fix(Makefile): remove outdated comments and update Trivy version for security scanning

adilhusain-s · adilhusain-s · commit eac5841307e6 · 2025-12-23T18:30:51.000+05:30
Signed-off-by: Adilhusain Shaikh &lt;Adilhusain.Shaikh@ibm.com&gt;
diff --git a/Makefile b/Makefile
@@ -1,6 +1,5 @@
 # ==============================================================================
 # Project: Python Build System (Containerized & Secured)
-# Description: Multi-stage build system with caching and security gates.
 # ==============================================================================
 
 # --- Configuration & Defaults -------------------------------------------------
@@ -14,24 +13,21 @@ else
   Q :=
 endif
 
-# --- Versioning ---------------------------------------------------------------
+# Versioning
 PYTHON_VERSION          ?= 3.13.3
 ACTIONS_PYTHON_VERSIONS ?= 3.13.3-14344076652
 POWERSHELL_VERSION      ?= v7.5.2
 POWERSHELL_NATIVE_VERSION ?= v7.4.0
 UBUNTU_VERSION          ?= 24.04
 
-# --- Security Scanning --------------------------------------------------------
-# Latest Trivy version (Dec 2025)
-TRIVY_VERSION           ?= v0.68.2
-
-# Gates: 0 = Log Only, 1 = Fail Build
+# Security Scanning & Gates
+TRIVY_VERSION           ?= v0.58.1
 FAIL_ON_CRITICAL        ?= 1
 FAIL_ON_HIGH            ?= 1
 FAIL_ON_MEDIUM          ?= 0
 FAIL_ON_SECRET          ?= 1
 
-# --- System Architecture ------------------------------------------------------
+# Architecture
 ARCH_RAW := $(shell uname -m)
 ifeq ($(ARCH_RAW),x86_64)
   ARCH := amd64
@@ -41,22 +37,20 @@ else
   ARCH := $(ARCH_RAW)
 endif
 
-# --- Container Engine ---------------------------------------------------------
+# Container Engine
 CONTAINER_ENGINE := $(shell command -v podman 2>/dev/null || command -v docker)
 ifeq ($(strip $(CONTAINER_ENGINE)),)
   $(error No container runtime found. Please install `docker` or `podman`)
 endif
 
 # --- Internal Variables -------------------------------------------------------
 
-# The base image tag used internally between stages
 BASE_IMAGE := powershell:ubuntu-$(UBUNTU_VERSION)
 
 OUTPUT_DIR := python-versions/output
 IMAGE_NAME := python:$(PYTHON_VERSION)-ubuntu-$(UBUNTU_VERSION)-$(ARCH)
 TEMP_CONTAINER_NAME := python-build-$(PYTHON_VERSION)-$(ARCH)-tmp
 
-# Artifact filenames
 INTERNAL_ARTIFACT_NAME := python-$(PYTHON_VERSION)-linux-$(ARCH).tar.gz
 HOST_ARTIFACT_NAME     := python-$(PYTHON_VERSION)-linux-$(UBUNTU_VERSION)-$(ARCH).tar.gz
 
@@ -69,13 +63,13 @@ PS_PREREQS := \
 
 # --- Build Strategy Logic -----------------------------------------------------
 
-# Default: Standard local build (Works for local dev)
+# Default: Standard local build
 BUILD_CMD  := $(CONTAINER_ENGINE) build
 BUILD_OPTS := 
 
 # GHA Override: Use Buildx with Caching
-# Critical Fix: We use '--load' to ensure the built image is exported 
-# from the isolated BuildKit container to the local Docker daemon.
+# [CRITICAL FIX] We utilize specific scopes per target in the recipes below
+# and rely on '--load' to export the image to the local daemon.
 ifeq ($(USE_GHA_CACHE),1)
   BUILDX_BUILDER ?= gha-builder
   BUILD_CMD := $(CONTAINER_ENGINE) buildx build
@@ -89,7 +83,6 @@ endif
 all: $(OUTPUT_DIR)/$(HOST_ARTIFACT_NAME) verify-gate
 
 # 1. Build the Python Artifact (Stage 2)
-# Depends on 'powershell' target being run first to create the BASE_IMAGE
 $(OUTPUT_DIR)/$(HOST_ARTIFACT_NAME): powershell | $(OUTPUT_DIR)
 	@echo "--- Building Python $(PYTHON_VERSION) Image ($(ARCH)) ---"
 	@echo "    Security Gate: CRIT=$(FAIL_ON_CRITICAL) HIGH=$(FAIL_ON_HIGH) SECRET=$(FAIL_ON_SECRET)"
@@ -143,7 +136,7 @@ verify-gate:
 	fi
 
 # 3. Build Base PowerShell Image (Stage 1)
-# Uses separate cache scope to prevent overwriting the Python cache
+# [CRITICAL] This forces the build to load into local Docker so Stage 2 can see it
 powershell: $(PS_PREREQS)
 	@echo "--- Building PowerShell Base Image ---"
 	$(Q)cd $(PS_DIR) && $(BUILD_CMD) $(BUILD_OPTS) \
