Merge branch 'main' into paketo-builder

.github/workflows/check-buildah-remote.yaml

@@ -9,7 +9,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683   # v4
       - name: Install Go
-        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed   # v5
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a   # v5
         with:
           go-version-file: './task-generator/remote/go.mod'
       - name: Check buildah remote

.github/workflows/go-ci.yaml

@@ -18,7 +18,7 @@ jobs:
           go-version-file: './${{matrix.path}}/go.mod'
           cache-dependency-path: ./${{matrix.path}}/go.sum
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@0e1fd32b0c0584f0d28eec08848dfd2bf6a909d9
+        uses: golangci/golangci-lint-action@774c35bcccffb734694af9e921f12f57d882ef74
         with:
           working-directory: ${{matrix.path}}
           args: "--timeout=10m --build-tags='normal periodic'"
@@ -84,7 +84,7 @@ jobs:
           # we let the report trigger content trigger a failure using the GitHub Security features.
           args: '-tags normal,periodic -no-fail -fmt sarif -out results.sarif ${{matrix.path}}/...'
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@6f9e628e6f9a18c785dd746325ba455111df1b67
+        uses: github/codeql-action/upload-sarif@dd7559424621a6dd0b32ababe9e4b271a87f78d2
         with:
           # Path to SARIF file relative to the root of the repository
           sarif_file: results.sarif

.github/workflows/run-task-tests.yaml

@@ -60,7 +60,7 @@ jobs:
         with:
           repository: 'konflux-ci/konflux-ci'
           path: konflux-ci
-          ref: 13c9f7f0f90d615249c8d4d67a18c919b7bb3d95
+          ref: d19c18bc2ec9c47c02d8bcf30305a3e5e198bc9f
 
       - name: Create k8s Kind Cluster
         if: steps.tasks-to-be-tested.outputs.tasklist != ''

CODEOWNERS

@@ -76,10 +76,8 @@
 # renovate groupName=preflight
 /task/ecosystem-cert-preflight-checks   @acornett21 @bcrochet @komish @skattoju
 
-# renovate groupName=eaas
+# maitained in tekton-tools, thus should be ignored by renovate
 /task/provision-env-with-ephemeral-namespace    @amisstea @avi-biton @gbenhaim @omeramsc @yftacherzog
-
-# renovate groupName=rpm-tasks
 /task/generate-odcs-compose @amisstea @avi-biton @gbenhaim @yftacherzog
 /task/rpms-signature-scan   @amisstea @avi-biton @gbenhaim @yftacherzog
 /task/verify-signed-rpms    @amisstea @avi-biton @gbenhaim @yftacherzog

renovate.json

@@ -136,8 +136,7 @@
         "stepactions/eaas-get-ephemeral-cluster-credentials/**",
         "stepactions/eaas-get-latest-openshift-version-by-prefix/**",
         "stepactions/eaas-get-supported-ephemeral-cluster-versions/**",
-        "task/eaas-provision-space/**",
-        "task/provision-env-with-ephemeral-namespace/**"
+        "task/eaas-provision-space/**"
       ]
     },
     {
@@ -170,18 +169,15 @@
       ]
     },
     {
-      "groupName": "rpm-tasks",
+      "groupName": "tekton-tools-tasks",
+      "description": "Updated and verified in tekton-tools so should be ignored here",
       "matchFileNames": [
         "task/generate-odcs-compose/**",
         "task/rpms-signature-scan/**",
-        "task/verify-signed-rpms/**"
-      ]
-    },
-    {
-      "groupName": "buildpack",
-      "matchFileNames": [
-        "task/build-paketo-builder-oci-ta/**"
-      ]
+        "task/verify-signed-rpms/**",
+        "task/provision-env-with-ephemeral-namespace/**"
+      ],
+      "enabled": false
     }
   ],
   "postUpdateOptions": [

