add policy build --optimize --entrypoint support (#205)

gertd · web-flow · commit 09799aa4deeb · 2025-10-04T14:44:33.000+02:00
diff --git a/.goreleaser-pre.yml b/.goreleaser-pre.yml
@@ -15,7 +15,7 @@ before:
 
 builds:
   # https://goreleaser.com/customization/build/
-  - id: build
+  - id: policy
     main: ./cmd/policy
     binary: policy
     goos:
@@ -43,7 +43,7 @@ archives:
   - formats: 
       - zip
     ids:
-    - build
+    - policy
     files:
       - LICENSE
       - README.md
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -16,7 +16,7 @@ before:
 
 builds:
   # https://goreleaser.com/customization/build/
-  - id: build
+  - id: policy
     main: ./cmd/policy
     binary: policy
     goos:
@@ -44,7 +44,7 @@ archives:
   - formats: 
       - zip
     ids:
-    - build
+    - policy
     files:
       - LICENSE
       - README.md
diff --git a/Dockerfile b/Dockerfile
@@ -26,7 +26,7 @@ LABEL org.opencontainers.image.url="https://openpolicyregistry.io"
 
 RUN apk add --no-cache bash
 WORKDIR /app
-COPY --from=build /src/dist/build_linux_amd64_v1/policy /app/
+COPY --from=build /src/dist/policy_linux_amd64_v1/policy /app/
 
 COPY --from=build /src/scripts /app/
 RUN  chmod +x /app/*.sh
diff --git a/cmd/policy/main.go b/cmd/policy/main.go
@@ -16,7 +16,10 @@ import (
 )
 
 const (
-	appName string = "policy"
+	appName        string = "policy"
+	verbosityError int    = 0
+	verbosityInfo  int    = 1
+	verbosityDebug int    = 2
 )
 
 var tmpConfig *config.Config
@@ -69,7 +72,10 @@ func resolveTmpConfig(context *kong.Context) {
 		return
 	}
 
-	configPath, _ := context.FlagValue(configFlag).(string)
+	configPath, ok := context.FlagValue(configFlag).(string)
+	if !ok {
+		panic("config path cast failed")
+	}
 
 	cfgLogger, err := config.NewLoggerConfig(config.Path(configPath), nil)
 	if err != nil {
@@ -121,12 +127,6 @@ var PolicyCLI struct {
 	Version   VersionCmd   `cmd:"" help:"Prints version information."`
 }
 
-const (
-	logLevelError int = 0
-	logLevelInfo  int = 1
-	logLevelDebug int = 2
-)
-
 func (g *Globals) setup() func() {
 	configFile := g.Config
 
@@ -136,11 +136,11 @@ func (g *Globals) setup() func() {
 		config.Path(configFile),
 		func(c *config.Config) {
 			switch g.Verbosity {
-			case logLevelError:
+			case verbosityError:
 				c.Logging.LogLevel = "error"
-			case logLevelInfo:
+			case verbosityInfo:
 				c.Logging.LogLevel = "info"
-			case logLevelDebug:
+			case verbosityDebug:
 				c.Logging.LogLevel = "debug"
 			default:
 				c.Logging.LogLevel = "trace"
diff --git a/pkg/app/build.go b/pkg/app/build.go
@@ -12,8 +12,6 @@ import (
 	"github.com/aserto-dev/runtime"
 	"github.com/containerd/errdefs"
 	"github.com/distribution/reference"
-	"github.com/rs/zerolog"
-
 	oras "github.com/opcr-io/oras-go/v2"
 	"github.com/opcr-io/oras-go/v2/content"
 	orasoci "github.com/opcr-io/oras-go/v2/content/oci"
@@ -22,6 +20,7 @@ import (
 	"github.com/opencontainers/go-digest"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/pkg/errors"
+	"github.com/rs/zerolog"
 )
 
 const (
@@ -30,7 +29,10 @@ const (
 )
 
 //nolint:funlen
-func (c *PolicyApp) Build(ref string, path []string, annotations map[string]string,
+func (c *PolicyApp) Build(
+	ref string,
+	path []string,
+	annotations map[string]string,
 	runConfigFile string,
 	target string,
 	optimizationLevel int,
diff --git a/pkg/app/init.go b/pkg/app/init.go
@@ -8,6 +8,7 @@ import (
 
 	"github.com/aserto-dev/scc-lib/generators"
 	"github.com/magefile/mage/sh"
+	"github.com/opcr-io/policy/pkg/x"
 	"github.com/opcr-io/policy/templates"
 
 	"github.com/pkg/errors"
@@ -96,11 +97,9 @@ func (c *PolicyApp) generateContent(generatorConf *generators.Config, outPath, s
 	return nil
 }
 
