Merge branch 'main' into improve-dockerfile-parsing

.github/workflows/checkton.yaml

@@ -21,6 +21,7 @@ jobs:
           # Set to false when re-enabling SARIF uploads
           fail-on-findings: true
           find-copies-harder: true
+          exclude-regex: ^ta-generator
 
       # Currently, code scanning alerts annoyingly stay open even if you fix them.
       # Don't upload SARIF until https://github.com/orgs/community/discussions/132787 is resolved.

.github/workflows/go-ci.yaml

@@ -6,27 +6,39 @@ jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        path:
+          - task-generator
+          - ta-generator
     steps:
       - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
         with:
-          go-version-file: './task-generator/go.mod'
+          go-version-file: './${{matrix.path}}/go.mod'
+          cache-dependency-path: ./${{matrix.path}}/go.sum
       - name: golangci-lint
         uses: golangci/golangci-lint-action@e13590484647602042886c51e2a8e43a670a22b7
         with:
-          working-directory: task-generator
+          working-directory: ${{matrix.path}}
           args: "--timeout=10m --build-tags='normal periodic'"
   go:
     name: Check sources
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        path:
+          - task-generator
+          - ta-generator
     steps:
       - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08
       - name: Install Go
         uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
         with:
-          go-version-file: './task-generator/go.mod'
+          go-version-file: './${{matrix.path}}/go.mod'
+          cache-dependency-path: ./${{matrix.path}}/go.sum
       - name: Check go mod status
-        working-directory: task-generator
+        working-directory: ${{matrix.path}}
         run: |
           go mod tidy
           if [[ ! -z $(git status -s) ]]
@@ -36,7 +48,7 @@ jobs:
             exit 1
           fi
       - name: Check format
-        working-directory: task-generator
+        working-directory: ${{matrix.path}}
         run: |
           go fmt ./...
 
@@ -46,21 +58,31 @@ jobs:
             git --no-pager diff
             exit 1
           fi
+      - name: Tests
+        working-directory: ${{matrix.path}}
+        run: |
+          go test ./...
 
   security_scan:
     name: Security scan
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        path:
+          - task-generator
+          - ta-generator
     steps:
       - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08
       - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
         with:
-          go-version-file: './task-generator/go.mod'
+          go-version-file: './${{matrix.path}}/go.mod'
+          cache-dependency-path: ./${{matrix.path}}/go.sum
       # https://github.com/securego/gosec/blob/12be14859bc7d4b956b71bef0b443694aa519d8a/README.md#integrating-with-code-scanning
       - name: Run Gosec Security Scanner
         uses: securego/gosec@master
         with:
           # we let the report trigger content trigger a failure using the GitHub Security features.
-          args: '-tags normal,periodic -no-fail -fmt sarif -out results.sarif ./...'
+          args: '-tags normal,periodic -no-fail -fmt sarif -out results.sarif ${{matrix.path}}/...'
       - name: Upload SARIF file
         uses: github/codeql-action/upload-sarif@9c646c24a4c8410122b0d6a1311088e9377eea95
         with:

.tekton/tasks/e2e-test.yaml

@@ -26,7 +26,7 @@ spec:
       type: string
   steps:
     - name: e2e-test
-      image: quay.io/redhat-user-workloads/konflux-qe-team-tenant/konflux-e2e/konflux-e2e-tests:efcb425bd32dcf61b82b1214c45e58f68f6f445d
+      image: quay.io/redhat-user-workloads/konflux-qe-team-tenant/konflux-e2e/konflux-e2e-tests:e51393f156f418cdb2e5997b1ced6193e369c717
       command: ["/konflux-e2e/konflux-e2e.test"]
       # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened
       # against build-definitions to update this tag

.tekton/tasks/ec-checks.yaml

@@ -23,7 +23,7 @@ spec:
       $(all_tasks_dir all_tasks-ec)
   - name: validate-all-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:42280235d719778d03fc4fdda27e7eb24ba47b0f1eb3d3ff647261872b9ab7c8
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:43e0bd0727ac27ec34cee59999c8cc22b42086efdd004f379fb160c84bb1cdf7
     script: |
       set -euo pipefail
 
@@ -37,7 +37,7 @@ spec:
       ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]}
   - name: validate-build-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:42280235d719778d03fc4fdda27e7eb24ba47b0f1eb3d3ff647261872b9ab7c8
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:43e0bd0727ac27ec34cee59999c8cc22b42086efdd004f379fb160c84bb1cdf7
     script: |
       set -euo pipefail
 

hack/generate-ta-tasks.sh

@@ -1,29 +1,26 @@
 #!/usr/bin/env bash
 
 set -o errexit
+set -o errtrace
 set -o nounset
 set -o pipefail
 set -o posix
 
 shopt -s globstar nullglob
 
+command -v go &> /dev/null || { echo Please install golang to run this tool; exit 1; }
+[[ "$(go env GOVERSION)" == @(go1|go1.[1-9]+(|.*|rc*|beta*)|go1.1[0-9]+(|.*|rc*|beta*)|go1.20*) ]] && { echo Please install golang 1.21.0 or newer; exit 1; }
+
 HACK_DIR="$(realpath "$(dirname "${BASH_SOURCE[0]}")")"
 ROOT_DIR="$(git rev-parse --show-toplevel)"
 TASK_DIR="$(realpath "${ROOT_DIR}/task")"
 
