feat: enhance Makefile with improved artifact extraction and cleanup processes

Author: adilhusain-s

Makefile

@@ -1,106 +1,135 @@
-PYTHON_VERSION ?= 3.13.3
+# ==============================================================================
+# Project: Python Build System (Containerized)
+# Description: Builds Python artifacts via a multi-stage container process.
+# ==============================================================================
+
+# --- Configuration & Defaults -------------------------------------------------
+
+# Shell safety flags: fail on error, fail on pipe error, fail on unset variables
+SHELL := /bin/bash
+.SHELLFLAGS := -eu -o pipefail -c
+
+# Verbosity control: use 'make V=1' to see full commands
+ifeq ($(origin V), undefined)
+  Q := @
+else
+  Q :=
+endif
+
+# Versioning
+PYTHON_VERSION          ?= 3.13.3
 ACTIONS_PYTHON_VERSIONS ?= 3.13.3-14344076652
-POWERSHELL_VERSION ?= v7.5.2
+POWERSHELL_VERSION      ?= v7.5.2
 POWERSHELL_NATIVE_VERSION ?= v7.4.0
-ARCH ?= $(shell uname -m)
-UBUNTU_VERSION ?= 24.04
-BASE_IMAGE ?= powershell:ubuntu-$(UBUNTU_VERSION)
+UBUNTU_VERSION          ?= 24.04
+
+# System Architecture (Computed Once)
+ARCH := $(shell uname -m)
+
+# Container Engine Detection
 CONTAINER_ENGINE := $(shell command -v podman 2>/dev/null || command -v docker)
 
 # Fail fast if no container runtime is available
 ifeq ($(strip $(CONTAINER_ENGINE)),)
-$(error No container runtime found (install `docker` or `podman` and ensure it's on PATH))
+  $(error No container runtime found. Please install `docker` or `podman`)
 endif
 
-# Deterministic temporary container name used to `create` a stopped
-# container so artifacts can be `cp`'d out. We build this name at Make
-# expansion time to avoid shell-variable quoting/escaping issues inside
-# multiline recipe lines.
-TEMP_CONTAINER_NAME := python-build-$(PYTHON_VERSION)-$(ARCH)-tmp
+# --- Internal Variables -------------------------------------------------------
 
-# Output and artifact naming
+BASE_IMAGE := powershell:ubuntu-$(UBUNTU_VERSION)
+
+# Naming conventions
 OUTPUT_DIR := python-versions/output
 IMAGE_NAME := python:$(PYTHON_VERSION)-ubuntu-$(UBUNTU_VERSION)-$(ARCH)
 ARTIFACT_NAME := python-$(PYTHON_VERSION)-linux-$(ARCH).tar.gz
-CONTAINER_NAME_PREFIX := python-build
 
-.PHONY: all powershell clean help
+# Deterministic temporary container name for artifact extraction
+TEMP_CONTAINER_NAME := python-build-$(PYTHON_VERSION)-$(ARCH)-tmp
 
-ifeq ($(findstring podman,$(CONTAINER_ENGINE)),podman)
-	ifeq ($(shell uname),Linux)
-		VOLUME_FLAG := -v $(abspath ./python-versions/output):/tmp/artifact:z
-	else
-		VOLUME_FLAG := -v ./python-versions/output:/tmp/artifact:z
-	endif
-else
-	VOLUME_FLAG := -v ./python-versions/output:/tmp/artifact
-endif
+# Prerequisite Files for PowerShell Build
+PS_DIR := PowerShell
+PS_PREREQS := \
+    $(PS_DIR)/Dockerfile \
+    $(PS_DIR)/patch/powershell-native-$(POWERSHELL_NATIVE_VERSION).patch \
+    $(PS_DIR)/patch/powershell-$(ARCH)-$(POWERSHELL_VERSION).patch \
+    $(PS_DIR)/patch/powershell-gen-$(POWERSHELL_VERSION).tar.gz
 
-all: python-versions/output/python-$(PYTHON_VERSION)-linux-$(ARCH).tar.gz
+# --- Targets ------------------------------------------------------------------
+
+.PHONY: all powershell clean help
 
-.PHONY: powershell
+all: $(OUTPUT_DIR)/$(ARTIFACT_NAME)
 
