frontend: rewrite HandleDepsOnly to use pkg/container build infra

The way depsonly worked was always a bit janky and didn't actually
support the full dependency constraint specification.
Additionally I found the shift to dnf from tdnf broke due to `--alldeps`
being missing (possibly just in mariner2, but still missing).

This shifts depsonly to use BuildPkg and BuildContainer where we create
a meta package with just the runtime deps.
Because depsonly allows specifying a partial spec (ie missing things
like name, license, other normally required fields) we have to fill in
those details so rpmbuild can succeed.

Add deps-only integration tests for all RPM distros with two sub-tests:
- minimal spec: only runtime deps, verifies curl is installed
- full spec: includes sources, build steps, and a shell script artifact;
  verifies runtime deps are installed and build artifacts are excluded
- replaces the "e2e" test in docker-bake.hcl and tets all relevant
  distros

Signed-off-by: Brian Goff <cpuguy83@gmail.com>

Author: cpuguy83

docker-bake.hcl

@@ -3,7 +3,7 @@ group "default" {
 }
 
 group "test" {
-    targets = ["runc-test", "test-deps-only"]
+    targets = ["runc-test"]
 }
 
 variable "FRONTEND_REF" {
@@ -227,42 +227,6 @@ target "examples" {
     tags = ["local/dalec/examples/${f}:${distro}"]
 }
 
-target "deps-only" {
-    name = "deps-only-${distro}"
-    matrix = {
-        distro = ["mariner2"]
-    }
-    dockerfile-inline = <<EOT
-dependencies:
-    runtime:
-        patch: {}
-        bash: {}
-    EOT
-    args = {
-        "BUILDKIT_SYNTAX" = "dalec_frontend"
-    }
-    contexts = {
-        "dalec_frontend" = "target:frontend"
-    }
-    target = "${distro}/container/depsonly"
-    tags = ["local/dalec/deps-only:${distro}"]
-}
-
-target "test-deps-only" {
-    dockerfile-inline = <<EOT
-    FROM deps-only-context
-    # Make sure the deps-only target has the runtime dependencies we expect and not, for instance, "rpm"
-    RUN command -v bash
-    RUN command -v patch
-    RUN if command -v rpm; then echo should be a distroless image but rpm binary is installed; exit 1; fi
-    EOT
-
-    contexts = {
-        "deps-only-context" = "target:deps-only-mariner2"
-    }
-}
-
-
 variable "CI_FRONTEND_CACHE_SCOPE" {
     default = "dalec/frontend/ci"
 }

targets/linux/rpm/distro/container.go

@@ -95,16 +95,36 @@ func (cfg *Config) HandleDepsOnly(ctx context.Context, client gwclient.Client) (
 		}
 
 		pc := dalec.Platform(platform)
-		worker := cfg.Worker(sOpt, pg, pc)
 
-		deps := dalec.SortMapKeys(rtDeps)
+		// NOTE: Deps-only allows bare specs, ie specs with just the runtime deps included.
+		// This means we may need to fill in some of the details that are required by the package manager.
+		depsSpec := &dalec.Spec{
+			Name:        spec.Name + "-runtime-deps",
+			License:     spec.License,
+			Version:     spec.Version,
+			Revision:    spec.Revision,
+			Description: "Runtime dependencies meta package",
+			Dependencies: &dalec.PackageDependencies{
+				Runtime: rtDeps,
+			},
+		}
 
-		withDownloads := worker.Run(dalec.ShArgs("set -ex; mkdir -p /tmp/rpms/RPMS/$(uname -m)")).
-			Run(cfg.Install(deps,
-				DnfDownloadAllDeps("/tmp/rpms/RPMS/$(uname -m)")), pg).Root()
-		rpmDir := llb.Scratch().File(llb.Copy(withDownloads, "/tmp/rpms", "/", dalec.WithDirContentsOnly()), pg)
+		if depsSpec.Name == "-runtime-deps" {
+			// Name cannot start with "-"
+			depsSpec.Name = "dalec-user" + depsSpec.Name
+		}
+		if depsSpec.Version == "" {
+			depsSpec.Version = "0.0.1"
+		}
+		if depsSpec.Revision == "" {
+			depsSpec.Revision = "1"
+		}
+		if depsSpec.License == "" {
+			depsSpec.License = "MIT"
+		}
 
