[use-trusted-artifact] Using token for quay.io/opendatahub/kserve [use-trusted-artifact] Executing: oras blob fetch --registry-config /tmp/use-oci.sh.GtZxjb/auth-S23VMR.json quay.io/opendatahub/kserve@sha256:4e3569ab2c0d50172b3fd43f515168efb4f5909b5105d0095f68e6445847622b --output - [use-trusted-artifact] Restored artifact quay.io/opendatahub/kserve@sha256:4e3569ab2c0d50172b3fd43f515168efb4f5909b5105d0095f68e6445847622b to /var/workdir/source [use-trusted-artifact] WARN: artifact URI not provided, (given: =/var/workdir/cachi2) [use-trusted-artifact] [build] [build] echo "[$(date --utc -Ins)] Prepare connection" [build] [2026-04-22T18:32:51,834490376+00:00] Prepare connection [build] [build] mkdir -p ~/.ssh [build] if [ -e "/ssh/error" ]; then [build] #no server could be provisioned [build] cat /ssh/error [build] exit 1 [build] fi [build] export SSH_HOST=$(cat /ssh/host) [build] [build] if [ "$SSH_HOST" == "localhost" ] ; then [build] IS_LOCALHOST=true [build] echo "Localhost detected; running build in cluster" [build] elif [ -e "/ssh/otp" ]; then [build] curl --cacert /ssh/otp-ca -XPOST -d @/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa [build] echo "" >> ~/.ssh/id_rsa [build] else [build] cp /ssh/id_rsa ~/.ssh [build] fi [build] Localhost detected; running build in cluster [build] [build] mkdir -p scripts [build] [build] if ! [[ $IS_LOCALHOST ]]; then [build] echo "[$(date --utc -Ins)] Setup VM" [build] [build] if [[ "$BUILDAH_HTTP_PROXY" =~ .+\.cluster\.local ]]; then [build] echo "[$(date --utc -Ins)] Ignoring cluster local proxy for remote build" [build] unset BUILDAH_HTTP_PROXY BUILDAH_NO_PROXY [build] fi [build] [build] chmod 0400 ~/.ssh/id_rsa [build] export BUILD_DIR=$(cat /ssh/user-dir) [build] export SSH_ARGS="-o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=10" [build] echo "$BUILD_DIR" [build] # shellcheck disable=SC2086 [build] ssh $SSH_ARGS "$SSH_HOST" mkdir -p "${BUILD_DIR@Q}/workspaces" "${BUILD_DIR@Q}/scripts" "${BUILD_DIR@Q}/volumes" [build] [build] PORT_FORWARD="" [build] PODMAN_PORT_FORWARD="" [build] if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] ; then [build] PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" [build] PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" [build] fi [build] [build] echo "[$(date --utc -Ins)] Rsync data" [build] [build] rsync -razW /shared/ "$SSH_HOST:$BUILD_DIR/volumes/shared/" [build] rsync -razW /var/workdir/ "$SSH_HOST:$BUILD_DIR/volumes/workdir/" [build] rsync -razW /entitlement/ "$SSH_HOST:$BUILD_DIR/volumes/etc-pki-entitlement/" [build] rsync -razW /activation-key/ "$SSH_HOST:$BUILD_DIR/volumes/activation-key/" [build] rsync -razW /additional-secret/ "$SSH_HOST:$BUILD_DIR/volumes/additional-secret/" [build] rsync -razW /mnt/trusted-ca/ "$SSH_HOST:$BUILD_DIR/volumes/trusted-ca/" [build] rsync -razW /mnt/proxy-ca-bundle/ "$SSH_HOST:$BUILD_DIR/volumes/proxy-ca-bundle/" [build] rsync -razW "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" [build] rsync -razW --mkpath "/usr/bin/retry" "$SSH_HOST:$BUILD_DIR/usr/bin/retry" [build] rsync -razW "/tekton/results/" "$SSH_HOST:$BUILD_DIR/results/" [build] fi [build] if [ "${IMAGE_APPEND_PLATFORM}" == "true" ]; then [build] IMAGE="${IMAGE}-${PLATFORM//[^a-zA-Z0-9]/-}" [build] export IMAGE [build] fi [build] [build] cat >scripts/script-build.sh <<'REMOTESSHEOF' [build] #!/bin/bash [build] set -euo pipefail [build] cd /var/workdir [build] [build] function set_proxy { [build] if [ -n "${BUILDAH_HTTP_PROXY}" ]; then [build] echo "[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}" [build] export HTTP_PROXY="${BUILDAH_HTTP_PROXY}" [build] export HTTPS_PROXY="${BUILDAH_HTTP_PROXY}" [build] export ALL_PROXY="${BUILDAH_HTTP_PROXY}" [build] if [ -n "${BUILDAH_NO_PROXY}" ]; then [build] echo "[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}" [build] export NO_PROXY="${BUILDAH_NO_PROXY}" [build] fi [build] fi [build] } [build] [build] function unset_proxy { [build] echo "[$(date --utc -Ins)] Unsetting proxy" [build] unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY [build] } [build] [build] echo "[$(date --utc -Ins)] Validate context path" [build] [build] if [ -z "$CONTEXT" ]; then [build] echo "WARNING: CONTEXT is empty. Defaulting to '.' (the source directory)." >&2 [build] CONTEXT="." [build] fi [build] [build] source_dir_path=$(realpath "$SOURCE_CODE_DIR") [build] context_dir_path=$(realpath "$SOURCE_CODE_DIR/$CONTEXT") [build] [build] case "$context_dir_path" in [build] "$source_dir_path" | "$source_dir_path/"*) [build] # path is valid, do nothing [build] ;; [build] *) [build] echo "ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory." >&2 [build] echo "Source path: $source_dir_path" >&2 [build] echo "Resolved path: $context_dir_path" >&2 [build] exit 1 [build] ;; [build] esac [build] [build] echo "[$(date --utc -Ins)] Update CA trust" [build] [build] ca_bundle=/mnt/trusted-ca/ca-bundle.crt [build] proxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt [build] update_ca_trust=false [build] [build] if [ -f "$ca_bundle" ]; then [build] echo "[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle" [build] cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt [build] update_ca_trust=true [build] fi [build] [build] if [ -f "$proxy_ca_bundle" ] && [ -n "${BUILDAH_HTTP_PROXY}" ]; then [build] echo "[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle" [build] cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt [build] update_ca_trust=true [build] fi [build] [build] if [ "$update_ca_trust" = "true" ]; then [build] update-ca-trust [build] fi [build] [build] echo "[$(date --utc -Ins)] Prepare Dockerfile" [build] [build] if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then [build] dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" [build] elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then [build] dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE" [build] elif [ -e "$DOCKERFILE" ]; then [build] # Instrumented builds (SAST) use this custom dockerfile step as their base [build] dockerfile_path="$DOCKERFILE" [build] elif echo "$DOCKERFILE" | grep -q "^https\?://"; then [build] echo "Fetch Dockerfile from $DOCKERFILE" [build] dockerfile_path=$(mktemp --suffix=-Dockerfile) [build] http_code=$(curl -s -S -L -w "%{http_code}" --output "$dockerfile_path" "$DOCKERFILE") [build] if [ "$http_code" != 200 ]; then [build] echo "No Dockerfile is fetched. Server responds $http_code" [build] exit 1 [build] fi [build] http_code=$(curl -s -S -L -w "%{http_code}" --output "$dockerfile_path.dockerignore.tmp" "$DOCKERFILE.dockerignore") [build] if [ "$http_code" = 200 ]; then [build] echo "Fetched .dockerignore from $DOCKERFILE.dockerignore" [build] mv "$dockerfile_path.dockerignore.tmp" "$SOURCE_CODE_DIR/$CONTEXT/.dockerignore" [build] fi [build] else [build] echo "Cannot find Dockerfile $DOCKERFILE" [build] exit 1 [build] fi [build] [build] dockerfile_copy=$(mktemp --tmpdir "$(basename "$dockerfile_path").XXXXXX") [build] cp "$dockerfile_path" "$dockerfile_copy" [build] [build] # Inject the image content manifest into the container we are producing. [build] # This will generate the content-sets.json file and copy it by appending a COPY [build] # instruction to the Containerfile. [build] icm_opts=() [build] if [ "${ICM_KEEP_COMPAT_LOCATION}" = "true" ]; then [build] icm_opts+=(-c) [build] fi [build] if [ "${SKIP_INJECTIONS}" = "false" ]; then [build] inject-icm-to-containerfile "${icm_opts[@]}" "$dockerfile_copy" "/var/workdir/cachi2/output/bom.json" "$SOURCE_CODE_DIR/$CONTEXT" [build] fi [build] [build] echo "[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))" [build] [build] # Fixing group permission on /var/lib/containers [build] chown root:root /var/lib/containers [build] [build] sed -i 's/^\s*short-name-mode\s*=\s*.