task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml

@@ -89,12 +89,12 @@ spec:
         name: workdir
   steps:
     - name: use-trusted-artifact
-      image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
+      image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:b31dc501d5068e30621e51681a2921d4e43f5a030ab78c8991f83a5e774534a3
       args:
         - use
         - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
     - name: prepare
-      image: quay.io/konflux-ci/appstudio-utils@sha256:980a09c9bccb6baaf4e698fc5a10a9f5b477233139a3b2a78fc54124c7599e95
+      image: quay.io/konflux-ci/appstudio-utils@sha256:426143910a9fe57a340143f8c19f1ad8e7103749be84096c3faacc20b260b15a
       workingDir: /var/workdir
       script: |
         #!/bin/bash

task/build-maven-zip/0.1/build-maven-zip.yaml

@@ -63,7 +63,7 @@ spec:
         name: shared
 
   steps:
-  - image: quay.io/konflux-ci/appstudio-utils@sha256:980a09c9bccb6baaf4e698fc5a10a9f5b477233139a3b2a78fc54124c7599e95
+  - image: quay.io/konflux-ci/appstudio-utils@sha256:426143910a9fe57a340143f8c19f1ad8e7103749be84096c3faacc20b260b15a
     name: prepare
     computeResources:
       limits:

task/buildah-oci-ta/0.2/buildah-oci-ta.yaml

@@ -433,6 +433,7 @@ spec:
         ACTIVATION_KEY_PATH="/activation-key"
         ENTITLEMENT_PATH="/entitlement"
 
+        # 0. if hermetic=true, skip all subscription related stuff
         # 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.
         # 2. Activation-keys will be used when the key 'org' exists in the activation key secret.
         # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.
@@ -441,7 +442,7 @@ spec:
         #    shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced
         #    container.
 
-        if [ -e /activation-key/org ]; then
+        if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then
           cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
           mkdir -p /shared/rhsm/etc/pki/entitlement
           mkdir -p /shared/rhsm/etc/pki/consumer
@@ -465,8 +466,7 @@ spec:
             VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)
           fi
 
-        # was: if [ -d "$ACTIVATION_KEY_PATH" ]; then
-        elif find /entitlement -name "*.pem" >>null; then
+        elif [ "${HERMETIC}" != "true" ] && find /entitlement -name "*.pem" >>null; then
           cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement
           VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)
           echo "Adding the entitlement to the build"

task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml

@@ -467,6 +467,7 @@ spec:
       ACTIVATION_KEY_PATH="/activation-key"
       ENTITLEMENT_PATH="/entitlement"
 
+      # 0. if hermetic=true, skip all subscription related stuff
       # 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.
       # 2. Activation-keys will be used when the key 'org' exists in the activation key secret.
       # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.
@@ -475,7 +476,7 @@ spec:
       #    shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced
       #    container.
 
-      if [ -e /activation-key/org ]; then
+      if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then
         cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
         mkdir -p /shared/rhsm/etc/pki/entitlement
         mkdir -p /shared/rhsm/etc/pki/consumer
@@ -499,8 +500,7 @@ spec:
           VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)
         fi
 
-      # was: if [ -d "$ACTIVATION_KEY_PATH" ]; then
-      elif find /entitlement -name "*.pem" >>null; then
+      elif [ "${HERMETIC}" != "true" ] && find /entitlement -name "*.pem" >>null; then
         cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement
         VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)
         echo "Adding the entitlement to the build"

task/buildah-remote/0.2/buildah-remote.yaml

@@ -444,7 +444,7 @@ spec:
       ACTIVATION_KEY_PATH="/activation-key"
       ENTITLEMENT_PATH="/entitlement"
 
-
+      # 0. if hermetic=true, skip all subscription related stuff
       # 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.
       # 2. Activation-keys will be used when the key 'org' exists in the activation key secret.
       # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.
@@ -453,7 +453,7 @@ spec:
       #    shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced
       #    container.
 
