@simonbaird (Member) commented Jan 7, 2026

User description

Also fix a bug related to mounting go cache volumes when doing a local image build.


PR Type

Enhancement, Bug fix


Description

  • Add symlink for "conforma" command in container images

  • Fix missing Go cache volume mounts in local builds


Diagram Walkthrough

flowchart LR
  A["Container Build"] --> B["Mount Go Cache Volumes"]
  A --> C["Create conforma Symlink"]
  B --> D["Successful Local Build"]
  C --> E["Alternative Command Name"]

File Walkthrough

Relevant files

Enhancement

Dockerfile: Add conforma command symlink (+3/-0)

  • Added symlink from /usr/local/bin/ec to /usr/local/bin/conforma
  • Allows users to invoke the binary using the "conforma" command name
  • Includes explanatory comment about the temporary naming approach

Dockerfile.dist: Add conforma command symlink (+3/-0)

  • Added identical symlink from /usr/local/bin/ec to /usr/local/bin/conforma
  • Maintains consistency with main Dockerfile
  • Includes explanatory comment about the temporary naming approach

Bug fix

Makefile: Fix Go cache volume mounts in build (+4/-0)

  • Added --volume flags to mount Go cache directory at /go/cache
  • Added --volume flags to mount Go modules directory at /go/mod
  • Added environment variables GOCACHE and GOMODCACHE for buildah
  • Fixes missing cache mounts that caused make dist-container failures

Mounts for go cache were missing, which caused `make dist-container`
to fail due to the var not being set on line 60 in build.sh.
We might choose to change the binary name properly one day, but for
now this will let us tentatively see how it feels to use the new
name.
@qodo-code-review (Contributor)

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Host path mount

Description: The new buildah bud invocation mounts host-provided paths from $(GOCACHE_DIR) and
$(GOMODCACHE_DIR) into the build container, which could unintentionally expose or allow
modification of sensitive host files if these variables are set to unexpected locations
(or crafted values), so ensure they are constrained to safe directories and not
user-controlled in untrusted build environments (e.g., CI from PRs).
Makefile [73-76]

Referred Code
--volume "$(GOCACHE_DIR)":/go/cache:Z \
--volume "$(GOMODCACHE_DIR)":/go/mod:Z \
--env GOCACHE=/go/cache \
--env GOMODCACHE=/go/mod \
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed


Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Missing preflight checks: The new buildah bud flags assume GOCACHE_DIR and GOMODCACHE_DIR are always set and valid paths, but the Make target does not validate them or provide a clear error message if they are empty/undefined.

Referred Code
--volume "$(GOCACHE_DIR)":/go/cache:Z \
--volume "$(GOMODCACHE_DIR)":/go/mod:Z \
--env GOCACHE=/go/cache \
--env GOMODCACHE=/go/mod \


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Unvalidated external inputs: The new volume mount sources use externally-provided variables (GOCACHE_DIR, GOMODCACHE_DIR) without validation/sanitization, which could lead to unexpected host-path mounts in local build environments.

Referred Code
--volume "$(GOCACHE_DIR)":/go/cache:Z \
--volume "$(GOMODCACHE_DIR)":/go/mod:Z \


Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
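The two open findings above (missing preflight checks, and host paths from GOCACHE_DIR/GOMODCACHE_DIR mounted without validation) can both be closed by one guard that runs before `buildah bud`. The following is an added example written for this review; it is not code from the ec-cli Makefile and not something Qodo or the PR author proposed. It assumes a hypothetical policy, not one the PR defines: each cache directory must be set, absolute, an existing directory, and must resolve (after following symlinks) to a location under an allowed root, which defaults to $HOME. The `/go/cache`, `/go/mod`, `:Z` and `--env` values are the ones in the PR's Makefile hunk.

```shell
# Preflight guard for host directories handed to `buildah bud --volume`.
# Added example for this review; not code from the ec-cli Makefile or
# from Qodo. Assumed (hypothetical) policy: a cache directory must be set,
# absolute, an existing directory, and resolve (after following symlinks)
# to a location under an allowed root, which defaults to $HOME.

# validate_cache_dir NAME PATH ALLOWED_ROOT
# NAME is only used in error messages (e.g. GOCACHE_DIR). Returns 0 when
# PATH is safe to mount, otherwise prints a reason to stderr and returns 1.
validate_cache_dir() {
    name=$1
    path=$2
    root=$3

    if [ -z "$path" ]; then
        echo "$name is not set (see 'go env GOCACHE' / 'go env GOMODCACHE' for the host defaults)" >&2
        return 1
    fi
    case $path in
        /*) ;;
        *)  echo "$name must be an absolute path, got '$path'" >&2; return 1 ;;
    esac
    if [ ! -d "$path" ]; then
        echo "$name is not an existing directory: $path" >&2
        return 1
    fi
    # Resolve symlinks on both sides so a link such as ~/cache -> / is caught,
    # and so a root like /tmp that is itself a symlink still compares equal.
    resolved=$(cd "$path" && pwd -P) || return 1
    resolved_root=$(cd "$root" && pwd -P) || return 1
    case $resolved in
        "$resolved_root"|"$resolved_root"/*) ;;
        *)  echo "$name resolves to $resolved, outside allowed root $resolved_root" >&2
            return 1 ;;
    esac
    return 0
}

# go_cache_volume_args GOCACHE_DIR GOMODCACHE_DIR [ALLOWED_ROOT]
# Prints the buildah arguments the PR adds to the dist-container target,
# but only once both directories pass validation; prints nothing and
# fails otherwise, so a Makefile recipe can stop before buildah runs.
go_cache_volume_args() {
    gocache=$1
    gomodcache=$2
    root=${3:-$HOME}

    validate_cache_dir GOCACHE_DIR "$gocache" "$root" || return 1
    validate_cache_dir GOMODCACHE_DIR "$gomodcache" "$root" || return 1
    printf '%s\n' "--volume $gocache:/go/cache:Z --volume $gomodcache:/go/mod:Z --env GOCACHE=/go/cache --env GOMODCACHE=/go/mod"
}
```

In a Makefile this would sit in a `check-go-cache` prerequisite of `dist-container` (or be evaluated with `$(shell ...)` into the buildah argument list), and CI that builds untrusted PRs would pass its workspace as the third argument so the allowed root is pinned rather than inherited from the runner's $HOME.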

@qodo-code-review (Contributor)

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue
Improve build portability across systems

Replace the hardcoded SELinux label :Z on volume mounts with --security-opt
label=disable to improve build portability on systems where SELinux is not
enabled, such as macOS.

Makefile [67-77]

 dist-container: clean
 	buildah bud --file Dockerfile.dist \
 	  --tag dist-container \
 	  --platform $(BUILD_LOCAL_PLATFORM) \
 	  --build-arg BUILD_SUFFIX=local \
 	  --build-arg BUILD_LIST=$(BUILD_LOCAL_ARCH) \
-	  --volume "$(GOCACHE_DIR)":/go/cache:Z \
-	  --volume "$(GOMODCACHE_DIR)":/go/mod:Z \
+	  --security-opt label=disable \
+	  --volume "$(GOCACHE_DIR)":/go/cache \
+	  --volume "$(GOMODCACHE_DIR)":/go/mod \
 	  --env GOCACHE=/go/cache \
 	  --env GOMODCACHE=/go/mod \
 	  .
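Review bot: `--security-opt label=disable` in this hunk switches off SELinux labeling for the entire build container, which is a much broader relaxation than the `:Z` suffix it replaces, since `:Z` only relabels the two cache directories being mounted. If the aim is portability to hosts without SELinux, make the suffix conditional instead of dropping confinement everywhere, for example a Make variable that expands to `:Z` only when `getenforce` reports Enforcing or Permissive and to nothing otherwise, so the mounts stay `--volume "$(GOCACHE_DIR)":/go/cache$(SELINUX_LABEL)` and a confined host keeps its labels.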


Suggestion importance [1-10]: 6

Why: The suggestion correctly identifies that the :Z flag for buildah can cause build failures on non-SELinux systems and proposes a valid fix that improves portability.

Impact: Low

Category: General
Force overwrite existing symlink

Use ln -sf instead of ln -s to forcefully create the symlink, preventing
potential build failures if the link target already exists.

Dockerfile [84]

-RUN ln -s /usr/local/bin/ec /usr/local/bin/conforma
+RUN ln -sf /usr/local/bin/ec /usr/local/bin/conforma
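Review bot: `ln -sf` here silently replaces whatever is already at /usr/local/bin/conforma, so if a base image or an earlier layer ever ships its own `conforma` the build would clobber it with no signal; the plain `ln -s` that fails the build is the safer default for a path that is expected to be empty in a clean layer. If the concern is repeated local builds on a dirty layer, a guard such as `test -e /usr/local/bin/conforma || ln -s /usr/local/bin/ec /usr/local/bin/conforma` gives idempotence without overwriting an existing file.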
Suggestion importance [1-10]: 4

Why: This is a good practice for making the Docker build more robust and idempotent, although the chance of the symlink already existing in a clean build is low.

Impact: Low

@codecov bot commented Jan 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag          Coverage   Δ
acceptance    55.98%     <ø> (+<0.01%) ⬆️
generative    18.97%     <ø> (ø)
integration   28.44%     <ø> (ø)
unit          67.96%     <ø> (ø)

Flags with carried forward coverage won't be shown.

