From d7ba1ecfdf0105509a6eb1ce6b629b1af2d4c406 Mon Sep 17 00:00:00 2001 From: Robby Cochran Date: Fri, 1 Aug 2025 09:35:30 -0700 Subject: [PATCH 1/9] X-Smart-Branch-Parent: main From 413db023b5f234ecc56f1a63924bb5d442636890 Mon Sep 17 00:00:00 2001 From: Robby Cochran Date: Fri, 1 Aug 2025 09:37:10 -0700 Subject: [PATCH 2/9] X-Smart-Squash: Squashed 19 commits: 4829124 Add arm64 build and test images 591a0a4 matrix f308f72 format 2bd6ed1 arm runners c874046 include 029d72f failfastfalse d088cd2 arch tags c02366d create multiarch manifest 254e179 space 782ab48 handle 5432a37 fix 14f0332 target 2cfd390 flip 48f9992 amd64 01eddcb push arch 9a6b3ff quotes 407c401 update 4e30669 - 5e4456d flav --- .../actions/build-and-push-image/action.yaml | 7 +- .../build-and-push-image.sh | 11 +- .../create-multiarch-manifest/action.yml | 37 +++++ .github/workflows/build.yaml | 70 +++++++++- Makefile | 11 +- images/stackrox-build.Dockerfile | 36 +++-- images/stackrox-test.Dockerfile | 126 +++++++++++------- 7 files changed, 224 insertions(+), 74 deletions(-) create mode 100644 .github/actions/create-multiarch-manifest/action.yml diff --git a/.github/actions/build-and-push-image/action.yaml b/.github/actions/build-and-push-image/action.yaml index 9fbb7bfa..ffd37876 100644 --- a/.github/actions/build-and-push-image/action.yaml +++ b/.github/actions/build-and-push-image/action.yaml @@ -4,11 +4,14 @@ inputs: image-flavor: description: A flavor used to tag the apollo-ci image. required: true + arch: + description: Arch for image build (amd64 or arm64) + required: true runs: using: composite steps: - - name: Build and push image + - name: Build and push x86_64 image run: | .github/actions/build-and-push-image/build-and-push-image.sh \ - "${{ inputs.image-flavor }}" + "${{ inputs.image-flavor }}" "${{ inputs.arch }}" shell: bash 
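Review bot: The new `arch` input is expanded by the workflow engine directly inside the `run:` script (`"${{ inputs.arch }}"`), alongside the existing `image-flavor`, so whatever a caller passes becomes shell text before bash parses it, and the surrounding quotes do not contain it. Passing both through the step environment, an `env:` block with `ARCH: ${{ inputs.arch }}` and `IMAGE_FLAVOR: ${{ inputs.image-flavor }}`, and calling the script with `"${IMAGE_FLAVOR}" "${ARCH}"` removes that path. The create-multiarch-manifest action added later in this patch interpolates four inputs into its script the same way and would take the same change. The callers visible in this series pass fixed matrix values, so this is hardening of a reusable action rather than a live bug.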
diff --git a/.github/actions/build-and-push-image/build-and-push-image.sh b/.github/actions/build-and-push-image/build-and-push-image.sh index a7cd217c..c0e5d7c0 100755 --- a/.github/actions/build-and-push-image/build-and-push-image.sh +++ b/.github/actions/build-and-push-image/build-and-push-image.sh @@ -4,14 +4,21 @@ set -euo pipefail build_and_push_image() { local image_flavor="$1" + local target_arch="$2" + local tag_suffix="-${target_arch}" + + if [ -z $target_arch ]; then + target_arch="amd64" + tag_suffix="" + fi # Login may be required for pulling the base image for building (if used) and to avoid rate limits. docker login -u "$QUAY_RHACS_ENG_RW_USERNAME" --password-stdin <<<"$QUAY_RHACS_ENG_RW_PASSWORD" quay.io - TAG="$(scripts/get_tag.sh "$image_flavor")" + TAG="$(scripts/get_tag.sh "$image_flavor")${tag_suffix}" IMAGE="quay.io/rhacs-eng/apollo-ci:${TAG}" - make "$image_flavor"-image + make TARGETARCH="$target_arch" "$image_flavor"-image retry 5 true docker push "${IMAGE}" diff --git a/.github/actions/create-multiarch-manifest/action.yml b/.github/actions/create-multiarch-manifest/action.yml new file mode 100644 index 00000000..c62b3ede --- /dev/null +++ b/.github/actions/create-multiarch-manifest/action.yml 
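Review bot: `local target_arch="$2"` runs under the `set -euo pipefail` shown in the hunk header, so a call with only the flavor argument aborts with an unbound-variable error before the `-z` fallback to amd64 is ever reached. Reading the argument as `local target_arch="${2:-}"` and assigning `tag_suffix` only after the default has been applied keeps the one-argument form working. When the fallback does trigger, the image is pushed under the unsuffixed tag, which is the same name the multiarch manifest step later publishes with its default empty `suffix`. If CI is always expected to pass an arch, failing on an empty value would be safer than defaulting. The function body continues outside the hunk.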
@@ -0,0 +1,37 @@ +name: Create and push a multiarch manifest +description: | + This action will create a multiarch manifest and push it to a remote registry. + +inputs: + base-image: + description: + The base image to used for the manifest + required: true + image-flavor: + description: + The image flavor tag to be used for the manifest + required: true + suffix: + description: + Optional suffix for the tags used and the manifest + default: '' + archs: + description: + Architectures to be included in the final manifest, separated by a space + default: 'amd64 arm64' +runs: + using: composite + steps: + - shell: bash + run: | + image_flavor="${{ inputs.image-flavor }}" + tag="$(scripts/get_tag.sh ${image_flavor})" + read -ra archs <<< "${{ inputs.archs }}" + declare -a images=() + for arch in "${archs[@]}"; do + images+=("${{ inputs.base-image }}:${tag}-${arch}${{ inputs.suffix }}") + done + + docker manifest create "${{ inputs.base-image }}:${tag}${{ inputs.suffix }}" "${images[@]}" + docker manifest push "${{ inputs.base-image }}:${tag}${{ inputs.suffix }}" + diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 20d64ad5..7f1cfb0d 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -18,7 +18,15 @@ env: jobs: build-and-push-stackrox-build: - runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + include: + - arch: amd64 + runner: ubuntu-24.04 + - arch: arm64 + runner: ubuntu-24.04-arm + runs-on: ${{ matrix.runner }} steps: - name: Checkout uses: actions/checkout@v3 @@ -28,9 +36,18 @@ jobs: - uses: ./.github/actions/build-and-push-image with: image-flavor: "stackrox-build" + arch: ${{ matrix.arch }} build-and-push-stackrox-test: - runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + include: + - arch: amd64 + runner: ubuntu-24.04 + - arch: arm64 + runner: ubuntu-24.04-arm + runs-on: ${{ matrix.runner }} needs: - build-and-push-stackrox-build steps: 
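Review bot: The action's `description` does not say what it expects from the caller. The script runs `scripts/get_tag.sh` from the working directory and then calls `docker manifest create` and `docker manifest push`, so it needs a prior checkout, a prior registry login with push rights, and `<tag>-<arch><suffix>` images already pushed for every entry in `archs`. I would extend the description with those three preconditions and fix the typo in the `base-image` text ("The base image to used"). In the script, the argument to the tag helper should be quoted: `tag="$(scripts/get_tag.sh "${image_flavor}")"`.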
@@ -42,7 +59,54 @@ jobs: - uses: ./.github/actions/build-and-push-image with: image-flavor: "stackrox-test" - + arch: ${{ matrix.arch }} + + build-and-push-multiarch: + runs-on: ubuntu-latest + needs: + - build-and-push-stackrox-build + - build-and-push-stackrox-test + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + ref: ${{ github.event.pull_request.head.sha }} + + - name: Login to quay.io/stackrox-io + uses: docker/login-action@v3 + with: + registry: quay.io + username: ${{ secrets.QUAY_STACKROX_IO_RW_USERNAME }} + password: ${{ secrets.QUAY_STACKROX_IO_RW_PASSWORD }} + + - uses: ./.github/actions/create-multiarch-manifest + with: + base-image: quay.io/stackrox-io/apollo-ci + image-flavor: stackrox-build + + - uses: ./.github/actions/create-multiarch-manifest + with: + base-image: quay.io/stackrox-io/apollo-ci + image-flavor: stackrox-test + + - name: Login to quay.io/rhacs-eng + uses: docker/login-action@v3 + with: + registry: quay.io + username: ${{ secrets.QUAY_RHACS_ENG_RW_USERNAME }} + password: ${{ secrets.QUAY_RHACS_ENG_RW_PASSWORD }} + + - uses: ./.github/actions/create-multiarch-manifest + with: + base-image: quay.io/rhacs-eng/apollo-ci + image-flavor: stackrox-build + + - uses: ./.github/actions/create-multiarch-manifest + with: + base-image: quay.io/rhacs-eng/apollo-ci + image-flavor: stackrox-test + build-and-push-stackrox-ui-test: runs-on: ubuntu-latest steps: diff --git a/Makefile b/Makefile index 10aed902..f0bcfd49 100644 --- a/Makefile +++ b/Makefile @@ -4,12 +4,14 @@ endif QUAY_REPO=rhacs-eng STACKROX_BUILD_TAG=$(shell scripts/get_tag.sh "stackrox-build") +TARGETARCH?=amd64 .PHONY: stackrox-build-image stackrox-build-image: $(DOCKER) build \ - --platform linux/amd64 \ + --platform linux/$(TARGETARCH) \ -t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_BUILD_TAG) \ + -t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_BUILD_TAG)-$(TARGETARCH) \ -f images/stackrox-build.Dockerfile \ images/ 
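Review bot: The new `build-and-push-multiarch` job handles read-write credentials for two Quay organisations while referencing `docker/login-action@v3` and `actions/checkout@v3` by mutable tag. Pinning both to a full commit SHA, e.g. `uses: docker/login-action@<full-commit-sha> # v3`, keeps a retagged action from running with those secrets. The job also checks out `github.event.pull_request.head.sha` and then runs `scripts/get_tag.sh` from that checkout, so the workflow trigger (not visible in this hunk) should be confirmed to be one that withholds secrets from fork pull requests. Separately, the manifests for `quay.io/stackrox-io/apollo-ci` reference `-amd64`/`-arm64` tags, while the push visible in build-and-push-image.sh targets `quay.io/rhacs-eng/apollo-ci`. If the rest of that script does not also push the per-arch tags to stackrox-io, `docker manifest create` will fail for that registry.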
@@ -18,9 +20,10 @@ STACKROX_TEST_TAG=$(shell scripts/get_tag.sh "stackrox-test") .PHONY: stackrox-test-image stackrox-test-image: $(DOCKER) build \ - --platform linux/amd64 \ + --platform linux/$(TARGETARCH) \ -t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_TEST_TAG) \ - --build-arg BASE_TAG=$(STACKROX_BUILD_TAG) \ + -t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_TEST_TAG)-$(TARGETARCH) \ + --build-arg BASE_TAG=$(STACKROX_BUILD_TAG)-$(TARGETARCH) \ -f images/stackrox-test.Dockerfile \ images/ @@ -40,7 +43,7 @@ test-cci-export: $(DOCKER) build \ --platform linux/amd64 \ -t test-cci-export \ - --build-arg BASE_TAG=$(STACKROX_TEST_TAG) \ + --build-arg BASE_TAG=$(STACKROX_TEST_TAG)-amd64 \ -f images/test.cci-export.Dockerfile \ images/ $(DOCKER) run \ diff --git a/images/stackrox-build.Dockerfile b/images/stackrox-build.Dockerfile index 477493e5..b4c530a5 100644 --- a/images/stackrox-build.Dockerfile +++ b/images/stackrox-build.Dockerfile 
@@ -55,31 +55,41 @@ RUN dnf update -y && \ dnf clean all && \ rm -rf /var/cache/dnf /var/cache/yum +ENV GOPATH=/go +ENV PATH=$GOPATH/bin:/usr/local/go/bin:$PATH ARG GOLANG_VERSION=1.24.4 -ARG GOLANG_SHA256=77e5da33bb72aeaef1ba4418b6fe511bc4d041873cbf82e5aa6318740df98717 -ENV GOPATH /go -ENV PATH $GOPATH/bin:/usr/local/go/bin:$PATH -RUN url="https://dl.google.com/go/go${GOLANG_VERSION}.linux-amd64.tar.gz" && \ - wget --no-verbose -O go.tgz "$url" && \ +RUN set -e; case "$(uname -m)" in \ + "x86_64" ) GOLANG_ARCH="amd64" GOLANG_SHA256="77e5da33bb72aeaef1ba4418b6fe511bc4d041873cbf82e5aa6318740df98717";; \ + "aarch64") GOLANG_ARCH="arm64" GOLANG_SHA256="d5501ee5aca0f258d5fe9bfaed401958445014495dc115f202d43d5210b45241";; \ + *) echo "Unsupported $(uname -m)"; exit 1;; \ + esac && \ + wget --no-verbose -O go.tgz "https://dl.google.com/go/go${GOLANG_VERSION}.linux-${GOLANG_ARCH}.tar.gz" && \ echo "${GOLANG_SHA256} *go.tgz" | sha256sum -c - && \ tar -C /usr/local -xzf go.tgz && \ rm go.tgz && \ mkdir -p "$GOPATH/src" "$GOPATH/bin" && \ chmod -R 777 "$GOPATH" -ARG FETCH_VERSION=0.3.5 -ARG FETCH_SHA256=8d4d99e903b30dbd24290e9a056a982ea2326a05ded24c63be64df16e7e0d9f0 -RUN wget --no-verbose -O fetch https://github.com/gruntwork-io/fetch/releases/download/v${FETCH_VERSION}/fetch_linux_amd64 && \ +ARG FETCH_VERSION=0.4.6 +RUN set -e; case "$(uname -m)" in \ + "x86_64" ) FETCH_ARCH="amd64" FETCH_SHA256="a67ed3141d6deb7e7841f40505cba11eb7a37abbab78374712a42373e7854209";; \ + "aarch64") FETCH_ARCH="arm64" FETCH_SHA256="4b9115a1f1a90c7088bff9ffc7d2de3547ef1d21709528e878af09a4c348dea3";; \ + *) echo "Unsupported $(uname -m)"; exit 1;; \ + esac && \ + wget --no-verbose -O fetch https://github.com/gruntwork-io/fetch/releases/download/v${FETCH_VERSION}/fetch_linux_${FETCH_ARCH} && \ echo "${FETCH_SHA256} fetch" | sha256sum -c - && \ install fetch /usr/bin && \ rm fetch ARG OSSLS_VERSION=0.11.1 -ARG OSSLS_SHA256=f1bf3012961c1d90ba307a46263f29025028d35c209b9a65e5c7d502c470c95f -RUN fetch 
--repo="https://github.com/stackrox/ossls" --tag="${OSSLS_VERSION}" --release-asset="ossls_linux_amd64" . && \ - echo "${OSSLS_SHA256} *ossls_linux_amd64" | sha256sum -c - && \ - install ossls_linux_amd64 /usr/bin/ossls && \ - rm ossls_linux_amd64 && \ +RUN set -e; case "$(uname -m)" in \ + "x86_64" ) OSSLS_ARCH="amd64" OSSLS_SHA256="f1bf3012961c1d90ba307a46263f29025028d35c209b9a65e5c7d502c470c95f";; \ + *) echo "Unsupported $(uname -m), skipping."; exit 0;; \ + esac && \ + fetch --repo="https://github.com/stackrox/ossls" --tag="${OSSLS_VERSION}" --release-asset="ossls_linux_${OSSLS_ARCH}" . && \ + echo "${OSSLS_SHA256} *ossls_linux_${OSSLS_ARCH}" | sha256sum -c - && \ + install ossls_linux_${OSSLS_ARCH} /usr/bin/ossls && \ + rm ossls_linux_${OSSLS_ARCH} && \ ossls version ENV CGO_ENABLED=1 diff --git a/images/stackrox-test.Dockerfile b/images/stackrox-test.Dockerfile index ed7b2ce3..e938aaad 100644 --- a/images/stackrox-test.Dockerfile +++ b/images/stackrox-test.Dockerfile @@ -1,8 +1,12 @@ # Provides the tooling required to build StackRox images and test StackRox # binaries and images. Builds upon stackrox-build.Dockerfile. - ARG BASE_TAG -FROM quay.io/rhacs-eng/apollo-ci:${BASE_TAG} as base +FROM docker:28.0.0 AS static-docker-source + +FROM quay.io/rhacs-eng/apollo-ci:${BASE_TAG} AS base + +COPY --from=static-docker-source /usr/local/bin/docker /usr/local/bin/docker +COPY --from=static-docker-source /usr/local/libexec/docker/cli-plugins/docker-buildx /usr/local/libexec/docker/cli-plugins/docker-buildx # This line makes sure that piped commands in RUN instructions exit early. # This should not affect use in CircleCI because Circle doesn't use 
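Review bot: `FROM docker:28.0.0 AS static-docker-source` takes the docker CLI and the buildx plugin from an image referenced by tag only, whereas the Go, fetch and ossls downloads in the build image are checked against a pinned SHA-256. Pinning the stage by digest, `FROM docker:28.0.0@sha256:<digest of the reviewed image> AS static-docker-source`, gives the copied binaries the same guarantee and makes rebuilds reproducible. A one-line comment above the two `COPY --from=static-docker-source` lines, saying which binaries are taken from this stage and why, would help the next reader.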
@@ -23,23 +27,31 @@ RUN set -ex \ # an initial BASH_ENV as a foundation for cci-export(). ENV BASH_ENV /etc/initial-bash.env +RUN cat < /etc/yum.repos.d/google-cloud-sdk.repo +[google-cloud-cli] +name=Google Cloud CLI +baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el8-aarch64 +enabled=1 +gpgcheck=1 +repo_gpgcheck=0 +gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg +EOF + # Install Postgres repo -RUN dnf --disablerepo="*" install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm +RUN dnf --disablerepo="*" install -y "https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-$(uname -m)/pgdg-redhat-repo-latest.noarch.rpm" # Install all the packages RUN dnf update -y \ && dnf install -y \ expect \ - gcc \ - gcc-c++ \ - google-cloud-cli \ - google-cloud-cli-gke-gcloud-auth-plugin \ java-17-openjdk-devel \ kubectl \ lsof \ lz4 \ openssl \ - python3-devel \ + google-cloud-cli \ + google-cloud-cli-gke-gcloud-auth-plugin \ + python3.12-devel python3.12-setuptools python3.12-pip \ unzip \ xmlstarlet \ xz \ @@ -51,6 +63,11 @@ RUN dnf update -y \ && dnf clean all \ && rm -rf /var/cache/dnf /var/cache/yum +# Symlink python to python3 +RUN update-alternatives --install /usr/bin/pip3 pip3 /usr/bin/pip3.12 1 +RUN update-alternatives --install /usr/bin/pip-3 pip-3 /usr/bin/pip3.12 1 +RUN ln -s /usr/bin/python3.12 /usr/bin/python + # Use updated auth plugin for GCP ENV USE_GKE_GCLOUD_AUTH_PLUGIN=True RUN gke-gcloud-auth-plugin --version 
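Review bot: The Postgres repo package is installed straight from a URL (`.../EL-8-$(uname -m)/pgdg-redhat-repo-latest.noarch.rpm`). With dnf's default `localpkg_gpgcheck=False`, a package given on the command line is not signature-checked, so the repo definition and the GPG keys it installs are trusted on TLS alone. Since the line is being touched for arm64 anyway, consider downloading a fixed release of the RPM, verifying it against a pinned per-architecture SHA-256, and installing the local file. PATCH 4/9 rewrites the same line with `${TARGETARCH_ALT}` and the point carries over. In the Google Cloud repo stanza added above it, `repo_gpgcheck=0` disables verification of the repository metadata, and a short comment stating that this is intentional would document the choice.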
@@ -60,25 +77,14 @@ RUN set -ex \ && npm install -g bats@1.10.0 bats-support@0.3.0 bats-assert@2.0.0 tap-junit \ && bats -v -# Install docker binary -ARG DOCKER_VERSION=20.10.6 -RUN set -ex \ - && DOCKER_URL="https://download.docker.com/linux/static/stable/x86_64/docker-${DOCKER_VERSION}.tgz" \ - && echo Docker URL: $DOCKER_URL \ - && wget --no-verbose -O /tmp/docker.tgz "${DOCKER_URL}" \ - && ls -lha /tmp/docker.tgz \ - && tar -xz -C /tmp -f /tmp/docker.tgz \ - && install /tmp/docker/docker /usr/local/bin \ - && rm -rf /tmp/docker /tmp/docker.tgz \ - && command -v docker \ - && (docker version --format '{{.Client.Version}}' || true) - - # Symlink python to python3 - RUN ln -s /usr/bin/python3 /usr/bin/python - -# oc -RUN set -ex \ - && wget --no-verbose -O oc.tgz https://github.com/okd-project/okd/releases/download/4.11.0-0.okd-2022-12-02-145640/openshift-client-linux-4.11.0-0.okd-2022-12-02-145640.tar.gz \ +# Install oc +RUN set -e; \ + case "$(uname -m)" in \ + "x86_64" ) OC_ARCH="";; \ + "aarch64") OC_ARCH="arm64-";; \ + *) echo "Unsupported $(uname -m)"; exit 1;; \ + esac \ + && wget --no-verbose -O oc.tgz https://github.com/okd-project/okd/releases/download/4.11.0-0.okd-2023-01-14-152430/openshift-client-linux-${OC_ARCH}4.11.0-0.okd-2023-01-14-152430.tar.gz \ && mkdir "oc-dir" \ && tar -C "oc-dir" -xf oc.tgz \ && install oc-dir/oc /usr/local/bin \ 
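Review bot: The oc tarball is downloaded and `install`ed with no integrity check, and this hunk now fetches a different release (`4.11.0-0.okd-2023-01-14-152430`) for two architectures. Setting a digest in each `case` arm, e.g. `"x86_64" ) OC_ARCH="" OC_SHA256="<sha256 of the x86_64 tarball>";;`, and adding `&& sha256sum --check --status <<< "${OC_SHA256}  oc.tgz" \` before the `tar` step would bring it in line with the shellcheck and vault installs in this file. The helm and AWS CLI installs in the following hunks are likewise fetched without a checksum and would take the same treatment. The `RUN` instruction continues past the end of the hunk.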
@@ -86,11 +92,16 @@ RUN set -ex \ && command -v oc # helm -RUN set -ex \ - && wget --no-verbose -O helm.tgz https://get.helm.sh/helm-v3.11.2-linux-amd64.tar.gz \ +RUN set -e; \ + case "$(uname -m)" in \ + "x86_64" ) HELM_ARCH="amd64";; \ + "aarch64") HELM_ARCH="arm64";; \ + *) echo "Unsupported $(uname -m)"; exit 1;; \ + esac \ + && wget --no-verbose -O helm.tgz https://get.helm.sh/helm-v3.11.2-linux-${HELM_ARCH}.tar.gz \ && tar -xf helm.tgz \ - && install linux-amd64/helm /usr/local/bin \ - && rm -rf helm.tgz linux-amd64 \ + && install linux-${HELM_ARCH}/helm /usr/local/bin \ + && rm -rf helm.tgz linux-${HELM_ARCH} \ && command -v helm # Install gradle @@ -106,8 +117,7 @@ RUN set -ex \ && command -v gradle # Install aws cli -RUN set -ex \ - && wget --no-verbose -O "awscliv2.zip" "https://awscli.amazonaws.com/awscli-exe-linux-x86_64-2.7.17.zip" \ +RUN wget --no-verbose -O "awscliv2.zip" "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m)-2.7.17.zip" \ && unzip awscliv2.zip \ && ./aws/install \ && rm awscliv2.zip \ 
@@ -115,14 +125,20 @@ RUN set -ex \ && aws --version # Install yq v4.16.2 -RUN set -ex \ - && wget --no-verbose "https://github.com/mikefarah/yq/releases/download/v4.16.2/yq_linux_amd64" \ - && sha256sum --check --status <<< "5c911c4da418ae64af5527b7ee36e77effb85de20c2ce732ed14c7f72743084d yq_linux_amd64" \ - && mv yq_linux_amd64 /usr/bin/yq \ +RUN set -e; case "$(uname -m)" in \ + "x86_64" ) YQ_ARCH="amd64";; \ + "aarch64") YQ_ARCH="arm64";; \ + *) echo "Unsupported $(uname -m)"; exit 1;; \ + esac \ + && wget --no-verbose "https://github.com/mikefarah/yq/releases/download/v4.16.2/yq_linux_${YQ_ARCH}" \ + && mv yq_linux_${YQ_ARCH} /usr/bin/yq \ && chmod +x /usr/bin/yq # Install hub-comment -RUN set -ex \ +RUN set -ex; case "$(uname -m)" in \ + "x86_64" );; \ + *) echo "Unsupported $(uname -m), skipping."; exit 0;; \ + esac \ && wget --quiet https://github.com/joshdk/hub-comment/releases/download/0.1.0-rc6/hub-comment_linux_amd64 \ && sha256sum --check --status <<< "2a2640f44737873dfe30da0d5b8453419d48a494f277a70fd9108e4204fc4a53 hub-comment_linux_amd64" \ && mv hub-comment_linux_amd64 /usr/bin/hub-comment \ 
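Review bot: The yq install loses its integrity check here: the removed `sha256sum --check --status` line is not replaced, so `yq_linux_${YQ_ARCH}` is moved into `/usr/bin` unverified on both architectures. The amd64 digest from the removed line can be kept and an arm64 one added in the `case` arms, e.g. `"aarch64") YQ_ARCH="arm64" YQ_SHA256="<sha256 of yq_linux_arm64 v4.16.2>";;`. The check then goes back in before the `mv` as `&& sha256sum --check --status <<< "${YQ_SHA256}  yq_linux_${YQ_ARCH}" \`. PATCH 4/9 rewrites this step to use `${TARGETARCH}` and still has no checksum, so the same applies to that hunk.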
@@ -130,26 +146,36 @@ RUN set -ex \ # Install shellcheck ARG SHELLCHECK_VERSION=0.10.0 -ARG SHELLCHECK_SHA256=6c881ab0698e4e6ea235245f22832860544f17ba386442fe7e9d629f8cbedf87 -RUN set -ex \ - && wget --quiet "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" \ - && sha256sum --check --status <<< "${SHELLCHECK_SHA256} shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" \ - && tar -xJf "shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" \ +RUN set -ex; case "$(uname -m)" in \ + "x86_64" ) SHELLCHECK_ARCH="x86_64" \ + SHELLCHECK_SHA256="6c881ab0698e4e6ea235245f22832860544f17ba386442fe7e9d629f8cbedf87";; \ + "aarch64") SHELLCHECK_ARCH="aarch64" \ + SHELLCHECK_SHA256="324a7e89de8fa2aed0d0c28f3dab59cf84c6d74264022c00c22af665ed1a09bb";; \ + *) echo "Unsupported $(uname -m)"; exit 1;; \ + esac \ + && wget --quiet "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.${SHELLCHECK_ARCH}.tar.xz" \ + && sha256sum --check --status <<< "${SHELLCHECK_SHA256} shellcheck-v${SHELLCHECK_VERSION}.linux.${SHELLCHECK_ARCH}.tar.xz" \ + && tar -xJf "shellcheck-v${SHELLCHECK_VERSION}.linux.${SHELLCHECK_ARCH}.tar.xz" \ && cp "shellcheck-v${SHELLCHECK_VERSION}/shellcheck" /usr/bin/shellcheck \ - && rm "shellcheck-v${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" \ + && rm "shellcheck-v${SHELLCHECK_VERSION}.linux.${SHELLCHECK_ARCH}.tar.xz" \ && rm -rf "shellcheck-v${SHELLCHECK_VERSION}" \ && shellcheck --version # Install hashicorp vault ARG VAULT_VERSION=1.12.1 -ARG VAULT_SHA256=839fa81eacd250e0b0298e518751a792cd5d7194650af78cf5da74d7b7b1e5fb -RUN set -ex \ - && wget --quiet "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip" \ - && sha256sum --check --status <<< "${VAULT_SHA256} vault_${VAULT_VERSION}_linux_amd64.zip" \ - && unzip "vault_${VAULT_VERSION}_linux_amd64.zip" \ +RUN set -ex; case 
"$(uname -m)" in \ + "x86_64" ) VAULT_ARCH="amd64" \ + VAULT_SHA256="839fa81eacd250e0b0298e518751a792cd5d7194650af78cf5da74d7b7b1e5fb";; \ + "aarch64") VAULT_ARCH="arm64" \ + VAULT_SHA256="f583cdd21ed1fdc99ec50f5400e79ebc723ed3ce92d2d1d42490cff9143ed693";; \ + *) echo "Unsupported $(uname -m)"; exit 1;; \ + esac \ + && wget --quiet "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_${VAULT_ARCH}.zip" \ + && sha256sum --check --status <<< "${VAULT_SHA256} vault_${VAULT_VERSION}_linux_${VAULT_ARCH}.zip" \ + && unzip "vault_${VAULT_VERSION}_linux_${VAULT_ARCH}.zip" \ && strip "vault" \ && mv "vault" /usr/bin/vault \ - && rm "vault_${VAULT_VERSION}_linux_amd64.zip" \ + && rm "vault_${VAULT_VERSION}_linux_${VAULT_ARCH}.zip" \ && vault --version # Add python development tooling. If these versions have to change check for From 439998c263a5eaf9aecf9f047bf47c1f57a4b216 Mon Sep 17 00:00:00 2001 From: Robby Cochran Date: Thu, 8 May 2025 09:20:48 -0700 Subject: [PATCH 3/9] order --- images/stackrox-build.Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/images/stackrox-build.Dockerfile b/images/stackrox-build.Dockerfile index b4c530a5..1c1f9a29 100644 --- a/images/stackrox-build.Dockerfile +++ b/images/stackrox-build.Dockerfile @@ -55,9 +55,9 @@ RUN dnf update -y && \ dnf clean all && \ rm -rf /var/cache/dnf /var/cache/yum +ARG GOLANG_VERSION=1.24.4 ENV GOPATH=/go ENV PATH=$GOPATH/bin:/usr/local/go/bin:$PATH -ARG GOLANG_VERSION=1.24.4 RUN set -e; case "$(uname -m)" in \ "x86_64" ) GOLANG_ARCH="amd64" GOLANG_SHA256="77e5da33bb72aeaef1ba4418b6fe511bc4d041873cbf82e5aa6318740df98717";; \ "aarch64") GOLANG_ARCH="arm64" GOLANG_SHA256="d5501ee5aca0f258d5fe9bfaed401958445014495dc115f202d43d5210b45241";; \ From dd0bbdde5bb66a63f373446de28fac8febfba88d Mon Sep 17 00:00:00 2001 
From: Robby Cochran Date: Thu, 29 May 2025 15:04:31 -0700 Subject: [PATCH 4/9] use TARGETARCH instead of uname -m --- Makefile | 1 + images/stackrox-build.Dockerfile | 32 +++++----- images/stackrox-test.Dockerfile | 102 ++++++++++++++++--------------- 3 files changed, 70 insertions(+), 65 deletions(-) diff --git a/Makefile b/Makefile index f0bcfd49..9790603b 100644 --- a/Makefile +++ b/Makefile @@ -9,6 +9,7 @@ TARGETARCH?=amd64 .PHONY: stackrox-build-image stackrox-build-image: $(DOCKER) build \ + --progress=plain \ --platform linux/$(TARGETARCH) \ -t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_BUILD_TAG) \ -t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_BUILD_TAG)-$(TARGETARCH) \ diff --git a/images/stackrox-build.Dockerfile b/images/stackrox-build.Dockerfile index 1c1f9a29..b0b85b76 100644 --- a/images/stackrox-build.Dockerfile +++ b/images/stackrox-build.Dockerfile @@ -2,6 +2,8 @@ FROM registry.access.redhat.com/ubi8:latest +ARG TARGETARCH + SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN touch /i-am-rox-ci-image @@ -58,12 +60,12 @@ RUN dnf update -y && \ ARG GOLANG_VERSION=1.24.4 ENV GOPATH=/go ENV PATH=$GOPATH/bin:/usr/local/go/bin:$PATH -RUN set -e; case "$(uname -m)" in \ +RUN set -e; case "$TARGETARCH" in \ "x86_64" ) GOLANG_ARCH="amd64" GOLANG_SHA256="77e5da33bb72aeaef1ba4418b6fe511bc4d041873cbf82e5aa6318740df98717";; \ "aarch64") GOLANG_ARCH="arm64" GOLANG_SHA256="d5501ee5aca0f258d5fe9bfaed401958445014495dc115f202d43d5210b45241";; \ - *) echo "Unsupported $(uname -m)"; exit 1;; \ + *) echo "Unsupported $TARGETARCH"; exit 1;; \ esac && \ - wget --no-verbose -O go.tgz "https://dl.google.com/go/go${GOLANG_VERSION}.linux-${GOLANG_ARCH}.tar.gz" && \ + wget --no-verbose -O go.tgz "https://dl.google.com/go/go${GOLANG_VERSION}.linux-${TARGETARCH}.tar.gz" && \ echo "${GOLANG_SHA256} *go.tgz" | sha256sum -c - && \ tar -C /usr/local -xzf go.tgz && \ rm go.tgz && \ 
@@ -71,25 +73,25 @@ RUN set -e; case "$(uname -m)" in \ chmod -R 777 "$GOPATH" ARG FETCH_VERSION=0.4.6 -RUN set -e; case "$(uname -m)" in \ - "x86_64" ) FETCH_ARCH="amd64" FETCH_SHA256="a67ed3141d6deb7e7841f40505cba11eb7a37abbab78374712a42373e7854209";; \ - "aarch64") FETCH_ARCH="arm64" FETCH_SHA256="4b9115a1f1a90c7088bff9ffc7d2de3547ef1d21709528e878af09a4c348dea3";; \ - *) echo "Unsupported $(uname -m)"; exit 1;; \ +RUN set -e; case "$TARGETARCH" in \ + "amd64" ) FETCH_SHA256="a67ed3141d6deb7e7841f40505cba11eb7a37abbab78374712a42373e7854209";; \ + "arm64") FETCH_SHA256="4b9115a1f1a90c7088bff9ffc7d2de3547ef1d21709528e878af09a4c348dea3";; \ + *) echo "Unsupported $TARGETARCH"; exit 1;; \ esac && \ - wget --no-verbose -O fetch https://github.com/gruntwork-io/fetch/releases/download/v${FETCH_VERSION}/fetch_linux_${FETCH_ARCH} && \ + wget --no-verbose -O fetch https://github.com/gruntwork-io/fetch/releases/download/v${FETCH_VERSION}/fetch_linux_${TARGETARCH} && \ echo "${FETCH_SHA256} fetch" | sha256sum -c - && \ install fetch /usr/bin && \ rm fetch ARG OSSLS_VERSION=0.11.1 -RUN set -e; case "$(uname -m)" in \ - "x86_64" ) OSSLS_ARCH="amd64" OSSLS_SHA256="f1bf3012961c1d90ba307a46263f29025028d35c209b9a65e5c7d502c470c95f";; \ - *) echo "Unsupported $(uname -m), skipping."; exit 0;; \ +RUN set -e; case "$TARGETARCH" in \ + "amd64" ) OSSLS_SHA256="f1bf3012961c1d90ba307a46263f29025028d35c209b9a65e5c7d502c470c95f";; \ + *) echo "Unsupported $TARGETARCH, skipping."; exit 0;; \ esac && \ - fetch --repo="https://github.com/stackrox/ossls" --tag="${OSSLS_VERSION}" --release-asset="ossls_linux_${OSSLS_ARCH}" . && \ - echo "${OSSLS_SHA256} *ossls_linux_${OSSLS_ARCH}" | sha256sum -c - && \ - install ossls_linux_${OSSLS_ARCH} /usr/bin/ossls && \ - rm ossls_linux_${OSSLS_ARCH} && \ + fetch --repo="https://github.com/stackrox/ossls" --tag="${OSSLS_VERSION}" --release-asset="ossls_linux_amd64" . 
&& \ + echo "${OSSLS_SHA256} *ossls_linux_amd64" | sha256sum -c - && \ + install ossls_linux_amd64 /usr/bin/ossls && \ + rm ossls_linux_amd64 && \ ossls version ENV CGO_ENABLED=1 diff --git a/images/stackrox-test.Dockerfile b/images/stackrox-test.Dockerfile index e938aaad..3f4052c2 100644 --- a/images/stackrox-test.Dockerfile +++ b/images/stackrox-test.Dockerfile @@ -5,6 +5,14 @@ FROM docker:28.0.0 AS static-docker-source FROM quay.io/rhacs-eng/apollo-ci:${BASE_TAG} AS base +ARG TARGETARCH + +RUN case "$TARGETARCH" in \ + amd64) echo "TARGETARCH_ALT=x86_64" ;; \ + arm64) echo "TARGETARCH_ALT=aarch64" ;; \ + *) echo "Unsupported $TARGETARCH"; exit 1;; \ + esac > /arch.env + COPY --from=static-docker-source /usr/local/bin/docker /usr/local/bin/docker COPY --from=static-docker-source /usr/local/libexec/docker/cli-plugins/docker-buildx /usr/local/libexec/docker/cli-plugins/docker-buildx @@ -27,10 +35,14 @@ RUN set -ex \ # an initial BASH_ENV as a foundation for cci-export(). ENV BASH_ENV /etc/initial-bash.env -RUN cat < /etc/yum.repos.d/google-cloud-sdk.repo +# Install cloud-sdk repo from https://cloud.google.com/sdk/docs/install#rpm, which +# is not configured by default on arm64 +RUN set -ex \ + && . /arch.env \ + && cat < /etc/yum.repos.d/google-cloud-sdk.repo [google-cloud-cli] name=Google Cloud CLI -baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el8-aarch64 +baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el8-${TARGETARCH_ALT} enabled=1 gpgcheck=1 repo_gpgcheck=0 
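Review bot: In the `case` that writes `/arch.env`, stdout of the whole statement is redirected into the file. On an unsupported or empty `TARGETARCH` the "Unsupported" message therefore lands in `/arch.env` instead of the build log, and the step fails with no visible reason. Sending the message to stderr fixes that: `*) echo "Unsupported $TARGETARCH" >&2; exit 1;;`. `TARGETARCH` is filled in automatically only by BuildKit, so a comment on the `ARG TARGETARCH` line noting that the legacy builder needs `--build-arg TARGETARCH=...` would save a confusing failure.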
@@ -38,19 +50,21 @@ gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg EOF # Install Postgres repo -RUN dnf --disablerepo="*" install -y "https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-$(uname -m)/pgdg-redhat-repo-latest.noarch.rpm" +RUN . /arch.env && dnf --disablerepo="*" install -y "https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-${TARGETARCH_ALT}/pgdg-redhat-repo-latest.noarch.rpm" # Install all the packages RUN dnf update -y \ && dnf install -y \ expect \ + gcc \ + gcc-c++ \ + google-cloud-cli \ + google-cloud-cli-gke-gcloud-auth-plugin \ java-17-openjdk-devel \ kubectl \ lsof \ lz4 \ openssl \ - google-cloud-cli \ - google-cloud-cli-gke-gcloud-auth-plugin \ python3.12-devel python3.12-setuptools python3.12-pip \ unzip \ xmlstarlet \ @@ -63,7 +77,7 @@ RUN dnf update -y \ && dnf clean all \ && rm -rf /var/cache/dnf /var/cache/yum -# Symlink python to python3 +## Symlink python to python3 RUN update-alternatives --install /usr/bin/pip3 pip3 /usr/bin/pip3.12 1 RUN update-alternatives --install /usr/bin/pip-3 pip-3 /usr/bin/pip3.12 1 RUN ln -s /usr/bin/python3.12 /usr/bin/python @@ -79,10 +93,10 @@ RUN set -ex \ # Install oc RUN set -e; \ - case "$(uname -m)" in \ - "x86_64" ) OC_ARCH="";; \ - "aarch64") OC_ARCH="arm64-";; \ - *) echo "Unsupported $(uname -m)"; exit 1;; \ + case "$TARGETARCH" in \ + "amd64") OC_ARCH="";; \ + "arm64") OC_ARCH="arm64-";; \ + *) echo "Unsupported $TARGETARCH"; exit 1;; \ esac \ && wget --no-verbose -O oc.tgz https://github.com/okd-project/okd/releases/download/4.11.0-0.okd-2023-01-14-152430/openshift-client-linux-${OC_ARCH}4.11.0-0.okd-2023-01-14-152430.tar.gz \ && mkdir "oc-dir" \ 
@@ -92,16 +106,11 @@ RUN set -e; \ && command -v oc # helm -RUN set -e; \ - case "$(uname -m)" in \ - "x86_64" ) HELM_ARCH="amd64";; \ - "aarch64") HELM_ARCH="arm64";; \ - *) echo "Unsupported $(uname -m)"; exit 1;; \ - esac \ - && wget --no-verbose -O helm.tgz https://get.helm.sh/helm-v3.11.2-linux-${HELM_ARCH}.tar.gz \ +RUN set -ex \ + && wget --no-verbose -O helm.tgz https://get.helm.sh/helm-v3.11.2-linux-${TARGETARCH}.tar.gz \ && tar -xf helm.tgz \ - && install linux-${HELM_ARCH}/helm /usr/local/bin \ - && rm -rf helm.tgz linux-${HELM_ARCH} \ + && install linux-${TARGETARCH}/helm /usr/local/bin \ + && rm -rf helm.tgz linux-${TARGETARCH} \ && command -v helm # Install gradle @@ -117,7 +126,8 @@ RUN set -ex \ && command -v gradle # Install aws cli -RUN wget --no-verbose -O "awscliv2.zip" "https://awscli.amazonaws.com/awscli-exe-linux-$(uname -m)-2.7.17.zip" \ +RUN . /arch.env \ + && wget --no-verbose -O "awscliv2.zip" "https://awscli.amazonaws.com/awscli-exe-linux-${TARGETARCH_ALT}-2.7.17.zip" \ && unzip awscliv2.zip \ && ./aws/install \ && rm awscliv2.zip \ 
@@ -125,19 +135,15 @@ RUN wget --no-verbose -O "awscliv2.zip" "https://awscli.amazonaws.com/awscli-exe && aws --version # Install yq v4.16.2 -RUN set -e; case "$(uname -m)" in \ - "x86_64" ) YQ_ARCH="amd64";; \ - "aarch64") YQ_ARCH="arm64";; \ - *) echo "Unsupported $(uname -m)"; exit 1;; \ - esac \ - && wget --no-verbose "https://github.com/mikefarah/yq/releases/download/v4.16.2/yq_linux_${YQ_ARCH}" \ - && mv yq_linux_${YQ_ARCH} /usr/bin/yq \ +RUN set -ex \ + && wget --no-verbose "https://github.com/mikefarah/yq/releases/download/v4.16.2/yq_linux_${TARGETARCH}" \ + && mv yq_linux_${TARGETARCH} /usr/bin/yq \ && chmod +x /usr/bin/yq # Install hub-comment -RUN set -ex; case "$(uname -m)" in \ - "x86_64" );; \ - *) echo "Unsupported $(uname -m), skipping."; exit 0;; \ +RUN set -ex; case "$TARGETARCH" in \ + "amd64");; \ + *) echo "Unsupported ${TARGETARCH}, skipping."; exit 0;; \ esac \ && wget --quiet https://github.com/joshdk/hub-comment/releases/download/0.1.0-rc6/hub-comment_linux_amd64 \ && sha256sum --check --status <<< "2a2640f44737873dfe30da0d5b8453419d48a494f277a70fd9108e4204fc4a53 hub-comment_linux_amd64" \ 
@@ -146,36 +152,32 @@ RUN set -ex; case "$(uname -m)" in \ # Install shellcheck ARG SHELLCHECK_VERSION=0.10.0 -RUN set -ex; case "$(uname -m)" in \ - "x86_64" ) SHELLCHECK_ARCH="x86_64" \ - SHELLCHECK_SHA256="6c881ab0698e4e6ea235245f22832860544f17ba386442fe7e9d629f8cbedf87";; \ - "aarch64") SHELLCHECK_ARCH="aarch64" \ - SHELLCHECK_SHA256="324a7e89de8fa2aed0d0c28f3dab59cf84c6d74264022c00c22af665ed1a09bb";; \ - *) echo "Unsupported $(uname -m)"; exit 1;; \ +RUN set -ex; . /arch.env && case "$TARGETARCH" in \ + "amd64") SHELLCHECK_SHA256="6c881ab0698e4e6ea235245f22832860544f17ba386442fe7e9d629f8cbedf87";; \ + "arm64") SHELLCHECK_SHA256="324a7e89de8fa2aed0d0c28f3dab59cf84c6d74264022c00c22af665ed1a09bb";; \ + *) echo "Unsupported $TARGETARCH"; exit 1;; \ esac \ - && wget --quiet "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.${SHELLCHECK_ARCH}.tar.xz" \ - && sha256sum --check --status <<< "${SHELLCHECK_SHA256} shellcheck-v${SHELLCHECK_VERSION}.linux.${SHELLCHECK_ARCH}.tar.xz" \ - && tar -xJf "shellcheck-v${SHELLCHECK_VERSION}.linux.${SHELLCHECK_ARCH}.tar.xz" \ + && wget --quiet "https://github.com/koalaman/shellcheck/releases/download/v${SHELLCHECK_VERSION}/shellcheck-v${SHELLCHECK_VERSION}.linux.${TARGETARCH_ALT}.tar.xz" \ + && sha256sum --check --status <<< "${SHELLCHECK_SHA256} shellcheck-v${SHELLCHECK_VERSION}.linux.${TARGETARCH_ALT}.tar.xz" \ + && tar -xJf "shellcheck-v${SHELLCHECK_VERSION}.linux.${TARGETARCH_ALT}.tar.xz" \ && cp "shellcheck-v${SHELLCHECK_VERSION}/shellcheck" /usr/bin/shellcheck \ - && rm "shellcheck-v${SHELLCHECK_VERSION}.linux.${SHELLCHECK_ARCH}.tar.xz" \ + && rm "shellcheck-v${SHELLCHECK_VERSION}.linux.${TARGETARCH_ALT}.tar.xz" \ && rm -rf "shellcheck-v${SHELLCHECK_VERSION}" \ && shellcheck --version # Install hashicorp vault ARG VAULT_VERSION=1.12.1 -RUN set -ex; case "$(uname -m)" in \ - "x86_64" ) VAULT_ARCH="amd64" \ - 
VAULT_SHA256="839fa81eacd250e0b0298e518751a792cd5d7194650af78cf5da74d7b7b1e5fb";; \ - "aarch64") VAULT_ARCH="arm64" \ - VAULT_SHA256="f583cdd21ed1fdc99ec50f5400e79ebc723ed3ce92d2d1d42490cff9143ed693";; \ - *) echo "Unsupported $(uname -m)"; exit 1;; \ +RUN set -ex; case "$TARGETARCH" in \ + "amd64") VAULT_SHA256="839fa81eacd250e0b0298e518751a792cd5d7194650af78cf5da74d7b7b1e5fb";; \ + "arm64") VAULT_SHA256="f583cdd21ed1fdc99ec50f5400e79ebc723ed3ce92d2d1d42490cff9143ed693";; \ + *) echo "Unsupported $TARGETARCH"; exit 1;; \ esac \ - && wget --quiet "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_${VAULT_ARCH}.zip" \ - && sha256sum --check --status <<< "${VAULT_SHA256} vault_${VAULT_VERSION}_linux_${VAULT_ARCH}.zip" \ - && unzip "vault_${VAULT_VERSION}_linux_${VAULT_ARCH}.zip" \ + && wget --quiet "https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_${TARGETARCH}.zip" \ + && sha256sum --check --status <<< "${VAULT_SHA256} vault_${VAULT_VERSION}_linux_${TARGETARCH}.zip" \ + && unzip "vault_${VAULT_VERSION}_linux_${TARGETARCH}.zip" \ && strip "vault" \ && mv "vault" /usr/bin/vault \ - && rm "vault_${VAULT_VERSION}_linux_${VAULT_ARCH}.zip" \ + && rm "vault_${VAULT_VERSION}_linux_${TARGETARCH}.zip" \ && vault --version # Add python development tooling. If these versions have to change check for From 0f6a1ea96c488322212f786d8255e1e31b09fa6f Mon Sep 17 00:00:00 2001 From: Robby Cochran Date: Fri, 30 May 2025 09:57:24 -0700 Subject: [PATCH 5/9] Update pylint versions --- images/stackrox-test.Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/images/stackrox-test.Dockerfile b/images/stackrox-test.Dockerfile index 3f4052c2..1c89dc15 100644 --- a/images/stackrox-test.Dockerfile +++ b/images/stackrox-test.Dockerfile 
@@ -183,8 +183,8 @@ RUN set -ex; case "$TARGETARCH" in \
 # Add python development tooling. If these versions have to change check for
 # dependent repos. e.g. stackrox/stackrox has .openshift-ci/dev-requirements.txt
 # for local development style & lint.
-ARG PYCODESTYLE_VERSION=2.10.0
-ARG PYLINT_VERSION=2.13.9
+ARG PYCODESTYLE_VERSION=2.13.0
+ARG PYLINT_VERSION=3.3.7
 RUN set -ex \
 && pip3 install pycodestyle=="${PYCODESTYLE_VERSION}" \
 pylint=="${PYLINT_VERSION}"
From 245511b4504afdbdfb0ba30fa7d2d5c66531f20a Mon Sep 17 00:00:00 2001
From: Robby Cochran
Date: Thu, 26 Jun 2025 00:15:41 -0400
Subject: [PATCH 6/9] Apply suggestions from code review
Co-authored-by: Tom Martensen
---
 .github/actions/build-and-push-image/action.yaml | 2 +-
 .github/actions/build-and-push-image/build-and-push-image.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/build-and-push-image/action.yaml b/.github/actions/build-and-push-image/action.yaml
index ffd37876..0a8b4715 100644
--- a/.github/actions/build-and-push-image/action.yaml
+++ b/.github/actions/build-and-push-image/action.yaml
@@ -10,7 +10,7 @@ inputs:
 runs:
 using: composite
 steps:
- - name: Build and push x86_64 image
+ - name: Build and push ${{ inputs.arch }} image
 run: |
 .github/actions/build-and-push-image/build-and-push-image.sh \
 "${{ inputs.image-flavor }}" "${{ inputs.arch }}"
diff --git a/.github/actions/build-and-push-image/build-and-push-image.sh b/.github/actions/build-and-push-image/build-and-push-image.sh
index c0e5d7c0..a8961e98 100755
--- a/.github/actions/build-and-push-image/build-and-push-image.sh
+++ b/.github/actions/build-and-push-image/build-and-push-image.sh
@@ -7,7 +7,7 @@ build_and_push_image() {
 local target_arch="$2"
 local tag_suffix="-${target_arch}"
- if [ -z $target_arch ]; then
+ if [ -z "${target_arch}" ]; then
 target_arch="amd64"
 tag_suffix=""
 fi
From 93fa2974c16307dfb6506cf7ebcceb01d40b3553 Mon Sep 17 00:00:00 2001
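Review bot: In `.github/actions/build-and-push-image/action.yaml`, the `run:` lines kept as context in this hunk paste `${{ inputs.image-flavor }}` and `${{ inputs.arch }}` straight into the script text, so the expression is expanded before bash parses the command and the surrounding double quotes give no protection if a value ever contains shell metacharacters. The callers are presumably a fixed matrix, which keeps the exposure low today, but a reusable composite action should not depend on that. Hand both inputs to the step through `env:` and reference them as ordinary quoted shell variables, as sketched below. The step's remaining keys lie outside the hunk.

```yaml
      env:
        IMAGE_FLAVOR: ${{ inputs.image-flavor }}
        TARGET_ARCH: ${{ inputs.arch }}
      run: |
        .github/actions/build-and-push-image/build-and-push-image.sh \
          "$IMAGE_FLAVOR" "$TARGET_ARCH"
```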
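Review bot: In `build-and-push-image.sh`, quoting the `-z` test does not make the amd64 fallback reachable when the second argument is omitted, because the context line `local target_arch="$2"` runs first and, assuming the script keeps its `set -euo pipefail` preamble, an unset `$2` aborts there. Use `local target_arch="${2:-}"` so a one-argument call still gets the default. Because the value feeds `tag_suffix` (and from there, presumably, the pushed tag), it is also worth rejecting anything but the two supported names right after the default is applied: `case "$target_arch" in amd64|arm64) ;; *) echo "unsupported arch: $target_arch" >&2; exit 1;; esac`. The function body continues outside the hunk.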
From: Robby Cochran
Date: Fri, 1 Aug 2025 10:20:57 -0700
Subject: [PATCH 7/9] fix format
---
 images/stackrox-build.Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/images/stackrox-build.Dockerfile b/images/stackrox-build.Dockerfile
index b0b85b76..5dc547af 100644
--- a/images/stackrox-build.Dockerfile
+++ b/images/stackrox-build.Dockerfile
@@ -61,8 +61,8 @@ ARG GOLANG_VERSION=1.24.4
 ENV GOPATH=/go
 ENV PATH=$GOPATH/bin:/usr/local/go/bin:$PATH
 RUN set -e; case "$TARGETARCH" in \
- "x86_64" ) GOLANG_ARCH="amd64" GOLANG_SHA256="77e5da33bb72aeaef1ba4418b6fe511bc4d041873cbf82e5aa6318740df98717";; \
- "aarch64") GOLANG_ARCH="arm64" GOLANG_SHA256="d5501ee5aca0f258d5fe9bfaed401958445014495dc115f202d43d5210b45241";; \
+ "amd64" ) GOLANG_SHA256="77e5da33bb72aeaef1ba4418b6fe511bc4d041873cbf82e5aa6318740df98717";; \
+ "arm64") GOLANG_SHA256="d5501ee5aca0f258d5fe9bfaed401958445014495dc115f202d43d5210b45241";; \
 *) echo "Unsupported $TARGETARCH"; exit 1;; \
 esac && \
 wget --no-verbose -O go.tgz "https://dl.google.com/go/go${GOLANG_VERSION}.linux-${TARGETARCH}.tar.gz" && \
From d6827c7734b8003857fcdab76cf078d33a7ffcc6 Mon Sep 17 00:00:00 2001
From: Robby Cochran
Date: Fri, 1 Aug 2025 13:43:31 -0700
Subject: [PATCH 8/9] oc version
---
 images/stackrox-test.Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/images/stackrox-test.Dockerfile b/images/stackrox-test.Dockerfile
index 1c89dc15..2c72f12b 100644
--- a/images/stackrox-test.Dockerfile
+++ b/images/stackrox-test.Dockerfile
@@ -92,13 +92,14 @@ RUN set -ex \
 && bats -v
 # Install oc
+ARG OC_VERSION=4.11.0-0.okd-2023-01-14-152430
 RUN set -e; \
 case "$TARGETARCH" in \
 "amd64") OC_ARCH="";; \
 "arm64") OC_ARCH="arm64-";; \
 *) echo "Unsupported $TARGETARCH"; exit 1;; \
 esac \
- && wget --no-verbose -O oc.tgz https://github.com/okd-project/okd/releases/download/4.11.0-0.okd-2023-01-14-152430/openshift-client-linux-${OC_ARCH}4.11.0-0.okd-2023-01-14-152430.tar.gz \
+ && wget --no-verbose -O oc.tgz https://github.com/okd-project/okd/releases/download/${OC_VERSION}/openshift-client-linux-${OC_ARCH}${OC_VERSION}.tar.gz \
 && mkdir "oc-dir" \
 && tar -C "oc-dir" -xf oc.tgz \
 && install oc-dir/oc /usr/local/bin \
From e7836f2caf8f169d61881bbec8ba583c74041a45 Mon Sep 17 00:00:00 2001
From: Robby Cochran
Date: Mon, 4 Aug 2025 10:17:19 -0700
Subject: [PATCH 9/9] PR comment: don't write arch.env file
---
 Makefile | 10 +++++++++-
 images/stackrox-test.Dockerfile | 15 ++++-----------
 2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/Makefile b/Makefile
index 9790603b..b30b877b 100644
--- a/Makefile
+++ b/Makefile
@@ -6,10 +6,17 @@ QUAY_REPO=rhacs-eng
 STACKROX_BUILD_TAG=$(shell scripts/get_tag.sh "stackrox-build")
 TARGETARCH?=amd64
+ifeq ($(TARGETARCH),amd64)
+ TARGETARCH_ALT = x86_64
+else ifeq ($(TARGETARCH),arm64)
+ TARGETARCH_ALT = aarch64
+else
+ TARGETARCH_ALT = $(TARGETARCH)
+endif
+
 .PHONY: stackrox-build-image
 stackrox-build-image:
 $(DOCKER) build \
- --progress=plain \
 --platform linux/$(TARGETARCH) \
 -t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_BUILD_TAG) \
 -t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_BUILD_TAG)-$(TARGETARCH) \
@@ -25,6 +32,7 @@ stackrox-test-image:
 -t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_TEST_TAG) \
 -t quay.io/$(QUAY_REPO)/apollo-ci:$(STACKROX_TEST_TAG)-$(TARGETARCH) \
 --build-arg BASE_TAG=$(STACKROX_BUILD_TAG)-$(TARGETARCH) \
+ --build-arg TARGETARCH_ALT=$(TARGETARCH_ALT) \
 -f images/stackrox-test.Dockerfile \
 images/
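Review bot: The `oc` tarball in the `# Install oc` step of `images/stackrox-test.Dockerfile` goes from `wget` straight to `tar` and `install` into `/usr/local/bin` with no integrity check, and with `OC_VERSION` now an `ARG`, any build that overrides it pulls a different, equally unverified archive. The shellcheck and vault steps of the same file pin a per-arch SHA256, so do the same here: set `OC_SHA256="<sha256 of the amd64 tarball>"` and `OC_SHA256="<sha256 of the arm64 tarball>"` in the two `case` arms and add `&& sha256sum --check --status <<< "${OC_SHA256}  oc.tgz" \` after the `wget` line. The same gap exists for `awscliv2.zip` in the `# Install aws cli` hunk of the last patch in this series, where the unverified archive's `./aws/install` is executed. The RUN instruction continues past the end of the hunk.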
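Review bot: The final `else` branch of the new `TARGETARCH_ALT` block in the Makefile forwards an unrecognised `TARGETARCH` unchanged instead of stopping, whereas the Dockerfile `RUN` deleted by this same patch failed with `Unsupported $TARGETARCH`. The value is later spliced into the PostgreSQL repo and AWS CLI download URLs, so a typo now shows up as an obscure fetch error well into the build. Replace the fallback assignment with `$(error Unsupported TARGETARCH $(TARGETARCH))` so the failure is immediate and names the cause.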
diff --git a/images/stackrox-test.Dockerfile b/images/stackrox-test.Dockerfile
index 2c72f12b..5f42b3b1 100644
--- a/images/stackrox-test.Dockerfile
+++ b/images/stackrox-test.Dockerfile
@@ -6,12 +6,7 @@ FROM docker:28.0.0 AS static-docker-source
 FROM quay.io/rhacs-eng/apollo-ci:${BASE_TAG} AS base
 ARG TARGETARCH
-
-RUN case "$TARGETARCH" in \
- amd64) echo "TARGETARCH_ALT=x86_64" ;; \
- arm64) echo "TARGETARCH_ALT=aarch64" ;; \
- *) echo "Unsupported $TARGETARCH"; exit 1;; \
- esac > /arch.env
+ARG TARGETARCH_ALT
 COPY --from=static-docker-source /usr/local/bin/docker /usr/local/bin/docker
 COPY --from=static-docker-source /usr/local/libexec/docker/cli-plugins/docker-buildx /usr/local/libexec/docker/cli-plugins/docker-buildx
@@ -38,7 +33,6 @@ ENV BASH_ENV /etc/initial-bash.env
 # Install cloud-sdk repo from https://cloud.google.com/sdk/docs/install#rpm, which
 # is not configured by default on arm64
 RUN set -ex \
- && . /arch.env \
 && cat < /etc/yum.repos.d/google-cloud-sdk.repo
 [google-cloud-cli]
 name=Google Cloud CLI
@@ -50,7 +44,7 @@ gpgkey=https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
 EOF
 # Install Postgres repo
-RUN . /arch.env && dnf --disablerepo="*" install -y "https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-${TARGETARCH_ALT}/pgdg-redhat-repo-latest.noarch.rpm"
+RUN dnf --disablerepo="*" install -y "https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-${TARGETARCH_ALT}/pgdg-redhat-repo-latest.noarch.rpm"
 # Install all the packages
 RUN dnf update -y \
@@ -127,8 +121,7 @@ RUN set -ex \
 && command -v gradle
 # Install aws cli
-RUN . /arch.env \
- && wget --no-verbose -O "awscliv2.zip" "https://awscli.amazonaws.com/awscli-exe-linux-${TARGETARCH_ALT}-2.7.17.zip" \
+RUN wget --no-verbose -O "awscliv2.zip" "https://awscli.amazonaws.com/awscli-exe-linux-${TARGETARCH_ALT}-2.7.17.zip" \
 && unzip awscliv2.zip \
 && ./aws/install \
 && rm awscliv2.zip \
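Review bot: `ARG TARGETARCH_ALT` in the first hunk of `images/stackrox-test.Dockerfile` has no default and nothing validates it, so a build that bypasses the Makefile (a plain `docker build` of this file) gets an empty value and requests URLs such as `EL-8-/pgdg-redhat-repo-latest.noarch.rpm`. The deleted `RUN` derived the value inside the image and rejected unknown architectures; a one-line guard after the ARG keeps that property: `RUN case "$TARGETARCH_ALT" in x86_64|aarch64) ;; *) echo "Unsupported TARGETARCH_ALT '$TARGETARCH_ALT'"; exit 1;; esac`. A comment on the ARG such as `# x86_64 or aarch64; passed by the Makefile via --build-arg` would tell anyone building by hand what to supply.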
@@ -153,7 +146,7 @@ RUN set -ex; case "$TARGETARCH" in \
 # Install shellcheck
 ARG SHELLCHECK_VERSION=0.10.0
-RUN set -ex; . /arch.env && case "$TARGETARCH" in \
+RUN set -ex; case "$TARGETARCH" in \
 "amd64") SHELLCHECK_SHA256="6c881ab0698e4e6ea235245f22832860544f17ba386442fe7e9d629f8cbedf87";; \
 "arm64") SHELLCHECK_SHA256="324a7e89de8fa2aed0d0c28f3dab59cf84c6d74264022c00c22af665ed1a09bb";; \
 *) echo "Unsupported $TARGETARCH"; exit 1;; \