-		ctr := cfg.BuildContainer(ctx, client, sOpt, spec, targetKey, rpmDir, pg, pc)
+		pkg := cfg.BuildPkg(ctx, client, sOpt, depsSpec, targetKey, pg)
+		ctr := cfg.BuildContainer(ctx, client, sOpt, spec, targetKey, pkg, pg)
 
 		def, err := ctr.Marshal(ctx, pc)
 		if err != nil {

targets/linux/rpm/distro/dnf_install.go

@@ -34,12 +34,6 @@ type dnfInstallConfig struct {
 
 	constraints []llb.ConstraintsOpt
 
-	downloadOnly bool
-
-	allDeps bool
-
-	downloadDir string
-
 	// When true, don't omit docs from the installed RPMs.
 	includeDocs bool
 
@@ -82,14 +76,6 @@ func DnfForceArch(arch string) DnfInstallOpt {
 	}
 }
 
-func DnfDownloadAllDeps(dest string) DnfInstallOpt {
-	return func(cfg *dnfInstallConfig) {
-		cfg.downloadOnly = true
-		cfg.allDeps = true
-		cfg.downloadDir = dest
-	}
-}
-
 func IncludeDocs(v bool) DnfInstallOpt {
 	return func(cfg *dnfInstallConfig) {
 		cfg.includeDocs = v
@@ -110,18 +96,6 @@ func dnfInstallFlags(cfg *dnfInstallConfig) string {
 		cmdOpts += " --setopt=reposdir=/etc/yum.repos.d"
 	}
 
-	if cfg.downloadOnly {
-		cmdOpts += " --downloadonly"
-	}
-
-	if cfg.allDeps {
-		cmdOpts += " --alldeps"
-	}
-
-	if cfg.downloadDir != "" {
-		cmdOpts += " --downloaddir " + cfg.downloadDir
-	}
-
 	if !cfg.includeDocs {
 		cmdOpts += " --setopt=tsflags=nodocs"
 	}

test/linux_target_test.go

@@ -61,6 +61,8 @@ type targetConfig struct {
 	Package string
 	// Container is the target for creating a container
 	Container string
+	// DepsOnly is the target for creating a deps-only container (no package built, only runtime deps installed).
+	DepsOnly string
 	// Worker is the target for creating the worker image.
 	Worker string
 	// Sysext is the target for creating a systemd system extension.
@@ -718,6 +720,16 @@ index 0000000..5260cb1
 	t.Run("container", func(t *testing.T) {
 		t.Parallel()
 
+		t.Run("depsonly", func(t *testing.T) {
+			if testConfig.Target.DepsOnly == "" {
+				t.Skip("depsonly target not defined")
+			}
+
+			t.Parallel()
+			ctx := startTestSpan(ctx, t)
+			testDepsOnly(ctx, t, testConfig)
+		})
+
 		t.Run("creates_post_install_symlinks", func(t *testing.T) {
 			t.Parallel()
 
