common: pin and verify the components

[Vicente-Cheng]

Problem:
pin and verify the components

Solution:
pin and verify the components

Related Issue:
https://github.com/rancher/rancher-security/issues/1512

Test plan:

[Vicente-Cheng]

@Mergifyio backport v1.8

[mergify]

backport v1.8

✅ Backports have been created

Details

• #272 common: pin and verify the components (backport #271) has been created for branch v1.8

[Copilot]

Pull request overview

This PR aims to improve supply-chain integrity and reproducibility by pinning versions/SHAs of build-time components (and adding checksum verification) used in local builds and CI.

Changes:

• Pin the dapper download to a specific version and add SHA-512 verification in Makefile.
• Switch image packaging scripts to use docker buildx (paired with installing buildx in the dapper image).
• Pin/verify Helm download in CI helper script and update the pinned read-vault-secrets GitHub Action SHA.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
scripts/package_webhook	Use docker buildx for building the webhook image.
scripts/package_controller	Use docker buildx for building the controller image.
Makefile	Pin dapper version and verify the downloaded binary via SHA-512.
Dockerfile.dapper	Install buildx via package manager and pin golangci-lint via image digest.
ci/scripts/helpers.sh	Attempt to pin Helm version and verify download checksum.
.github/workflows/fossa.yml	Update pinned SHA for rancher-eio/read-vault-secrets action.
.github/workflows/factory.yaml	Update pinned SHA for rancher-eio/read-vault-secrets action.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The .dapper recipe uses @@chmod, which Make interprets as “silent” (@) plus a literal @ passed to the shell. That results in trying to execute a command named @chmod and will fail, breaking make ci/any target that depends on .dapper. Use a single leading @ (or none) before chmod.

Suggested change

	@@chmod +x .dapper.tmp
	@chmod +x .dapper.tmp

[Copilot]

ARG is Dockerfile syntax, not valid in bash. With the #!/bin/bash -e shebang, the script will exit immediately with “ARG: command not found”, so none of the CI scripts that source helpers.sh will work. Replace these with normal bash variable assignments (and ensure ARCH is set before it’s used).

Suggested change

	ARG HELM_VERSION=v3.20.0
	ARG HELM_SUM_amd64=dbb4c8fc8e19d159d1a63dda8db655f9ffa4aac1b9a6b188b34a40957119b286
	ARG HELM_SUM_arm64=bfb14953295d5324d47ab55f3dfba6da28d46c848978c8fbf412d4271bdc29f1
	ARG HELM_SUM="HELM_SUM_${ARCH}"
	ARCH="${ARCH:-amd64}"
	HELM_VERSION="v3.20.0"
	HELM_SUM_amd64="dbb4c8fc8e19d159d1a63dda8db655f9ffa4aac1b9a6b188b34a40957119b286"
	HELM_SUM_arm64="bfb14953295d5324d47ab55f3dfba6da28d46c848978c8fbf412d4271bdc29f1"
	HELM_SUM="HELM_SUM_${ARCH}"

[Copilot]

The extracted helm binary path is still hardcoded to linux-amd64/helm, but the download/extract is now architecture-dependent (linux-${ARCH}). This will break on arm64 (and is inconsistent even on amd64 if ARCH differs). Point HELM at the extracted linux-${ARCH}/helm directory (or derive it from the tar contents).

Suggested change

	HELM=$TOP_DIR/linux-amd64/helm
	HELM=$TOP_DIR/linux-${ARCH}/helm

[Vicente-Cheng]

@Mergifyio backport v1.8

[mergify]

backport v1.8

☑️ Command backport v1.8 ignored because it is already running from a previous command.