*/short-name-mode = "disabled"/' /etc/containers/registries.conf [build] [build] # Setting new namespace to run buildah - 2^32-2 [build] echo 'root:1:4294967294' | tee -a /etc/subuid >>/etc/subgid [build] [build] build_args=() [build] if [ -n "${BUILD_ARGS_FILE}" ]; then [build] # Parse BUILD_ARGS_FILE ourselves because dockerfile-json doesn't support it [build] echo "Parsing ARGs from $BUILD_ARGS_FILE" [build] mapfile -t build_args < <( [build] # https://www.mankier.com/1/buildah-build#--build-arg-file [build] # delete lines that start with # [build] # delete blank lines [build] sed -e '/^#/d' -e '/^\s*$/d' "${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}" [build] ) [build] fi [build] [build] LABELS=() [build] ANNOTATIONS=() [build] # Append any annotations from the specified file [build] if [ -n "${ANNOTATIONS_FILE}" ] && [ -f "${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}" ]; then [build] echo "Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}" [build] while IFS= read -r line || [[ -n "$line" ]]; do [build] # Skip empty lines and comments [build] if [[ -n "$line" && ! "$line" =~ ^[[:space:]]*# ]]; then [build] ANNOTATIONS+=("--annotation" "$line") [build] fi [build] done <"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}" [build] fi [build] [build] # Split `args` into two sets of arguments. [build] while [[ $# -gt 0 ]]; do [build] case $1 in [build] --build-args) [build] shift [build] # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being [build] # passed to buildah. In that case, the *last* occurrence takes precedence. This is why [build] # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE [build] while [[ $# -gt 0 && $1 != --* ]]; do [build] build_args+=("$1") [build] shift [build] done [build] ;; [build] --labels) [build] shift [build] while [[ $# -gt 0 && $1 != --* ]]; do [build] LABELS+=("--label" "$1") [build] shift [build] done [build] ;; [build] --annotations) [build] shift [build] while [[ $# -gt 0 && $1 != --* ]]; do [build] ANNOTATIONS+=("--annotation" "$1") [build] shift [build] done [build] ;; [build] *) [build] echo "unexpected argument: $1" >&2 [build] exit 2 [build] ;; [build] esac [build] done [build] [build] BUILD_ARG_FLAGS=() [build] for build_arg in "${build_args[@]}"; do [build] BUILD_ARG_FLAGS+=("--build-arg=$build_arg") [build] done [build] [build] # Dockerfile-json cannot parse Buildah's host variables, we have to pass them manually [build] BUILDAH_INFO=$(buildah info) [build] BUILDAH_OS=$(jq -r '.host.os' <<<"$BUILDAH_INFO") [build] BUILDAH_ARCH=$(jq -r '.host.arch' <<<"$BUILDAH_INFO") [build] BUILDAH_VARIANT=$(jq -r '.host.variant' <<<"$BUILDAH_INFO") [build] BUILDAH_PLATFORM="${BUILDAH_OS}/${BUILDAH_ARCH}" [build] [build] DOCKERFILE_ARG_FLAGS=() [build] [build] # Reference for variables: [build] # https://docs.docker.com/build/building/variables/#pre-defined-build-arguments [build] PREFIXES=('BUILD' 'TARGET') [build] for PREFIX in "${PREFIXES[@]}"; do [build] DOCKERFILE_ARG_FLAGS+=("--build-arg=${PREFIX}PLATFORM=${BUILDAH_PLATFORM}") [build] DOCKERFILE_ARG_FLAGS+=("--build-arg=${PREFIX}OS=${BUILDAH_OS}") [build] DOCKERFILE_ARG_FLAGS+=("--build-arg=${PREFIX}ARCH=${BUILDAH_ARCH}") [build] DOCKERFILE_ARG_FLAGS+=("--build-arg=${PREFIX}VARIANT=${BUILDAH_VARIANT}") [build] done [build] [build] DOCKERFILE_ARG_FLAGS+=("${BUILD_ARG_FLAGS[@]}") [build] [build] dockerfile-json "${DOCKERFILE_ARG_FLAGS[@]}" "$dockerfile_copy" >/shared/parsed_dockerfile.json [build] BASE_IMAGES=$( [build] jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)' /shared/parsed_dockerfile.json | [build] tr -d '"' | [build] tr -d "'" [build] ) [build] [build] BUILDAH_ARGS=() [build] UNSHARE_ARGS=() [build] [build] if [ "${HERMETIC}" == "true" ]; then [build] BUILDAH_ARGS+=("--pull=never") [build] UNSHARE_ARGS+=("--net") [build] buildah_retries=3 [build] [build] set_proxy [build] [build] for image in $BASE_IMAGES; do [build] if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry "$buildah_retries" "$image"; then [build] echo "Failed to pull base image ${image}" [build] exit 1 [build] fi [build] done [build] [build] unset_proxy [build] [build] echo "Build will be executed with network isolation" [build] fi [build] [build] if [ -n "${TARGET_STAGE}" ]; then [build] BUILDAH_ARGS+=("--target=${TARGET_STAGE}") [build] fi [build] [build] BUILDAH_ARGS+=("${BUILD_ARG_FLAGS[@]}") [build] [build] # Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux [build] # TODO remove the option once all hosts were updated [build] BUILDAH_ARGS+=("--security-opt=unmask=/proc/interrupts") [build] [build] if [ "${PRIVILEGED_NESTED}" == "true" ]; then [build] BUILDAH_ARGS+=("--security-opt=label=disable") [build] BUILDAH_ARGS+=("--cap-add=all") [build] BUILDAH_ARGS+=("--device=/dev/fuse") [build] fi [build] [build] if [ -n "${ADD_CAPABILITIES}" ]; then [build] BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}") [build] fi [build] [build] if [ "${SQUASH}" == "true" ]; then [build] BUILDAH_ARGS+=("--squash") [build] fi [build] [build] if [ "${SKIP_UNUSED_STAGES}" != "true" ]; then [build] BUILDAH_ARGS+=("--skip-unused-stages=false") [build] fi [build] [build] if [ "${INHERIT_BASE_IMAGE_LABELS}" != "true" ]; then [build] BUILDAH_ARGS+=("--inherit-labels=false") [build] fi [build] [build] if [ -n "${BUILDAH_SOURCE_DATE_EPOCH}" ]; then [build] BUILDAH_ARGS+=("--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}") [build] if [ "${BUILDAH_REWRITE_TIMESTAMP}" = "true" ]; then [build] BUILDAH_ARGS+=("--rewrite-timestamp") [build] fi [build] if [ -n "$BUILD_TIMESTAMP" ]; then [build] echo "ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH" [build] exit 1 [build] fi [build] # but do set it so that we get all the labels/annotations associated with it [build] BUILD_TIMESTAMP="$BUILDAH_SOURCE_DATE_EPOCH" [build] fi [build] [build] if [ "${BUILDAH_OMIT_HISTORY}" == "true" ]; then [build] BUILDAH_ARGS+=("--omit-history") [build] fi [build] [build] VOLUME_MOUNTS=() [build] [build] echo "[$(date --utc -Ins)] Setup prefetched" [build] [build] if [ -f "/var/workdir/cachi2/cachi2.env" ]; then [build] cp -r "/var/workdir/cachi2" /tmp/ [build] chmod -R go+rwX /tmp/cachi2 [build] VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2) [build] # Read in the whole file (https://unix.stackexchange.com/questions/533277), then [build] # for each RUN ... line insert the cachi2.env command *after* any options like --mount [build] sed -E -i \ [build] -e 'H;1h;$!d;x' \ [build] -e 's@^\s*(run((\s|\\\n)+-\S+)*(\s|\\\n)+)@\1. /cachi2/cachi2.env \&\& \\\n @igM' \ [build] "$dockerfile_copy" [build] echo "Prefetched content will be made available" [build] [build] prefetched_repo_for_my_arch="/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo" [build] if [ -f "$prefetched_repo_for_my_arch" ]; then [build] echo "Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED" [build] mkdir -p "$YUM_REPOS_D_FETCHED" [build] if [ ! -f "${YUM_REPOS_D_FETCHED}/cachi2.repo" ]; then [build] cp "$prefetched_repo_for_my_arch" "$YUM_REPOS_D_FETCHED" [build] fi [build] fi [build] fi [build] [build] # if yum repofiles stored in git, copy them to mount point outside the source dir [build] if [ -d "${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}" ]; then [build] mkdir -p "${YUM_REPOS_D_FETCHED}" [build] cp -r "${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}"/* "${YUM_REPOS_D_FETCHED}" [build] fi [build] [build] # if anything in the repofiles mount point (either fetched or from git), mount it [build] if [ -d "${YUM_REPOS_D_FETCHED}" ]; then [build] chmod -R go+rwX "${YUM_REPOS_D_FETCHED}" [build] mount_point=$(realpath "${YUM_REPOS_D_FETCHED}") [build] VOLUME_MOUNTS+=(--volume "${mount_point}:${YUM_REPOS_D_TARGET}") [build] fi [build] [build] DEFAULT_LABELS=( [build] "--label" "architecture=$(uname -m)" [build] "--label" "vcs-type=git" [build] ) [build] if [ -n "$COMMIT_SHA" ]; then [build] DEFAULT_LABELS+=("--label" "vcs-ref=${COMMIT_SHA}" "--label" "org.opencontainers.image.revision=${COMMIT_SHA}") [build] ANNOTATIONS+=("--annotation" "org.opencontainers.image.revision=${COMMIT_SHA}") [build] fi [build] if [ -n "$SOURCE_URL" ]; then [build] DEFAULT_LABELS+=("--label" "org.opencontainers.image.source=${SOURCE_URL}") [build] ANNOTATIONS+=("--annotation" "org.opencontainers.image.source=${SOURCE_URL}") [build] fi [build] [ -n "$IMAGE_EXPIRES_AFTER" ] && DEFAULT_LABELS+=("--label" "quay.expires-after=$IMAGE_EXPIRES_AFTER") [build] [build] BUILD_TIMESTAMP_RFC3339="" [build] if [ -n "$BUILD_TIMESTAMP" ]; then [build] BUILD_TIMESTAMP_RFC3339=$(date -u -d "@$BUILD_TIMESTAMP" +'%Y-%m-%dT%H:%M:%SZ') [build] else [build] BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ') [build] fi [build] [build] DEFAULT_LABELS+=("--label" "build-date=${BUILD_TIMESTAMP_RFC3339}") [build] DEFAULT_LABELS+=("--label" "org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}") [build] ANNOTATIONS+=("--annotation" "org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}") [build] [build] label_pairs=() [build] # If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only [build] touch base_images_labels.json [build] if [[ "$INHERIT_BASE_IMAGE_LABELS" == "true" ]] && [[ -n "$BASE_IMAGES" ]]; then [build] FINAL_BASE_IMAGE=$( [build] # Get the base image of the final stage [build] # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...' [build] # Define a function that keeps nesting recursively into the parent stages until it finds the original base image [build] # Run the find_root_stage() function on the final stage [build] # If the final stage is scratch or oci-archive, return empty [build] jq -r '.Stages as $all_stages | [build] def find_root_stage($stage): [build] if $stage.From.Stage then [build] find_root_stage($all_stages[$stage.From.Stage.Index]) [build] else [build] $stage [build] end; [build] [build] find_root_stage(.Stages[-1]) | [build] if .From.Scratch or (.BaseName | test("^oci-archive:")) then [build] empty [build] else [build] .BaseName [build] end' /shared/parsed_dockerfile.json | [build] tr -d '"' | [build] tr -d "'" [build] ) [build] if [[ -n "$FINAL_BASE_IMAGE" ]]; then [build] set_proxy [build] buildah pull "$FINAL_BASE_IMAGE" >/dev/null$() [build] unset_proxy [build] buildah inspect "$FINAL_BASE_IMAGE" | jq '.OCIv1.config.Labels' >"base_images_labels.json" [build] fi [build] fi [build] [build] # Concatenate defaults and explicit labels. If a label appears twice, the last one wins. [build] LABELS=("${DEFAULT_LABELS[@]}" "${LABELS[@]}") [build] [build] # Get all the default and explicit labels so that they can be written into labels.json [build] for label in "${LABELS[@]}"; do [build] if [[ "$label" != "--label" ]]; then [build] label_pairs+=("$label") [build] fi [build] done [build] [build] # Labels that we explicitly add to the image [build] label_pairs+=("org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}") [build] label_pairs+=("io.buildah.version=$(buildah version --json | jq -r '.version')") [build] [build] while IFS= read -r label; do [build] label_pairs+=("$label") [build] done < <(jq -r '.Stages[].Commands[] | select(.Name == "LABEL") | .Labels[] | "\(.Key)=\(.Value)"' /shared/parsed_dockerfile.json | sed 's/"//g') [build] [build] printf '%s\n' "${label_pairs[@]}" | jq -Rn ' [build] [ inputs | select(length>0) ] [build] | map( split("=") | {(.[0]): (.[1] // "")} ) [build] | add' >"image_labels.json" [build] [build] jq -s '(.[0] // {}) * (.[1] // {})' "base_images_labels.json" "image_labels.json" >"$SOURCE_CODE_DIR/$CONTEXT/labels.json" [build] [build] jq '.' "$SOURCE_CODE_DIR/$CONTEXT/labels.json" [build] [build] if [ "${SKIP_INJECTIONS}" = "false" ]; then [build] echo "" >>"$dockerfile_copy" [build] # Always write labels.json to the new standard location [build] echo 'COPY labels.json /usr/share/buildinfo/labels.json' >>"$dockerfile_copy" [build] # Conditionally write to the old location for backward compatibility [build] if [ "${ICM_KEEP_COMPAT_LOCATION}" = "true" ]; then [build] echo 'COPY labels.json /root/buildinfo/labels.json' >>"$dockerfile_copy" [build] fi [build] fi [build] [build] # Make sure our labels.json file isn't filtered out [build] containerignore="" [build] if [ -f "$SOURCE_CODE_DIR/$CONTEXT/.containerignore" ]; then [build] containerignore="$SOURCE_CODE_DIR/$CONTEXT/.containerignore" [build] elif [ -f "$SOURCE_CODE_DIR/$CONTEXT/.dockerignore" ]; then [build] containerignore="$SOURCE_CODE_DIR/$CONTEXT/.dockerignore" [build] fi [build] [build] if [ -n "$containerignore" ]; then [build] ignorefile_copy=$(mktemp --tmpdir "$(basename "$containerignore").XXXXXX") [build] cp "$containerignore" "$ignorefile_copy" [build] { [build] echo "" [build] echo "!/labels.json" [build] echo "!/content-sets.json" [build] } >>"$ignorefile_copy" [build] BUILDAH_ARGS+=(--ignorefile "$ignorefile_copy") [build] fi [build] [build] echo "[$(date --utc -Ins)] Register sub-man" [build] [build] ACTIVATION_KEY_PATH="/activation-key" [build] ENTITLEMENT_PATH="/entitlement" [build] [build] # 0. if hermetic=true, skip all subscription related stuff [build] # 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key. [build] # 2. Activation-keys will be used when the key 'org' exists in the activation key secret. [build] # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles. [build] # 3. If the Dockerfile contains the string "subcription-manager register", add the activation-keys volume [build] # to buildah but don't pre-register for backwards compatibility. Mount an empty directory on [build] # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included [build] [build] if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then [build] cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key [build] mkdir -p /shared/rhsm/etc/pki/entitlement [build] mkdir -p /shared/rhsm/etc/pki/consumer [build] [build] VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key [build] -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z [build] -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z) [build] echo "Adding activation key to the build" [build] [build] if ! grep -E "^[^#]*subscription-manager.