-const ownerReadWriteExecute os.FileMode = 0o700
-
 func (c *PolicyApp) validatePath(path string) error {
 	if exist, _ := generators.DirExist(path); !exist {
-		if err := os.MkdirAll(path, ownerReadWriteExecute); err != nil {
+		if err := os.MkdirAll(path, x.OwnerReadWriteExecute); err != nil {
 			return errors.Errorf("root path not a directory '%s'", path)
 		}
 	}
diff --git a/pkg/app/rm.go b/pkg/app/rm.go
@@ -49,11 +49,12 @@ func (c *PolicyApp) Rm(existingRef string, force bool) error {
 	if !ok {
 		return errors.ErrNotFound.WithMessage("policy [%s] not in the local store", existingRef)
 	}
+
 	// attach ref name annotation for comparison.
 	if len(ref.Annotations) == 0 || ref.Annotations[ocispec.AnnotationRefName] == "" {
 		oldAnnotations := ref.Annotations
-
 		ref.Annotations = make(map[string]string)
+
 		if oldAnnotations != nil {
 			ref.Annotations = oldAnnotations
 		}
@@ -84,7 +85,7 @@ func (c *PolicyApp) Rm(existingRef string, force bool) error {
 }
 
 func (c *PolicyApp) removeBasedOnManifest(ociClient *oci.Oci, ref *ocispec.Descriptor, refString string) error {
-	anotherImagewithSameDigest, err := c.buildFromSameImage(ref)
+	anotherImageWithSameDigest, err := c.buildFromSameImage(ref)
 	if err != nil {
 		return err
 	}
@@ -94,7 +95,7 @@ func (c *PolicyApp) removeBasedOnManifest(ociClient *oci.Oci, ref *ocispec.Descr
 		return err
 	}
 
-	if anotherImagewithSameDigest {
+	if anotherImageWithSameDigest {
 		return nil
 	}
 
diff --git a/pkg/app/tag.go b/pkg/app/tag.go
@@ -17,6 +17,7 @@ func (c *PolicyApp) Tag(existingRef, newRef string) error {
 	}
 
 	existingRefParsed := existingRef
+
 	if strings.Contains(existingRef, ":") || strings.Contains(existingRef, "/") {
 		existingRefParsed, err = parser.CalculatePolicyRef(existingRef, c.Configuration.DefaultDomain)
 		if err != nil {
diff --git a/pkg/app/transport.go b/pkg/app/transport.go
@@ -18,13 +18,14 @@ func (c *PolicyApp) TransportWithTrustedCAs() *http.Transport {
 		rootCAs *x509.CertPool
 		err     error
 	)
+
 	if runtime.GOOS != `windows` {
 		rootCAs, err = x509.SystemCertPool()
 		if err != nil {
 			c.UI.Problem().WithErr(err).WithEnd(1).Msg("Failed to load system cert pool.")
 		}
 	} else {
-		// remove runtime check when updating to go1.18 https://github.com/deviceinsight/kafkactl/issues/108.
+		// CLEANUP: Remove runtime check when updating to go1.18 https://github.com/deviceinsight/kafkactl/issues/108
 		if len(c.Configuration.CA) > 0 {
 			c.UI.Exclamation().Msg("Cannot use custom CAs on Windows. Please configure your system store to trust your CAs.")
 		}
diff --git a/pkg/cc/config/config.go b/pkg/cc/config/config.go
@@ -10,15 +10,12 @@ import (
 	"github.com/docker/cli/cli/config"
 	"github.com/docker/cli/cli/config/credentials"
 	"github.com/go-viper/mapstructure/v2"
+	"github.com/opcr-io/policy/pkg/x"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
 	"github.com/spf13/viper"
 )
 
-const (
-	OwnerReadWrite os.FileMode = 0o600
-)
-
 // Overrider is a func that mutates configuration.
 type Overrider func(*Config)
 
@@ -150,12 +147,12 @@ func (c *Config) ReplHistoryFile() string {
 
 func (c *Config) SaveDefaultDomain() error {
 	if _, err := os.Stat(c.FileStoreRoot); err != nil {
-		if err := os.Mkdir(c.FileStoreRoot, OwnerReadWrite); err != nil {
+		if err := os.Mkdir(c.FileStoreRoot, x.OwnerReadWrite); err != nil {
 			return err
 		}
 	}
 
-	return os.WriteFile(filepath.Join(c.FileStoreRoot, defaultDomain), []byte(c.DefaultDomain), OwnerReadWrite)
+	return os.WriteFile(filepath.Join(c.FileStoreRoot, defaultDomain), []byte(c.DefaultDomain), x.OwnerReadWrite)
 }
 
 func (c *Config) LoadDefaultDomain() error {
diff --git a/pkg/x/fs.go b/pkg/x/fs.go
@@ -0,0 +1,8 @@
+package x
+
+import "os"
+
+const (
+	OwnerReadWrite        os.FileMode = 0o600
+	OwnerReadWriteExecute os.FileMode = 0o700
+)
diff --git a/scripts/build.sh b/scripts/build.sh
@@ -1,17 +1,20 @@
 #!/usr/bin/env bash
 
