Switch to trusted tasks

which come from
stackrox/konflux-tasks#3

.tekton/basic-component-pipeline.yaml

@@ -193,7 +193,15 @@ spec:
     - name: MAKEFILE_DIRECTORY
       value: $(params.image-tag-makefile-directory)
     taskRef:
-      name: determine-image-tag
+      params:
+      - name: name
+        value: determine-image-tag-stackrox
+      - name: bundle
+        # TODO(ROX-27350): switch to latest tag after tasks PR is pushed.
+        value: quay.io/rhacs-eng/konflux-tasks:pr-3@sha256:50d7e4bca7e81fbf09faa749dfad62167b2099884363efb4d9fd0d05a6bc843d
+      - name: kind
+        value: task
+      resolver: bundles
 
   - name: prefetch-dependencies
     params:

.tekton/main-pipeline.yaml

@@ -187,18 +187,36 @@ spec:
     - name: SOURCE_ARTIFACT
       value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
     taskRef:
-      name: determine-image-tag
+      params:
+      - name: name
+        value: determine-image-tag-stackrox
+      - name: bundle
+        # TODO(ROX-27350): switch to latest tag after tasks PR is pushed.
+        value: quay.io/rhacs-eng/konflux-tasks:pr-3@sha256:50d7e4bca7e81fbf09faa749dfad62167b2099884363efb4d9fd0d05a6bc843d
+      - name: kind
+        value: task
+      resolver: bundles
 
   - name: fetch-external-networks
     params:
+    - name: TARGET_DIR
+      value: .konflux/stackrox-data
     - name: SOURCE_ARTIFACT
       value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
     - name: ociStorage
       value: $(params.output-image-repo):konflux-$(params.revision).external-networks
     - name: ociArtifactExpiresAfter
       value: $(params.oci-artifact-expires-after)
     taskRef:
-      name: fetch-external-networks
+      params:
+      - name: name
+        value: fetch-external-networks
+      - name: bundle
+        # TODO(ROX-27350): switch to latest tag after tasks PR is pushed.
+        value: quay.io/rhacs-eng/konflux-tasks:pr-3@sha256:50d7e4bca7e81fbf09faa749dfad62167b2099884363efb4d9fd0d05a6bc843d
+      - name: kind
+        value: task
+      resolver: bundles
 
   - name: prefetch-dependencies
     params:

.tekton/operator-bundle-pipeline.yaml

@@ -296,8 +296,16 @@ spec:
       value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
     - name: MAKEFILE_DIRECTORY
       value: ./operator
-    taskRef:
-      name: determine-image-tag
+    taskRef: &determine-image-tag-ref
+      params:
+      - name: name
+        value: determine-image-tag-stackrox
+      - name: bundle
+        # TODO(ROX-27350): switch to latest tag after tasks PR is pushed.
+        value: quay.io/rhacs-eng/konflux-tasks:pr-3@sha256:50d7e4bca7e81fbf09faa749dfad62167b2099884363efb4d9fd0d05a6bc843d
+      - name: kind
+        value: task
+      resolver: bundles
 
   - name: determine-main-image-tag
     params:
@@ -307,8 +315,7 @@ spec:
       value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
     - name: MAKEFILE_DIRECTORY
       value: "."
-    taskRef:
-      name: determine-image-tag
+    taskRef: *determine-image-tag-ref
 
   - name: prefetch-dependencies
     params:
@@ -337,107 +344,104 @@ spec:
     params:
     - name: IMAGE
       value: "$(params.operator-image-build-repo):$(tasks.determine-operator-image-tag.results.IMAGE_TAG)"
-    taskRef:
-      name: wait-for-image
+    taskRef: &wait-for-image-ref
+      params:
+      - name: name
+        value: wait-for-image
+      - name: bundle
+        # TODO(ROX-27350): switch to latest tag after tasks PR is pushed.
+        value: quay.io/rhacs-eng/konflux-tasks:pr-3@sha256:50d7e4bca7e81fbf09faa749dfad62167b2099884363efb4d9fd0d05a6bc843d
+      - name: kind
+        value: task
+      resolver: bundles
     # This timeout must be the same as the pipeline timeout in `operator-build.yaml`.
     timeout: 1h10m
 