[^#]*register" "$dockerfile_path"; then [build] # user is not running registration in the Containerfile: pre-register. [build] echo "Pre-registering with subscription manager." [build] export RETRY_MAX_TRIES=6 [build] if ! retry subscription-manager register --org "$(cat /tmp/activation-key/org)" --activationkey "$(cat /tmp/activation-key/activationkey)"; then [build] echo "Subscription-manager register failed" [build] exit 1 [build] fi [build] unset RETRY_MAX_TRIES [build] trap 'subscription-manager unregister || true' EXIT [build] [build] # copy generated certificates to /shared volume [build] cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement [build] cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer [build] [build] # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca [build] VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z) [build] fi [build] [build] elif [ "${HERMETIC}" != "true" ] && find /entitlement -name "*.pem" >>null; then [build] cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement [build] VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement) [build] echo "Adding the entitlement to the build" [build] fi [build] [build] if [ -n "$WORKINGDIR_MOUNT" ]; then [build] if [[ "$WORKINGDIR_MOUNT" == *:* ]]; then [build] echo "WORKINGDIR_MOUNT contains ':'" >&2 [build] echo "Refusing to proceed in case this is an attempt to set unexpected mount options." >&2 [build] exit 1 [build] fi [build] # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build' [build] # (we set the workdir using 'unshare -w') [build] context_dir=$(realpath "${SOURCE_CODE_DIR}/${CONTEXT}") [build] VOLUME_MOUNTS+=(--volume "$context_dir:${WORKINGDIR_MOUNT}") [build] fi [build] [build] if [ -n "${ADDITIONAL_VOLUME_MOUNTS-}" ]; then [build] # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build. [build] # Instrumented builds (SAST) use this step as their base and add some other tools. [build] while read -r volume_mount; do [build] VOLUME_MOUNTS+=("--volume=$volume_mount") [build] done <<<"$ADDITIONAL_VOLUME_MOUNTS" [build] fi [build] [build] echo "[$(date --utc -Ins)] Add secrets" [build] [build] ADDITIONAL_SECRET_PATH="/additional-secret" [build] ADDITIONAL_SECRET_TMP="/tmp/additional-secret" [build] if [ -d "$ADDITIONAL_SECRET_PATH" ]; then [build] cp -r --preserve=mode -L "$ADDITIONAL_SECRET_PATH" $ADDITIONAL_SECRET_TMP [build] while read -r filename; do [build] echo "Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}" [build] BUILDAH_ARGS+=("--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}") [build] done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;) [build] fi [build] [build] # Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not. [build] declare IMAGE [build] [build] buildah_cmd_array=( [build] buildah build [build] "${VOLUME_MOUNTS[@]}" [build] "${BUILDAH_ARGS[@]}" [build] "${LABELS[@]}" [build] "${ANNOTATIONS[@]}" [build] --tls-verify="$TLSVERIFY" --no-cache [build] --ulimit nofile=4096:4096 [build] --http-proxy=false [build] -f "$dockerfile_copy" -t "$IMAGE" . [build] ) [build] buildah_cmd=$(printf "%q " "${buildah_cmd_array[@]}") [build] [build] if [ "${HERMETIC}" == "true" ]; then [build] # enabling loopback adapter enables Bazel builds to work in hermetic mode. [build] command="ip link set lo up && $buildah_cmd" [build] else [build] command="$buildah_cmd" [build] fi [build] [build] # disable host subcription manager integration [build] find /usr/share/rhel/secrets -type l -exec unlink {} \; [build] [build] set_proxy [build] [build] echo "[$(date --utc -Ins)] Run buildah build" [build] echo "[$(date --utc -Ins)] ${command}" [build] [build] unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" --mount -- sh -c "$command" [build] [build] unset_proxy [build] [build] echo "[$(date --utc -Ins)] Add metadata" [build] [build] # Save the SBOM produced in prefetch so it can be merged into the final SBOM later [build] if [ -f "/tmp/cachi2/output/bom.json" ]; then [build] echo "Making copy of sbom-prefetch.json" [build] cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json [build] fi [build] [build] touch /shared/base_images_digests [build] echo "Recording base image digests used" [build] for image in $BASE_IMAGES; do [build] # Get the image pullspec and filter out a tag if it is not set [build] # Use head -n 1 to ensure we only get one result even if multiple images match the filter [build] base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag "" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference="$image" | head -n 1) [build] # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens [build] # if buildah did not use that particular image during build because it was skipped [build] if [ -n "$base_image_digest" ]; then [build] echo "$image $base_image_digest" | tee -a /shared/base_images_digests [build] fi [build] done [build] [build] image_name=$(echo "${IMAGE##*/}" | tr ':' '-') [build] buildah push "$IMAGE" oci:"/shared/$image_name.oci" [build] echo "/shared/$image_name.oci" >/shared/container_path [build] [build] echo "[$(date --utc -Ins)] End build" [build] [build] buildah push "$IMAGE" "oci:konflux-final-image:$IMAGE" [build] echo "[$(date --utc -Ins)] End push remote" [build] REMOTESSHEOF [build] chmod +x scripts/script-build.sh [build] [build] PODMAN_NVIDIA_ARGS=() [build] if [[ "$PLATFORM" == "linux-g"* ]]; then [build] PODMAN_NVIDIA_ARGS+=("--device=nvidia.com/gpu=all" "--security-opt=label=disable") [build] fi [build] [build] if ! [[ $IS_LOCALHOST ]]; then [build] PRIVILEGED_NESTED_FLAGS=() [build] if [[ "${PRIVILEGED_NESTED}" == "true" ]]; then [build] # This is a workaround for building bootc images because the cache filesystem (/var/tmp/ on the host) must be a real filesystem that supports setting SELinux security attributes. [build] # https://github.com/coreos/rpm-ostree/discussions/4648 [build] # shellcheck disable=SC2086 [build] ssh $SSH_ARGS "$SSH_HOST" mkdir -p "${BUILD_DIR@Q}/var/tmp" [build] PRIVILEGED_NESTED_FLAGS=(--privileged --mount "type=bind,source=$BUILD_DIR/var/tmp,target=/var/tmp,relabel=shared") [build] fi [build] rsync -ra scripts "$SSH_HOST:$BUILD_DIR" [build] echo "[$(date --utc -Ins)] Build via ssh" [build] # shellcheck disable=SC2086 [build] # Please note: all variables below the first ssh line must be quoted with ${var@Q}! [build] # See https://stackoverflow.com/questions/6592376/prevent-ssh-from-breaking-up-shell-script-parameters [build] ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ [build] --tmpfs /run/secrets \ [build] -e ACTIVATION_KEY="${ACTIVATION_KEY@Q}" \ [build] -e ADDITIONAL_SECRET="${ADDITIONAL_SECRET@Q}" \ [build] -e ADD_CAPABILITIES="${ADD_CAPABILITIES@Q}" \ [build] -e ANNOTATIONS_FILE="${ANNOTATIONS_FILE@Q}" \ [build] -e BUILD_ARGS_FILE="${BUILD_ARGS_FILE@Q}" \ [build] -e BUILD_TIMESTAMP="${BUILD_TIMESTAMP@Q}" \ [build] -e CONTEXT="${CONTEXT@Q}" \ [build] -e CONTEXTUALIZE_SBOM="${CONTEXTUALIZE_SBOM@Q}" \ [build] -e ENTITLEMENT_SECRET="${ENTITLEMENT_SECRET@Q}" \ [build] -e HERMETIC="${HERMETIC@Q}" \ [build] -e IMAGE="${IMAGE@Q}" \ [build] -e IMAGE_EXPIRES_AFTER="${IMAGE_EXPIRES_AFTER@Q}" \ [build] -e INHERIT_BASE_IMAGE_LABELS="${INHERIT_BASE_IMAGE_LABELS@Q}" \ [build] -e PRIVILEGED_NESTED="${PRIVILEGED_NESTED@Q}" \ [build] -e SBOM_SKIP_VALIDATION="${SBOM_SKIP_VALIDATION@Q}" \ [build] -e SBOM_SOURCE_SCAN_ENABLED="${SBOM_SOURCE_SCAN_ENABLED@Q}" \ [build] -e SBOM_SYFT_SELECT_CATALOGERS="${SBOM_SYFT_SELECT_CATALOGERS@Q}" \ [build] -e SBOM_TYPE="${SBOM_TYPE@Q}" \ [build] -e SKIP_INJECTIONS="${SKIP_INJECTIONS@Q}" \ [build] -e SKIP_SBOM_GENERATION="${SKIP_SBOM_GENERATION@Q}" \ [build] -e SKIP_UNUSED_STAGES="${SKIP_UNUSED_STAGES@Q}" \ [build] -e SOURCE_CODE_DIR="${SOURCE_CODE_DIR@Q}" \ [build] -e SQUASH="${SQUASH@Q}" \ [build] -e STORAGE_DRIVER="${STORAGE_DRIVER@Q}" \ [build] -e TARGET_STAGE="${TARGET_STAGE@Q}" \ [build] -e TLSVERIFY="${TLSVERIFY@Q}" \ [build] -e WORKINGDIR_MOUNT="${WORKINGDIR_MOUNT@Q}" \ [build] -e YUM_REPOS_D_FETCHED="${YUM_REPOS_D_FETCHED@Q}" \ [build] -e YUM_REPOS_D_SRC="${YUM_REPOS_D_SRC@Q}" \ [build] -e YUM_REPOS_D_TARGET="${YUM_REPOS_D_TARGET@Q}" \ [build] -e COMMIT_SHA="${COMMIT_SHA@Q}" \ [build] -e SOURCE_URL="${SOURCE_URL@Q}" \ [build] -e DOCKERFILE="${DOCKERFILE@Q}" \ [build] -e BUILDAH_HTTP_PROXY="${BUILDAH_HTTP_PROXY@Q}" \ [build] -e BUILDAH_NO_PROXY="${BUILDAH_NO_PROXY@Q}" \ [build] -e ICM_KEEP_COMPAT_LOCATION="${ICM_KEEP_COMPAT_LOCATION@Q}" \ [build] -e BUILDAH_OMIT_HISTORY="${BUILDAH_OMIT_HISTORY@Q}" \ [build] -e BUILDAH_SOURCE_DATE_EPOCH="${BUILDAH_SOURCE_DATE_EPOCH@Q}" \ [build] -e BUILDAH_REWRITE_TIMESTAMP="${BUILDAH_REWRITE_TIMESTAMP@Q}" \ [build] -v "${BUILD_DIR@Q}/volumes/shared:/shared:Z" \ [build] -v "${BUILD_DIR@Q}/volumes/workdir:/var/workdir:Z" \ [build] -v "${BUILD_DIR@Q}/volumes/etc-pki-entitlement:/entitlement:Z" \ [build] -v "${BUILD_DIR@Q}/volumes/activation-key:/activation-key:Z" \ [build] -v "${BUILD_DIR@Q}/volumes/additional-secret:/additional-secret:Z" \ [build] -v "${BUILD_DIR@Q}/volumes/trusted-ca:/mnt/trusted-ca:Z" \ [build] -v "${BUILD_DIR@Q}/volumes/proxy-ca-bundle:/mnt/proxy-ca-bundle:Z" \ [build] -v "${BUILD_DIR@Q}/.docker/:/root/.docker:Z" \ [build] -v "${BUILD_DIR@Q}/usr/bin/retry:/usr/bin/retry:Z" \ [build] -v "${BUILD_DIR@Q}/results/:/tekton/results:Z" \ [build] -v "${BUILD_DIR@Q}/scripts:/scripts:Z" \ [build] "${PRIVILEGED_NESTED_FLAGS[@]@Q}" \ [build] --user=0 "${PODMAN_NVIDIA_ARGS[@]@Q}" --rm "${BUILDER_IMAGE@Q}" /scripts/script-build.sh "${@@Q}" [build] echo "[$(date --utc -Ins)] Rsync back" [build] rsync -razW --stats "$SSH_HOST:$BUILD_DIR/volumes/shared/" /shared/ [build] rsync -razW --stats "$SSH_HOST:$BUILD_DIR/volumes/workdir/" /var/workdir/ [build] rsync -razW --stats "$SSH_HOST:$BUILD_DIR/results/" "/tekton/results/" [build] echo "[$(date --utc -Ins)] Buildah pull" [build] buildah pull "oci:konflux-final-image:$IMAGE" [build] else [build] bash scripts/script-build.sh "$@" [build] fi [build] [2026-04-22T18:32:51,847728317+00:00] Validate context path [build] [2026-04-22T18:32:51,852795382+00:00] Update CA trust [build] [2026-04-22T18:32:51,854517687+00:00] Using mounted CA bundle: /mnt/trusted-ca/ca-bundle.crt [build] '/mnt/trusted-ca/ca-bundle.crt' -> '/etc/pki/ca-trust/source/anchors/ca-bundle.crt' [build] [2026-04-22T18:32:54,671666876+00:00] Prepare Dockerfile [build] Checking if /var/workdir/cachi2/output/bom.json exists. [build] Could not find prefetched sbom. No content_sets found for ICM [build] [2026-04-22T18:32:54,681459239+00:00] Prepare system (architecture: x86_64) [build] [2026-04-22T18:32:56,288923629+00:00] Setup prefetched [build] Trying to pull registry.access.redhat.com/ubi9/python-311:9.7... [build] Getting image source signatures [build] Checking if image destination supports signatures [build] Copying blob sha256:e297114e105cf1599d6f765e5139f67ae2a1c8e9e363a894a7973a2f30e64601 [build] Copying blob sha256:b6465ca781aee78355d6e3fb79fcf2437d6666324b86768319788e1dd559c04e [build] Copying blob sha256:645dc2e3584ea640906773e625dbe756eb10fc7be5663149644218a3538d3064 [build] Copying blob sha256:ee475114bdbdddd41853a0ad76086fb125f077ca2bd8ac3aec85361a9702c266 [build] Copying config sha256:0c27e03b1628831feaf950f2336c3fce788ceb24b2749a436c2c7b03f98caff5 [build] Writing manifest to image destination [build] Storing signatures [build] [2026-04-22T18:33:05,998521755+00:00] Unsetting proxy [build] { [build] "architecture": "x86_64", [build] "build-date": "2026-04-22T18:32:56Z", [build] "com.redhat.component": "python-311-container", [build] "com.redhat.license_terms": "https://www.redhat.com/en/about/red-hat-end-user-license-agreements#UBI", [build] "cpe": "cpe:/a:redhat:enterprise_linux:9::appstream", [build] "description": "Python 3.11 available as container is a base platform for building and running various Python 3.11 applications and frameworks. Python is an easy to learn, powerful programming language. It has efficient high-level data structures and a simple but effective approach to object-oriented programming. Python's elegant syntax and dynamic typing, together with its interpreted nature, make it an ideal language for scripting and rapid application development in many areas on most platforms.", [build] "distribution-scope": "public", [build] "io.buildah.version": "1.41.4", [build] "io.buildpacks.stack.id": "com.redhat.stacks.ubi9-python-311", [build] "io.k8s.description": "Python 3.11 available as container is a base platform for building and running various Python 3.11 applications and frameworks. Python is an easy to learn, powerful programming language. It has efficient high-level data structures and a simple but effective approach to object-oriented programming. Python's elegant syntax and dynamic typing, together with its interpreted nature, make it an ideal language for scripting and rapid application development in many areas on most platforms.", [build] "io.k8s.display-name": "Python 3.11", [build] "io.openshift.expose-services": "8080:http", [build] "io.openshift.s2i.scripts-url": "image:///usr/libexec/s2i", [build] "io.openshift.tags": "builder,python,python311,python-311,rh-python311", [build] "io.s2i.scripts-url": "image:///usr/libexec/s2i", [build] "maintainer": "SoftwareCollections.org ", [build] "name": "ubi9/python-311", [build] "org.opencontainers.image.created": "2026-04-22T18:32:56Z", [build] "org.opencontainers.image.revision": "b66ec6807a6399bd604826d170d20ff5bf430811", [build] "release": "1776848357", [build] "summary": "Platform for building and running Python 3.11 applications", [build] "url": "https://catalog.redhat.com/en/search?searchType=containers", [build] "usage": "s2i build https://github.com/sclorg/s2i-python-container.git --context-dir=3.11/test/setup-test-app/ ubi9/python-311 python-sample-app", [build] "vcs-ref": "b66ec6807a6399bd604826d170d20ff5bf430811", [build] "vcs-type": "git", [build] "vendor": "Red Hat, Inc.", [build] "version": "1", [build] "git.url": "https://github.com/israel-hdez/kserve", [build] "git.commit": "b66ec6807a6399bd604826d170d20ff5bf430811" [build] } [build] [2026-04-22T18:33:06,067006167+00:00] Register sub-man [build] Adding activation key to the build [build] Pre-registering with subscription manager. [build] Executing: subscription-manager register --org 11009103 --activationkey b5fd5ca4-06d5-4b45-86e6-e78776aaa8c1 [build] The system has been registered with ID: f0a9b270-b102-42e2-8a9e-b2bf88abb18b [build] The registered system name is: kserve-group-test-gxcvx-build-custom-transformer-pod [build] [2026-04-22T18:33:11,112129997+00:00] Add secrets [build] [2026-04-22T18:33:11,125259580+00:00] Run buildah build [build] [2026-04-22T18:33:11,127180600+00:00] buildah build -v /tmp/activation-key:/activation-key -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z --volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z --security-opt=unmask=/proc/interrupts --ignorefile /tmp/.dockerignore.CJ6QjM --label architecture=x86_64 --label vcs-type=git --label vcs-ref=b66ec6807a6399bd604826d170d20ff5bf430811 --label org.opencontainers.image.revision=b66ec6807a6399bd604826d170d20ff5bf430811 --label build-date=2026-04-22T18:32:56Z --label org.opencontainers.image.created=2026-04-22T18:32:56Z --label git.url=https://github.com/israel-hdez/kserve --label git.commit=b66ec6807a6399bd604826d170d20ff5bf430811 --annotation org.opencontainers.image.revision=b66ec6807a6399bd604826d170d20ff5bf430811 --annotation org.opencontainers.image.created=2026-04-22T18:32:56Z --tls-verify=true --no-cache --ulimit nofile=4096:4096 --http-proxy=false -f /tmp/custom_transformer.Dockerfile.p2ABBd -t quay.io/opendatahub/custom-transformer:odh-pr-1293 . [build] [1/2] STEP 1/22: FROM registry.access.redhat.com/ubi9/python-311:9.7 AS builder [build] [1/2] STEP 2/22: WORKDIR / [build] [1/2] STEP 3/22: USER 0 [build] [1/2] STEP 4/22: RUN dnf install -y gcc gcc-c++ make python3.11-devel && dnf clean all [build] Updating Subscription Management repositories. [build] [build] This system has release set to 9.6 and it receives updates only for this release. [build] [build] Red Hat Enterprise Linux 9 for x86_64 - AppStre 60 MB/s | 73 MB 00:01 [build] Red Hat Enterprise Linux 9 for x86_64 - BaseOS 68 MB/s | 87 MB 00:01 [build] Red Hat Universal Base Image 9 (RPMs) - BaseOS 6.4 MB/s | 533 kB 00:00 [build] Red Hat Universal Base Image 9 (RPMs) - AppStre 22 MB/s | 2.6 MB 00:00 [build] Red Hat Universal Base Image 9 (RPMs) - CodeRea 3.8 MB/s | 288 kB 00:00 [build] Package gcc-11.5.0-11.el9.x86_64 is already installed. [build] Package gcc-c++-11.5.0-11.el9.x86_64 is already installed. [build] Package make-1:4.3-8.el9.x86_64 is already installed. [build] Package python3.11-devel-3.11.13-5.2.el9_7.x86_64 is already installed. [build] Dependencies resolved. [build] Nothing to do. [build] Complete! [build] Updating Subscription Management repositories. [build] [build] This system has release set to 9.6 and it receives updates only for this release. [build] [build] 43 files removed [build] [1/2] STEP 5/22: RUN curl -LsSf https://astral.sh/uv/install.sh | sh && ln -s /root/.local/bin/uv /usr/local/bin/uv [build] downloading uv 0.11.7 x86_64-unknown-linux-gnu [build] installing to /opt/app-root/src/.local/bin [build] uv [build] uvx [build] everything's installed! [build] [build] To add $HOME/.local/bin to your PATH, either restart your shell or run: [build] [build] source $HOME/.local/bin/env (sh, bash, zsh) [build] source $HOME/.local/bin/env.fish (fish) [build] [1/2] STEP 6/22: ARG VENV_PATH [build] [1/2] STEP 7/22: ENV VIRTUAL_ENV=${VENV_PATH} [build] [1/2] STEP 8/22: RUN uv venv $VIRTUAL_ENV [build] Using CPython 3.9.25 interpreter at: /usr/bin/python3 [build] Creating virtual environment at: /prod_venv [build] [1/2] STEP 9/22: ENV PATH="$VIRTUAL_ENV/bin:$PATH" [build] [1/2] STEP 10/22: COPY storage/pyproject.toml storage/uv.lock storage/ [build] [1/2] STEP 11/22: COPY kserve/pyproject.toml kserve/uv.lock kserve/ [build] [1/2] STEP 12/22: RUN cd kserve && uv sync --active --no-cache [build] Using CPython 3.11.13 interpreter at: /usr/bin/python3.11 [build] Removed virtual environment at: /prod_venv [build] Creating virtual environment at: /prod_venv [build] Resolved 263 packages in 1ms [build] Building kserve @ file:///kserve [build] Downloading kubernetes (1.9MiB) [build] Downloading cryptography (4.3MiB) [build] Downloading uvloop (3.8MiB) [build] Downloading pydantic-core (2.0MiB) [build] Downloading pandas (12.5MiB) [build] Downloading aiohttp (1.7MiB) [build] Downloading grpcio-tools (2.5MiB) [build] Downloading grpcio (6.4MiB) [build] Downloading black (1.6MiB) [build] Downloading numpy (15.7MiB) [build] Downloading setuptools (1.2MiB) [build] Downloaded aiohttp [build] Downloaded black [build] Downloaded pydantic-core [build] Downloaded grpcio-tools [build] Downloaded setuptools [build] Downloaded uvloop [build] Downloaded grpcio [build] Downloaded cryptography [build] Downloaded kubernetes [build] Downloaded numpy [build] Downloaded pandas [build] Built kserve @ file:///kserve [build] Prepared 74 packages in 1.63s [build] Installed 74 packages in 1.69s [build] + aiohappyeyeballs==2.6.1 [build] + aiohttp==3.13.3 [build] + aiosignal==1.4.0 [build] + annotated-doc==0.0.4 [build] + annotated-types==0.7.0 [build] + anyio==4.9.0 [build] + attrs==25.3.0 [build] + black==24.3.0 [build] + cachetools==5.5.2 [build] + certifi==2025.1.31 [build] + cffi==2.0.0 [build] + charset-normalizer==3.4.1 [build] + click==8.1.8 [build] + cloudevents==1.11.0 [build] + colorama==0.4.6 [build] + cryptography==46.0.5 [build] + deprecation==2.1.0 [build] + durationpy==0.9 [build] + fastapi==0.121.3 [build] + frozenlist==1.5.0 [build] + google-auth==2.39.0 [build] + grpc-interceptor==0.15.4 [build] + grpcio==1.78.1 [build] + grpcio-tools==1.78.1 [build] + h11==0.16.0 [build] + httpcore==1.0.9 [build] + httptools==0.6.4 [build] + httpx==0.27.2 [build] + idna==3.10 [build] + kserve==0.17.0 (from file:///kserve) [build] + kubernetes==32.0.1 [build] + multidict==6.4.3 [build] + mypy-extensions==1.0.0 [build] + numpy==2.2.4 [build] + oauthlib==3.2.2 [build] + orjson==3.10.16 [build] + packaging==24.2 [build] + pandas==2.2.3 [build] + pathspec==0.12.1 [build] + platformdirs==4.3.7 [build] + prometheus-client==0.21.1 [build] + propcache==0.3.1 [build] + protobuf==6.33.5 [build] + psutil==5.9.8 [build] + pyasn1==0.6.1 [build] + pyasn1-modules==0.4.2 [build] + pycparser==2.22 [build] + pydantic==2.12.4 [build] + pydantic-core==2.41.5 [build] + pyjwt==2.12.1 [build] + python-dateutil==2.9.0.post0 [build] + python-dotenv==1.1.0 [build] + python-multipart==0.0.22 [build] + pytz==2025.2 [build] + pyyaml==6.0.2 [build] + requests==2.32.3 [build] + requests-oauthlib==2.0.0 [build] + rsa==4.9.1 [build] + setuptools==78.1.0 [build] + six==1.17.0 [build] + sniffio==1.3.1 [build] + starlette==0.49.1 [build] + tabulate==0.9.0 [build] + timing-asgi==0.3.1 [build] + typing-extensions==4.15.0 [build] + typing-inspection==0.4.2 [build] + tzdata==2025.2 [build] + urllib3==2.6.2 [build] + uvicorn==0.34.1 [build] + uvloop==0.21.0 [build] + watchfiles==1.0.5 [build] + websocket-client==1.8.0 [build] + websockets==15.0.1 [build] + yarl==1.20.0 [build] [1/2] STEP 13/22: COPY kserve kserve [build] [1/2] STEP 14/22: RUN cd kserve && uv sync --active --no-cache [build] Resolved 263 packages in 1ms [build] Building kserve @ file:///kserve [build] Built kserve @ file:///kserve [build] Prepared 1 package in 1.32s [build] Uninstalled 1 package in 0.48ms [build] Installed 1 package in 8ms [build] ~ kserve==0.17.0 (from file:///kserve) [build] [1/2] STEP 15/22: COPY custom_transformer/pyproject.toml custom_transformer/uv.lock custom_transformer/ [build] [1/2] STEP 16/22: RUN cd custom_transformer && uv sync --active --no-cache [build] Resolved 88 packages in 3.43s [build] Building kserve @ file:///kserve [build] Downloading uvloop (3.6MiB) [build] Downloading kubernetes (1.9MiB) [build] Downloading sympy (6.0MiB) [build] Downloading grpcio (6.5MiB) [build] Downloading cryptography (4.3MiB) [build] Downloading aiohttp (1.7MiB) [build] Downloading numpy (16.1MiB) [build] Downloading grpcio-tools (2.5MiB) [build] Downloading networkx (2.0MiB) [build] Downloading pandas (12.2MiB) [build] Downloading pillow (4.3MiB) [build] Downloaded aiohttp [build] Downloaded grpcio-tools [build] Downloaded