@@ -32,91 +32,21 @@ ARG gooseversion=v1.11.1
3232ARG bcvkversion=v0.9.0
3333# renovate: datasource=github-releases depName=ossf/scorecard
3434ARG scorecardversion=v5.1.1
35- RUN <<EORUN
36- set -xeuo pipefail
37- arch=$(arch)
38-
39- rm -vrf /usr/local/bin/*
40-
41- # goose for local AI
42- target=goose-${arch}-unknown-linux-gnu.tar.bz2
43- /bin/time -f '%E %C' curl -fLO https://github.com/block/goose/releases/download/$gooseversion/$target
44- tar xvjf $target
45- mv goose /usr/local/bin/goose
46-
47- # bcvk
48- if test "${arch}" = x86_64; then
49- td=$(mktemp -d)
50- (
51- cd $td
52- target=bcvk-${arch}-unknown-linux-gnu
53- /bin/time -f '%E %C' curl -fLO https://github.com/bootc-dev/bcvk/releases/download/$bcvkversion/${target}.tar.gz
54- tar xvzf $target.tar.gz
55- mv $target /usr/local/bin/bcvk
56- )
57- rm -rf $td
58- else
59- echo bcvk unavailable for $arch
60- fi
61-
62- # scorecard (OpenSSF security scanner)
63- td=$(mktemp -d)
64- (
65- cd $td
66- # Map arch to scorecard naming convention
67- case "${arch}" in
68- x86_64) scarch=amd64 ;;
69- aarch64) scarch=arm64 ;;
70- *) echo "scorecard unavailable for $arch"; exit 0 ;;
71- esac
72- target=scorecard_${scorecardversion#v}_linux_${scarch}.tar.gz
73- /bin/time -f '%E %C' curl -fLO https://github.com/ossf/scorecard/releases/download/$scorecardversion/$target
74- tar xvzf $target
75- mv scorecard /usr/local/bin/scorecard
76- )
77- rm -rf $td
78- EORUN
35+ COPY fetch-tools.sh /run/src/
36+ RUN gooseversion=$gooseversion bcvkversion=$bcvkversion scorecardversion=$scorecardversion /run/src/fetch-tools.sh
7937
8038FROM base as rust
81- RUN <<EORUN
82- set -xeuo pipefail
83- # Setup rust; the idea here though is we install system-wide into /usr/local
84- # as if it was packaged.
85- export RUSTUP_HOME=/usr/local/rustup
86- export CARGO_HOME=/usr/local/cargo
87- # Install Rust system-wide
88- curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile default
89- # Move binaries to /usr/local/bin (system-managed, root-owned)
90- mv /usr/local/cargo/bin/* /usr/local/bin/
91- # Recreate bin directory with symlink to rustup - rustup's self-update check
92- # looks for itself at $CARGO_HOME/bin/rustup
93- mkdir -p /usr/local/cargo/bin
94- ln -sf /usr/local/bin/rustup /usr/local/cargo/bin/rustup
95- EORUN
39+ COPY install-rust.sh /run/src/
40+ RUN /run/src/install-rust.sh
9641
9742# Kani formal verification tool - requires rustup for toolchain management
9843FROM rust as kani
9944# renovate: datasource=crate depName=kani-verifier
10045ARG kaniversion=0.67.0
101- RUN <<EORUN
102- set -xeuo pipefail
10346# Install build dependencies needed to compile kani-verifier
104- apt-get update && apt-get install -y --no-install-recommends build-essential
105- export RUSTUP_HOME=/usr/local/rustup
106- export CARGO_HOME=/usr/local/cargo
107- export PATH="/usr/local/bin:$PATH"
108- # Install Kani to a system-wide location so all users can access it
109- export KANI_HOME=/usr/local/kani
110-
111- # Install kani-verifier
112- /bin/time -f '%E %C' cargo install --locked kani-verifier --version $kaniversion
113-
114- # Run kani setup - downloads bundle and installs required nightly toolchain
115- /bin/time -f '%E %C' /usr/local/cargo/bin/cargo-kani setup
116-
117- # Move kani binaries to /usr/local/bin, keep rustup symlink
118- mv /usr/local/cargo/bin/cargo-kani /usr/local/cargo/bin/kani /usr/local/bin/
119- EORUN
47+ RUN apt-get update && apt-get install -y --no-install-recommends build-essential
48+ COPY install-kani.sh /run/src/
49+ RUN kaniversion=$kaniversion /run/src/install-kani.sh
12050
12151# This builds the image.
12252# Build this using `just devenv-build-debian` from the root of the repository.
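Review bot: The `RUN` on new line 36 hands fetch-tools.sh only the three version tags, so nothing visible in this Dockerfile pins the content of the goose, bcvk and scorecard archives that end up in /usr/local/bin. The inline script it replaces ran `curl -fLO` and then `tar` with no digest check; the script body is outside this hunk, so if it was moved over unchanged, a release asset replaced under the same tag would be installed without notice. I would add a per-architecture digest next to each version ARG and have the script verify it before unpacking, e.g. `echo "${goose_sha256}  ${target}" | sha256sum -c -` (`goose_sha256` is a placeholder name). The same concern applies to install-rust.sh if it keeps the `curl … | sh` rustup bootstrap from the removed lines.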