-if ! command -v tash &> /dev/null; then
-  echo INFO: tash command is not available will download and use the latest version
-  tash_dir="$(mktemp -d)"
-  trap 'rm -rf ${tash_dir}' EXIT
-  tash_url=https://github.com/enterprise-contract/hacks/releases/download/latest/tash
-  echo INFO: downloading from ${tash_url} to "${tash_dir}"
-  curl --no-progress-meter --location --output "${tash_dir}/tash" "${tash_url}"
-  echo INFO: SHA256: "$(sha256sum "${tash_dir}/tash")"
-  chmod +x "${tash_dir}/tash"
-  tash() {
-    "${tash_dir}/tash" "$@"
-  }
-fi
+tashbin="$(mktemp --dry-run)"
+GOTOOLCHAIN=auto GOSUMDB=sum.golang.org go build -C "${ROOT_DIR}/ta-generator/" -o "${tashbin}"
+trap 'rm "${tashbin}"' EXIT
+tash() {
+  "${tashbin}" "$@"
+}
 
 declare -i changes=0
 emit() {
@@ -44,7 +41,8 @@ fi
 cd "${TASK_DIR}"
 for recipe_path in **/recipe.yaml; do
     task_path="${recipe_path%/recipe.yaml}/$(basename "${recipe_path%/*/*}").yaml"
-    cat <<< "$(tash "${recipe_path}")" > "${task_path}"
+    sponge=$(tash "${TASK_DIR}/${recipe_path}")
+    echo "${sponge}" > "${task_path}"
     readme_path="${recipe_path%/recipe.yaml}/README.md"
     "${HACK_DIR}/generate-readme.sh" "${task_path}" > "${readme_path}"
     if ! git diff --quiet HEAD "${task_path}"; then

pipelines/docker-build-oci-ta/README.md

@@ -21,6 +21,8 @@
 |name|description|default value|already set by|
 |---|---|---|---|
 |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| |
+|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### buildah-oci-ta:0.2 task parameters
 |name|description|default value|already set by|
@@ -61,6 +63,8 @@
 ### clamav-scan:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |docker-auth| unused| | |
 |image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
 |image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'|
@@ -77,6 +81,8 @@
 ### ecosystem-cert-preflight-checks:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### git-clone-oci-ta:0.1 task parameters
 |name|description|default value|already set by|

pipelines/docker-build/README.md

@@ -21,6 +21,8 @@
 |name|description|default value|already set by|
 |---|---|---|---|
 |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| |
+|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### buildah:0.2 task parameters
 |name|description|default value|already set by|
@@ -59,6 +61,8 @@
 ### clamav-scan:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |docker-auth| unused| | |
 |image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
 |image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'|
@@ -75,6 +79,8 @@
 ### ecosystem-cert-preflight-checks:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### git-clone:0.1 task parameters
 |name|description|default value|already set by|

pipelines/enterprise-contract.yaml

@@ -91,7 +91,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:49cca2035fdbac06931f8d15fa588013576de84a4c4cb760e0d5df8a4dc5c59e
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:972e4f3c695865eadc79dbb65e955f75385184e0c92a312d3769716e8db0849b
           - name: name
             value: verify-enterprise-contract
           - name: kind

pipelines/fbc-builder/README.md

@@ -19,6 +19,8 @@
 |name|description|default value|already set by|
 |---|---|---|---|
 |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| |
+|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### buildah:0.1 task parameters
 |name|description|default value|already set by|

pipelines/java-builder/README.md

@@ -19,6 +19,8 @@
 |name|description|default value|already set by|
 |---|---|---|---|
 |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| |
+|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### clair-scan:0.1 task parameters
 |name|description|default value|already set by|
@@ -31,6 +33,8 @@
 ### clamav-scan:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |docker-auth| unused| | |
 |image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
 |image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'|
@@ -47,6 +51,8 @@
 ### ecosystem-cert-preflight-checks:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### git-clone:0.1 task parameters
 |name|description|default value|already set by|

pipelines/nodejs-builder/README.md

@@ -19,6 +19,8 @@
 |name|description|default value|already set by|
 |---|---|---|---|
 |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| |
+|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### clair-scan:0.1 task parameters
 |name|description|default value|already set by|
@@ -31,6 +33,8 @@
 ### clamav-scan:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |docker-auth| unused| | |
 |image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
 |image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'|
@@ -47,6 +51,8 @@
 ### ecosystem-cert-preflight-checks:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### git-clone:0.1 task parameters
 |name|description|default value|already set by|

pipelines/tekton-bundle-builder/README.md

@@ -19,6 +19,8 @@
 |name|description|default value|already set by|
 |---|---|---|---|
 |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| |
+|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### clair-scan:0.1 task parameters
 |name|description|default value|already set by|
@@ -31,6 +33,8 @@
 ### ecosystem-cert-preflight-checks:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
+|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### git-clone:0.1 task parameters
 |name|description|default value|already set by|

ta-generator/README.md

@@ -0,0 +1,17 @@
+# Trusted Artifacts variants generator
+
+## Description and usage
+
+The code in here will process a set of directions in `recipe.yaml` file and
+based on that and a set of builtin conventions generate the Tekton Task
+definition in YAML format.
+
+Usage (from this directory):
+
+    go run . path/to/recipe.yaml
+
+The generated Trusted Artifacts Task is provided on the standard output.
+
+## Development
+
+To build the tool executable run `go build`, to run the tests run `go test`.

ta-generator/expect.go

@@ -0,0 +1,22 @@
+package main
+
+import (
+	"fmt"
+	"os"
+)
+
+func expect(err error) {
+	if err == nil {
+		return
+	}
+	fmt.Fprint(os.Stderr, err)
+	os.Exit(1)
+}
+
+func expectValue[T any](val T, err error) T {
+	if err != nil {
+		expect(err)
+	}
+
+	return val
+}