-python-versions/output/python-$(PYTHON_VERSION)-linux-$(ARCH).tar.gz: powershell
-	cd python-versions; \
-	mkdir -p $(abspath ../$(OUTPUT_DIR)); \
-	$(CONTAINER_ENGINE) build \
+# 1. Build the Python Artifact
+#    Depends on the PowerShell base image being ready.
+$(OUTPUT_DIR)/$(ARTIFACT_NAME): powershell | $(OUTPUT_DIR)
+	@echo "--- Building Python $(PYTHON_VERSION) Image ---"
+	$(Q)cd python-versions && $(CONTAINER_ENGINE) build \
 		--network=host \
 		--build-arg PYTHON_VERSION=$(PYTHON_VERSION) \
 		--build-arg ACTIONS_PYTHON_VERSIONS=$(ACTIONS_PYTHON_VERSIONS) \
 		--build-arg UBUNTU_VERSION=$(UBUNTU_VERSION) \
 		--build-arg TARGETARCH=$(ARCH) \
 		--build-arg BASE_IMAGE=$(BASE_IMAGE) \
-		-t $(IMAGE_NAME) . || exit 1; \
-	#
-# Use a deterministic temporary container name so we can reliably copy
-# artifacts out of the image even if the runtime prints nothing (some
-# container engines/modes may not return an id to backticks reliably).
-# note: TEMP_CONTAINER_NAME is defined above at Makefile parse time.
-# Ensure no stale container exists with the same name
-	$(CONTAINER_ENGINE) rm -f $(TEMP_CONTAINER_NAME) 2>/dev/null || true; \
-	$(CONTAINER_ENGINE) create --name $(TEMP_CONTAINER_NAME) $(IMAGE_NAME) >/dev/null || (echo "ERROR: failed to create container $(TEMP_CONTAINER_NAME)" && exit 1); \
-	$(CONTAINER_ENGINE) cp $(TEMP_CONTAINER_NAME):/tmp/artifact/$(ARTIFACT_NAME) $(abspath ../$(OUTPUT_DIR))/$(ARTIFACT_NAME) || (echo "ERROR: failed to copy artifact from $(TEMP_CONTAINER_NAME)" && $(CONTAINER_ENGINE) rm -f $(TEMP_CONTAINER_NAME) >/dev/null 2>&1 || true; exit 1); \
-	$(CONTAINER_ENGINE) cp $(TEMP_CONTAINER_NAME):/tmp/artifact/python-$(PYTHON_VERSION)-$(ARCH).sbom.json $(abspath ../$(OUTPUT_DIR))/python-$(PYTHON_VERSION)-linux-$(UBUNTU_VERSION)-$(ARCH).sbom.json || true; \
-	$(CONTAINER_ENGINE) cp $(TEMP_CONTAINER_NAME):/tmp/artifact/trivy-$(PYTHON_VERSION)-$(ARCH)-vuln.json $(abspath ../$(OUTPUT_DIR))/trivy-python-$(PYTHON_VERSION)-linux-$(UBUNTU_VERSION)-$(ARCH)-vuln.json || true; \
-	$(CONTAINER_ENGINE) cp $(TEMP_CONTAINER_NAME):/tmp/artifact/trivy-$(PYTHON_VERSION)-$(ARCH)-secret.json $(abspath ../$(OUTPUT_DIR))/trivy-python-$(PYTHON_VERSION)-linux-$(UBUNTU_VERSION)-$(ARCH)-secret.json || true; \
-	$(CONTAINER_ENGINE) rm -f $(TEMP_CONTAINER_NAME) >/dev/null 2>&1 || true
-
-powershell: PowerShell/Dockerfile \
-	PowerShell/patch/powershell-native-$(POWERSHELL_NATIVE_VERSION).patch \
-	PowerShell/patch/powershell-$(ARCH)-$(POWERSHELL_VERSION).patch \
-	PowerShell/patch/powershell-gen-$(POWERSHELL_VERSION).tar.gz
-	cd PowerShell; \
-	$(CONTAINER_ENGINE) build \
+		-t $(IMAGE_NAME) .
+	
+	@echo "--- Extracting Artifacts ---"
+	@# Ensure no stale container exists
+	$(Q)$(CONTAINER_ENGINE) rm -f $(TEMP_CONTAINER_NAME) 2>/dev/null || true
+	
+	@# Create stopped container for copying
+	$(Q)$(CONTAINER_ENGINE) create --name $(TEMP_CONTAINER_NAME) $(IMAGE_NAME) >/dev/null
+	
+	@# Copy artifacts using strict paths
+	$(Q)$(CONTAINER_ENGINE) cp $(TEMP_CONTAINER_NAME):/tmp/artifact/$(ARTIFACT_NAME) $(abspath $(OUTPUT_DIR))/$(ARTIFACT_NAME)
+	$(Q)$(CONTAINER_ENGINE) cp $(TEMP_CONTAINER_NAME):/tmp/artifact/python-$(PYTHON_VERSION)-$(ARCH).sbom.json \
+		$(abspath $(OUTPUT_DIR))/python-$(PYTHON_VERSION)-linux-$(UBUNTU_VERSION)-$(ARCH).sbom.json || echo "Warning: SBOM missing"
+	$(Q)$(CONTAINER_ENGINE) cp $(TEMP_CONTAINER_NAME):/tmp/artifact/trivy-$(PYTHON_VERSION)-$(ARCH)-vuln.json \
+		$(abspath $(OUTPUT_DIR))/trivy-python-$(PYTHON_VERSION)-linux-$(UBUNTU_VERSION)-$(ARCH)-vuln.json || echo "Warning: Trivy Vuln report missing"
+	$(Q)$(CONTAINER_ENGINE) cp $(TEMP_CONTAINER_NAME):/tmp/artifact/trivy-$(PYTHON_VERSION)-$(ARCH)-secret.json \
+		$(abspath $(OUTPUT_DIR))/trivy-python-$(PYTHON_VERSION)-linux-$(UBUNTU_VERSION)-$(ARCH)-secret.json || echo "Warning: Trivy Secret report missing"
+	
+	@# Cleanup
+	$(Q)$(CONTAINER_ENGINE) rm -f $(TEMP_CONTAINER_NAME) >/dev/null
+	@echo "Build complete: $(OUTPUT_DIR)/$(ARTIFACT_NAME)"
+
+# 2. Build the Base PowerShell Image
+powershell: $(PS_PREREQS)
+	@echo "--- Building PowerShell Base Image ---"
+	$(Q)cd $(PS_DIR) && $(CONTAINER_ENGINE) build \
 		--network=host \
 		--build-arg POWERSHELL_VERSION=$(POWERSHELL_VERSION) \
 		--build-arg POWERSHELL_NATIVE_VERSION=$(POWERSHELL_NATIVE_VERSION) \
 		--build-arg UBUNTU_VERSION=$(UBUNTU_VERSION) \
 		--build-arg TARGETARCH=$(ARCH) \
 		--tag powershell:ubuntu-$(UBUNTU_VERSION) .
 
