ci: temp rootfs rpm integration test (#924)

Signed-off-by: ashnamehrotra <ashnamehrotra@gmail.com>
Co-authored-by: Sertaç Özercan <852750+sozercan@users.noreply.github.com>

Author: ashnamehrotra

.github/workflows/build.yml

@@ -191,7 +191,60 @@ jobs:
         run: |
           set -eu -o pipefail
           . .github/workflows/scripts/buildkitenvs/${{ matrix.buildkit_mode}}
+          echo "COPA_BUILDKIT_ADDR=${COPA_BUILDKIT_ADDR}" >> "$GITHUB_ENV"
           go test -v ./integration --addr="${COPA_BUILDKIT_ADDR}" --copa="$(pwd)/copa" -timeout 0
+      - name: Test RPM validation - noreplace files
+        shell: bash
+        run: |
+            set -eux -o pipefail
+
+            if [[ -n "${COPA_BUILDKIT_ADDR}" && "${COPA_BUILDKIT_ADDR}" == docker://* ]]; then
+                export DOCKER_HOST="${COPA_BUILDKIT_ADDR#docker://}"
+            fi
+      
+            docker create --name test ghcr.io/project-copacetic/copacetic/test/openssl:test-patched /bin/sh
+            tmp="$(mktemp)"
+            docker cp test:/etc/pki/tls/openssl.cnf "${tmp}"
+            
+            if ! grep -q foo "${tmp}"; then
+                echo "Error: openssl.cnf content replaced" >&2
+                rm "${tmp}"
+                docker rm -f test
+                exit 1
+            fi
+
+            rm "${tmp}"
+            docker rm -f test
+      - name: Test RPM validation - symlink
+        shell: bash
+        run: |
+          set -eux -o pipefail
+
+          _cleanup() {
+              docker rm -f "$DOCKER_CUSTOM_UNIX_ID"
+              sudo rm -rf "$SOCK_DIR"
+          }
+
+          if [[ -n "${COPA_BUILDKIT_ADDR}" && "${COPA_BUILDKIT_ADDR}" == docker://* ]]; then
+              export DOCKER_HOST="${COPA_BUILDKIT_ADDR#docker://}"
+              trap '_cleanup' EXIT
+          fi
+
+          docker create --name test ghcr.io/project-copacetic/copacetic/test/openssl:test-patched /bin/sh
+          tmp="$(mktemp)"
+
+          symlink_path="/sbin"
+          docker cp test:"$symlink_path" "${tmp}_symlink"
+
+          if [ ! -L "${tmp}_symlink" ]; then
+              echo "Error: The path $symlink_path is not a symlink."
+              rm "${tmp}" "${tmp}_symlink"
+              docker rm -f test
+              exit 1
+          fi
+
+          rm "${tmp}" "${tmp}_symlink"
+          docker rm -f test
 
   test-plugin:
     needs: build

.github/workflows/scripts/buildkitenvs/docker/custom-unix

@@ -12,6 +12,8 @@ EOF
 sock_dir="$(mktemp -d)"
 
 docker_custom_unix_id="$(docker run -d --privileged --mount=type=bind,source="${sock_dir}",target=/run --mount=type=volume,source="${DOCKER_DIND_VOLUME}",target=/var/lib/docker dind --group "$(id -g)")"
+echo "DOCKER_CUSTOM_UNIX_ID=$docker_custom_unix_id" >> $GITHUB_ENV
+echo "SOCK_DIR=$sock_dir" >> $GITHUB_ENV
 
 
 timeout 5m bash -c '
@@ -21,13 +23,6 @@ until [ "$(docker inspect -f "{{.State.Status}}" $docker_custom_unix_id)" == "ru
 done
 ' -- "$docker_custom_unix_id"
 
-_cleanup() {
-    docker rm -f "$docker_custom_unix_id"
-    sudo rm -rf "${sock_dir}"
-}
-
-trap '_cleanup' EXIT
-
 _check_docker_dind() {
     docker -H "unix://${sock_dir}/docker.sock" info
 }

integration/fixtures/openssl-test-img/Dockerfile

@@ -0,0 +1,2 @@
+FROM mcr.microsoft.com/cbl-mariner/distroless/base:2.0.20240112
+COPY openssl.cnf /etc/pki/tls/

integration/fixtures/openssl-test-img/openssl.cnf

@@ -0,0 +1 @@
+foo

integration/fixtures/test-images.json

@@ -184,5 +184,13 @@
         "distro": "AlmaLinux",
         "description": "Valid rpm DB, microdnf & rpm present",
         "ignoreErrors": false
+    },
+    {
+        "image": "ghcr.io/project-copacetic/copacetic/test/openssl",
+        "tag": "test",
+        "digest": "sha256:164dbe64a682513e341b6262646c8bee2fb72fca3801aedd9f720765704af995",
+        "distro": "Mariner Distroless",
+        "description": "Custom rpmmanifest files, no yum/tdnf/dnf/microdnf/rpm, custom openssl.cnf",
+        "ignoreErrors": false
     }
 ]