From 8720787a69da817abc84dd6d2bf44ebf5abcd5d2 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Thu, 5 Dec 2024 00:11:25 +0000
Subject: [PATCH 01/51] fix(deps): update module github.com/tektoncd/pipeline to v0.66.0
---
 task-generator/remote/go.mod | 2 +-
 task-generator/remote/go.sum | 4 ++--
 task-generator/trusted-artifacts/go.mod | 2 +-
 task-generator/trusted-artifacts/go.sum | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/task-generator/remote/go.mod b/task-generator/remote/go.mod
index bb4de22a7c..0649be0fe2 100644
--- a/task-generator/remote/go.mod
+++ b/task-generator/remote/go.mod
@@ -5,7 +5,7 @@ go 1.22.0
 toolchain go1.23.2
 require (
- github.com/tektoncd/pipeline v0.65.3
+ github.com/tektoncd/pipeline v0.66.0
  k8s.io/api v0.31.0
  k8s.io/apimachinery v0.31.0
  k8s.io/cli-runtime v0.30.3
diff --git a/task-generator/remote/go.sum b/task-generator/remote/go.sum
index 98bca1ea03..a22a7020c2 100644
--- a/task-generator/remote/go.sum
+++ b/task-generator/remote/go.sum
@@ -320,8 +320,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stvp/go-udp-testing v0.0.0-20201019212854-469649b16807/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc=
-github.com/tektoncd/pipeline v0.65.3 h1:/HXL62kx1LTu76dvrCurafjl+KU2FjEwvcKeQ4WOjbk=
-github.com/tektoncd/pipeline v0.65.3/go.mod h1:V3cyfxxc7b3GLT2a13GX2mWA86qmxWhh4mOp4gfFQwQ=
+github.com/tektoncd/pipeline v0.66.0 h1:WLL98YEgWzblSAD2mPbpZN97tkOC50wiftaW+8+6zTY=
+github.com/tektoncd/pipeline v0.66.0/go.mod h1:V3cyfxxc7b3GLT2a13GX2mWA86qmxWhh4mOp4gfFQwQ=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
diff --git a/task-generator/trusted-artifacts/go.mod b/task-generator/trusted-artifacts/go.mod
index 98eab618dd..9ca88c966d 100644
--- a/task-generator/trusted-artifacts/go.mod
+++ b/task-generator/trusted-artifacts/go.mod
@@ -5,7 +5,7 @@ go 1.22.7
 require (
  github.com/google/go-cmp v0.6.0
  github.com/google/go-containerregistry v0.20.2
- github.com/tektoncd/pipeline v0.65.3
+ github.com/tektoncd/pipeline v0.66.0
  github.com/zregvart/tkn-fmt v0.0.0-20240614122620-a2995427266c
  k8s.io/api v0.30.1
  mvdan.cc/sh/v3 v3.10.0
diff --git a/task-generator/trusted-artifacts/go.sum b/task-generator/trusted-artifacts/go.sum
index fdcd0ca7ed..dcbb7636af 100644
--- a/task-generator/trusted-artifacts/go.sum
+++ b/task-generator/trusted-artifacts/go.sum
@@ -347,8 +347,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/stvp/go-udp-testing v0.0.0-20201019212854-469649b16807/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc=
-github.com/tektoncd/pipeline v0.65.3 h1:/HXL62kx1LTu76dvrCurafjl+KU2FjEwvcKeQ4WOjbk=
-github.com/tektoncd/pipeline v0.65.3/go.mod h1:V3cyfxxc7b3GLT2a13GX2mWA86qmxWhh4mOp4gfFQwQ=
+github.com/tektoncd/pipeline v0.66.0 h1:WLL98YEgWzblSAD2mPbpZN97tkOC50wiftaW+8+6zTY=
+github.com/tektoncd/pipeline v0.66.0/go.mod h1:V3cyfxxc7b3GLT2a13GX2mWA86qmxWhh4mOp4gfFQwQ=
 github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8=
 github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck=
 github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY=
From fd3d43453a431c0bf950db9a84a74cb07a77ccf0 Mon Sep 17 00:00:00 2001
From: Gang Li
Date: Thu, 5 Dec 2024 16:11:02 +0800
Subject: [PATCH 02/51] fix: maven-zip-build pipelines README failed the ci checks
---
 pipelines/maven-zip-build-oci-ta/README.md | 328 +++++++++++---------
 pipelines/maven-zip-build/README.md | 344 +++++++++++----------
 2 files changed, 370 insertions(+), 302 deletions(-)
diff --git a/pipelines/maven-zip-build-oci-ta/README.md b/pipelines/maven-zip-build-oci-ta/README.md
index a9870f4dd0..60aa74d8e0 100644
--- a/pipelines/maven-zip-build-oci-ta/README.md
+++ b/pipelines/maven-zip-build-oci-ta/README.md
@@ -1,165 +1,203 @@ # "maven-zip-build-oci-ta pipeline" - This pipeline will build the maven zip to oci-artifact while maintaining trust after pipeline customization. _Uses `prefetch-dependencies` to fetch all artifacts which will be the content of the maven zip, and then uses `build-maven-zip-oci-ta` to create zip and push it to quay.io as oci-artifact. Information is shared between tasks using OCI artifacts instead of PVCs. This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-maven-zip-build-oci-ta?tab=tags)_ ## Parameters - -| name | description | default value | used in (taskname:taskrefversion:taskparam) | -| ------------------- | ------------------------------------------------------------------------------------------------------------------- | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | -| git-url | Source Repository URL | None | clone-repository:0.1:url | -| image-expires-after | Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. 
| | build-oci-artifact:0.1:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER | -| output-image | Fully Qualified Output Image | None | show-summary:0.2:image-url ; init:0.2:image-url ; build-oci-artifact:0.1:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE | -| prefetch-input | Build dependencies to be prefetched by Cachi2 | generic | prefetch-dependencies:0.1:input | -| rebuild | Force rebuild oci-artifact | false | init:0.2:rebuild | -| revision | Revision of the Source Repository | | clone-repository:0.1:revision | -| skip-checks | Skip checks | true | init:0.2:skip-checks | +|name|description|default value|used in (taskname:taskrefversion:taskparam)| +|---|---|---|---| +|git-url| Source Repository URL| None| clone-repository:0.1:url| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | clone-repository:0.1:ociArtifactExpiresAfter ; prefetch-dependencies:0.1:ociArtifactExpiresAfter ; build-oci-artifact:0.1:IMAGE_EXPIRES_AFTER| +|output-image| Fully Qualified Output Image| None| init:0.2:image-url ; clone-repository:0.1:ociStorage ; prefetch-dependencies:0.1:ociStorage ; build-oci-artifact:0.1:IMAGE| +|prefetch-input| Build dependencies to be prefetched by Cachi2| generic| prefetch-dependencies:0.1:input| +|rebuild| Force rebuild image| false| init:0.2:rebuild| +|revision| Revision of the Source Repository| | clone-repository:0.1:revision| +|skip-checks| Skip checks against built image| false| init:0.2:skip-checks| ## Available params from tasks - +### apply-tags:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| 
trusted-ca| | +|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### build-maven-zip-oci-ta:0.1 task parameters - -| name | description | default value | already set by | -| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------- | -------------------------------------------------------- | -| CACHI2_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the prefetched dependencies. | | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)' | -| FILE_NAME | The zip bundle file name of archived artifacts | maven-repository | | -| IMAGE | Reference of the OCI-Artifact this build task will produce. | None | '$(params.output-image)' | -| IMAGE_EXPIRES_AFTER | Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. | | '$(params.image-expires-after)' | -| PREFETCH_ROOT | The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts. | maven-repository | | -| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | -| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. 
| trusted-ca | | - -### init:0.2 task parameters - -| name | description | default value | already set by | -| ----------- | ---------------------------------- | ------------- | ------------------------ | -| image-url | Image URL for build by PipelineRun | None | '$(params.output-image)' | -| rebuild | Rebuild the image if exists | false | '$(params.rebuild)' | -| skip-checks | Skip checks against built image | false | '$(params.skip-checks)' | - +|name|description|default value|already set by| +|---|---|---|---| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|FILE_NAME| The zip bundle file name of archived artifacts| maven-repository| | +|IMAGE| Reference of the OCI-Artifact this build task will produce.| None| '$(params.output-image)'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|PREFETCH_ROOT| The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts.| maven-repository| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | ### git-clone-oci-ta:0.1 task parameters - -| name | description | default value | already set by | -| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------- | ------------------------------- | -| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | -| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. 
| trusted-ca | | -| depth | Perform a shallow clone, fetching only the most recent N commits. | 1 | | -| enableSymlinkCheck | Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true | | -| fetchTags | Fetch all tags for the repo. | false | | -| httpProxy | HTTP proxy server for non-SSL requests. | | | -| httpsProxy | HTTPS proxy server for SSL requests. | | | -| noProxy | Opt out of proxying HTTP/HTTPS requests. | | | -| ociArtifactExpiresAfter | Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire. | | '$(params.image-expires-after)' | -| ociStorage | The OCI repository where the Trusted Artifacts are stored. | None | '$(params.output-image).git' | -| refspec | Refspec to fetch before checking out revision. | | | -| revision | Revision to checkout. (branch, tag, sha, ref, etc...) | | '$(params.revision)' | -| shortCommitLength | Length of short commit SHA | 7 | | -| sparseCheckoutDirectories | Define the directory patterns to match or exclude when performing a sparse checkout. | | | -| sslVerify | Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. | true | | -| submodules | Initialize and fetch git submodules. | true | | -| url | Repository URL to clone from. | None | '$(params.git-url)' | -| userHome | Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. | /tekton/home | | -| verbose | Log the commands that are executed during `git-clone`'s operation. 
| false | | - +|name|description|default value|already set by| +|---|---|---|---| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|depth| Perform a shallow clone, fetching only the most recent N commits.| 1| | +|enableSymlinkCheck| Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true| | +|fetchTags| Fetch all tags for the repo.| false| | +|httpProxy| HTTP proxy server for non-SSL requests.| | | +|httpsProxy| HTTPS proxy server for SSL requests.| | | +|noProxy| Opt out of proxying HTTP/HTTPS requests.| | | +|ociArtifactExpiresAfter| Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.| | '$(params.image-expires-after)'| +|ociStorage| The OCI repository where the Trusted Artifacts are stored.| None| '$(params.output-image).git'| +|refspec| Refspec to fetch before checking out revision.| | | +|revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|shortCommitLength| Length of short commit SHA| 7| | +|sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | +|sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | +|submodules| Initialize and fetch git submodules.| true| | +|url| Repository URL to clone from.| None| '$(params.git-url)'| +|userHome| Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. 
| /tekton/home| | +|verbose| Log the commands that are executed during `git-clone`'s operation.| false| | +### init:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| +|rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| +|skip-checks| Skip checks against built image| false| '$(params.skip-checks)'| ### prefetch-dependencies-oci-ta:0.1 task parameters - -| name | description | default value | already set by | -| ----------------------- | --------------------------------------------------------------------------------------------------------------------------- | ------------- | --------------------------------------------------- | -| SOURCE_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the application source code. | None | '$(tasks.clone-repository.results.SOURCE_ARTIFACT)' | -| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | -| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | -| config-file-content | Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | -| dev-package-managers | Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false | | -| input | Configures project packages that will have their dependencies prefetched. | None | '$(params.prefetch-input)' | -| log-level | Set cachi2 log level (debug, info, warning, error) | info | | -| ociArtifactExpiresAfter | Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire. | | '$(params.image-expires-after)' | -| ociStorage | The OCI repository where the Trusted Artifacts are stored. 
| None | '$(params.output-image).prefetch' | - -### sast-snyk-check-oci-ta:0.2 task parameters - -| name | description | default value | already set by | -| --------------- | ----------------------------------------------------------------------------------- | ------------------------------------------ | -------------------------------------------------------- | -| ARGS | Append arguments. | --all-projects --exclude=test*,vendor,deps | | -| CACHI2_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the prefetched dependencies. | | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)' | -| SNYK_SECRET | Name of secret which contains Snyk token. | snyk-secret | | -| SOURCE_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the application source code. | None | '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)' | -| image-digest | Image digest to report findings for. | | '$(tasks.build-image-index.results.IMAGE_DIGEST)' | -| image-url | Image URL. | | '$(tasks.build-image-index.results.IMAGE_URL)' | - +|name|description|default value|already set by| +|---|---|---|---| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.clone-repository.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|config-file-content| Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | +|dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. 
| false| | +|input| Configures project packages that will have their dependencies prefetched.| None| '$(params.prefetch-input)'| +|log-level| Set cachi2 log level (debug, info, warning, error)| info| | +|ociArtifactExpiresAfter| Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.| | '$(params.image-expires-after)'| +|ociStorage| The OCI repository where the Trusted Artifacts are stored.| None| '$(params.output-image).prefetch'| +### push-dockerfile:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | +|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| +|DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| +|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | +### rpms-signature-scan:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to scan| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|workdir| Directory that will be used for storing temporary files produced by this task. 
| /tmp| | +### sast-snyk-check-oci-ta:0.3 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ARGS| Append arguments.| | | +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | +|KFP_GIT_URL| URL from repository to download known false positives files| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | +|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-url| Image URL.| | '$(tasks.build-oci-artifact.results.IMAGE_URL)'| +### sast-unicode-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|FIND_UNICODE_CONTROL_ARGS| arguments for find-unicode-control command.| -p bidi -v -d -t| | +|FIND_UNICODE_CONTROL_GIT_URL| URL from repository to find unicode control.| https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58| | +|KFP_GIT_URL| URL from repository to download known false positives files.| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (defaults to false). 
If `true`, the excluded findings will be stored in `excluded-findings.json`. | false| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters - -| name | description | default value | already set by | -| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ----------------------------------------------- | -| CA_TRUST_CONFIG_MAP_KEY | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | -| CA_TRUST_CONFIG_MAP_NAME | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | -| IMAGE_URL | Fully qualified image name to show SBOM for. | None | '$(tasks.build-oci-artifact.results.IMAGE_URL)' | -| PLATFORM | Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64". 
| linux/amd64 | | - -### Results - -| name | description | value | -| ----------------- | ----------- | ------------------------------------------------ | -| CHAINS-GIT_COMMIT | | $(tasks.clone-repository.results.commit) | -| CHAINS-GIT_URL | | $(tasks.clone-repository.results.url) | -| IMAGE_DIGEST | | $(tasks.build-oci-artifact.results.IMAGE_DIGEST) | -| IMAGE_URL | | $(tasks.build-oci-artifact.results.IMAGE_URL) | - +|name|description|default value|already set by| +|---|---|---|---| +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-oci-artifact.results.IMAGE_URL)'| +|PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | + +## Results +|name|description|value| +|---|---|---| +|CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| +|CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| +|IMAGE_DIGEST| |$(tasks.build-oci-artifact.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-oci-artifact.results.IMAGE_URL)| ## Available results from tasks - ### build-maven-zip-oci-ta:0.1 task results - -| name | description | used in params (taskname:taskrefversion:taskparam) | -| ------------- | --------------------------------------------------------------------------------- | -------------------------------------------------- | -| IMAGE_DIGEST | Digest of the OCI-Artifact just built | | -| IMAGE_REF | OCI-Artifact reference of the built OCI-Artifact | | -| IMAGE_URL | OCI-Artifact repository and tag where the built OCI-Artifact was pushed | show-sbom:0.1:IMAGE_URL | -| SBOM_BLOB_URL | Reference of SBOM blob digest to enable digest-based verification from 
provenance | | - +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGE_DIGEST| Digest of the OCI-Artifact just built| sast-snyk-check:0.3:image-digest| +|IMAGE_REF| OCI-Artifact reference of the built OCI-Artifact| | +|IMAGE_URL| OCI-Artifact repository and tag where the built OCI-Artifact was pushed| show-sbom:0.1:IMAGE_URL ; sast-snyk-check:0.3:image-url| +|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### git-clone-oci-ta:0.1 task results - -| name | description | used in params (taskname:taskrefversion:taskparam) | -| ----------------- | ------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------- | -| CHAINS-GIT_COMMIT | The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance. | | -| CHAINS-GIT_URL | The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance. | | -| SOURCE_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the application source code. | prefetch-dependencies:0.1:SOURCE_ARTIFACT | -| commit | The precise commit SHA that was fetched by this Task. | build-container:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA | -| commit-timestamp | The commit timestamp of the checkout | | -| short-commit | The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters | | -| url | The precise URL that was fetched by this Task. | | - +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|CHAINS-GIT_COMMIT| The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.| | +|CHAINS-GIT_URL| The precise URL that was fetched by this Task. 
This result uses Chains type hinting to include in the provenance.| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| prefetch-dependencies:0.1:SOURCE_ARTIFACT| +|commit| The precise commit SHA that was fetched by this Task.| | +|commit-timestamp| The commit timestamp of the checkout| | +|short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | +|url| The precise URL that was fetched by this Task.| | ### init:0.2 task results - -| name | description | used in params (taskname:taskrefversion:taskparam) | -| ----- | ------------------------------------------------------- | -------------------------------------------------- | -| build | Defines if the image in param image-url should be built | | - -### sast-snyk-check-oci-ta:0.2 task results - -| name | description | used in params (taskname:taskrefversion:taskparam) | -| ----------- | ------------------------ | -------------------------------------------------- | -| TEST_OUTPUT | Tekton task test output. 
| | - -### Workspaces - -| name | description | optional | used in tasks | -| -------- | ----------- | -------- | -------------------------------------------------------------------------- | -| git-auth | | True | clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth | -| netrc | | True | prefetch-dependencies:0.1:netrc | - +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|build| Defines if the image in param image-url should be built| | +### prefetch-dependencies-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-oci-artifact:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| sast-snyk-check:0.3:SOURCE_ARTIFACT| +### push-dockerfile:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | +### rpms-signature-scan:0.2 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|RPMS_DATA| Information about signed and unsigned RPMs| | +|TEST_OUTPUT| Tekton task test output.| | +### sast-snyk-check-oci-ta:0.3 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-unicode-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | + +## Workspaces +|name|description|optional|used in tasks +|---|---|---|---| +|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| +|netrc| |True| prefetch-dependencies:0.1:netrc| 
+|workspace| |False| sast-unicode-check:0.1:workspace ; push-dockerfile:0.1:workspace| ## Available workspaces from tasks - ### git-clone-oci-ta:0.1 task workspaces - -| name | description | optional | workspace from pipeline | -| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------- | -| basic-auth | A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True | git-auth | -| ssh-directory | A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True | | - +|name|description|optional|workspace from pipeline +|---|---|---|---| +|basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth| +|ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. 
Binding a Secret to this Workspace is strongly recommended over other volume types. | True| | ### prefetch-dependencies-oci-ta:0.1 task workspaces - -| name | description | optional | workspace from pipeline | -| -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------- | -| git-basic-auth | A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True | git-auth | -| netrc | Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True | netrc | +|name|description|optional|workspace from pipeline +|---|---|---|---| +|git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True| git-auth| +|netrc| Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True| netrc| +### push-dockerfile:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace| +### sast-unicode-check:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| | False| workspace| 
diff --git a/pipelines/maven-zip-build/README.md b/pipelines/maven-zip-build/README.md
index 6ddcebe8fd..512cfaeb21 100644
--- a/pipelines/maven-zip-build/README.md
+++ b/pipelines/maven-zip-build/README.md
@@ -1,183 +1,213 @@ # "maven-zip-build pipeline" - This pipeline will build the maven zip to oci-artifact. _Uses `prefetch-dependencies` to fetch all artifacts which will be the content of the maven zip, and then uses `build-maven-zip` to create zip and push it to quay.io as oci-artifact. This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-maven-zip-build?tab=tags)_ ## Parameters - -| name | description | default value | used in (taskname:taskrefversion:taskparam) | -| ------------------- | ------------------------------------------------------------------------------------------------------------------- | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | -| git-url | Source Repository URL | None | clone-repository:0.1:url | -| image-expires-after | Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. 
| | build-oci-artifact:0.1:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER | -| output-image | Fully Qualified Output Image | None | show-summary:0.2:image-url ; init:0.2:image-url ; build-oci-artifact:0.1:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE | -| prefetch-input | Build dependencies to be prefetched by Cachi2 | generic | prefetch-dependencies:0.1:input | -| rebuild | Force rebuild image | false | init:0.2:rebuild | -| revision | Revision of the Source Repository | | clone-repository:0.1:revision | -| skip-checks | Skip checks against built image | true | init:0.2:skip-checks | +|name|description|default value|used in (taskname:taskrefversion:taskparam)| +|---|---|---|---| +|git-url| Source Repository URL| None| clone-repository:0.1:url| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-oci-artifact:0.1:IMAGE_EXPIRES_AFTER| +|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-oci-artifact:0.1:IMAGE| +|prefetch-input| Build dependencies to be prefetched by Cachi2| generic| prefetch-dependencies:0.1:input| +|rebuild| Force rebuild image| false| init:0.2:rebuild| +|revision| Revision of the Source Repository| | clone-repository:0.1:revision| +|skip-checks| Skip checks against built image| false| init:0.2:skip-checks| ## Available params from tasks - +### apply-tags:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| 
'$(tasks.build-image-index.results.IMAGE_URL)'| ### build-maven-zip:0.1 task parameters - -| name | description | default value | already set by | -| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------- | ------------------------------- | -| FILE_NAME | The zip bundle file name of archived artifacts | maven-repository | | -| IMAGE | Reference of the OCI-Artifact this build task will produce. | None | '$(params.output-image)' | -| IMAGE_EXPIRES_AFTER | Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. | | '$(params.image-expires-after)' | -| PREFETCH_ROOT | The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts. | maven-repository | | -| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | -| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | - +|name|description|default value|already set by| +|---|---|---|---| +|FILE_NAME| The zip bundle file name of archived artifacts| maven-repository| | +|IMAGE| Reference of the OCI-Artifact this build task will produce.| None| '$(params.output-image)'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|PREFETCH_ROOT| The root directory of the artifacts under the prefetched directory. 
Will be kept in the maven zip as the top directory for all artifacts.| maven-repository| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | ### git-clone:0.1 task parameters - -| name | description | default value | already set by | -| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------- | -------------------- | -| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | -| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | -| deleteExisting | Clean out the contents of the destination directory if it already exists before cloning. | true | | -| depth | Perform a shallow clone, fetching only the most recent N commits. | 1 | | -| enableSymlinkCheck | Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true | | -| fetchTags | Fetch all tags for the repo. | false | | -| gitInitImage | Deprecated. Has no effect. Will be removed in the future. | | | -| httpProxy | HTTP proxy server for non-SSL requests. | | | -| httpsProxy | HTTPS proxy server for SSL requests. | | | -| noProxy | Opt out of proxying HTTP/HTTPS requests. | | | -| refspec | Refspec to fetch before checking out revision. | | | -| revision | Revision to checkout. (branch, tag, sha, ref, etc...) | | '$(params.revision)' | -| shortCommitLength | Length of short commit SHA | 7 | | -| sparseCheckoutDirectories | Define the directory patterns to match or exclude when performing a sparse checkout. | | | -| sslVerify | Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. 
| true | | -| subdirectory | Subdirectory inside the `output` Workspace to clone the repo into. | source | | -| submodules | Initialize and fetch git submodules. | true | | -| url | Repository URL to clone from. | None | '$(params.git-url)' | -| userHome | Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. | /tekton/home | | -| verbose | Log the commands that are executed during `git-clone`'s operation. | false | | - +|name|description|default value|already set by| +|---|---|---|---| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|deleteExisting| Clean out the contents of the destination directory if it already exists before cloning.| true| | +|depth| Perform a shallow clone, fetching only the most recent N commits.| 1| | +|enableSymlinkCheck| Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true| | +|fetchTags| Fetch all tags for the repo.| false| | +|gitInitImage| Deprecated. Has no effect. Will be removed in the future.| | | +|httpProxy| HTTP proxy server for non-SSL requests.| | | +|httpsProxy| HTTPS proxy server for SSL requests.| | | +|noProxy| Opt out of proxying HTTP/HTTPS requests.| | | +|refspec| Refspec to fetch before checking out revision.| | | +|revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|shortCommitLength| Length of short commit SHA| 7| | +|sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | +|sslVerify| Set the `http.sslVerify` global git config. 
Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | +|subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| | +|submodules| Initialize and fetch git submodules.| true| | +|url| Repository URL to clone from.| None| '$(params.git-url)'| +|userHome| Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. | /tekton/home| | +|verbose| Log the commands that are executed during `git-clone`'s operation.| false| | ### init:0.2 task parameters - -| name | description | default value | already set by | -| ----------- | ---------------------------------- | ------------- | ------------------------ | -| image-url | Image URL for build by PipelineRun | None | '$(params.output-image)' | -| rebuild | Rebuild the image if exists | false | '$(params.rebuild)' | -| skip-checks | Skip checks against built image | false | '$(params.skip-checks)' | - +|name|description|default value|already set by| +|---|---|---|---| +|image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| +|rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| +|skip-checks| Skip checks against built image| false| '$(params.skip-checks)'| ### prefetch-dependencies:0.1 task parameters - -| name | description | default value | already set by | -| -------------------- | -------------------------------------------------------------------------------------------------------------------------- | ------------- | -------------------------- | -| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | -| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | -| config-file-content | Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! 
| | | -| dev-package-managers | Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false | | -| input | Configures project packages that will have their dependencies prefetched. | None | '$(params.prefetch-input)' | -| log-level | Set cachi2 log level (debug, info, warning, error) | info | | - -### sast-snyk-check:0.2 task parameters - -| name | description | default value | already set by | -| ------------ | ----------------------------------------- | ------------------------------------------ | ------------------------------------------------- | -| ARGS | Append arguments. | --all-projects --exclude=test*,vendor,deps | | -| SNYK_SECRET | Name of secret which contains Snyk token. | snyk-secret | | -| image-digest | Image digest to report findings for. | | '$(tasks.build-image-index.results.IMAGE_DIGEST)' | -| image-url | Image URL. | | '$(tasks.build-image-index.results.IMAGE_URL)' | - +|name|description|default value|already set by| +|---|---|---|---| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|config-file-content| Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | +|dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. 
| false| | +|input| Configures project packages that will have their dependencies prefetched.| None| '$(params.prefetch-input)'| +|log-level| Set cachi2 log level (debug, info, warning, error)| info| | +### push-dockerfile:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | +|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| +|DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| +|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | +### rpms-signature-scan:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to scan| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | +### sast-snyk-check:0.3 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ARGS| Append arguments.| | | +|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | +|KFP_GIT_URL| URL from repository to download known false positives files| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. 
By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | +|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-url| Image URL.| | '$(tasks.build-oci-artifact.results.IMAGE_URL)'| +### sast-unicode-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|FIND_UNICODE_CONTROL_ARGS| arguments for find-unicode-control command.| -p bidi -v -d -t| | +|FIND_UNICODE_CONTROL_GIT_URL| URL from repository to find unicode control.| https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58| | +|KFP_GIT_URL| URL from repository to download known false positives files.| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (defaults to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. 
| false| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters - -| name | description | default value | already set by | -| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ----------------------------------------------- | -| CA_TRUST_CONFIG_MAP_KEY | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | -| CA_TRUST_CONFIG_MAP_NAME | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | -| IMAGE_URL | Fully qualified image name to show SBOM for. | None | '$(tasks.build-oci-artifact.results.IMAGE_URL)' | -| PLATFORM | Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64". | linux/amd64 | | - +|name|description|default value|already set by| +|---|---|---|---| +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-oci-artifact.results.IMAGE_URL)'| +|PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". 
If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | ### summary:0.2 task parameters - -| name | description | default value | already set by | -| ----------------- | ---------------------------------- | ------------- | -------------------------------------------------------------------------------------- | -| build-task-status | State of build task in pipelineRun | Succeeded | '$(tasks.build-oci-artifact.status)' | -| git-url | Git URL | None | '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)' | -| image-url | Image URL | None | '$(params.output-image)' | -| pipelinerun-name | pipeline-run to annotate | None | '$(context.pipelineRun.name)' | +|name|description|default value|already set by| +|---|---|---|---| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-oci-artifact.status)'| +|git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| +|image-url| Image URL| None| '$(params.output-image)'| +|pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| ## Results - -| name | description | value | -| ----------------- | ----------- | ------------------------------------------------ | -| CHAINS-GIT_COMMIT | | $(tasks.clone-repository.results.commit) | -| CHAINS-GIT_URL | | $(tasks.clone-repository.results.url) | -| IMAGE_DIGEST | | $(tasks.build-oci-artifact.results.IMAGE_DIGEST) | -| IMAGE_URL | | $(tasks.build-oci-artifact.results.IMAGE_URL) | - +|name|description|value| +|---|---|---| +|CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| +|CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| +|IMAGE_DIGEST| |$(tasks.build-oci-artifact.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-oci-artifact.results.IMAGE_URL)| ## Available results from tasks - ### build-maven-zip:0.1 task results - -| name | description | used in params 
(taskname:taskrefversion:taskparam) | -| ------------- | --------------------------------------------------------------------------------- | -------------------------------------------------- | -| IMAGE_DIGEST | Digest of the OCI-Artifact just built | | -| IMAGE_REF | OCI-Artifact reference of the built OCI-Artifact | | -| IMAGE_URL | OCI-Artifact repository and tag where the built OCI-Artifact was pushed | show-sbom:0.1:IMAGE_URL | -| SBOM_BLOB_URL | Reference of SBOM blob digest to enable digest-based verification from provenance | | - +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGE_DIGEST| Digest of the OCI-Artifact just built| sast-snyk-check:0.3:image-digest| +|IMAGE_REF| OCI-Artifact reference of the built OCI-Artifact| | +|IMAGE_URL| OCI-Artifact repository and tag where the built OCI-Artifact was pushed| show-sbom:0.1:IMAGE_URL ; sast-snyk-check:0.3:image-url| +|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### git-clone:0.1 task results - -| name | description | used in params (taskname:taskrefversion:taskparam) | -| ----------------- | ------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------- | -| CHAINS-GIT_COMMIT | The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance. | | -| CHAINS-GIT_URL | The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance. | | -| commit | The precise commit SHA that was fetched by this Task. | build-image-index:0.1:COMMIT_SHA | -| commit-timestamp | The commit timestamp of the checkout | | -| short-commit | The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters | | -| url | The precise URL that was fetched by this Task. 
| show-summary:0.2:git-url | - +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|CHAINS-GIT_COMMIT| The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.| | +|CHAINS-GIT_URL| The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.| | +|commit| The precise commit SHA that was fetched by this Task.| | +|commit-timestamp| The commit timestamp of the checkout| | +|short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | +|url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| ### init:0.2 task results - -| name | description | used in params (taskname:taskrefversion:taskparam) | -| ----- | ------------------------------------------------------- | -------------------------------------------------- | -| build | Defines if the image in param image-url should be built | | - -### sast-snyk-check:0.2 task results - -| name | description | used in params (taskname:taskrefversion:taskparam) | -| ----------- | ------------------------ | -------------------------------------------------- | -| TEST_OUTPUT | Tekton task test output. 
| | - -### Workspaces - -| name | description | optional | used in tasks | -| --------- | ----------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| git-auth | | True | clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth | -| netrc | | True | prefetch-dependencies:0.1:netrc | -| workspace | | False | show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-oci-artifact:0.1:source ; sast-snyk-check:0.2:workspace | - +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|build| Defines if the image in param image-url should be built| | +### push-dockerfile:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | +### rpms-signature-scan:0.2 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|RPMS_DATA| Information about signed and unsigned RPMs| | +|TEST_OUTPUT| Tekton task test output.| | +### sast-snyk-check:0.3 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-unicode-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | + +## Workspaces +|name|description|optional|used in tasks +|---|---|---|---| +|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| +|netrc| |True| prefetch-dependencies:0.1:netrc| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-oci-artifact:0.1:source ; sast-snyk-check:0.3:workspace ; 
sast-unicode-check:0.1:workspace ; push-dockerfile:0.1:workspace| ## Available workspaces from tasks - ### build-maven-zip:0.1 task workspaces - -| name | description | optional | workspace from pipeline | -| ------ | ---------------------------------------------- | -------- | ----------------------- | -| source | Workspace containing the source code to build. | False | workspace | - +|name|description|optional|workspace from pipeline +|---|---|---|---| +|source| Workspace containing the source code to build.| False| workspace| ### git-clone:0.1 task workspaces - -| name | description | optional | workspace from pipeline | -| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------- | -| basic-auth | A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True | git-auth | -| output | The git repo will be cloned onto the volume backing this Workspace. | False | workspace | -| ssh-directory | A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. 
| True | | - +|name|description|optional|workspace from pipeline +|---|---|---|---| +|basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth| +|output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace| +|ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| | ### prefetch-dependencies:0.1 task workspaces - -| name | description | optional | workspace from pipeline | -| -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------- | -| git-basic-auth | A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True | git-auth | -| netrc | Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. 
| True | netrc | -| source | Workspace with the source code, cachi2 artifacts will be stored on the workspace as well | False | workspace | - +|name|description|optional|workspace from pipeline +|---|---|---|---| +|git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True| git-auth| +|netrc| Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True| netrc| +|source| Workspace with the source code, cachi2 artifacts will be stored on the workspace as well| False| workspace| +### push-dockerfile:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace| +### sast-snyk-check:0.3 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| | False| workspace| +### sast-unicode-check:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| | False| workspace| ### summary:0.2 task workspaces - -| name | description | optional | workspace from pipeline | -| --------- | -------------------------------------------- | -------- | ----------------------- | -| workspace | The workspace where source code is included. | True | workspace | +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| The workspace where source code is included.| True| workspace| From 08fd75ffc25aa363244543542ed06daab8d3d522 Mon Sep 17 00:00:00 2001 
From: Zoran Regvart Date: Tue, 26 Nov 2024 16:43:23 +0100 Subject: [PATCH 03/51] Improve listing changed files in a commit We ended up with revision 3b215506e4ecc70c287785eeda9dbf8a4350b2fe for several Tasks in the acceptable bundles, seems that the `git log` method was also listing the files that were brought in by merging the main branch onto the pull request branch. This switches to using GitHub CLI to search for a merged pull request that contains the top commit (`$REVISION`), and then lists the changed files in that pull request. This should contain only the list of files that were changed in the pull request and not any changed files in a merge commit. Reference: https://issues.redhat.com/browse/EC-1015 --- .tekton/scripts/build-acceptable-bundles.sh | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/.tekton/scripts/build-acceptable-bundles.sh b/.tekton/scripts/build-acceptable-bundles.sh index 6a2b9599a3..3034baa96f 100755 --- a/.tekton/scripts/build-acceptable-bundles.sh +++ b/.tekton/scripts/build-acceptable-bundles.sh @@ -7,10 +7,14 @@ set -o pipefail DATA_BUNDLE_REPO="${DATA_BUNDLE_REPO:-quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles}" mapfile -t BUNDLES < <(cat "$@") +pr_number=$(gh search prs --repo konflux-ci/build-definitions --merged "${REVISION}" --json number --jq '.[].number') + +# changed files in a PR +mapfile -t changed_files < <(gh pr view "https://github.com/konflux-ci/build-definitions/pull/${pr_number}" --json files --jq '.files.[].path') # store a list of changed task files task_records=() # loop over all changed files -for path in $(git log -m -1 --name-only --pretty="format:" "${REVISION}"); do +for path in "${changed_files[@]}"; do # check that the file modified is the task file if [[ "${path}" == task/*/*/*.yaml ]]; then IFS='/' read -r -a path_array <<< "${path}" 
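Review bot: `pr_number=$(gh search prs … --jq '.[].number')` is used unchecked, but a search can return zero or several numbers: an empty result yields the URL `…/pull/` and more than one result yields a newline-joined URL, and because `changed_files` is filled by `mapfile` from a process substitution the resulting `gh pr view` failure is not caught by `pipefail` (or by `set -e`, if the script enables it above this hunk, which is not visible here), so the loop silently runs over an empty list. The search term is a bare SHA, which GitHub matches against PR commits but presumably also against PR text, so a merged PR that merely mentions the revision could be picked; requiring exactly one match makes either mismatch loud. Consider collecting the numbers into an array and failing unless exactly one was found, for example:
```shell
mapfile -t pr_numbers < <(gh search prs --repo konflux-ci/build-definitions --merged "${REVISION}" --json number --jq '.[].number')
if (( ${#pr_numbers[@]} != 1 )); then
  echo "Expected exactly one merged PR containing ${REVISION}, found ${#pr_numbers[@]}: ${pr_numbers[*]}" >&2
  exit 1
fi
pr_number="${pr_numbers[0]}"
# … unchanged: changed files in a PR, task_records loop …
```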
@@ -30,6 +34,11 @@ printf '%s\n' "${task_records[@]}"
 echo "Bundles to be added:"
 printf '%s\n' "${BUNDLES[@]}"
+if [[ -z ${task_records[*]} && -z ${BUNDLES[*]} ]]; then
+ echo Nothing to do...
+ exit 0
+fi
+
 # The OPA data bundle is tagged with the current timestamp. This has two main
 # advantages. First, it prevents the image from accidentally not having any tags,
 # and getting garbage collected. Second, it helps us create a timeline of the
From 9a0aa304d8fa7a1ac0cc049378693117008043c9 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 4 Dec 2024 12:25:59 +0000 Subject: [PATCH 04/51] chore(deps): update quay.io/redhat-appstudio/build-trusted-artifacts:latest docker digest to 52f1391 --- task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml | 2 +- task/build-vm-image/0.1/build-vm-image.yaml | 2 +- task/buildah-oci-ta/0.1/buildah-oci-ta.yaml | 2 +- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 2 +- task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml | 2 +- task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml | 2 +- .../0.1/coverity-availability-check-oci-ta.yaml | 2 +- task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml | 2 +- task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml | 2 +- .../0.1/prefetch-dependencies-oci-ta.yaml | 4 ++-- task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml | 2 +- task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml | 2 +- .../0.1/sast-coverity-check-oci-ta.yaml | 2 +- task/sast-shell-check-oci-ta/0.1/sast-shell-check-oci-ta.yaml | 2 +- task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml | 2 +- task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml | 2 +- task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml | 2 +- .../0.1/sast-unicode-check-oci-ta.yaml | 2 +- task/source-build-oci-ta/0.1/source-build-oci-ta.yaml | 2 +- task/tkn-bundle-oci-ta/0.1/tkn-bundle-oci-ta.yaml | 2 +- 20 files changed, 21 insertions(+), 21 deletions(-)
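Review bot: The emptiness test on the new `if` line uses `-z ${task_records[*]}`, which cannot tell an empty array from one holding a single empty string, and `echo Nothing to do...` is left unquoted so the message depends on word splitting; the idiomatic form checks element counts and quotes the message, `if (( ${#task_records[@]} == 0 && ${#BUNDLES[@]} == 0 )); then` followed by `echo "Nothing to do..."`. Because this path exits with success, a comment above the `if` should say that an empty `task_records` is the expected outcome when the pull request touched no `task/*/*/*.yaml` file, so a reader does not mistake the early exit for error handling. The loop that fills `task_records` lies outside this hunk.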
diff --git a/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml b/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml
index f212a9fb23..17a60f49b1 100644
--- a/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml
+++ b/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml
@@ -89,7 +89,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
diff --git a/task/build-vm-image/0.1/build-vm-image.yaml b/task/build-vm-image/0.1/build-vm-image.yaml
index 5ada826f85..009ad27703 100644
--- a/task/build-vm-image/0.1/build-vm-image.yaml
+++ b/task/build-vm-image/0.1/build-vm-image.yaml
@@ -65,7 +65,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
index 9225ffff66..cf47fc5e8a 100644
--- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
@@ -215,7 +215,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
index 4e5bdf7c8d..f4398eafc7 100644
--- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -221,7 +221,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
index d1437c8bbb..0e07f2fddd 100644
--- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
+++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
@@ -197,7 +197,7 @@ spec:
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
 - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
 computeResources: {}
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 name: use-trusted-artifact
 - args:
 - $(params.BUILD_ARGS[*])
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
index ce75471d4e..307847cc55 100644
--- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
+++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
@@ -211,7 +211,7 @@ spec:
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
 - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
 computeResources: {}
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 name: use-trusted-artifact
 - args:
 - --build-args
diff --git a/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml b/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml
index cc112db4ef..7431660c92 100644
--- a/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml
+++ b/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml
@@ -51,7 +51,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml
index 579931cc9e..3629da9fd7 100644
--- a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml
+++ b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml
@@ -298,7 +298,7 @@ spec:
 check_symlinks
 fi
 - name: create-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - create
 - --store
diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
index 1457c93420..63b889abeb 100644
--- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
+++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml
@@ -66,7 +66,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml
index ecc4b44d93..fe5cdd194f 100644
--- a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml
+++ b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml
@@ -130,7 +130,7 @@ spec:
 echo -n "" >$(results.CACHI2_ARTIFACT.path)
 fi
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
@@ -226,7 +226,7 @@ spec:
 cachi2 --log-level="$LOG_LEVEL" inject-files /var/workdir/cachi2/output \
 --for-output-dir=/cachi2/output
 - name: create-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - create
 - --store
diff --git a/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml b/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml
index 08debbec68..4ccb25d2d2 100644
--- a/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml
+++ b/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml
@@ -53,7 +53,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml b/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml
index 977e06a05d..bb03a4da3b 100644
--- a/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml
+++ b/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml
@@ -104,7 +104,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml b/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml
index caa7c87a6b..ccbcd85a6f 100644
--- a/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml
+++ b/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml
@@ -95,7 +95,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/sast-shell-check-oci-ta/0.1/sast-shell-check-oci-ta.yaml b/task/sast-shell-check-oci-ta/0.1/sast-shell-check-oci-ta.yaml
index 5375a156c1..71b6a92119 100644
--- a/task/sast-shell-check-oci-ta/0.1/sast-shell-check-oci-ta.yaml
+++ b/task/sast-shell-check-oci-ta/0.1/sast-shell-check-oci-ta.yaml
@@ -78,7 +78,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml
index fdd308f97b..c8b7d72325 100644
--- a/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml
+++ b/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml
@@ -53,7 +53,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml
index 863cc3b340..f1578a9187 100644
--- a/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml
+++ b/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml
@@ -58,7 +58,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml
index a2652be712..654c12373a 100644
--- a/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml
+++ b/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml
@@ -89,7 +89,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml b/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml
index 6b927e9e8c..2b6c71185f 100644
--- a/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml
+++ b/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml
@@ -76,7 +76,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:a83c92fc0a1e2c785937c6612dc8c8237818535543f00ecaf6b3b77a35f76259
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml
index 590a027f56..53c4f0389a 100644
--- a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml
+++ b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml
@@ -55,7 +55,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/tkn-bundle-oci-ta/0.1/tkn-bundle-oci-ta.yaml b/task/tkn-bundle-oci-ta/0.1/tkn-bundle-oci-ta.yaml
index 3ec3988d4c..88ab3bc167 100644
--- a/task/tkn-bundle-oci-ta/0.1/tkn-bundle-oci-ta.yaml
+++ b/task/tkn-bundle-oci-ta/0.1/tkn-bundle-oci-ta.yaml
@@ -54,7 +54,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
From eda6e0fd5dad5b721ce956fcbb8c7bea3f724e11 Mon Sep 17 00:00:00 2001 From: arewm Date: Wed, 4 Dec 2024 15:06:24 -0500 Subject: [PATCH 05/51] Convert FBC pipeline to use trusted artifacts This also changes the FBC pipeline to be multi-arch enabled by default. Signed-off-by: arewm --- pipelines/fbc-builder/README.md | 92 +++++++++++++----------- pipelines/fbc-builder/kustomization.yaml | 2 +- pipelines/fbc-builder/patch.yaml | 43 +++++------ 3 files changed, 72 insertions(+), 65 deletions(-)
diff --git a/pipelines/fbc-builder/README.md b/pipelines/fbc-builder/README.md
index 8eaa61f29e..903f6230c5 100644
--- a/pipelines/fbc-builder/README.md
+++ b/pipelines/fbc-builder/README.md
@@ -7,15 +7,18 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ## Parameters |name|description|default value|used in (taskname:taskrefversion:taskparam)| |---|---|---|---| -|build-image-index| Add built image into an OCI image index| false| build-image-index:0.1:ALWAYS_BUILD_INDEX| +|build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-images:0.2:BUILD_ARGS| +|build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-images:0.2:BUILD_ARGS_FILE| +|build-image-index| Add built image into an OCI image index| true| build-image-index:0.1:ALWAYS_BUILD_INDEX| +|build-platforms| List of platforms to build the container images on. The available set of values is determined by the configuration of the multi-platform-controller.| ['linux/x86_64']| | |build-source-image| Build a source image.| false| | -|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.2:DOCKERFILE| +|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-images:0.2:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| -|hermetic| Execute the build with network isolation| true| build-container:0.2:HERMETIC| -|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.2:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| -|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.2:IMAGE ; build-image-index:0.1:IMAGE| -|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.2:CONTEXT| -|prefetch-input| Build dependencies to be prefetched by Cachi2| | | +|hermetic| Execute the build with 
network isolation| true| build-images:0.2:HERMETIC| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | clone-repository:0.1:ociArtifactExpiresAfter ; prefetch-dependencies:0.1:ociArtifactExpiresAfter ; build-images:0.2:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| +|output-image| Fully Qualified Output Image| None| init:0.2:image-url ; clone-repository:0.1:ociStorage ; prefetch-dependencies:0.1:ociStorage ; build-images:0.2:IMAGE ; build-image-index:0.1:IMAGE| +|path-context| Path to the source code of an application's component from where to build image.| .| build-images:0.2:CONTEXT| +|prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input ; build-images:0.2:PREFETCH_INPUT| |rebuild| Force rebuild image| false| init:0.2:rebuild| |revision| Revision of the Source Repository| | clone-repository:0.1:revision| |skip-checks| Skip checks against built image| false| init:0.2:skip-checks| 
@@ -34,28 +37,32 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |ALWAYS_BUILD_INDEX| Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.| true| '$(params.build-image-index)'| |COMMIT_SHA| The commit the image is built from.| | '$(tasks.clone-repository.results.commit)'| |IMAGE| The target image and tag where the image will be pushed to.| None| '$(params.output-image)'| -|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)']'| +|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-images.results.IMAGE_REF[*])']'| |IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. 
Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| |STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | |TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | -### buildah:0.2 task parameters +### buildah-remote-oci-ta:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| | |ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | | -|BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| | -|BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | | +|BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| '['$(params.build-args[*])']'| +|BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | '$(params.build-args-file)'| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| |COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'| |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| |DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'| |ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| | |HERMETIC| Determines if build will be executed without network access.| false| '$(params.hermetic)'| |IMAGE| Reference of the image buildah will produce.| None| '$(params.output-image)'| +|IMAGE_APPEND_PLATFORM| Whether to append 
a sanitized platform architecture on the IMAGE tag| false| 'true'| |IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| |LABELS| Additional key=value labels that should be applied to the image| []| | -|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | | +|PLATFORM| The platform to build on| None| | +|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | |STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | |TARGET_STAGE| Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.| | | 
@@ -75,25 +82,24 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | |POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | -### git-clone:0.1 task parameters +### git-clone-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|deleteExisting| Clean out the contents of the destination directory if it already exists before cloning.| true| | |depth| Perform a shallow clone, fetching only the most recent N commits.| 1| | |enableSymlinkCheck| Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true| | |fetchTags| Fetch all tags for the repo.| false| | -|gitInitImage| Deprecated. Has no effect. Will be removed in the future.| | | |httpProxy| HTTP proxy server for non-SSL requests.| | | |httpsProxy| HTTPS proxy server for SSL requests.| | | |noProxy| Opt out of proxying HTTP/HTTPS requests.| | | +|ociArtifactExpiresAfter| Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.| | '$(params.image-expires-after)'| +|ociStorage| The OCI repository where the Trusted Artifacts are stored.| None| '$(params.output-image).git'| |refspec| Refspec to fetch before checking out revision.| | | |revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| |shortCommitLength| Length of short commit SHA| 7| | |sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | |sslVerify| Set the `http.sslVerify` global git config. 
Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | -|subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| | |submodules| Initialize and fetch git submodules.| true| | |url| Repository URL to clone from.| None| '$(params.git-url)'| |userHome| Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. | /tekton/home| | 
@@ -104,6 +110,18 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| |rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| |skip-checks| Skip checks against built image| false| '$(params.skip-checks)'| +### prefetch-dependencies-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.clone-repository.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|config-file-content| Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | +|dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false| | +|input| Configures project packages that will have their dependencies prefetched.| None| '$(params.prefetch-input)'| +|log-level| Set cachi2 log level (debug, info, warning, error)| info| | +|ociArtifactExpiresAfter| Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.| | '$(params.image-expires-after)'| +|ociStorage| The OCI repository where the Trusted Artifacts are stored.| None| '$(params.output-image).prefetch'| ### show-sbom:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -111,13 +129,6 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | -### summary:0.2 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-image-index.status)'| -|git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| -|image-url| Image URL| None| '$(params.output-image)'| -|pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| ### validate-fbc:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -140,12 +151,12 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | |IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; apply-tags:0.1:IMAGE ; validate-fbc:0.1:IMAGE_URL| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | -### buildah:0.2 task results +### buildah-remote-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGE_DIGEST| Digest of the image just built| | -|IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| +|IMAGE_REF| Image reference of the built image| build-image-index:0.1:IMAGES| +|IMAGE_URL| Image repository and tag where the built image was pushed| | |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | 
@@ -154,19 +165,25 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---| |IMAGES_PROCESSED| Images processed in the task.| | |TEST_OUTPUT| Tekton task test output.| | -### git-clone:0.1 task results +### git-clone-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |CHAINS-GIT_COMMIT| The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.| | |CHAINS-GIT_URL| The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.| | -|commit| The precise commit SHA that was fetched by this Task.| build-container:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| prefetch-dependencies:0.1:SOURCE_ARTIFACT| +|commit| The precise commit SHA that was fetched by this Task.| build-images:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | |short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | -|url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| +|url| The precise URL that was fetched by this Task.| | ### init:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |build| Defines if the image in param image-url should be built| | +### prefetch-dependencies-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-images:0.2:CACHI2_ARTIFACT| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-images:0.2:SOURCE_ARTIFACT| ### validate-fbc:0.1 task results 
|name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| 
@@ -178,21 +195,16 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ## Workspaces |name|description|optional|used in tasks |---|---|---|---| -|git-auth| |True| clone-repository:0.1:basic-auth| -|netrc| |True| | -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; build-container:0.2:source| +|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| +|netrc| |True| prefetch-dependencies:0.1:netrc| ## Available workspaces from tasks -### buildah:0.2 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|source| Workspace containing the source code to build.| False| workspace| -### git-clone:0.1 task workspaces +### git-clone-oci-ta:0.1 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| |basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth| -|output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace| |ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| | -### summary:0.2 task workspaces +### prefetch-dependencies-oci-ta:0.1 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| -|workspace| The workspace where source code is included.| True| workspace| +|git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. 
These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True| git-auth| +|netrc| Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True| netrc| diff --git a/pipelines/fbc-builder/kustomization.yaml b/pipelines/fbc-builder/kustomization.yaml index 64f7ba8a8b..f5c1a4cfe3 100644 --- a/pipelines/fbc-builder/kustomization.yaml +++ b/pipelines/fbc-builder/kustomization.yaml @@ -1,7 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ../template-build +- ../docker-build-multi-platform-oci-ta patches: - path: patch.yaml diff --git a/pipelines/fbc-builder/patch.yaml b/pipelines/fbc-builder/patch.yaml index 1366d1d2a1..670b45f63d 100644 --- a/pipelines/fbc-builder/patch.yaml +++ b/pipelines/fbc-builder/patch.yaml 
@@ -15,35 +15,32 @@ "pipelines.openshift.io/used-by": "build-cloud" "pipelines.openshift.io/runtime": "fbc" "pipelines.openshift.io/strategy": "fbc" +# Customize parameters +# $ kustomize build pipelines/docker-build-multi-platform-oci-ta | yq ".spec.params.[].name" | nl -v 0 +# 0 git-url +# 1 revision +# 2 output-image +# 3 path-context +# 4 dockerfile +# 5 rebuild +# 6 skip-checks +# 7 hermetic +# 8 prefetch-input +# 9 image-expires-after +# 10 build-source-image +# 11 build-image-index +# 12 build-args +# 13 build-args-file +# 14 build-platforms - op: replace path: /spec/params/7/default value: "true" -- op: replace - path: /spec/tasks/3/taskRef - value: - name: buildah - version: "0.2" -- op: add - path: /spec/tasks/3/params - value: - - name: IMAGE - value: $(params.output-image) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: IMAGE_EXPIRES_AFTER - value: "$(params.image-expires-after)" - - name: COMMIT_SHA - value: "$(tasks.clone-repository.results.commit)" # Remove tasks -# yq ".spec.tasks.[].name" pipelines/template-build/template-build.yaml | nl -v 0 +# $ kustomize build pipelines/docker-build-multi-platform-oci-ta | yq ".spec.tasks.[].name" | nl -v 0 # 0 init # 1 clone-repository # 2 prefetch-dependencies -# 3 build-container +# 3 build-images # 4 build-image-index # 5 build-source-image # 6 deprecated-base-image-check @@ -83,8 +80,6 @@ path: /spec/tasks/7 # clair-scan - op: remove path: /spec/tasks/5 # build-source-image -- op: remove - path: /spec/tasks/2 # prefetch-dependencies - op: add path: /spec/tasks/- value: From d550bc5f4610fe09081d2c177bf4aef64775a66a Mon Sep 17 00:00:00 2001 
From: arewm Date: Wed, 4 Dec 2024 21:57:05 -0500 Subject: [PATCH 06/51] improve pipeline visualization Visualization of taskruns is based off of the presence of runAfter links. While Tekton can determine the dependency based on result references, the console cannot. ref: OCPBUGS-42076 Signed-off-by: arewm --- .tekton/pull-request.yaml | 52 ++++++++++++++++++++------------------- 1 file changed, 27 insertions(+), 25 deletions(-) diff --git a/.tekton/pull-request.yaml b/.tekton/pull-request.yaml index 9e4183bcd4..6335aeec96 100644 --- a/.tekton/pull-request.yaml +++ b/.tekton/pull-request.yaml @@ -36,6 +36,27 @@ spec: value: $(params.revision) - name: depth value: "0" + - name: build-appstudio-utils + runAfter: + - fetch-repository + params: + - name: IMAGE + value: quay.io/konflux-ci/pull-request-builds:appstudio-utils-{{revision}} + - name: CONTEXT + value: appstudio-utils + taskRef: + name: buildah + workspaces: + - name: source + workspace: workspace + - name: sast-snyk-check + runAfter: + - fetch-repository + taskRef: + name: sast-snyk-check + workspaces: + - name: workspace + workspace: workspace - name: task-switchboard taskRef: name: task-switchboard @@ -58,20 +79,12 @@ spec: operator: "in" values: ["$(tasks.task-switchboard.results.bindings[*])"] runAfter: - - fetch-repository + - task-switchboard taskRef: name: task-lint workspaces: - name: shared-workspace workspace: workspace - - name: sast-snyk-check - runAfter: - - fetch-repository - taskRef: - name: sast-snyk-check - workspaces: - - name: workspace - workspace: workspace - name: sast-unicode-check runAfter: - build-appstudio-utils 
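Review bot: The task-lint entry in the `@@ -58,20 +79,12 @@` hunk now lists only `task-switchboard` in `runAfter`, so its ordering after `fetch-repository` rests on `task-switchboard` itself being ordered after the clone, which these hunks do not show (`task-switchboard` appears with a `taskRef` but no visible `runAfter`). If the switchboard has no such dependency, a task that reads the shared workspace could be scheduled before the clone has populated it; a comment on the switchboard entry such as `# every when-gated task now lists this task in runAfter; it must itself run after fetch-repository so the workspace is populated` would record the assumption the change depends on. The same `fetch-repository` to `task-switchboard` replacement is made for check-partner-tasks, ec-checks and the migration-md check in the next hunks of this file, and the new `runAfter` added at `@@ -153,6 +153,8 @@` has the same dependency. The `sast-snyk-check` and `build-appstudio-utils` changes in the first hunk only relocate existing entries.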
@@ -80,26 +93,13 @@ spec: workspaces: - name: workspace workspace: workspace - - name: build-appstudio-utils - runAfter: - - fetch-repository - params: - - name: IMAGE - value: quay.io/konflux-ci/pull-request-builds:appstudio-utils-{{revision}} - - name: CONTEXT - value: appstudio-utils - taskRef: - name: buildah - workspaces: - - name: source - workspace: workspace - name: check-partner-tasks when: - input: "check_partner_tasks" operator: "in" values: ["$(tasks.task-switchboard.results.bindings[*])"] runAfter: - - build-appstudio-utils + - task-switchboard taskSpec: steps: - name: check-task-structure @@ -153,6 +153,8 @@ spec: - input: "tasks_pipelines" operator: "in" values: ["$(tasks.task-switchboard.results.bindings[*])"] + runAfter: + - task-switchboard params: - name: revision value: "{{ revision }}" @@ -253,7 +255,7 @@ spec: operator: "in" values: ["$(tasks.task-switchboard.results.bindings[*])"] runAfter: - - fetch-repository + - task-switchboard taskRef: name: ec-checks workspaces: @@ -265,7 +267,7 @@ spec: operator: "in" values: ["$(tasks.task-switchboard.results.bindings[*])"] runAfter: - - fetch-repository + - task-switchboard taskSpec: steps: - name: check-task-migration-md From 609f834ed3673445765d04e52844c1417e6ae065 Mon Sep 17 00:00:00 2001 From: Zoran Regvart Date: Thu, 5 Dec 2024 15:13:55 +0100 Subject: [PATCH 07/51] Revert "Improve listing changed files in a commit" This reverts commit 08fd75ffc25aa363244543542ed06daab8d3d522. --- .tekton/scripts/build-acceptable-bundles.sh | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/.tekton/scripts/build-acceptable-bundles.sh b/.tekton/scripts/build-acceptable-bundles.sh index 3034baa96f..6a2b9599a3 100755 --- a/.tekton/scripts/build-acceptable-bundles.sh +++ b/.tekton/scripts/build-acceptable-bundles.sh 
@@ -7,14 +7,10 @@ set -o pipefail DATA_BUNDLE_REPO="${DATA_BUNDLE_REPO:-quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles}" mapfile -t BUNDLES < <(cat "$@") -pr_number=$(gh search prs --repo konflux-ci/build-definitions --merged "${REVISION}" --json number --jq '.[].number') - -# changed files in a PR -mapfile -t changed_files < <(gh pr view "https://github.com/konflux-ci/build-definitions/pull/${pr_number}" --json files --jq '.files.[].path') # store a list of changed task files task_records=() # loop over all changed files -for path in "${changed_files[@]}"; do +for path in $(git log -m -1 --name-only --pretty="format:" "${REVISION}"); do # check that the file modified is the task file if [[ "${path}" == task/*/*/*.yaml ]]; then IFS='/' read -r -a path_array <<< "${path}" @@ -34,11 +30,6 @@ printf '%s\n' "${task_records[@]}" echo "Bundles to be added:" printf '%s\n' "${BUNDLES[@]}" -if [[ -z ${task_records[*]} && -z ${BUNDLES[*]} ]]; then - echo Nothing to do... - exit 0 -fi - # The OPA data bundle is tagged with the current timestamp. This has two main # advantages. First, it prevents the image from accidentally not having any tags, # and getting garbage collected. Second, it helps us create a timeline of the From c79096e7d15276d906ccd2cd9bdddbe8ec6abb86 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 5 Dec 2024 14:55:31 +0000 Subject: [PATCH 08/51] chore(deps): update konflux-ci digest to 888974e --- .github/workflows/run-task-tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-task-tests.yaml b/.github/workflows/run-task-tests.yaml index f7937dfaeb..75955db3d1 100644 --- a/.github/workflows/run-task-tests.yaml +++ b/.github/workflows/run-task-tests.yaml 
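Review bot: The restored `for path in $(git log -m -1 --name-only --pretty="format:" "${REVISION}")` in the first hunk word-splits and glob-expands the command output, so a path containing whitespace or glob characters is split or expanded before the `task/*/*/*.yaml` test sees it; reading into an array avoids that: `mapfile -t changed_files < <(git log -m -1 --name-only --pretty="format:" "${REVISION}")` followed by `for path in "${changed_files[@]}"; do`. With `-m`, a merge commit is diffed against each parent, so the list may also include files that changed on the other side of the merge; whether that matters depends on how `REVISION` is produced, which is outside this hunk. The second hunk deliberately drops the early exit, so the script now continues to the bundle build when both lists are empty; that is the behaviour being reverted to, not a new defect, but a one-line comment above `echo "Bundles to be added:"` saying an empty run still produces a bundle would save the next reader the same question.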
@@ -39,7 +39,7 @@ jobs: with: repository: 'konflux-ci/konflux-ci' path: konflux-ci - ref: c4630e684e81f71bfd920fff0c9bb2956d3265f4 + ref: 888974e37be2a415f3c3e9b2e73d9246dec8eef2 - name: Create k8s Kind Cluster if: steps.changed-dirs.outputs.any_changed == 'true' From 5f62fe3b01edcd6897a00c1c156d4f7272a0e31e Mon Sep 17 00:00:00 2001 From: Brian Cook Date: Tue, 3 Dec 2024 08:21:07 -0500 Subject: [PATCH 09/51] RHSM integration for prefetch task This adds steps to the prefetch task to detect when a Red Hat subscription activation key is provided. When prefetch is configured for RPM package manager and an acivation key is provided, the pod will be registered with Red Hat's subscription management service so that protected content can be fetched. The activation key is provided via the param ACTIVATION_KEY. This is expected to be the name of a secret with two keys: org and activationkey. For more information see https://access.redhat.com solutions/3341191. The task modifies the prefetch input on the fly in order to inject the necessary entitlement files used for mTLS auth. For example, for simple input like 'rpm', the input will first be transformed to: [ { "type": "rpm", "options": { "ssl": { "client_key": null, "client_cert": null, "ca_bundle": null, "verify": 1 } } } ] After this the entitelement certificate information will be added to ALL instances of rpm package manager present (in case the input is a JSON array.) After prefetch the container is unregistered. Signed-off-by: Brian Cook --- .../README.md | 1 + pipelines/docker-build-oci-ta/README.md | 1 + pipelines/docker-build/README.md | 1 + pipelines/tekton-bundle-builder/README.md | 1 + .../0.1/README.md | 1 + .../0.1/prefetch-dependencies-oci-ta.yaml | 191 +++++++++++++++- task/prefetch-dependencies/0.1/README.md | 14 +- .../0.1/prefetch-dependencies.yaml | 206 +++++++++++++++++- 8 files changed, 398 insertions(+), 18 deletions(-) 
diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md index 2ba97a681e..c278bf28ce 100644 --- a/pipelines/docker-build-multi-platform-oci-ta/README.md +++ b/pipelines/docker-build-multi-platform-oci-ta/README.md @@ -142,6 +142,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.clone-repository.results.SOURCE_ARTIFACT)'| |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index e08c152e2d..1b078292d5 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md @@ -139,6 +139,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.clone-repository.results.SOURCE_ARTIFACT)'| |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index b7fb2d5e6e..95afc49114 100644 
--- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md @@ -136,6 +136,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |config-file-content| Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | diff --git a/pipelines/tekton-bundle-builder/README.md b/pipelines/tekton-bundle-builder/README.md index cd38c1a6db..7af3d568ce 100644 --- a/pipelines/tekton-bundle-builder/README.md +++ b/pipelines/tekton-bundle-builder/README.md @@ -66,6 +66,7 @@ ### prefetch-dependencies:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |config-file-content| Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | diff --git a/task/prefetch-dependencies-oci-ta/0.1/README.md b/task/prefetch-dependencies-oci-ta/0.1/README.md index 48065f95ea..73e8ebb5d5 100644 --- a/task/prefetch-dependencies-oci-ta/0.1/README.md +++ b/task/prefetch-dependencies-oci-ta/0.1/README.md 
@@ -26,6 +26,7 @@ params: ## Parameters |name|description|default value|required| |---|---|---|---| +|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false| |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| |caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| |caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| diff --git a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml index fe5cdd194f..87deeb25b5 100644 --- a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml +++ b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml @@ -33,6 +33,10 @@ spec: [available configuration parameters]: https://github.com/containerbuildsystem/cachi2?tab=readme-ov-file#available-configuration-parameters params: + - name: ACTIVATION_KEY + description: Name of secret which contains subscription activation key + type: string + default: activation-key - name: SOURCE_ARTIFACT description: The Trusted Artifact URI pointing to the artifact with the application source code. @@ -79,8 +83,16 @@ spec: the application source code. type: string volumes: + - name: activation-key + secret: + optional: true + secretName: $(params.ACTIVATION_KEY) - name: config emptyDir: {} + - name: etc-pki-entitlement + emptyDir: {} + - name: shared + emptyDir: {} - name: trusted-ca configMap: items: @@ -110,6 +122,8 @@ spec: volumeMounts: - mountPath: /mnt/config name: config + - mountPath: /shared + name: shared - mountPath: /var/workdir name: workdir steps: 
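Review bot: The `etc-pki-entitlement` emptyDir added in the `@@ -79,8 +83,16 @@` hunk is not mounted by any step visible in this patch; the register and prefetch steps exchange entitlement material under `/shared` instead, so unless a mount exists outside these hunks the volume is dead configuration and should be dropped. The `shared` mount added at `@@ -110,6 +122,8 @@` sits next to the `config` and `workdir` mounts just before `steps:`, which looks like the step template, so every step of the task, including `create-trusted-artifact`, can read the consumer and entitlement private keys the register step copies there; a comment such as `# /shared carries RHSM consumer and entitlement keys between steps; never include it in an artifact` would record that constraint. The same volume and mount are added to prefetch-dependencies.yaml at `@@ -175,6 +359,14 @@` and `@@ -61,7 +65,8 @@`.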
@@ -143,15 +157,159 @@ spec: # https://github.com/containerbuildsystem/cachi2/issues/577 yq 'del(.goproxy_url)' <<<"${CONFIG_FILE_CONTENT}" >/mnt/config/config.yaml fi + - name: check-prefetch-input + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + env: + - name: INPUT + value: $(params.input) + script: | + if [ -z "${INPUT}" ]; then + # Confirm input was provided though it's likely the whole task would be skipped if it wasn't + echo "No prefetch will be performed because no input was provided for cachi2 fetch-deps" + echo "skip" >/shared/skip + fi + - name: register-red-hat + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + results: + - name: registered + type: string + volumeMounts: + - mountPath: /activation-key + name: activation-key + env: + - name: INPUT + value: $(params.input) + - name: ACTIVATION_KEY + value: $(params.ACTIVATION_KEY) + script: | + #!/bin/bash + if [ -f /shared/skip ]; then + echo "Skipping." + exit 0 + fi + + echo "false" >/shared/registered + ACTIVATION_KEY_PATH="/activation-key" + + mkdir -p /shared/rhsm/entitlement + mkdir -p /shared/rhsm/consumer + + if [ -e /activation-key/org ]; then + cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key + + echo "Registering with Red Hat subscription manager." 
+ subscription-manager register --org "$(cat /tmp/activation-key/org)" --activationkey "$(cat /tmp/activation-key/activationkey)" + + # copy generated certificates to /shared/rhsm + cp /etc/pki/entitlement/*.pem /shared/rhsm/entitlement/ + cp /etc/pki/consumer/*.pem /shared/rhsm/consumer/ + + file="$(find /shared/rhsm/entitlement -regextype egrep -regex '.*[0-9]+\.pem' -printf %f)" + echo "file: $file" + basename "$file" .pem >/shared/RHSM_ID + echo "./RHSM_ID:" + cat /shared/RHSM_ID + + # trust the CA used for Red Hat CDN + cp /etc/rhsm-host/ca/redhat-uep.pem /shared/rhsm/redhat-uep.pem + fi + - name: preprocess-input + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + args: + - $(params.input) + env: + - name: INPUT + value: $(params.input) + - name: ACTIVATION_KEY + value: $(params.ACTIVATION_KEY) + script: | + #!/bin/python3 + import json + import os + import sys + + + def string_to_json(input: str): + if input in ['bundler', 'generic', 'gomod', 'npm', 'pip', 'rpm', 'yarn-classic', 'yarn']: + input = '{"type": "%s"}' % input + print("json: %s" % input) + return input + + + def json_to_list(input: str): + input = json.loads(input) + if type(input) is dict: + input = [input] + return json.dumps(input) + + + def inject_certs(input: str, rhsm_id: str): + input_list: list = json.loads(input) + + cert = ("/shared/rhsm/entitlement/%s.pem" % rhsm_id) + key = ("/shared/rhsm/entitlement/%s-key.pem" % rhsm_id) + ca_bundle = os.getenv("CA_BUNDLE", None) + for pkg_man in input_list: + if pkg_man["type"] == "rpm": + + # preserve verify setting + verify = \ + pkg_man.get("options", {}).get("ssl", {}).get("ssl_verify", 1) + + # preserve other options + options: dict = pkg_man.get('options', {}) + + ssl_options = { + "client_key": key, + "client_cert": cert, + "ca_bundle": ca_bundle, + "ssl_verify": verify} + + options['ssl'] = ssl_options + pkg_man["options"] = options + return (json.dumps(input_list)) + + + 
def convert_input(input, rhsm_id): + input = string_to_json(input) + input = json_to_list(input) + input = inject_certs(input, rhsm_id) + return input + + + if __name__ == '__main__': + + if os.path.isfile("/shared/skip"): + sys.exit() + + rhsm_id = "" + input = "" + + try: + f = open("/shared/RHSM_ID", "r") + rhsm_id = f.read().strip("\n") + except FileNotFoundError: + print("No RHSM ID found.") + + if rhsm_id == "": + input = sys.argv[1] + else: + print("RHSM Cert ID is: %s" % rhsm_id) + print("Called with args: %s" % str(sys.argv)) + input = convert_input(sys.argv[1], rhsm_id) + + print("Preprocessing result: %s" % input) + with open('/shared/rhsm/preprocessed_input', 'w') as f: + f.write(input) - name: prefetch-dependencies image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d volumeMounts: - mountPath: /mnt/trusted-ca name: trusted-ca readOnly: true + - mountPath: /activation-key + name: activation-key env: - - name: INPUT - value: $(params.input) - name: DEV_PACKAGE_MANAGERS value: $(params.dev-package-managers) - name: LOG_LEVEL @@ -165,9 +323,10 @@ spec: - name: WORKSPACE_NETRC_PATH value: $(workspaces.netrc.path) script: | - if [ -z "${INPUT}" ]; then - # Confirm input was provided though it's likely the whole task would be skipped if it wasn't - echo "No prefetch will be performed because no input was provided for cachi2 fetch-deps" + #!/bin/bash + + if [ -f /shared/skip ]; then + echo "Skipping." exit 0 fi 
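Review bot: In the `register-red-hat` script of the `@@ -143,15 +157,159 @@` hunk a failed `subscription-manager register` is not fatal: the script has no `set -euo pipefail`, so the following `cp` and `find` run against a presumably empty `/etc/pki/entitlement`, `basename` writes an empty `/shared/RHSM_ID`, and `preprocess-input` then takes its `rhsm_id == ""` branch and hands the un-entitled input on to cachi2 with only a log line; add `set -euo pipefail` after the shebang or check the register exit status explicitly. The step also declares a `registered` result and writes `false` to `/shared/registered` that nothing later reads or updates, and `inject_certs` reads `CA_BUNDLE` from the environment although the `preprocess-input` step sets only `INPUT` and `ACTIVATION_KEY`, so `ca_bundle` is always `null`. The activation key is passed on the `subscription-manager` command line, where it is visible in the process list for the duration of the call, and the `activation-key` secret is additionally mounted into the `prefetch-dependencies` step at the end of this hunk although no use of it is visible there; if the mount is not needed it should go. The same scripts and step layout are duplicated in prefetch-dependencies.yaml at `@@ -74,13 +79,164 @@`, which needs the same fixes.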
@@ -183,6 +342,16 @@ spec: dev_pacman_flag="" fi + INPUT=$(cat /shared/rhsm/preprocessed_input) + export INPUT + + # trust Red Hat CA cert used for Red Hat CDN + if [ -f /shared/rhsm/redhat-uep.pem ]; then + echo "Adding Red Hat CA certificate to trusted roots." + cp /shared/rhsm/redhat-uep.pem /etc/pki/ca-trust/source/anchors/ + update-ca-trust + fi + # Copied from https://github.com/konflux-ci/build-definitions/blob/main/task/git-clone/0.1/git-clone.yaml if [ "${WORKSPACE_GIT_AUTH_BOUND}" = "true" ]; then if [ -f "${WORKSPACE_GIT_AUTH_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_GIT_AUTH_PATH}/.gitconfig" ]; then @@ -225,6 +394,18 @@ spec: cachi2 --log-level="$LOG_LEVEL" inject-files /var/workdir/cachi2/output \ --for-output-dir=/cachi2/output + - name: unregister-rhsm + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + script: | + #!/bin/bash + if [ -f /shared/skip ]; then + echo "Skipping." + exit 0 + fi + + cp /shared/rhsm/consumer/* /etc/pki/consumer/ + cp /shared/rhsm/entitlement/* /etc/pki/entitlement/ + subscription-manager unregister || true - name: create-trusted-artifact image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af args: diff --git a/task/prefetch-dependencies/0.1/README.md b/task/prefetch-dependencies/0.1/README.md index 7d03f7d3b3..df88e80b36 100644 --- a/task/prefetch-dependencies/0.1/README.md +++ b/task/prefetch-dependencies/0.1/README.md 
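Review bot: The `unregister-rhsm` step in the `@@ -225,6 +394,18 @@` hunk only runs when every earlier step succeeds, because Tekton stops the TaskRun at the first failed step, so a failing `cachi2 fetch-deps` leaves the consumer registered with subscription management and it is never cleaned up; `onError: continue` on the prefetch step would let the cleanup run but also masks prefetch failures unless the step's exit code is checked afterwards, so at minimum a comment stating that orphaned registrations are possible and must be pruned elsewhere belongs on this step. The step also copies `/shared/rhsm/consumer/*` and `/shared/rhsm/entitlement/*` unconditionally, which prints `cp` errors whenever no activation key was provided; wrapping the copy-and-unregister block in `if [ -s /shared/RHSM_ID ]; then` keeps the no-key path quiet. The same step is added to prefetch-dependencies.yaml at `@@ -159,6 +327,22 @@`.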
@@ -5,17 +5,18 @@ See docs at https://github.com/containerbuildsystem/cachi2#basic-usage. ## Configuration -Config file must be passed as a YAML string. For all available config options please check [available configuration parameters] page. +Config file must be passed as a YAML string. For all available config options please check +[available configuration parameters] page. Example of setting timeouts: ```yaml params: - - name: config-file-content - value: | - --- - requests_timeout: 300 - subprocess_timeout: 3600 + - name: config-file-content + value: | + --- + requests_timeout: 300 + subprocess_timeout: 3600 ``` [available configuration parameters]: https://github.com/containerbuildsystem/cachi2?tab=readme-ov-file#available-configuration-parameters @@ -29,6 +30,7 @@ params: |config-file-content|Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! |""|false| |caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| |caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false| ## Workspaces |name|description|optional| diff --git a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml index 1b804860bd..9a859d42de 100644 --- a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml +++ b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml @@ -53,6 +53,10 @@ spec: type: string description: The name of the key in the ConfigMap that contains the CA bundle data. default: ca-bundle.crt + - name: ACTIVATION_KEY + default: activation-key + description: Name of secret which contains subscription activation key + type: string stepTemplate: env: 
@@ -61,7 +65,8 @@ spec: volumeMounts: - name: config mountPath: /mnt/config - + - mountPath: /shared + name: shared steps: - name: sanitize-cachi2-config-file-with-yq image: quay.io/konflux-ci/yq:latest@sha256:343c2ca0a347ae87fe43750ee0873e1fe813f77eff56e9722c840bb75d97fef2 
@@ -74,13 +79,164 @@ spec: yq 'del(.goproxy_url)' <<< "${CONFIG_FILE_CONTENT}" > /mnt/config/config.yaml fi - - image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + - name: check-prefetch-input + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent - name: prefetch-dependencies env: - name: INPUT value: $(params.input) + script: | + if [ -z "${INPUT}" ] + then + # Confirm input was provided though it's likely the whole task would be skipped if it wasn't + echo "No prefetch will be performed because no input was provided for cachi2 fetch-deps" + echo "skip" > /shared/skip + fi + + - name: register-red-hat + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + env: + - name: INPUT + value: $(params.input) + - name: ACTIVATION_KEY + value: $(params.ACTIVATION_KEY) + volumeMounts: + - mountPath: /activation-key + name: activation-key + results: + - name: registered + type: string + script: | + #!/bin/bash + if [ -f /shared/skip ]; then + echo "Skipping." + exit 0 + fi + + echo "false" > /shared/registered + ACTIVATION_KEY_PATH="/activation-key" + + mkdir -p /shared/rhsm/entitlement + mkdir -p /shared/rhsm/consumer + + if [ -e /activation-key/org ]; then + cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key + + echo "Registering with Red Hat subscription manager." 
+ subscription-manager register --org "$(cat /tmp/activation-key/org)" --activationkey "$(cat /tmp/activation-key/activationkey)" + + # copy generated certificates to /shared/rhsm + cp /etc/pki/entitlement/*.pem /shared/rhsm/entitlement/ + cp /etc/pki/consumer/*.pem /shared/rhsm/consumer/ + + file="$(find /shared/rhsm/entitlement -regextype egrep -regex '.*[0-9]+\.pem' -printf %f)" + echo "file: $file" + basename "$file" .pem > /shared/RHSM_ID + echo "./RHSM_ID:" + cat /shared/RHSM_ID + + # trust the CA used for Red Hat CDN + cp /etc/rhsm-host/ca/redhat-uep.pem /shared/rhsm/redhat-uep.pem + fi + + - name: preprocess-input + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + + env: + - name: INPUT + value: $(params.input) + - name: ACTIVATION_KEY + value: $(params.ACTIVATION_KEY) + args: ["$(params.input)"] + script: | + #!/bin/python3 + import json + import os + import sys + + + def string_to_json(input: str): + if input in ['bundler', 'generic', 'gomod', 'npm', 'pip', 'rpm', 'yarn-classic', 'yarn']: + input = '{"type": "%s"}' % input + print("json: %s" % input) + return input + + + def json_to_list(input: str): + input = json.loads(input) + if type(input) is dict: + input = [input] + return json.dumps(input) + + + def inject_certs(input: str, rhsm_id: str): + input_list: list = json.loads(input) + + cert = ("/shared/rhsm/entitlement/%s.pem" % rhsm_id) + key = ("/shared/rhsm/entitlement/%s-key.pem" % rhsm_id) + ca_bundle = os.getenv("CA_BUNDLE", None) + for pkg_man in input_list: + if pkg_man["type"] == "rpm": + + # preserve verify setting + verify = \ + pkg_man.get("options", {}).get("ssl", {}).get("ssl_verify", 1) + + # preserve other options + options: dict = pkg_man.get('options', {}) + + ssl_options = { + "client_key": key, + "client_cert": cert, + 
"ca_bundle": ca_bundle, + "ssl_verify": verify} + + options['ssl'] = ssl_options + pkg_man["options"] = options + return (json.dumps(input_list)) + + + def convert_input(input, rhsm_id): + input = string_to_json(input) + input = json_to_list(input) + input = inject_certs(input, rhsm_id) + return input + + + if __name__ == '__main__': + + if os.path.isfile("/shared/skip"): + sys.exit() + + rhsm_id = "" + input = "" + + try: + f = open("/shared/RHSM_ID", "r") + rhsm_id = f.read().strip("\n") + except FileNotFoundError: + print("No RHSM ID found.") + + if rhsm_id == "": + input = sys.argv[1] + else: + print("RHSM Cert ID is: %s" % rhsm_id) + print("Called with args: %s" % str(sys.argv)) + input = convert_input(sys.argv[1], rhsm_id) + + print("Preprocessing result: %s" % input) + with open('/shared/rhsm/preprocessed_input', 'w') as f: + f.write(input) + + + - name: prefetch-dependencies + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + env: - name: DEV_PACKAGE_MANAGERS value: $(params.dev-package-managers) - name: LOG_LEVEL @@ -97,11 +253,13 @@ spec: - name: trusted-ca mountPath: /mnt/trusted-ca readOnly: true + - mountPath: /activation-key + name: activation-key script: | - if [ -z "${INPUT}" ] - then - # Confirm input was provided though it's likely the whole task would be skipped if it wasn't - echo "No prefetch will be performed because no input was provided for cachi2 fetch-deps" + #!/bin/bash + + if [ -f /shared/skip ]; then + echo "Skipping." exit 0 fi 
@@ -117,6 +275,16 @@ spec: dev_pacman_flag="" fi + INPUT=$(cat /shared/rhsm/preprocessed_input) + export INPUT + + # trust Red Hat CA cert used for Red Hat CDN + if [ -f /shared/rhsm/redhat-uep.pem ]; then + echo "Adding Red Hat CA certificate to trusted roots." + cp /shared/rhsm/redhat-uep.pem /etc/pki/ca-trust/source/anchors/ + update-ca-trust + fi + # Copied from https://github.com/konflux-ci/build-definitions/blob/main/task/git-clone/0.1/git-clone.yaml if [ "${WORKSPACE_GIT_AUTH_BOUND}" = "true" ] ; then if [ -f "${WORKSPACE_GIT_AUTH_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_GIT_AUTH_PATH}/.gitconfig" ]; then @@ -159,6 +327,22 @@ spec: cachi2 --log-level="$LOG_LEVEL" inject-files $(workspaces.source.path)/cachi2/output \ --for-output-dir=/cachi2/output + + - name: unregister-rhsm + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + script: | + #!/bin/bash + if [ -f /shared/skip ]; then + echo "Skipping." + exit 0 + fi + + cp /shared/rhsm/consumer/* /etc/pki/consumer/ + cp /shared/rhsm/entitlement/* /etc/pki/entitlement/ + subscription-manager unregister || true + workspaces: - name: source description: Workspace with the source code, cachi2 artifacts will be stored on the workspace as well @@ -175,6 +359,14 @@ spec: performing http(s) requests. optional: true volumes: + - name: shared + emptyDir: {} + - name: etc-pki-entitlement + emptyDir: {} + - name: activation-key + secret: + optional: true + secretName: $(params.ACTIVATION_KEY) - name: trusted-ca configMap: name: $(params.caTrustConfigMapName) From b670a9edfdfc45d3292ecba4b08e7f21fe7e1adb Mon Sep 17 00:00:00 2001 From: Gang Li Date: Fri, 6 Dec 2024 08:27:00 +0800 Subject: [PATCH 10/51] fix: pipelines README out of date * fbc-builder * maven-zip-build * maven-zip-build-oci-ta 
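Review bot: `cp /shared/rhsm/redhat-uep.pem /etc/pki/ca-trust/source/anchors/` followed by `update-ca-trust` installs the Red Hat CDN CA into the system-wide trust store, so every TLS client in this step (git credential fetches, pip/npm/go metadata downloads, anything honouring the system bundle) now trusts that CA, not only the RPM fetch it was copied for. A narrower option is to point the rpm backend at it through the `ssl.ca_bundle` slot the preprocess step already fills (`"ca_bundle": ca_bundle`, currently taken from a `CA_BUNDLE` variable that the visible step env does not set) instead of widening the global roots. Also `INPUT=$(cat /shared/rhsm/preprocessed_input)` silently yields an empty `INPUT` if the file is missing; a guard such as `[ -f /shared/rhsm/preprocessed_input ] || { echo "missing preprocessed input"; exit 1; }` before the `export` turns that into a clear failure. The enclosing script begins outside this hunk.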
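Review bot: The `unregister-rhsm` step only runs if every earlier step succeeded — Tekton stops a TaskRun at the first failing step — so a failed `prefetch-dependencies` leaves the consumer registered against the org's activation key with its entitlement certificates still valid, and those stale registrations accumulate. Tekton has no per-task `finally`, so the usual remedies are `onError: continue` on the prefetch step with this step re-raising the saved exit code, or a separate finally task that performs the unregister. The trailing `|| true` also hides unregister failures completely; `subscription-manager unregister || echo "WARNING: unregister failed, consumer may remain registered"` keeps the best-effort semantics while making the leak visible in logs.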
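Review bot: The `shared` emptyDir carries the entitlement certificate and private key and the consumer identity certificate copied out of `/etc/pki/{entitlement,consumer}` between steps, but it is declared with no `medium`, so those key files are written to the node's disk for the lifetime of the pod. `emptyDir: {medium: Memory}` keeps them in tmpfs; the same presumably applies to `etc-pki-entitlement`, whose mount point is not visible in this hunk. The `activation-key` secret being `optional: true` appears to be what lets the task run unregistered when no secret exists — a one-line comment stating that would stop someone "fixing" it to required later.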
Signed-off-by: Gang Li --- pipelines/fbc-builder/README.md | 1 + pipelines/maven-zip-build-oci-ta/README.md | 1 + pipelines/maven-zip-build/README.md | 1 + 3 files changed, 3 insertions(+) diff --git a/pipelines/fbc-builder/README.md b/pipelines/fbc-builder/README.md index 903f6230c5..42226f6f51 100644 --- a/pipelines/fbc-builder/README.md +++ b/pipelines/fbc-builder/README.md @@ -113,6 +113,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.clone-repository.results.SOURCE_ARTIFACT)'| |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | diff --git a/pipelines/maven-zip-build-oci-ta/README.md b/pipelines/maven-zip-build-oci-ta/README.md index 60aa74d8e0..6d198d8992 100644 --- a/pipelines/maven-zip-build-oci-ta/README.md +++ b/pipelines/maven-zip-build-oci-ta/README.md @@ -64,6 +64,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.clone-repository.results.SOURCE_ARTIFACT)'| |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | 
diff --git a/pipelines/maven-zip-build/README.md b/pipelines/maven-zip-build/README.md index 512cfaeb21..067bdbc9bc 100644 --- a/pipelines/maven-zip-build/README.md +++ b/pipelines/maven-zip-build/README.md @@ -64,6 +64,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |config-file-content| Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | From 48f8f4ba33ccf909d9ab0af49f1d000431a87e9f Mon Sep 17 00:00:00 2001 From: Tomas Nevrlka Date: Tue, 3 Dec 2024 09:45:49 +0100 Subject: [PATCH 11/51] refactor: use built-in buildah --retry - Retries were achieved by writing a loop around the buildah command - buildah actually has a `--retry` option - Use the built-in option in order to simplify the code --- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 26 +++++++------------ .../0.2/buildah-remote-oci-ta.yaml | 26 +++++++------------ task/buildah-remote/0.2/buildah-remote.yaml | 26 +++++++------------ task/buildah/0.2/buildah.yaml | 26 +++++++------------ 4 files changed, 36 insertions(+), 68 deletions(-) diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index f4398eafc7..bcf4db60ee 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml 
@@ -559,19 +559,6 @@ spec: #!/bin/bash set -e - retry() { - status=-1 - max_run=5 - sleep_sec=10 - - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - "$@" && break || status=$? - done - return $status - } - ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then echo "INFO: Using mounted CA bundle: $ca_bundle" @@ -579,21 +566,26 @@ spec: update-ca-trust fi + retries=5 + # Push to a unique tag based on the TaskRun name to avoid race conditions echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" - if ! retry buildah push \ + if ! buildah push \ + --retry "$retries" \ --tls-verify="$TLSVERIFY" \ "$IMAGE" \ "docker://${IMAGE%:*}:$(context.taskRun.name)"; then - echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" + echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${retries} tries" exit 1 fi + # Push to a tag based on the git revision echo "Pushing to ${IMAGE}" - if ! retry buildah push \ + if ! buildah push \ + --retry "$retries" \ --tls-verify="$TLSVERIFY" \ --digestfile "/var/workdir/image-digest" "$IMAGE" \ "docker://$IMAGE"; then - echo "Failed to push sbom image to $IMAGE after ${max_run} tries" + echo "Failed to push sbom image to $IMAGE after ${retries} tries" exit 1 fi diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 307847cc55..c70529c4bd 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -659,19 +659,6 @@ spec: export IMAGE fi - retry() { - status=-1 - max_run=5 - sleep_sec=10 - - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - "$@" && break || status=$? - done - return $status - } - ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then echo "INFO: Using mounted CA bundle: $ca_bundle" 
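Review bot: The removed `retry` function slept 10 s between attempts, whereas `buildah push --retry "$retries"` paces retries with buildah's own `--retry-delay`, whose default is short (2 s in the buildah documentation I am aware of), so a flaky registry now gets far less total time before the push is declared failed. If the old pacing mattered, make it explicit on both pushes: `--retry "$retries" --retry-delay 10s`. The rewritten failure messages also still say `Failed to push sbom image …` although both pushes are of `$IMAGE` itself; `Failed to push image to …` would stop misleading anyone grepping logs. `set -e` is in effect here, but the `if ! buildah …` form already owns the failure path, so that part is fine.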
@@ -679,21 +666,26 @@ spec: update-ca-trust fi + retries=5 + # Push to a unique tag based on the TaskRun name to avoid race conditions echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" - if ! retry buildah push \ + if ! buildah push \ + --retry "$retries" \ --tls-verify="$TLSVERIFY" \ "$IMAGE" \ "docker://${IMAGE%:*}:$(context.taskRun.name)"; then - echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" + echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${retries} tries" exit 1 fi + # Push to a tag based on the git revision echo "Pushing to ${IMAGE}" - if ! retry buildah push \ + if ! buildah push \ + --retry "$retries" \ --tls-verify="$TLSVERIFY" \ --digestfile "/var/workdir/image-digest" "$IMAGE" \ "docker://$IMAGE"; then - echo "Failed to push sbom image to $IMAGE after ${max_run} tries" + echo "Failed to push sbom image to $IMAGE after ${retries} tries" exit 1 fi diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 9f2c2d0b0e..88a1ee48f3 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -637,19 +637,6 @@ spec: export IMAGE fi - retry () { - status=-1 - max_run=5 - sleep_sec=10 - - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - "$@" && break || status=$? - done - return $status - } - ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then echo "INFO: Using mounted CA bundle: $ca_bundle" 
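Review bot: Same concern as the sibling tasks — `--retry "$retries"` drops the 10 s back-off the removed loop provided, because buildah's default `--retry-delay` is shorter, so consider `--retry "$retries" --retry-delay 10s` if retry pacing was deliberate. The messages this hunk rewrites still describe an "sbom image" even though `$IMAGE` is the built image; correcting them to `Failed to push image to …` is a one-word change per line. The echo above the first push uses `${TASKRUN_NAME}` while the push target uses `$(context.taskRun.name)`; these are context lines, but if both are meant to be the same value, using one form for both avoids a misleading log line should they ever diverge.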
@@ -657,23 +644,28 @@ spec: update-ca-trust fi + retries=5 + # Push to a unique tag based on the TaskRun name to avoid race conditions echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" - if ! retry buildah push \ + if ! buildah push \ + --retry "$retries" \ --tls-verify="$TLSVERIFY" \ "$IMAGE" \ "docker://${IMAGE%:*}:$(context.taskRun.name)"; then - echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" + echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${retries} tries" exit 1 fi + # Push to a tag based on the git revision echo "Pushing to ${IMAGE}" - if ! retry buildah push \ + if ! buildah push \ + --retry "$retries" \ --tls-verify="$TLSVERIFY" \ --digestfile "$(workspaces.source.path)/image-digest" "$IMAGE" \ "docker://$IMAGE"; then - echo "Failed to push sbom image to $IMAGE after ${max_run} tries" + echo "Failed to push sbom image to $IMAGE after ${retries} tries" exit 1 fi diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 3a6a9f70a9..34fdcbfa8b 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -500,19 +500,6 @@ spec: #!/bin/bash set -e - retry () { - status=-1 - max_run=5 - sleep_sec=10 - - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - "$@" && break || status=$? - done - return $status - } - ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then echo "INFO: Using mounted CA bundle: $ca_bundle" 
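Review bot: `--retry "$retries"` changes the retry behaviour in a second way besides the delay: buildah only retries what it classifies as transient (network/registry) errors, whereas the removed loop re-ran the push on any non-zero exit. That is arguably better — authorization and TLS failures no longer burn five attempts — but it is a behaviour change the commit message does not mention, and the default `--retry-delay` is much shorter than the old `sleep 10`; add `--retry-delay 10s` if that pacing was intentional. The error strings still say `Failed to push sbom image …` for pushes of `$IMAGE`; please fix the wording while these lines are being touched.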
@@ -520,23 +507,28 @@ spec: update-ca-trust fi + retries=5 + # Push to a unique tag based on the TaskRun name to avoid race conditions echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" - if ! retry buildah push \ + if ! buildah push \ + --retry "$retries" \ --tls-verify="$TLSVERIFY" \ "$IMAGE" \ "docker://${IMAGE%:*}:$(context.taskRun.name)"; then - echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" + echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${retries} tries" exit 1 fi + # Push to a tag based on the git revision echo "Pushing to ${IMAGE}" - if ! retry buildah push \ + if ! buildah push \ + --retry "$retries" \ --tls-verify="$TLSVERIFY" \ --digestfile "$(workspaces.source.path)/image-digest" "$IMAGE" \ "docker://$IMAGE"; then - echo "Failed to push sbom image to $IMAGE after ${max_run} tries" + echo "Failed to push sbom image to $IMAGE after ${retries} tries" exit 1 fi From d18207fbfa404811bda83184947043dc5fff8f59 Mon Sep 17 00:00:00 2001 From: Tomas Nevrlka Date: Thu, 28 Nov 2024 19:24:36 +0100 Subject: [PATCH 12/51] push to a unique tag in buildah-rhtap - buildah currently pushes to a tag based on revision - if multiple pipelineruns are ran on the same revision, race conditions may happen - push to a unique tag based on the unique taskrun name --- task/buildah-rhtap/0.1/buildah-rhtap.yaml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/task/buildah-rhtap/0.1/buildah-rhtap.yaml b/task/buildah-rhtap/0.1/buildah-rhtap.yaml index 91c621e794..db92791893 100644 --- a/task/buildah-rhtap/0.1/buildah-rhtap.yaml +++ b/task/buildah-rhtap/0.1/buildah-rhtap.yaml 
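Review bot: As in the other three buildah tasks, `buildah push --retry "$retries"` replaces a 10 s back-off with buildah's default `--retry-delay`, so total retry time shrinks noticeably; pass `--retry-delay 10s` alongside `--retry "$retries"` if the previous pacing was chosen for a reason. The rewritten messages still read `Failed to push sbom image …` although these two pushes are of `$IMAGE`; `Failed to push image to … after ${retries} tries` is the accurate text. Keeping the four copies identical matters here since they are evidently maintained in lockstep.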
@@ -103,6 +103,13 @@ spec: --digestfile /tmp/files/image-digest $IMAGE \ docker://$IMAGE + # Push the image to a unique tag to avoid race conditions + buildah push \ + --tls-verify="$TLSVERIFY" \ + --retry=5 \ + --digestfile /tmp/files/image-digest "$IMAGE" \ + "docker://${IMAGE%:*}:$(context.taskRun.name)" + # Set task results buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) cat /tmp/files/image-digest | tee $(results.IMAGE_DIGEST.path) From ec12d20b66fa5fb7130d94d62381d15ac4a72a51 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 4 Dec 2024 12:26:06 +0000 Subject: [PATCH 13/51] chore(deps): update quay.io/redhat-appstudio/konflux-test docker tag to v1.4.8 --- .../0.1/coverity-availability-check-oci-ta.yaml | 2 +- .../0.1/coverity-availability-check.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml b/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml index 7431660c92..faf430eecc 100644 --- a/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml +++ b/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml @@ -57,7 +57,7 @@ spec: - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 - name: coverity-availability-check - image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 + image: quay.io/redhat-appstudio/konflux-test:v1.4.8@sha256:2224fabdb0a28a415d4af4c58ae53d7c4c53c83c315f12e07d1d7f48a80bfa70 workingDir: /var/workdir/source volumeMounts: - mountPath: /etc/secrets/cov 
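Review bot: The new push reuses `--digestfile /tmp/files/image-digest`, so it overwrites the file written by the `docker://$IMAGE` push just above; the digest is the same image today, but `IMAGE_DIGEST` now silently means "whichever push ran last" and the first `--digestfile` becomes dead. The buildah/0.2 tasks push the unique `$(context.taskRun.name)` tag first and only the revision tag with `--digestfile`; mirroring that order here keeps the two tasks consistent and makes the race-avoidance intent obvious. The existing push (context lines) also has no `--retry` and an unquoted `$IMAGE`; if only the new one retries, a transient failure on the revision tag still fails the task. Whether `set -e` is active for this script is not visible in the hunk — if it is not, a failed push to the unique tag is ignored.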
diff --git a/task/coverity-availability-check/0.1/coverity-availability-check.yaml b/task/coverity-availability-check/0.1/coverity-availability-check.yaml index 63fc4ac04c..a9cec81f1f 100644 --- a/task/coverity-availability-check/0.1/coverity-availability-check.yaml +++ b/task/coverity-availability-check/0.1/coverity-availability-check.yaml @@ -33,7 +33,7 @@ spec: optional: true steps: - name: coverity-availability-check - image: quay.io/redhat-appstudio/konflux-test:v1.4.7@sha256:cf6808a3bd605630a5d9f20595ff7c43f8645c00381219d32f5a11e88fe37072 + image: quay.io/redhat-appstudio/konflux-test:v1.4.8@sha256:2224fabdb0a28a415d4af4c58ae53d7c4c53c83c315f12e07d1d7f48a80bfa70 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) From 3289b26b8bd407864eb1d7e500d75f60069a5374 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Thu, 5 Dec 2024 17:12:48 +0000 Subject: [PATCH 14/51] chore(deps): update ec --- .tekton/tasks/ec-checks.yaml | 6 +++--- pipelines/enterprise-contract.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml index 9dce078405..99a2007a6f 100644 --- a/.tekton/tasks/ec-checks.yaml +++ b/.tekton/tasks/ec-checks.yaml @@ -37,7 +37,7 @@ spec: stepactions_dir stepactions-ec - name: validate-all-tasks workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:ccbf00aee7d4af1f78ba66aa04b0899b7e770dea44f6df0a1aa0a9a12529e9fe + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:b854a575632fb1a7d1cc72ad250e82c120900f00600c16b89d4b08ebcf5a7235 script: | set -euo pipefail 
@@ -51,7 +51,7 @@ spec: ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]} - name: validate-build-tasks workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:ccbf00aee7d4af1f78ba66aa04b0899b7e770dea44f6df0a1aa0a9a12529e9fe + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:b854a575632fb1a7d1cc72ad250e82c120900f00600c16b89d4b08ebcf5a7235 script: | set -euo pipefail @@ -65,7 +65,7 @@ spec: ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]} - name: validate-step-actions workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:ccbf00aee7d4af1f78ba66aa04b0899b7e770dea44f6df0a1aa0a9a12529e9fe + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:b854a575632fb1a7d1cc72ad250e82c120900f00600c16b89d4b08ebcf5a7235 script: | #!/bin/bash set -euo pipefail diff --git a/pipelines/enterprise-contract.yaml b/pipelines/enterprise-contract.yaml index c3b235ae87..1b96df8aaa 100644 --- a/pipelines/enterprise-contract.yaml +++ b/pipelines/enterprise-contract.yaml @@ -114,7 +114,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:f6fb0800d707b7eb6f3ccfc0026c39bb3a5b944aa1ecacc7d8de6cb2fa1a67a6 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:9333e2fbd30a219124a2eed1c270c55b79e6fb18a2abc3bcb4c6275d6c721919 - name: name value: verify-enterprise-contract - name: kind From 12bbd684492acf11786d73d8a57295e4518413b7 Mon Sep 17 00:00:00 2001 From: Gang Li Date: Thu, 5 Dec 2024 16:13:57 +0800 Subject: [PATCH 15/51] chore: add maven-zip-build/ta to main kustomization.yaml --- pipelines/kustomization.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pipelines/kustomization.yaml b/pipelines/kustomization.yaml index 8474b41382..3c32a05f23 100644 --- a/pipelines/kustomization.yaml +++ b/pipelines/kustomization.yaml 
@@ -7,3 +7,5 @@ resources: - enterprise-contract.yaml - fbc-builder - tekton-bundle-builder +- maven-zip-build +- maven-zip-build-oci-ta From 317ac725161af6d6f6661aa0423e14e17af46d35 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Thu, 17 Oct 2024 09:57:56 +0200 Subject: [PATCH 16/51] Move prefetch devs out of the larger build team They generally don't maintain anything in the build pipeline except for the prefetch task. Signed-off-by: Adam Cmiel --- OWNERS_ALIASES | 3 --- task/prefetch-dependencies-oci-ta/OWNERS | 6 ++++++ task/prefetch-dependencies/OWNERS | 6 ++++++ 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES index 0d5c6b3bd1..482cc708f9 100644 --- a/OWNERS_ALIASES +++ b/OWNERS_ALIASES @@ -9,9 +9,6 @@ aliases: - tisutisu - tnevrlka - MartinBasti - - eskultety - - brunoapimentel - - taylormadore integration-team: - dirgim - jsztuka diff --git a/task/prefetch-dependencies-oci-ta/OWNERS b/task/prefetch-dependencies-oci-ta/OWNERS index d3f0ff4a7e..bc865ca681 100644 --- a/task/prefetch-dependencies-oci-ta/OWNERS +++ b/task/prefetch-dependencies-oci-ta/OWNERS @@ -1,5 +1,11 @@ # See the OWNERS docs: https://go.k8s.io/owners approvers: - build-team + - eskultety + - brunoapimentel + - taylormadore reviewers: - build-team + - eskultety + - brunoapimentel + - taylormadore diff --git a/task/prefetch-dependencies/OWNERS b/task/prefetch-dependencies/OWNERS index d3f0ff4a7e..bc865ca681 100644 --- a/task/prefetch-dependencies/OWNERS +++ b/task/prefetch-dependencies/OWNERS @@ -1,5 +1,11 @@ # See the OWNERS docs: https://go.k8s.io/owners approvers: - build-team + - eskultety + - brunoapimentel + - taylormadore reviewers: - build-team + - eskultety + - brunoapimentel + - taylormadore From fa39ce04779acf851788259156fcfa75e1764030 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Wed, 27 Nov 2024 16:31:51 +0100 Subject: [PATCH 17/51] Don't run e2e-tests just for OWNERS changes 
Signed-off-by: Adam Cmiel --- .tekton/pull-request.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.tekton/pull-request.yaml b/.tekton/pull-request.yaml index 6335aeec96..070a9c352c 100644 --- a/.tekton/pull-request.yaml +++ b/.tekton/pull-request.yaml @@ -69,7 +69,12 @@ spec: value: - tasks := strings.any_prefix_match(input, ["task/", "hack/", ".tekton/"]) - tasks_pipelines := strings.any_prefix_match(input, ["task/", "pipelines/", "hack/", ".tekton/"]) - - e2e_tests := strings.any_prefix_match(input, ["task/", "pipelines/", "hack/", ".tekton/"]) + - | + e2e_tests if { + some file in input + strings.any_prefix_match(file, ["task/", "pipelines/", "hack/", ".tekton/"]) + not endswith(file, "/OWNERS") + } - check_partner_tasks := strings.any_prefix_match(input, ["partners/", "hack/", ".tekton/"]) runAfter: - build-appstudio-utils From ceaf947346078791a582994711d8b4775764abff Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Thu, 5 Dec 2024 11:00:53 +0100 Subject: [PATCH 18/51] provision-env-with-ephemeral-namespace: fix OWNERS Signed-off-by: Adam Cmiel --- task/provision-env-with-ephemeral-namespace/OWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/task/provision-env-with-ephemeral-namespace/OWNERS b/task/provision-env-with-ephemeral-namespace/OWNERS index d90b38493a..711cda3d63 100644 --- a/task/provision-env-with-ephemeral-namespace/OWNERS +++ b/task/provision-env-with-ephemeral-namespace/OWNERS @@ -2,7 +2,7 @@ approvers: - gbenhaim -- oamsalem +- omeramsc - amisstea - avi-biton - yftacherzog From 1d7901fecd92f36566fcade8a2dc9b1e6a9c903d Mon Sep 17 00:00:00 2001 
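Review bot: `e2e_tests` changes from a boolean assignment to a partial rule, so when no qualifying file exists it is now undefined rather than `false`, unlike the sibling rules (`tasks`, `tasks_pipelines`, `check_partner_tasks`) which still evaluate to a boolean. If whatever consumes these results tests `e2e_tests == false` or serialises the set of rules, that difference matters; adding `default e2e_tests := false` ahead of the rule keeps all four the same shape. The `if` and `some … in` forms also need `import rego.v1` or the future keywords enabled by the evaluator, which is not visible here.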
From: Adam Cmiel Date: Fri, 29 Nov 2024 11:26:47 +0100 Subject: [PATCH 19/51] Add CODEOWNERS CODEOWNERS will allow us to make the ownership of individual tasks actually mean something. We will have to give every owner write permissions, but we will be able to set up branch protection rules to block PRs from getting merged if they don't have approvals from the owners. This will allow the CODEOWNERS of tasks and stepactions to fully self-service their PRs without giving them the ability to mess with other parts of the repository. The file was generated based on the current **/OWNERS Signed-off-by: Adam Cmiel --- CODEOWNERS | 96 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 96 insertions(+) create mode 100644 CODEOWNERS diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000000..f69707bdb7 --- /dev/null +++ b/CODEOWNERS 
@@ -0,0 +1,96 @@ +# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners + +* @konflux-ci/build-maintainers + +/task/acs-deploy-check @konflux-ci/build-maintainers +/task/acs-image-check @konflux-ci/build-maintainers +/task/acs-image-scan @konflux-ci/build-maintainers +/task/apply-tags @konflux-ci/build-maintainers +/task/build-image-index @konflux-ci/build-maintainers +/task/build-image-manifest @konflux-ci/build-maintainers +/task/buildah @konflux-ci/build-maintainers +/task/buildah-10gb @konflux-ci/build-maintainers +/task/buildah-20gb @konflux-ci/build-maintainers +/task/buildah-24gb @konflux-ci/build-maintainers +/task/buildah-6gb @konflux-ci/build-maintainers +/task/buildah-8gb @konflux-ci/build-maintainers +/task/buildah-min @konflux-ci/build-maintainers +/task/buildah-oci-ta @konflux-ci/build-maintainers +/task/buildah-remote @konflux-ci/build-maintainers +/task/buildah-remote-oci-ta @konflux-ci/build-maintainers +/task/buildah-rhtap @konflux-ci/build-maintainers +/task/download-sbom-from-url-in-attestation @konflux-ci/build-maintainers +/task/gather-deploy-images @konflux-ci/build-maintainers +/task/git-clone @konflux-ci/build-maintainers +/task/git-clone-oci-ta @konflux-ci/build-maintainers +/task/init @konflux-ci/build-maintainers +/task/push-dockerfile @konflux-ci/build-maintainers +/task/push-dockerfile-oci-ta @konflux-ci/build-maintainers +/task/show-sbom @konflux-ci/build-maintainers +/task/show-sbom-rhdh @konflux-ci/build-maintainers +/task/slack-webhook-notification @konflux-ci/build-maintainers +/task/source-build @konflux-ci/build-maintainers +/task/source-build-oci-ta @konflux-ci/build-maintainers +/task/summary @konflux-ci/build-maintainers +/task/update-deployment @konflux-ci/build-maintainers +/task/update-infra-deployments @konflux-ci/build-maintainers +/task/upload-sbom-to-trustification @konflux-ci/build-maintainers + +/task/prefetch-dependencies 
@konflux-ci/build-maintainers @brunoapimentel @eskultety @taylormadore +/task/prefetch-dependencies-oci-ta @konflux-ci/build-maintainers @brunoapimentel @eskultety @taylormadore + +/task/generate-labels @konflux-ci/build-maintainers @ralphbean + +/task/tkn-bundle @konflux-ci/ec +/task/tkn-bundle-oci-ta @konflux-ci/ec +/task/verify-enterprise-contract @konflux-ci/ec + +/task/clair-scan @konflux-ci/integration-service-maintainers +/task/clamav-scan @konflux-ci/integration-service-maintainers +/task/deprecated-image-check @konflux-ci/integration-service-maintainers +/task/fbc-related-image-check @konflux-ci/integration-service-maintainers +/task/fbc-validation @konflux-ci/integration-service-maintainers +/task/inspect-image @konflux-ci/integration-service-maintainers +/task/sbom-json-check @konflux-ci/integration-service-maintainers +/task/validate-fbc @konflux-ci/integration-service-maintainers + +/task/coverity-availability-check @konflux-ci/integration-service-maintainers @kdudka +/task/coverity-availability-check-oci-ta @konflux-ci/integration-service-maintainers @kdudka +/task/sast-coverity-check @konflux-ci/integration-service-maintainers @kdudka +/task/sast-coverity-check-oci-ta @konflux-ci/integration-service-maintainers @kdudka +/task/sast-shell-check @konflux-ci/integration-service-maintainers @kdudka +/task/sast-shell-check-oci-ta @konflux-ci/integration-service-maintainers @kdudka +/task/sast-snyk-check @konflux-ci/integration-service-maintainers @kdudka +/task/sast-snyk-check-oci-ta @konflux-ci/integration-service-maintainers @kdudka +/task/sast-unicode-check @konflux-ci/integration-service-maintainers @kdudka +/task/sast-unicode-check-oci-ta @konflux-ci/integration-service-maintainers @kdudka + +/task/ecosystem-cert-preflight-checks @acornett21 @bcrochet @komish @skattoju + +/task/provision-env-with-ephemeral-namespace @amisstea @avi-biton @gbenhaim @omeramsc @yftacherzog + +/task/generate-odcs-compose @amisstea @avi-biton @gbenhaim @yftacherzog 
+/task/rpms-signature-scan @amisstea @avi-biton @gbenhaim @yftacherzog +/task/verify-signed-rpms @amisstea @avi-biton @gbenhaim @yftacherzog + +/stepactions/eaas-copy-secrets-to-ephemeral-cluster @amisstea @avi-biton @hmariset @omeramsc @yftacherzog +/stepactions/eaas-create-ephemeral-cluster-hypershift-aws @amisstea @avi-biton @hmariset @omeramsc @yftacherzog +/stepactions/eaas-get-ephemeral-cluster-credentials @amisstea @avi-biton @hmariset @omeramsc @yftacherzog +/stepactions/eaas-get-latest-openshift-version-by-prefix @amisstea @avi-biton @hmariset @omeramsc @yftacherzog +/stepactions/eaas-get-supported-ephemeral-cluster-versions @amisstea @avi-biton @hmariset @omeramsc @yftacherzog +/task/eaas-provision-space @amisstea @avi-biton @hmariset @omeramsc @yftacherzog + +/task/build-vm-image @arewm @brianwcook @ralphbean @scoheb + +/task/rpm-ostree @cgwalters +/task/rpm-ostree-oci-ta @cgwalters + +/task/operator-sdk-generate-bundle @gurnben @jbpratt +/task/opm-get-bundle-version @gurnben @jbpratt +/task/opm-render-bundles @gurnben @jbpratt + +/task/build-maven-zip @ligangty @yma96 +/task/build-maven-zip-oci-ta @ligangty @yma96 + +/task/oci-copy @ralphbean +/task/oci-copy-oci-ta @ralphbean From b7d37895b9dc4c59efcf61fd06870c2a8cf4d835 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Fri, 29 Nov 2024 11:30:12 +0100 Subject: [PATCH 20/51] CI: change OWNERS check to work with CODEOWNERS Signed-off-by: Adam Cmiel --- hack/check-task-owners.sh | 48 ++++++++++++++++++++++++--------------- 1 file changed, 30 insertions(+), 18 deletions(-) diff --git a/hack/check-task-owners.sh b/hack/check-task-owners.sh index 4c31bfe597..2469cf4f05 100755 --- a/hack/check-task-owners.sh +++ b/hack/check-task-owners.sh 
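Review bot: Several paths have a single individual as their only code owner (`/task/rpm-ostree @cgwalters`, `/task/rpm-ostree-oci-ta @cgwalters`, `/task/oci-copy @ralphbean`, `/task/oci-copy-oci-ta @ralphbean`), and a more specific line replaces the `*` fallback rather than adding to it. With "require review from Code Owners" that makes one account the sole gate on a task that builds shipped images, and — per the commit description — that account also needs write access; if it is compromised, departs or loses write access, approvals either stall or, I believe, stop being enforced because GitHub ignores owners without write permission. Consider pairing each individual with a team (`/task/rpm-ostree @cgwalters @konflux-ci/build-maintainers`) and adding explicit entries for the files that define this policy, `/CODEOWNERS`, `/.tekton/` and `/hack/`, so they remain protected even if someone later edits the `*` line.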
@@ -1,25 +1,37 @@ #!/usr/bin/env bash +set -o errexit -o nounset -o pipefail -check_result=$(mktemp) +shopt -s nullglob -# Check the OWNERS file is present for each task -find task/ -mindepth 1 -maxdepth 1 -type d | \ - while read -r task_dir; do - owners_file="$task_dir/OWNERS" - if [ ! -e "$owners_file" ]; then - echo "error: missing owners file $owners_file" >>"$check_result" - continue - fi - approvers=$(yq '.approvers[]' $owners_file) - reviewers=$(yq '.reviwers[]' $owners_file) - if [ -z "$approvers" ] && [ -z "$reviewers" ]; then - echo "error: $task_dir/OWNERS don't have atleast 1 approver and 1 reviewer" >>"$check_result" +codeowners_to_gitignore() { + # drop comments and the root '*' pattern, extract the pattern from each line + awk '/^[^#]/ && !/^\*\s/ { print $1 }' "$1" +} + +temp_gitignore=$(mktemp --tmpdir "codeowners-gitignore.XXXX") +trap 'rm "$temp_gitignore"' EXIT +codeowners_to_gitignore CODEOWNERS > "$temp_gitignore" + +important_dirs=$( + for f in task/* stepactions/*; do + if [[ -d "$f" ]]; then + echo "$f" fi - done + done | sort +) -if [ -s "$check_result" ]; then - cat "$check_result" - echo "Please add OWNERS file with atleast 1 approver and 1 reviewer" +codeowned_dirs=$( + # CODEOWNERS is roughly a .gitignore file, so check which dirs are "ignored" by CODEOWNERS + echo "$important_dirs" | + git -c "core.excludesFile=$temp_gitignore" check-ignore --no-index --stdin | + sort +) + +missing_owners=$(comm -23 <(echo "$important_dirs") <(echo "$codeowned_dirs")) + +if [[ -n "$missing_owners" ]]; then + echo "Missing CODEOWNERS:" >&2 + # shellcheck disable=SC2001 # can't use ${variable//search/replace} instead + sed 's/^/ /' <<< "$missing_owners" >&2 exit 1 fi - From 4513ad8b11aad92f7b024acdd7f4335a61063e84 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Wed, 4 Dec 2024 12:59:54 +0100 Subject: [PATCH 21/51] CODEOWNERS: exclude pipelines/*/README.md Signed-off-by: Adam Cmiel --- CODEOWNERS | 4 ++++ 1 file changed, 4 insertions(+) 
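Review bot: `codeowners_to_gitignore` treats every non-comment, non-`*` line as an ownership entry, but a CODEOWNERS line may consist of a pattern with no owners at all (that is how one removes required review for a path), so a lone `/task/foo` line would make `task/foo` pass this check while having no code owner. Only count lines that carry at least one owner field: `awk '/^[^#]/ && !/^\*[[:space:]]/ && NF >= 2 { print $1 }' "$1"`; `[[:space:]]` also avoids `\s`, which is a GNU awk extension. The check still does not model CODEOWNERS' last-match-wins precedence (an unowned line later in the file overrides an owned one earlier), which is worth a comment so nobody relies on it for that. `mktemp --tmpdir` is likewise GNU-only; `mktemp "${TMPDIR:-/tmp}/codeowners-gitignore.XXXXXX"` works everywhere if this ever runs outside the CI image.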
diff --git a/CODEOWNERS b/CODEOWNERS index f69707bdb7..32691d22f1 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -94,3 +94,7 @@ /task/oci-copy @ralphbean /task/oci-copy-oci-ta @ralphbean + +# These are auto-generated and often require changes when tasks change. +# Allow anyone with write access to approve the changes. +/pipelines/*/README.md From d15c9e1bc1718d6e8f018225d7b1022763244175 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Wed, 4 Dec 2024 16:18:06 +0100 Subject: [PATCH 22/51] CODEOWNERS: add renovate groupName directives And a python script to update renovate.json based on those directives. Signed-off-by: Adam Cmiel --- CODEOWNERS | 15 +++ ...pdate_renovate_json_based_on_codeowners.py | 113 ++++++++++++++++++ 2 files changed, 128 insertions(+) create mode 100755 hack/update_renovate_json_based_on_codeowners.py diff --git a/CODEOWNERS b/CODEOWNERS index 32691d22f1..3997eb7e29 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -2,6 +2,7 @@ * @konflux-ci/build-maintainers +# renovate groupName=build /task/acs-deploy-check @konflux-ci/build-maintainers /task/acs-image-check @konflux-ci/build-maintainers /task/acs-image-scan @konflux-ci/build-maintainers 
@@ -36,15 +37,19 @@ /task/update-infra-deployments @konflux-ci/build-maintainers /task/upload-sbom-to-trustification @konflux-ci/build-maintainers +# renovate groupName=build /task/prefetch-dependencies @konflux-ci/build-maintainers @brunoapimentel @eskultety @taylormadore /task/prefetch-dependencies-oci-ta @konflux-ci/build-maintainers @brunoapimentel @eskultety @taylormadore +# renovate groupName=build /task/generate-labels @konflux-ci/build-maintainers @ralphbean +# renovate groupName=ec /task/tkn-bundle @konflux-ci/ec /task/tkn-bundle-oci-ta @konflux-ci/ec /task/verify-enterprise-contract @konflux-ci/ec +# renovate groupName=integration /task/clair-scan @konflux-ci/integration-service-maintainers /task/clamav-scan @konflux-ci/integration-service-maintainers /task/deprecated-image-check @konflux-ci/integration-service-maintainers @@ -54,6 +59,7 @@ /task/sbom-json-check @konflux-ci/integration-service-maintainers /task/validate-fbc @konflux-ci/integration-service-maintainers +# renovate groupName=integration /task/coverity-availability-check @konflux-ci/integration-service-maintainers @kdudka /task/coverity-availability-check-oci-ta @konflux-ci/integration-service-maintainers @kdudka /task/sast-coverity-check @konflux-ci/integration-service-maintainers @kdudka 
@@ -65,14 +71,18 @@ /task/sast-unicode-check @konflux-ci/integration-service-maintainers @kdudka /task/sast-unicode-check-oci-ta @konflux-ci/integration-service-maintainers @kdudka +# renovate groupName=preflight /task/ecosystem-cert-preflight-checks @acornett21 @bcrochet @komish @skattoju +# renovate groupName=eaas /task/provision-env-with-ephemeral-namespace @amisstea @avi-biton @gbenhaim @omeramsc @yftacherzog +# renovate groupName=rpm-tasks /task/generate-odcs-compose @amisstea @avi-biton @gbenhaim @yftacherzog /task/rpms-signature-scan @amisstea @avi-biton @gbenhaim @yftacherzog /task/verify-signed-rpms @amisstea @avi-biton @gbenhaim @yftacherzog +# renovate groupName=eaas /stepactions/eaas-copy-secrets-to-ephemeral-cluster @amisstea @avi-biton @hmariset @omeramsc @yftacherzog /stepactions/eaas-create-ephemeral-cluster-hypershift-aws @amisstea @avi-biton @hmariset @omeramsc @yftacherzog /stepactions/eaas-get-ephemeral-cluster-credentials @amisstea @avi-biton @hmariset @omeramsc @yftacherzog @@ -80,18 +90,23 @@ /stepactions/eaas-get-supported-ephemeral-cluster-versions @amisstea @avi-biton @hmariset @omeramsc @yftacherzog /task/eaas-provision-space @amisstea @avi-biton @hmariset @omeramsc @yftacherzog +# renovate groupName=build-vm-image /task/build-vm-image @arewm @brianwcook @ralphbean @scoheb +# renovate groupName=rpm-ostree /task/rpm-ostree @cgwalters /task/rpm-ostree-oci-ta @cgwalters +# renovate groupName=opm /task/operator-sdk-generate-bundle @gurnben @jbpratt /task/opm-get-bundle-version @gurnben @jbpratt /task/opm-render-bundles @gurnben @jbpratt +# renovate groupName=maven /task/build-maven-zip @ligangty @yma96 /task/build-maven-zip-oci-ta @ligangty @yma96 +# renovate groupName=oci-copy /task/oci-copy @ralphbean /task/oci-copy-oci-ta @ralphbean diff --git a/hack/update_renovate_json_based_on_codeowners.py b/hack/update_renovate_json_based_on_codeowners.py new file mode 100755 index 0000000000..97f627705b --- /dev/null 
+++ b/hack/update_renovate_json_based_on_codeowners.py 
@@ -0,0 +1,113 @@ +#!/usr/bin/env python +import argparse +import json +import re +from itertools import groupby +from pathlib import Path +from typing import Any, Iterable, Iterator, TypedDict + + +class PackageRule(TypedDict): + groupName: str + matchFileNames: list[str] + + +def get_renovate_packagerules(codeowners_content: str) -> Iterator[PackageRule]: + lines = map(str.strip, codeowners_content.splitlines()) + rules: list[PackageRule] = [] + + for isempty, lines_group in groupby(lines, key=lambda line: not line): + if not isempty and (rule := _process_owner_group(lines_group)): + rules.append(rule) + + rules.sort(key=lambda rule: rule["groupName"]) + + for groupname, rules_group in groupby(rules, key=lambda rule: rule["groupName"]): + merged_patterns = set() + for rule in rules_group: + merged_patterns.update(rule["matchFileNames"]) + yield {"groupName": groupname, "matchFileNames": sorted(merged_patterns)} + + +def _process_owner_group(group: Iterable[str]) -> PackageRule | None: + """Process a group of CODEOWNERS. + + If the group has a '# renovate groupName=' directive, return a packageRules object. + Otherwise, return None. 
+ """ + renovate_directive_pat = re.compile(r"#\s*renovate\s+groupName=(.*)") + + patterns = [] + groupname = None + + for line in group: + if not line.startswith("#"): + pattern, *_ = line.split(maxsplit=1) + patterns.append(pattern) + elif m := renovate_directive_pat.match(line): + groupname = m.group(1) + + if not groupname: + return None + + patterns = list(map(_codeowners_pattern_to_glob_pattern, patterns)) + return {"groupName": groupname, "matchFileNames": patterns} + + + +def _codeowners_pattern_to_glob_pattern(codeowners_pattern: str) -> str: + if codeowners_pattern.startswith("/"): + glob_pattern = codeowners_pattern.lstrip("/") + else: + glob_pattern = f"**/{codeowners_pattern}" + + if not glob_pattern.endswith("**") and any(p.is_dir() for p in Path().glob(glob_pattern)): + glob_pattern += "/**" + + return glob_pattern + + +def merge_to_existing_rules( + existing_rules: Iterable[dict[str, Any]], new_rules: Iterable[PackageRule] +) -> list[dict[str, Any]]: + merged_rules = list(existing_rules) + for new_rule in new_rules: + for i, existing_rule in enumerate(merged_rules): + if existing_rule.get("groupName") == new_rule["groupName"]: + merged_rules[i] = existing_rule | new_rule + break + else: + merged_rules.append(dict(new_rule)) + + return merged_rules + + +def main() -> None: + ap = argparse.ArgumentParser() + ap.add_argument("-o", "--output-file", type=Path) + args = ap.parse_args() + + output_file: Path | None = args.output_file + + codeowners_path = Path("CODEOWNERS") + renovate_json_path = Path("renovate.json") + + codeowners_package_rules = get_renovate_packagerules(codeowners_path.read_text()) + + renovate_json = json.loads(renovate_json_path.read_text()) + + package_rules = merge_to_existing_rules( + renovate_json.get("packageRules", []), + codeowners_package_rules, + ) + + renovate_json["packageRules"] = package_rules + if output_file: + with output_file.open("w") as f: + print(json.dumps(renovate_json, indent=2), file=f) + else: + 
print(json.dumps(renovate_json, indent=2)) + + +if __name__ == "__main__": + main() From fea3a230227a0e452363be615ed6b824e1aceaf0 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Wed, 4 Dec 2024 16:47:17 +0100 Subject: [PATCH 23/51] renovate.json: reformat Align to 2-space indentation everywhere because we'll be making automated changes to the file. Signed-off-by: Adam Cmiel --- renovate.json | 60 +++++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 49 insertions(+), 11 deletions(-) diff --git a/renovate.json b/renovate.json index 6d2a5ab4f2..e905178f7f 100644 --- a/renovate.json +++ b/renovate.json @@ -6,7 +6,10 @@ "dependencyDashboard": false, "prConcurrentLimit": 20, "tekton": { - "fileMatch": ["\\.yaml$", "\\.yml$"], + "fileMatch": [ + "\\.yaml$", + "\\.yml$" + ], "includePaths": [ ".tekton/**", "task/**", @@ -30,7 +33,14 @@ "registry.access.redhat.com/rh-syft-tech-preview/syft-rhel9" ], "groupName": "build", - "reviewers": ["mmorhun", "tkdchen", "rcerven", "mkosiarc", "brunoapimentel", "chmeliik"] + "reviewers": [ + "mmorhun", + "tkdchen", + "rcerven", + "mkosiarc", + "brunoapimentel", + "chmeliik" + ] }, { "matchPackagePrefixes": [ @@ -40,7 +50,10 @@ "registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel8" ], "groupName": "ec", - "reviewers": ["zregvart", "lcarva"] + "reviewers": [ + "zregvart", + "lcarva" + ] }, { "matchPackageNames": [ @@ -49,14 +62,27 @@ "quay.io/konflux-ci/clamav-db" ], "groupName": "integration", - "reviewers": ["dirgim", "hongweiliu17", "jsztuka", "Josh-Everett", " 14rcole", "chipspeak", "dheerajodha", "kasemAlem", "jencull", "sonam1412"] + "reviewers": [ + "dirgim", + "hongweiliu17", + "jsztuka", + "Josh-Everett", + " 14rcole", + "chipspeak", + "dheerajodha", + "kasemAlem", + "jencull", + "sonam1412" + ] }, { "matchPackageNames": [ "quay.io/opdev/preflight" ], "groupName": "preflight", - "reviewers": ["skattoju"] + "reviewers": [ + "skattoju" + ] }, { "matchPackagePrefixes": [ 
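Review bot: `merge_to_existing_rules` folds `matchFileNames` into an existing rule that already carries `matchPackageNames`/`matchPackagePrefixes` (the `build`, `ec`, `integration` and `preflight` rules, visible in the renovate.json hunks at L106-L107), and if I read Renovate's packageRules semantics correctly all `match*` fields of one rule must hold together, so those groups would stop applying to matching images referenced outside the listed `task/...` directories even though the tekton manager's `includePaths` also covers `.tekton/**` and `pipelines/**`; if that narrowing is not intended, append the CODEOWNERS-derived rule as a separate entry instead of `existing_rule | new_rule`. `_codeowners_pattern_to_glob_pattern` decides whether to append `/**` by probing the current working directory with `Path().glob`, so the output depends on where the script is run from and on whether the path exists in the checkout; resolve the globs against the directory containing CODEOWNERS (pass `codeowners_path.parent` down and use `root.glob(glob_pattern)`), and document in the docstring that a pattern with no matching directory is emitted as a plain file glob. The directive regex `r"#\s*renovate\s+groupName=(.*)"` captures anything up to end of line and writes it unvalidated into `groupName`; anchoring it, `r"#\s*renovate\s+groupName=(\S+)$"`, rejects trailing text. The shebang `#!/usr/bin/env python` should be `#!/usr/bin/env python3`, since the file uses `X | None` annotations (3.10+) and a bare `python` is not guaranteed to exist.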
@@ -64,13 +90,19 @@ "registry.access.redhat.com", "docker.io" ], - "schedule": ["on monday and wednesday"], + "schedule": [ + "on monday and wednesday" + ], "groupName": "shared" }, { "groupName": "github-actions", - "matchManagers": ["github-actions"], - "schedule": ["on monday"] + "matchManagers": [ + "github-actions" + ], + "schedule": [ + "on monday" + ] }, { "matchPackageNames": [ @@ -86,7 +118,9 @@ "customManagers": [ { "customType": "regex", - "fileMatch": ["^task/[\\w-]+/[0-9.]+/[\\w-]+\\.yaml$"], + "fileMatch": [ + "^task/[\\w-]+/[0-9.]+/[\\w-]+\\.yaml$" + ], "matchStrings": [ "value: (?quay\\.io/konflux-ci/buildah[^:]*):(?[^@]*)@(?sha256:[a-f0-9]{64})" ], @@ -95,8 +129,12 @@ }, { "customType": "regex", - "fileMatch": [".github/workflows/run-task-tests.yaml"], - "matchStrings": ["ref:\\s+(?[a-f0-9]{40})"], + "fileMatch": [ + ".github/workflows/run-task-tests.yaml" + ], + "matchStrings": [ + "ref:\\s+(?[a-f0-9]{40})" + ], "currentValueTemplate": "main", "depNameTemplate": "konflux-ci", "packageNameTemplate": "https://github.com/konflux-ci/konflux-ci", From e7521ef6739eefde4a23358faee9feca722dd908 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Wed, 4 Dec 2024 18:51:12 +0100 Subject: [PATCH 24/51] renovate.json: update based on CODEOWNERS Signed-off-by: Adam Cmiel --- renovate.json | 121 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 121 insertions(+) diff --git a/renovate.json b/renovate.json index e905178f7f..d3719f172f 100644 --- a/renovate.json +++ b/renovate.json 
@@ -40,6 +40,44 @@ "mkosiarc", "brunoapimentel", "chmeliik" + ], + "matchFileNames": [ + "task/acs-deploy-check/**", + "task/acs-image-check/**", + "task/acs-image-scan/**", + "task/apply-tags/**", + "task/build-image-index/**", + "task/build-image-manifest/**", + "task/buildah-10gb/**", + "task/buildah-20gb/**", + "task/buildah-24gb/**", + "task/buildah-6gb/**", + "task/buildah-8gb/**", + "task/buildah-min/**", + "task/buildah-oci-ta/**", + "task/buildah-remote-oci-ta/**", + "task/buildah-remote/**", + "task/buildah-rhtap/**", + "task/buildah/**", + "task/download-sbom-from-url-in-attestation/**", + "task/gather-deploy-images/**", + "task/generate-labels/**", + "task/git-clone-oci-ta/**", + "task/git-clone/**", + "task/init/**", + "task/prefetch-dependencies-oci-ta/**", + "task/prefetch-dependencies/**", + "task/push-dockerfile-oci-ta/**", + "task/push-dockerfile/**", + "task/show-sbom-rhdh/**", + "task/show-sbom/**", + "task/slack-webhook-notification/**", + "task/source-build-oci-ta/**", + "task/source-build/**", + "task/summary/**", + "task/update-deployment/**", + "task/update-infra-deployments/**", + "task/upload-sbom-to-trustification/**" ] }, { @@ -53,6 +91,11 @@ "reviewers": [ "zregvart", "lcarva" + ], + "matchFileNames": [ + "task/tkn-bundle-oci-ta/**", + "task/tkn-bundle/**", + "task/verify-enterprise-contract/**" ] }, { 
@@ -73,6 +116,26 @@ "kasemAlem", "jencull", "sonam1412" + ], + "matchFileNames": [ + "task/clair-scan/**", + "task/clamav-scan/**", + "task/coverity-availability-check-oci-ta/**", + "task/coverity-availability-check/**", + "task/deprecated-image-check/**", + "task/fbc-related-image-check/**", + "task/fbc-validation/**", + "task/inspect-image/**", + "task/sast-coverity-check-oci-ta/**", + "task/sast-coverity-check/**", + "task/sast-shell-check-oci-ta/**", + "task/sast-shell-check/**", + "task/sast-snyk-check-oci-ta/**", + "task/sast-snyk-check/**", + "task/sast-unicode-check-oci-ta/**", + "task/sast-unicode-check/**", + "task/sbom-json-check/**", + "task/validate-fbc/**" ] }, { @@ -82,6 +145,9 @@ "groupName": "preflight", "reviewers": [ "skattoju" + ], + "matchFileNames": [ + "task/ecosystem-cert-preflight-checks/**" ] }, { 
@@ -110,6 +176,61 @@ ], "enabled": false, "groupName": "ignore" + }, + { + "groupName": "build-vm-image", + "matchFileNames": [ + "task/build-vm-image/**" + ] + }, + { + "groupName": "eaas", + "matchFileNames": [ + "stepactions/eaas-copy-secrets-to-ephemeral-cluster/**", + "stepactions/eaas-create-ephemeral-cluster-hypershift-aws/**", + "stepactions/eaas-get-ephemeral-cluster-credentials/**", + "stepactions/eaas-get-latest-openshift-version-by-prefix/**", + "stepactions/eaas-get-supported-ephemeral-cluster-versions/**", + "task/eaas-provision-space/**", + "task/provision-env-with-ephemeral-namespace/**" + ] + }, + { + "groupName": "maven", + "matchFileNames": [ + "task/build-maven-zip-oci-ta/**", + "task/build-maven-zip/**" + ] + }, + { + "groupName": "oci-copy", + "matchFileNames": [ + "task/oci-copy-oci-ta/**", + "task/oci-copy/**" + ] + }, + { + "groupName": "opm", + "matchFileNames": [ + "task/operator-sdk-generate-bundle/**", + "task/opm-get-bundle-version/**", + "task/opm-render-bundles/**" + ] + }, + { + "groupName": "rpm-ostree", + "matchFileNames": [ + "task/rpm-ostree-oci-ta/**", + "task/rpm-ostree/**" + ] + }, + { + "groupName": "rpm-tasks", + "matchFileNames": [ + "task/generate-odcs-compose/**", + "task/rpms-signature-scan/**", + "task/verify-signed-rpms/**" + ] } ], "postUpdateOptions": [ From 80bb1d2340268d1135eac5b3e9a518aefa18bd92 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Wed, 4 Dec 2024 18:52:49 +0100 Subject: [PATCH 25/51] renovate.json: drop reviewers They will be assigned based on CODEOWNERS Signed-off-by: Adam Cmiel --- renovate.json | 27 --------------------------- 1 file changed, 27 deletions(-) diff --git a/renovate.json b/renovate.json index d3719f172f..176fa6dbe7 100644 --- a/renovate.json +++ b/renovate.json 
@@ -33,14 +33,6 @@ "registry.access.redhat.com/rh-syft-tech-preview/syft-rhel9" ], "groupName": "build", - "reviewers": [ - "mmorhun", - "tkdchen", - "rcerven", - "mkosiarc", - "brunoapimentel", - "chmeliik" - ], "matchFileNames": [ "task/acs-deploy-check/**", "task/acs-image-check/**", @@ -88,10 +80,6 @@ "registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel8" ], "groupName": "ec", - "reviewers": [ - "zregvart", - "lcarva" - ], "matchFileNames": [ "task/tkn-bundle-oci-ta/**", "task/tkn-bundle/**", @@ -105,18 +93,6 @@ "quay.io/konflux-ci/clamav-db" ], "groupName": "integration", - "reviewers": [ - "dirgim", - "hongweiliu17", - "jsztuka", - "Josh-Everett", - " 14rcole", - "chipspeak", - "dheerajodha", - "kasemAlem", - "jencull", - "sonam1412" - ], "matchFileNames": [ "task/clair-scan/**", "task/clamav-scan/**", @@ -143,9 +119,6 @@ "quay.io/opdev/preflight" ], "groupName": "preflight", - "reviewers": [ - "skattoju" - ], "matchFileNames": [ "task/ecosystem-cert-preflight-checks/**" ] From 92020c1015afcc994ec3f7d1bc24aae7565392f0 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Wed, 4 Dec 2024 18:48:45 +0100 Subject: [PATCH 26/51] CI: check renovate.json groups against CODEOWNERS Make sure the groups will stay up to date with CODEOWNERS Signed-off-by: Adam Cmiel --- .github/workflows/check-task-owners.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/.github/workflows/check-task-owners.yaml b/.github/workflows/check-task-owners.yaml index fe2685b207..9a12930019 100644 --- a/.github/workflows/check-task-owners.yaml +++ b/.github/workflows/check-task-owners.yaml 
@@ -13,3 +13,22 @@ jobs: - name: Check task owners run: | ./hack/check-task-owners.sh + + - name: Check renovate.json groups + run: | + #!/bin/bash + set -euo pipefail + + renovate_content=$(cat renovate.json) + ./hack/update_renovate_json_based_on_codeowners.py -o renovate.json + + uptodate=$(jq --argjson previous "$renovate_content" '$previous == .' renovate.json) + echo "renovate.json is up to date: $uptodate" + + if [[ $uptodate == false ]]; then + echo + git --no-pager diff -- renovate.json + echo + echo "To apply the updates, run: ./hack/update_renovate_json_based_on_codeowners.py -o renovate.json" + exit 1 + fi From b93fba3b5d9fa9bd3db1ae170412d1bdcef264fe Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Fri, 6 Dec 2024 16:33:22 +0100 Subject: [PATCH 27/51] Remove opm tasks' OWNERS files We use CODEOWNERS instead now. Signed-off-by: Adam Cmiel --- task/operator-sdk-generate-bundle/OWNERS | 7 ------- task/opm-get-bundle-version/OWNERS | 6 ------ task/opm-render-bundles/OWNERS | 7 ------- 3 files changed, 20 deletions(-) delete mode 100644 task/operator-sdk-generate-bundle/OWNERS delete mode 100644 task/opm-get-bundle-version/OWNERS delete mode 100644 task/opm-render-bundles/OWNERS diff --git a/task/operator-sdk-generate-bundle/OWNERS b/task/operator-sdk-generate-bundle/OWNERS deleted file mode 100644 index b8c9b567aa..0000000000 --- a/task/operator-sdk-generate-bundle/OWNERS +++ /dev/null @@ -1,7 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: -- jbpratt -- gurnben -reviewers: -- jbpratt -- gurnben diff --git a/task/opm-get-bundle-version/OWNERS b/task/opm-get-bundle-version/OWNERS deleted file mode 100644 index 54bf30ad65..0000000000 --- a/task/opm-get-bundle-version/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -approvers: -- jbpratt -- gurnben -reviewers: -- jbpratt -- gurnben diff --git a/task/opm-render-bundles/OWNERS b/task/opm-render-bundles/OWNERS deleted file mode 100644 index b8c9b567aa..0000000000 
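Review bot: The new step compares the regenerated file with jq's structural equality (`'$previous == .'`), so a renovate.json that differs from the generator's output only in formatting passes the check while the working tree is left modified; `git --no-pager diff --exit-code -- renovate.json` after running the generator both detects any divergence and prints it, and makes the `$renovate_content` round-trip unnecessary. The `#!/bin/bash` line inside `run: |` is only a comment to the runner, which already executes the block with bash; if bash semantics are relied on, `shell: bash` on the step is the explicit form. The job and its checkout step start outside the hunk, so whether the generator runs from the repository root (which it assumes, opening `CODEOWNERS` and `renovate.json` by relative path) cannot be confirmed here.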
--- a/task/opm-render-bundles/OWNERS +++ /dev/null @@ -1,7 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: -- jbpratt -- gurnben -reviewers: -- jbpratt -- gurnben From 8d21af1b44635ba09b828808d11d3b7d6d896626 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Fri, 6 Dec 2024 16:33:21 +0100 Subject: [PATCH 28/51] Remove maven tasks' OWNERS files We use CODEOWNERS instead now. Signed-off-by: Adam Cmiel --- task/build-maven-zip-oci-ta/OWNERS | 5 ----- task/build-maven-zip/OWNERS | 5 ----- 2 files changed, 10 deletions(-) delete mode 100644 task/build-maven-zip-oci-ta/OWNERS delete mode 100644 task/build-maven-zip/OWNERS diff --git a/task/build-maven-zip-oci-ta/OWNERS b/task/build-maven-zip-oci-ta/OWNERS deleted file mode 100644 index f6b0d684ad..0000000000 --- a/task/build-maven-zip-oci-ta/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - spmm-team -reviewers: - - spmm-team \ No newline at end of file diff --git a/task/build-maven-zip/OWNERS b/task/build-maven-zip/OWNERS deleted file mode 100644 index 890ac12991..0000000000 --- a/task/build-maven-zip/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - spmm-team -reviewers: - - spmm-team From 2b4b3a89bc8c08f2cfde6e3786f84b1a71cd08b4 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Fri, 6 Dec 2024 16:33:21 +0100 Subject: [PATCH 29/51] Remove eaas tasks' OWNERS files We use CODEOWNERS instead now. 
Signed-off-by: Adam Cmiel --- stepactions/eaas-copy-secrets-to-ephemeral-cluster/OWNERS | 8 -------- .../eaas-create-ephemeral-cluster-hypershift-aws/OWNERS | 8 -------- stepactions/eaas-get-ephemeral-cluster-credentials/OWNERS | 8 -------- .../eaas-get-latest-openshift-version-by-prefix/OWNERS | 8 -------- .../eaas-get-supported-ephemeral-cluster-versions/OWNERS | 8 -------- task/eaas-provision-space/OWNERS | 8 -------- task/provision-env-with-ephemeral-namespace/OWNERS | 8 -------- 7 files changed, 56 deletions(-) delete mode 100644 stepactions/eaas-copy-secrets-to-ephemeral-cluster/OWNERS delete mode 100644 stepactions/eaas-create-ephemeral-cluster-hypershift-aws/OWNERS delete mode 100644 stepactions/eaas-get-ephemeral-cluster-credentials/OWNERS delete mode 100644 stepactions/eaas-get-latest-openshift-version-by-prefix/OWNERS delete mode 100644 stepactions/eaas-get-supported-ephemeral-cluster-versions/OWNERS delete mode 100644 task/eaas-provision-space/OWNERS delete mode 100644 task/provision-env-with-ephemeral-namespace/OWNERS diff --git a/stepactions/eaas-copy-secrets-to-ephemeral-cluster/OWNERS b/stepactions/eaas-copy-secrets-to-ephemeral-cluster/OWNERS deleted file mode 100644 index 02ba027134..0000000000 --- a/stepactions/eaas-copy-secrets-to-ephemeral-cluster/OWNERS +++ /dev/null @@ -1,8 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- amisstea -- omeramsc -- avi-biton -- yftacherzog -- hmariset diff --git a/stepactions/eaas-create-ephemeral-cluster-hypershift-aws/OWNERS b/stepactions/eaas-create-ephemeral-cluster-hypershift-aws/OWNERS deleted file mode 100644 index 02ba027134..0000000000 --- a/stepactions/eaas-create-ephemeral-cluster-hypershift-aws/OWNERS +++ /dev/null @@ -1,8 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- amisstea -- omeramsc -- avi-biton -- yftacherzog -- hmariset 
diff --git a/stepactions/eaas-get-ephemeral-cluster-credentials/OWNERS b/stepactions/eaas-get-ephemeral-cluster-credentials/OWNERS deleted file mode 100644 index 02ba027134..0000000000 --- a/stepactions/eaas-get-ephemeral-cluster-credentials/OWNERS +++ /dev/null @@ -1,8 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- amisstea -- omeramsc -- avi-biton -- yftacherzog -- hmariset diff --git a/stepactions/eaas-get-latest-openshift-version-by-prefix/OWNERS b/stepactions/eaas-get-latest-openshift-version-by-prefix/OWNERS deleted file mode 100644 index 02ba027134..0000000000 --- a/stepactions/eaas-get-latest-openshift-version-by-prefix/OWNERS +++ /dev/null @@ -1,8 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- amisstea -- omeramsc -- avi-biton -- yftacherzog -- hmariset diff --git a/stepactions/eaas-get-supported-ephemeral-cluster-versions/OWNERS b/stepactions/eaas-get-supported-ephemeral-cluster-versions/OWNERS deleted file mode 100644 index 02ba027134..0000000000 --- a/stepactions/eaas-get-supported-ephemeral-cluster-versions/OWNERS +++ /dev/null @@ -1,8 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- amisstea -- omeramsc -- avi-biton -- yftacherzog -- hmariset diff --git a/task/eaas-provision-space/OWNERS b/task/eaas-provision-space/OWNERS deleted file mode 100644 index 02ba027134..0000000000 --- a/task/eaas-provision-space/OWNERS +++ /dev/null @@ -1,8 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- amisstea -- omeramsc -- avi-biton -- yftacherzog -- hmariset diff --git a/task/provision-env-with-ephemeral-namespace/OWNERS b/task/provision-env-with-ephemeral-namespace/OWNERS deleted file mode 100644 index 711cda3d63..0000000000 --- a/task/provision-env-with-ephemeral-namespace/OWNERS +++ /dev/null @@ -1,8 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- gbenhaim -- omeramsc -- amisstea -- avi-biton -- yftacherzog 
From c5c4757838546cb5b1ec5a3ac58f7c44b8cbb34f Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Fri, 6 Dec 2024 16:33:20 +0100 Subject: [PATCH 30/51] Remove build-vm-image tasks' OWNERS files We use CODEOWNERS instead now. Signed-off-by: Adam Cmiel --- task/build-vm-image/OWNERS | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 task/build-vm-image/OWNERS diff --git a/task/build-vm-image/OWNERS b/task/build-vm-image/OWNERS deleted file mode 100644 index ee96080120..0000000000 --- a/task/build-vm-image/OWNERS +++ /dev/null @@ -1,7 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- arewm -- brianwcook -- ralphbean -- scoheb From e812ee1c9ab855cc15d7718999d07909f741fb51 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Fri, 6 Dec 2024 16:33:19 +0100 Subject: [PATCH 31/51] Remove integration tasks' OWNERS files We use CODEOWNERS instead now. 
Signed-off-by: Adam Cmiel --- task/clair-scan/OWNERS | 5 ----- task/clamav-scan/OWNERS | 5 ----- task/coverity-availability-check-oci-ta/OWNERS | 6 ------ task/coverity-availability-check/OWNERS | 6 ------ task/deprecated-image-check/OWNERS | 5 ----- task/fbc-related-image-check/OWNERS | 5 ----- task/fbc-validation/OWNERS | 5 ----- task/inspect-image/OWNERS | 5 ----- task/sast-coverity-check-oci-ta/OWNERS | 6 ------ task/sast-coverity-check/OWNERS | 6 ------ task/sast-shell-check-oci-ta/OWNERS | 6 ------ task/sast-shell-check/OWNERS | 6 ------ task/sast-snyk-check-oci-ta/OWNERS | 5 ----- task/sast-snyk-check/OWNERS | 6 ------ task/sast-unicode-check-oci-ta/OWNERS | 5 ----- task/sast-unicode-check/OWNERS | 6 ------ task/sbom-json-check/OWNERS | 5 ----- task/validate-fbc/OWNERS | 6 ------ 18 files changed, 99 deletions(-) delete mode 100644 task/clair-scan/OWNERS delete mode 100644 task/clamav-scan/OWNERS delete mode 100644 task/coverity-availability-check-oci-ta/OWNERS delete mode 100644 task/coverity-availability-check/OWNERS delete mode 100644 task/deprecated-image-check/OWNERS delete mode 100644 task/fbc-related-image-check/OWNERS delete mode 100644 task/fbc-validation/OWNERS delete mode 100644 task/inspect-image/OWNERS delete mode 100644 task/sast-coverity-check-oci-ta/OWNERS delete mode 100644 task/sast-coverity-check/OWNERS delete mode 100644 task/sast-shell-check-oci-ta/OWNERS delete mode 100644 task/sast-shell-check/OWNERS delete mode 100644 task/sast-snyk-check-oci-ta/OWNERS delete mode 100644 task/sast-snyk-check/OWNERS delete mode 100644 task/sast-unicode-check-oci-ta/OWNERS delete mode 100644 task/sast-unicode-check/OWNERS delete mode 100644 task/sbom-json-check/OWNERS delete mode 100644 task/validate-fbc/OWNERS diff --git a/task/clair-scan/OWNERS b/task/clair-scan/OWNERS deleted file mode 100644 index 27203edec2..0000000000 --- a/task/clair-scan/OWNERS +++ /dev/null 
@@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team diff --git a/task/clamav-scan/OWNERS b/task/clamav-scan/OWNERS deleted file mode 100644 index 27203edec2..0000000000 --- a/task/clamav-scan/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team diff --git a/task/coverity-availability-check-oci-ta/OWNERS b/task/coverity-availability-check-oci-ta/OWNERS deleted file mode 100644 index 4f4bc81c01..0000000000 --- a/task/coverity-availability-check-oci-ta/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team - - kdudka diff --git a/task/coverity-availability-check/OWNERS b/task/coverity-availability-check/OWNERS deleted file mode 100644 index 4f4bc81c01..0000000000 --- a/task/coverity-availability-check/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team - - kdudka diff --git a/task/deprecated-image-check/OWNERS b/task/deprecated-image-check/OWNERS deleted file mode 100644 index 27203edec2..0000000000 --- a/task/deprecated-image-check/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team diff --git a/task/fbc-related-image-check/OWNERS b/task/fbc-related-image-check/OWNERS deleted file mode 100644 index 27203edec2..0000000000 --- a/task/fbc-related-image-check/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team diff --git a/task/fbc-validation/OWNERS b/task/fbc-validation/OWNERS deleted file mode 100644 index 27203edec2..0000000000 --- a/task/fbc-validation/OWNERS +++ /dev/null 
@@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team diff --git a/task/inspect-image/OWNERS b/task/inspect-image/OWNERS deleted file mode 100644 index 27203edec2..0000000000 --- a/task/inspect-image/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team diff --git a/task/sast-coverity-check-oci-ta/OWNERS b/task/sast-coverity-check-oci-ta/OWNERS deleted file mode 100644 index 4f4bc81c01..0000000000 --- a/task/sast-coverity-check-oci-ta/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team - - kdudka diff --git a/task/sast-coverity-check/OWNERS b/task/sast-coverity-check/OWNERS deleted file mode 100644 index 4f4bc81c01..0000000000 --- a/task/sast-coverity-check/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team - - kdudka diff --git a/task/sast-shell-check-oci-ta/OWNERS b/task/sast-shell-check-oci-ta/OWNERS deleted file mode 100644 index 4f4bc81c01..0000000000 --- a/task/sast-shell-check-oci-ta/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team - - kdudka diff --git a/task/sast-shell-check/OWNERS b/task/sast-shell-check/OWNERS deleted file mode 100644 index 4f4bc81c01..0000000000 --- a/task/sast-shell-check/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team - - kdudka diff --git a/task/sast-snyk-check-oci-ta/OWNERS b/task/sast-snyk-check-oci-ta/OWNERS deleted file mode 100644 index 27203edec2..0000000000 --- a/task/sast-snyk-check-oci-ta/OWNERS +++ /dev/null 
@@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team diff --git a/task/sast-snyk-check/OWNERS b/task/sast-snyk-check/OWNERS deleted file mode 100644 index 4f4bc81c01..0000000000 --- a/task/sast-snyk-check/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team - - kdudka diff --git a/task/sast-unicode-check-oci-ta/OWNERS b/task/sast-unicode-check-oci-ta/OWNERS deleted file mode 100644 index 27203edec2..0000000000 --- a/task/sast-unicode-check-oci-ta/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team diff --git a/task/sast-unicode-check/OWNERS b/task/sast-unicode-check/OWNERS deleted file mode 100644 index 4f4bc81c01..0000000000 --- a/task/sast-unicode-check/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team - - kdudka diff --git a/task/sbom-json-check/OWNERS b/task/sbom-json-check/OWNERS deleted file mode 100644 index 27203edec2..0000000000 --- a/task/sbom-json-check/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team diff --git a/task/validate-fbc/OWNERS b/task/validate-fbc/OWNERS deleted file mode 100644 index 06c39544a4..0000000000 --- a/task/validate-fbc/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team - From 0fe2a0c3591d8d8590fcc158ed5275748c798445 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Fri, 6 Dec 2024 16:33:24 +0100 Subject: [PATCH 32/51] Remove rpm-related tasks' OWNERS files We use CODEOWNERS instead now. 
Signed-off-by: Adam Cmiel --- task/generate-odcs-compose/OWNERS | 7 ------- task/rpms-signature-scan/OWNERS | 7 ------- task/verify-signed-rpms/OWNERS | 7 ------- 3 files changed, 21 deletions(-) delete mode 100644 task/generate-odcs-compose/OWNERS delete mode 100644 task/rpms-signature-scan/OWNERS delete mode 100644 task/verify-signed-rpms/OWNERS diff --git a/task/generate-odcs-compose/OWNERS b/task/generate-odcs-compose/OWNERS deleted file mode 100644 index eb271a7024..0000000000 --- a/task/generate-odcs-compose/OWNERS +++ /dev/null @@ -1,7 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- gbenhaim -- avi-biton -- amisstea -- yftacherzog diff --git a/task/rpms-signature-scan/OWNERS b/task/rpms-signature-scan/OWNERS deleted file mode 100644 index eb271a7024..0000000000 --- a/task/rpms-signature-scan/OWNERS +++ /dev/null @@ -1,7 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- gbenhaim -- avi-biton -- amisstea -- yftacherzog diff --git a/task/verify-signed-rpms/OWNERS b/task/verify-signed-rpms/OWNERS deleted file mode 100644 index eb271a7024..0000000000 --- a/task/verify-signed-rpms/OWNERS +++ /dev/null @@ -1,7 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- gbenhaim -- avi-biton -- amisstea -- yftacherzog From ee6f8bf185d4694d089b3b2bb4acf4f023f83b76 Mon Sep 17 00:00:00 2001 From: Gang Li Date: Fri, 6 Dec 2024 22:37:52 +0800 Subject: [PATCH 33/51] fix: update maven-zip-build pipelines with recent template-build change The template-build has added several sast tasks, which breaks the maven-zip-build pipelines. This commit has fixed the pipelines accordingly. Signed-off-by: Gang Li --- pipelines/maven-zip-build-oci-ta/README.md | 111 +++++++++++--------- pipelines/maven-zip-build-oci-ta/patch.yaml | 75 ++++++++++++- pipelines/maven-zip-build/README.md | 79 ++++++++------ pipelines/maven-zip-build/patch.yaml | 76 +++++++++++--- 4 files changed, 241 insertions(+), 100 deletions(-) 
diff --git a/pipelines/maven-zip-build-oci-ta/README.md b/pipelines/maven-zip-build-oci-ta/README.md index 6d198d8992..bfd837141c 100644 --- a/pipelines/maven-zip-build-oci-ta/README.md +++ b/pipelines/maven-zip-build-oci-ta/README.md @@ -16,13 +16,6 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |skip-checks| Skip checks against built image| false| init:0.2:skip-checks| ## Available params from tasks -### apply-tags:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | -|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | -|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### build-maven-zip-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -33,6 +26,13 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |PREFETCH_ROOT| The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts.| maven-repository| |
 |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
 |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
+### coverity-availability-check-oci-ta:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| |
+|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'|
+|COV_LICENSE| Name of secret which contains the Coverity license| cov-license| |
+|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'|
 ### git-clone-oci-ta:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
@@ -74,23 +74,48 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |log-level| Set cachi2 log level (debug, info, warning, error)| info| | |ociArtifactExpiresAfter| Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.| | '$(params.image-expires-after)'| |ociStorage| The OCI repository where the Trusted Artifacts are stored.| None| '$(params.output-image).prefetch'| -### push-dockerfile:0.1 task parameters +### sast-coverity-check-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|COV_ANALYZE_ARGS| Arguments to be appended to the cov-analyze command| --enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096| | +|COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | +|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | +|KFP_GIT_URL| URL from repository to download known false positives files| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Write excluded records in file. 
Useful for auditing (defaults to false).| false| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to report findings for.| None| '$(tasks.build-oci-artifact.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-oci-artifact.results.IMAGE_URL)'| +### sast-shell-check-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| -|ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | -|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| -|DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| -|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| -|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | -### rpms-signature-scan:0.2 task parameters +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|IMP_FINDINGS_ONLY| Whether to include important findings only| true| | +|KFP_GIT_URL| git repository to download known false positives files from| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (default to false). 
If `true`, the excluded findings will be stored in `excluded-findings.json`. | false| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to report findings for.| | '$(tasks.build-oci-artifact.results.IMAGE_DIGEST)'| +|image-url| Image URL.| | '$(tasks.build-oci-artifact.results.IMAGE_URL)'| +### sast-shell-check-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| -|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | -|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to scan| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| -|image-url| Image URL| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|IMP_FINDINGS_ONLY| Whether to include important findings only| true| | +|KFP_GIT_URL| git repository to download known false positives files from| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (default to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. 
| false| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to report findings for.| | '$(tasks.build-oci-artifact.results.IMAGE_DIGEST)'| +|image-url| Image URL.| | '$(tasks.build-oci-artifact.results.IMAGE_URL)'| ### sast-snyk-check-oci-ta:0.3 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -105,17 +130,6 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
 |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
 |image-url| Image URL.| | '$(tasks.build-oci-artifact.results.IMAGE_URL)'|
-### sast-unicode-check:0.1 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|FIND_UNICODE_CONTROL_ARGS| arguments for find-unicode-control command.| -p bidi -v -d -t| |
-|FIND_UNICODE_CONTROL_GIT_URL| URL from repository to find unicode control.| https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58| |
-|KFP_GIT_URL| URL from repository to download known false positives files.| | |
-|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | |
-|RECORD_EXCLUDED| Whether to record the excluded findings (defaults to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. | false| |
-|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
-|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
-|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'|
 ### show-sbom:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
@@ -135,10 +149,15 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 ### build-maven-zip-oci-ta:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
-|IMAGE_DIGEST| Digest of the OCI-Artifact just built| sast-snyk-check:0.3:image-digest|
+|IMAGE_DIGEST| Digest of the OCI-Artifact just built| sast-snyk-check:0.3:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest|
 |IMAGE_REF| OCI-Artifact reference of the built OCI-Artifact| |
-|IMAGE_URL| OCI-Artifact repository and tag where the built OCI-Artifact was pushed| show-sbom:0.1:IMAGE_URL ; sast-snyk-check:0.3:image-url|
+|IMAGE_URL| OCI-Artifact repository and tag where the built OCI-Artifact was pushed| show-sbom:0.1:IMAGE_URL ; sast-snyk-check:0.3:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url|
 |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
+### coverity-availability-check-oci-ta:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|STATUS| Tekton task simple status to be later checked| |
+|TEST_OUTPUT| Tekton task result output.| |
 ### git-clone-oci-ta:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
@@ -156,23 +175,21 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-oci-artifact:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT| -|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| sast-snyk-check:0.3:SOURCE_ARTIFACT| -### push-dockerfile:0.1 task results +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-oci-artifact:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT ; sast-coverity-check:0.1:CACHI2_ARTIFACT ; coverity-availability-check:0.1:CACHI2_ARTIFACT ; sast-shell-check:0.1:CACHI2_ARTIFACT ; sast-unicode-check:0.1:CACHI2_ARTIFACT| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| sast-snyk-check:0.3:SOURCE_ARTIFACT ; sast-coverity-check:0.1:SOURCE_ARTIFACT ; coverity-availability-check:0.1:SOURCE_ARTIFACT ; sast-shell-check:0.1:SOURCE_ARTIFACT ; sast-unicode-check:0.1:SOURCE_ARTIFACT| +### sast-coverity-check-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | -### rpms-signature-scan:0.2 task results +|TEST_OUTPUT| Tekton task test output.| | +### sast-shell-check-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGES_PROCESSED| Images processed in the task.| | -|RPMS_DATA| Information about signed and unsigned RPMs| | |TEST_OUTPUT| Tekton task test output.| | -### sast-snyk-check-oci-ta:0.3 task results +### sast-shell-check-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) 
|---|---|---| |TEST_OUTPUT| Tekton task test output.| | -### sast-unicode-check:0.1 task results +### sast-snyk-check-oci-ta:0.3 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |TEST_OUTPUT| Tekton task test output.| | @@ -182,7 +199,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| |netrc| |True| prefetch-dependencies:0.1:netrc| -|workspace| |False| sast-unicode-check:0.1:workspace ; push-dockerfile:0.1:workspace| +|workspace| |False| | ## Available workspaces from tasks ### git-clone-oci-ta:0.1 task workspaces |name|description|optional|workspace from pipeline @@ -194,11 +211,3 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---|---| |git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True| git-auth| |netrc| Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True| netrc| -### push-dockerfile:0.1 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace| -### sast-unicode-check:0.1 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|workspace| | False| workspace| diff --git a/pipelines/maven-zip-build-oci-ta/patch.yaml b/pipelines/maven-zip-build-oci-ta/patch.yaml index 5114c4b058..a6f7fc2409 100644 --- a/pipelines/maven-zip-build-oci-ta/patch.yaml +++ b/pipelines/maven-zip-build-oci-ta/patch.yaml 
@@ -15,6 +15,7 @@
 "pipelines.openshift.io/used-by": "build-cloud"
 "pipelines.openshift.io/runtime": "generic"
 "pipelines.openshift.io/strategy": "maven-zip"
+
 # clone-repository Task
 - op: replace
 path: /spec/tasks/1/taskRef/name
@@ -31,6 +32,7 @@
 value: $(params.image-expires-after)
 - op: remove
 path: /spec/tasks/1/workspaces/0
+
 # prefetch-dependencies Task
 - op: replace
 path: /spec/tasks/2/taskRef/name
@@ -54,7 +56,8 @@
 path: /spec/tasks/2/workspaces/0
 - op: remove
 path: /spec/tasks/2/when
-# Replace build-maven-zip task by build-maven-zip-oci-ta task
+
+# build-oci-artifact
 - op: replace
 path: /spec/tasks/3/taskRef
 value:
@@ -67,6 +70,7 @@
 value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
 - op: remove
 path: /spec/tasks/3/workspaces/0
+
 # sast-snyk-check
 - op: replace
 path: /spec/tasks/4/taskRef/name
@@ -85,6 +89,75 @@
 value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
 - op: remove
 path: /spec/tasks/4/workspaces/0
+
+# coverity-availability-check
+- op: replace
+ path: /spec/tasks/6/taskRef/name
+ value: coverity-availability-check-oci-ta
+- op: add
+ path: /spec/tasks/6/params/-
+ value:
+ name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+- op: add
+ path: /spec/tasks/6/params/-
+ value:
+ name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+
+# sast-coverity-check
+- op: replace
+ path: /spec/tasks/5/taskRef/name
+ value: sast-coverity-check-oci-ta
+- op: add
+ path: /spec/tasks/5/params/-
+ value:
+ name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+- op: add
+ path: /spec/tasks/5/params/-
+ value:
+ name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+- op: remove
+ path: /spec/tasks/5/workspaces/0
+- op: remove
+ path: /spec/tasks/6/workspaces/0
+
+# sast-shell-check
+- op: replace
+ path: /spec/tasks/7/taskRef/name
+ value: sast-shell-check-oci-ta
+- op: add
+ path: /spec/tasks/7/params/-
+ value:
+ name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+- op: add
+ path: /spec/tasks/7/params/-
+ value:
+ name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+- op: remove
+ path: /spec/tasks/7/workspaces/0
+
+# sast-unicode-check
+- op: replace
+ path: /spec/tasks/8/taskRef/name
+ value: sast-shell-check-oci-ta
+- op: add
+ path: /spec/tasks/8/params/-
+ value:
+ name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+- op: add
+ path: /spec/tasks/8/params/-
+ value:
+ name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+- op: remove
+ path: /spec/tasks/8/workspaces/0
+
 # show-summary
 # This Task relies on a shared workspace for some of its functionality.
Although optional, it raises
 # the question of how valuable this Task actually is. Rather than add Trusted Artifacts support for
diff --git a/pipelines/maven-zip-build/README.md b/pipelines/maven-zip-build/README.md
index 067bdbc9bc..403387103a 100644
--- a/pipelines/maven-zip-build/README.md
+++ b/pipelines/maven-zip-build/README.md
@@ -16,13 +16,6 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |skip-checks| Skip checks against built image| false| init:0.2:skip-checks|
 ## Available params from tasks
-### apply-tags:0.1 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| |
-|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
-|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
-|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'|
 ### build-maven-zip:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
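Review bot: The `# sast-unicode-check` block at the end of the patch.yaml hunk sets `/spec/tasks/8/taskRef/name` to `sast-shell-check-oci-ta`, so the pipeline task still named sast-unicode-check would run the shell checker a second time and no unicode check at all. The README generated in this same commit already reflects it: `### sast-shell-check-oci-ta:0.1 task parameters` and the matching results heading each appear twice, and there is no section for a unicode-check Trusted-Artifacts task. The value line should be `value: <unicode-check TA task name — placeholder>`, or the taskRef replace should be dropped if no such task exists yet, rather than pointing at a different scanner. A smaller point of style: the `- op: remove` for `/spec/tasks/6/workspaces/0` sits under the `# sast-coverity-check` comment although task 6 is coverity-availability-check; moving it up to that block keeps each comment honest. The three trailing context lines belong to the show-summary section, which continues outside the hunk.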
@@ -32,6 +25,11 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |PREFETCH_ROOT| The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts.| maven-repository| |
 |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
 |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
+### coverity-availability-check:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| |
+|COV_LICENSE| Name of secret which contains the Coverity license| cov-license| |
 ### git-clone:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
@@ -71,23 +69,31 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false| | |input| Configures project packages that will have their dependencies prefetched.| None| '$(params.prefetch-input)'| |log-level| Set cachi2 log level (debug, info, warning, error)| info| | -### push-dockerfile:0.1 task parameters +### sast-coverity-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| -|ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | -|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| -|DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| -|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| -|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | -### rpms-signature-scan:0.2 task parameters +|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | +|COV_ANALYZE_ARGS| Arguments to be appended to the cov-analyze command| --enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096| | +|COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | +|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | +|KFP_GIT_URL| URL from repository to download known false positives files| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. 
By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to report findings for.| None| '$(tasks.build-oci-artifact.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-oci-artifact.results.IMAGE_URL)'| +### sast-shell-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| -|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | -|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to scan| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| -|image-url| Image URL| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | +|IMP_FINDINGS_ONLY| Whether to include important findings only| true| | +|KFP_GIT_URL| git repository to download known false positives files from| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (default to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. 
| false| |
+|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
+|image-digest| Image digest to report findings for.| | '$(tasks.build-oci-artifact.results.IMAGE_DIGEST)'|
+|image-url| Image URL.| | '$(tasks.build-oci-artifact.results.IMAGE_URL)'|
 ### sast-snyk-check:0.3 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
@@ -110,7 +116,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |RECORD_EXCLUDED| Whether to record the excluded findings (defaults to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. | false| |
 |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
 |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
-|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'|
+|image-url| Image URL.| | '$(tasks.build-oci-artifact.results.IMAGE_URL)'|
 ### show-sbom:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
@@ -137,10 +143,15 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 ### build-maven-zip:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
-|IMAGE_DIGEST| Digest of the OCI-Artifact just built| sast-snyk-check:0.3:image-digest|
+|IMAGE_DIGEST| Digest of the OCI-Artifact just built| sast-snyk-check:0.3:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest|
 |IMAGE_REF| OCI-Artifact reference of the built OCI-Artifact| |
-|IMAGE_URL| OCI-Artifact repository and tag where the built OCI-Artifact was pushed| show-sbom:0.1:IMAGE_URL ; sast-snyk-check:0.3:image-url|
+|IMAGE_URL| OCI-Artifact repository and tag where the built OCI-Artifact was pushed| show-sbom:0.1:IMAGE_URL ; sast-snyk-check:0.3:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url|
 |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
+### coverity-availability-check:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|STATUS| Tekton task simple status to be later checked| |
+|TEST_OUTPUT| Tekton task result output.| |
 ### git-clone:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
@@ -154,15 +165,13 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
 |build| Defines if the image in param image-url should be built| |
-### push-dockerfile:0.1 task results
+### sast-coverity-check:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
-|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| |
-### rpms-signature-scan:0.2 task results
+|TEST_OUTPUT| Tekton task test output.| |
+### sast-shell-check:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
-|IMAGES_PROCESSED| Images processed in the task.| |
-|RPMS_DATA| Information about signed and unsigned RPMs| |
 |TEST_OUTPUT| Tekton task test output.| |
 ### sast-snyk-check:0.3 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
@@ -178,12 +187,16 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |---|---|---|---|
 |git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth|
 |netrc| |True| prefetch-dependencies:0.1:netrc|
-|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-oci-artifact:0.1:source ; sast-snyk-check:0.3:workspace ; sast-unicode-check:0.1:workspace ; push-dockerfile:0.1:workspace|
+|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-oci-artifact:0.1:source ; sast-snyk-check:0.3:workspace ; sast-coverity-check:0.1:workspace ; coverity-availability-check:0.1:workspace ; sast-shell-check:0.1:workspace ; sast-unicode-check:0.1:workspace|
 ## Available workspaces from tasks
 ### build-maven-zip:0.1 task workspaces
 |name|description|optional|workspace from pipeline
 |---|---|---|---|
 |source| Workspace containing the source code to build.| False| workspace|
+### coverity-availability-check:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|workspace| | False| workspace|
 ### git-clone:0.1 task workspaces
 |name|description|optional|workspace from pipeline
 |---|---|---|---|
@@ -196,10 +209,14 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True| git-auth|
 |netrc| Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True| netrc|
 |source| Workspace with the source code, cachi2 artifacts will be stored on the workspace as well| False| workspace|
-### push-dockerfile:0.1 task workspaces
+### sast-coverity-check:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|workspace| | False| workspace|
+### sast-shell-check:0.1 task workspaces
 |name|description|optional|workspace from pipeline
 |---|---|---|---|
-|workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace|
+|workspace| | False| workspace|
 ### sast-snyk-check:0.3 task workspaces
 |name|description|optional|workspace from pipeline
 |---|---|---|---|
diff --git a/pipelines/maven-zip-build/patch.yaml b/pipelines/maven-zip-build/patch.yaml
index a05243b9f0..1f1fa7e22d 100644
--- a/pipelines/maven-zip-build/patch.yaml
+++ b/pipelines/maven-zip-build/patch.yaml
@@ -46,26 +46,31 @@
 value: "generic"
 # Remove unused tasks
 # kustomize build pipelines/template-build/ | yq ".spec.tasks.[].name" | nl -v 0
-# 0 init
-# 1 clone-repository
-# 2 prefetch-dependencies
-# 3 build-container
-# 4 build-image-index
-# 5 build-source-image
-# 6 deprecated-base-image-check
-# 7 clair-scan
-# 8 ecosystem-cert-preflight-checks
-# 9 sast-snyk-check
-# 10 clamav-scan
-# 11 apply-tags
-# 12 push-dockerfile
-# 13 rpms-signature-scan
+# 0 init
+# 1 clone-repository
+# 2 prefetch-dependencies
+# 3 build-container
+# 4 build-image-index
+# 5 build-source-image
+# 6 deprecated-base-image-check
+# 7 clair-scan
+# 8 ecosystem-cert-preflight-checks
+# 9 sast-snyk-check
+# 10 clamav-scan
+# 11 sast-coverity-check
+# 12 coverity-availability-check
+# 13 sast-shell-check
+# 14 sast-unicode-check
+# 15 apply-tags
+# 16 push-dockerfile
+# 17 rpms-signature-scan
+
 - op: remove
- path: /spec/tasks/13 # rpms-signature-scan
+ path: /spec/tasks/17 # rpms-signature-scan
 - op: remove
- path: /spec/tasks/12 # push-dockerfile
+ path: /spec/tasks/16 # push-dockerfile
 - op: remove
- path: /spec/tasks/11 # apply-tags
+ path: /spec/tasks/15 # apply-tags
 - op: remove
 path: /spec/tasks/10 # clamav-scan
 - op: remove
@@ -112,6 +117,43 @@ path: /spec/tasks/4/runAfter value: - build-oci-artifact +# Replace the params set and runAfter of sast-coverity-check +- op: replace + path: /spec/tasks/5/params/0/value + value: "$(tasks.build-oci-artifact.results.IMAGE_DIGEST)" +- op: replace + path: /spec/tasks/5/params/1/value + value: "$(tasks.build-oci-artifact.results.IMAGE_URL)" +# Replace the params set and runAfter of coverity-availability-check +- op: replace + path: /spec/tasks/6/params/0/value + value: "$(tasks.build-oci-artifact.results.IMAGE_DIGEST)" +- op: replace + path: /spec/tasks/6/params/1/value + value: "$(tasks.build-oci-artifact.results.IMAGE_URL)" +- op: replace + path: /spec/tasks/6/runAfter + value: + - build-oci-artifact +# Replace the params set and runAfter of sast-shell-check +- op: replace + path: /spec/tasks/7/params/0/value + value: "$(tasks.build-oci-artifact.results.IMAGE_DIGEST)" +- op: replace + path: /spec/tasks/7/params/1/value + value: "$(tasks.build-oci-artifact.results.IMAGE_URL)" +- op: replace + path: /spec/tasks/7/runAfter + value: + - build-oci-artifact +# Replace the params set and runAfter of sast-unicode-check +- op: replace + path: /spec/tasks/8/params/0/value + value: "$(tasks.build-oci-artifact.results.IMAGE_URL)" +- op: replace + path: /spec/tasks/8/runAfter + value: + - build-oci-artifact # change pipeline results - op: replace path: /spec/results/0/value From d6a5e8faca86431c99372c4c683b837e59c8bb57 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Fri, 6 Dec 2024 16:33:20 +0100 Subject: [PATCH 34/51] Remove preflight tasks' OWNERS files We use CODEOWNERS instead now. Signed-off-by: Adam Cmiel --- task/ecosystem-cert-preflight-checks/OWNERS | 11 ----------- 1 file changed, 11 deletions(-) delete mode 100644 task/ecosystem-cert-preflight-checks/OWNERS diff --git a/task/ecosystem-cert-preflight-checks/OWNERS b/task/ecosystem-cert-preflight-checks/OWNERS deleted file mode 100644 index 167186ef1c..0000000000 
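Review bot: The comment `# Replace the params set and runAfter of sast-coverity-check` announces a runAfter replacement for `/spec/tasks/5`, but only `params/0` and `params/1` are replaced, whereas tasks 6, 7 and 8 each also get a `runAfter` op; either the comment should drop `and runAfter`, or an op mirroring the one for task 6 is missing. If sast-coverity-check is meant to keep its template `runAfter` (for instance because it already chains on coverity-availability-check), the comment should say so, as the inconsistency otherwise reads as an oversight. The positional `params/0` / `params/1` paths also assume the template's parameter order (IMAGE_DIGEST then IMAGE_URL, and IMAGE_URL alone for task 8); a `replace` on a missing path should fail at build time, but a reordered parameter would silently swap the two values, so a short comment naming the expected order would help.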
--- a/task/ecosystem-cert-preflight-checks/OWNERS +++ /dev/null @@ -1,11 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - skattoju - - acornett21 - - bcrochet - - komish -reviewers: - - skattoju - - acornett21 - - bcrochet - - komish From acd4f75c5bae810a17fbcca0f83d08539748edf2 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 6 Dec 2024 15:58:06 +0000 Subject: [PATCH 35/51] chore(deps): update konflux-ci digest to 69fd3b5 --- .github/workflows/run-task-tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-task-tests.yaml b/.github/workflows/run-task-tests.yaml index 75955db3d1..269687d3a0 100644 --- a/.github/workflows/run-task-tests.yaml +++ b/.github/workflows/run-task-tests.yaml @@ -39,7 +39,7 @@ jobs: with: repository: 'konflux-ci/konflux-ci' path: konflux-ci - ref: 888974e37be2a415f3c3e9b2e73d9246dec8eef2 + ref: 69fd3b5aaaf42100de366918b4943c90b6cf7194 - name: Create k8s Kind Cluster if: steps.changed-dirs.outputs.any_changed == 'true' From 6b72e2823653242f0381d8470bca02a8172b87bf Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 6 Dec 2024 15:58:15 +0000 Subject: [PATCH 36/51] chore(deps): update rpm-tasks --- task/generate-odcs-compose/0.1/generate-odcs-compose.yaml | 2 +- task/generate-odcs-compose/0.2/generate-odcs-compose.yaml | 2 +- task/rpms-signature-scan/0.1/rpms-signature-scan.yaml | 4 ++-- task/rpms-signature-scan/0.2/rpms-signature-scan.yaml | 4 ++-- task/verify-signed-rpms/0.1/verify-signed-rpms.yaml | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml index 6022da7ed3..eb4737e765 100644 --- a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml +++ b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml 
@@ -21,7 +21,7 @@ spec: description: Directory to write the result .repo files. steps: - name: generate-odcs-compose - image: quay.io/redhat-appstudio/tools@sha256:87c71bdc6f1925de3566fe9ff7237ce122063f5972f533722868b84fb5616b61 + image: quay.io/redhat-appstudio/tools@sha256:6676c661b5d56faa1b377218c32d2825571a9e275c32f77e521376580f4a2f4a env: - name: CLIENT_ID valueFrom: diff --git a/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml index c2f4ca4f3f..9eed809b00 100644 --- a/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml +++ b/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml @@ -21,7 +21,7 @@ spec: description: Directory to write the result .repo files. steps: - name: generate-odcs-compose - image: quay.io/redhat-appstudio/tools@sha256:87c71bdc6f1925de3566fe9ff7237ce122063f5972f533722868b84fb5616b61 + image: quay.io/redhat-appstudio/tools@sha256:6676c661b5d56faa1b377218c32d2825571a9e275c32f77e521376580f4a2f4a env: - name: CLIENT_ID valueFrom: diff --git a/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml b/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml index b38f3a9104..c85f6a3d7c 100644 --- a/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml +++ b/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml @@ -48,7 +48,7 @@ spec: optional: true steps: - name: rpms-signature-scan - image: quay.io/redhat-appstudio/tools@sha256:87c71bdc6f1925de3566fe9ff7237ce122063f5972f533722868b84fb5616b61 + image: quay.io/redhat-appstudio/tools@sha256:6676c661b5d56faa1b377218c32d2825571a9e275c32f77e521376580f4a2f4a volumeMounts: - name: workdir mountPath: "$(params.workdir)" 
@@ -76,7 +76,7 @@ spec: --fail-unsigned "${FAIL_UNSIGNED}" \ --workdir "${WORKDIR}" \ - name: output-results - image: quay.io/redhat-appstudio/konflux-test:v1.4.8@sha256:2224fabdb0a28a415d4af4c58ae53d7c4c53c83c315f12e07d1d7f48a80bfa70 + image: quay.io/redhat-appstudio/konflux-test:v1.4.9@sha256:eee855e60b437d9a55a30e63f2eb7f95d9fd6d3b111c32cac8730c9b7a071394 volumeMounts: - name: workdir mountPath: "$(params.workdir)" diff --git a/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml b/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml index 92b17d565f..66ceb5f4a8 100644 --- a/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml +++ b/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml @@ -44,7 +44,7 @@ spec: optional: true steps: - name: rpms-signature-scan - image: quay.io/redhat-appstudio/tools@sha256:87c71bdc6f1925de3566fe9ff7237ce122063f5972f533722868b84fb5616b61 + image: quay.io/redhat-appstudio/tools@sha256:6676c661b5d56faa1b377218c32d2825571a9e275c32f77e521376580f4a2f4a volumeMounts: - name: workdir mountPath: "$(params.workdir)" @@ -69,7 +69,7 @@ spec: --image-digest "${IMAGE_DIGEST}" \ --workdir "${WORKDIR}" \ - name: output-results - image: quay.io/redhat-appstudio/konflux-test:v1.4.8@sha256:2224fabdb0a28a415d4af4c58ae53d7c4c53c83c315f12e07d1d7f48a80bfa70 + image: quay.io/redhat-appstudio/konflux-test:v1.4.9@sha256:eee855e60b437d9a55a30e63f2eb7f95d9fd6d3b111c32cac8730c9b7a071394 volumeMounts: - name: workdir mountPath: "$(params.workdir)" diff --git a/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml b/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml index 3560b39ea3..3cd7bf5768 100644 --- a/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml +++ b/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml 
@@ -48,7 +48,7 @@ spec: --workdir "${WORKDIR}" \ --status-path "${WORKDIR}"/status - name: output-results - image: quay.io/redhat-appstudio/konflux-test:v1.4.8@sha256:2224fabdb0a28a415d4af4c58ae53d7c4c53c83c315f12e07d1d7f48a80bfa70 + image: quay.io/redhat-appstudio/konflux-test:v1.4.9@sha256:eee855e60b437d9a55a30e63f2eb7f95d9fd6d3b111c32cac8730c9b7a071394 volumeMounts: - name: workdir mountPath: "$(params.WORKDIR)" From 84b3cd21b9cc194838dd310fedcc316ea8a4aab4 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 8 Dec 2024 12:08:32 +0000 Subject: [PATCH 37/51] Update maven --- task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml | 4 ++-- task/build-maven-zip/0.1/build-maven-zip.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml b/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml index 17a60f49b1..cb535b9f27 100644 --- a/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml +++ b/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml @@ -94,7 +94,7 @@ spec: - use - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 - name: prepare - image: quay.io/konflux-ci/appstudio-utils@sha256:1f31b6443c7d114cb3b6448136a9ef3730e9c72485e45172fc11c0176a86a267 + image: quay.io/konflux-ci/appstudio-utils@sha256:980a09c9bccb6baaf4e698fc5a10a9f5b477233139a3b2a78fc54124c7599e95 workingDir: /var/workdir script: | #!/bin/bash @@ -132,7 +132,7 @@ spec: add: - SETFCAP - name: build - image: quay.io/konflux-ci/oras:latest@sha256:9d6db5840c70e65fefe041201cc7ffe2d1661bd0582b590b54787213ccfd76e9 + image: quay.io/konflux-ci/oras:latest@sha256:66ccc8c3698304036a42739f6e1836f3399a46645be2d3c5d6d456b9c79fff40 workingDir: /var/workdir volumeMounts: - mountPath: /mnt/trusted-ca diff --git a/task/build-maven-zip/0.1/build-maven-zip.yaml b/task/build-maven-zip/0.1/build-maven-zip.yaml index 44746710d7..3d4394976c 100644 
--- a/task/build-maven-zip/0.1/build-maven-zip.yaml +++ b/task/build-maven-zip/0.1/build-maven-zip.yaml @@ -63,7 +63,7 @@ spec: name: shared steps: - - image: quay.io/konflux-ci/appstudio-utils@sha256:1f31b6443c7d114cb3b6448136a9ef3730e9c72485e45172fc11c0176a86a267 + - image: quay.io/konflux-ci/appstudio-utils@sha256:980a09c9bccb6baaf4e698fc5a10a9f5b477233139a3b2a78fc54124c7599e95 name: prepare computeResources: limits: @@ -102,7 +102,7 @@ spec: add: - SETFCAP workingDir: $(workspaces.source.path) - - image: quay.io/konflux-ci/oras:latest@sha256:9d6db5840c70e65fefe041201cc7ffe2d1661bd0582b590b54787213ccfd76e9 + - image: quay.io/konflux-ci/oras:latest@sha256:66ccc8c3698304036a42739f6e1836f3399a46645be2d3c5d6d456b9c79fff40 name: build computeResources: limits: From cc6cd440b5a5083f9b77d849be253a0b26fe7f87 Mon Sep 17 00:00:00 2001 From: Sushanta Das Date: Fri, 6 Dec 2024 12:42:02 +0530 Subject: [PATCH 38/51] Fix the task validate CI --- .github/workflows/run-task-tests.yaml | 55 +++++++++++++++++++-------- 1 file changed, 39 insertions(+), 16 deletions(-) diff --git a/.github/workflows/run-task-tests.yaml b/.github/workflows/run-task-tests.yaml index 269687d3a0..0493ddb219 100644 --- a/.github/workflows/run-task-tests.yaml +++ b/.github/workflows/run-task-tests.yaml @@ -10,15 +10,16 @@ name: Run Task Tests jobs: run-task-tests: runs-on: ubuntu-22.04 - # Skipping it temporarily till we fix this workflow - if: false steps: - name: Get all changed files in the PR from task directory id: changed-dirs uses: tj-actions/changed-files@v45 with: files: | - task/** + # Any task yaml or script is changed + task/*/*/*.{yaml,sh} + # Any test yaml or script is changed + task/*/*/*/*.{yaml,sh} dir_names: "true" dir_names_max_depth: "3" 
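Review bot: Dropping `if: false` makes this job execute code taken from the PR head — the checkout at `ref: github.event.pull_request.head.sha` (visible in the next hunk's context) feeds `./build-definitions/.github/actions/install-tkn` and `test_tekton_tasks.sh` later in the file — so the job should state its token scope explicitly, e.g. `permissions:` / `  contents: read` under `run-task-tests:`. The workflow's `on:` trigger is outside this hunk; this is the normal pattern for a `pull_request` trigger but would be a problem under `pull_request_target`, so it is worth confirming. Separately, confirm that `tj-actions/changed-files` ignores the `#` lines added inside `files:`; if it does not, they are passed through as patterns.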
@@ -29,12 +30,34 @@ jobs: ref: "${{ github.event.pull_request.head.sha }}" path: build-definitions - - name: Install tkn + - name: Check if tests dir exists for all the tasks changed if: steps.changed-dirs.outputs.any_changed == 'true' + id: tasks-to-be-tested + env: + CHANGED_DIRS: ${{ steps.changed-dirs.outputs.all_changed_files }} + run: | + echo "Task Dirs changed in PR: ${CHANGED_DIRS}" + # Check if tests dir exists under each task dir + TASKS_TO_BE_TESTED=() + for TASK_DIR in ${CHANGED_DIRS}; do + TESTS_DIR=build-definitions/${TASK_DIR}/tests + if [ ! -d $TESTS_DIR ]; then + echo "INFO: tests dir does not exist: $TESTS_DIR" + continue + else + echo "INFO: tests dir exists for task: $TASK_DIR" + TASKS_TO_BE_TESTED+=("$TASK_DIR") + fi + done + echo "Tasks with tests: ${TASKS_TO_BE_TESTED[@]}" + echo "tasklist=${TASKS_TO_BE_TESTED[@]}" >> $GITHUB_OUTPUT + + - name: Install tkn + if: steps.tasks-to-be-tested.outputs.tasklist != '' uses: ./build-definitions/.github/actions/install-tkn - name: Checkout konflux-ci/konflux-ci Repository - if: steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' uses: actions/checkout@v3 with: repository: 'konflux-ci/konflux-ci' 
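Review bot: `if [ ! -d $TESTS_DIR ]; then` and `>> $GITHUB_OUTPUT` leave the expansions unquoted, so a directory name containing whitespace (the values come from PR-controlled paths) or a `GITHUB_OUTPUT` path with spaces would break the test with a bash syntax error rather than a clear message; `if [ ! -d "$TESTS_DIR" ]; then` and `>> "$GITHUB_OUTPUT"` cost nothing. The `else` after `continue` is redundant and can be flattened, which keeps the append on the happy path. The surrounding `steps:` list continues outside this hunk.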
@@ -42,51 +65,51 @@ jobs: ref: 69fd3b5aaaf42100de366918b4943c90b6cf7194 - name: Create k8s Kind Cluster - if: steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' uses: helm/kind-action@v1 with: config: konflux-ci/kind-config.yaml - name: Show version information - if: steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' run: | kubectl version kind version - name: Deploying Dependencies - if: steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' run: | cd $GITHUB_WORKSPACE/konflux-ci ./deploy-deps.sh - name: Wait for the dependencies to be ready - if: steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' run: | cd $GITHUB_WORKSPACE/konflux-ci ./wait-for-all.sh - name: Deploying Konflux - if: steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' run: | cd $GITHUB_WORKSPACE/konflux-ci ./deploy-konflux.sh - name: List namespaces - if: steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' run: | kubectl get namespace - name: Deploy test resources - if: steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' run: | cd $GITHUB_WORKSPACE/konflux-ci ./deploy-test-resources.sh - name: Run the task tests - if: steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' env: - CHANGED_DIRS: ${{ steps.changed-dirs.outputs.all_changed_files }} + TASK_LIST: ${{ steps.tasks-to-be-tested.outputs.tasklist }} run: | - echo "Task Dirs changed in PR: ${CHANGED_DIRS}" + echo "Tasks to be tested: ${TASK_LIST}" cd $GITHUB_WORKSPACE/build-definitions - ./.github/scripts/test_tekton_tasks.sh ${CHANGED_DIRS} + ./.github/scripts/test_tekton_tasks.sh ${TASK_LIST} 
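Review bot: `./.github/scripts/test_tekton_tasks.sh ${TASK_LIST}` relies on word splitting of the unquoted expansion to pass one task directory per argument, which is the opposite of the quoting used elsewhere in this workflow and will look like a mistake to a linter (shellcheck SC2086); a comment such as `# TASK_LIST is intentionally unquoted: one argument per task dir` documents the intent. Quoting the variable instead would pass the whole space-separated list as a single argument, so the comment is the right fix if the script expects separate arguments.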
From 41e17ce0762b5d5b3109eaae0868f3aa5aef200a Mon Sep 17 00:00:00 2001 From: Sushanta Das Date: Mon, 9 Dec 2024 10:29:58 +0530 Subject: [PATCH 39/51] Update .github/workflows/run-task-tests.yaml Co-authored-by: Adam Cmiel --- .github/workflows/run-task-tests.yaml | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/.github/workflows/run-task-tests.yaml b/.github/workflows/run-task-tests.yaml index 0493ddb219..6b91a95279 100644 --- a/.github/workflows/run-task-tests.yaml +++ b/.github/workflows/run-task-tests.yaml @@ -16,10 +16,8 @@ jobs: uses: tj-actions/changed-files@v45 with: files: | - # Any task yaml or script is changed - task/*/*/*.{yaml,sh} - # Any test yaml or script is changed - task/*/*/*/*.{yaml,sh} + # Any task yaml or script (including its tests) is changed + task/**/*.{yaml,sh} dir_names: "true" dir_names_max_depth: "3" From f493263e0430def318edafc489cd00e7c0fc76b6 Mon Sep 17 00:00:00 2001 From: Sushanta Das Date: Mon, 9 Dec 2024 10:30:07 +0530 Subject: [PATCH 40/51] Update .github/workflows/run-task-tests.yaml Co-authored-by: Adam Cmiel --- .github/workflows/run-task-tests.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/run-task-tests.yaml b/.github/workflows/run-task-tests.yaml index 6b91a95279..ae6f294823 100644 --- a/.github/workflows/run-task-tests.yaml +++ b/.github/workflows/run-task-tests.yaml @@ -47,8 +47,8 @@ jobs: TASKS_TO_BE_TESTED+=("$TASK_DIR") fi done - echo "Tasks with tests: ${TASKS_TO_BE_TESTED[@]}" - echo "tasklist=${TASKS_TO_BE_TESTED[@]}" >> $GITHUB_OUTPUT + echo "Tasks with tests: ${TASKS_TO_BE_TESTED[*]}" + echo "tasklist=${TASKS_TO_BE_TESTED[*]}" >> $GITHUB_OUTPUT - name: Install tkn if: steps.tasks-to-be-tested.outputs.tasklist != '' From 919c4591705e6aece859caa5dc8d5e9dff598842 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Fri, 6 Dec 2024 16:33:18 +0100 Subject: [PATCH 41/51] Remove build tasks' OWNERS files We use CODEOWNERS instead now. 
Signed-off-by: Adam Cmiel --- task/acs-deploy-check/OWNERS | 5 ----- task/acs-image-check/OWNERS | 5 ----- task/acs-image-scan/OWNERS | 5 ----- task/apply-tags/OWNERS | 5 ----- task/build-image-index/OWNERS | 5 ----- task/build-image-manifest/OWNERS | 5 ----- task/buildah-10gb/OWNERS | 5 ----- task/buildah-20gb/OWNERS | 5 ----- task/buildah-24gb/OWNERS | 5 ----- task/buildah-6gb/OWNERS | 5 ----- task/buildah-8gb/OWNERS | 5 ----- task/buildah-min/OWNERS | 5 ----- task/buildah-oci-ta/OWNERS | 5 ----- task/buildah-remote-oci-ta/OWNERS | 5 ----- task/buildah-remote/OWNERS | 5 ----- task/buildah-rhtap/OWNERS | 5 ----- task/buildah/OWNERS | 5 ----- task/download-sbom-from-url-in-attestation/OWNERS | 5 ----- task/gather-deploy-images/OWNERS | 5 ----- task/generate-labels/OWNERS | 7 ------- task/git-clone-oci-ta/OWNERS | 5 ----- task/git-clone/OWNERS | 5 ----- task/init/OWNERS | 5 ----- task/prefetch-dependencies-oci-ta/OWNERS | 11 ----------- task/prefetch-dependencies/OWNERS | 11 ----------- task/push-dockerfile-oci-ta/OWNERS | 5 ----- task/push-dockerfile/OWNERS | 5 ----- task/show-sbom-rhdh/OWNERS | 5 ----- task/show-sbom/OWNERS | 5 ----- task/slack-webhook-notification/OWNERS | 5 ----- task/source-build-oci-ta/OWNERS | 5 ----- task/source-build/OWNERS | 5 ----- task/summary/OWNERS | 5 ----- task/update-deployment/OWNERS | 5 ----- task/update-infra-deployments/OWNERS | 5 ----- task/upload-sbom-to-trustification/OWNERS | 5 ----- 36 files changed, 194 deletions(-) delete mode 100644 task/acs-deploy-check/OWNERS delete mode 100644 task/acs-image-check/OWNERS delete mode 100644 task/acs-image-scan/OWNERS delete mode 100644 task/apply-tags/OWNERS delete mode 100644 task/build-image-index/OWNERS delete mode 100644 task/build-image-manifest/OWNERS delete mode 100644 task/buildah-10gb/OWNERS delete mode 100644 task/buildah-20gb/OWNERS delete mode 100644 task/buildah-24gb/OWNERS delete mode 100644 task/buildah-6gb/OWNERS delete mode 100644 task/buildah-8gb/OWNERS delete mode 
100644 task/buildah-min/OWNERS delete mode 100644 task/buildah-oci-ta/OWNERS delete mode 100644 task/buildah-remote-oci-ta/OWNERS delete mode 100644 task/buildah-remote/OWNERS delete mode 100644 task/buildah-rhtap/OWNERS delete mode 100644 task/buildah/OWNERS delete mode 100644 task/download-sbom-from-url-in-attestation/OWNERS delete mode 100644 task/gather-deploy-images/OWNERS delete mode 100644 task/generate-labels/OWNERS delete mode 100644 task/git-clone-oci-ta/OWNERS delete mode 100644 task/git-clone/OWNERS delete mode 100644 task/init/OWNERS delete mode 100644 task/prefetch-dependencies-oci-ta/OWNERS delete mode 100644 task/prefetch-dependencies/OWNERS delete mode 100644 task/push-dockerfile-oci-ta/OWNERS delete mode 100644 task/push-dockerfile/OWNERS delete mode 100644 task/show-sbom-rhdh/OWNERS delete mode 100644 task/show-sbom/OWNERS delete mode 100644 task/slack-webhook-notification/OWNERS delete mode 100644 task/source-build-oci-ta/OWNERS delete mode 100644 task/source-build/OWNERS delete mode 100644 task/summary/OWNERS delete mode 100644 task/update-deployment/OWNERS delete mode 100644 task/update-infra-deployments/OWNERS delete mode 100644 task/upload-sbom-to-trustification/OWNERS diff --git a/task/acs-deploy-check/OWNERS b/task/acs-deploy-check/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/acs-deploy-check/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/acs-image-check/OWNERS b/task/acs-image-check/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/acs-image-check/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/acs-image-scan/OWNERS b/task/acs-image-scan/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/acs-image-scan/OWNERS +++ /dev/null 
@@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/apply-tags/OWNERS b/task/apply-tags/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/apply-tags/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/build-image-index/OWNERS b/task/build-image-index/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/build-image-index/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/build-image-manifest/OWNERS b/task/build-image-manifest/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/build-image-manifest/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-10gb/OWNERS b/task/buildah-10gb/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-10gb/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-20gb/OWNERS b/task/buildah-20gb/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-20gb/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-24gb/OWNERS b/task/buildah-24gb/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-24gb/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-6gb/OWNERS b/task/buildah-6gb/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 
--- a/task/buildah-6gb/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-8gb/OWNERS b/task/buildah-8gb/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-8gb/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-min/OWNERS b/task/buildah-min/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-min/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-oci-ta/OWNERS b/task/buildah-oci-ta/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-oci-ta/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-remote-oci-ta/OWNERS b/task/buildah-remote-oci-ta/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-remote-oci-ta/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-remote/OWNERS b/task/buildah-remote/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-remote/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-rhtap/OWNERS b/task/buildah-rhtap/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-rhtap/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team 
diff --git a/task/buildah/OWNERS b/task/buildah/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/download-sbom-from-url-in-attestation/OWNERS b/task/download-sbom-from-url-in-attestation/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/download-sbom-from-url-in-attestation/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/gather-deploy-images/OWNERS b/task/gather-deploy-images/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/gather-deploy-images/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/generate-labels/OWNERS b/task/generate-labels/OWNERS deleted file mode 100644 index 3d74ca650b..0000000000 --- a/task/generate-labels/OWNERS +++ /dev/null @@ -1,7 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team - - ralphbean -reviewers: - - build-team - - ralphbean diff --git a/task/git-clone-oci-ta/OWNERS b/task/git-clone-oci-ta/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/git-clone-oci-ta/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/git-clone/OWNERS b/task/git-clone/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/git-clone/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/init/OWNERS b/task/init/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/init/OWNERS +++ /dev/null 
@@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/prefetch-dependencies-oci-ta/OWNERS b/task/prefetch-dependencies-oci-ta/OWNERS deleted file mode 100644 index bc865ca681..0000000000 --- a/task/prefetch-dependencies-oci-ta/OWNERS +++ /dev/null @@ -1,11 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team - - eskultety - - brunoapimentel - - taylormadore -reviewers: - - build-team - - eskultety - - brunoapimentel - - taylormadore diff --git a/task/prefetch-dependencies/OWNERS b/task/prefetch-dependencies/OWNERS deleted file mode 100644 index bc865ca681..0000000000 --- a/task/prefetch-dependencies/OWNERS +++ /dev/null @@ -1,11 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team - - eskultety - - brunoapimentel - - taylormadore -reviewers: - - build-team - - eskultety - - brunoapimentel - - taylormadore diff --git a/task/push-dockerfile-oci-ta/OWNERS b/task/push-dockerfile-oci-ta/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/push-dockerfile-oci-ta/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/push-dockerfile/OWNERS b/task/push-dockerfile/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/push-dockerfile/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/show-sbom-rhdh/OWNERS b/task/show-sbom-rhdh/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/show-sbom-rhdh/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/show-sbom/OWNERS b/task/show-sbom/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 
--- a/task/show-sbom/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/slack-webhook-notification/OWNERS b/task/slack-webhook-notification/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/slack-webhook-notification/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/source-build-oci-ta/OWNERS b/task/source-build-oci-ta/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/source-build-oci-ta/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/source-build/OWNERS b/task/source-build/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/source-build/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/summary/OWNERS b/task/summary/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/summary/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/update-deployment/OWNERS b/task/update-deployment/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/update-deployment/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/update-infra-deployments/OWNERS b/task/update-infra-deployments/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/update-infra-deployments/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team 
diff --git a/task/upload-sbom-to-trustification/OWNERS b/task/upload-sbom-to-trustification/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/upload-sbom-to-trustification/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team From e388f17227aaced0ae2b9a8f3adad89577ca5214 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 9 Dec 2024 01:30:44 +0000 Subject: [PATCH 42/51] Update github-actions --- .github/workflows/go-ci.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/go-ci.yaml b/.github/workflows/go-ci.yaml index cab004a2b1..5148aa6ad1 100644 --- a/.github/workflows/go-ci.yaml +++ b/.github/workflows/go-ci.yaml @@ -18,7 +18,7 @@ jobs: go-version-file: './${{matrix.path}}/go.mod' cache-dependency-path: ./${{matrix.path}}/go.sum - name: golangci-lint - uses: golangci/golangci-lint-action@9e66d46e22c9991dbf33ddab82b6b28b69052dec + uses: golangci/golangci-lint-action@0e1fd32b0c0584f0d28eec08848dfd2bf6a909d9 with: working-directory: ${{matrix.path}} args: "--timeout=10m --build-tags='normal periodic'" @@ -84,7 +84,7 @@ jobs: # we let the report trigger content trigger a failure using the GitHub Security features. args: '-tags normal,periodic -no-fail -fmt sarif -out results.sarif ${{matrix.path}}/...' - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@978ed829bdde7389737ac17d6b144aeed5f9bdad + uses: github/codeql-action/upload-sarif@6f9e628e6f9a18c785dd746325ba455111df1b67 with: # Path to SARIF file relative to the root of the repository sarif_file: results.sarif From 40441c117fd8c855947296683548ab2b35e47e19 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 9 Dec 2024 05:22:28 +0000 Subject: [PATCH 43/51] Update github-actions --- .github/workflows/run-task-tests.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/run-task-tests.yaml b/.github/workflows/run-task-tests.yaml index ae6f294823..ad12324560 100644 --- a/.github/workflows/run-task-tests.yaml +++ b/.github/workflows/run-task-tests.yaml @@ -9,7 +9,7 @@ name: Run Task Tests jobs: run-task-tests: - runs-on: ubuntu-22.04 + runs-on: ubuntu-24.04 steps: - name: Get all changed files in the PR from task directory id: changed-dirs @@ -23,7 +23,7 @@ jobs: - name: Checkout build-defintions Repository if: steps.changed-dirs.outputs.any_changed == 'true' - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: "${{ github.event.pull_request.head.sha }}" path: build-definitions @@ -56,7 +56,7 @@ jobs: - name: Checkout konflux-ci/konflux-ci Repository if: steps.tasks-to-be-tested.outputs.tasklist != '' - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: repository: 'konflux-ci/konflux-ci' path: konflux-ci From 7dfec4ab8c77f88d08d6e433aced9c6fe60fb8b9 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 9 Dec 2024 04:27:22 +0000 Subject: [PATCH 44/51] Update konflux-ci digest to 13c9f7f --- .github/workflows/run-task-tests.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/run-task-tests.yaml b/.github/workflows/run-task-tests.yaml index ad12324560..21d276cc00 100644 --- a/.github/workflows/run-task-tests.yaml +++ b/.github/workflows/run-task-tests.yaml @@ -60,7 +60,7 @@ jobs: with: repository: 'konflux-ci/konflux-ci' path: konflux-ci - ref: 69fd3b5aaaf42100de366918b4943c90b6cf7194 + ref: 13c9f7f0f90d615249c8d4d67a18c919b7bb3d95 - name: Create k8s Kind Cluster if: steps.tasks-to-be-tested.outputs.tasklist != '' 
From f642cd3481b21684c42965f2dcbb7aa2618000a9 Mon Sep 17 00:00:00 2001 From: Tomas Nevrlka Date: Wed, 13 Nov 2024 13:21:36 +0100 Subject: [PATCH 45/51] create bundle repos automatically if missing - A check is currently ran checking that every task bundle has its own Quay repository - If the task bundle does not have its own repository, the check will fail and the repository has to be created manually - Automate the repository creation via a task, but only in the on-push pipelinerun (once a PR is approved and merged) for security reasons --- .tekton/pull-request.yaml | 20 ---- .tekton/push.yaml | 23 +++++ .../check-task-pipeline-bundle-repos.sh | 74 -------------- .../create-task-pipeline-bundle-repos.sh | 97 +++++++++++++++++++ 4 files changed, 120 insertions(+), 94 deletions(-) delete mode 100755 .tekton/scripts/check-task-pipeline-bundle-repos.sh create mode 100755 .tekton/scripts/create-task-pipeline-bundle-repos.sh diff --git a/.tekton/pull-request.yaml b/.tekton/pull-request.yaml index 070a9c352c..887babd11c 100644 --- a/.tekton/pull-request.yaml +++ b/.tekton/pull-request.yaml @@ -234,26 +234,6 @@ spec: name: e2e-test # Added a timeout due to https://issues.redhat.com/browse/STONEBLD-2265 timeout: "2h" - - name: check-task-pipeline-repo-existence - when: - - input: "tasks_pipelines" - operator: "in" - values: ["$(tasks.task-switchboard.results.bindings[*])"] - runAfter: - - build-bundles - taskSpec: - steps: - - name: fail-when-repo-is-missed - image: quay.io/konflux-ci/pull-request-builds:appstudio-utils-{{revision}} - workingDir: $(workspaces.source.path)/source - script: | - #!/usr/bin/env bash - .tekton/scripts/check-task-pipeline-bundle-repos.sh - workspaces: - - name: source - workspaces: - - name: source - workspace: workspace - name: ec-task-checks when: - input: "tasks_pipelines" diff --git a/.tekton/push.yaml b/.tekton/push.yaml index 3ad2aa839c..e8cca52499 100644 --- a/.tekton/push.yaml +++ b/.tekton/push.yaml 
@@ -176,6 +176,29 @@ spec: workspaces: - name: source + - name: create-repositories-if-missing + runAfter: + - build-bundles + taskSpec: + steps: + - name: run-create-bundle-repos + image: quay.io/konflux-ci/pull-request-builds:appstudio-utils-{{revision}} + workingDir: $(workspaces.source.path)/source + script: | + #!/usr/bin/env bash + .tekton/scripts/create-task-pipeline-bundle-repos.sh + env: + - name: QUAY_TOKEN + valueFrom: + secretKeyRef: + name: konflux-ci-repo-creator + key: quaytoken + workspaces: + - name: source + workspaces: + - name: source + workspace: workspace + - name: update-infra-repo runAfter: - build-bundles diff --git a/.tekton/scripts/check-task-pipeline-bundle-repos.sh b/.tekton/scripts/check-task-pipeline-bundle-repos.sh deleted file mode 100755 index 74e3f3eaad..0000000000 --- a/.tekton/scripts/check-task-pipeline-bundle-repos.sh +++ /dev/null 
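Review bot: The new `create-repositories-if-missing` task has no `when` clause, so the step that receives the `konflux-ci-repo-creator` token runs on every push, whereas the `check-task-pipeline-repo-existence` task removed from pull-request.yaml in the previous hunk was gated on the `tasks_pipelines` binding from task-switchboard. If push.yaml carries the same switchboard task, the same gate (`when:` with `- input: "tasks_pipelines"`, `operator: "in"`, `values: ["$(tasks.task-switchboard.results.bindings[*])"]`) would limit both the Quay API calls and the token's exposure to runs that actually touched a task or pipeline. The enclosing `tasks:` list starts outside the hunk, so whether that switchboard result exists here cannot be confirmed from this diff.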
@@ -1,74 +0,0 @@ -#!/usr/bin/bash - -set -o errexit -set -o pipefail -set -o nounset - -SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" -cd "$SCRIPTDIR/../.." - -CATALOG_NAMESPACES=( - konflux-ci/tekton-catalog -) - -locate_bundle_repo() { - local -r quay_namespace="$1" - local -r type="$2" - local -r object="$3" - - curl -I -s -L -w "%{http_code}\n" -o /dev/null "https://quay.io/v2/${quay_namespace}/${type}-${object}/tags/list" -} - -locate_in_all_namespaces() { - local -r type="$1" - local -r object="$2" - - local rc=0 - - for quay_namespace in "${CATALOG_NAMESPACES[@]}"; do - found=$(locate_bundle_repo "$quay_namespace" "$type" "$object") - if [ "$found" != "200" ]; then - echo "Missing $type bundle repo: ${quay_namespace}/${type}-${object}" - rc=1 - fi - done - - return "$rc" -} - -has_missing_repo= - -echo "Checking existence of task and pipeline bundle repositories ..." - -# tasks -for task_dir in $(find task/*/*/ -maxdepth 0 -type d); do - if [ ! -f $task_dir/kustomization.yaml ]; then - # expected structure: task/${name}/${version}/${name}.yaml - task_name=$(basename "$(dirname "$task_dir")") - task_name=$(yq < "$task_dir/$task_name.yaml" .metadata.name) - else - task_name=$(oc kustomize "$task_dir" | yq .metadata.name) - fi - - if ! locate_in_all_namespaces task "$task_name"; then - has_missing_repo=yes - fi -done - -# pipelines -pl_names=($(oc kustomize pipelines/ | yq -o json '.metadata.name' | jq -r)) -# Currently, only one pipeline for core services CI -pl_names+=($(oc kustomize pipelines/core-services/ | yq -o json '"core-services-" + .metadata.name' | jq -r)) -for pl_name in ${pl_names[@]}; do - if ! locate_in_all_namespaces pipeline "$pl_name"; then - has_missing_repo=yes - fi -done - -if [ -n "$has_missing_repo" ]; then - echo "Please contact Build team - #forum-konflux-build that the missing repos should be created in:" - echo "- https://quay.io/organization/konflux-ci" - exit 1 -else - echo "Done" -fi 
diff --git a/.tekton/scripts/create-task-pipeline-bundle-repos.sh b/.tekton/scripts/create-task-pipeline-bundle-repos.sh
new file mode 100755
index 0000000000..8e7fd590d0
--- /dev/null
+++ b/.tekton/scripts/create-task-pipeline-bundle-repos.sh
@@ -0,0 +1,97 @@ +#!/usr/bin/bash + +set -o errexit +set -o pipefail +set -o nounset + +SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" +cd "$SCRIPTDIR/../.." + +CATALOG_NAMESPACES=( + konflux-ci/tekton-catalog +) + +locate_bundle_repo() { + local -r quay_namespace="$1" + local -r type="$2" + local -r object="$3" + + curl -I -s -L -w "%{http_code}\n" -o /dev/null "https://quay.io/v2/${quay_namespace}/${type}-${object}/tags/list" +} + +locate_in_all_namespaces() { + local -r type="$1" + local -r object="$2" + + for quay_namespace in "${CATALOG_NAMESPACES[@]}"; do + found=$(locate_bundle_repo "$quay_namespace" "$type" "$object") + + # konflux-ci/tekton-catalog + if [[ $quay_namespace = */* ]]; then + # tekton-catalog/ + quay_repo_prefix="${quay_namespace#*/}/" + # konflux-ci + quay_namespace=${quay_namespace%%/*} + else + quay_repo_prefix="" + fi + + echo "Checking ${quay_namespace}/${quay_repo_prefix}${object}, http code: ${found}" + if [ "$found" != "200" ]; then + echo "Missing $type bundle repo: ${quay_repo_prefix}${object} in ${quay_namespace}, creating..." + payload=$( + jq -n \ + --arg namespace "$quay_namespace" \ + --arg repository "$quay_repo_prefix$object" \ + --arg visibility "public" \ + --arg description "" \ + '$ARGS.named' + ) + if ! err_msg=$(curl --oauth2-bearer "${QUAY_TOKEN}" "https://quay.io/api/v1/repository" --json "$payload" | jq '.error_message // empty'); + then + echo "curl returned an error when creating the repository. See the error above." + exit 1 + fi + + if [ -n "$err_msg" ]; then + echo "Quay returned an error when creating the repository: ${err_msg}" + exit 1 + fi + fi + done +} + +echo "Checking existence of task bundle repositories..." +echo + +# tasks +while IFS= read -r -d '' task_dir +do + if [ ! 
-f "$task_dir"/kustomization.yaml ]; then + # expected structure: task/${name}/${version}/${name}.yaml + task_name=$(basename "$(dirname "$task_dir")") + task_name=$(yq < "$task_dir/$task_name.yaml" .metadata.name) + else + task_name=$(oc kustomize "$task_dir" | yq .metadata.name) + fi + + locate_in_all_namespaces task "$task_name" +done < <(find task/*/*/ -maxdepth 0 -type d -print0) + +echo +echo "Checking existence of pipeline bundle repositories..." +echo + +# pipelines +pl_names=() +# Split by newlines into an array +while IFS=$'\n' read -r line; + do pl_names+=("$line"); +done <<<"$(oc kustomize pipelines/ | yq -o json '.metadata.name' | jq -r)" + +# Currently, only one pipeline for core services CI +pl_names+=("$(oc kustomize pipelines/core-services/ | yq -o json '"core-services-" + .metadata.name' | jq -r)") +for pl_name in "${pl_names[@]}"; do + echo "Checking pipeline: ${pl_name}" + locate_in_all_namespaces pipeline "$pl_name" +done From e20e80ebdae722d05cc3b54f2a43423aaddb2111 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 6 Dec 2024 14:57:26 +0100 Subject: [PATCH 46/51] template-build: fix parmeters of sast-coverity-check ... and coverity-availability-check to make the template work with multiarch builds. Fixes: https://github.com/konflux-ci/build-definitions/pull/1411 Resolves: https://issues.redhat.com/browse/OSH-790 Resolves: https://issues.redhat.com/browse/KFLUXSPRT-847 --- .../docker-build-multi-platform-oci-ta/README.md | 8 ++++---- pipelines/docker-build-oci-ta/README.md | 12 ++++++------ pipelines/docker-build/README.md | 12 ++++++------ pipelines/tekton-bundle-builder/README.md | 12 ++++++------ pipelines/template-build/template-build.yaml | 8 ++++---- 5 files changed, 26 insertions(+), 26 deletions(-) diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md index c278bf28ce..ecc2ac3f9f 100644 --- a/pipelines/docker-build-multi-platform-oci-ta/README.md 
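Review bot: The repository name sent in the creation payload does not match the name the existence check probes: `locate_bundle_repo` requests `${type}-${object}` under the namespace, but `--arg repository "$quay_repo_prefix$object"` omits the `${type}-` prefix, so a missing `task-<name>` repo would be created as `tekton-catalog/<name>`, be reported missing again on the next push, and the repeated creation would presumably then be rejected by Quay as a duplicate and fail the pipeline. The fix is `--arg repository "${quay_repo_prefix}${type}-${object}"`, and the two `echo` lines in the loop should print the same name, e.g. `echo "Missing $type bundle repo: ${quay_repo_prefix}${type}-${object} in ${quay_namespace}, creating..."`. Separately, the `/v2/.../tags/list` probe is unauthenticated, so a repository that exists but is private would likely return a non-200 code and trigger a creation attempt; if every catalog repo is expected to be public, a comment above `locate_bundle_repo` stating that assumption would make the failure mode clear. `found`, `quay_repo_prefix`, `payload` and `err_msg` are assigned without `local` inside `locate_in_all_namespaces`, so declaring them `local` would keep them from leaking into the script's global scope.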
+++ b/pipelines/docker-build-multi-platform-oci-ta/README.md @@ -184,8 +184,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### sast-shell-check-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -253,9 +253,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob 
digest to enable digest-based verification from provenance| | ### buildah-remote-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index 1b078292d5..f9b3f8b35f 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md @@ -181,8 +181,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### sast-shell-check-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -250,16 +250,16 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob 
digest to enable digest-based verification from provenance| | ### buildah-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest| +|IMAGE_DIGEST| Digest of the image just built| | |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index 95afc49114..bf5f15cf5d 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md 
@@ -172,8 +172,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### sast-shell-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -240,16 +240,16 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob 
digest to enable digest-based verification from provenance| | ### buildah:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest| +|IMAGE_DIGEST| Digest of the image just built| | |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | diff --git a/pipelines/tekton-bundle-builder/README.md b/pipelines/tekton-bundle-builder/README.md index 7af3d568ce..650bec2fb3 100644 --- a/pipelines/tekton-bundle-builder/README.md +++ b/pipelines/tekton-bundle-builder/README.md 
@@ -102,8 +102,8 @@ |RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### sast-unicode-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -142,9 +142,9 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| sast-coverity-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| sast-coverity-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### git-clone:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) 
@@ -180,9 +180,9 @@ ### tkn-bundle:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| sast-coverity-check:0.1:image-digest| +|IMAGE_DIGEST| Digest of the image just built| | |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed with tag only| build-image-index:0.1:IMAGES ; sast-coverity-check:0.1:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed with tag only| build-image-index:0.1:IMAGES| ## Workspaces |name|description|optional|used in tasks diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml index 863f8b6451..096f330785 100644 --- a/pipelines/template-build/template-build.yaml +++ b/pipelines/template-build/template-build.yaml @@ -253,9 +253,9 @@ spec: version: "0.1" params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) workspaces: - name: workspace workspace: workspace @@ -271,9 +271,9 @@ spec: version: "0.1" params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) workspaces: - name: workspace workspace: workspace From 815448b76ab11349efe79502e07e537187328fdd Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Mon, 9 Dec 2024 06:36:55 +0100 Subject: [PATCH 47/51] renovate: group .github/workflows/* together We have a custom regex manager for a file in .github/workflows. Group the updates together with other github actions updates. 
Signed-off-by: Adam Cmiel --- renovate.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/renovate.json b/renovate.json index 176fa6dbe7..eb5db54045 100644 --- a/renovate.json +++ b/renovate.json @@ -139,6 +139,9 @@ "matchManagers": [ "github-actions" ], + "matchFileNames": [ + ".github/workflows/**" + ], "schedule": [ "on monday" ] From b58c040a89455ead6d50fc1b8c5c4c96ade83f79 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Mon, 9 Dec 2024 06:42:14 +0100 Subject: [PATCH 48/51] renovate: upgrade appstudio-utils only once a week The appstudio-utils image is built on every push to build-definitions. This creates an infinite loop of Renovate update PRs. The updates are hardly ever relevant. Update the image once a week. Signed-off-by: Adam Cmiel --- renovate.json | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/renovate.json b/renovate.json index eb5db54045..47607284a0 100644 --- a/renovate.json +++ b/renovate.json @@ -18,10 +18,17 @@ ] }, "packageRules": [ + { + "matchPackageNames": [ + "quay.io/konflux-ci/appstudio-utils" + ], + "schedule": [ + "on monday" + ] + }, { "matchPackageNames": [ "quay.io/konflux-ci/pull-request-builds", - "quay.io/konflux-ci/appstudio-utils", "quay.io/konflux-ci/buildah", "quay.io/konflux-ci/source-container-build", "quay.io/redhat-appstudio/e2e-tests", From 27996c92910ff15c28990788f7a7911af9336fbe Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Mon, 9 Dec 2024 06:50:53 +0100 Subject: [PATCH 49/51] renovate: remove the 'shared' group It shouldn't match any updates anymore, we group updates by task file paths now. Signed-off-by: Adam Cmiel --- renovate.json | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/renovate.json b/renovate.json index 47607284a0..70af3f8477 100644 --- a/renovate.json +++ b/renovate.json 
@@ -130,17 +130,6 @@ "task/ecosystem-cert-preflight-checks/**" ] }, - { - "matchPackagePrefixes": [ - "registry.redhat.io", - "registry.access.redhat.com", - "docker.io" - ], - "schedule": [ - "on monday and wednesday" - ], - "groupName": "shared" - }, { "groupName": "github-actions", "matchManagers": [ From 3def877ed54278439312997fee475c9bf48ead92 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Mon, 9 Dec 2024 06:44:26 +0100 Subject: [PATCH 50/51] renovate: move scheduled updates to Sunday https://docs.renovatebot.com/configuration-options/#schedule Schedule: "on Monday" pretty much means "submit PRs all throughout Monday". That means if we merge Renovate PRs on Monday morning, we will still get more throughout the day. Instead, send the scheduled PRs on Sunday so that they're ready for merging on Monday. Note: currently, only GH actions and appstudio-utils updates are on a schedule. Others are unscheduled. Signed-off-by: Adam Cmiel --- renovate.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/renovate.json b/renovate.json index 70af3f8477..ec4332c7d7 100644 --- a/renovate.json +++ b/renovate.json @@ -23,7 +23,7 @@ "quay.io/konflux-ci/appstudio-utils" ], "schedule": [ - "on monday" + "on sunday" ] }, { @@ -139,7 +139,7 @@ ".github/workflows/**" ], "schedule": [ - "on monday" + "on sunday" ] }, { From 677c98052756a96e576c1bec9aa1317a778d37cb Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Fri, 6 Dec 2024 16:33:18 +0100 Subject: [PATCH 51/51] Remove ec-owned tasks' OWNERS files We use CODEOWNERS instead now. Signed-off-by: Adam Cmiel --- task/tkn-bundle-oci-ta/OWNERS | 5 ----- task/tkn-bundle/OWNERS | 5 ----- task/verify-enterprise-contract/OWNERS | 5 ----- 3 files changed, 15 deletions(-) delete mode 100644 task/tkn-bundle-oci-ta/OWNERS delete mode 100644 task/tkn-bundle/OWNERS delete mode 100644 task/verify-enterprise-contract/OWNERS 
diff --git a/task/tkn-bundle-oci-ta/OWNERS b/task/tkn-bundle-oci-ta/OWNERS deleted file mode 100644 index 9058861f0f..0000000000 --- a/task/tkn-bundle-oci-ta/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - ec-team -reviewers: - - ec-team diff --git a/task/tkn-bundle/OWNERS b/task/tkn-bundle/OWNERS deleted file mode 100644 index 9058861f0f..0000000000 --- a/task/tkn-bundle/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - ec-team -reviewers: - - ec-team diff --git a/task/verify-enterprise-contract/OWNERS b/task/verify-enterprise-contract/OWNERS deleted file mode 100644 index 9058861f0f..0000000000 --- a/task/verify-enterprise-contract/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - ec-team -reviewers: - - ec-team