diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md
index 2b937ddd9d..37ceddb15a 100644
--- a/pipelines/docker-build/README.md
+++ b/pipelines/docker-build/README.md
@@ -331,7 +331,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |---|---|---|---|
 |git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth|
 |netrc| |True| prefetch-dependencies:0.1:netrc|
-|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.3:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.3:workspace ; sast-coverity-check:0.2:workspace ; sast-shell-check:0.1:workspace ; sast-unicode-check:0.1:workspace ; push-dockerfile:0.1:workspace|
+|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.3:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.3:workspace ; sast-coverity-check:0.2:source ; sast-shell-check:0.1:workspace ; sast-unicode-check:0.1:workspace ; push-dockerfile:0.1:workspace|
 ## Available workspaces from tasks
 ### buildah:0.3 task workspaces
 |name|description|optional|workspace from pipeline
@@ -356,7 +356,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 ### sast-coverity-check:0.2 task workspaces
 |name|description|optional|workspace from pipeline
 |---|---|---|---|
-|workspace| | False| workspace|
+|source| | False| workspace|
 ### sast-shell-check:0.1 task workspaces
 |name|description|optional|workspace from pipeline
 |---|---|---|---|
diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml
index 924fe52967..2e19cd46d8 100644
--- a/pipelines/template-build/template-build.yaml
+++ b/pipelines/template-build/template-build.yaml
@@ -255,7 +255,7 @@ spec:
 - name: image-url
 value: $(tasks.build-image-index.results.IMAGE_URL)
 workspaces:
- - name: workspace
+ - name: source
 workspace: workspace
 - name: coverity-availability-check
 when:
diff --git a/task/sast-coverity-check/0.2/MIGRATION.md b/task/sast-coverity-check/0.2/MIGRATION.md
index 1c6df6a12e..ef87c26c9c 100644
--- a/task/sast-coverity-check/0.2/MIGRATION.md
+++ b/task/sast-coverity-check/0.2/MIGRATION.md
@@ -1,7 +1,60 @@ # Migration from 0.1 to 0.2 +- The workspace has been renamed to `source` to make the interface compatible + with the `build-container` task. + - The unused `IMAGE_DIGEST` parameter has been removed. ## Action from users +- The workspace for this task in the build pipeline should be renamed to `source`. - The `IMAGE_DIGEST` parameter definition can optionally be removed for this task in the build pipeline. + +### Example +```diff +--- a/.tekton/konflux-test-operator-pipelines-pull-request.yaml ++++ b/.tekton/konflux-test-operator-pipelines-pull-request.yaml +@@ -417,40 +417,38 @@ spec: + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: +- - name: image-digest +- value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check + - name: bundle +- value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check:0.1@sha256:6d0bead975a9e9ce9dac98edb0a3c3908dbae3882df2775fc8760c6bb4f41f8c ++ value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check:0.2 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + workspaces: +- - name: workspace ++ - name: source + workspace: workspace + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name +``` diff --git a/task/sast-coverity-check/0.2/sast-coverity-check.yaml b/task/sast-coverity-check/0.2/sast-coverity-check.yaml index d567ac4613..5080295ed9 100644 --- a/task/sast-coverity-check/0.2/sast-coverity-check.yaml +++ b/task/sast-coverity-check/0.2/sast-coverity-check.yaml 
@@ -86,7 +86,7 @@ spec: cpu: "16" # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent - workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) + workingDir: $(workspaces.source.path)/hacbs/$(context.task.name) volumeMounts: - name: cov-license mountPath: "/etc/secrets/cov" @@ -130,9 +130,9 @@ spec: echo "The PROJECT_NAME used is: ${PROJECT_NAME}" COVERITY_DIR=/var/tmp/coverity/idir - COVERITY_RESULTS_FILE=$(workspaces.workspace.path)/coverity-buildless-results.json + COVERITY_RESULTS_FILE=$(workspaces.source.path)/coverity-buildless-results.json COV_LICENSE_PATH=/etc/secrets/cov/cov-license - SOURCE_CODE_DIR=$(workspaces.workspace.path) + SOURCE_CODE_DIR=$(workspaces.source.path) # Installing Coverity license cp "$COV_LICENSE_PATH" /opt/coverity/bin/license.dat @@ -227,7 +227,7 @@ spec: (set -x $$ csgrep --mode=evtstat filtered_sast_coverity_buildless_check_all_findings.json) fi - csgrep --mode=sarif filtered_sast_coverity_buildless_check_all_findings.json > "$(workspaces.workspace.path)"/coverity-results.sarif + csgrep --mode=sarif filtered_sast_coverity_buildless_check_all_findings.json > "$(workspaces.source.path)"/coverity-results.sarif if [[ -z "$(csgrep --mode=evtstat filtered_sast_coverity_buildless_check_all_findings.json)" ]]; then note="Task $(context.task.name) success: No finding was detected" @@ -235,7 +235,7 @@ spec: echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" else TEST_OUTPUT= - parse_test_output "$(context.task.name)" sarif "$(workspaces.workspace.path)"/coverity-results.sarif || true + parse_test_output "$(context.task.name)" sarif "$(workspaces.source.path)"/coverity-results.sarif || true note="Task $(context.task.name) failed: For details, check Tekton task log." echo "${ERROR_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" fi 
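Review bot: The two assignments in the `@@ -130,9` hunk leave the Tekton placeholder unquoted, while the `csgrep --mode=sarif` and `parse_test_output` lines in the later hunks quote it. Tekton substitutes `$(workspaces.source.path)` into the script text before the shell parses it, so the substituted value is read as shell source. The path is set by the controller, which keeps the risk low, but the quoted form is the consistent one: `COVERITY_RESULTS_FILE="$(workspaces.source.path)/coverity-buildless-results.json"` and `SOURCE_CODE_DIR="$(workspaces.source.path)"`. The script body starts and ends outside these hunks.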
@@ -243,7 +243,7 @@ spec:
 echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee "$(results.TEST_OUTPUT.path)"
 - name: upload
 image: quay.io/konflux-ci/oras:latest@sha256:99737f436051e6d3866eb8a8706463c35abf72c87f05090ff42ff642f6729661
- workingDir: $(workspaces.workspace.path)
+ workingDir: $(workspaces.source.path)
 env:
 - name: IMAGE_URL
 value: $(params.image-url)
@@ -273,4 +273,4 @@ spec:
 oras attach --no-tty --registry-config "$HOME/auth.json" --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}"
 done
 workspaces:
- - name: workspace
+ - name: source
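Review bot: The renamed declaration `- name: source` in the `@@ -273,4` hunk changes the task's interface in place under the existing 0.2 version, and it appears to carry no `description` (the regenerated README table in this commit shows that column empty). A line such as `description: Source tree to scan; the JSON and SARIF results are written to its root.` would document the contract next to the name. Because a pipeline that still binds `workspace` will stop matching, pinning matters for consumers. The MIGRATION.md example in this commit replaces a `:0.1@sha256:…` bundle reference with a bare `:0.2` tag. Keeping a digest there, e.g. `:0.2@sha256:<digest of the published 0.2 bundle>`, would let users adopt the rename deliberately rather than whenever the tag moves.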