-Ndlovu wants to merge 1 commit into redhat-developer:main from Fortune-Ndlovu:hermetic-build-arg

Conversation

Fortune-Ndlovu (Member) commented Jun 23, 2026

Replace the dual-Dockerfile approach (.rhdh/docker/Dockerfile + Dockerfile) with a single Dockerfile using ARG HERMETIC=false to conditionally skip dnf/microdnf updates and source /cachi2/cachi2.env in hermetic (Konflux+Cachi2) builds.

Add a GitHub Actions workflow (pr-hermetic-build.yaml) that runs on every PR, using Hermeto to prefetch Go modules and RPMs, then builds with --network=none to catch hermetic build failures upstream before they reach downstream.

  • Delete redundant .rhdh/docker/Dockerfile
  • Add .github/actions/docker-build composite action (Hermeto-based)
  • Add .github/workflows/pr-hermetic-build.yaml
  • Add Makefile target: image-build-hermetic
  • Update update-rpm-lockfile.yaml and rpms.in.yaml to reference Dockerfile

Description

Which issue(s) does this PR fix or relate to

PR acceptance criteria

  • Tests
  • Documentation

How to test changes / Special notes to the reviewer

Replace the dual-Dockerfile approach (.rhdh/docker/Dockerfile +
Dockerfile) with a single Dockerfile using ARG HERMETIC=false to
conditionally skip dnf/microdnf updates and source /cachi2/cachi2.env
in hermetic (Konflux+Cachi2) builds.

Add a GitHub Actions workflow (pr-hermetic-build.yaml) that runs on
every PR, using Hermeto to prefetch Go modules and RPMs, then builds
with --network=none to catch hermetic build failures upstream before
they reach downstream.

- Delete redundant .rhdh/docker/Dockerfile
- Add .github/actions/docker-build composite action (Hermeto-based)
- Add .github/workflows/pr-hermetic-build.yaml
- Add Makefile target: image-build-hermetic
- Update update-rpm-lockfile.yaml and rpms.in.yaml to reference Dockerfile

Signed-off-by: fndlovu <fndlovu@redhat.com>
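The ARG HERMETIC gating described in the PR body, as an added example Dockerfile (not the PR's own Dockerfile): one file that serves both the default network-enabled build and the hermetic Konflux/Cachi2 build. Base images, the workspace layout, the build command and the exact contents of /cachi2/cachi2.env are assumptions.

```dockerfile
# Added example, not the PR's Dockerfile: one Dockerfile that serves both the
# network-enabled default build and the hermetic Konflux/Cachi2 build, selected
# by ARG HERMETIC. Base images, paths and the build command are assumptions.

# Declared before the first FROM this only sets the default; each stage that
# reads it must redeclare ARG HERMETIC (without a value) to receive it.
ARG HERMETIC=false

FROM registry.access.redhat.com/ubi9/go-toolset:latest AS builder
ARG HERMETIC
# Package updates need root; the toolset image defaults to an unprivileged user.
USER 0
WORKDIR /workspace
COPY . .

# Non-hermetic: refresh packages and let `go build` download modules.
# Hermetic: no network, so skip dnf and instead source the env file Cachi2
# wrote during prefetch (it typically points GOMODCACHE at the prefetched
# modules and sets GOPROXY=off). Sourcing must happen in the same RUN as the
# build, because every RUN starts a fresh shell.
RUN if [ "$HERMETIC" = "true" ]; then \
      . /cachi2/cachi2.env; \
    else \
      dnf -y update && dnf clean all; \
    fi && \
    CGO_ENABLED=0 go build -o /workspace/operator ./cmd/main.go

FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
ARG HERMETIC
# Same gate in the runtime stage: microdnf update only when the network is allowed.
RUN if [ "$HERMETIC" != "true" ]; then microdnf -y update && microdnf clean all; fi
COPY --from=builder /workspace/operator /usr/local/bin/operator
USER 1001
ENTRYPOINT ["/usr/local/bin/operator"]
```

The Makefile target the PR adds passes --build-arg HERMETIC=true; combining that locally with --network=none makes any remaining network access (a forgotten dnf call, a module not in the prefetched cache) fail outright instead of quietly succeeding on a developer machine.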

rhdh-qodo-merge commented

Code Review by Qodo

Sorry, something went wrong. We weren't able to complete the code review on our side. Please try again.

rhdh-qodo-merge commented

PR Summary by Qodo

Unify Dockerfile with HERMETIC arg and add hermetic PR build workflow
✨ Enhancement ⚙️ Configuration changes 🕐 40+ Minutes

Description

• Replace dual Dockerfiles with one Dockerfile gated by ARG HERMETIC for Konflux+Cachi2 builds.
• Add a PR GitHub Actions workflow that prefetches deps via Hermeto and builds with network disabled.
• Update rpm-lockfile automation and Makefile targets to use the unified Dockerfile.

Diagram (mermaid)

graph TD
  PR["Pull Request"] --> WF(["PR Hermetic Build workflow"]) --> ACT(["docker-build composite action"]) --> HERMETO{{"Hermeto (podman)"}} --> CACHE[("hermeto-cache")] --> BUILDAH(["buildah-build (--network=none)"]) --> IMG["Operator image"]
  ACT(["docker-build composite action"]) --> DF["Dockerfile (ARG HERMETIC)"] --> BUILDAH(["buildah-build (--network=none)"])
  subgraph Legend
    direction LR
    _wf(["Workflow/Action"]) ~~~ _ext{{"External tool"}} ~~~ _cache[("Cache/volume")] ~~~ _art["Artifact/config"]
  end
High-Level Assessment

The following are alternative approaches to this PR:

1. Keep a dedicated hermetic Dockerfile
  • ➕ Avoids CI-time Dockerfile mutation via sed
  • ➕ Reduces risk of transform logic breaking on future Dockerfile refactors
  • ➖ Reintroduces drift between Dockerfiles (the problem this PR fixes)
  • ➖ More maintenance and review overhead for build changes
2. Use BuildKit-native mounts instead of sed transforms
  • ➕ More robust than rewriting Dockerfile text
  • ➕ Can explicitly mount repo files and pre-fetched deps via build mounts
  • ➖ Requires BuildKit/buildx support; current workflow uses buildah-build
  • ➖ May diverge from Konflux/buildah behavior you’re trying to simulate

Recommendation: Current approach (single Dockerfile + hermetic PR workflow) is the best fit for keeping build logic unified while catching hermetic failures early. The main risk is the sed-based Dockerfile transformation in CI; keep the Dockerfile’s RUN formatting stable (or add a small validation step) to avoid future breakage, and fall back to a separate hermetic Dockerfile only if transforms become too brittle.

Files changed (6) +195 / -14

Documentation (1) +1 / -1

rpms.in.yaml (+1/-1): Update rpm-lockfile-prototype instructions to reference Dockerfile
• Adjusts the comment showing how to regenerate rpms.lock.yaml so the lockfile tool uses the unified Dockerfile path.

Other (5) +194 / -13

.github/actions/docker-build/action.yaml (+132/-0): Add composite action for Hermeto-prefetch + offline buildah build
• Introduces a composite GitHub Action that uses Hermeto to prefetch RPM and Go module dependencies, generates cachi2.env, and injects prefetched artifacts. It then transforms the Dockerfile to source /cachi2/cachi2.env and point yum repos at hermeto output, finally building with buildah using --network=none and mounting the cache volume.

.github/workflows/pr-hermetic-build.yaml (+49/-0): Add PR workflow to run hermetic image build on every PR
• Adds a pull_request workflow targeting main and release branches. The job checks out the repo and invokes the new composite docker-build action to build a tagged hermetic PR image for linux/amd64.

.github/workflows/update-rpm-lockfile.yaml (+2/-2): Switch rpm lockfile workflow to use the unified Dockerfile
• Updates the workflow path filters and DOCKERFILE_PATH env var to point at Dockerfile instead of .rhdh/docker/Dockerfile, aligning lockfile regeneration with the single-Dockerfile approach.

Dockerfile (+7/-11): Gate dnf/microdnf updates and cachi2.env usage behind ARG HERMETIC
• Adds ARG HERMETIC to both build and runtime stages. Replaces unconditional dnf/microdnf update steps with conditional execution when HERMETIC=false, and conditionally cats /cachi2/cachi2.env when HERMETIC=true to support Konflux+Cachi2 hermetic builds.

Makefile (+4/-0): Add image-build-hermetic target that sets HERMETIC=true
• Adds a new make target to build the container image with --build-arg HERMETIC=true. This provides a local/manual way to simulate the hermetic build path without maintaining a separate Dockerfile.
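The summary above recommends a small validation step so that a sed-based Dockerfile transform in CI cannot silently undo the HERMETIC gating. The script below is an added example of such a step; it is not part of the PR. It checks the three invariants the summary describes for the Dockerfile (ARG HERMETIC redeclared in every stage, cachi2.env sourced in a RUN, no ungated dnf/microdnf update), and the two sample Dockerfiles it writes are constructed for the demonstration. The exact rules and the sample file contents are assumptions.

```shell
#!/bin/sh
# Added example, not part of the PR under review: a lint step for a Dockerfile
# that is meant to build hermetically behind ARG HERMETIC. It flags three things
# a sed-based CI transform or a later refactor could silently break:
#   (1) a build stage that does not redeclare ARG HERMETIC after its FROM
#       (an ARG before the first FROM only sets the default),
#   (2) no RUN instruction that sources /cachi2/cachi2.env,
#   (3) a dnf/microdnf update that is not inside a HERMETIC conditional.
# The two sample Dockerfiles written by write_samples are constructed here.

# Join backslash-continued lines so a multi-line RUN is inspected as one line.
join_continuations() {
    awk '{ if (sub(/\\[ \t]*$/, "")) { buf = buf $0; next }
           print buf $0; buf = "" }' "$1"
}

validate_dockerfile() {
    file="$1"
    rc=0
    joined=$(join_continuations "$file")

    # (1) between one FROM and the next there must be an ARG HERMETIC line
    if ! printf '%s\n' "$joined" | awk '
        /^FROM[ \t]/         { if (in_stage && !seen) bad++; in_stage = 1; seen = 0; next }
        /^ARG[ \t]+HERMETIC/ { seen = 1 }
        END                  { if (in_stage && !seen) bad++; exit (bad ? 1 : 0) }'
    then
        echo "$file: a build stage does not redeclare ARG HERMETIC" >&2
        rc=1
    fi

    # (2) some RUN must source the Cachi2 environment file
    if ! printf '%s\n' "$joined" | grep -Eq '^RUN.*(\. |source )/cachi2/cachi2\.env'; then
        echo "$file: no RUN sources /cachi2/cachi2.env" >&2
        rc=1
    fi

    # (3) every non-comment line running a (micro)dnf update must mention HERMETIC
    if printf '%s\n' "$joined" | grep -v '^[[:space:]]*#' \
         | grep -E '(^|[^a-zA-Z])(micro)?dnf .*update' | grep -qv HERMETIC; then
        echo "$file: dnf/microdnf update is not gated on HERMETIC" >&2
        rc=1
    fi
    return $rc
}

# Constructed samples: one Dockerfile that follows the pattern, one that lost
# the ARG in its runtime stage and runs an ungated microdnf update.
write_samples() {
    dir="$1"
    cat > "$dir/good.Dockerfile" <<'EOF'
ARG HERMETIC=false
FROM registry.example/go-toolset AS builder
ARG HERMETIC
WORKDIR /workspace
COPY . .
RUN if [ "$HERMETIC" = "true" ]; then \
      . /cachi2/cachi2.env; \
    else \
      dnf -y update && dnf clean all; \
    fi && go build -o /workspace/operator ./cmd/main.go
FROM registry.example/ubi-minimal
ARG HERMETIC
RUN if [ "$HERMETIC" != "true" ]; then microdnf -y update; fi
COPY --from=builder /workspace/operator /usr/local/bin/operator
EOF
    cat > "$dir/bad.Dockerfile" <<'EOF'
ARG HERMETIC=false
FROM registry.example/go-toolset AS builder
ARG HERMETIC
RUN if [ "$HERMETIC" = "true" ]; then . /cachi2/cachi2.env; fi && go build ./...
FROM registry.example/ubi-minimal
RUN microdnf -y update
COPY --from=builder /workspace/operator /usr/local/bin/operator
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    good=0; bad=0
    validate_dockerfile "$tmp/good.Dockerfile" || good=$?
    validate_dockerfile "$tmp/bad.Dockerfile" || bad=$?
    rm -rf "$tmp"
    echo "good.Dockerfile exit=$good, bad.Dockerfile exit=$bad"
}

demo
```

Run it against the transformed Dockerfile as a step before buildah in the composite action; a non-zero exit stops the build with a message naming the invariant that broke, which is far cheaper to diagnose than a hermetic build failing part-way through.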

openshift-ci Bot commented Jun 23, 2026

PR needs rebase.

Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