uvloop [build] Downloaded pillow [build] Downloaded cryptography [build] Downloaded grpcio [build] Downloaded networkx [build] Downloaded kubernetes [build] Downloaded numpy [build] Downloaded sympy [build] Downloaded pandas [build] Built kserve @ file:///kserve [build] Prepared 56 packages in 1.87s [build] Uninstalled 54 packages in 319ms [build] Installed 58 packages in 16.86s [build] - aiohttp==3.13.3 [build] + aiohttp==3.13.5 [build] - anyio==4.9.0 [build] + anyio==4.13.0 [build] - attrs==25.3.0 [build] + attrs==26.1.0 [build] - cachetools==5.5.2 [build] - certifi==2025.1.31 [build] + certifi==2026.2.25 [build] - charset-normalizer==3.4.1 [build] + charset-normalizer==3.4.7 [build] - click==8.1.8 [build] + click==8.3.2 [build] - cloudevents==1.11.0 [build] + cloudevents==1.12.1 [build] - cryptography==46.0.5 [build] + cryptography==46.0.7 [build] - durationpy==0.9 [build] + durationpy==0.10 [build] - fastapi==0.121.3 [build] + fastapi==0.135.3 [build] + filelock==3.25.2 [build] - frozenlist==1.5.0 [build] + frozenlist==1.8.0 [build] + fsspec==2026.3.0 [build] - google-auth==2.39.0 [build] - grpcio==1.78.1 [build] + grpcio==1.80.0 [build] - grpcio-tools==1.78.1 [build] + grpcio-tools==1.80.0 [build] - httptools==0.6.4 [build] + httptools==0.7.1 [build] - httpx==0.27.2 [build] + httpx==0.28.1 [build] - idna==3.10 [build] + idna==3.11 [build] + jinja2==3.1.6 [build] ~ kserve==0.17.0 (from file:///kserve) [build] - kubernetes==32.0.1 [build] + kubernetes==35.0.0 [build] + markupsafe==3.0.3 [build] + mpmath==1.3.0 [build] - multidict==6.4.3 [build] + multidict==6.7.1 [build] - mypy-extensions==1.0.0 [build] + mypy-extensions==1.1.0 [build] + networkx==3.6.1 [build] - numpy==2.2.4 [build] + numpy==2.4.4 [build] - oauthlib==3.2.2 [build] + oauthlib==3.3.1 [build] - orjson==3.10.16 [build] + orjson==3.11.8 [build] - packaging==24.2 [build] + packaging==26.0 [build] - pandas==2.2.3 [build] + pandas==2.3.3 [build] - pathspec==0.12.1 [build] + pathspec==1.0.4 [build] + pillow==10.4.0 [build] - platformdirs==4.3.7 [build] + platformdirs==4.9.4 [build] - prometheus-client==0.21.1 [build] + prometheus-client==0.24.1 [build] - propcache==0.3.1 [build] + propcache==0.4.1 [build] - protobuf==6.33.5 [build] + protobuf==6.33.6 [build] - pyasn1==0.6.1 [build] - pyasn1-modules==0.4.2 [build] - pycparser==2.22 [build] + pycparser==3.0 [build] - pydantic==2.12.4 [build] + pydantic==2.12.5 [build] - python-dotenv==1.1.0 [build] + python-dotenv==1.2.2 [build] - python-multipart==0.0.22 [build] + python-multipart==0.0.24 [build] - pytz==2025.2 [build] + pytz==2026.1.post1 [build] - pyyaml==6.0.2 [build] + pyyaml==6.0.3 [build] - requests==2.32.3 [build] + requests==2.33.1 [build] - rsa==4.9.1 [build] - setuptools==78.1.0 [build] + setuptools==82.0.1 [build] - sniffio==1.3.1 [build] + sympy==1.14.0 [build] - tabulate==0.9.0 [build] + tabulate==0.10.0 [build] - timing-asgi==0.3.1 [build] + timing-asgi==0.3.2 [build] + torch==2.9.0+cpu (from https://download.pytorch.org/whl/cpu/torch-2.9.0%2Bcpu-cp311-cp311-manylinux_2_28_x86_64.whl) [build] + torchvision==0.24.0+cpu (from https://download.pytorch.org/whl/cpu/torchvision-0.24.0%2Bcpu-cp311-cp311-manylinux_2_28_x86_64.whl) [build] - tzdata==2025.2 [build] + tzdata==2026.1 [build] - urllib3==2.6.2 [build] + urllib3==2.6.3 [build] - uvicorn==0.34.1 [build] + uvicorn==0.44.0 [build] - uvloop==0.21.0 [build] + uvloop==0.22.1 [build] - watchfiles==1.0.5 [build] + watchfiles==1.1.1 [build] - websocket-client==1.8.0 [build] + websocket-client==1.9.0 [build] - websockets==15.0.1 [build] + websockets==16.0 [build] - yarl==1.20.0 [build] + yarl==1.23.0 [build] [1/2] STEP 17/22: COPY custom_transformer custom_transformer [build] [1/2] STEP 18/22: RUN cd custom_transformer && uv sync --active --no-cache [build] Resolved 88 packages in 3.48s [build] Checked 78 packages in 26ms [build] [1/2] STEP 19/22: COPY pyproject.toml pyproject.toml [build] [1/2] STEP 20/22: COPY third_party/pip-licenses.py pip-licenses.py [build] [1/2] STEP 21/22: RUN pip install --no-cache-dir tomli [build] Collecting tomli [build] Downloading tomli-2.4.1-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl.metadata (10 kB) [build] Downloading tomli-2.4.1-cp311-cp311-manylinux2014_x86_64.manylinux_2_17_x86_64.manylinux_2_28_x86_64.whl (243 kB) [build] Installing collected packages: tomli [build] Successfully installed tomli-2.4.1 [build] [build] [notice] A new release of pip is available: 24.2 -> 26.0.1 [build] [notice] To update, run: pip install --upgrade pip [build] [1/2] STEP 22/22: RUN mkdir -p third_party/library && python3 pip-licenses.py [build] 2026-04-22 18:34:19,102 [INFO] {'from': 'mixed', 'format': 'plain-vertical', 'with_license_file': True, 'with_notice_file': True, 'with_urls': True, 'output_path': 'third_party/library', 'ignore_packages': ['nvidia-cublas-cu12', 'nvidia-cuda-cupti-cu12', 'nvidia-cuda-nvrtc-cu12', 'nvidia-cuda-runtime-cu12', 'nvidia-cudnn-cu12', 'nvidia-cufft-cu12', 'nvidia-cufile-cu12', 'nvidia-curand-cu12', 'nvidia-cusolver-cu12', 'nvidia-cusparse-cu12', 'nvidia-nccl-cu12', 'nvidia-nvjitlink-cu12', 'nvidia-nvtx-cu12', 'nvidia-cutlass-dsl', 'nvidia-cutlass-dsl-libs-base', 'nvidia-cusparselt-cu12', 'nvidia-cudnn-frontend', 'nvidia-nvshmem-cu12', 'intel-openmp', 'intel-cmplr-lib-ur', 'umf', 'tcmlib'], 'allow_only': 'Apache Software License;MIT License;BSD License;Mozilla Public License 2.0 (MPL 2.0);Python Software Foundation License;CMU License (MIT-CMU);The Unlicense (Unlicense);ISC License (ISCL);GNU Lesser General Public License v2 (LGPLv2);GNU General Public License (GPL);Historical Permission Notice and Disclaimer (HPND);'} [build] [2/2] STEP 1/17: FROM registry.access.redhat.com/ubi9/python-311:9.7 AS prod [build] [2/2] STEP 2/17: WORKDIR / [build] [2/2] STEP 3/17: ARG VENV_PATH [build] [2/2] STEP 4/17: ENV VIRTUAL_ENV=${VENV_PATH} [build] [2/2] STEP 5/17: ENV PATH="${VIRTUAL_ENV}/bin:$PATH" [build] [2/2] STEP 6/17: USER 0 [build] [2/2] STEP 7/17: RUN useradd kserve -m -u 1000 -d /home/kserve [build] [2/2] STEP 8/17: COPY --from=builder --chown=kserve:kserve third_party third_party [build] [2/2] STEP 9/17: COPY --from=builder --chown=kserve:kserve $VIRTUAL_ENV $VIRTUAL_ENV [build] [2/2] STEP 10/17: COPY --from=builder kserve kserve [build] [2/2] STEP 11/17: COPY --from=builder custom_transformer custom_transformer [build] [2/2] STEP 12/17: USER 1000 [build] [2/2] STEP 13/17: ENV PYTHONPATH=/custom_transformer [build] [2/2] STEP 14/17: ENTRYPOINT ["python", "-m", "custom_transformer.model"] [build] [2/2] STEP 15/17: COPY labels.json /usr/share/buildinfo/labels.json [build] [2/2] STEP 16/17: COPY labels.json /root/buildinfo/labels.json [build] [2/2] STEP 17/17: LABEL "architecture"="x86_64" "vcs-type"="git" "vcs-ref"="b66ec6807a6399bd604826d170d20ff5bf430811" "org.opencontainers.image.revision"="b66ec6807a6399bd604826d170d20ff5bf430811" "build-date"="2026-04-22T18:32:56Z" "org.opencontainers.image.created"="2026-04-22T18:32:56Z" "git.url"="https://github.com/israel-hdez/kserve" "git.commit"="b66ec6807a6399bd604826d170d20ff5bf430811" [build] [2/2] COMMIT quay.io/opendatahub/custom-transformer:odh-pr-1293 [build] --> 59399b8c32e0 [build] Successfully tagged quay.io/opendatahub/custom-transformer:odh-pr-1293 [build] 59399b8c32e05bed6ebaeaa04b611911a3e65edd0acda3c9e39f14793c84c9d4 [build] [2026-04-22T18:34:54,545557286+00:00] Unsetting