@@ -5403,6 +5415,85 @@ echo "This is a third test binary"
 	})
 }
 
+func testDepsOnly(ctx context.Context, t *testing.T, testConfig testLinuxConfig) {
+	t.Run("minimal spec", func(t *testing.T) {
+		t.Parallel()
+		ctx := startTestSpan(ctx, t)
+
+		spec := &dalec.Spec{
+			Dependencies: &dalec.PackageDependencies{
+				Runtime: map[string]dalec.PackageConstraints{
+					"curl": {},
+				},
+			},
+		}
+
+		testEnv.RunTest(ctx, t, func(ctx context.Context, client gwclient.Client) {
+			req := newSolveRequest(withSpec(ctx, t, spec), withBuildTarget(testConfig.Target.DepsOnly))
+			res := solveT(ctx, t, client, req)
+
+			ref, err := res.SingleRef()
+			assert.NilError(t, err)
+
+			_, err = ref.StatFile(ctx, gwclient.StatRequest{Path: "/usr/bin/curl"})
+			assert.NilError(t, err)
+		})
+	})
+
+	t.Run("full spec", func(t *testing.T) {
+		t.Parallel()
+		ctx := startTestSpan(ctx, t)
+
+		// Full spec includes sources, build steps, and a shell script artifact.
+		// The deps-only target should install only runtime deps (curl) and NOT
+		// include the built artifact (/usr/bin/my-script) or its implicit dep.
+		spec := fillMetadata("test-deps-only-full", &dalec.Spec{
+			Sources: map[string]dalec.Source{
+				"my-script": {
+					Inline: &dalec.SourceInline{
+						File: &dalec.SourceInlineFile{
+							Contents:    "#!/usr/bin/env bash\necho hello from deps-only test\n",
+							Permissions: 0o700,
+						},
+					},
+				},
+			},
+			Build: dalec.ArtifactBuild{
+				Steps: []dalec.BuildStep{
+					{Command: "/bin/true"},
+				},
+			},
+			Artifacts: dalec.Artifacts{
+				Binaries: map[string]dalec.ArtifactConfig{
+					"my-script": {},
+				},
+			},
+			Dependencies: &dalec.PackageDependencies{
+				Runtime: map[string]dalec.PackageConstraints{
+					"curl": {},
+				},
+			},
+		})
+
+		testEnv.RunTest(ctx, t, func(ctx context.Context, client gwclient.Client) {
+			req := newSolveRequest(withSpec(ctx, t, spec), withBuildTarget(testConfig.Target.DepsOnly))
+			res := solveT(ctx, t, client, req)
+
+			ref, err := res.SingleRef()
+			assert.NilError(t, err)
+
+			// Runtime dep should be installed.
+			_, err = ref.StatFile(ctx, gwclient.StatRequest{Path: "/usr/bin/curl"})
+			assert.NilError(t, err)
+
+			// The shell script artifact should NOT be present — deps-only
+			// never builds the package, so no artifacts are installed.
+			_, err = ref.StatFile(ctx, gwclient.StatRequest{Path: "/usr/bin/my-script"})
+			assert.ErrorContains(t, err, "no such file")
+		})
+	})
+}
+
 func testLinuxSpec(t *testing.T, userSpec dalec.Spec) dalec.Spec {
 	t.Helper()
 

test/target_almalinux_test.go

@@ -17,6 +17,7 @@ func TestAlmalinux9(t *testing.T) {
 			Key:       "almalinux9",
 			Package:   "almalinux9/rpm",
 			Container: "almalinux9/container",
+			DepsOnly:  "almalinux9/container/depsonly",
 			Worker:    "almalinux9/worker",
 			FormatDepEqual: func(v, _ string) string {
 				return v
@@ -65,6 +66,7 @@ func TestAlmalinux8(t *testing.T) {
 		Target: targetConfig{
 			Package:   "almalinux8/rpm",
 			Container: "almalinux8/container",
+			DepsOnly:  "almalinux8/container/depsonly",
 			Worker:    "almalinux8/worker",
 			FormatDepEqual: func(v, _ string) string {
 				return v

test/target_azlinux_test.go

@@ -46,6 +46,7 @@ func TestMariner2(t *testing.T) {
 			Key:       azlinux.Mariner2TargetKey,
 			Package:   "mariner2/rpm",
 			Container: "mariner2/container",
+			DepsOnly:  "mariner2/container/depsonly",
 			Worker:    "mariner2/worker",
 			FormatDepEqual: func(v, _ string) string {
 				return v
@@ -91,6 +92,7 @@ func TestAzlinux3(t *testing.T) {
 			Key:                   "azlinux3",
 			Package:               "azlinux3/rpm",
 			Container:             "azlinux3/container",
+			DepsOnly:              "azlinux3/container/depsonly",
 			Worker:                "azlinux3/worker",
 			Sysext:                "azlinux3/testing/sysext",
 			ListExpectedSignFiles: azlinuxListSignFiles("azl3"),

test/target_rockylinux_test.go

@@ -17,6 +17,7 @@ func TestRockylinux9(t *testing.T) {
 			Key:       "rockylinux9",
 			Package:   "rockylinux9/rpm",
 			Container: "rockylinux9/container",
+			DepsOnly:  "rockylinux9/container/depsonly",
 			Worker:    "rockylinux9/worker",
 			FormatDepEqual: func(v, _ string) string {
 				return v
@@ -65,6 +66,7 @@ func TestRockylinux8(t *testing.T) {
 		Target: targetConfig{
 			Package:   "rockylinux8/rpm",
 			Container: "rockylinux8/container",
+			DepsOnly:  "rockylinux8/container/depsonly",
 			Worker:    "rockylinux8/worker",
 			FormatDepEqual: func(v, _ string) string {
 				return v