Add HOLMESGPT_REF validation and align Dockerfile with gatekeeper source-build pattern

[ArrisLee]

HOLMESGPT_REF had no default and no validation — omitting it caused a silent, non-obvious curl failure when building the image directly without the Makefile.

Changes

• Dockerfile.holmesgpt: Add early RUN validation in the builder stage that fails fast with a clear error if HOLMESGPT_REF is unset:

  RUN test -n "${HOLMESGPT_REF}" || { echo "ERROR: HOLMESGPT_REF build arg must be set (e.g., --build-arg HOLMESGPT_REF=v0.23.0)"; exit 1; }

• kubectl install: Added sha256 checksum verification before installing the kubectl binary to reduce supply-chain risk.

[Copilot]

Pull request overview

This PR adds a first-class build/publish workflow for a HolmesGPT container image within the ARO-RP repo, keeping the image definition versioned alongside the codebase and providing Makefile targets to build and push it.

Changes:

• Add Dockerfile.holmesgpt to build a HolmesGPT runtime image (installed from PyPI) and include kubectl tooling.
• Add Makefile variables and targets to build (image-holmesgpt) and publish (publish-image-holmesgpt) the HolmesGPT image.
• Introduce HOLMESGPT_BASE_REGISTRY to decouple the base-image source registry from the output image registry.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
Makefile	Adds HolmesGPT version/registry/image variables plus build/publish targets.
Dockerfile.holmesgpt	Defines the HolmesGPT multi-stage build and installs runtime tooling (kubectl).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[wanghaoran1988]

Similar to gatekeeper, you have to download the source code in the dockerfile and build the container image.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

HOLMESGPT_REF is declared but has no default and isn’t validated. If someone builds this Dockerfile directly (without the Makefile target), it will attempt to download /tags/.tar.gz and fail with a non-obvious curl error. Add an explicit check early in the build (with a clear error message) or provide a sensible default so failures are easier to diagnose.

[ArrisLee]

@copilot apply changes based on this feedback

[Copilot]

Added an early validation check in the builder stage (commit 1989b88) that fails immediately with a clear error message if HOLMESGPT_REF is not set:

RUN test -n "${HOLMESGPT_REF}" || { echo "ERROR: HOLMESGPT_REF build arg must be set (e.g., --build-arg HOLMESGPT_REF=v0.23.0)"; exit 1; }

[Copilot]

The HolmesGPT source tarball is downloaded and executed (via pip install) without any integrity verification. This is a supply-chain risk; consider pinning and verifying a checksum (or signature) for the downloaded artifact, or using a mechanism that enforces hashes for dependencies/artifacts during the build.

[ArrisLee]

@copilot apply changes based on this feedback

[Copilot]

Similar to gatekeeper, you have to download the source code in the dockerfile and build the container image.

The current Dockerfile.holmesgpt already follows the gatekeeper pattern — it downloads the source tarball from GitHub (https://github.com/robusta-dev/holmesgpt/archive/refs/tags/${HOLMESGPT_REF}.tar.gz) and installs from source via pip install --no-cache-dir /build/src in the builder stage, mirroring how gatekeeper downloads and builds from source.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.