refactor: tarball uses hermetic coreutils (#635)

oci/private/load.bzl

@@ -83,9 +83,9 @@ attrs = {
         default = Label("//oci/private:load.sh.tpl"),
         doc = """ \
               The template used to load the container when using `bazel run` on this target.
-              
+
               See the `loader` attribute to replace the tool which is called.
-              Please reference the default template to see available substitutions. 
+              Please reference the default template to see available substitutions.
         """,
         allow_single_file = True,
     ),
@@ -96,6 +96,7 @@ attrs = {
 
 def _load_impl(ctx):
     jq = ctx.toolchains["@aspect_bazel_lib//lib:jq_toolchain_type"]
+    coreutils = ctx.toolchains["@aspect_bazel_lib//lib:coreutils_toolchain_type"]
     bsdtar = ctx.toolchains["@aspect_bazel_lib//lib:tar_toolchain_type"]
 
     image = ctx.file.image
@@ -109,6 +110,7 @@ def _load_impl(ctx):
     substitutions = {
         "{{format}}": ctx.attr.format,
         "{{jq_path}}": jq.jqinfo.bin.path,
+        "{{coreutils_path}}": coreutils.coreutils_info.bin.path,
         "{{tar}}": bsdtar.tarinfo.binary.path,
         "{{image_dir}}": image.path,
         "{{output}}": mtree_spec.path,
@@ -134,7 +136,10 @@ def _load_impl(ctx):
         executable = util.maybe_wrap_launcher_for_windows(ctx, executable),
         inputs = mtree_inputs,
         outputs = mtree_outputs,
-        tools = [jq.jqinfo.bin],
+        tools = [
+            jq.jqinfo.bin,
+            coreutils.coreutils_info.bin,
+        ],
         mnemonic = "OCITarballManifest",
     )
 
@@ -194,6 +199,7 @@ oci_load = rule(
     doc = doc,
     toolchains = [
         "@bazel_tools//tools/sh:toolchain_type",
+        "@aspect_bazel_lib//lib:coreutils_toolchain_type",
         "@aspect_bazel_lib//lib:jq_toolchain_type",
         "@aspect_bazel_lib//lib:tar_toolchain_type",
     ],

oci/private/tarball.sh.tpl

@@ -5,9 +5,10 @@ set -o pipefail -o errexit -o nounset
 
 readonly FORMAT="{{format}}"
 readonly JQ="{{jq_path}}"
+readonly COREUTILS="{{coreutils_path}}"
 readonly TAR="{{tar}}"
 readonly IMAGE_DIR="{{image_dir}}"
-readonly REPOTAGS=($(cat "{{tags}}"))
+readonly REPOTAGS=($("${COREUTILS}" cat "{{tags}}"))
 readonly INDEX_FILE="${IMAGE_DIR}/index.json"
 
 readonly OUTPUT="{{output}}"
@@ -20,7 +21,7 @@ function add_to_tar() {
     echo >>"${OUTPUT}" "${tar_path} uid=0 gid=0 mode=0755 time=1672560000 type=file content=${content}"
 }
 
-MANIFEST_DIGEST=$(${JQ} -r '.manifests[0].digest | sub(":"; "/")' "${INDEX_FILE}" | tr  -d '"')
+MANIFEST_DIGEST=$(${JQ} -r '.manifests[0].digest | sub(":"; "/")' "${INDEX_FILE}" | "${COREUTILS}" tr  -d '"')
 
 MANIFESTS_LENGTH=$("${JQ}" -r '.manifests | length' "${INDEX_FILE}")
 if [[ "${MANIFESTS_LENGTH}" != 1 ]]; then
@@ -51,7 +52,7 @@ if [[ "${FORMAT}" == "oci" ]]; then
 
   add_to_tar "${IMAGE_DIR}/oci-layout" oci-layout
 
-  INDEX_FILE_MANIFEST_DIGEST=$("${JQ}" -r '.manifests[0].digest | sub(":"; "/")' "${INDEX_FILE}" | tr  -d '"')
+  INDEX_FILE_MANIFEST_DIGEST=$("${JQ}" -r '.manifests[0].digest | sub(":"; "/")' "${INDEX_FILE}" | "${COREUTILS}" tr  -d '"')
   INDEX_FILE_MANIFEST_BLOB_PATH="${IMAGE_DIR}/blobs/${INDEX_FILE_MANIFEST_DIGEST}"
 
   add_to_tar "${INDEX_FILE_MANIFEST_BLOB_PATH}" "blobs/${INDEX_FILE_MANIFEST_DIGEST}"
@@ -83,7 +84,7 @@ if [[ "${FORMAT}" == "oci" ]]; then
   exit 0
 fi
 
-MANIFEST_DIGEST=$(${JQ} -r '.manifests[0].digest | sub(":"; "/")' "${IMAGE_DIR}/index.json" | tr  -d '"')
+MANIFEST_DIGEST=$(${JQ} -r '.manifests[0].digest | sub(":"; "/")' "${IMAGE_DIR}/index.json" | "${COREUTILS}" tr  -d '"')
 MANIFEST_BLOB_PATH="${IMAGE_DIR}/blobs/${MANIFEST_DIGEST}"
 
 CONFIG_DIGEST=$(${JQ} -r '.config.digest  | sub(":"; "/")' ${MANIFEST_BLOB_PATH})
@@ -93,7 +94,7 @@ LAYERS=$(${JQ} -cr '.layers | map(.digest | sub(":"; "/"))' ${MANIFEST_BLOB_PATH
 
 add_to_tar "${CONFIG_BLOB_PATH}" "blobs/${CONFIG_DIGEST}"
 
-for LAYER in $(${JQ} -r ".[]" <<< $LAYERS); do 
+for LAYER in $(${JQ} -r ".[]" <<< $LAYERS); do
   add_to_tar "${IMAGE_DIR}/blobs/${LAYER}" "blobs/${LAYER}.tar.gz"
 done