- Task
- Resolution: Done
- Major
- 3.1.0.GA
To get closer to prod sec and legal requirements, we should move from get-sources.sh -> asset*.gz file for the node dependencies, and instead use cachito w/ container.yaml configuration to fetch sources, then build the sources inside a Docker context, letting cachito find the dependencies in yarn.lock / package.json.
- https://github.com/redhat-developer/devspaces-images/blob/devspaces-3-rhel-8/devspaces-dashboard/get-sources.sh
- https://github.com/redhat-developer/devspaces-images/blob/devspaces-3-rhel-8/devspaces-dashboard/sources
- https://github.com/redhat-developer/devspaces-images/blob/devspaces-3-rhel-8/devspaces-dashboard/container.yaml
- https://osbs.readthedocs.io/en/latest/users.html?highlight=cachito%20node#fetching-source-code-from-external-source-using-cachito

Once the remote_source map described above is set in container.yaml, you can now copy the upstream sources (with bundled dependencies) provided by cachito in your build image by adding:
COPY $REMOTE_SOURCE $REMOTE_SOURCE_DIR
to your Dockerfile. From this point on, you will find the root of the upstream project at $REMOTE_SOURCE_DIR/app, and the project dependencies at $REMOTE_SOURCE_DIR/deps.
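
A sketch of the migration this issue describes, added here as an example and not taken from the devspaces-images repository: the container.yaml remote_source map (shown in comments) next to a Dockerfile that builds from the Cachito-provided sources. The repository URL, commit ref, base image and the `yarn build` script name are placeholders or assumptions.

```dockerfile
# container.yaml lives beside this Dockerfile. The remote_source map tells
# OSBS/Cachito which upstream commit to fetch and which package manager's
# lockfile to resolve (values below are placeholders):
#
#   remote_source:
#     repo: https://git.example.com/upstream/dashboard.git
#     ref: 0000000000000000000000000000000000000000
#     pkg_managers:
#       - yarn
#
# "ref" is a full commit SHA, so the fetched source is pinned to one exact
# revision rather than a branch that can move between builds.

# Placeholder base image; use the approved Node.js builder image.
FROM registry.example.com/nodejs-builder:placeholder

# REMOTE_SOURCE and REMOTE_SOURCE_DIR are supplied by the build system once
# remote_source is set in container.yaml. This replaces the asset*.gz
# tarballs that get-sources.sh used to produce.
COPY $REMOTE_SOURCE $REMOTE_SOURCE_DIR

# Upstream project root; fetched dependencies are under $REMOTE_SOURCE_DIR/deps.
WORKDIR $REMOTE_SOURCE_DIR/app

# --frozen-lockfile makes the build fail if package.json and yarn.lock
# disagree, so only the dependency set recorded in yarn.lock gets installed.
# Assumption: Cachito has already pointed yarn at its own package source for
# this checkout, so no public registry access is needed here.
RUN yarn install --frozen-lockfile && yarn build

# Assumption: the build output has been copied out of $REMOTE_SOURCE_DIR by a
# project-specific step before this cleanup. Removing the source tree keeps
# build-time sources and dev dependencies out of the shipped image.
# RUN rm -rf $REMOTE_SOURCE_DIR
```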