-# Pattern rule to help diagnose missing patch files
-PowerShell/patch/%.tar.gz:
-	@if [ ! -f "$@" ]; then \
-		echo "Error: Required patch file $@ is missing."; \
-		exit 1; \
-	fi
+# Order-only prerequisite: Create output directory if it doesn't exist
+$(OUTPUT_DIR):
+	$(Q)mkdir -p $@
 
-# Show a short help message describing common targets
-help:
-	echo "Usage: make [target]"
-	echo "Common targets:"
-	echo "  all (default) - build the Python artifact and export to $(OUTPUT_DIR)"
-	echo "  powershell    - build the PowerShell base image used as builder base"
-	echo "  clean         - remove generated artifacts and temporary container"
-	echo "  help          - show this message"
-
-# Remove artifacts and any temporary container created by this Makefile.
-# This is conservative: it removes files under $(OUTPUT_DIR) and attempts
-# to remove the temporary container name used by the recipe. It does NOT
-# remove images by default to avoid surprising the user.
+# Diagnostic pattern rule for missing patches
+$(PS_DIR)/patch/%.tar.gz:
+	$(error Required patch file $@ is missing)
+
+# Cleanup
 clean:
-	echo "Removing artifacts in $(OUTPUT_DIR)..."
-	rm -rf $(OUTPUT_DIR) || true
-	echo "Attempting to remove temporary container $(TEMP_CONTAINER_NAME) if present..."
-	$(CONTAINER_ENGINE) rm -f $(TEMP_CONTAINER_NAME) >/dev/null 2>&1 || true
-	echo "Clean complete."
+	@echo "Cleaning up artifacts and temporary containers..."
+	$(Q)rm -rf $(OUTPUT_DIR)
+	$(Q)$(CONTAINER_ENGINE) rm -f $(TEMP_CONTAINER_NAME) 2>/dev/null || true
+	@echo "Clean complete."
+
+# Help
+help:
+	@echo "Usage: make [target] [V=1]"
+	@echo ""
+	@echo "Targets:"
+	@echo "  all (default)  Build Python artifact and export to $(OUTPUT_DIR)"
+	@echo "  powershell     Build the PowerShell base image (builder dependency)"
+	@echo "  clean          Remove artifacts and temporary containers"
+	@echo "  help           Show this help message"
+	@echo ""
+	@echo "Variables:"
+	@echo "  PYTHON_VERSION = $(PYTHON_VERSION)"
+	@echo "  ARCH           = $(ARCH)"
+	@echo "  ENGINE         = $(CONTAINER_ENGINE)"