   - name: wait-for-main-image
     params:
     - name: IMAGE
       value: "$(params.main-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
-    taskRef:
-      name: wait-for-image
+    taskRef: *wait-for-image-ref
     # This timeout must be the same as the pipeline timeout in `main-build.yaml`.
     timeout: 2h40m
 
   - name: wait-for-scanner-image
     params:
     - name: IMAGE
       value: "$(params.scanner-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
-    taskRef:
-      name: wait-for-image
+    taskRef: *wait-for-image-ref
     # This timeout must be the same as the pipeline timeout in `scanner-retag.yaml`
     timeout: 40m
 
   - name: wait-for-scanner-db-image
     params:
     - name: IMAGE
       value: "$(params.scanner-db-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
-    taskRef:
-      name: wait-for-image
+    taskRef: *wait-for-image-ref
     # This timeout must be the same as the pipeline timeout in `scanner-db-retag.yaml`
     timeout: 40m
 
   - name: wait-for-scanner-slim-image
     params:
     - name: IMAGE
       value: "$(params.scanner-slim-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
-    taskRef:
-      name: wait-for-image
+    taskRef: *wait-for-image-ref
     # This timeout must be the same as the pipeline timeout in `scanner-slim-retag.yaml`
     timeout: 40m
 
   - name: wait-for-scanner-db-slim-image
     params:
     - name: IMAGE
       value: "$(params.scanner-db-slim-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
-    taskRef:
-      name: wait-for-image
+    taskRef: *wait-for-image-ref
     # This timeout must be the same as the pipeline timeout in `scanner-db-slim-retag.yaml`
     timeout: 40m
 
   - name: wait-for-scanner-v4-image
     params:
     - name: IMAGE
       value: "$(params.scanner-v4-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
-    taskRef:
-      name: wait-for-image
+    taskRef: *wait-for-image-ref
     # This timeout must be the same as the pipeline timeout in `scanner-v4-build.yaml`.
     timeout: 1h10m
 
   - name: wait-for-scanner-v4-db-image
     params:
     - name: IMAGE
       value: "$(params.scanner-v4-db-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
-    taskRef:
-      name: wait-for-image
+    taskRef: *wait-for-image-ref
     # This timeout must be the same as the pipeline timeout in `scanner-v4-db-build.yaml`.
     timeout: 1h10m
 
   - name: wait-for-collector-slim-image
     params:
     - name: IMAGE
       value: "$(params.collector-slim-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
-    taskRef:
-      name: wait-for-image
+    taskRef: *wait-for-image-ref
     # The timeout must be the same as the pipeline timeout in `collector-slim-retag.yaml`
     timeout: 40m
 
   - name: wait-for-collector-full-image
     params:
     - name: IMAGE
       value: "$(params.collector-full-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
-    taskRef:
-      name: wait-for-image
+    taskRef: *wait-for-image-ref
     # The timeout must be the same as the pipeline timeout in `collector-full-retag.yaml`
     timeout: 40m
 
   - name: wait-for-roxctl-image
     params:
     - name: IMAGE
       value: "$(params.roxctl-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
-    taskRef:
-      name: wait-for-image
+    taskRef: *wait-for-image-ref
     # This timeout must be the same as the pipeline timeout in `roxctl-build.yaml`.
     timeout: 1h10m
 
   - name: wait-for-central-db-image
     params:
     - name: IMAGE
       value: "$(params.central-db-image-build-repo):$(tasks.determine-main-image-tag.results.IMAGE_TAG)"
-    taskRef:
-      name: wait-for-image
+    taskRef: *wait-for-image-ref
     # This timeout must be the same as the pipeline timeout in `central-db-build.yaml`.
     timeout: 1h40m