
Commit 3bfc00a

committed
fix(Makefile): enhance comments for clarity and update caching strategy in build process
Signed-off-by: Adilhusain Shaikh <[email protected]>
1 parent 9dc81a8 commit 3bfc00a

1 file changed

+24
-17
lines changed

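--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,6 @@
 # ==============================================================================
 # Project: Python Build System (Containerized & Secured)
+# Description: Multi-stage build system with caching and security gates.
 # ==============================================================================
 
 # --- Configuration & Defaults -------------------------------------------------
@@ -13,24 +14,24 @@ else
 Q :=
 endif
 
-# Versioning
+# --- Versioning ---------------------------------------------------------------
 PYTHON_VERSION ?= 3.13.3
 ACTIONS_PYTHON_VERSIONS ?= 3.13.3-14344076652
 POWERSHELL_VERSION ?= v7.5.2
 POWERSHELL_NATIVE_VERSION ?= v7.4.0
 UBUNTU_VERSION ?= 24.04
 
-# [UPDATED] Security Scanning & Gates
-# Latest Trivy version as of Dec 2025
+# --- Security Scanning --------------------------------------------------------
+# Latest Trivy version (Dec 2025)
 TRIVY_VERSION ?= v0.68.2
 
-# [UPDATED] Gates Enabled (1 = Fail Build)
+# Gates: 0 = Log Only, 1 = Fail Build
 FAIL_ON_CRITICAL ?= 1
 FAIL_ON_HIGH ?= 1
 FAIL_ON_MEDIUM ?= 0
 FAIL_ON_SECRET ?= 1
 
-# Architecture
+# --- System Architecture ------------------------------------------------------
 ARCH_RAW := $(shell uname -m)
 ifeq ($(ARCH_RAW),x86_64)
 ARCH := amd64
@@ -40,22 +41,24 @@ else
 ARCH := $(ARCH_RAW)
 endif
 
-# Container Engine
+# --- Container Engine ---------------------------------------------------------
 CONTAINER_ENGINE := $(shell command -v podman 2>/dev/null || command -v docker)
 ifeq ($(strip $(CONTAINER_ENGINE)),)
 $(error No container runtime found. Please install `docker` or `podman`)
 endif
 
 # --- Internal Variables -------------------------------------------------------
 
+# The base image tag used internally between stages
 BASE_IMAGE := powershell:ubuntu-$(UBUNTU_VERSION)
 
 OUTPUT_DIR := python-versions/output
 IMAGE_NAME := python:$(PYTHON_VERSION)-ubuntu-$(UBUNTU_VERSION)-$(ARCH)
 TEMP_CONTAINER_NAME := python-build-$(PYTHON_VERSION)-$(ARCH)-tmp
 
+# Artifact filenames
 INTERNAL_ARTIFACT_NAME := python-$(PYTHON_VERSION)-linux-$(ARCH).tar.gz
-HOST_ARTIFACT_NAME := python-$(PYTHON_VERSION)-linux-$(UBUNTU_VERSION)-$(ARCH).tar.gz
+HOST_ARTIFACT_NAME := python-$(PYTHON_VERSION)-linux-$(UBUNTU_VERSION)-$(ARCH).tar.gz
 
 PS_DIR := PowerShell
 PS_PREREQS := \
@@ -66,20 +69,17 @@ PS_PREREQS := \
 
 # --- Build Strategy Logic -----------------------------------------------------
 
-# Default: Standard local build
+# Default: Standard local build (Works for local dev)
 BUILD_CMD := $(CONTAINER_ENGINE) build
 BUILD_OPTS :=
 
-# GHA Override: Use Buildx with Caching and explicit Loading
+# GHA Override: Use Buildx with Caching
+# Critical Fix: We use '--load' to ensure the built image is exported
+# from the isolated BuildKit container to the local Docker daemon.
 ifeq ($(USE_GHA_CACHE),1)
 BUILDX_BUILDER ?= gha-builder
-CACHE_SCOPE ?= default
-
 BUILD_CMD := $(CONTAINER_ENGINE) buildx build
-BUILD_OPTS := --builder $(BUILDX_BUILDER) \
---load \
---cache-from type=gha,scope=$(CACHE_SCOPE) \
---cache-to type=gha,mode=max,scope=$(CACHE_SCOPE)
+BUILD_OPTS := --builder $(BUILDX_BUILDER) --load
 endif
 
 # --- Targets ------------------------------------------------------------------
@@ -88,11 +88,15 @@ endif
 
 all: $(OUTPUT_DIR)/$(HOST_ARTIFACT_NAME) verify-gate
 
-# 1. Build the Python Artifact
+# 1. Build the Python Artifact (Stage 2)
+# Depends on 'powershell' target being run first to create the BASE_IMAGE
 $(OUTPUT_DIR)/$(HOST_ARTIFACT_NAME): powershell | $(OUTPUT_DIR)
 @echo "--- Building Python $(PYTHON_VERSION) Image ($(ARCH)) ---"
 @echo " Security Gate: CRIT=$(FAIL_ON_CRITICAL) HIGH=$(FAIL_ON_HIGH) SECRET=$(FAIL_ON_SECRET)"
+
 $(Q)cd python-versions && $(BUILD_CMD) $(BUILD_OPTS) \
+--cache-from type=gha,scope=python-$(ARCH)-$(UBUNTU_VERSION) \
+--cache-to type=gha,mode=max,scope=python-$(ARCH)-$(UBUNTU_VERSION) \
 --network=host \
 --build-arg PYTHON_VERSION=$(PYTHON_VERSION) \
 --build-arg ACTIONS_PYTHON_VERSIONS=$(ACTIONS_PYTHON_VERSIONS) \
@@ -138,10 +142,13 @@ verify-gate:
 echo ""; \
 fi
 
-# 3. Build Base PowerShell Image
+# 3. Build Base PowerShell Image (Stage 1)
+# Uses separate cache scope to prevent overwriting the Python cache
 powershell: $(PS_PREREQS)
 @echo "--- Building PowerShell Base Image ---"
 $(Q)cd $(PS_DIR) && $(BUILD_CMD) $(BUILD_OPTS) \
+--cache-from type=gha,scope=powershell-$(ARCH)-$(UBUNTU_VERSION) \
+--cache-to type=gha,mode=max,scope=powershell-$(ARCH)-$(UBUNTU_VERSION) \
 --network=host \
 --build-arg POWERSHELL_VERSION=$(POWERSHELL_VERSION) \
 --build-arg POWERSHELL_NATIVE_VERSION=$(POWERSHELL_NATIVE_VERSION) \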