proxy [build] [2026-04-22T18:34:54,547450444+00:00] Add metadata [build] Recording base image digests used [build] registry.access.redhat.com/ubi9/python-311:9.7 registry.access.redhat.com/ubi9/python-311:9.7@sha256:0cac2a058d26c2353e8b24f8ccfeb2a7b637c81c45d72adddd4d78a7dd9b813b [build] registry.access.redhat.com/ubi9/python-311:9.7 registry.access.redhat.com/ubi9/python-311:9.7@sha256:0cac2a058d26c2353e8b24f8ccfeb2a7b637c81c45d72adddd4d78a7dd9b813b [build] Getting image source signatures [build] Copying blob sha256:ed1b1797d9bd5b45cdfe9b323fd1d2ba88f833e4f1624a815c5630a552371941 [build] Copying blob sha256:d288bd004441f9c61e6cc9a83cb214e3ba309312b4f1e71f144ac131d19b0bb8 [build] Copying blob sha256:fd57cdd1ab1929f95f4c95660dba57f758a0c69dbc15c6e45b2eedff6c8803df [build] Copying blob sha256:f3076d947f3de060c9c0a173c8a1f07121d0580aaa8b0caf25515f99531f2144 [build] Copying blob sha256:699503a334beee92db1479887dcada1641276721594f456eb35b2e389c06c640 [build] Copying config sha256:59399b8c32e05bed6ebaeaa04b611911a3e65edd0acda3c9e39f14793c84c9d4 [build] Writing manifest to image destination [build] [2026-04-22T18:35:02,610449767+00:00] End build [build] Getting image source signatures [build] Copying blob sha256:ed1b1797d9bd5b45cdfe9b323fd1d2ba88f833e4f1624a815c5630a552371941 [build] Copying blob sha256:d288bd004441f9c61e6cc9a83cb214e3ba309312b4f1e71f144ac131d19b0bb8 [build] Copying blob sha256:fd57cdd1ab1929f95f4c95660dba57f758a0c69dbc15c6e45b2eedff6c8803df [build] Copying blob sha256:f3076d947f3de060c9c0a173c8a1f07121d0580aaa8b0caf25515f99531f2144 [build] Copying blob sha256:699503a334beee92db1479887dcada1641276721594f456eb35b2e389c06c640 [build] Copying config sha256:59399b8c32e05bed6ebaeaa04b611911a3e65edd0acda3c9e39f14793c84c9d4 [build] Writing manifest to image destination [build] [2026-04-22T18:35:13,128451565+00:00] End push remote [build] Unregistering from: subscription.rhsm.redhat.com:443/subscription [build] System has been unregistered. [build] echo "Build on remote host $SSH_HOST finished" [build] [build] echo "[$(date --utc -Ins)] Final touches" [build] Build on remote host localhost finished [build] [2026-04-22T18:35:13,861455819+00:00] Final touches [build] [build] buildah images [build] REPOSITORY TAG IMAGE ID CREATED SIZE [build] quay.io/opendatahub/custom-transformer odh-pr-1293 59399b8c32e0 35 seconds ago 2.09 GB [build] registry.access.redhat.com/ubi9/python-311 9.7 0c27e03b1628 10 hours ago 1.1 GB [build] echo "[$(date --utc -Ins)] End remote" [build] [2026-04-22T18:35:13,891973144+00:00] End remote [push] [2026-04-22T18:35:14,011474510+00:00] Update CA trust [push] INFO: Using mounted CA bundle: /mnt/trusted-ca/ca-bundle.crt [push] '/mnt/trusted-ca/ca-bundle.crt' -> '/etc/pki/ca-trust/source/anchors/ca-bundle.crt' [push] [2026-04-22T18:35:16,835007349+00:00] Convert image [push] [2026-04-22T18:35:16,837168298+00:00] Push image with unique tag [push] Pushing to quay.io/opendatahub/custom-transformer:kserve-group-test-gxcvx-build-custom-transformer [push] Executing: buildah push --format=docker --retry 3 --tls-verify=true quay.io/opendatahub/custom-transformer:odh-pr-1293 docker://quay.io/opendatahub/custom-transformer:kserve-group-test-gxcvx-build-custom-transformer [push] [2026-04-22T18:35:40,408721487+00:00] Push image with git revision [push] Pushing to quay.io/opendatahub/custom-transformer:odh-pr-1293 [push] Executing: buildah push --format=docker --retry 3 --tls-verify=true --digestfile /var/workdir/image-digest quay.io/opendatahub/custom-transformer:odh-pr-1293 docker://quay.io/opendatahub/custom-transformer:odh-pr-1293 [push] sha256:bc0acb4e0ac758258baaae7f70e78c1964a36a805f1c38e8eae74a5a535be1ddquay.io/opendatahub/custom-transformer:odh-pr-1293 [push] [2026-04-22T18:35:41,121596620+00:00] End push [sbom-syft-generate] [2026-04-22T18:35:41,135403646+00:00] Generate SBOM [sbom-syft-generate] Running syft on the image [sbom-syft-generate] Running syft on the source code [sbom-syft-generate] [0000] WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) [sbom-syft-generate] [2026-04-22T18:36:11,487802132+00:00] End sbom-syft-generate [prepare-sboms] [2026-04-22T18:36:12,274716830+00:00] Prepare SBOM [prepare-sboms] [2026-04-22T18:36:12,280680005+00:00] Generate SBOM with mobster [prepare-sboms] Skipping SBOM validation [prepare-sboms] 2026-04-22 18:36:13,364 [INFO] mobster.log: Logging level set to 20 [prepare-sboms] 2026-04-22 18:36:14,178 [INFO] mobster.oci: Fetching manifest for registry.access.redhat.com/ubi9/python-311@sha256:0cac2a058d26c2353e8b24f8ccfeb2a7b637c81c45d72adddd4d78a7dd9b813b [prepare-sboms] 2026-04-22 18:36:14,834 [INFO] mobster.cmd.generate.oci_image.contextual_sbom.contextualize: Contextual workflow will be used. Parent SBOM used for contextualization: https://konflux-ci.dev/spdxdocs/quay.io/redhat-user-workloads/osci-rhel-containers-tenant/rhel-9-7/python-311-9-7@sha256:0f709dda3f03bf72fbc12eb34a5b4f871f90598514ef81531a2c4418ba2bfa6d-0f030963-f87e-478b-9913-8c3dba710420 [prepare-sboms] 2026-04-22 18:36:15,043 [INFO] mobster.cmd.generate.oci_image.contextual_sbom.logging: {"event_type": "contextual_sbom_matching_statistics", "parent_sbom_reference": "https://konflux-ci.dev/spdxdocs/quay.io/redhat-user-workloads/osci-rhel-containers-tenant/rhel-9-7/python-311-9-7@sha256:0f709dda3f03bf72fbc12eb34a5b4f871f90598514ef81531a2c4418ba2bfa6d-0f030963-f87e-478b-9913-8c3dba710420", "component_sbom_reference": "https://konflux-ci.dev/spdxdocs/quay.io/opendatahub/custom-transformer@sha256:bc0acb4e0ac758258baaae7f70e78c1964a36a805f1c38e8eae74a5a535be1dd-4c773eff-63b2-4c3c-8759-d55220a77408", "component_packages": {"total": 1288, "matched": 681, "unmatched_all": 607, "unmatched_component_only": 599, "unmatched_without_unique_id": 8}, "parent_packages": {"total": 756, "matched": 751, "unmatched_all": 5, "unmatched_removed_at_build": 5, "unmatched_without_unique_id": 0}, "match_methods": {"by_checksum": 0, "by_verification_code": 461, "by_purl": 220, "total": 681}, "match_origins": {"syft_to_syft": 681, "syft_to_hermeto": 0, "hermeto_to_syft": 0, "hermeto_to_hermeto": 0}, "duplicate_identifiers": {"checksums": {"count": 0, "details": []}, "verification_codes": {"count": 0, "details": []}, "purls": {"count": 0, "details": []}}} [prepare-sboms] 2026-04-22 18:36:15,046 [INFO] mobster.cmd.generate.oci_image: Contextual SBOM workflow finished successfully. [prepare-sboms] 2026-04-22 18:36:15,046 [INFO] mobster.log: Contextual workflow completed in 1.13s [prepare-sboms] 2026-04-22 18:36:15,421 [INFO] mobster.main: Exiting with code 0. [prepare-sboms] [2026-04-22T18:36:15,509382134+00:00] End prepare-sboms [upload-sbom] [2026-04-22T18:36:16,393603383+00:00] Upload SBOM [upload-sbom] INFO: Using mounted CA bundle: /mnt/trusted-ca/ca-bundle.crt [upload-sbom] '/mnt/trusted-ca/ca-bundle.crt' -> '/etc/pki/ca-trust/source/anchors/ca-bundle.crt' [upload-sbom] Using token for quay.io/opendatahub/custom-transformer [upload-sbom] Pushing sbom to registry [upload-sbom] Executing: cosign attach sbom --sbom sbom.json --type spdx quay.io/opendatahub/custom-transformer:odh-pr-1293@sha256:bc0acb4e0ac758258baaae7f70e78c1964a36a805f1c38e8eae74a5a535be1dd [upload-sbom] quay.io/opendatahub/custom-transformer@sha256:5f4d3bc6e718c5310f10f71814cc82d09c2ee8d15dc57704b2ae00dbce100ae9 [upload-sbom] [2026-04-22T18:36:19,005155248+00:00] End upload-sbom