diff --git a/.github/workflows/check-buildah-remote.yaml b/.github/workflows/check-buildah-remote.yaml
index a8206cb5fd..a5a33f2d73 100644
--- a/.github/workflows/check-buildah-remote.yaml
+++ b/.github/workflows/check-buildah-remote.yaml
@@ -9,7 +9,7 @@ jobs: steps: - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 - name: Install Go - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5 with: go-version-file: './task-generator/remote/go.mod' - name: Check buildah remote
diff --git a/.github/workflows/go-ci.yaml b/.github/workflows/go-ci.yaml
index 5148aa6ad1..9c3fa115d7 100644
--- a/.github/workflows/go-ci.yaml
+++ b/.github/workflows/go-ci.yaml
@@ -18,7 +18,7 @@ jobs: go-version-file: './${{matrix.path}}/go.mod' cache-dependency-path: ./${{matrix.path}}/go.sum - name: golangci-lint - uses: golangci/golangci-lint-action@0e1fd32b0c0584f0d28eec08848dfd2bf6a909d9 + uses: golangci/golangci-lint-action@774c35bcccffb734694af9e921f12f57d882ef74 with: working-directory: ${{matrix.path}} args: "--timeout=10m --build-tags='normal periodic'"
@@ -84,7 +84,7 @@ jobs: # we let the report trigger content trigger a failure using the GitHub Security features. args: '-tags normal,periodic -no-fail -fmt sarif -out results.sarif ${{matrix.path}}/...' - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@6f9e628e6f9a18c785dd746325ba455111df1b67 + uses: github/codeql-action/upload-sarif@dd7559424621a6dd0b32ababe9e4b271a87f78d2 with: # Path to SARIF file relative to the root of the repository sarif_file: results.sarif
diff --git a/.github/workflows/run-task-tests.yaml b/.github/workflows/run-task-tests.yaml
index 21d276cc00..7cb3a6d026 100644
--- a/.github/workflows/run-task-tests.yaml
+++ b/.github/workflows/run-task-tests.yaml
@@ -60,7 +60,7 @@ jobs: with: repository: 'konflux-ci/konflux-ci' path: konflux-ci - ref: 13c9f7f0f90d615249c8d4d67a18c919b7bb3d95 + ref: d19c18bc2ec9c47c02d8bcf30305a3e5e198bc9f - name: Create k8s Kind Cluster if: steps.tasks-to-be-tested.outputs.tasklist != ''
diff --git a/CODEOWNERS b/CODEOWNERS
index d58df983de..0cb0d53003 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -76,10 +76,8 @@ # renovate groupName=preflight /task/ecosystem-cert-preflight-checks @acornett21 @bcrochet @komish @skattoju -# renovate groupName=eaas +# maitained in tekton-tools, thus should be ignored by renovate /task/provision-env-with-ephemeral-namespace @amisstea @avi-biton @gbenhaim @omeramsc @yftacherzog - -# renovate groupName=rpm-tasks /task/generate-odcs-compose @amisstea @avi-biton @gbenhaim @yftacherzog /task/rpms-signature-scan @amisstea @avi-biton @gbenhaim @yftacherzog /task/verify-signed-rpms @amisstea @avi-biton @gbenhaim @yftacherzog
diff --git a/renovate.json b/renovate.json
index fc3c6e36e9..9844f3889c 100644
--- a/renovate.json
+++ b/renovate.json
@@ -136,8 +136,7 @@ "stepactions/eaas-get-ephemeral-cluster-credentials/**", "stepactions/eaas-get-latest-openshift-version-by-prefix/**", "stepactions/eaas-get-supported-ephemeral-cluster-versions/**", - "task/eaas-provision-space/**", - "task/provision-env-with-ephemeral-namespace/**" + "task/eaas-provision-space/**" ] }, {
@@ -170,18 +169,15 @@ ] }, { - "groupName": "rpm-tasks", + "groupName": "tekton-tools-tasks", + "description": "Updated and verified in tekton-tools so should be ignored here", "matchFileNames": [ "task/generate-odcs-compose/**", "task/rpms-signature-scan/**", - "task/verify-signed-rpms/**" - ] - }, - { - "groupName": "buildpack", - "matchFileNames": [ - "task/build-paketo-builder-oci-ta/**" - ] + "task/verify-signed-rpms/**", + "task/provision-env-with-ephemeral-namespace/**" ], + "enabled": false } ], "postUpdateOptions": [
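Review bot: The new comment line in CODEOWNERS misspells "maintained" (`# maitained in tekton-tools, thus should be ignored by renovate`); suggest `# maintained in tekton-tools, thus should be ignored by renovate`. A CODEOWNERS comment has no effect on Renovate itself, so the sentence should be read as a pointer to the renovate.json rule rather than as the exclusion. The removed `# renovate groupName=eaas` and `# renovate groupName=rpm-tasks` markers follow the same convention as the surviving `# renovate groupName=preflight` line; if any script cross-checks those markers against renovate.json, the three rpm tasks now carry no marker at all while being grouped as tekton-tools-tasks there, so it is worth confirming nothing consumes them.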
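Review bot: Disabling Renovate for the new `tekton-tools-tasks` group (`"enabled": false`) means the `quay.io/redhat-appstudio/tools@sha256:…` digests in generate-odcs-compose and rpms-signature-scan, which this same commit bumps by hand, will no longer be refreshed in this repo; the description should state how those digests are synced from tekton-tools so a rebuilt tools image (and any fixes it carries) is not missed here. The `buildpack` group for `task/build-paketo-builder-oci-ta/**` is removed outright rather than disabled, so if that task still exists its updates fall back to the default grouping; if that is intended, a one-line note in the commit message would make it clear. Moving `task/provision-env-with-ephemeral-namespace/**` out of the eaas group into the disabled group is consistent with the CODEOWNERS comment.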
diff --git a/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml b/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml
index cb535b9f27..96f3346aba 100644
--- a/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml
+++ b/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml
@@ -89,12 +89,12 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:b31dc501d5068e30621e51681a2921d4e43f5a030ab78c8991f83a5e774534a3 args: - use - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 - name: prepare - image: quay.io/konflux-ci/appstudio-utils@sha256:980a09c9bccb6baaf4e698fc5a10a9f5b477233139a3b2a78fc54124c7599e95 + image: quay.io/konflux-ci/appstudio-utils@sha256:426143910a9fe57a340143f8c19f1ad8e7103749be84096c3faacc20b260b15a workingDir: /var/workdir script: | #!/bin/bash
diff --git a/task/build-maven-zip/0.1/build-maven-zip.yaml b/task/build-maven-zip/0.1/build-maven-zip.yaml
index 3d4394976c..592324b48e 100644
--- a/task/build-maven-zip/0.1/build-maven-zip.yaml
+++ b/task/build-maven-zip/0.1/build-maven-zip.yaml
@@ -63,7 +63,7 @@ spec: name: shared steps: - - image: quay.io/konflux-ci/appstudio-utils@sha256:980a09c9bccb6baaf4e698fc5a10a9f5b477233139a3b2a78fc54124c7599e95 + - image: quay.io/konflux-ci/appstudio-utils@sha256:426143910a9fe57a340143f8c19f1ad8e7103749be84096c3faacc20b260b15a name: prepare computeResources: limits:
diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
index 65f9cdd091..f17a7d0003 100644
--- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -433,6 +433,7 @@ spec: ACTIVATION_KEY_PATH="/activation-key" ENTITLEMENT_PATH="/entitlement" + # 0. if hermetic=true, skip all subscription related stuff # 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key. # 2. Activation-keys will be used when the key 'org' exists in the activation key secret. # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.
@@ -441,7 +442,7 @@ spec: # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced # container. - if [ -e /activation-key/org ]; then + if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key mkdir -p /shared/rhsm/etc/pki/entitlement mkdir -p /shared/rhsm/etc/pki/consumer
@@ -465,8 +466,7 @@ spec: VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z) fi - # was: if [ -d "$ACTIVATION_KEY_PATH" ]; then - elif find /entitlement -name "*.pem" >>null; then + elif [ "${HERMETIC}" != "true" ] && find /entitlement -name "*.pem" >>null; then cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement) echo "Adding the entitlement to the build"
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
index c9650451b3..b33515659b 100644
--- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
+++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
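Review bot: In the rewritten `elif` of the third hunk, `find /entitlement -name "*.pem" >>null` exits 0 whenever `/entitlement` is readable, whether or not any `.pem` file exists, and it appends find's output to a file literally named `null` in the working directory; the new HERMETIC guard does not change that, so a mounted-but-empty entitlement secret still takes the entitlement branch. The test should look at find's output rather than its exit status, e.g. `elif [ "${HERMETIC}" != "true" ] && [ -n "$(find /entitlement -name '*.pem' 2>/dev/null)" ]; then`. The same rewritten line appears in buildah-remote-oci-ta, buildah-remote and buildah (the latter two spell it `>> null`), so the fix applies to all four. Where HERMETIC is populated is outside these hunks; if the step runs under `set -u` and the variable is ever absent, both new tests would abort the script instead of falling through, which is worth confirming against the step's env block. The enclosing script starts and ends outside the hunks.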
@@ -467,6 +467,7 @@ spec: ACTIVATION_KEY_PATH="/activation-key" ENTITLEMENT_PATH="/entitlement" + # 0. if hermetic=true, skip all subscription related stuff # 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key. # 2. Activation-keys will be used when the key 'org' exists in the activation key secret. # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.
@@ -475,7 +476,7 @@ spec: # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced # container. - if [ -e /activation-key/org ]; then + if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key mkdir -p /shared/rhsm/etc/pki/entitlement mkdir -p /shared/rhsm/etc/pki/consumer
@@ -499,8 +500,7 @@ spec: VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z) fi - # was: if [ -d "$ACTIVATION_KEY_PATH" ]; then - elif find /entitlement -name "*.pem" >>null; then + elif [ "${HERMETIC}" != "true" ] && find /entitlement -name "*.pem" >>null; then cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement) echo "Adding the entitlement to the build"
diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml
index e4362df69a..1fac1f5c27 100644
--- a/task/buildah-remote/0.2/buildah-remote.yaml
+++ b/task/buildah-remote/0.2/buildah-remote.yaml
@@ -444,7 +444,7 @@ spec: ACTIVATION_KEY_PATH="/activation-key" ENTITLEMENT_PATH="/entitlement" - + # 0. if hermetic=true, skip all subscription related stuff # 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key. # 2. Activation-keys will be used when the key 'org' exists in the activation key secret. # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.
@@ -453,7 +453,7 @@ spec: # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced # container. - if [ -e /activation-key/org ]; then + if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key mkdir -p /shared/rhsm/etc/pki/entitlement mkdir -p /shared/rhsm/etc/pki/consumer
@@ -463,7 +463,6 @@ spec: -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z) echo "Adding activation key to the build" - if ! grep -E "^[^#]*subscription-manager.[^#]*register" "$dockerfile_path"; then # user is not running registration in the Containerfile: pre-register. echo "Pre-registering with subscription manager."
@@ -478,8 +477,7 @@ spec: VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z) fi - # was: if [ -d "$ACTIVATION_KEY_PATH" ]; then - elif find /entitlement -name "*.pem" >> null; then + elif [ "${HERMETIC}" != "true" ] && find /entitlement -name "*.pem" >> null; then cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement) echo "Adding the entitlement to the build"
diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml
index 53c0896edf..ebe4c5d4e0 100644
--- a/task/buildah/0.2/buildah.yaml
+++ b/task/buildah/0.2/buildah.yaml
@@ -365,7 +365,7 @@ spec: ACTIVATION_KEY_PATH="/activation-key" ENTITLEMENT_PATH="/entitlement" - + # 0. if hermetic=true, skip all subscription related stuff # 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key. # 2. Activation-keys will be used when the key 'org' exists in the activation key secret. # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.
@@ -374,7 +374,7 @@ spec: # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced # container. - if [ -e /activation-key/org ]; then + if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key mkdir -p /shared/rhsm/etc/pki/entitlement mkdir -p /shared/rhsm/etc/pki/consumer
@@ -384,7 +384,6 @@ spec: -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z) echo "Adding activation key to the build" - if ! grep -E "^[^#]*subscription-manager.[^#]*register" "$dockerfile_path"; then # user is not running registration in the Containerfile: pre-register. echo "Pre-registering with subscription manager."
@@ -399,8 +398,7 @@ spec: VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z) fi - # was: if [ -d "$ACTIVATION_KEY_PATH" ]; then - elif find /entitlement -name "*.pem" >> null; then + elif [ "${HERMETIC}" != "true" ] && find /entitlement -name "*.pem" >> null; then cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement) echo "Adding the entitlement to the build"
diff --git a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml
index f66ecd5483..f9f33ff6a3 100644
--- a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml
+++ b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml
@@ -21,7 +21,7 @@ spec: description: Directory to write the result .repo files. steps: - name: generate-odcs-compose - image: quay.io/redhat-appstudio/tools@sha256:49f776c18b06cd7343103652106336c27d116dd367a7d5a2538aab0f40656d27 + image: quay.io/redhat-appstudio/tools@sha256:a66737d174ecf43a95e29670bbc6a5598d2279a087eb3624e32bf0b0b62011d7 env: - name: CLIENT_ID valueFrom:
diff --git a/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml
index 22cf661cdb..63a7140304 100644
--- a/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml
+++ b/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml
@@ -21,7 +21,7 @@ spec: description: Directory to write the result .repo files. steps: - name: generate-odcs-compose - image: quay.io/redhat-appstudio/tools@sha256:49f776c18b06cd7343103652106336c27d116dd367a7d5a2538aab0f40656d27 + image: quay.io/redhat-appstudio/tools@sha256:a66737d174ecf43a95e29670bbc6a5598d2279a087eb3624e32bf0b0b62011d7 env: - name: CLIENT_ID valueFrom:
diff --git a/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml b/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml
index d9d7234b00..161997edc3 100644
--- a/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml
+++ b/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml
@@ -48,7 +48,7 @@ spec: optional: true steps: - name: rpms-signature-scan - image: quay.io/redhat-appstudio/tools@sha256:49f776c18b06cd7343103652106336c27d116dd367a7d5a2538aab0f40656d27 + image: quay.io/redhat-appstudio/tools@sha256:a66737d174ecf43a95e29670bbc6a5598d2279a087eb3624e32bf0b0b62011d7 volumeMounts: - name: workdir mountPath: "$(params.workdir)"
diff --git a/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml b/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml
index dd7211ed36..ba99ad91bb 100644
--- a/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml
+++ b/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml
@@ -44,7 +44,7 @@ spec: optional: true steps: - name: rpms-signature-scan - image: quay.io/redhat-appstudio/tools@sha256:49f776c18b06cd7343103652106336c27d116dd367a7d5a2538aab0f40656d27 + image: quay.io/redhat-appstudio/tools@sha256:a66737d174ecf43a95e29670bbc6a5598d2279a087eb3624e32bf0b0b62011d7 volumeMounts: - name: workdir mountPath: "$(params.workdir)"