 # set defaults when not set
-[ -z "${INPUT_REVISION}" ]   && INPUT_REVISION=${GITHUB_SHA}
-[ -z "${INPUT_VERBOSITY}" ]  && INPUT_VERBOSITY="error"
-[ -z "${INPUT_SOURCE_URL}" ] && INPUT_SOURCE_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}"
-[ -z "${INPUT_REGO_VERSION}"] && INPUT_REGO_VERSION="rego.v0"
+[ -z "${INPUT_REVISION}" ]    && INPUT_REVISION=${GITHUB_SHA}
+[ -z "${INPUT_VERBOSITY}" ]   && INPUT_VERBOSITY="error"
+[ -z "${INPUT_SOURCE_URL}" ]  && INPUT_SOURCE_URL="${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}"
+[ -z "${INPUT_REGO_VERSION}"] && INPUT_REGO_VERSION="rego.v1"
+[ -z "${INPUT_OPTIMIZE}"]     && INPUT_OPTIMIZE="disabled"
+[ -z "${INPUT_ENTRYPOINT}"]   && INPUT_ENTRYPOINT=""
 
 # validate if values are set
 [ -z "${INPUT_SRC}" ]        && echo "INPUT_SRC is not set exiting" && exit 2
 [ -z "${INPUT_TAG}" ]        && exit "INPUT_TAG is not set exiting" && exit 2
 [ -z "${INPUT_REVISION}" ]   && exit "INPUT_REVISION is not set exiting" && exit 2
 [ -z "${INPUT_VERBOSITY}" ]  && exit "INPUT_VERBOSITY is not set exiting" && exit 2
 [ -z "${INPUT_SOURCE_URL}" ] && exit "INPUT_SOURCE_URL is not set exiting" && exit 2
+[ -z "${INPUT_OPTIMIZE}" ]   && exit "INPUT_OPTIMIZE is not set exiting" && exit 2
 
 if [[ -z "${GITHUB_WORKSPACE}" ]]; then
   SRC_PATH=$PWD/$INPUT_SRC
@@ -42,6 +45,20 @@ case ${INPUT_VERBOSITY} in
     ;;
 esac
 
+OPTIMIZE=0
+case ${INPUT_OPTIMIZE} in
+  "disabled")
+    OPTIMIZE=0
+    ;;
+  "recommended")
+    OPTIMIZE=1
+    ;;
+  "aggressive")
+    OPTIMIZE=2
+    ;;
+esac
+
+
 # output all inputs env variables
 echo "POLICY-BUILD        $(/app/policy version | sed 's/Policy CLI.//g')"
 printf "\n"
@@ -52,6 +69,8 @@ echo "INPUT_REVISION      ${INPUT_REVISION}"
 echo "INPUT_VERBOSITY     ${INPUT_VERBOSITY} (${VERBOSITY})"
 echo "INPUT_SOURCE_URL    ${INPUT_SOURCE_URL}"
 echo "INPUT_REGO_VERSION  ${INPUT_REGO_VERSION}"
+echo "INPUT_OPTIMIZE      ${INPUT_OPTIMIZE} (${OPTIMIZE})"
+echo "INPUT_ENTRYPOINT    ${INPUT_ENTRYPOINT}"
 echo "SRC_PATH            ${SRC_PATH}"
 printf "\n"
 
@@ -61,7 +80,7 @@ printf "\n"
 e_code=0
 
 # construct commandline arguments 
-CMD="/app/policy build ${SRC_PATH} --tag ${INPUT_TAG} --rego-version=${INPUT_REGO_VERSION} --verbosity=${VERBOSITY} --annotations=org.opencontainers.image.source=${INPUT_SOURCE_URL}"
+CMD="/app/policy build ${SRC_PATH} --tag ${INPUT_TAG} --rego-version=${INPUT_REGO_VERSION} --verbosity=${VERBOSITY} --optimize=${OPTIMIZE} --annotations=org.opencontainers.image.source=${INPUT_SOURCE_URL} --entrypoint=${INPUT_ENTRYPOINT}"
 
 # execute command
 eval "$CMD" || e_code=1
diff --git a/templates/github/.github/workflows/build-release-policy.yaml.tmpl b/templates/github/.github/workflows/build-release-policy.yaml.tmpl

