buildah: add WORKINGDIR_MOUNT parameter

chmeliik · chmeliik · commit 9dd10db14f09 · 2025-05-05T08:46:05.000+02:00
Allows to mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build, because we set the workdir to the context dir before calling 'buildah build'. The primary use case for this parameter is for builds that need to write some outputs into a shared directory and reference the output in a later FROM instruction, e.g. FROM oci-archive:./out.ociarchive See konflux-ci/buildah-container#134 for more details. Signed-off-by: Adam Cmiel <acmiel@redhat.com>
diff --git a/task/buildah/0.4/README.md b/task/buildah/0.4/README.md
@@ -38,6 +38,7 @@ When prefetch-dependencies task is activated it is using its artifacts to run bu
 |SBOM_TYPE|Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.|spdx|false|
 |BUILDAH_FORMAT|The format for the resulting image's mediaType. Valid values are oci (default) or docker.|oci|false|
 |ADDITIONAL_BASE_IMAGES|Additional base image references to include to the SBOM. Array of image_reference_with_digest strings|[]|false|
+|WORKINGDIR_MOUNT|Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).|""|false|
 
 ## Results
 |name|description|
diff --git a/task/buildah/0.4/buildah.yaml b/task/buildah/0.4/buildah.yaml
@@ -137,6 +137,13 @@ spec:
       Additional base image references to include to the SBOM. Array of image_reference_with_digest strings
     type: array
     default: []
+  - name: WORKINGDIR_MOUNT
+    description: >-
+      Mount the current working directory into the build using
+      --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the
+      context directory for the build (see the CONTEXT param).
+    type: string
+    default: ""
 
   results:
   - description: Digest of the image just built
@@ -203,6 +210,8 @@ spec:
       value: $(params.SBOM_TYPE)
     - name: ANNOTATIONS_FILE
       value: $(params.ANNOTATIONS_FILE)
+    - name: WORKINGDIR_MOUNT
+      value: $(params.WORKINGDIR_MOUNT)
 
   steps:
   - image: quay.io/konflux-ci/buildah-task:latest@sha256:4d8273444b0f2781264c232e12e88449bbf078c99e3da2a7f6dcaaf27bc53712
@@ -476,6 +485,18 @@ spec:
         echo "Adding the entitlement to the build"
       fi
 
+      if [ -n "$WORKINGDIR_MOUNT" ]; then
+        if [[ "$WORKINGDIR_MOUNT" == *:* ]]; then
+          echo "WORKINGDIR_MOUNT contains ':'" >&2
+          echo "Refusing to proceed in case this is an attempt to set unexpected mount options." >&2
+          exit 1
+        fi
+        # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'
+        # (we set the workdir using 'unshare -w')
+        context_dir=$(realpath "${SOURCE_CODE_DIR}/${CONTEXT}")
+        VOLUME_MOUNTS+=(--volume "$context_dir:${WORKINGDIR_MOUNT}")
+      fi
+
       if [ -n "${ADDITIONAL_VOLUME_MOUNTS-}" ]; then
         # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.
         # Instrumented builds (SAST) use this step as their base and add some other tools.
