From c63d79342124ab7e7a3a4d849cdfc8e9c43e6643 Mon Sep 17 00:00:00 2001
From: Misha Sugakov
Date: Thu, 16 May 2024 18:34:08 +0200
Subject: [PATCH 1/8] Reformat files in `.tekton/` with GoLand

Just used an IDE command, no other manual changes.
---
 .tekton/collector-pull-request.yaml | 856 +++++++++++-----------
 .tekton/collector-push.yaml | 858 +++++++++++------------
 .tekton/collector-slim-pull-request.yaml | 842 +++++++++++-----------
 .tekton/collector-slim-push.yaml | 844 +++++++++++-----------
 .tekton/determine-image-tag-task.yaml | 24 +-
 5 files changed, 1712 insertions(+), 1712 deletions(-)

diff --git a/.tekton/collector-pull-request.yaml b/.tekton/collector-pull-request.yaml
index 78695b2d6f..4afdc4cf04 100644
--- a/.tekton/collector-pull-request.yaml
+++ b/.tekton/collector-pull-request.yaml
@@ -20,55 +20,55 @@ metadata: spec: params: - - name: dockerfile - value: collector/container/konflux.Dockerfile - - name: git-url - value: '{{repo_url}}' - - name: image-expires-after - value: '13w' - - name: output-image-repo - value: quay.io/rhacs-eng/collector - - name: path-context - value: . - - name: revision - value: '{{revision}}' - - name: rebuild - value: 'true' - # TODO(ROX-20234): Enable hermetic builds - # - name: hermetic - # value: "true" - # No language dependencies are required for collector image. - - name: prefetch-input - value: '' - - name: clone-depth - value: '0' - - name: clone-fetch-tags - value: 'true' - - name: clone-submodules - value: 'true' - - name: build-source-image - value: 'true' - - name: build-target-stage - value: collector + - name: dockerfile + value: collector/container/konflux.Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + value: '13w' + - name: output-image-repo + value: quay.io/rhacs-eng/collector + - name: path-context + value: . + - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + # TODO(ROX-20234): Enable hermetic builds + # - name: hermetic + # value: "true" + # No language dependencies are required for collector image. 
+ - name: prefetch-input + value: '' + - name: clone-depth + value: '0' + - name: clone-fetch-tags + value: 'true' + - name: clone-submodules + value: 'true' + - name: build-source-image + value: 'true' + - name: build-target-stage + value: collector workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - status: { } - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' - - name: subscription-manager-activation-key - secret: - secretName: subscription-manager-activation-key + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + status: { } + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + - name: subscription-manager-activation-key + secret: + secretName: subscription-manager-activation-key # The pipeline regularly takes >1h to finish. timeouts: 
@@ -77,417 +77,417 @@ spec: pipelineSpec: finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: + - name: show-sbom params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - - name: build-task-status - value: $(tasks.build-container.status) - workspaces: - - name: workspace - workspace: workspace - taskRef: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca + - name: kind + value: task + resolver: bundles + - name: show-summary params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 - - name: kind - value: task - resolver: bundles + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + - name: build-task-status + value: $(tasks.build-container.status) + workspaces: + - name: workspace + workspace: workspace + taskRef: + params: + - name: name + value: summary + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 + - name: kind + value: task + resolver: bundles params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Output Image Repository - name: output-image-repo - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. - name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - - default: "true" - description: Initialize and fetch git submodules during cloning of repository. - name: clone-submodules - - default: "false" - description: Build a source image. 
- name: build-source-image - type: string - - default: "" - description: Build stage to target in container build - name: build-target-stage - type: string + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Output Image Repository + name: output-image-repo + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + - default: "true" + description: Initialize and fetch git submodules during cloning of repository. + name: clone-submodules + - default: "false" + description: Build a source image. 
+ name: build-source-image + type: string + - default: "" + description: Build stage to target in container build + name: build-target-stage + type: string results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) workspaces: - - name: workspace - - name: git-auth - - name: subscription-manager-activation-key + - name: workspace + - name: git-auth + - name: subscription-manager-activation-key tasks: - - name: init - params: - - name: image-url - # We can't provide a real tag because it is not known at this time. - # We still provide a fake tag to the task to comply with the expected input. - # Because 'rebuild' is set to true, this has no effect. 
- # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers - value: $(params.output-image-repo):fake-tag - - name: rebuild - value: $(params.rebuild) - taskRef: + - name: init params: - - name: name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef - - name: kind - value: task - resolver: bundles + - name: image-url + # We can't provide a real tag because it is not known at this time. + # We still provide a fake tag to the task to comply with the expected input. + # Because 'rebuild' is set to true, this has no effect. + # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers + value: $(params.output-image-repo):fake-tag + - name: rebuild + value: $(params.rebuild) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef + - name: kind + value: task + resolver: bundles - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: submodules - value: $(params.clone-submodules) - - name: depth - value: "$(params.clone-depth)" - - name: fetchTags - value: "$(params.clone-fetch-tags)" - runAfter: - - init - taskRef: + - name: clone-repository params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: submodules + value: 
$(params.clone-submodules) + - name: depth + value: "$(params.clone-depth)" + - name: fetchTags + value: "$(params.clone-fetch-tags)" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth - - name: determine-image-tag - runAfter: - # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. - - clone-repository - taskRef: - name: determine-image-tag - workspaces: - - name: source - workspace: workspace + - name: determine-image-tag + runAfter: + # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. + - clone-repository + taskRef: + name: determine-image-tag + workspaces: + - name: source + workspace: workspace - - name: prepare-rhel-rpm-subscriptions - runAfter: - - determine-image-tag - workspaces: - - name: source - workspace: workspace - - name: subscription-manager-activation-key - workspace: subscription-manager-activation-key - taskSpec: - steps: - # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. 
- - name: smuggle-activation-key - image: registry.access.redhat.com/ubi8/ubi:latest - script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle + - name: prepare-rhel-rpm-subscriptions + runAfter: + - determine-image-tag + workspaces: + - name: source + workspace: workspace + - name: subscription-manager-activation-key + workspace: subscription-manager-activation-key + taskSpec: + steps: + # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. + - name: smuggle-activation-key + image: registry.access.redhat.com/ubi8/ubi:latest + script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - determine-image-tag - taskRef: + - name: prefetch-dependencies params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 - - name: kind - value: task - resolver: bundles - workspaces: - - name: source - workspace: workspace + - name: input + value: $(params.prefetch-input) + runAfter: + - determine-image-tag + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 + - name: kind + value: task + resolver: bundles + workspaces: + - name: source + workspace: workspace - - name: build-container - params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)-latest - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: 
$(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: TARGET_STAGE - value: $(params.build-target-stage) - runAfter: - - prefetch-dependencies - - prepare-rhel-rpm-subscriptions - taskRef: + - name: build-container params: - - name: name - value: buildah - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: source - workspace: workspace + - name: IMAGE + value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)-latest + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: $(params.build-target-stage) + runAfter: + - prefetch-dependencies + - prepare-rhel-rpm-subscriptions + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: source + workspace: workspace - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(tasks.build-container.results.IMAGE_URL) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: + - name: build-source-image params: - - name: name - 
value: source-build - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - input: $(params.build-source-image) - operator: in - values: [ "true" ] - workspaces: - - name: workspace - workspace: workspace + - name: BINARY_IMAGE + value: $(tasks.build-container.results.IMAGE_URL) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + - input: $(params.build-source-image) + operator: in + values: [ "true" ] + workspaces: + - name: workspace + workspace: workspace - - name: inspect-image - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: + - name: inspect-image params: - - name: name - value: inspect-image - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: source - workspace: workspace + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: inspect-image 
+ - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: source + workspace: workspace - - name: deprecated-base-image-check - params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: + - name: deprecated-base-image-check params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: + - name: clair-scan params: - - name: name - value: clair-scan - - 
name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: workspace - workspace: workspace + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: workspace + workspace: workspace - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: + - name: clamav-scan params: - - 
name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: + - name: sbom-json-check params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] status: { } 
diff --git a/.tekton/collector-push.yaml b/.tekton/collector-push.yaml
index 5ea2174a6a..b927e46398 100644
--- a/.tekton/collector-push.yaml
+++ b/.tekton/collector-push.yaml
@@ -19,56 +19,56 @@ metadata: spec: params: - - name: dockerfile - value: collector/container/konflux.Dockerfile - - name: git-url - value: '{{repo_url}}' - - name: image-expires-after - # TODO(ROX-20230): make release images not expire. - value: '13w' - - name: output-image-repo - value: quay.io/rhacs-eng/collector - - name: path-context - value: . - - name: revision - value: '{{revision}}' - - name: rebuild - value: 'true' - # TODO(ROX-20234): Enable hermetic builds - # - name: hermetic - # value: "true" - # No language dependencies are required for collector image. - - name: prefetch-input - value: '' - - name: clone-submodules - value: 'true' - - name: clone-depth - value: '0' - - name: clone-fetch-tags - value: 'true' - - name: build-source-image - value: 'true' - - name: build-target-stage - value: collector + - name: dockerfile + value: collector/container/konflux.Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + # TODO(ROX-20230): make release images not expire. + value: '13w' + - name: output-image-repo + value: quay.io/rhacs-eng/collector + - name: path-context + value: . + - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + # TODO(ROX-20234): Enable hermetic builds + # - name: hermetic + # value: "true" + # No language dependencies are required for collector image. 
+ - name: prefetch-input + value: '' + - name: clone-submodules + value: 'true' + - name: clone-depth + value: '0' + - name: clone-fetch-tags + value: 'true' + - name: build-source-image + value: 'true' + - name: build-target-stage + value: collector workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - status: { } - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' - - name: subscription-manager-activation-key - secret: - secretName: subscription-manager-activation-key + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + status: { } + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + - name: subscription-manager-activation-key + secret: + secretName: subscription-manager-activation-key # The pipeline regularly takes >1h to finish. timeouts: 
@@ -77,417 +77,417 @@ spec: pipelineSpec: finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: + - name: show-sbom params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - - name: build-task-status - value: $(tasks.build-container.status) - workspaces: - - name: workspace - workspace: workspace - taskRef: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca + - name: kind + value: task + resolver: bundles + - name: show-summary params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 - - name: kind - value: task - resolver: bundles + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + - name: build-task-status + value: $(tasks.build-container.status) + workspaces: + - name: workspace + workspace: workspace + taskRef: + params: + - name: name + value: summary + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 + - name: kind + value: task + resolver: bundles params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Output Image Repo - name: output-image-repo - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. - name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - - default: "true" - description: Initialize and fetch git submodules during cloning of repository. - name: clone-submodules - - default: "false" - description: Build a source image. - name: build-source-image - type: string - - default: "" - description: Build stage to target in container build - name: build-target-stage - type: string + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Output Image Repo + name: output-image-repo + type: string + - default: . 
+ description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + - default: "true" + description: Initialize and fetch git submodules during cloning of repository. + name: clone-submodules + - default: "false" + description: Build a source image. 
+ name: build-source-image + type: string + - default: "" + description: Build stage to target in container build + name: build-target-stage + type: string results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) workspaces: - - name: workspace - - name: git-auth - - name: subscription-manager-activation-key + - name: workspace + - name: git-auth + - name: subscription-manager-activation-key tasks: - - name: init - params: - - name: image-url - # We can't provide a real tag because it is not known at this time. - # We still provide a fake tag to the task to comply with the expected input. - # Because 'rebuild' is set to true, this has no effect. 
- # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers - value: $(params.output-image-repo):fake-tag - - name: rebuild - value: $(params.rebuild) - taskRef: + - name: init params: - - name: name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef - - name: kind - value: task - resolver: bundles + - name: image-url + # We can't provide a real tag because it is not known at this time. + # We still provide a fake tag to the task to comply with the expected input. + # Because 'rebuild' is set to true, this has no effect. + # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers + value: $(params.output-image-repo):fake-tag + - name: rebuild + value: $(params.rebuild) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef + - name: kind + value: task + resolver: bundles - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: submodules - value: $(params.clone-submodules) - - name: depth - value: "$(params.clone-depth)" - - name: fetchTags - value: "$(params.clone-fetch-tags)" - runAfter: - - init - taskRef: + - name: clone-repository params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: submodules + value: 
$(params.clone-submodules) + - name: depth + value: "$(params.clone-depth)" + - name: fetchTags + value: "$(params.clone-fetch-tags)" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth - - name: determine-image-tag - runAfter: - # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. - - clone-repository - taskRef: - name: determine-image-tag - workspaces: - - name: source - workspace: workspace + - name: determine-image-tag + runAfter: + # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. + - clone-repository + taskRef: + name: determine-image-tag + workspaces: + - name: source + workspace: workspace - - name: prepare-rhel-rpm-subscriptions - runAfter: - - determine-image-tag - workspaces: - - name: source - workspace: workspace - - name: subscription-manager-activation-key - workspace: subscription-manager-activation-key - taskSpec: - steps: - # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. 
- - name: smuggle-activation-key - image: registry.access.redhat.com/ubi8/ubi:latest - script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle + - name: prepare-rhel-rpm-subscriptions + runAfter: + - determine-image-tag + workspaces: + - name: source + workspace: workspace + - name: subscription-manager-activation-key + workspace: subscription-manager-activation-key + taskSpec: + steps: + # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. + - name: smuggle-activation-key + image: registry.access.redhat.com/ubi8/ubi:latest + script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - determine-image-tag - taskRef: + - name: prefetch-dependencies params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 - - name: kind - value: task - resolver: bundles - workspaces: - - name: source - workspace: workspace + - name: input + value: $(params.prefetch-input) + runAfter: + - determine-image-tag + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 + - name: kind + value: task + resolver: bundles + workspaces: + - name: source + workspace: workspace - - name: build-container - params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)-latest - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: 
$(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: TARGET_STAGE - value: $(params.build-target-stage) - runAfter: - - prefetch-dependencies - - prepare-rhel-rpm-subscriptions - taskRef: + - name: build-container params: - - name: name - value: buildah - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: source - workspace: workspace + - name: IMAGE + value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)-latest + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: $(params.build-target-stage) + runAfter: + - prefetch-dependencies + - prepare-rhel-rpm-subscriptions + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: source + workspace: workspace - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(tasks.build-container.results.IMAGE_URL) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: + - name: build-source-image params: - - name: name - 
value: source-build - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - input: $(params.build-source-image) - operator: in - values: [ "true" ] - workspaces: - - name: workspace - workspace: workspace + - name: BINARY_IMAGE + value: $(tasks.build-container.results.IMAGE_URL) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + - input: $(params.build-source-image) + operator: in + values: [ "true" ] + workspaces: + - name: workspace + workspace: workspace - - name: inspect-image - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: + - name: inspect-image params: - - name: name - value: inspect-image - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: source - workspace: workspace + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: inspect-image 
+ - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: source + workspace: workspace - - name: deprecated-base-image-check - params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: + - name: deprecated-base-image-check params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: + - name: clair-scan params: - - name: name - value: clair-scan - - 
name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: workspace - workspace: workspace + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: workspace + workspace: workspace - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: + - name: clamav-scan params: - - 
name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: + - name: sbom-json-check params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] status: { } 
diff --git a/.tekton/collector-slim-pull-request.yaml b/.tekton/collector-slim-pull-request.yaml index dfcf2ed436..d0dd34d0be 100644 --- a/.tekton/collector-slim-pull-request.yaml +++ b/.tekton/collector-slim-pull-request.yaml 
@@ -20,53 +20,53 @@ metadata: spec: params: - - name: dockerfile - value: collector/container/konflux.Dockerfile - - name: git-url - value: '{{repo_url}}' - - name: image-expires-after - value: '13w' - - name: output-image-repo - value: quay.io/rhacs-eng/collector - - name: path-context - value: . - - name: revision - value: '{{revision}}' - - name: rebuild - value: 'true' - # TODO(ROX-20234): Enable hermetic builds - # - name: hermetic - # value: "true" - # No language dependencies are required for collector image. - - name: prefetch-input - value: '' - - name: build-source-image - value: 'true' - - name: build-target-stage - value: collector-slim - - name: clone-depth - value: '0' - - name: clone-fetch-tags - value: 'true' + - name: dockerfile + value: collector/container/konflux.Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + value: '13w' + - name: output-image-repo + value: quay.io/rhacs-eng/collector + - name: path-context + value: . + - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + # TODO(ROX-20234): Enable hermetic builds + # - name: hermetic + # value: "true" + # No language dependencies are required for collector image. 
+ - name: prefetch-input + value: '' + - name: build-source-image + value: 'true' + - name: build-target-stage + value: collector-slim + - name: clone-depth + value: '0' + - name: clone-fetch-tags + value: 'true' workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - status: { } - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' - - name: subscription-manager-activation-key - secret: - secretName: subscription-manager-activation-key + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + status: { } + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + - name: subscription-manager-activation-key + secret: + secretName: subscription-manager-activation-key # The pipeline regularly takes >1h to finish. timeouts: 
@@ -75,415 +75,415 @@ spec: pipelineSpec: finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: + - name: show-sbom params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - - name: build-task-status - value: $(tasks.build-container.status) - workspaces: - - name: workspace - workspace: workspace - taskRef: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca + - name: kind + value: task + resolver: bundles + - name: show-summary params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 - - name: kind - value: task - resolver: bundles + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + - name: build-task-status + value: $(tasks.build-container.status) + workspaces: + - name: workspace + workspace: workspace + taskRef: + params: + - name: name + value: summary + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 + - name: kind + value: task + resolver: bundles params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Output Image Repository - name: output-image-repo - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. - name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - type: string - - default: "true" - description: Build a source image. - name: build-source-image - type: string - - default: "" - description: Build stage to target in container build - name: build-target-stage - type: string + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Output Image Repository + name: output-image-repo + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. 
+ name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "true" + description: Build a source image. + name: build-source-image + type: string + - default: "" + description: Build stage to target in container build + name: build-target-stage + type: string results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: 
JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) workspaces: - - name: workspace - - name: git-auth - - name: subscription-manager-activation-key + - name: workspace + - name: git-auth + - name: subscription-manager-activation-key tasks: - - name: init - params: - - name: image-url - # We can't provide a real tag because it is not known at this time. - # We still provide a fake tag to the task to comply with the expected input. - # Because 'rebuild' is set to true, this has no effect. - # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers - value: $(params.output-image-repo):fake-tag - - name: rebuild - value: $(params.rebuild) - taskRef: + - name: init params: - - name: name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef - - name: kind - value: task - resolver: bundles + - name: image-url + # We can't provide a real tag because it is not known at this time. + # We still provide a fake tag to the task to comply with the expected input. + # Because 'rebuild' is set to true, this has no effect. 
+ # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers + value: $(params.output-image-repo):fake-tag + - name: rebuild + value: $(params.rebuild) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef + - name: kind + value: task + resolver: bundles - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: depth - value: "$(params.clone-depth)" - - name: fetchTags - value: "$(params.clone-fetch-tags)" - runAfter: - - init - taskRef: + - name: clone-repository params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: depth + value: "$(params.clone-depth)" + - name: fetchTags + value: "$(params.clone-fetch-tags)" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth - - name: determine-image-tag - runAfter: - # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. 
- - clone-repository - taskRef: - name: determine-image-tag - workspaces: - - name: source - workspace: workspace + - name: determine-image-tag + runAfter: + # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. + - clone-repository + taskRef: + name: determine-image-tag + workspaces: + - name: source + workspace: workspace - - name: prepare-rhel-rpm-subscriptions - runAfter: - - determine-image-tag - workspaces: - - name: source - workspace: workspace - - name: subscription-manager-activation-key - workspace: subscription-manager-activation-key - taskSpec: - steps: - # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. - - name: smuggle-activation-key - image: registry.access.redhat.com/ubi8/ubi:latest - script: exec /workspace/source/source/.konflux/scripts/subscription-manager-bro.sh smuggle + - name: prepare-rhel-rpm-subscriptions + runAfter: + - determine-image-tag + workspaces: + - name: source + workspace: workspace + - name: subscription-manager-activation-key + workspace: subscription-manager-activation-key + taskSpec: + steps: + # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. 
+ - name: smuggle-activation-key + image: registry.access.redhat.com/ubi8/ubi:latest + script: exec /workspace/source/source/.konflux/scripts/subscription-manager-bro.sh smuggle - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - prepare-rhel-rpm-subscriptions - taskRef: + - name: prefetch-dependencies params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 - - name: kind - value: task - resolver: bundles - workspaces: - - name: source - workspace: workspace + - name: input + value: $(params.prefetch-input) + runAfter: + - prepare-rhel-rpm-subscriptions + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 + - name: kind + value: task + resolver: bundles + workspaces: + - name: source + workspace: workspace - - name: build-container - params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)-slim - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: TARGET_STAGE - value: $(params.build-target-stage) - runAfter: - - prefetch-dependencies - taskRef: + - name: build-container params: - - name: name - value: buildah - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 - - name: kind - value: task - resolver: bundles - when: - 
- input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: source - workspace: workspace + - name: IMAGE + value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)-slim + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: $(params.build-target-stage) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: source + workspace: workspace - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(tasks.build-container.results.IMAGE_URL) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: + - name: build-source-image params: - - name: name - value: source-build - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - input: $(params.build-source-image) - operator: in - values: [ "true" ] - workspaces: - - name: workspace - workspace: workspace + - name: BINARY_IMAGE + value: $(tasks.build-container.results.IMAGE_URL) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - 
build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + - input: $(params.build-source-image) + operator: in + values: [ "true" ] + workspaces: + - name: workspace + workspace: workspace - - name: inspect-image - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: + - name: inspect-image params: - - name: name - value: inspect-image - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: source - workspace: workspace + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: inspect-image + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: source + workspace: workspace - - name: deprecated-base-image-check - params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: 
$(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: + - name: deprecated-base-image-check params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: + - name: clair-scan params: - - name: name - value: clair-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: workspace - workspace: workspace + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: workspace + workspace: workspace - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: + - name: clamav-scan params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: 
clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: + - name: sbom-json-check params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] status: { } taskRunTemplate: { } diff --git a/.tekton/collector-slim-push.yaml b/.tekton/collector-slim-push.yaml index 5edaeded6e..c493d243e6 100644 --- a/.tekton/collector-slim-push.yaml +++ b/.tekton/collector-slim-push.yaml 
@@ -19,54 +19,54 @@ metadata: spec: params: - - name: dockerfile - value: collector/container/konflux.Dockerfile - - name: git-url - value: '{{repo_url}}' - - name: image-expires-after - # TODO(ROX-20230): make release images not expire. - value: '13w' - - name: output-image-repo - value: quay.io/rhacs-eng/collector - - name: path-context - value: . - - name: revision - value: '{{revision}}' - - name: rebuild - value: 'true' - # TODO(ROX-20234): Enable hermetic builds - # - name: hermetic - # value: "true" - # No language dependencies are required for collector image. - - name: prefetch-input - value: '' - - name: build-source-image - value: 'true' - - name: build-target-stage - value: collector-slim - - name: clone-depth - value: '0' - - name: clone-fetch-tags - value: 'true' + - name: dockerfile + value: collector/container/konflux.Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + # TODO(ROX-20230): make release images not expire. + value: '13w' + - name: output-image-repo + value: quay.io/rhacs-eng/collector + - name: path-context + value: . + - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + # TODO(ROX-20234): Enable hermetic builds + # - name: hermetic + # value: "true" + # No language dependencies are required for collector image. 
+ - name: prefetch-input + value: '' + - name: build-source-image + value: 'true' + - name: build-target-stage + value: collector-slim + - name: clone-depth + value: '0' + - name: clone-fetch-tags + value: 'true' workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - status: { } - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' - - name: subscription-manager-activation-key - secret: - secretName: subscription-manager-activation-key + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + status: { } + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + - name: subscription-manager-activation-key + secret: + secretName: subscription-manager-activation-key # The pipeline regularly takes >1h to finish. timeouts: 
@@ -75,415 +75,415 @@ spec: pipelineSpec: finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: + - name: show-sbom params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - - name: build-task-status - value: $(tasks.build-container.status) - workspaces: - - name: workspace - workspace: workspace - taskRef: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca + - name: kind + value: task + resolver: bundles + - name: show-summary params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 - - name: kind - value: task - resolver: bundles + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + - name: build-task-status + value: $(tasks.build-container.status) + workspaces: + - name: workspace + workspace: workspace + taskRef: + params: + - name: name + value: summary + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 + - name: kind + value: task + resolver: bundles params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Output Image Repository - name: output-image-repo - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. - name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - type: string - - default: "true" - description: Build a source image. - name: build-source-image - type: string - - default: "" - description: Build stage to target in container build - name: build-target-stage - type: string + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Output Image Repository + name: output-image-repo + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. 
+ name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "true" + description: Build a source image. + name: build-source-image + type: string + - default: "" + description: Build stage to target in container build + name: build-target-stage + type: string results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: 
JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) workspaces: - - name: workspace - - name: git-auth - - name: subscription-manager-activation-key + - name: workspace + - name: git-auth + - name: subscription-manager-activation-key tasks: - - name: init - params: - - name: image-url - # We can't provide a real tag because it is not known at this time. - # We still provide a fake tag to the task to comply with the expected input. - # Because 'rebuild' is set to true, this has no effect. - # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers - value: $(params.output-image-repo):fake-tag - - name: rebuild - value: $(params.rebuild) - taskRef: + - name: init params: - - name: name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef - - name: kind - value: task - resolver: bundles + - name: image-url + # We can't provide a real tag because it is not known at this time. + # We still provide a fake tag to the task to comply with the expected input. + # Because 'rebuild' is set to true, this has no effect. 
+ # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers + value: $(params.output-image-repo):fake-tag + - name: rebuild + value: $(params.rebuild) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef + - name: kind + value: task + resolver: bundles - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: depth - value: "$(params.clone-depth)" - - name: fetchTags - value: "$(params.clone-fetch-tags)" - runAfter: - - init - taskRef: + - name: clone-repository params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: depth + value: "$(params.clone-depth)" + - name: fetchTags + value: "$(params.clone-fetch-tags)" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth - - name: determine-image-tag - runAfter: - # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. 
- - clone-repository - taskRef: - name: determine-image-tag - workspaces: - - name: source - workspace: workspace + - name: determine-image-tag + runAfter: + # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. + - clone-repository + taskRef: + name: determine-image-tag + workspaces: + - name: source + workspace: workspace - - name: prepare-rhel-rpm-subscriptions - runAfter: - - determine-image-tag - workspaces: - - name: source - workspace: workspace - - name: subscription-manager-activation-key - workspace: subscription-manager-activation-key - taskSpec: - steps: - # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. - - name: smuggle-activation-key - image: registry.access.redhat.com/ubi8/ubi:latest - script: exec /workspace/source/source/.konflux/scripts/subscription-manager-bro.sh smuggle + - name: prepare-rhel-rpm-subscriptions + runAfter: + - determine-image-tag + workspaces: + - name: source + workspace: workspace + - name: subscription-manager-activation-key + workspace: subscription-manager-activation-key + taskSpec: + steps: + # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. 
+ - name: smuggle-activation-key + image: registry.access.redhat.com/ubi8/ubi:latest + script: exec /workspace/source/source/.konflux/scripts/subscription-manager-bro.sh smuggle - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - prepare-rhel-rpm-subscriptions - taskRef: + - name: prefetch-dependencies params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 - - name: kind - value: task - resolver: bundles - workspaces: - - name: source - workspace: workspace + - name: input + value: $(params.prefetch-input) + runAfter: + - prepare-rhel-rpm-subscriptions + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 + - name: kind + value: task + resolver: bundles + workspaces: + - name: source + workspace: workspace - - name: build-container - params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)-slim - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: TARGET_STAGE - value: $(params.build-target-stage) - runAfter: - - prefetch-dependencies - taskRef: + - name: build-container params: - - name: name - value: buildah - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 - - name: kind - value: task - resolver: bundles - when: - 
- input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: source - workspace: workspace + - name: IMAGE + value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)-slim + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: $(params.build-target-stage) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: source + workspace: workspace - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(tasks.build-container.results.IMAGE_URL) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: + - name: build-source-image params: - - name: name - value: source-build - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - input: $(params.build-source-image) - operator: in - values: [ "true" ] - workspaces: - - name: workspace - workspace: workspace + - name: BINARY_IMAGE + value: $(tasks.build-container.results.IMAGE_URL) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - 
build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + - input: $(params.build-source-image) + operator: in + values: [ "true" ] + workspaces: + - name: workspace + workspace: workspace - - name: inspect-image - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: + - name: inspect-image params: - - name: name - value: inspect-image - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: source - workspace: workspace + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: inspect-image + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: source + workspace: workspace - - name: deprecated-base-image-check - params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: 
$(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: + - name: deprecated-base-image-check params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: + - name: clair-scan params: - - name: name - value: clair-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: workspace - workspace: workspace + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: workspace + workspace: workspace - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: + - name: clamav-scan params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: 
clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: + - name: sbom-json-check params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] status: { } taskRunTemplate: { } diff --git a/.tekton/determine-image-tag-task.yaml b/.tekton/determine-image-tag-task.yaml index 57041e2c46..d945a37ad8 100644 --- a/.tekton/determine-image-tag-task.yaml +++ b/.tekton/determine-image-tag-task.yaml 
@@ -8,19 +8,19 @@ spec: description: Determines the tag for the output image using the StackRox convention from 'make tag' output. params: results: - - name: image-tag - description: Image Tag determined by custom logic. + - name: image-tag + description: Image Tag determined by custom logic. steps: - - name: determine-image-tag - image: registry.access.redhat.com/ubi8:latest - script: | - #!/usr/bin/env bash - set -euo pipefail - dnf -y upgrade --nobest - dnf -y install git make - cd "$(workspaces.source.path)/source" - .konflux/scripts/fail-build-if-git-is-dirty.sh - echo -n "$(make --quiet --no-print-directory tag)-fast" | tee "$(results.image-tag.path)" + - name: determine-image-tag + image: registry.access.redhat.com/ubi8:latest + script: | + #!/usr/bin/env bash + set -euo pipefail + dnf -y upgrade --nobest + dnf -y install git make + cd "$(workspaces.source.path)/source" + .konflux/scripts/fail-build-if-git-is-dirty.sh + echo -n "$(make --quiet --no-print-directory tag)-fast" | tee "$(results.image-tag.path)" workspaces: - name: source description: The workspace where source code is included. From 41cff5372af1096786779652f78d6ebf11439345 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Thu, 16 May 2024 18:40:55 +0200 Subject: [PATCH 2/8] Reduce diff between collector pipelines --- .tekton/collector-pull-request.yaml | 5 ++++- .tekton/collector-push.yaml | 11 +++++++---- .tekton/collector-slim-pull-request.yaml | 20 ++++++++++++++------ .tekton/collector-slim-push.yaml | 20 ++++++++++++++------ 4 files changed, 39 insertions(+), 17 deletions(-) diff --git a/.tekton/collector-pull-request.yaml b/.tekton/collector-pull-request.yaml index 4afdc4cf04..2adb6b811f 100644 --- a/.tekton/collector-pull-request.yaml +++ b/.tekton/collector-pull-request.yaml @@ -112,6 +112,7 @@ spec: - name: kind value: task resolver: bundles + params: - description: Source Repository URL name: git-url 
@@ -157,10 +158,11 @@ spec: description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after + type: string - default: "true" description: Initialize and fetch git submodules during cloning of repository. name: clone-submodules - - default: "false" + - default: "true" description: Build a source image. name: build-source-image type: string @@ -168,6 +170,7 @@ spec: description: Build stage to target in container build name: build-target-stage type: string + results: - description: "" name: IMAGE_URL diff --git a/.tekton/collector-push.yaml b/.tekton/collector-push.yaml index b927e46398..67a144542b 100644 --- a/.tekton/collector-push.yaml +++ b/.tekton/collector-push.yaml @@ -40,12 +40,12 @@ spec: # No language dependencies are required for collector image. - name: prefetch-input value: '' - - name: clone-submodules - value: 'true' - name: clone-depth value: '0' - name: clone-fetch-tags value: 'true' + - name: clone-submodules + value: 'true' - name: build-source-image value: 'true' - name: build-target-stage @@ -112,6 +112,7 @@ spec: - name: kind value: task resolver: bundles + params: - description: Source Repository URL name: git-url @@ -120,7 +121,7 @@ spec: description: Revision of the Source Repository name: revision type: string - - description: Output Image Repo + - description: Output Image Repository name: output-image-repo type: string - default: . @@ -157,10 +158,11 @@ spec: description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after + type: string - default: "true" description: Initialize and fetch git submodules during cloning of repository. name: clone-submodules - - default: "false" + - default: "true" description: Build a source image. name: build-source-image type: string 
@@ -168,6 +170,7 @@ spec: description: Build stage to target in container build name: build-target-stage type: string + results: - description: "" name: IMAGE_URL diff --git a/.tekton/collector-slim-pull-request.yaml b/.tekton/collector-slim-pull-request.yaml index d0dd34d0be..709a8f7298 100644 --- a/.tekton/collector-slim-pull-request.yaml +++ b/.tekton/collector-slim-pull-request.yaml @@ -40,14 +40,16 @@ spec: # No language dependencies are required for collector image. - name: prefetch-input value: '' - - name: build-source-image - value: 'true' - - name: build-target-stage - value: collector-slim - name: clone-depth value: '0' - name: clone-fetch-tags value: 'true' + - name: clone-submodules + value: 'true' + - name: build-source-image + value: 'true' + - name: build-target-stage + value: collector-slim workspaces: - name: workspace @@ -157,6 +159,9 @@ spec: 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after type: string + - default: "true" + description: Initialize and fetch git submodules during cloning of repository. + name: clone-submodules - default: "true" description: Build a source image. name: build-source-image @@ -216,6 +221,8 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) + - name: submodules + value: $(params.clone-submodules) - name: depth value: "$(params.clone-depth)" - name: fetchTags @@ -264,14 +271,14 @@ spec: # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. - name: smuggle-activation-key image: registry.access.redhat.com/ubi8/ubi:latest - script: exec /workspace/source/source/.konflux/scripts/subscription-manager-bro.sh smuggle + script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle - name: prefetch-dependencies params: - name: input value: $(params.prefetch-input) runAfter: - - prepare-rhel-rpm-subscriptions + - determine-image-tag taskRef: params: - name: name 
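Review bot: The `smuggle-activation-key` step rewritten here still runs `image: registry.access.redhat.com/ubi8/ubi:latest`, the only image in this pipeline that is not digest-pinned while every `taskRef` bundle is pinned with `@sha256:`; since this is the step that reads the `subscription-manager-activation-key` workspace, a moved `latest` tag silently changes the code that handles that secret. Pin it to the digest currently behind the tag, `image: registry.access.redhat.com/ubi8/ubi@sha256:<digest>`, and bump it deliberately the way the bundles are bumped. The `runAfter` change also makes `prefetch-dependencies` and `prepare-rhel-rpm-subscriptions` run concurrently on the shared `workspace`; that looks safe only if the smuggle script and the prefetch task write to disjoint paths, which the hunk does not show, so a comment on `runAfter` stating that assumption would help the next reader. The identical hunk for collector-slim-push.yaml below has the same two issues.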
@@ -305,6 +312,7 @@ spec: value: $(params.build-target-stage) runAfter: - prefetch-dependencies + - prepare-rhel-rpm-subscriptions taskRef: params: - name: name diff --git a/.tekton/collector-slim-push.yaml b/.tekton/collector-slim-push.yaml index c493d243e6..da0e9ba91a 100644 --- a/.tekton/collector-slim-push.yaml +++ b/.tekton/collector-slim-push.yaml @@ -40,14 +40,16 @@ spec: # No language dependencies are required for collector image. - name: prefetch-input value: '' - - name: build-source-image - value: 'true' - - name: build-target-stage - value: collector-slim - name: clone-depth value: '0' - name: clone-fetch-tags value: 'true' + - name: clone-submodules + value: 'true' + - name: build-source-image + value: 'true' + - name: build-target-stage + value: collector-slim workspaces: - name: workspace @@ -157,6 +159,9 @@ spec: 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after type: string + - default: "true" + description: Initialize and fetch git submodules during cloning of repository. + name: clone-submodules - default: "true" description: Build a source image. name: build-source-image @@ -216,6 +221,8 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) + - name: submodules + value: $(params.clone-submodules) - name: depth value: "$(params.clone-depth)" - name: fetchTags @@ -264,14 +271,14 @@ spec: # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. - name: smuggle-activation-key image: registry.access.redhat.com/ubi8/ubi:latest - script: exec /workspace/source/source/.konflux/scripts/subscription-manager-bro.sh smuggle + script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle - name: prefetch-dependencies params: - name: input value: $(params.prefetch-input) runAfter: - - prepare-rhel-rpm-subscriptions + - determine-image-tag taskRef: params: - name: name 
@@ -305,6 +312,7 @@ spec: value: $(params.build-target-stage) runAfter: - prefetch-dependencies + - prepare-rhel-rpm-subscriptions taskRef: params: - name: name From 06d78c9fe156640240ac6a76fec1a073f75e6404 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Thu, 16 May 2024 18:42:59 +0200 Subject: [PATCH 3/8] Remove empty `status`-es and `taskRunTemplate`-s --- .tekton/collector-pull-request.yaml | 3 --- .tekton/collector-push.yaml | 3 --- .tekton/collector-slim-pull-request.yaml | 4 ---- .tekton/collector-slim-push.yaml | 4 ---- 4 files changed, 14 deletions(-) diff --git a/.tekton/collector-pull-request.yaml b/.tekton/collector-pull-request.yaml index 2adb6b811f..00d6fbcceb 100644 --- a/.tekton/collector-pull-request.yaml +++ b/.tekton/collector-pull-request.yaml @@ -62,7 +62,6 @@ spec: resources: requests: storage: 5Gi - status: { } - name: git-auth secret: secretName: '{{ git_auth_secret }}' @@ -492,5 +491,3 @@ spec: - input: $(params.skip-checks) operator: in values: [ "false" ] - -status: { } diff --git a/.tekton/collector-push.yaml b/.tekton/collector-push.yaml index 67a144542b..aa2b7d5737 100644 --- a/.tekton/collector-push.yaml +++ b/.tekton/collector-push.yaml @@ -62,7 +62,6 @@ spec: resources: requests: storage: 5Gi - status: { } - name: git-auth secret: secretName: '{{ git_auth_secret }}' @@ -492,5 +491,3 @@ spec: - input: $(params.skip-checks) operator: in values: [ "false" ] - -status: { } diff --git a/.tekton/collector-slim-pull-request.yaml b/.tekton/collector-slim-pull-request.yaml index 709a8f7298..529b79863f 100644 --- a/.tekton/collector-slim-pull-request.yaml +++ b/.tekton/collector-slim-pull-request.yaml @@ -62,7 +62,6 @@ spec: resources: requests: storage: 5Gi - status: { } - name: git-auth secret: secretName: '{{ git_auth_secret }}' @@ -492,6 +491,3 @@ spec: - input: $(params.skip-checks) operator: in values: [ "false" ] - -status: { } -taskRunTemplate: { } 
diff --git a/.tekton/collector-slim-push.yaml b/.tekton/collector-slim-push.yaml index da0e9ba91a..106826aea9 100644 --- a/.tekton/collector-slim-push.yaml +++ b/.tekton/collector-slim-push.yaml @@ -62,7 +62,6 @@ spec: resources: requests: storage: 5Gi - status: { } - name: git-auth secret: secretName: '{{ git_auth_secret }}' @@ -492,6 +491,3 @@ spec: - input: $(params.skip-checks) operator: in values: [ "false" ] - -status: { } -taskRunTemplate: { } From 49452a460f35b5d165974cc4e3d21ebd39ccef78 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Wed, 22 May 2024 14:21:34 +0200 Subject: [PATCH 4/8] Introduce pipeline parameter for tag suffix --- .tekton/collector-pull-request.yaml | 7 ++++++- .tekton/collector-push.yaml | 7 ++++++- .tekton/collector-slim-pull-request.yaml | 7 ++++++- .tekton/collector-slim-push.yaml | 7 ++++++- 4 files changed, 24 insertions(+), 4 deletions(-) diff --git a/.tekton/collector-pull-request.yaml b/.tekton/collector-pull-request.yaml index 00d6fbcceb..18cbc69644 100644 --- a/.tekton/collector-pull-request.yaml +++ b/.tekton/collector-pull-request.yaml @@ -28,6 +28,8 @@ spec: value: '13w' - name: output-image-repo value: quay.io/rhacs-eng/collector + - name: output-tag-suffix + value: '-latest' - name: path-context value: . - name: revision @@ -123,6 +125,9 @@ spec: - description: Output Image Repository name: output-image-repo type: string + - description: Suffix appended to the tag of the output image + name: output-tag-suffix + type: string - default: . description: Path to the source code of an application's component from where to build image. @@ -294,7 +299,7 @@ spec: - name: build-container params: - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)-latest + value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix) - name: DOCKERFILE value: $(params.dockerfile) - name: CONTEXT 
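Review bot: `output-tag-suffix` is spliced verbatim into the image reference in `build-container` (`$(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix)`) and has no `default`, so each PipelineRun must supply it and nothing constrains it to the OCI tag character set or keeps the variants from colliding on one tag in the shared `quay.io/rhacs-eng/collector` repository. That is acceptable while the value only comes from these repo-controlled PipelineRuns, but the declaration should say so: `description: Suffix appended verbatim to the output image tag (e.g. '-latest', '-slim'); must use only tag-safe characters [A-Za-z0-9_.-] and be unique per pipeline variant, since all variants push to the same repository.` The same declaration appears in all four PipelineRuns changed by this commit and should be updated together.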
diff --git a/.tekton/collector-push.yaml b/.tekton/collector-push.yaml index aa2b7d5737..2c181e7d71 100644 --- a/.tekton/collector-push.yaml +++ b/.tekton/collector-push.yaml @@ -28,6 +28,8 @@ spec: value: '13w' - name: output-image-repo value: quay.io/rhacs-eng/collector + - name: output-tag-suffix + value: '-latest' - name: path-context value: . - name: revision @@ -123,6 +125,9 @@ spec: - description: Output Image Repository name: output-image-repo type: string + - description: Suffix appended to the tag of the output image + name: output-tag-suffix + type: string - default: . description: Path to the source code of an application's component from where to build image. @@ -294,7 +299,7 @@ spec: - name: build-container params: - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)-latest + value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix) - name: DOCKERFILE value: $(params.dockerfile) - name: CONTEXT diff --git a/.tekton/collector-slim-pull-request.yaml b/.tekton/collector-slim-pull-request.yaml index 529b79863f..fbe69acebe 100644 --- a/.tekton/collector-slim-pull-request.yaml +++ b/.tekton/collector-slim-pull-request.yaml @@ -28,6 +28,8 @@ spec: value: '13w' - name: output-image-repo value: quay.io/rhacs-eng/collector + - name: output-tag-suffix + value: '-slim' - name: path-context value: . - name: revision @@ -123,6 +125,9 @@ spec: - description: Output Image Repository name: output-image-repo type: string + - description: Suffix appended to the tag of the output image + name: output-tag-suffix + type: string - default: . description: Path to the source code of an application's component from where to build image. 
@@ -294,7 +299,7 @@ spec: - name: build-container params: - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)-slim + value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix) - name: DOCKERFILE value: $(params.dockerfile) - name: CONTEXT diff --git a/.tekton/collector-slim-push.yaml b/.tekton/collector-slim-push.yaml index 106826aea9..663e8409bc 100644 --- a/.tekton/collector-slim-push.yaml +++ b/.tekton/collector-slim-push.yaml @@ -28,6 +28,8 @@ spec: value: '13w' - name: output-image-repo value: quay.io/rhacs-eng/collector + - name: output-tag-suffix + value: '-slim' - name: path-context value: . - name: revision @@ -123,6 +125,9 @@ spec: - description: Output Image Repository name: output-image-repo type: string + - description: Suffix appended to the tag of the output image + name: output-tag-suffix + type: string - default: . description: Path to the source code of an application's component from where to build image. @@ -294,7 +299,7 @@ spec: - name: build-container params: - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)-slim + value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix) - name: DOCKERFILE value: $(params.dockerfile) - name: CONTEXT From 4bc9a2afd37bfd305c1dd4e71370307ffc26f366 Mon Sep 17 00:00:00 2001 
From: Misha Sugakov
Date: Thu, 16 May 2024 18:46:09 +0200
Subject: [PATCH 5/8] Factor a common `collector-component-pipeline` and use it everywhere.
---
.tekton/collector-component-pipeline.yaml | 426 ++++++++++++++++++++++
.tekton/collector-pull-request.yaml | 423 +--------------------
.tekton/collector-push.yaml | 423 +--------------------
.tekton/collector-slim-pull-request.yaml | 423 +--------------------
.tekton/collector-slim-push.yaml | 423 +--------------------
5 files changed, 434 insertions(+), 1684 deletions(-)
create mode 100644 .tekton/collector-component-pipeline.yaml
diff --git a/.tekton/collector-component-pipeline.yaml b/.tekton/collector-component-pipeline.yaml
new file mode 100644
index 0000000000..ab79fc8fbd
--- /dev/null
+++ b/.tekton/collector-component-pipeline.yaml
@@ -0,0 +1,426 @@ +apiVersion: tekton.dev/v1 +kind: Pipeline +metadata: + name: collector-component-pipeline + +spec: + + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + - name: build-task-status + value: $(tasks.build-container.status) + workspaces: + - name: workspace + workspace: workspace + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 + - name: kind + value: task + resolver: bundles + + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Output Image Repository + name: output-image-repo + type: string + - description: Suffix appended to the tag of the output image + name: output-tag-suffix + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. 
+ name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "true" + description: Initialize and fetch git submodules during cloning of repository. + name: clone-submodules + - default: "true" + description: Build a source image. + name: build-source-image + type: string + - default: "" + description: Build stage to target in container build + name: build-target-stage + type: string + + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + + workspaces: + - name: workspace + - name: git-auth + - name: subscription-manager-activation-key + + tasks: + + - name: init + params: + - name: image-url + # We can't provide a real tag because it is not known at this time. 
+ # We still provide a fake tag to the task to comply with the expected input. + # Because 'rebuild' is set to true, this has no effect. + # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers + value: $(params.output-image-repo):fake-tag + - name: rebuild + value: $(params.rebuild) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef + - name: kind + value: task + resolver: bundles + + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: submodules + value: $(params.clone-submodules) + - name: depth + value: "$(params.clone-depth)" + - name: fetchTags + value: "$(params.clone-fetch-tags)" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + + - name: determine-image-tag + runAfter: + # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. + - clone-repository + taskRef: + name: determine-image-tag + workspaces: + - name: source + workspace: workspace + + - name: prepare-rhel-rpm-subscriptions + runAfter: + - determine-image-tag + workspaces: + - name: source + workspace: workspace + - name: subscription-manager-activation-key + workspace: subscription-manager-activation-key + taskSpec: + steps: + # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. 
+ - name: smuggle-activation-key + image: registry.access.redhat.com/ubi8/ubi:latest + script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle + + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - determine-image-tag + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 + - name: kind + value: task + resolver: bundles + workspaces: + - name: source + workspace: workspace + + - name: build-container + params: + - name: IMAGE + value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: $(params.build-target-stage) + runAfter: + - prefetch-dependencies + - prepare-rhel-rpm-subscriptions + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: source + workspace: workspace + + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-container.results.IMAGE_URL) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: source-build + - name: 
bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + - input: $(params.build-source-image) + operator: in + values: [ "true" ] + workspaces: + - name: workspace + workspace: workspace + + - name: inspect-image + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: inspect-image + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: source + workspace: workspace + + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - 
name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: workspace + workspace: workspace + + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: sbom-json-check + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] 
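Review bot: The `clone-repository` task in this new pipeline passes `$(params.clone-depth)` and `$(params.clone-fetch-tags)`, but as far as the hunk shows the pipeline's `params` list (git-url through build-target-stage) declares neither, and Tekton rejects a Pipeline that references an undeclared parameter; the PipelineRuns in patch 2 do pass `clone-depth: '0'` and `clone-fetch-tags: 'true'`, so declaring them with those defaults, as below, keeps those runs working. Separately, the `smuggle-activation-key` step is the only image reference here not pinned by digest (`registry.access.redhat.com/ubi8/ubi:latest`) while every task bundle is `@sha256:`-pinned; since it is the step that reads the `subscription-manager-activation-key` workspace, pin it to the current digest. Minor: `clone-submodules` is the only parameter without `type: string`, so add it for consistency with its siblings.
```yaml
  params:
    # … unchanged: existing parameter declarations …
    - default: "0"
      description: Depth of the git clone in commits; "0" clones the full history.
      name: clone-depth
      type: string
    - default: "true"
      description: Whether git-clone fetches tags as part of the clone.
      name: clone-fetch-tags
      type: string
```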
diff --git a/.tekton/collector-pull-request.yaml b/.tekton/collector-pull-request.yaml
index 18cbc69644..b70a9d7710 100644
--- a/.tekton/collector-pull-request.yaml
+++ b/.tekton/collector-pull-request.yaml
@@ -75,424 +75,5 @@ spec: timeouts: pipeline: 1h30m0s - pipelineSpec: - - finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - - name: build-task-status - value: $(tasks.build-container.status) - workspaces: - - name: workspace - workspace: workspace - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 - - name: kind - value: task - resolver: bundles - - params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Output Image Repository - name: output-image-repo - type: string - - description: Suffix appended to the tag of the output image - name: output-tag-suffix - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. 
- name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - type: string - - default: "true" - description: Initialize and fetch git submodules during cloning of repository. - name: clone-submodules - - default: "true" - description: Build a source image. - name: build-source-image - type: string - - default: "" - description: Build stage to target in container build - name: build-target-stage - type: string - - results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) - - workspaces: - - name: workspace - - name: git-auth - - name: subscription-manager-activation-key - - tasks: - - - name: init - params: - - name: image-url - # We can't provide a real tag because it is not known at this time. 
- # We still provide a fake tag to the task to comply with the expected input. - # Because 'rebuild' is set to true, this has no effect. - # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers - value: $(params.output-image-repo):fake-tag - - name: rebuild - value: $(params.rebuild) - taskRef: - params: - - name: name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef - - name: kind - value: task - resolver: bundles - - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: submodules - value: $(params.clone-submodules) - - name: depth - value: "$(params.clone-depth)" - - name: fetchTags - value: "$(params.clone-fetch-tags)" - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth - - - name: determine-image-tag - runAfter: - # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. - - clone-repository - taskRef: - name: determine-image-tag - workspaces: - - name: source - workspace: workspace - - - name: prepare-rhel-rpm-subscriptions - runAfter: - - determine-image-tag - workspaces: - - name: source - workspace: workspace - - name: subscription-manager-activation-key - workspace: subscription-manager-activation-key - taskSpec: - steps: - # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. 
- - name: smuggle-activation-key - image: registry.access.redhat.com/ubi8/ubi:latest - script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle - - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - determine-image-tag - taskRef: - params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 - - name: kind - value: task - resolver: bundles - workspaces: - - name: source - workspace: workspace - - - name: build-container - params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: TARGET_STAGE - value: $(params.build-target-stage) - runAfter: - - prefetch-dependencies - - prepare-rhel-rpm-subscriptions - taskRef: - params: - - name: name - value: buildah - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: source - workspace: workspace - - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(tasks.build-container.results.IMAGE_URL) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: - params: - - name: name - value: source-build - - name: 
bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - input: $(params.build-source-image) - operator: in - values: [ "true" ] - workspaces: - - name: workspace - workspace: workspace - - - name: inspect-image - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: inspect-image - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: source - workspace: workspace - - - name: deprecated-base-image-check - params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clair-scan - - 
name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: workspace - workspace: workspace - - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + pipelineRef: + name: collector-component-pipeline 
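Review bot: The new `pipelineRef: name: collector-component-pipeline` replaces task references that were each pinned to a bundle by sha256 digest with a bare name that has no resolver and no digest, so this PipelineRun no longer states where its pipeline comes from or that the tasks it runs are pinned. The definition of `collector-component-pipeline` is not part of this hunk; if it lives in `.tekton/` of this repository, Pipelines-as-Code should resolve it from the same revision as this pull-request run, but if it is only a `Pipeline` resource on the cluster, a PR would execute whatever is currently installed in the namespace rather than what the PR itself reviews — please confirm which it is. Also confirm the shared pipeline declares every parameter this run passes, including `clone-depth` and `clone-fetch-tags`, which the removed inline spec referenced via `$(params.clone-depth)` / `$(params.clone-fetch-tags)` but never declared. I would record the expectation next to the reference: `# Defined in .tekton/ and resolved from this revision by PaC; keep its task bundles digest-pinned.`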
diff --git a/.tekton/collector-push.yaml b/.tekton/collector-push.yaml index 2c181e7d71..4fd01824ac 100644 --- a/.tekton/collector-push.yaml +++ b/.tekton/collector-push.yaml 
@@ -75,424 +75,5 @@ spec: timeouts: pipeline: 1h30m0s - pipelineSpec: - - finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - - name: build-task-status - value: $(tasks.build-container.status) - workspaces: - - name: workspace - workspace: workspace - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 - - name: kind - value: task - resolver: bundles - - params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Output Image Repository - name: output-image-repo - type: string - - description: Suffix appended to the tag of the output image - name: output-tag-suffix - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. 
- name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - type: string - - default: "true" - description: Initialize and fetch git submodules during cloning of repository. - name: clone-submodules - - default: "true" - description: Build a source image. - name: build-source-image - type: string - - default: "" - description: Build stage to target in container build - name: build-target-stage - type: string - - results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) - - workspaces: - - name: workspace - - name: git-auth - - name: subscription-manager-activation-key - - tasks: - - - name: init - params: - - name: image-url - # We can't provide a real tag because it is not known at this time. 
- # We still provide a fake tag to the task to comply with the expected input. - # Because 'rebuild' is set to true, this has no effect. - # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers - value: $(params.output-image-repo):fake-tag - - name: rebuild - value: $(params.rebuild) - taskRef: - params: - - name: name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef - - name: kind - value: task - resolver: bundles - - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: submodules - value: $(params.clone-submodules) - - name: depth - value: "$(params.clone-depth)" - - name: fetchTags - value: "$(params.clone-fetch-tags)" - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth - - - name: determine-image-tag - runAfter: - # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. - - clone-repository - taskRef: - name: determine-image-tag - workspaces: - - name: source - workspace: workspace - - - name: prepare-rhel-rpm-subscriptions - runAfter: - - determine-image-tag - workspaces: - - name: source - workspace: workspace - - name: subscription-manager-activation-key - workspace: subscription-manager-activation-key - taskSpec: - steps: - # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. 
- - name: smuggle-activation-key - image: registry.access.redhat.com/ubi8/ubi:latest - script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle - - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - determine-image-tag - taskRef: - params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 - - name: kind - value: task - resolver: bundles - workspaces: - - name: source - workspace: workspace - - - name: build-container - params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: TARGET_STAGE - value: $(params.build-target-stage) - runAfter: - - prefetch-dependencies - - prepare-rhel-rpm-subscriptions - taskRef: - params: - - name: name - value: buildah - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: source - workspace: workspace - - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(tasks.build-container.results.IMAGE_URL) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: - params: - - name: name - value: source-build - - name: 
bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - input: $(params.build-source-image) - operator: in - values: [ "true" ] - workspaces: - - name: workspace - workspace: workspace - - - name: inspect-image - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: inspect-image - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: source - workspace: workspace - - - name: deprecated-base-image-check - params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clair-scan - - 
name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: workspace - workspace: workspace - - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + pipelineRef: + name: collector-component-pipeline 
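Review bot: Switching the push pipeline to `pipelineRef: name: collector-component-pipeline` drops the per-task `bundle` references pinned to sha256 digests in favour of a name-only reference with no resolver, and this is the run that publishes the collector image, so the provenance of the pipeline it executes matters most here. The referenced pipeline is not in this hunk; if it is a file in `.tekton/` it should be resolved from the pushed revision, whereas a cluster-scoped `Pipeline` of that name would be whatever is installed, with no tie to the commit being built — the file should say which. The shared pipeline also needs to declare every param this run passes (the removed spec used `$(params.clone-depth)` and `$(params.clone-fetch-tags)` without declaring them), and it should keep the digest-pinned `bundle` values rather than floating `:0.1` tags. A one-line note above the reference would make the contract explicit: `# Shared pipeline from .tekton/; task bundles must stay pinned by digest there.`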
diff --git a/.tekton/collector-slim-pull-request.yaml b/.tekton/collector-slim-pull-request.yaml index fbe69acebe..8810d5ddab 100644 --- a/.tekton/collector-slim-pull-request.yaml +++ b/.tekton/collector-slim-pull-request.yaml 
@@ -75,424 +75,5 @@ spec: timeouts: pipeline: 1h30m0s - pipelineSpec: - - finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - - name: build-task-status - value: $(tasks.build-container.status) - workspaces: - - name: workspace - workspace: workspace - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 - - name: kind - value: task - resolver: bundles - - params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Output Image Repository - name: output-image-repo - type: string - - description: Suffix appended to the tag of the output image - name: output-tag-suffix - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. 
- name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - type: string - - default: "true" - description: Initialize and fetch git submodules during cloning of repository. - name: clone-submodules - - default: "true" - description: Build a source image. - name: build-source-image - type: string - - default: "" - description: Build stage to target in container build - name: build-target-stage - type: string - - results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) - - workspaces: - - name: workspace - - name: git-auth - - name: subscription-manager-activation-key - - tasks: - - - name: init - params: - - name: image-url - # We can't provide a real tag because it is not known at this time. 
- # We still provide a fake tag to the task to comply with the expected input. - # Because 'rebuild' is set to true, this has no effect. - # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers - value: $(params.output-image-repo):fake-tag - - name: rebuild - value: $(params.rebuild) - taskRef: - params: - - name: name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef - - name: kind - value: task - resolver: bundles - - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: submodules - value: $(params.clone-submodules) - - name: depth - value: "$(params.clone-depth)" - - name: fetchTags - value: "$(params.clone-fetch-tags)" - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth - - - name: determine-image-tag - runAfter: - # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. - - clone-repository - taskRef: - name: determine-image-tag - workspaces: - - name: source - workspace: workspace - - - name: prepare-rhel-rpm-subscriptions - runAfter: - - determine-image-tag - workspaces: - - name: source - workspace: workspace - - name: subscription-manager-activation-key - workspace: subscription-manager-activation-key - taskSpec: - steps: - # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. 
- - name: smuggle-activation-key - image: registry.access.redhat.com/ubi8/ubi:latest - script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle - - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - determine-image-tag - taskRef: - params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 - - name: kind - value: task - resolver: bundles - workspaces: - - name: source - workspace: workspace - - - name: build-container - params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: TARGET_STAGE - value: $(params.build-target-stage) - runAfter: - - prefetch-dependencies - - prepare-rhel-rpm-subscriptions - taskRef: - params: - - name: name - value: buildah - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: source - workspace: workspace - - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(tasks.build-container.results.IMAGE_URL) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: - params: - - name: name - value: source-build - - name: 
bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - input: $(params.build-source-image) - operator: in - values: [ "true" ] - workspaces: - - name: workspace - workspace: workspace - - - name: inspect-image - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: inspect-image - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: source - workspace: workspace - - - name: deprecated-base-image-check - params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clair-scan - - 
name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: workspace - workspace: workspace - - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + pipelineRef: + name: collector-component-pipeline 
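Review bot: The slim pull-request run now references its pipeline by bare name (`collector-component-pipeline`) with no resolver or digest, where the removed inline spec pinned every task bundle by sha256, so the pinning guarantee is no longer visible from this file. Since the pipeline definition is outside this hunk, please confirm it is a `.tekton/` file resolved from the PR revision rather than a cluster `Pipeline`, and that it still carries the digest-pinned `bundle` values for `git-clone`, `buildah`, `clair-scan`, `sast-snyk-check` and the other tasks. The shared pipeline must also declare the `clone-depth` and `clone-fetch-tags` params that the inline spec consumed without declaring, or those values will not reach `git-clone`. I would add above the reference: `# Defined in .tekton/; resolved from this revision by PaC, with task bundles pinned by digest.`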
diff --git a/.tekton/collector-slim-push.yaml b/.tekton/collector-slim-push.yaml index 663e8409bc..4ce8a715ba 100644 --- a/.tekton/collector-slim-push.yaml +++ b/.tekton/collector-slim-push.yaml 
@@ -75,424 +75,5 @@ spec: timeouts: pipeline: 1h30m0s - pipelineSpec: - - finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - - name: build-task-status - value: $(tasks.build-container.status) - workspaces: - - name: workspace - workspace: workspace - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 - - name: kind - value: task - resolver: bundles - - params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Output Image Repository - name: output-image-repo - type: string - - description: Suffix appended to the tag of the output image - name: output-tag-suffix - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. 
- name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - type: string - - default: "true" - description: Initialize and fetch git submodules during cloning of repository. - name: clone-submodules - - default: "true" - description: Build a source image. - name: build-source-image - type: string - - default: "" - description: Build stage to target in container build - name: build-target-stage - type: string - - results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) - - workspaces: - - name: workspace - - name: git-auth - - name: subscription-manager-activation-key - - tasks: - - - name: init - params: - - name: image-url - # We can't provide a real tag because it is not known at this time. 
- # We still provide a fake tag to the task to comply with the expected input. - # Because 'rebuild' is set to true, this has no effect. - # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers - value: $(params.output-image-repo):fake-tag - - name: rebuild - value: $(params.rebuild) - taskRef: - params: - - name: name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef - - name: kind - value: task - resolver: bundles - - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: submodules - value: $(params.clone-submodules) - - name: depth - value: "$(params.clone-depth)" - - name: fetchTags - value: "$(params.clone-fetch-tags)" - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth - - - name: determine-image-tag - runAfter: - # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. - - clone-repository - taskRef: - name: determine-image-tag - workspaces: - - name: source - workspace: workspace - - - name: prepare-rhel-rpm-subscriptions - runAfter: - - determine-image-tag - workspaces: - - name: source - workspace: workspace - - name: subscription-manager-activation-key - workspace: subscription-manager-activation-key - taskSpec: - steps: - # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. 
- - name: smuggle-activation-key - image: registry.access.redhat.com/ubi8/ubi:latest - script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle - - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - determine-image-tag - taskRef: - params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 - - name: kind - value: task - resolver: bundles - workspaces: - - name: source - workspace: workspace - - - name: build-container - params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: TARGET_STAGE - value: $(params.build-target-stage) - runAfter: - - prefetch-dependencies - - prepare-rhel-rpm-subscriptions - taskRef: - params: - - name: name - value: buildah - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: source - workspace: workspace - - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(tasks.build-container.results.IMAGE_URL) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: - params: - - name: name - value: source-build - - name: 
bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - input: $(params.build-source-image) - operator: in - values: [ "true" ] - workspaces: - - name: workspace - workspace: workspace - - - name: inspect-image - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: inspect-image - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: source - workspace: workspace - - - name: deprecated-base-image-check - params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clair-scan - - 
name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: workspace - workspace: workspace - - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + pipelineRef: + name: collector-component-pipeline 
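Review bot: The new `pipelineRef` resolves `collector-component-pipeline` by bare name with no comment saying where that Pipeline comes from, while the removed inline spec carried its own digest-pinned task bundles, so a reader of this file can no longer see that the pinning still exists. Given the `{{repo_url}}`-style templating used by these PipelineRuns, the reference is presumably resolved by Pipelines-as-Code from `.tekton/collector-component-pipeline.yaml` in the same directory (the diffstats of later patches in this series show that file), and I would record that above the new line: `# Resolved from .tekton/collector-component-pipeline.yaml in this directory; task bundle digests are pinned there.`. Separately, the removed spec's clone-repository task referenced `$(params.clone-depth)` and `$(params.clone-fetch-tags)` without either appearing in its `params:` declarations, and the PATCH 8 hunk for the referenced pipeline shows the same shape, so if this PipelineRun passes those two values (as the pull-request variant at the end of the series does) they reach the pipeline only if Tekton tolerates undeclared references; worth confirming rather than assuming.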
From 08842b40a3e5e2cbea93f265dd8d7ec607e01ffe Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Thu, 16 May 2024 18:55:01 +0200 Subject: [PATCH 6/8] Remove `inspect-image` as redundant Per https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1714150635478009 --- .tekton/collector-component-pipeline.yaml | 25 ----------------------- 1 file changed, 25 deletions(-) diff --git a/.tekton/collector-component-pipeline.yaml b/.tekton/collector-component-pipeline.yaml index ab79fc8fbd..d7fab81b30 100644 --- a/.tekton/collector-component-pipeline.yaml +++ b/.tekton/collector-component-pipeline.yaml @@ -290,31 +290,6 @@ spec: - name: workspace workspace: workspace - - name: inspect-image - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: inspect-image - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: source - workspace: workspace - - name: deprecated-base-image-check params: - name: BASE_IMAGES_DIGESTS From b1243f77f036a0ed96d4ea94bccbb241a2c88f96 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Wed, 22 May 2024 14:24:58 +0200 Subject: [PATCH 7/8] Configure indentation in YAML formatting consistent with StackRox See for more context: https://github.com/stackrox/scanner/pull/1515 https://github.com/stackrox/stackrox/pull/11213 --- .editorconfig | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.editorconfig b/.editorconfig index 0804900a46..bb1d2806ca 100644 --- a/.editorconfig +++ b/.editorconfig 
@@ -35,3 +35,8 @@ function_next_line = false # Ignore submodules [{third_party,falcosecurity-libs,collector/proto/third_party}/**] ignore = true + +# Make JetBrains IDEs format yaml consistently with stackrox/stackrox repo. +[{*.yaml,*.yml}] +# ij_ settings meaning can be mapped from https://www.jetbrains.com/help/idea/code-style-yaml.html +ij_yaml_indent_sequence_value = false From 7ebd9e449698c6e3174b4bc0621a5e2d61030abc Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Wed, 22 May 2024 14:26:05 +0200 Subject: [PATCH 8/8] Reformat `.tekton/*.yaml` files using GoLand Only used IDE command, no manual changes on top. --- .tekton/collector-component-pipeline.yaml | 724 +++++++++++----------- .tekton/collector-pull-request.yaml | 96 +-- .tekton/collector-push.yaml | 98 +-- .tekton/collector-slim-pull-request.yaml | 96 +-- .tekton/collector-slim-push.yaml | 98 +-- .tekton/determine-image-tag-task.yaml | 28 +- 6 files changed, 570 insertions(+), 570 deletions(-) diff --git a/.tekton/collector-component-pipeline.yaml b/.tekton/collector-component-pipeline.yaml index d7fab81b30..39bb8fc989 100644 --- a/.tekton/collector-component-pipeline.yaml +++ b/.tekton/collector-component-pipeline.yaml 
@@ -6,396 +6,396 @@ metadata: spec: finally: - - name: show-sbom + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca - - name: kind - value: task - resolver: bundles - - name: show-summary + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + - name: build-task-status + value: $(tasks.build-container.status) + workspaces: + - name: workspace + workspace: workspace + taskRef: params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - - name: build-task-status - value: $(tasks.build-container.status) - workspaces: - - name: workspace - workspace: workspace - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 - - name: kind - value: task - resolver: bundles + - name: name + value: summary + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 + - name: kind + value: task + resolver: bundles params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Output Image Repository - name: output-image-repo - type: string - - description: Suffix appended to the tag of the output image - name: output-tag-suffix - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. - name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - type: string - - default: "true" - description: Initialize and fetch git submodules during cloning of repository. - name: clone-submodules - - default: "true" - description: Build a source image. 
- name: build-source-image - type: string - - default: "" - description: Build stage to target in container build - name: build-target-stage - type: string + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Output Image Repository + name: output-image-repo + type: string + - description: Suffix appended to the tag of the output image + name: output-tag-suffix + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "true" + description: Initialize and fetch git submodules during cloning of repository. + name: clone-submodules + - default: "true" + description: Build a source image. 
+ name: build-source-image + type: string + - default: "" + description: Build stage to target in container build + name: build-target-stage + type: string results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) workspaces: - - name: workspace - - name: git-auth - - name: subscription-manager-activation-key + - name: workspace + - name: git-auth + - name: subscription-manager-activation-key tasks: - - name: init + - name: init + params: + - name: image-url + # We can't provide a real tag because it is not known at this time. + # We still provide a fake tag to the task to comply with the expected input. + # Because 'rebuild' is set to true, this has no effect. + # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers + value: $(params.output-image-repo):fake-tag + - name: rebuild + value: $(params.rebuild) + taskRef: params: - - name: image-url - # We can't provide a real tag because it is not known at this time. - # We still provide a fake tag to the task to comply with the expected input. 
- # Because 'rebuild' is set to true, this has no effect. - # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers - value: $(params.output-image-repo):fake-tag - - name: rebuild - value: $(params.rebuild) - taskRef: - params: - - name: name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef - - name: kind - value: task - resolver: bundles + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef + - name: kind + value: task + resolver: bundles - - name: clone-repository + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: submodules + value: $(params.clone-submodules) + - name: depth + value: "$(params.clone-depth)" + - name: fetchTags + value: "$(params.clone-fetch-tags)" + runAfter: + - init + taskRef: params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: submodules - value: $(params.clone-submodules) - - name: depth - value: "$(params.clone-depth)" - - name: fetchTags - value: "$(params.clone-fetch-tags)" - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba + - name: kind + value: 
task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth - - name: determine-image-tag - runAfter: - # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. - - clone-repository - taskRef: - name: determine-image-tag - workspaces: - - name: source - workspace: workspace + - name: determine-image-tag + runAfter: + # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. + - clone-repository + taskRef: + name: determine-image-tag + workspaces: + - name: source + workspace: workspace - - name: prepare-rhel-rpm-subscriptions - runAfter: - - determine-image-tag - workspaces: - - name: source - workspace: workspace - - name: subscription-manager-activation-key - workspace: subscription-manager-activation-key - taskSpec: - steps: - # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. - - name: smuggle-activation-key - image: registry.access.redhat.com/ubi8/ubi:latest - script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle + - name: prepare-rhel-rpm-subscriptions + runAfter: + - determine-image-tag + workspaces: + - name: source + workspace: workspace + - name: subscription-manager-activation-key + workspace: subscription-manager-activation-key + taskSpec: + steps: + # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. 
+ - name: smuggle-activation-key + image: registry.access.redhat.com/ubi8/ubi:latest + script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle - - name: prefetch-dependencies + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - determine-image-tag + taskRef: params: - - name: input - value: $(params.prefetch-input) - runAfter: - - determine-image-tag - taskRef: - params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 - - name: kind - value: task - resolver: bundles - workspaces: - - name: source - workspace: workspace + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 + - name: kind + value: task + resolver: bundles + workspaces: + - name: source + workspace: workspace - - name: build-container + - name: build-container + params: + - name: IMAGE + value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: $(params.build-target-stage) + runAfter: + - prefetch-dependencies + - prepare-rhel-rpm-subscriptions + taskRef: params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - 
value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: TARGET_STAGE - value: $(params.build-target-stage) - runAfter: - - prefetch-dependencies - - prepare-rhel-rpm-subscriptions - taskRef: - params: - - name: name - value: buildah - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: source - workspace: workspace + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: source + workspace: workspace - - name: build-source-image + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-container.results.IMAGE_URL) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: params: - - name: BINARY_IMAGE - value: $(tasks.build-container.results.IMAGE_URL) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: - params: - - name: name - value: source-build - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - 
input: $(params.build-source-image) - operator: in - values: [ "true" ] - workspaces: - - name: workspace - workspace: workspace + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + - input: $(params.build-source-image) + operator: in + values: [ "true" ] + workspaces: + - name: workspace + workspace: workspace - - name: deprecated-base-image-check + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - - name: clair-scan + - name: clair-scan + 
params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clair-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: workspace - workspace: workspace + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: workspace + workspace: workspace - - name: 
clamav-scan + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] - - name: sbom-json-check + - name: sbom-json-check + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + - name: name + value: sbom-json-check + - name: bundle + value: 
quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] diff --git a/.tekton/collector-pull-request.yaml b/.tekton/collector-pull-request.yaml index b70a9d7710..af283c4216 100644 --- a/.tekton/collector-pull-request.yaml +++ b/.tekton/collector-pull-request.yaml 
@@ -20,56 +20,56 @@ metadata: spec: params: - - name: dockerfile - value: collector/container/konflux.Dockerfile - - name: git-url - value: '{{repo_url}}' - - name: image-expires-after - value: '13w' - - name: output-image-repo - value: quay.io/rhacs-eng/collector - - name: output-tag-suffix - value: '-latest' - - name: path-context - value: . - - name: revision - value: '{{revision}}' - - name: rebuild - value: 'true' - # TODO(ROX-20234): Enable hermetic builds - # - name: hermetic - # value: "true" - # No language dependencies are required for collector image. - - name: prefetch-input - value: '' - - name: clone-depth - value: '0' - - name: clone-fetch-tags - value: 'true' - - name: clone-submodules - value: 'true' - - name: build-source-image - value: 'true' - - name: build-target-stage - value: collector + - name: dockerfile + value: collector/container/konflux.Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + value: '13w' + - name: output-image-repo + value: quay.io/rhacs-eng/collector + - name: output-tag-suffix + value: '-latest' + - name: path-context + value: . + - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + # TODO(ROX-20234): Enable hermetic builds + # - name: hermetic + # value: "true" + # No language dependencies are required for collector image. 
+ - name: prefetch-input + value: '' + - name: clone-depth + value: '0' + - name: clone-fetch-tags + value: 'true' + - name: clone-submodules + value: 'true' + - name: build-source-image + value: 'true' + - name: build-target-stage + value: collector workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' - - name: subscription-manager-activation-key - secret: - secretName: subscription-manager-activation-key + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + - name: subscription-manager-activation-key + secret: + secretName: subscription-manager-activation-key # The pipeline regularly takes >1h to finish. timeouts: diff --git a/.tekton/collector-push.yaml b/.tekton/collector-push.yaml index 4fd01824ac..3e8dde63b8 100644 --- a/.tekton/collector-push.yaml +++ b/.tekton/collector-push.yaml 
@@ -19,57 +19,57 @@ metadata: spec: params: - - name: dockerfile - value: collector/container/konflux.Dockerfile - - name: git-url - value: '{{repo_url}}' - - name: image-expires-after - # TODO(ROX-20230): make release images not expire. - value: '13w' - - name: output-image-repo - value: quay.io/rhacs-eng/collector - - name: output-tag-suffix - value: '-latest' - - name: path-context - value: . - - name: revision - value: '{{revision}}' - - name: rebuild - value: 'true' - # TODO(ROX-20234): Enable hermetic builds - # - name: hermetic - # value: "true" - # No language dependencies are required for collector image. - - name: prefetch-input - value: '' - - name: clone-depth - value: '0' - - name: clone-fetch-tags - value: 'true' - - name: clone-submodules - value: 'true' - - name: build-source-image - value: 'true' - - name: build-target-stage - value: collector + - name: dockerfile + value: collector/container/konflux.Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + # TODO(ROX-20230): make release images not expire. + value: '13w' + - name: output-image-repo + value: quay.io/rhacs-eng/collector + - name: output-tag-suffix + value: '-latest' + - name: path-context + value: . + - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + # TODO(ROX-20234): Enable hermetic builds + # - name: hermetic + # value: "true" + # No language dependencies are required for collector image. 
+ - name: prefetch-input + value: '' + - name: clone-depth + value: '0' + - name: clone-fetch-tags + value: 'true' + - name: clone-submodules + value: 'true' + - name: build-source-image + value: 'true' + - name: build-target-stage + value: collector workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' - - name: subscription-manager-activation-key - secret: - secretName: subscription-manager-activation-key + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + - name: subscription-manager-activation-key + secret: + secretName: subscription-manager-activation-key # The pipeline regularly takes >1h to finish. timeouts: diff --git a/.tekton/collector-slim-pull-request.yaml b/.tekton/collector-slim-pull-request.yaml index 8810d5ddab..99089b3d78 100644 --- a/.tekton/collector-slim-pull-request.yaml +++ b/.tekton/collector-slim-pull-request.yaml 
@@ -20,56 +20,56 @@ metadata: spec: params: - - name: dockerfile - value: collector/container/konflux.Dockerfile - - name: git-url - value: '{{repo_url}}' - - name: image-expires-after - value: '13w' - - name: output-image-repo - value: quay.io/rhacs-eng/collector - - name: output-tag-suffix - value: '-slim' - - name: path-context - value: . - - name: revision - value: '{{revision}}' - - name: rebuild - value: 'true' - # TODO(ROX-20234): Enable hermetic builds - # - name: hermetic - # value: "true" - # No language dependencies are required for collector image. - - name: prefetch-input - value: '' - - name: clone-depth - value: '0' - - name: clone-fetch-tags - value: 'true' - - name: clone-submodules - value: 'true' - - name: build-source-image - value: 'true' - - name: build-target-stage - value: collector-slim + - name: dockerfile + value: collector/container/konflux.Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + value: '13w' + - name: output-image-repo + value: quay.io/rhacs-eng/collector + - name: output-tag-suffix + value: '-slim' + - name: path-context + value: . + - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + # TODO(ROX-20234): Enable hermetic builds + # - name: hermetic + # value: "true" + # No language dependencies are required for collector image. 
+ - name: prefetch-input + value: '' + - name: clone-depth + value: '0' + - name: clone-fetch-tags + value: 'true' + - name: clone-submodules + value: 'true' + - name: build-source-image + value: 'true' + - name: build-target-stage + value: collector-slim workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' - - name: subscription-manager-activation-key - secret: - secretName: subscription-manager-activation-key + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + - name: subscription-manager-activation-key + secret: + secretName: subscription-manager-activation-key # The pipeline regularly takes >1h to finish. timeouts: diff --git a/.tekton/collector-slim-push.yaml b/.tekton/collector-slim-push.yaml index 4ce8a715ba..d66469eb67 100644 --- a/.tekton/collector-slim-push.yaml +++ b/.tekton/collector-slim-push.yaml 
@@ -19,57 +19,57 @@ metadata: spec: params: - - name: dockerfile - value: collector/container/konflux.Dockerfile - - name: git-url - value: '{{repo_url}}' - - name: image-expires-after - # TODO(ROX-20230): make release images not expire. - value: '13w' - - name: output-image-repo - value: quay.io/rhacs-eng/collector - - name: output-tag-suffix - value: '-slim' - - name: path-context - value: . - - name: revision - value: '{{revision}}' - - name: rebuild - value: 'true' - # TODO(ROX-20234): Enable hermetic builds - # - name: hermetic - # value: "true" - # No language dependencies are required for collector image. - - name: prefetch-input - value: '' - - name: clone-depth - value: '0' - - name: clone-fetch-tags - value: 'true' - - name: clone-submodules - value: 'true' - - name: build-source-image - value: 'true' - - name: build-target-stage - value: collector-slim + - name: dockerfile + value: collector/container/konflux.Dockerfile + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + # TODO(ROX-20230): make release images not expire. + value: '13w' + - name: output-image-repo + value: quay.io/rhacs-eng/collector + - name: output-tag-suffix + value: '-slim' + - name: path-context + value: . + - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + # TODO(ROX-20234): Enable hermetic builds + # - name: hermetic + # value: "true" + # No language dependencies are required for collector image. 
+ - name: prefetch-input + value: '' + - name: clone-depth + value: '0' + - name: clone-fetch-tags + value: 'true' + - name: clone-submodules + value: 'true' + - name: build-source-image + value: 'true' + - name: build-target-stage + value: collector-slim workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' - - name: subscription-manager-activation-key - secret: - secretName: subscription-manager-activation-key + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + - name: subscription-manager-activation-key + secret: + secretName: subscription-manager-activation-key # The pipeline regularly takes >1h to finish. timeouts: diff --git a/.tekton/determine-image-tag-task.yaml b/.tekton/determine-image-tag-task.yaml index d945a37ad8..61e4ae152d 100644 --- a/.tekton/determine-image-tag-task.yaml +++ b/.tekton/determine-image-tag-task.yaml 
@@ -8,19 +8,19 @@ spec:
 description: Determines the tag for the output image using the StackRox convention from 'make tag' output.
 params:
 results:
- - name: image-tag
- description: Image Tag determined by custom logic.
+ - name: image-tag
+ description: Image Tag determined by custom logic.
 steps:
- - name: determine-image-tag
- image: registry.access.redhat.com/ubi8:latest
- script: |
- #!/usr/bin/env bash
- set -euo pipefail
- dnf -y upgrade --nobest
- dnf -y install git make
- cd "$(workspaces.source.path)/source"
- .konflux/scripts/fail-build-if-git-is-dirty.sh
- echo -n "$(make --quiet --no-print-directory tag)-fast" | tee "$(results.image-tag.path)"
+ - name: determine-image-tag
+ image: registry.access.redhat.com/ubi8:latest
+ script: |
+ #!/usr/bin/env bash
+ set -euo pipefail
+ dnf -y upgrade --nobest
+ dnf -y install git make
+ cd "$(workspaces.source.path)/source"
+ .konflux/scripts/fail-build-if-git-is-dirty.sh
+ echo -n "$(make --quiet --no-print-directory tag)-fast" | tee "$(results.image-tag.path)"
 workspaces:
- - name: source
- description: The workspace where source code is included.
+ - name: source
+ description: The workspace where source code is included.