-      if [ -e /activation-key/org ]; then
+      if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then
         cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
         mkdir -p /shared/rhsm/etc/pki/entitlement
         mkdir -p /shared/rhsm/etc/pki/consumer
@@ -463,7 +463,6 @@ spec:
                         -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)
         echo "Adding activation key to the build"
 
-
         if ! grep -E "^[^#]*subscription-manager.[^#]*register" "$dockerfile_path"; then
           # user is not running registration in the Containerfile: pre-register.
           echo "Pre-registering with subscription manager."
@@ -478,8 +477,7 @@ spec:
           VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)
         fi
 
-      # was: if [ -d "$ACTIVATION_KEY_PATH" ]; then
-      elif find /entitlement -name "*.pem" >> null; then
+      elif [ "${HERMETIC}" != "true" ] && find /entitlement -name "*.pem" >> null; then
         cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement
         VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)
         echo "Adding the entitlement to the build"

task/buildah/0.2/buildah.yaml

@@ -365,7 +365,7 @@ spec:
       ACTIVATION_KEY_PATH="/activation-key"
       ENTITLEMENT_PATH="/entitlement"
 
-
+      # 0. if hermetic=true, skip all subscription related stuff
       # 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.
       # 2. Activation-keys will be used when the key 'org' exists in the activation key secret.
       # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.
@@ -374,7 +374,7 @@ spec:
       #    shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced
       #    container.
 
-      if [ -e /activation-key/org ]; then
+      if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then
         cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
         mkdir -p /shared/rhsm/etc/pki/entitlement
         mkdir -p /shared/rhsm/etc/pki/consumer
@@ -384,7 +384,6 @@ spec:
                         -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)
         echo "Adding activation key to the build"
 
-
         if ! grep -E "^[^#]*subscription-manager.[^#]*register" "$dockerfile_path"; then
           # user is not running registration in the Containerfile: pre-register.
           echo "Pre-registering with subscription manager."
@@ -399,8 +398,7 @@ spec:
           VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)
         fi
 
-      # was: if [ -d "$ACTIVATION_KEY_PATH" ]; then
-      elif find /entitlement -name "*.pem" >> null; then
+      elif [ "${HERMETIC}" != "true" ] && find /entitlement -name "*.pem" >> null; then
         cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement
         VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)
         echo "Adding the entitlement to the build"

task/generate-odcs-compose/0.1/generate-odcs-compose.yaml

@@ -21,7 +21,7 @@ spec:
       description: Directory to write the result .repo files.
   steps:
     - name: generate-odcs-compose
-      image: quay.io/redhat-appstudio/tools@sha256:49f776c18b06cd7343103652106336c27d116dd367a7d5a2538aab0f40656d27
+      image: quay.io/redhat-appstudio/tools@sha256:a66737d174ecf43a95e29670bbc6a5598d2279a087eb3624e32bf0b0b62011d7
       env:
         - name: CLIENT_ID
           valueFrom:

task/generate-odcs-compose/0.2/generate-odcs-compose.yaml

@@ -21,7 +21,7 @@ spec:
       description: Directory to write the result .repo files.
   steps:
     - name: generate-odcs-compose
-      image: quay.io/redhat-appstudio/tools@sha256:49f776c18b06cd7343103652106336c27d116dd367a7d5a2538aab0f40656d27
+      image: quay.io/redhat-appstudio/tools@sha256:a66737d174ecf43a95e29670bbc6a5598d2279a087eb3624e32bf0b0b62011d7
       env:
         - name: CLIENT_ID
           valueFrom:

task/rpms-signature-scan/0.1/rpms-signature-scan.yaml

@@ -48,7 +48,7 @@ spec:
         optional: true
   steps:
     - name: rpms-signature-scan
-      image: quay.io/redhat-appstudio/tools@sha256:49f776c18b06cd7343103652106336c27d116dd367a7d5a2538aab0f40656d27
+      image: quay.io/redhat-appstudio/tools@sha256:a66737d174ecf43a95e29670bbc6a5598d2279a087eb3624e32bf0b0b62011d7
       volumeMounts:
         - name: workdir
           mountPath: "$(params.workdir)"

task/rpms-signature-scan/0.2/rpms-signature-scan.yaml

@@ -44,7 +44,7 @@ spec:
         optional: true
   steps:
     - name: rpms-signature-scan
-      image: quay.io/redhat-appstudio/tools@sha256:49f776c18b06cd7343103652106336c27d116dd367a7d5a2538aab0f40656d27
+      image: quay.io/redhat-appstudio/tools@sha256:a66737d174ecf43a95e29670bbc6a5598d2279a087eb3624e32bf0b0b62011d7
       volumeMounts:
         - name: workdir
           mountPath: "$(params.workdir)"