Original file line number	Diff line number	Diff line change
`@@ -8,6 +8,7 @@ import (`
`8`	`8`
`9`	`9`	`"github.com/aserto-dev/scc-lib/generators"`
`10`	`10`	`"github.com/magefile/mage/sh"`
	`11`	`+ "github.com/opcr-io/policy/pkg/x"`
`11`	`12`	`"github.com/opcr-io/policy/templates"`
`12`	`13`
`13`	`14`	`"github.com/pkg/errors"`
`@@ -96,11 +97,9 @@ func (c PolicyApp) generateContent(generatorConf generators.Config, outPath, s`
`96`	`97`	`return nil`
`97`	`98`	`}`
`98`	`99`
`99`		`-const ownerReadWriteExecute os.FileMode = 0o700`
`100`		`-`
`101`	`100`	`func (c *PolicyApp) validatePath(path string) error {`
`102`	`101`	`if exist, _ := generators.DirExist(path); !exist {`
`103`		`- if err := os.MkdirAll(path, ownerReadWriteExecute); err != nil {`
	`102`	`+ if err := os.MkdirAll(path, x.OwnerReadWriteExecute); err != nil {`
`104`	`103`	`return errors.Errorf("root path not a directory '%s'", path)`
`105`	`104`	`}`
`106`	`105`	`}`
Original file line number	Diff line number	Diff line change
`@@ -49,11 +49,12 @@ func (c *PolicyApp) Rm(existingRef string, force bool) error {`
`49`	`49`	`if !ok {`
`50`	`50`	`return errors.ErrNotFound.WithMessage("policy [%s] not in the local store", existingRef)`
`51`	`51`	`}`
	`52`	`+`
`52`	`53`	`// attach ref name annotation for comparison.`
`53`	`54`	`if len(ref.Annotations) == 0 \|\| ref.Annotations[ocispec.AnnotationRefName] == "" {`
`54`	`55`	`oldAnnotations := ref.Annotations`
`55`		`-`
`56`	`56`	`ref.Annotations = make(map[string]string)`
	`57`	`+`
`57`	`58`	`if oldAnnotations != nil {`
`58`	`59`	`ref.Annotations = oldAnnotations`
`59`	`60`	`}`
`@@ -84,7 +85,7 @@ func (c *PolicyApp) Rm(existingRef string, force bool) error {`
`84`	`85`	`}`
`85`	`86`
`86`	`87`	`func (c PolicyApp) removeBasedOnManifest(ociClient oci.Oci, ref *ocispec.Descriptor, refString string) error {`
`87`		`- anotherImagewithSameDigest, err := c.buildFromSameImage(ref)`
	`88`	`+ anotherImageWithSameDigest, err := c.buildFromSameImage(ref)`
`88`	`89`	`if err != nil {`
`89`	`90`	`return err`
`90`	`91`	`}`
`@@ -94,7 +95,7 @@ func (c PolicyApp) removeBasedOnManifest(ociClient oci.Oci, ref *ocispec.Descr`
`94`	`95`	`return err`
`95`	`96`	`}`
`96`	`97`
`97`		`- if anotherImagewithSameDigest {`
	`98`	`+ if anotherImageWithSameDigest {`
`98`	`99`	`return nil`
`99`	`100`	`}`
`100`	`101`
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,7 @@ func (c *PolicyApp) Tag(existingRef, newRef string) error {`
`17`	`17`	`}`
`18`	`18`
`19`	`19`	`existingRefParsed := existingRef`
	`20`	`+`
`20`	`21`	`if strings.Contains(existingRef, ":") \|\| strings.Contains(existingRef, "/") {`
`21`	`22`	`existingRefParsed, err = parser.CalculatePolicyRef(existingRef, c.Configuration.DefaultDomain)`
`22`	`23`	`if err != nil {`
Original file line number	Diff line number	Diff line change
`@@ -18,13 +18,14 @@ func (c PolicyApp) TransportWithTrustedCAs() http.Transport {`
`18`	`18`	`rootCAs *x509.CertPool`
`19`	`19`	`err error`
`20`	`20`	`)`
	`21`	`+`
`21`	`22`	if runtime.GOOS != `windows` {
`22`	`23`	`rootCAs, err = x509.SystemCertPool()`
`23`	`24`	`if err != nil {`
`24`	`25`	`c.UI.Problem().WithErr(err).WithEnd(1).Msg("Failed to load system cert pool.")`
`25`	`26`	`}`
`26`	`27`	`} else {`
`27`		`- // remove runtime check when updating to go1.18 https://github.com/deviceinsight/kafkactl/issues/108.`
	`28`	`+ // CLEANUP: Remove runtime check when updating to go1.18 https://github.com/deviceinsight/kafkactl/issues/108`
`28`	`29`	`if len(c.Configuration.CA) > 0 {`
`29`	`30`	`c.UI.Exclamation().Msg("Cannot use custom CAs on Windows. Please configure your system store to trust your CAs.")`
`30`	`31`	`}`