diff --git a/.github/workflows/check-buildah-remote.yaml b/.github/workflows/check-buildah-remote.yaml index d2d2f41daa..bf9409f95c 100644 --- a/.github/workflows/check-buildah-remote.yaml +++ b/.github/workflows/check-buildah-remote.yaml @@ -11,7 +11,7 @@ jobs: - name: Install Go uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5 with: - go-version-file: './task-generator/go.mod' + go-version-file: './task-generator/remote/go.mod' - name: Check buildah remote run: | ./hack/generate-buildah-remote.sh diff --git a/.github/workflows/checkton.yaml b/.github/workflows/checkton.yaml index 3a1ec1421c..55e155c8b7 100644 --- a/.github/workflows/checkton.yaml +++ b/.github/workflows/checkton.yaml @@ -21,7 +21,7 @@ jobs: # Set to false when re-enabling SARIF uploads fail-on-findings: true find-copies-harder: true - exclude-regex: ^ta-generator + exclude-regex: ^task-generator # Currently, code scanning alerts annoyingly stay open even if you fix them. # Don't upload SARIF until https://github.com/orgs/community/discussions/132787 is resolved. diff --git a/.github/workflows/go-ci.yaml b/.github/workflows/go-ci.yaml index d70919a0ed..44c3f7f999 100644 --- a/.github/workflows/go-ci.yaml +++ b/.github/workflows/go-ci.yaml @@ -9,8 +9,8 @@ jobs: strategy: matrix: path: - - task-generator - - ta-generator + - task-generator/remote + - task-generator/trusted-artifacts steps: - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc - uses: actions/setup-go@b26d40294f8ad76fcc90b915dac85892322fe62d @@ -28,8 +28,8 @@ jobs: strategy: matrix: path: - - task-generator - - ta-generator + - task-generator/remote + - task-generator/trusted-artifacts steps: - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc - name: Install Go 
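Review bot: In .github/workflows/checkton.yaml the new `exclude-regex: ^task-generator` covers more than the old `^ta-generator` did. The old pattern cannot match a path that begins with `task-generator`, so anything checkton used to scan under `task-generator/` (now `task-generator/remote`) is skipped from this commit on. If the intent is only to keep ignoring the trusted-artifacts generator, presumably because of its golden fixtures, anchor the pattern to that subtree with `exclude-regex: ^task-generator/trusted-artifacts/`. That way Tekton YAML added later under `task-generator/remote` is still linted.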
@@ -69,8 +69,8 @@ jobs: strategy: matrix: path: - - task-generator - - ta-generator + - task-generator/remote + - task-generator/trusted-artifacts steps: - uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc - uses: actions/setup-go@b26d40294f8ad76fcc90b915dac85892322fe62d diff --git a/.gitignore b/.gitignore index fae620509e..33efb492a9 100644 --- a/.gitignore +++ b/.gitignore @@ -7,3 +7,12 @@ bundle_values.env *~ *.swp .checkton.sarif +**/vendor + +# expected and got files generated in trusted-artifacts tests when mismatch occurs +task-generator/trusted-artifacts/golden/**/expected +task-generator/trusted-artifacts/golden/**/got +# Generated binaries +task-generator/trusted-artifacts/trusted-artifacts +task-generator/remote/remote + diff --git a/.tekton/tasks/e2e-test.yaml b/.tekton/tasks/e2e-test.yaml index 4af32ad14c..a4a7e6985d 100644 --- a/.tekton/tasks/e2e-test.yaml +++ b/.tekton/tasks/e2e-test.yaml @@ -30,7 +30,7 @@ spec: type: string steps: - name: e2e-test - image: quay.io/redhat-user-workloads/konflux-qe-team-tenant/konflux-e2e/konflux-e2e-tests:914fbd20aa187b7b085c487362b7b83a1c373509 + image: quay.io/redhat-user-workloads/konflux-qe-team-tenant/konflux-e2e/konflux-e2e-tests:6ec4b2c994438173f4d15c2553c3efb120836036 command: ["/konflux-e2e/konflux-e2e.test"] # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened # against build-definitions to update this tag diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml index 967c13b525..751b6aab31 100644 --- a/.tekton/tasks/ec-checks.yaml +++ b/.tekton/tasks/ec-checks.yaml 
@@ -23,7 +23,7 @@ spec: $(all_tasks_dir all_tasks-ec) - name: validate-all-tasks workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:59d73df839e6af8253496108988b1213308c3a1919aa22aeaa40fb9d7b3435f7 + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:2784e6899ce02e8a5a46a8a74846f8ab33a4a816a1c6c712c6c18f05998ccabc script: | set -euo pipefail @@ -37,7 +37,7 @@ spec: ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]} - name: validate-build-tasks workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:59d73df839e6af8253496108988b1213308c3a1919aa22aeaa40fb9d7b3435f7 + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:2784e6899ce02e8a5a46a8a74846f8ab33a4a816a1c6c712c6c18f05998ccabc script: | set -euo pipefail diff --git a/hack/generate-buildah-remote.sh b/hack/generate-buildah-remote.sh index 27ea1fdcfb..b8544e1808 100755 --- a/hack/generate-buildah-remote.sh +++ b/hack/generate-buildah-remote.sh @@ -3,8 +3,8 @@ set -euo pipefail SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" -cd "${SCRIPTDIR}/../task-generator" -go build -o /tmp/remote-generator ./remote/main.go +cd "${SCRIPTDIR}/../task-generator/remote" +go build -o /tmp/remote-generator main.go for version in 0.1 0.2; do /tmp/remote-generator --buildah-task="${SCRIPTDIR}/../task/buildah/${version}/buildah.yaml" \ diff --git a/hack/generate-ta-tasks.sh b/hack/generate-ta-tasks.sh index 4fd9d0e03e..25f2cb34ed 100755 --- a/hack/generate-ta-tasks.sh +++ b/hack/generate-ta-tasks.sh 
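Review bot: The rewritten build line in hack/generate-buildah-remote.sh still writes the generator to the fixed, world-known path `/tmp/remote-generator` and then executes it in the loop that follows. On a shared runner or workstation that path can be pre-created or replaced by another local account, so the script could end up running a binary it did not build. Building into a private directory removes that dependency on `/tmp` contents: `gendir="$(mktemp -d)"; trap 'rm -rf "${gendir}"' EXIT; go build -o "${gendir}/remote-generator" main.go`, with the loop calling `"${gendir}/remote-generator"`. The loop body continues outside the hunk.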
@@ -16,7 +16,7 @@ ROOT_DIR="$(git rev-parse --show-toplevel)" TASK_DIR="$(realpath "${ROOT_DIR}/task")" tashbin="$(mktemp --dry-run)" -GOTOOLCHAIN=auto GOSUMDB=sum.golang.org go build -C "${ROOT_DIR}/ta-generator/" -o "${tashbin}" +GOTOOLCHAIN=auto GOSUMDB=sum.golang.org go build -C "${ROOT_DIR}/task-generator/trusted-artifacts" -o "${tashbin}" trap 'rm "${tashbin}"' EXIT tash() { "${tashbin}" "$@" diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md index cfb20a629d..c54180b7da 100644 --- a/pipelines/docker-build-multi-platform-oci-ta/README.md +++ b/pipelines/docker-build-multi-platform-oci-ta/README.md @@ -118,6 +118,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |ociStorage| The OCI repository where the Trusted Artifacts are stored.| None| '$(params.output-image).git'| |refspec| Refspec to fetch before checking out revision.| | | |revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|shortCommitLength| Length of short commit SHA| 7| | |sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | |sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | |submodules| Initialize and fetch git submodules.| true| | 
@@ -189,6 +190,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---| |IMAGES| List of all referenced image manifests| | |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_REF| Image reference of the built image containing both the repository and the digest| | |IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| ### buildah-remote-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -225,6 +227,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| prefetch-dependencies:0.1:SOURCE_ARTIFACT| |commit| The precise commit SHA that was fetched by this Task.| build-images:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | +|short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | |url| The precise URL that was fetched by this Task.| | ### init:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index 3819a0570a..506cb0d6c4 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md 
@@ -115,6 +115,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |ociStorage| The OCI repository where the Trusted Artifacts are stored.| None| '$(params.output-image).git'| |refspec| Refspec to fetch before checking out revision.| | | |revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|shortCommitLength| Length of short commit SHA| 7| | |sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | |sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | |submodules| Initialize and fetch git submodules.| true| | @@ -186,6 +187,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---| |IMAGES| List of all referenced image manifests| | |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_REF| Image reference of the built image containing both the repository and the digest| | |IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| ### buildah-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) 
@@ -222,6 +224,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| prefetch-dependencies:0.1:SOURCE_ARTIFACT| |commit| The precise commit SHA that was fetched by this Task.| build-container:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | +|short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | |url| The precise URL that was fetched by this Task.| | ### init:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) diff --git a/pipelines/docker-build-rhtap/README.md b/pipelines/docker-build-rhtap/README.md index 2b84d505ca..c3dfd9ea7b 100644 --- a/pipelines/docker-build-rhtap/README.md +++ b/pipelines/docker-build-rhtap/README.md @@ -64,6 +64,7 @@ |noProxy| Opt out of proxying HTTP/HTTPS requests.| | | |refspec| Refspec to fetch before checking out revision.| | | |revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|shortCommitLength| Length of short commit SHA| 7| | |sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | |sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | |subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| | 
@@ -121,6 +122,7 @@ |---|---|---| |commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | +|short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | |url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| ### init:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) diff --git a/pipelines/docker-build-rhtap/patch.yaml b/pipelines/docker-build-rhtap/patch.yaml index 02873fbfb3..f267ca268f 100644 --- a/pipelines/docker-build-rhtap/patch.yaml +++ b/pipelines/docker-build-rhtap/patch.yaml @@ -205,8 +205,10 @@ - update-deployment when: - input: "$(params.event-type)" - operator: notin - values: ["pull_request", "Merge Request"] + operator: in + values: + - "push" # all providers other than gitlab + - "Push" # gitlab taskRef: kind: Task name: acs-deploy-check diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index 9609601829..19a50c4dd4 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md @@ -113,6 +113,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |noProxy| Opt out of proxying HTTP/HTTPS requests.| | | |refspec| Refspec to fetch before checking out revision.| | | |revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|shortCommitLength| Length of short commit SHA| 7| | |sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | |sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | |subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| | 
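Review bot: Any `event-type` other than the two listed strings now skips `acs-deploy-check` silently, because the new `when` in pipelines/docker-build-rhtap/patch.yaml is an allow-list (`operator: in` with `"push"` / `"Push"`) where the old one was a deny-list of pull-request events. For a security gate that is the fail-open direction. The inline comments already show that providers disagree on casing, so a provider that reports a differently spelled or new event name, or a run where the param is unset, would finish without the ACS deploy check. If that is intended, say so in a comment such as `# deliberately skipped for every event except push; see ISSUE_REFERENCE_PLACEHOLDER`; otherwise confirm the full set of values each provider can emit before relying on the allow-list. The task definition continues outside the hunk.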
@@ -184,6 +185,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---| |IMAGES| List of all referenced image manifests| | |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_REF| Image reference of the built image containing both the repository and the digest| | |IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| ### buildah:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -219,6 +221,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---| |commit| The precise commit SHA that was fetched by this Task.| build-container:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | +|short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | |url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| ### init:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) diff --git a/pipelines/enterprise-contract.yaml b/pipelines/enterprise-contract.yaml index f5b17a0a6a..7fb821475d 100644 --- a/pipelines/enterprise-contract.yaml +++ b/pipelines/enterprise-contract.yaml 
@@ -67,10 +67,10 @@ spec: type: string description: Reduce the Snapshot to only the component whose build caused the Snapshot to be created default: "false" - - name: PIPELINERUN_ID + - name: SINGLE_COMPONENT_CUSTOM_RESOURCE type: string description: PipelineRun ID - default: "$(context.pipelineRun.name)" + default: "pr/$(context.pipelineRun.name)" results: - name: TEST_OUTPUT value: "$(tasks.verify.results.TEST_OUTPUT)" @@ -101,11 +101,15 @@ spec: value: "$(params.CA_TRUST_CONFIGMAP_NAME)" - name: CA_TRUST_CONFIG_MAP_KEY value: "$(params.CA_TRUST_CONFIG_MAP_KEY)" + - name: SINGLE_COMPONENT + value: "$(params.SINGLE_COMPONENT)" + - name: SINGLE_COMPONENT_CUSTOM_RESOURCE + value: "$(params.SINGLE_COMPONENT_CUSTOM_RESOURCE)" taskRef: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:e8674b532948899e1121b3627672b2bcd722402b58a4fda76d7c72fcf5afff8a + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:77614bf616ebf481d6d704a0295d89f6d8fbbd74feecb7ce5394a60633bf22a3 - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/fbc-builder/README.md b/pipelines/fbc-builder/README.md index ebd03f2a71..ed1a7c1876 100644 --- a/pipelines/fbc-builder/README.md +++ b/pipelines/fbc-builder/README.md 
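Review bot: The renamed parameter `SINGLE_COMPONENT_CUSTOM_RESOURCE` in pipelines/enterprise-contract.yaml keeps the old text `description: PipelineRun ID`, which no longer matches its new default `pr/$(context.pipelineRun.name)`. A description along the lines of `description: Custom resource (kind/name, e.g. pr/PIPELINERUN_NAME) used to look up the component when SINGLE_COMPONENT is true` would fit; the exact semantics are inferred from the default, so confirm them against the task. The rename also removes `PIPELINERUN_ID` from the pipeline's interface, so callers that still pass it need a migration note, since this pipeline is the policy gate. The second hunk forwards the new param to the `verify` task, so the bundle digest bumped there has to be one whose task declares it.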
@@ -95,6 +95,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |noProxy| Opt out of proxying HTTP/HTTPS requests.| | | |refspec| Refspec to fetch before checking out revision.| | | |revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|shortCommitLength| Length of short commit SHA| 7| | |sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | |sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | |subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| | @@ -142,6 +143,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---| |IMAGES| List of all referenced image manifests| | |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; inspect-image:0.1:IMAGE_DIGEST ; fbc-validate:0.1:IMAGE_DIGEST| +|IMAGE_REF| Image reference of the built image containing both the repository and the digest| | |IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; apply-tags:0.1:IMAGE ; inspect-image:0.1:IMAGE_URL ; fbc-validate:0.1:IMAGE_URL| ### buildah:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) 
@@ -170,6 +172,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---| |commit| The precise commit SHA that was fetched by this Task.| build-container:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | +|short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | |url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| ### init:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) diff --git a/pipelines/gitops-pull-request-rhtap/README.md b/pipelines/gitops-pull-request-rhtap/README.md index f10a962360..d8a32daf71 100644 --- a/pipelines/gitops-pull-request-rhtap/README.md +++ b/pipelines/gitops-pull-request-rhtap/README.md @@ -50,6 +50,7 @@ |noProxy| Opt out of proxying HTTP/HTTPS requests.| | | |refspec| Refspec to fetch before checking out revision.| | | |revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|shortCommitLength| Length of short commit SHA| 7| | |sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | |sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | |subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| | @@ -96,6 +97,7 @@ |---|---|---| |commit| The precise commit SHA that was fetched by this Task.| | |commit-timestamp| The commit timestamp of the checkout| | +|short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | |url| The precise URL that was fetched by this Task.| | ### verify-enterprise-contract:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) 
diff --git a/pipelines/java-builder/README.md b/pipelines/java-builder/README.md index 6b2127f9e0..b20fcc34d0 100644 --- a/pipelines/java-builder/README.md +++ b/pipelines/java-builder/README.md @@ -81,6 +81,7 @@ |noProxy| Opt out of proxying HTTP/HTTPS requests.| | | |refspec| Refspec to fetch before checking out revision.| | | |revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|shortCommitLength| Length of short commit SHA| 7| | |sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | |sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | |subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| | @@ -165,6 +166,7 @@ |---|---|---| |IMAGES| List of all referenced image manifests| | |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_REF| Image reference of the built image containing both the repository and the digest| | |IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| ### clair-scan:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) 
@@ -191,6 +193,7 @@ |---|---|---| |commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | +|short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | |url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| ### init:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) diff --git a/pipelines/nodejs-builder/README.md b/pipelines/nodejs-builder/README.md index 650879acb8..0aac6f48b2 100644 --- a/pipelines/nodejs-builder/README.md +++ b/pipelines/nodejs-builder/README.md @@ -81,6 +81,7 @@ |noProxy| Opt out of proxying HTTP/HTTPS requests.| | | |refspec| Refspec to fetch before checking out revision.| | | |revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|shortCommitLength| Length of short commit SHA| 7| | |sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | |sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | |subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| | 
@@ -165,6 +166,7 @@ |---|---|---| |IMAGES| List of all referenced image manifests| | |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_REF| Image reference of the built image containing both the repository and the digest| | |IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| ### clair-scan:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -191,6 +193,7 @@ |---|---|---| |commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | +|short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | |url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| ### init:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) diff --git a/pipelines/tekton-bundle-builder/README.md b/pipelines/tekton-bundle-builder/README.md index 9638ad0a02..cd73c857ac 100644 --- a/pipelines/tekton-bundle-builder/README.md +++ b/pipelines/tekton-bundle-builder/README.md 
@@ -71,6 +71,7 @@ |noProxy| Opt out of proxying HTTP/HTTPS requests.| | | |refspec| Refspec to fetch before checking out revision.| | | |revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|shortCommitLength| Length of short commit SHA| 7| | |sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | |sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | |subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| | @@ -137,6 +138,7 @@ |---|---|---| |IMAGES| List of all referenced image manifests| | |IMAGE_DIGEST| Digest of the image just built| clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_REF| Image reference of the built image containing both the repository and the digest| | |IMAGE_URL| Image repository and tag where the built image was pushed| clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| ### clair-scan:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -158,6 +160,7 @@ |---|---|---| |commit| The precise commit SHA that was fetched by this Task.| build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | +|short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | |url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| ### init:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) diff --git a/policies/all-tasks.yaml b/policies/all-tasks.yaml index 6f489f9a12..3aad73f5ba 100644 --- a/policies/all-tasks.yaml 
+++ b/policies/all-tasks.yaml @@ -13,12 +13,14 @@ sources: - ssh-directory - netrc required_task_results: - # Certain EC rules rely on the presence of this result when validating an image. + # Certain EC rules rely on the presence of these results when validating an image. - task: clair-scan result: CLAIR_SCAN_RESULT version: "0.1" - task: clair-scan result: SCAN_OUTPUT + - task: rpms-signature-scan + result: RPMS_DATA config: include: - kind diff --git a/stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml b/stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml index 9d5fac377e..5275210992 100644 --- a/stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml +++ b/stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml @@ -4,7 +4,7 @@ metadata: name: eaas-get-ephemeral-cluster-credentials spec: description: >- - This StepAction queries the EaaS hub cluster to get the kubeconfig for an ephemeral cluster + This StepAction queries the EaaS hub cluster to get the kubeconfig, username, and password for an ephemeral cluster by name. Credentials are stored in a mounted volume that must be provided as a param. image: registry.redhat.io/openshift4/ose-cli@sha256:15da03b04318bcc842060b71e9dd6d6c2595edb4e8fdd11b0c6781eeb03ca182 params: 
@@ -26,11 +26,19 @@ spec: results: - name: kubeconfig description: Relative path to the kubeconfig in the mounted volume + - name: username + description: The username for the cluster + - name: passwordPath + description: Relative path to the password file in the mounted volume + - name: apiServerURL + description: API server URL of the cluster env: - name: CLUSTER_NAME value: "$(params.clusterName)" - name: CLUSTER_KUBECONFIG value: "/credentials/$(params.clusterName)-kubeconfig" + - name: CLUSTER_PASSWORD + value: "/credentials/$(params.clusterName)-password" - name: KUBECONFIG value: /tmp/eaas-kubeconfig - name: KUBECONFIG_VALUE @@ -56,3 +64,15 @@ spec: "${OC[@]}" get secret $SECRET -o go-template --template="{{.data.kubeconfig|base64decode}}" > $CLUSTER_KUBECONFIG echo "Wrote kubeconfig to $CLUSTER_KUBECONFIG" echo -n $(basename $CLUSTER_KUBECONFIG) > $(step.results.kubeconfig.path) + + ADMIN_PASSWORD_SECRET=$("${OC[@]}" get cti "$CLUSTER_NAME" -o=jsonpath='{.status.adminPassword.name}') + echo "Found admin password secret: $ADMIN_PASSWORD_SECRET" + USERNAME=$("${OC[@]}" get secret "$ADMIN_PASSWORD_SECRET" -o go-template --template="{{.data.username | base64decode}}") + "${OC[@]}" get secret "$ADMIN_PASSWORD_SECRET" -o go-template --template="{{.data.password | base64decode}}" > "$CLUSTER_PASSWORD" + echo "Retrieved username" + echo "Wrote password to $CLUSTER_PASSWORD" + echo -n "$USERNAME" > "$(step.results.username.path)" + echo -n "$(basename "$CLUSTER_PASSWORD")" > "$(step.results.passwordPath.path)" + API_SERVER_URL=$("${OC[@]}" get cti "$CLUSTER_NAME" -o=jsonpath='{.status.apiServerURL}') + echo "API Server URL: $API_SERVER_URL" + echo -n "$API_SERVER_URL" > "$(step.results.apiServerURL.path)" diff --git a/ta-generator/README.md b/ta-generator/README.md deleted file mode 100644 index bd39ab7c22..0000000000 --- a/ta-generator/README.md +++ /dev/null 
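Review bot: The `username` and `apiServerURL` results added here are stored in the TaskRun status, and the script also echoes the URL and the secret name to the step log. They are therefore visible to anyone who can read TaskRuns or logs in the namespace, while only the password is handed over out of band as a file path. That split looks deliberate, but the descriptions do not say so. For `passwordPath` I would write `description: Relative path, inside the mounted credentials volume, to a file holding the cluster admin password in plain text; do not copy its content into a result or log`, and note on `username` that it is the admin account paired with that password.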
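Review bot: The admin password is written to `$CLUSTER_PASSWORD` with whatever umask the step inherits, so with a typical default the file in the shared `/credentials` volume is readable by any other step or sidecar that mounts it, whatever UID it runs as. Create it restrictively, e.g. `(umask 077; "${OC[@]}" get secret "$ADMIN_PASSWORD_SECRET" -o go-template --template="{{.data.password | base64decode}}" > "$CLUSTER_PASSWORD")`; the kubeconfig written just above the added lines has the same exposure. The added lines also never check that `ADMIN_PASSWORD_SECRET` came back non-empty. Whether a failed lookup aborts the step depends on shell options set outside the hunk, so an explicit `[ -n "$ADMIN_PASSWORD_SECRET" ] || { echo "no adminPassword secret on $CLUSTER_NAME" >&2; exit 1; }` would avoid publishing empty `username` and `passwordPath` results. The script starts outside the hunk.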
@@ -1,17 +0,0 @@ -# Trusted Artifacts variants generator - -## Description and usage - -The code in here will process a set of directions in `recipe.yaml` file and -based on that and a set of builtin conventions generate the Tekton Task -definition in YAML format. - -Usage (from this directory): - - go run . path/to/recipe.yaml - -The generated Trusted Artifacts Task is provided on the standard output. - -## Development - -To build the tool executable run `go build`, to run the tests run `go test`. diff --git a/task-generator/README.md b/task-generator/README.md index dd0d440291..80df5b5f72 100644 --- a/task-generator/README.md +++ b/task-generator/README.md @@ -1,23 +1,4 @@ # Task generator -Task generator is a tool used for generating various versions of tasks. - -## Buildah remote task generation -The Buildah task builds source code into a container image and pushes the image into container registry using the Buildah tool. -While the standard Buildah task runs directly on the cluster, the remote task is run on a remote host. -This must be used in combination with the Multi Arch Controller, which provides the credentials and host name used to perform the build. - -The remote versions of the Buildah task are programmatically generated by this script from the buildah task to keep them in sync. The generated remote tasks should not be manually modified. - -### Arguments -- `buildah-task` - The location of the buildah task YAML file (required) -- `remote-task` - The location of the buildah-remote task YAML file to overwrite (required) -- `task-version` - The version of the task to overwrite, e.g. `0.2` (required) - -Example usage: -``` -go run remote/main.go \ - --buildah-task ../task/buildah/0.2/buildah.yaml \ - --remote-task ../task/buildah-remote/0.2/buildah-remote.yaml \ - --task-version 0.2 -``` +The Task generator is a collection of tools used for generating various versions of tasks. +Each tool has its own subdirectory with a README. 
diff --git a/task-generator/remote/README.md b/task-generator/remote/README.md new file mode 100644 index 0000000000..98a8a32979 --- /dev/null +++ b/task-generator/remote/README.md @@ -0,0 +1,21 @@ +# Buildah remote task generation +The Buildah task builds source code into a container image and pushes the image into container registry using the Buildah tool. +While the standard Buildah task runs directly on the cluster, the remote task is run on a remote host. +This must be used in combination with the Multi Arch Controller, which provides the credentials and host name used to perform the build. + +The remote versions of the Buildah task are programmatically generated by this script from the buildah task to keep them in sync. The generated remote tasks should not be manually modified. + +This tool is used by the `hack/generate-buildah-remote.sh` script. + +## Arguments +- `buildah-task` - The location of the buildah task YAML file (required) +- `remote-task` - The location of the buildah-remote task YAML file to overwrite (required) +- `task-version` - The version of the task to overwrite, e.g. `0.2` (required) + +Example usage: +``` +go run remote/main.go \ + --buildah-task ../task/buildah/0.2/buildah.yaml \ + --remote-task ../task/buildah-remote/0.2/buildah-remote.yaml \ + --task-version 0.2 +``` diff --git a/task-generator/go.mod b/task-generator/remote/go.mod similarity index 98% rename from task-generator/go.mod rename to task-generator/remote/go.mod index b6964f5486..421b83a1cb 100644 --- a/task-generator/go.mod +++ b/task-generator/remote/go.mod @@ -1,4 +1,4 @@ -module github.com/konflux-ci/build-definitions/task-generator +module github.com/konflux-ci/build-definitions/task-generator/remote go 1.22.0 diff --git a/task-generator/go.sum b/task-generator/remote/go.sum similarity index 100% rename from task-generator/go.sum rename to task-generator/remote/go.sum 
diff --git a/task-generator/trusted-artifacts/README.md b/task-generator/trusted-artifacts/README.md new file mode 100644 index 0000000000..10db6beae9 --- /dev/null +++ b/task-generator/trusted-artifacts/README.md @@ -0,0 +1,30 @@ +# Trusted Artifacts variants generator + +## Description + +This tool is used for the generation of trusted artifacts variants of a task. +It will process a set of directions in `recipe.yaml` file and +based on that and a set of builtin conventions generate the Tekton Task +definition in YAML format. + +This tool is used by the `hack/generate-ta-tasks.sh` script. + +## Usage + +The tool uses only one argument - path to the `recipe.yaml` file. +These `recipe.yaml` files are stored in the task directories ending with `-oci-ta`. + +Usage (from the `task-generator/trusted-artifacts` directory) +``` +go run . path/to/recipe.yaml +``` + +The generated Trusted Artifacts Task is provided on the standard output. + +## Testing + +There are various included tests in the `golden` folder. +They use the `base.yaml` file which gets modified based on the `recipe.yaml` and is compared to the `ta.yaml` +``` +go test ./... +``` \ No newline at end of file diff --git a/ta-generator/expect.go b/task-generator/trusted-artifacts/expect.go similarity index 100% rename from ta-generator/expect.go rename to task-generator/trusted-artifacts/expect.go diff --git a/ta-generator/go.mod b/task-generator/trusted-artifacts/go.mod similarity index 98% rename from ta-generator/go.mod rename to task-generator/trusted-artifacts/go.mod index 85cc82a924..8b9d52f21f 100644 --- a/ta-generator/go.mod +++ b/task-generator/trusted-artifacts/go.mod @@ -1,4 +1,4 @@ -module github.com/konflux-ci/build-definitions/ta-generator +module github.com/konflux-ci/build-definitions/task-generator/trusted-artifacts go 1.22.3 
diff --git a/ta-generator/go.sum b/task-generator/trusted-artifacts/go.sum similarity index 100% rename from ta-generator/go.sum rename to task-generator/trusted-artifacts/go.sum diff --git a/ta-generator/golden/buildah/base.yaml b/task-generator/trusted-artifacts/golden/buildah/base.yaml similarity index 100% rename from ta-generator/golden/buildah/base.yaml rename to task-generator/trusted-artifacts/golden/buildah/base.yaml diff --git a/ta-generator/golden/buildah/recipe.yaml b/task-generator/trusted-artifacts/golden/buildah/recipe.yaml similarity index 100% rename from ta-generator/golden/buildah/recipe.yaml rename to task-generator/trusted-artifacts/golden/buildah/recipe.yaml diff --git a/ta-generator/golden/buildah/ta.yaml b/task-generator/trusted-artifacts/golden/buildah/ta.yaml similarity index 100% rename from ta-generator/golden/buildah/ta.yaml rename to task-generator/trusted-artifacts/golden/buildah/ta.yaml diff --git a/ta-generator/golden/git-clone/base.yaml b/task-generator/trusted-artifacts/golden/git-clone/base.yaml similarity index 100% rename from ta-generator/golden/git-clone/base.yaml rename to task-generator/trusted-artifacts/golden/git-clone/base.yaml diff --git a/ta-generator/golden/git-clone/recipe.yaml b/task-generator/trusted-artifacts/golden/git-clone/recipe.yaml similarity index 100% rename from ta-generator/golden/git-clone/recipe.yaml rename to task-generator/trusted-artifacts/golden/git-clone/recipe.yaml diff --git a/ta-generator/golden/git-clone/ta.yaml b/task-generator/trusted-artifacts/golden/git-clone/ta.yaml similarity index 100% rename from ta-generator/golden/git-clone/ta.yaml rename to task-generator/trusted-artifacts/golden/git-clone/ta.yaml 
diff --git a/ta-generator/golden/prefetch-dependencies/base.yaml b/task-generator/trusted-artifacts/golden/prefetch-dependencies/base.yaml similarity index 100% rename from ta-generator/golden/prefetch-dependencies/base.yaml rename to task-generator/trusted-artifacts/golden/prefetch-dependencies/base.yaml diff --git a/ta-generator/golden/prefetch-dependencies/recipe.yaml b/task-generator/trusted-artifacts/golden/prefetch-dependencies/recipe.yaml similarity index 100% rename from ta-generator/golden/prefetch-dependencies/recipe.yaml rename to task-generator/trusted-artifacts/golden/prefetch-dependencies/recipe.yaml diff --git a/ta-generator/golden/prefetch-dependencies/ta.yaml b/task-generator/trusted-artifacts/golden/prefetch-dependencies/ta.yaml similarity index 100% rename from ta-generator/golden/prefetch-dependencies/ta.yaml rename to task-generator/trusted-artifacts/golden/prefetch-dependencies/ta.yaml diff --git a/ta-generator/golden/sast-snyk-check/base.yaml b/task-generator/trusted-artifacts/golden/sast-snyk-check/base.yaml similarity index 100% rename from ta-generator/golden/sast-snyk-check/base.yaml rename to task-generator/trusted-artifacts/golden/sast-snyk-check/base.yaml diff --git a/ta-generator/golden/sast-snyk-check/recipe.yaml b/task-generator/trusted-artifacts/golden/sast-snyk-check/recipe.yaml similarity index 100% rename from ta-generator/golden/sast-snyk-check/recipe.yaml rename to task-generator/trusted-artifacts/golden/sast-snyk-check/recipe.yaml diff --git a/ta-generator/golden/sast-snyk-check/ta.yaml b/task-generator/trusted-artifacts/golden/sast-snyk-check/ta.yaml similarity index 100% rename from ta-generator/golden/sast-snyk-check/ta.yaml rename to task-generator/trusted-artifacts/golden/sast-snyk-check/ta.yaml 
diff --git a/ta-generator/golden/source-build/base.yaml b/task-generator/trusted-artifacts/golden/source-build/base.yaml similarity index 100% rename from ta-generator/golden/source-build/base.yaml rename to task-generator/trusted-artifacts/golden/source-build/base.yaml diff --git a/ta-generator/golden/source-build/recipe.yaml b/task-generator/trusted-artifacts/golden/source-build/recipe.yaml similarity index 100% rename from ta-generator/golden/source-build/recipe.yaml rename to task-generator/trusted-artifacts/golden/source-build/recipe.yaml diff --git a/ta-generator/golden/source-build/ta.yaml b/task-generator/trusted-artifacts/golden/source-build/ta.yaml similarity index 100% rename from ta-generator/golden/source-build/ta.yaml rename to task-generator/trusted-artifacts/golden/source-build/ta.yaml diff --git a/ta-generator/main.go b/task-generator/trusted-artifacts/main.go similarity index 100% rename from ta-generator/main.go rename to task-generator/trusted-artifacts/main.go diff --git a/ta-generator/main_test.go b/task-generator/trusted-artifacts/main_test.go similarity index 100% rename from ta-generator/main_test.go rename to task-generator/trusted-artifacts/main_test.go diff --git a/ta-generator/recipe.go b/task-generator/trusted-artifacts/recipe.go similarity index 100% rename from ta-generator/recipe.go rename to task-generator/trusted-artifacts/recipe.go diff --git a/ta-generator/shell.go b/task-generator/trusted-artifacts/shell.go similarity index 100% rename from ta-generator/shell.go rename to task-generator/trusted-artifacts/shell.go diff --git a/ta-generator/ta.go b/task-generator/trusted-artifacts/ta.go similarity index 100% rename from ta-generator/ta.go rename to task-generator/trusted-artifacts/ta.go diff --git a/ta-generator/tekton.go b/task-generator/trusted-artifacts/tekton.go similarity index 100% rename from ta-generator/tekton.go rename to task-generator/trusted-artifacts/tekton.go 
diff --git a/task/build-image-index/0.1/README.md b/task/build-image-index/0.1/README.md index fb6a891194..0e92d3c934 100644 --- a/task/build-image-index/0.1/README.md +++ b/task/build-image-index/0.1/README.md @@ -10,13 +10,14 @@ This takes existing Image Manifests and combines them in an Image Index. |COMMIT_SHA|The commit the image is built from.|""|false| |IMAGES|List of Image Manifests to be referenced by the Image Index||true| |IMAGE_EXPIRES_AFTER|Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| -|ALWAYS_BUILD_INDEX|Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*.|true|false| +|ALWAYS_BUILD_INDEX|Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.|true|false| |STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false| ## Results |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| -|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_URL|Image repository and tag where the built image was pushed| |IMAGES|List of all referenced image manifests| +|IMAGE_REF|Image reference of the built image containing both the repository and the digest| diff --git a/task/build-image-index/0.1/build-image-index.yaml b/task/build-image-index/0.1/build-image-index.yaml index bd3d3e0a07..fe19fa2a18 100644 --- a/task/build-image-index/0.1/build-image-index.yaml +++ b/task/build-image-index/0.1/build-image-index.yaml 
@@ -45,6 +45,8 @@ spec: name: IMAGE_URL - description: List of all referenced image manifests name: IMAGES + - description: Image reference of the built image containing both the repository and the digest + name: IMAGE_REF stepTemplate: env: - name: BUILDAH_FORMAT @@ -136,6 +138,10 @@ spec: cat image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)" + { + echo -n "${IMAGE}@" + cat "image-digest" + } > "$(results.IMAGE_REF.path)" echo -n "${image_manifests:1:-1}" > "$(results.IMAGES.path)" securityContext: capabilities: diff --git a/task/build-vm-image/0.1/build-vm-image.yaml b/task/build-vm-image/0.1/build-vm-image.yaml index 7bd77e37cd..6f7a4e39f4 100644 --- a/task/build-vm-image/0.1/build-vm-image.yaml +++ b/task/build-vm-image/0.1/build-vm-image.yaml @@ -65,7 +65,7 @@ spec: name: varlibcontainers steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:0379f5c2feec921a01300b386ce9414b10acfbc4499b187700d972b2360e1585 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:c91de1771397c5a6fde3cf0c642dd3478af5409e2d1980a3402f32b395f2d2a7 args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index 6df0b6bc8b..7563bab725 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml @@ -214,7 +214,7 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:a390d28f69d61ab38aadf78b7c9b21ed09b79687bddae4cf1d02616bef5d7da7 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:c91de1771397c5a6fde3cf0c642dd3478af5409e2d1980a3402f32b395f2d2a7 args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source 
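Review bot: The `IMAGE_REF` description in the `@@ -45,6 +45,8 @@` hunk does not match the value written in `@@ -136,6 +138,10 @@`, which is `${IMAGE}@` followed by the digest. The README in this commit describes `IMAGE_URL` (also `$IMAGE`) as repository and tag, so the result has the form `repository:tag@sha256:digest`, not only repository and digest. Suggested description: `Image reference of the built image in the form repository:tag@sha256:digest`. Consumers that verify or sign the image should rely on the digest part, since the tag is mutable. The path that skips index generation lies outside these hunks, so it is worth confirming that it also writes `IMAGE_REF`.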
@@ -489,7 +489,7 @@ spec: securityContext: runAsUser: 0 - name: merge-cachi2-sbom - image: quay.io/redhat-appstudio/cachi2:0.10.0@sha256:58b521c821cc38e94d4a03fc024983b36e5e20b70c2578070303745caf69a6a9 + image: quay.io/redhat-appstudio/cachi2:0.11.0@sha256:1051a8e55f4b6dddb5591ac103644e1d45b2367cffe50ba900418939aace0fb2 workingDir: /var/workdir script: | if [ -f "sbom-cachi2.json" ]; then diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index cfd252a6a1..46635c4489 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -216,7 +216,7 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:a390d28f69d61ab38aadf78b7c9b21ed09b79687bddae4cf1d02616bef5d7da7 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:c91de1771397c5a6fde3cf0c642dd3478af5409e2d1980a3402f32b395f2d2a7 args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index feb904a9bd..3ae20e205e 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -196,7 +196,7 @@ spec: - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 computeResources: {} - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:a390d28f69d61ab38aadf78b7c9b21ed09b79687bddae4cf1d02616bef5d7da7 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:c91de1771397c5a6fde3cf0c642dd3478af5409e2d1980a3402f32b395f2d2a7 name: use-trusted-artifact - args: - $(params.BUILD_ARGS[*]) 
@@ -577,7 +577,7 @@ spec: runAsUser: 0 workingDir: /var/workdir - computeResources: {} - image: quay.io/redhat-appstudio/cachi2:0.10.0@sha256:58b521c821cc38e94d4a03fc024983b36e5e20b70c2578070303745caf69a6a9 + image: quay.io/redhat-appstudio/cachi2:0.11.0@sha256:1051a8e55f4b6dddb5591ac103644e1d45b2367cffe50ba900418939aace0fb2 name: merge-cachi2-sbom script: | if [ -f "sbom-cachi2.json" ]; then diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index d59cd3c6a6..a3012954eb 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -207,7 +207,7 @@ spec: - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 computeResources: {} - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:a390d28f69d61ab38aadf78b7c9b21ed09b79687bddae4cf1d02616bef5d7da7 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:c91de1771397c5a6fde3cf0c642dd3478af5409e2d1980a3402f32b395f2d2a7 name: use-trusted-artifact - args: - $(params.BUILD_ARGS[*]) diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index 530db59a53..58f45f4c9e 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml @@ -570,7 +570,7 @@ spec: runAsUser: 0 workingDir: $(workspaces.source.path) - computeResources: {} - image: quay.io/redhat-appstudio/cachi2:0.10.0@sha256:58b521c821cc38e94d4a03fc024983b36e5e20b70c2578070303745caf69a6a9 + image: quay.io/redhat-appstudio/cachi2:0.11.0@sha256:1051a8e55f4b6dddb5591ac103644e1d45b2367cffe50ba900418939aace0fb2 name: merge-cachi2-sbom script: | if [ -f "sbom-cachi2.json" ]; then diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index 39e4d90562..fbc9fb9fcc 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml 
@@ -449,7 +449,7 @@ spec: runAsUser: 0 - name: merge-cachi2-sbom - image: quay.io/redhat-appstudio/cachi2:0.10.0@sha256:58b521c821cc38e94d4a03fc024983b36e5e20b70c2578070303745caf69a6a9 + image: quay.io/redhat-appstudio/cachi2:0.11.0@sha256:1051a8e55f4b6dddb5591ac103644e1d45b2367cffe50ba900418939aace0fb2 script: | if [ -f "sbom-cachi2.json" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" diff --git a/task/clair-scan/0.1/clair-scan.yaml b/task/clair-scan/0.1/clair-scan.yaml index 5c4be34bad..da4bcb93c3 100644 --- a/task/clair-scan/0.1/clair-scan.yaml +++ b/task/clair-scan/0.1/clair-scan.yaml @@ -42,7 +42,7 @@ spec: readOnly: true steps: - name: get-image-manifests - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # the clair-in-ci image neither has skopeo or jq installed. Hence, we create an extra step to get the image manifest digests computeResources: limits: @@ -123,7 +123,7 @@ spec: images_processed=$(echo "${images_processed_template/\[%s]/[$digests_processed_string]}") echo "$images_processed" > /tekton/home/images-processed.json - name: conftest-vulnerabilities - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent computeResources: diff --git a/task/clair-scan/0.2/clair-scan.yaml b/task/clair-scan/0.2/clair-scan.yaml index e45ed5b2b9..c68c565b6b 100644 --- a/task/clair-scan/0.2/clair-scan.yaml +++ b/task/clair-scan/0.2/clair-scan.yaml 
@@ -42,7 +42,7 @@ spec: readOnly: true steps: - name: get-image-manifests - image: quay.io/redhat-appstudio/konflux-test:v1.4.5@sha256:801a105ba0f9c7f58f5ba5cde1a3b4404009fbebb1028779ca2c5de211e94940 + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # the clair-in-ci image neither has skopeo or jq installed. Hence, we create an extra step to get the image manifest digests computeResources: limits: @@ -119,7 +119,7 @@ spec: images_processed=$(echo "${images_processed_template/\[%s]/[$digests_processed_string]}") echo "$images_processed" > /tekton/home/images-processed.json - name: conftest-vulnerabilities - image: quay.io/redhat-appstudio/konflux-test:v1.4.5@sha256:801a105ba0f9c7f58f5ba5cde1a3b4404009fbebb1028779ca2c5de211e94940 + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent computeResources: diff --git a/task/clamav-scan/0.1/clamav-scan.yaml b/task/clamav-scan/0.1/clamav-scan.yaml index 21f2791a97..bfbee93412 100644 --- a/task/clamav-scan/0.1/clamav-scan.yaml +++ b/task/clamav-scan/0.1/clamav-scan.yaml @@ -34,7 +34,7 @@ spec: steps: - name: extract-and-scan-image - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent workingDir: /work diff --git a/task/deprecated-image-check/0.1/deprecated-image-check.yaml b/task/deprecated-image-check/0.1/deprecated-image-check.yaml index 858ca8ea0e..13fcc2a2eb 100644 
--- a/task/deprecated-image-check/0.1/deprecated-image-check.yaml +++ b/task/deprecated-image-check/0.1/deprecated-image-check.yaml @@ -31,7 +31,7 @@ spec: steps: # Download Pyxis metadata about the image - name: query-pyxis - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent env: @@ -61,7 +61,7 @@ spec: # Run the tests and save output - name: run-conftest - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent env: diff --git a/task/deprecated-image-check/0.2/deprecated-image-check.yaml b/task/deprecated-image-check/0.2/deprecated-image-check.yaml index e0eb889754..54a769f3e8 100644 --- a/task/deprecated-image-check/0.2/deprecated-image-check.yaml +++ b/task/deprecated-image-check/0.2/deprecated-image-check.yaml @@ -31,7 +31,7 @@ spec: steps: # Download Pyxis metadata about the image - name: query-pyxis - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent env: 
@@ -61,7 +61,7 @@ spec: # Run the tests and save output - name: run-conftest - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent env: diff --git a/task/deprecated-image-check/0.3/deprecated-image-check.yaml b/task/deprecated-image-check/0.3/deprecated-image-check.yaml index 3af964570d..2be4f2f2e3 100644 --- a/task/deprecated-image-check/0.3/deprecated-image-check.yaml +++ b/task/deprecated-image-check/0.3/deprecated-image-check.yaml @@ -29,7 +29,7 @@ spec: steps: - name: check-images - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent env: diff --git a/task/deprecated-image-check/0.4/deprecated-image-check.yaml b/task/deprecated-image-check/0.4/deprecated-image-check.yaml index 6f29c340e8..4c7182ec01 100644 --- a/task/deprecated-image-check/0.4/deprecated-image-check.yaml +++ b/task/deprecated-image-check/0.4/deprecated-image-check.yaml @@ -42,7 +42,7 @@ spec: steps: - name: check-images - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent env: 
diff --git a/task/fbc-related-image-check/0.1/fbc-related-image-check.yaml b/task/fbc-related-image-check/0.1/fbc-related-image-check.yaml index 807aabcf72..bced808208 100644 --- a/task/fbc-related-image-check/0.1/fbc-related-image-check.yaml +++ b/task/fbc-related-image-check/0.1/fbc-related-image-check.yaml @@ -17,7 +17,7 @@ spec: - name: workspace steps: - name: check-related-images - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) diff --git a/task/fbc-validation/0.1/fbc-validation.yaml b/task/fbc-validation/0.1/fbc-validation.yaml index 12e2dc6ee0..7b17b6b6c3 100644 --- a/task/fbc-validation/0.1/fbc-validation.yaml +++ b/task/fbc-validation/0.1/fbc-validation.yaml @@ -24,7 +24,7 @@ spec: - name: workspace steps: - name: extract-and-check-binaries - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) diff --git a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml index 0cb68e7772..93a7227fdf 100644 --- a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml +++ b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml 
@@ -21,7 +21,7 @@ spec: description: Directory to write the result .repo files. steps: - name: generate-odcs-compose - image: quay.io/redhat-appstudio/tools@sha256:463b8b97125285e93201a2c858bdf1fb1a3f4f6b23247ff44bec3f6fb926fdbb + image: quay.io/redhat-appstudio/tools@sha256:130dbe49cc76ff4457cb53916a32b6b1330d86feeb95beaa3b443fd8ac5b47fa env: - name: CLIENT_ID valueFrom: diff --git a/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml index f0572f200d..d8c5e99e21 100644 --- a/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml +++ b/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml @@ -21,7 +21,7 @@ spec: description: Directory to write the result .repo files. steps: - name: generate-odcs-compose - image: quay.io/redhat-appstudio/tools@sha256:463b8b97125285e93201a2c858bdf1fb1a3f4f6b23247ff44bec3f6fb926fdbb + image: quay.io/redhat-appstudio/tools@sha256:130dbe49cc76ff4457cb53916a32b6b1330d86feeb95beaa3b443fd8ac5b47fa env: - name: CLIENT_ID valueFrom: diff --git a/task/git-clone-oci-ta/0.1/README.md b/task/git-clone-oci-ta/0.1/README.md index cf8c3aee85..165c812aa3 100644 --- a/task/git-clone-oci-ta/0.1/README.md +++ b/task/git-clone-oci-ta/0.1/README.md @@ -17,6 +17,7 @@ The git-clone-oci-ta Task will clone a repo from the provided url and store it a |ociStorage|The OCI repository where the Trusted Artifacts are stored.||true| |refspec|Refspec to fetch before checking out revision.|""|false| |revision|Revision to checkout. (branch, tag, sha, ref, etc...)|""|false| +|shortCommitLength|Length of short commit SHA|7|false| |sparseCheckoutDirectories|Define the directory patterns to match or exclude when performing a sparse checkout.|""|false| |sslVerify|Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.|true|false| |submodules|Initialize and fetch git submodules.|true|false| 
@@ -30,6 +31,7 @@ The git-clone-oci-ta Task will clone a repo from the provided url and store it a |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.| |commit|The precise commit SHA that was fetched by this Task.| |commit-timestamp|The commit timestamp of the checkout| +|short-commit|The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| |url|The precise URL that was fetched by this Task.| ## Workspaces diff --git a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml index 4f9dd97b89..3bd111696d 100644 --- a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml +++ b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml @@ -66,6 +66,10 @@ spec: description: Revision to checkout. (branch, tag, sha, ref, etc...) type: string default: "" + - name: shortCommitLength + description: Length of short commit SHA + type: string + default: "7" - name: sparseCheckoutDirectories description: Define the directory patterns to match or exclude when performing a sparse checkout. @@ -103,6 +107,9 @@ spec: description: The precise commit SHA that was fetched by this Task. - name: commit-timestamp description: The commit timestamp of the checkout + - name: short-commit + description: The commit SHA that was fetched by this Task limited to + params.shortCommitLength number of characters - name: url description: The precise URL that was fetched by this Task. volumes: @@ -153,6 +160,8 @@ spec: value: $(params.submodules) - name: PARAM_DEPTH value: $(params.depth) + - name: PARAM_SHORT_COMMIT_LENGTH + value: $(params.shortCommitLength) - name: PARAM_SSL_VERIFY value: $(params.sslVerify) - name: PARAM_HTTP_PROXY 
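Review bot: The `short-commit` result description in the `@@ -103,6 +107,9 @@` hunk says the SHA is "limited to" `params.shortCommitLength` characters, but `git rev-parse --short=N` returns a unique prefix of at least N characters, so the value can be longer than requested. Suggested wording: `The commit SHA fetched by this Task, abbreviated to a unique prefix of at least params.shortCommitLength characters`. The `shortCommitLength` description in `@@ -66,6 +66,10 @@` could also say that the value must be a number git accepts, since it is declared as a plain string param. The same wording appears in the git-clone task and in both READMEs; pipelines that need to identify the exact source should keep using the full `commit` result.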
@@ -232,11 +241,13 @@ spec: -sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}" cd "${CHECKOUT_DIR}" RESULT_SHA="$(git rev-parse HEAD)" + RESULT_SHA_SHORT="$(git rev-parse --short="${PARAM_SHORT_COMMIT_LENGTH}" HEAD)" EXIT_CODE="$?" if [ "${EXIT_CODE}" != 0 ]; then exit "${EXIT_CODE}" fi printf "%s" "${RESULT_SHA}" >"$(results.commit.path)" + printf "%s" "${RESULT_SHA_SHORT}" >"$(results.short-commit.path)" printf "%s" "${PARAM_URL}" >"$(results.url.path)" printf "%s" "$(git log -1 --pretty=%ct)" >"$(results.commit-timestamp.path)" @@ -279,7 +290,7 @@ spec: check_symlinks fi - name: create-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:a390d28f69d61ab38aadf78b7c9b21ed09b79687bddae4cf1d02616bef5d7da7 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:c91de1771397c5a6fde3cf0c642dd3478af5409e2d1980a3402f32b395f2d2a7 args: - create - --store diff --git a/task/git-clone/0.1/README.md b/task/git-clone/0.1/README.md index 050112e9d9..4621d9e19e 100644 --- a/task/git-clone/0.1/README.md +++ b/task/git-clone/0.1/README.md @@ -22,11 +22,13 @@ The git-clone Task will clone a repo from the provided url into the output Works |userHome|Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user or have overridden the gitInitImage param with an image containing custom user configuration. |/tekton/home|false| |enableSymlinkCheck|Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.|true|false| |fetchTags|Fetch all tags for the repo.|false|false| +|shortCommitLength|Length of the returned short-commit|7|false| ## Results |name|description| |---|---| |commit|The precise commit SHA that was fetched by this Task.| +|short-commit|The commit SHA that was fetched by this Task shortened to `shortCommitLength` number of characters|| |url|The precise URL that was fetched by this Task.| ## Workspaces 
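Review bot: The added `RESULT_SHA_SHORT=...` assignment sits between `RESULT_SHA="$(git rev-parse HEAD)"` and `EXIT_CODE="$?"`, so `$?` now carries the status of the short rev-parse and a failure of the full `git rev-parse HEAD` is no longer caught by the check below (unless the script runs under `set -e`, which this hunk does not show). An empty `RESULT_SHA` could then be written to the `commit` result, which is presumably what downstream steps use to identify the source. Moving the new line below the existing `fi` and giving it its own guard keeps both checks: `RESULT_SHA_SHORT="$(git rev-parse --short="${PARAM_SHORT_COMMIT_LENGTH}" HEAD)" || exit "$?"`. The same ordering appears in the `@@ -231,11 +239,13 @@` hunk of task/git-clone/0.1/git-clone.yaml. The script body starts and ends outside both hunks.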
diff --git a/task/git-clone/0.1/git-clone.yaml b/task/git-clone/0.1/git-clone.yaml index 5ecb43658c..85e874f336 100644 --- a/task/git-clone/0.1/git-clone.yaml +++ b/task/git-clone/0.1/git-clone.yaml @@ -33,6 +33,10 @@ spec: description: Perform a shallow clone, fetching only the most recent N commits. name: depth type: string + - name: shortCommitLength + description: Length of short commit SHA + type: string + default: "7" - default: "true" description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. name: sslVerify @@ -94,6 +98,8 @@ spec: results: - description: The precise commit SHA that was fetched by this Task. name: commit + - description: The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters + name: short-commit - description: The precise URL that was fetched by this Task. name: url - description: The commit timestamp of the checkout @@ -113,6 +119,8 @@ spec: value: $(params.submodules) - name: PARAM_DEPTH value: $(params.depth) + - name: PARAM_SHORT_COMMIT_LENGTH + value: $(params.shortCommitLength) - name: PARAM_SSL_VERIFY value: $(params.sslVerify) - name: PARAM_SUBDIRECTORY @@ -231,11 +239,13 @@ spec: -sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}" cd "${CHECKOUT_DIR}" RESULT_SHA="$(git rev-parse HEAD)" + RESULT_SHA_SHORT="$(git rev-parse --short="${PARAM_SHORT_COMMIT_LENGTH}" HEAD)" EXIT_CODE="$?" if [ "${EXIT_CODE}" != 0 ] ; then exit "${EXIT_CODE}" fi printf "%s" "${RESULT_SHA}" > "$(results.commit.path)" + printf "%s" "${RESULT_SHA_SHORT}" > "$(results.short-commit.path)" printf "%s" "${PARAM_URL}" > "$(results.url.path)" printf "%s" "$(git log -1 --pretty=%ct)" > "$(results.commit-timestamp.path)" diff --git a/task/inspect-image/0.1/inspect-image.yaml b/task/inspect-image/0.1/inspect-image.yaml index a48e78ad3b..e1ff85e79f 100644 --- a/task/inspect-image/0.1/inspect-image.yaml 
+++ b/task/inspect-image/0.1/inspect-image.yaml @@ -33,7 +33,7 @@ spec: - name: source steps: - name: inspect-image - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent workingDir: $(workspaces.source.path)/hacbs/$(context.task.name) diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml index c78a95b62f..bbfb3616f3 100644 --- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml +++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml @@ -66,7 +66,7 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:a390d28f69d61ab38aadf78b7c9b21ed09b79687bddae4cf1d02616bef5d7da7 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:c91de1771397c5a6fde3cf0c642dd3478af5409e2d1980a3402f32b395f2d2a7 args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source diff --git a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml index 67887bac7f..9d18e3d461 100644 --- a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml +++ b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml 
@@ -130,7 +130,7 @@ spec: echo -n "" >$(results.CACHI2_ARTIFACT.path) fi - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:a390d28f69d61ab38aadf78b7c9b21ed09b79687bddae4cf1d02616bef5d7da7 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:c91de1771397c5a6fde3cf0c642dd3478af5409e2d1980a3402f32b395f2d2a7 args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source @@ -144,7 +144,7 @@ spec: yq 'del(.goproxy_url)' <<<"${CONFIG_FILE_CONTENT}" >/mnt/config/config.yaml fi - name: prefetch-dependencies - image: quay.io/redhat-appstudio/cachi2:0.10.0@sha256:58b521c821cc38e94d4a03fc024983b36e5e20b70c2578070303745caf69a6a9 + image: quay.io/redhat-appstudio/cachi2:0.11.0@sha256:1051a8e55f4b6dddb5591ac103644e1d45b2367cffe50ba900418939aace0fb2 volumeMounts: - mountPath: /mnt/trusted-ca name: trusted-ca @@ -226,7 +226,7 @@ spec: cachi2 --log-level="$LOG_LEVEL" inject-files /var/workdir/cachi2/output \ --for-output-dir=/cachi2/output - name: create-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:a390d28f69d61ab38aadf78b7c9b21ed09b79687bddae4cf1d02616bef5d7da7 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:c91de1771397c5a6fde3cf0c642dd3478af5409e2d1980a3402f32b395f2d2a7 args: - create - --store diff --git a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml index 905c58bc14..d72fec42d8 100644 --- a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml +++ b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml 
@@ -74,7 +74,7 @@ spec: yq 'del(.goproxy_url)' <<< "${CONFIG_FILE_CONTENT}" > /mnt/config/config.yaml fi - - image: quay.io/redhat-appstudio/cachi2:0.10.0@sha256:58b521c821cc38e94d4a03fc024983b36e5e20b70c2578070303745caf69a6a9 + - image: quay.io/redhat-appstudio/cachi2:0.11.0@sha256:1051a8e55f4b6dddb5591ac103644e1d45b2367cffe50ba900418939aace0fb2 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent name: prefetch-dependencies diff --git a/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml b/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml index a5258f77de..9f0a68b0cd 100644 --- a/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml +++ b/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml @@ -53,7 +53,7 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:a390d28f69d61ab38aadf78b7c9b21ed09b79687bddae4cf1d02616bef5d7da7 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:c91de1771397c5a6fde3cf0c642dd3478af5409e2d1980a3402f32b395f2d2a7 args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source diff --git a/task/reduce-snapshot-to-single-component/0.1/README.md b/task/reduce-snapshot-to-single-component/0.1/README.md deleted file mode 100644 index 8f660f2d36..0000000000 --- a/task/reduce-snapshot-to-single-component/0.1/README.md +++ /dev/null 
@@ -1,20 +0,0 @@ -# reduce-snapshot-to-single-component task - -This task is designed to reduce the Snapshot that is passed to the Enterprise Contract verify task. - -If activated via the SINGLE_COMPONENT parameter, then the Snapshot is filtered to only contain the Component which caused the Snapshot to be built. - -The use case for this reduction is based on the desire to have components that are built to be quickly released -regardless of any other Components within the Snapshot and Application. - -## Parameters -| name | description | default value | required | -|-----------------|------------------------------------------------------------------------------------------|---------------|------------| -| SNAPSHOT | Snapshot to possibly reduce | | true | -| SINGLE_COMPONENT | Reduce the Snapshot to only the component whose build caused the Snapshot to be created | false | false | -| PIPELINERUN_ID | Name of current PipelineRun. | | true | - -## Results -| name | description | -|----------|--------------------| -| SNAPSHOT | Resulting Snapshot | diff --git a/task/reduce-snapshot-to-single-component/0.1/reduce-snapshot-to-single-component.yaml b/task/reduce-snapshot-to-single-component/0.1/reduce-snapshot-to-single-component.yaml deleted file mode 100644 index c751df720d..0000000000 --- a/task/reduce-snapshot-to-single-component/0.1/reduce-snapshot-to-single-component.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -apiVersion: tekton.dev/v1 -kind: Task -metadata: - name: reduce-snapshot-to-single-component - annotations: - tekton.dev/pipelines.minVersion: 0.0.1 - tekton.dev/tags: konflux - labels: - app.kubernetes.io/version: "0.1" - build.appstudio.redhat.com/build_type: docker -spec: - description: Reduce a snapshot to contain the single component that the snapshot was created for. - params: - - name: SNAPSHOT - description: Snapshot to possibly reduce - type: string - - name: SINGLE_COMPONENT - description: Reduce the Snapshot to only the component whose build caused the Snapshot to be created - type: string - default: false - - name: PIPELINERUN_ID - description: Name of current PipelineRun. - type: string - results: - - name: SNAPSHOT - description: Reduced Snapshot if SINGLE_COMPONENT == true otherwise the original Snapshot - steps: - - name: reduce-snapshot-to-single-component - image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 - env: - - name: SNAPSHOT - value: $(params.SNAPSHOT) - - name: SINGLE_COMPONENT - value: $(params.SINGLE_COMPONENT) - - name: PIPELINERUN_ID - value: $(params.PIPELINERUN_ID) - script: | - #!/usr/bin/env bash - set -eu - - echo "Single Component mode? 
${SINGLE_COMPONENT}" - if [ "${SINGLE_COMPONENT}" == "true" ]; then - SNAPSHOT_CREATION_TYPE=$(oc get "pr/$PIPELINERUN_ID" -ojson | jq -rec '.metadata.labels."test.appstudio.openshift.io/type" // ""') - SNAPSHOT_CREATION_COMPONENT=$(oc get "pr/$PIPELINERUN_ID" -ojson | jq -rec '.metadata.labels."appstudio.openshift.io/component" // ""') - - echo "SNAPSHOT_CREATION_TYPE: ${SNAPSHOT_CREATION_TYPE}" - echo "SNAPSHOT_CREATION_COMPONENT: ${SNAPSHOT_CREATION_COMPONENT}" - if [ "${SNAPSHOT_CREATION_TYPE}" == "component" ] && [ "${SNAPSHOT_CREATION_COMPONENT}" != "" ]; then - echo "Single Component mode is ${SINGLE_COMPONENT} and Snapshot type is component" - REDUCED_SNAPSHOT=$(echo "${SNAPSHOT}" | jq --arg component "${SNAPSHOT_CREATION_COMPONENT}" \ - 'del(.components[] | select(.name != $component))') - echo "Reducing Snapshot to:" - echo "$REDUCED_SNAPSHOT" | jq . - SNAPSHOT=$(echo "$REDUCED_SNAPSHOT" | tr -d ' ' | tr -d '\n') - fi - fi - - echo "$SNAPSHOT" | tee -a "$(results.SNAPSHOT.path)" diff --git a/task/reduce-snapshot-to-single-component/OWNERS b/task/reduce-snapshot-to-single-component/OWNERS deleted file mode 100644 index 27203edec2..0000000000 --- a/task/reduce-snapshot-to-single-component/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team diff --git a/task/rpm-ostree/0.1/rpm-ostree.yaml b/task/rpm-ostree/0.1/rpm-ostree.yaml index 1a17b1ac41..71d1890742 100644 --- a/task/rpm-ostree/0.1/rpm-ostree.yaml +++ b/task/rpm-ostree/0.1/rpm-ostree.yaml 
@@ -214,7 +214,7 @@ spec: - mountPath: /var/lib/containers name: varlibcontainers - name: merge-cachi2-sbom - image: quay.io/redhat-appstudio/cachi2:0.10.0@sha256:58b521c821cc38e94d4a03fc024983b36e5e20b70c2578070303745caf69a6a9 + image: quay.io/redhat-appstudio/cachi2:0.11.0@sha256:1051a8e55f4b6dddb5591ac103644e1d45b2367cffe50ba900418939aace0fb2 script: | cachi2_sbom=./cachi2/output/bom.json if [ -f "$cachi2_sbom" ]; then diff --git a/task/rpms-signature-scan/0.1/README.md b/task/rpms-signature-scan/0.1/README.md index afdcddb6b8..d8ee420126 100644 --- a/task/rpms-signature-scan/0.1/README.md +++ b/task/rpms-signature-scan/0.1/README.md 
@@ -3,19 +3,19 @@ ## Description: This tasks scans RPMs in an image and provide information about RPMs signatures. -It can be used in two modes. Depending on the value of parameter `FAIL_UNSIGNED`, it +It can be used in two modes. Depending on the value of parameter `fail-unsigned`, it will either fail any run that find unsigned RPMs, or only report its finding without failing (the latter is useful when running inside a build pipeline which tests the use of RPMs before their official release). ## Params: -| Name | Description | Defaults | -|-----------------|-------------------------------------------------------------------|-----------| -| IMAGE | Image used for running the tasks's script | | -| INPUT | A reference to a container image | | -| FAIL_UNSIGNED | [true \| false] If true fail if unsigned RPMs were found | false | -| WORKDIR | Directory for storing temporary files | | - +| Name | Description | Defaults | Required | +|--------------------------|------------------------------------------------------------------------|---------------|----------| +| image-url | A reference to a container image | | true | +| fail-unsigned | [true \| false] If true fail if unsigned RPMs were found | false | false | +| workdir | Directory for storing temporary files | /tmp | false | +| ca-trust-config-map-name | The name of the ConfigMap to read CA bundle data from. | trusted-ca | false | +| ca-trust-config-map-key | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | false | ## Results: diff --git a/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml b/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml index f52d150cec..5c65de8aa9 100644 --- a/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml +++ b/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml 
@@ -5,19 +5,27 @@ metadata: name: rpms-signature-scan spec: params: - - name: INPUT + - name: image-url type: string - description: "AppStudio snapshot or a reference to a container image" - - name: FAIL_UNSIGNED + description: "AppStudio container image" + - name: fail-unsigned type: string description: "[true | false] If true fail if unsigned RPMs were found" default: "false" - - name: WORKDIR + - name: workdir type: string default: /tmp description: | Directory that will be used for storing temporary files produced by this task. + - name: ca-trust-config-map-name + type: string + description: The name of the ConfigMap to read CA bundle data from. + default: trusted-ca + - name: ca-trust-config-map-key + type: string + description: The name of the key in the ConfigMap that contains the CA bundle data. + default: ca-bundle.crt results: - name: TEST_OUTPUT description: Tekton task test output. 
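Review bot: Renaming `INPUT`, `FAIL_UNSIGNED` and `WORKDIR` to `image-url`, `fail-unsigned` and `workdir` changes the interface of the existing 0.1 task in place, and `image-url` has no default, so callers that still pass `INPUT` will presumably stop resolving. The riskier case for a signature check is a caller that switches to `image-url` but keeps passing `FAIL_UNSIGNED`: depending on how the controller treats undeclared params, the step could fall back to the `"false"` default and only report unsigned RPMs instead of failing. I would either introduce the new names in a new task version or spell out the rename in the descriptions, for example `description: "[true | false] If true fail if unsigned RPMs were found (replaces FAIL_UNSIGNED)"`. The env and `volumeMounts` references are updated in the following `@@ -26,36 +34,47 @@` hunk.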
@@ -26,36 +34,47 @@ spec: volumes: - name: workdir emptyDir: {} + - name: trusted-ca + configMap: + name: $(params.ca-trust-config-map-name) + items: + - key: $(params.ca-trust-config-map-key) + path: ca-bundle.crt + optional: true steps: - name: rpms-signature-scan - image: quay.io/redhat-appstudio/tools@sha256:463b8b97125285e93201a2c858bdf1fb1a3f4f6b23247ff44bec3f6fb926fdbb + image: quay.io/redhat-appstudio/tools@sha256:130dbe49cc76ff4457cb53916a32b6b1330d86feeb95beaa3b443fd8ac5b47fa volumeMounts: - name: workdir - mountPath: "$(params.WORKDIR)" + mountPath: "$(params.workdir)" + - name: trusted-ca + mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt + subPath: ca-bundle.crt + readOnly: true env: - - name: INPUT - value: "$(params.INPUT)" + - name: IMAGE_URL + value: "$(params.image-url)" - name: FAIL_UNSIGNED - value: "$(params.FAIL_UNSIGNED)" + value: "$(params.fail-unsigned)" - name: WORKDIR - value: "$(params.WORKDIR)" + value: "$(params.workdir)" script: | #!/bin/bash set -ex set -o pipefail rpm_verifier \ - --input "${INPUT}" \ + --input "${IMAGE_URL}" \ --fail-unsigned "${FAIL_UNSIGNED}" \ --workdir "${WORKDIR}" \ - name: output-results - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 volumeMounts: - name: workdir - mountPath: "$(params.WORKDIR)" + mountPath: "$(params.workdir)" env: - name: WORKDIR - value: "$(params.WORKDIR)" + value: "$(params.workdir)" script: | #!/bin/bash set -ex diff --git a/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml index 1d1b5599fb..494b090c13 100644 --- a/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml +++ b/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml 
@@ -53,12 +53,12 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:a390d28f69d61ab38aadf78b7c9b21ed09b79687bddae4cf1d02616bef5d7da7 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:c91de1771397c5a6fde3cf0c642dd3478af5409e2d1980a3402f32b395f2d2a7 args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - name: sast-snyk-check - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 workingDir: /var/workdir/source volumeMounts: - mountPath: /etc/secrets diff --git a/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml index 1540e8c557..70cc1cbd29 100644 --- a/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml +++ b/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml @@ -58,13 +58,13 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:a390d28f69d61ab38aadf78b7c9b21ed09b79687bddae4cf1d02616bef5d7da7 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:c91de1771397c5a6fde3cf0c642dd3478af5409e2d1980a3402f32b395f2d2a7 args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 - name: sast-snyk-check - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 workingDir: /var/workdir/source volumeMounts: - mountPath: /etc/secrets 
diff --git a/task/sast-snyk-check/0.1/sast-snyk-check.yaml b/task/sast-snyk-check/0.1/sast-snyk-check.yaml index d2752f69d7..7dbf51714c 100644 --- a/task/sast-snyk-check/0.1/sast-snyk-check.yaml +++ b/task/sast-snyk-check/0.1/sast-snyk-check.yaml @@ -38,7 +38,7 @@ spec: optional: true steps: - name: sast-snyk-check - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) diff --git a/task/sast-snyk-check/0.2/sast-snyk-check.yaml b/task/sast-snyk-check/0.2/sast-snyk-check.yaml index 6c2e4262dd..4a239e8ca3 100644 --- a/task/sast-snyk-check/0.2/sast-snyk-check.yaml +++ b/task/sast-snyk-check/0.2/sast-snyk-check.yaml @@ -38,7 +38,7 @@ spec: optional: true steps: - name: sast-snyk-check - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) diff --git a/task/sbom-json-check/0.1/sbom-json-check.yaml b/task/sbom-json-check/0.1/sbom-json-check.yaml index 3eeec5b661..9aa29a9ec7 100644 --- a/task/sbom-json-check/0.1/sbom-json-check.yaml +++ b/task/sbom-json-check/0.1/sbom-json-check.yaml 
@@ -30,7 +30,7 @@ spec: name: IMAGES_PROCESSED steps: - name: sbom-json-check - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent securityContext: diff --git a/task/sbom-json-check/0.2/sbom-json-check.yaml b/task/sbom-json-check/0.2/sbom-json-check.yaml index 3eeec5b661..9aa29a9ec7 100644 --- a/task/sbom-json-check/0.2/sbom-json-check.yaml +++ b/task/sbom-json-check/0.2/sbom-json-check.yaml @@ -30,7 +30,7 @@ spec: name: IMAGES_PROCESSED steps: - name: sbom-json-check - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent securityContext: diff --git a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml index 3a1838113a..fd9d8befab 100644 --- a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml +++ b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml @@ -55,7 +55,7 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:a390d28f69d61ab38aadf78b7c9b21ed09b79687bddae4cf1d02616bef5d7da7 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:c91de1771397c5a6fde3cf0c642dd3478af5409e2d1980a3402f32b395f2d2a7 args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source 
diff --git a/task/tkn-bundle/0.1/tkn-bundle.yaml b/task/tkn-bundle/0.1/tkn-bundle.yaml index 9757082db6..1e9e705d9f 100644 --- a/task/tkn-bundle/0.1/tkn-bundle.yaml +++ b/task/tkn-bundle/0.1/tkn-bundle.yaml @@ -41,7 +41,7 @@ spec: - name: TASK_FILE value: tekton_task_files steps: - - image: quay.io/redhat-appstudio/konflux-test:latest@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + - image: quay.io/redhat-appstudio/konflux-test:latest@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 name: modify-task-files env: - name: CONTEXT diff --git a/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml b/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml index 6ddaf95251..20095dd634 100644 --- a/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml +++ b/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml @@ -48,7 +48,7 @@ spec: --workdir "${WORKDIR}" \ --status-path "${WORKDIR}"/status - name: output-results - image: quay.io/redhat-appstudio/konflux-test:v1.4.6@sha256:5f298d8d990dfa82023e50029b71b08e19c3c9cedb181dfc4bc86c9ecad8700c + image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 volumeMounts: - name: workdir mountPath: "$(params.WORKDIR)"