diff --git a/.github/workflows/check-task-owners.yaml b/.github/workflows/check-task-owners.yaml index fe2685b207..9a12930019 100644 --- a/.github/workflows/check-task-owners.yaml +++ b/.github/workflows/check-task-owners.yaml @@ -13,3 +13,22 @@ jobs: - name: Check task owners run: | ./hack/check-task-owners.sh + + - name: Check renovate.json groups + run: | + #!/bin/bash + set -euo pipefail + + renovate_content=$(cat renovate.json) + ./hack/update_renovate_json_based_on_codeowners.py -o renovate.json + + uptodate=$(jq --argjson previous "$renovate_content" '$previous == .' renovate.json) + echo "renovate.json is up to date: $uptodate" + + if [[ $uptodate == false ]]; then + echo + git --no-pager diff -- renovate.json + echo + echo "To apply the updates, run: ./hack/update_renovate_json_based_on_codeowners.py -o renovate.json" + exit 1 + fi diff --git a/.github/workflows/go-ci.yaml b/.github/workflows/go-ci.yaml index cab004a2b1..5148aa6ad1 100644 --- a/.github/workflows/go-ci.yaml +++ b/.github/workflows/go-ci.yaml @@ -18,7 +18,7 @@ jobs: go-version-file: './${{matrix.path}}/go.mod' cache-dependency-path: ./${{matrix.path}}/go.sum - name: golangci-lint - uses: golangci/golangci-lint-action@9e66d46e22c9991dbf33ddab82b6b28b69052dec + uses: golangci/golangci-lint-action@0e1fd32b0c0584f0d28eec08848dfd2bf6a909d9 with: working-directory: ${{matrix.path}} args: "--timeout=10m --build-tags='normal periodic'" @@ -84,7 +84,7 @@ jobs: # we let the report trigger content trigger a failure using the GitHub Security features. args: '-tags normal,periodic -no-fail -fmt sarif -out results.sarif ${{matrix.path}}/...' - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@978ed829bdde7389737ac17d6b144aeed5f9bdad + uses: github/codeql-action/upload-sarif@6f9e628e6f9a18c785dd746325ba455111df1b67 with: # Path to SARIF file relative to the root of the repository sarif_file: results.sarif 
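Review bot: The `#!/bin/bash` line at the top of the new `Check renovate.json groups` step does not choose the interpreter — GitHub Actions runs a `run:` script with the step's `shell:` (default `bash -e {0}` on Linux), so the shebang is only a comment. Either drop it or state the intent with `shell: bash` on the step, which also makes explicit that the `[[ ... ]]` test and `set -euo pipefail` depend on bash. The rest of the step is sound: `jq --argjson` rejects a malformed `renovate.json` before the comparison, and the failure path prints the diff and the exact command to regenerate the file.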
diff --git a/.github/workflows/run-task-tests.yaml b/.github/workflows/run-task-tests.yaml
index f7937dfaeb..21d276cc00 100644
--- a/.github/workflows/run-task-tests.yaml
+++ b/.github/workflows/run-task-tests.yaml
@@ -9,84 +9,105 @@ name: Run Task Tests jobs: run-task-tests: - runs-on: ubuntu-22.04 - # Skipping it temporarily till we fix this workflow - if: false + runs-on: ubuntu-24.04 steps: - name: Get all changed files in the PR from task directory id: changed-dirs uses: tj-actions/changed-files@v45 with: files: | - task/** + # Any task yaml or script (including its tests) is changed + task/**/*.{yaml,sh} dir_names: "true" dir_names_max_depth: "3" - name: Checkout build-defintions Repository if: steps.changed-dirs.outputs.any_changed == 'true' - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: "${{ github.event.pull_request.head.sha }}" path: build-definitions - - name: Install tkn + - name: Check if tests dir exists for all the tasks changed if: steps.changed-dirs.outputs.any_changed == 'true' + id: tasks-to-be-tested + env: + CHANGED_DIRS: ${{ steps.changed-dirs.outputs.all_changed_files }} + run: | + echo "Task Dirs changed in PR: ${CHANGED_DIRS}" + # Check if tests dir exists under each task dir + TASKS_TO_BE_TESTED=() + for TASK_DIR in ${CHANGED_DIRS}; do + TESTS_DIR=build-definitions/${TASK_DIR}/tests + if [ ! 
-d $TESTS_DIR ]; then + echo "INFO: tests dir does not exist: $TESTS_DIR" + continue + else + echo "INFO: tests dir exists for task: $TASK_DIR" + TASKS_TO_BE_TESTED+=("$TASK_DIR") + fi + done + echo "Tasks with tests: ${TASKS_TO_BE_TESTED[*]}" + echo "tasklist=${TASKS_TO_BE_TESTED[*]}" >> $GITHUB_OUTPUT + + - name: Install tkn + if: steps.tasks-to-be-tested.outputs.tasklist != '' uses: ./build-definitions/.github/actions/install-tkn - name: Checkout konflux-ci/konflux-ci Repository - if: steps.changed-dirs.outputs.any_changed == 'true' - uses: actions/checkout@v3 + if: steps.tasks-to-be-tested.outputs.tasklist != '' + uses: actions/checkout@v4 with: repository: 'konflux-ci/konflux-ci' path: konflux-ci - ref: c4630e684e81f71bfd920fff0c9bb2956d3265f4 + ref: 13c9f7f0f90d615249c8d4d67a18c919b7bb3d95 - name: Create k8s Kind Cluster - if: steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' uses: helm/kind-action@v1 with: config: konflux-ci/kind-config.yaml - name: Show version information - if: steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' run: | kubectl version kind version - name: Deploying Dependencies - if: steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' run: | cd $GITHUB_WORKSPACE/konflux-ci ./deploy-deps.sh - name: Wait for the dependencies to be ready - if: steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' run: | cd $GITHUB_WORKSPACE/konflux-ci ./wait-for-all.sh - name: Deploying Konflux - if: steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' run: | cd $GITHUB_WORKSPACE/konflux-ci ./deploy-konflux.sh - name: List namespaces - if: steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' run: | kubectl get namespace - name: Deploy test resources - if: 
steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' run: | cd $GITHUB_WORKSPACE/konflux-ci ./deploy-test-resources.sh - name: Run the task tests - if: steps.changed-dirs.outputs.any_changed == 'true' + if: steps.tasks-to-be-tested.outputs.tasklist != '' env: - CHANGED_DIRS: ${{ steps.changed-dirs.outputs.all_changed_files }} + TASK_LIST: ${{ steps.tasks-to-be-tested.outputs.tasklist }} run: | - echo "Task Dirs changed in PR: ${CHANGED_DIRS}" + echo "Tasks to be tested: ${TASK_LIST}" cd $GITHUB_WORKSPACE/build-definitions - ./.github/scripts/test_tekton_tasks.sh ${CHANGED_DIRS} + ./.github/scripts/test_tekton_tasks.sh ${TASK_LIST} diff --git a/.tekton/pull-request.yaml b/.tekton/pull-request.yaml index 9e4183bcd4..887babd11c 100644 --- a/.tekton/pull-request.yaml +++ b/.tekton/pull-request.yaml @@ -36,6 +36,27 @@ spec: value: $(params.revision) - name: depth value: "0" + - name: build-appstudio-utils + runAfter: + - fetch-repository + params: + - name: IMAGE + value: quay.io/konflux-ci/pull-request-builds:appstudio-utils-{{revision}} + - name: CONTEXT + value: appstudio-utils + taskRef: + name: buildah + workspaces: + - name: source + workspace: workspace + - name: sast-snyk-check + runAfter: + - fetch-repository + taskRef: + name: sast-snyk-check + workspaces: + - name: workspace + workspace: workspace - name: task-switchboard taskRef: name: task-switchboard 
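Review bot: In the new `Check if tests dir exists for all the tasks changed` step, `$TESTS_DIR` and `$GITHUB_OUTPUT` are expanded unquoted; a changed directory name containing whitespace would turn `[ ! -d $TESTS_DIR ]` into a `too many arguments` error and abort the step under the default `bash -e`. Quote both: `if [ ! -d "$TESTS_DIR" ]; then` and `echo "tasklist=${TASKS_TO_BE_TESTED[*]}" >> "$GITHUB_OUTPUT"`. Passing the changed-files output through `env:` rather than interpolating it into `run:` is the right pattern and should be kept; `TASK_LIST` in the final step is deliberately word-split into positional arguments, which is fine as long as `test_tekton_tasks.sh` expects that. The job's trigger is outside the hunk, so the safety of checking out `github.event.pull_request.head.sha` (appropriate for `pull_request`, not for `pull_request_target`) cannot be confirmed here.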
@@ -48,7 +69,12 @@ spec: value: - tasks := strings.any_prefix_match(input, ["task/", "hack/", ".tekton/"]) - tasks_pipelines := strings.any_prefix_match(input, ["task/", "pipelines/", "hack/", ".tekton/"]) - - e2e_tests := strings.any_prefix_match(input, ["task/", "pipelines/", "hack/", ".tekton/"]) + - | + e2e_tests if { + some file in input + strings.any_prefix_match(file, ["task/", "pipelines/", "hack/", ".tekton/"]) + not endswith(file, "/OWNERS") + } - check_partner_tasks := strings.any_prefix_match(input, ["partners/", "hack/", ".tekton/"]) runAfter: - build-appstudio-utils @@ -58,20 +84,12 @@ spec: operator: "in" values: ["$(tasks.task-switchboard.results.bindings[*])"] runAfter: - - fetch-repository + - task-switchboard taskRef: name: task-lint workspaces: - name: shared-workspace workspace: workspace - - name: sast-snyk-check - runAfter: - - fetch-repository - taskRef: - name: sast-snyk-check - workspaces: - - name: workspace - workspace: workspace - name: sast-unicode-check runAfter: - build-appstudio-utils @@ -80,26 +98,13 @@ spec: workspaces: - name: workspace workspace: workspace - - name: build-appstudio-utils - runAfter: - - fetch-repository - params: - - name: IMAGE - value: quay.io/konflux-ci/pull-request-builds:appstudio-utils-{{revision}} - - name: CONTEXT - value: appstudio-utils - taskRef: - name: buildah - workspaces: - - name: source - workspace: workspace - name: check-partner-tasks when: - input: "check_partner_tasks" operator: "in" values: ["$(tasks.task-switchboard.results.bindings[*])"] runAfter: - - build-appstudio-utils + - task-switchboard taskSpec: steps: - name: check-task-structure @@ -153,6 +158,8 @@ spec: - input: "tasks_pipelines" operator: "in" values: ["$(tasks.task-switchboard.results.bindings[*])"] + runAfter: + - task-switchboard params: - name: revision value: "{{ revision }}" 
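Review bot: The rewritten `e2e_tests` rule uses `if` and `some file in input`, which Rego accepts only when `rego.v1` or the `future.keywords` imports are enabled in the enclosing policy; whether the task-switchboard wrapper does that is not visible in this hunk, so confirm it before relying on the OWNERS exclusion. Assuming the keywords are available, the logic reads correctly: a PR that only touches `*/OWNERS` files under the listed prefixes no longer schedules e2e tests. A short comment above the block, e.g. `# OWNERS-only changes under these prefixes do not need e2e tests`, would explain why this binding diverges from the one-line `tasks_pipelines` rule directly above it.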
@@ -227,33 +234,13 @@ spec: name: e2e-test # Added a timeout due to https://issues.redhat.com/browse/STONEBLD-2265 timeout: "2h" - - name: check-task-pipeline-repo-existence - when: - - input: "tasks_pipelines" - operator: "in" - values: ["$(tasks.task-switchboard.results.bindings[*])"] - runAfter: - - build-bundles - taskSpec: - steps: - - name: fail-when-repo-is-missed - image: quay.io/konflux-ci/pull-request-builds:appstudio-utils-{{revision}} - workingDir: $(workspaces.source.path)/source - script: | - #!/usr/bin/env bash - .tekton/scripts/check-task-pipeline-bundle-repos.sh - workspaces: - - name: source - workspaces: - - name: source - workspace: workspace - name: ec-task-checks when: - input: "tasks_pipelines" operator: "in" values: ["$(tasks.task-switchboard.results.bindings[*])"] runAfter: - - fetch-repository + - task-switchboard taskRef: name: ec-checks workspaces: @@ -265,7 +252,7 @@ spec: operator: "in" values: ["$(tasks.task-switchboard.results.bindings[*])"] runAfter: - - fetch-repository + - task-switchboard taskSpec: steps: - name: check-task-migration-md diff --git a/.tekton/push.yaml b/.tekton/push.yaml index 3ad2aa839c..e8cca52499 100644 --- a/.tekton/push.yaml +++ b/.tekton/push.yaml @@ -176,6 +176,29 @@ spec: workspaces: - name: source + - name: create-repositories-if-missing + runAfter: + - build-bundles + taskSpec: + steps: + - name: run-create-bundle-repos + image: quay.io/konflux-ci/pull-request-builds:appstudio-utils-{{revision}} + workingDir: $(workspaces.source.path)/source + script: | + #!/usr/bin/env bash + .tekton/scripts/create-task-pipeline-bundle-repos.sh + env: + - name: QUAY_TOKEN + valueFrom: + secretKeyRef: + name: konflux-ci-repo-creator + key: quaytoken + workspaces: + - name: source + workspaces: + - name: source + workspace: workspace + - name: update-infra-repo runAfter: - build-bundles 
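Review bot: The new `create-repositories-if-missing` task in `.tekton/push.yaml` gives `QUAY_TOKEN` from the `konflux-ci-repo-creator` secret to a script taken from the checked-out source and has no `when:` guard, so the token is mounted on every push after `build-bundles`, including pushes that touch no task or pipeline. That is a reasonable trust boundary for a post-merge pipeline, but the token should be limited to creating repositories in the single namespace the script probes (`konflux-ci/tekton-catalog`); that scope cannot be verified from the page. Because the PR-time `check-task-pipeline-repo-existence` task is removed in the same commit, a missing repository is now surfaced only at push time, which deserves a comment above the task such as `# Bundle repos are created here on push; the PR pipeline no longer checks for them`.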
diff --git a/.tekton/scripts/check-task-pipeline-bundle-repos.sh b/.tekton/scripts/check-task-pipeline-bundle-repos.sh
deleted file mode 100755
index 74e3f3eaad..0000000000
--- a/.tekton/scripts/check-task-pipeline-bundle-repos.sh
+++ /dev/null
@@ -1,74 +0,0 @@ -#!/usr/bin/bash - -set -o errexit -set -o pipefail -set -o nounset - -SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" -cd "$SCRIPTDIR/../.." - -CATALOG_NAMESPACES=( - konflux-ci/tekton-catalog -) - -locate_bundle_repo() { - local -r quay_namespace="$1" - local -r type="$2" - local -r object="$3" - - curl -I -s -L -w "%{http_code}\n" -o /dev/null "https://quay.io/v2/${quay_namespace}/${type}-${object}/tags/list" -} - -locate_in_all_namespaces() { - local -r type="$1" - local -r object="$2" - - local rc=0 - - for quay_namespace in "${CATALOG_NAMESPACES[@]}"; do - found=$(locate_bundle_repo "$quay_namespace" "$type" "$object") - if [ "$found" != "200" ]; then - echo "Missing $type bundle repo: ${quay_namespace}/${type}-${object}" - rc=1 - fi - done - - return "$rc" -} - -has_missing_repo= - -echo "Checking existence of task and pipeline bundle repositories ..." - -# tasks -for task_dir in $(find task/*/*/ -maxdepth 0 -type d); do - if [ ! -f $task_dir/kustomization.yaml ]; then - # expected structure: task/${name}/${version}/${name}.yaml - task_name=$(basename "$(dirname "$task_dir")") - task_name=$(yq < "$task_dir/$task_name.yaml" .metadata.name) - else - task_name=$(oc kustomize "$task_dir" | yq .metadata.name) - fi - - if ! locate_in_all_namespaces task "$task_name"; then - has_missing_repo=yes - fi -done - -# pipelines -pl_names=($(oc kustomize pipelines/ | yq -o json '.metadata.name' | jq -r)) -# Currently, only one pipeline for core services CI -pl_names+=($(oc kustomize pipelines/core-services/ | yq -o json '"core-services-" + .metadata.name' | jq -r)) -for pl_name in ${pl_names[@]}; do - if ! locate_in_all_namespaces pipeline "$pl_name"; then - has_missing_repo=yes - fi -done - -if [ -n "$has_missing_repo" ]; then - echo "Please contact Build team - #forum-konflux-build that the missing repos should be created in:" - echo "- https://quay.io/organization/konflux-ci" - exit 1 -else - echo "Done" -fi 
diff --git a/.tekton/scripts/create-task-pipeline-bundle-repos.sh b/.tekton/scripts/create-task-pipeline-bundle-repos.sh
new file mode 100755
index 0000000000..8e7fd590d0
--- /dev/null
+++ b/.tekton/scripts/create-task-pipeline-bundle-repos.sh
@@ -0,0 +1,97 @@ +#!/usr/bin/bash + +set -o errexit +set -o pipefail +set -o nounset + +SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )" +cd "$SCRIPTDIR/../.." + +CATALOG_NAMESPACES=( + konflux-ci/tekton-catalog +) + +locate_bundle_repo() { + local -r quay_namespace="$1" + local -r type="$2" + local -r object="$3" + + curl -I -s -L -w "%{http_code}\n" -o /dev/null "https://quay.io/v2/${quay_namespace}/${type}-${object}/tags/list" +} + +locate_in_all_namespaces() { + local -r type="$1" + local -r object="$2" + + for quay_namespace in "${CATALOG_NAMESPACES[@]}"; do + found=$(locate_bundle_repo "$quay_namespace" "$type" "$object") + + # konflux-ci/tekton-catalog + if [[ $quay_namespace = */* ]]; then + # tekton-catalog/ + quay_repo_prefix="${quay_namespace#*/}/" + # konflux-ci + quay_namespace=${quay_namespace%%/*} + else + quay_repo_prefix="" + fi + + echo "Checking ${quay_namespace}/${quay_repo_prefix}${object}, http code: ${found}" + if [ "$found" != "200" ]; then + echo "Missing $type bundle repo: ${quay_repo_prefix}${object} in ${quay_namespace}, creating..." + payload=$( + jq -n \ + --arg namespace "$quay_namespace" \ + --arg repository "$quay_repo_prefix$object" \ + --arg visibility "public" \ + --arg description "" \ + '$ARGS.named' + ) + if ! err_msg=$(curl --oauth2-bearer "${QUAY_TOKEN}" "https://quay.io/api/v1/repository" --json "$payload" | jq '.error_message // empty'); + then + echo "curl returned an error when creating the repository. See the error above." + exit 1 + fi + + if [ -n "$err_msg" ]; then + echo "Quay returned an error when creating the repository: ${err_msg}" + exit 1 + fi + fi + done +} + +echo "Checking existence of task bundle repositories..." +echo + +# tasks +while IFS= read -r -d '' task_dir +do + if [ ! 
-f "$task_dir"/kustomization.yaml ]; then + # expected structure: task/${name}/${version}/${name}.yaml + task_name=$(basename "$(dirname "$task_dir")") + task_name=$(yq < "$task_dir/$task_name.yaml" .metadata.name) + else + task_name=$(oc kustomize "$task_dir" | yq .metadata.name) + fi + + locate_in_all_namespaces task "$task_name" +done < <(find task/*/*/ -maxdepth 0 -type d -print0) + +echo +echo "Checking existence of pipeline bundle repositories..." +echo + +# pipelines +pl_names=() +# Split by newlines into an array +while IFS=$'\n' read -r line; + do pl_names+=("$line"); +done <<<"$(oc kustomize pipelines/ | yq -o json '.metadata.name' | jq -r)" + +# Currently, only one pipeline for core services CI +pl_names+=("$(oc kustomize pipelines/core-services/ | yq -o json '"core-services-" + .metadata.name' | jq -r)") +for pl_name in "${pl_names[@]}"; do + echo "Checking pipeline: ${pl_name}" + locate_in_all_namespaces pipeline "$pl_name" +done diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml index 9dce078405..99a2007a6f 100644 --- a/.tekton/tasks/ec-checks.yaml +++ b/.tekton/tasks/ec-checks.yaml @@ -37,7 +37,7 @@ spec: stepactions_dir stepactions-ec - name: validate-all-tasks workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:ccbf00aee7d4af1f78ba66aa04b0899b7e770dea44f6df0a1aa0a9a12529e9fe + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:b854a575632fb1a7d1cc72ad250e82c120900f00600c16b89d4b08ebcf5a7235 script: | set -euo pipefail @@ -51,7 +51,7 @@ spec: ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]} - name: validate-build-tasks workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:ccbf00aee7d4af1f78ba66aa04b0899b7e770dea44f6df0a1aa0a9a12529e9fe + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:b854a575632fb1a7d1cc72ad250e82c120900f00600c16b89d4b08ebcf5a7235 script: | set -euo pipefail 
@@ -65,7 +65,7 @@ spec: ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]} - name: validate-step-actions workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:ccbf00aee7d4af1f78ba66aa04b0899b7e770dea44f6df0a1aa0a9a12529e9fe + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:b854a575632fb1a7d1cc72ad250e82c120900f00600c16b89d4b08ebcf5a7235 script: | #!/bin/bash set -euo pipefail diff --git a/CODEOWNERS b/CODEOWNERS new file mode 100644 index 0000000000..3997eb7e29 --- /dev/null +++ b/CODEOWNERS 
@@ -0,0 +1,115 @@ +# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners + +* @konflux-ci/build-maintainers + +# renovate groupName=build +/task/acs-deploy-check @konflux-ci/build-maintainers +/task/acs-image-check @konflux-ci/build-maintainers +/task/acs-image-scan @konflux-ci/build-maintainers +/task/apply-tags @konflux-ci/build-maintainers +/task/build-image-index @konflux-ci/build-maintainers +/task/build-image-manifest @konflux-ci/build-maintainers +/task/buildah @konflux-ci/build-maintainers +/task/buildah-10gb @konflux-ci/build-maintainers +/task/buildah-20gb @konflux-ci/build-maintainers +/task/buildah-24gb @konflux-ci/build-maintainers +/task/buildah-6gb @konflux-ci/build-maintainers +/task/buildah-8gb @konflux-ci/build-maintainers +/task/buildah-min @konflux-ci/build-maintainers +/task/buildah-oci-ta @konflux-ci/build-maintainers +/task/buildah-remote @konflux-ci/build-maintainers +/task/buildah-remote-oci-ta @konflux-ci/build-maintainers +/task/buildah-rhtap @konflux-ci/build-maintainers +/task/download-sbom-from-url-in-attestation @konflux-ci/build-maintainers +/task/gather-deploy-images @konflux-ci/build-maintainers +/task/git-clone @konflux-ci/build-maintainers +/task/git-clone-oci-ta @konflux-ci/build-maintainers +/task/init @konflux-ci/build-maintainers +/task/push-dockerfile @konflux-ci/build-maintainers +/task/push-dockerfile-oci-ta @konflux-ci/build-maintainers +/task/show-sbom @konflux-ci/build-maintainers +/task/show-sbom-rhdh @konflux-ci/build-maintainers +/task/slack-webhook-notification @konflux-ci/build-maintainers +/task/source-build @konflux-ci/build-maintainers +/task/source-build-oci-ta @konflux-ci/build-maintainers +/task/summary @konflux-ci/build-maintainers +/task/update-deployment @konflux-ci/build-maintainers +/task/update-infra-deployments @konflux-ci/build-maintainers +/task/upload-sbom-to-trustification @konflux-ci/build-maintainers + +# renovate 
groupName=build +/task/prefetch-dependencies @konflux-ci/build-maintainers @brunoapimentel @eskultety @taylormadore +/task/prefetch-dependencies-oci-ta @konflux-ci/build-maintainers @brunoapimentel @eskultety @taylormadore + +# renovate groupName=build +/task/generate-labels @konflux-ci/build-maintainers @ralphbean + +# renovate groupName=ec +/task/tkn-bundle @konflux-ci/ec +/task/tkn-bundle-oci-ta @konflux-ci/ec +/task/verify-enterprise-contract @konflux-ci/ec + +# renovate groupName=integration +/task/clair-scan @konflux-ci/integration-service-maintainers +/task/clamav-scan @konflux-ci/integration-service-maintainers +/task/deprecated-image-check @konflux-ci/integration-service-maintainers +/task/fbc-related-image-check @konflux-ci/integration-service-maintainers +/task/fbc-validation @konflux-ci/integration-service-maintainers +/task/inspect-image @konflux-ci/integration-service-maintainers +/task/sbom-json-check @konflux-ci/integration-service-maintainers +/task/validate-fbc @konflux-ci/integration-service-maintainers + +# renovate groupName=integration +/task/coverity-availability-check @konflux-ci/integration-service-maintainers @kdudka +/task/coverity-availability-check-oci-ta @konflux-ci/integration-service-maintainers @kdudka +/task/sast-coverity-check @konflux-ci/integration-service-maintainers @kdudka +/task/sast-coverity-check-oci-ta @konflux-ci/integration-service-maintainers @kdudka +/task/sast-shell-check @konflux-ci/integration-service-maintainers @kdudka +/task/sast-shell-check-oci-ta @konflux-ci/integration-service-maintainers @kdudka +/task/sast-snyk-check @konflux-ci/integration-service-maintainers @kdudka +/task/sast-snyk-check-oci-ta @konflux-ci/integration-service-maintainers @kdudka +/task/sast-unicode-check @konflux-ci/integration-service-maintainers @kdudka +/task/sast-unicode-check-oci-ta @konflux-ci/integration-service-maintainers @kdudka + +# renovate groupName=preflight +/task/ecosystem-cert-preflight-checks @acornett21 @bcrochet 
@komish @skattoju + +# renovate groupName=eaas +/task/provision-env-with-ephemeral-namespace @amisstea @avi-biton @gbenhaim @omeramsc @yftacherzog + +# renovate groupName=rpm-tasks +/task/generate-odcs-compose @amisstea @avi-biton @gbenhaim @yftacherzog +/task/rpms-signature-scan @amisstea @avi-biton @gbenhaim @yftacherzog +/task/verify-signed-rpms @amisstea @avi-biton @gbenhaim @yftacherzog + +# renovate groupName=eaas +/stepactions/eaas-copy-secrets-to-ephemeral-cluster @amisstea @avi-biton @hmariset @omeramsc @yftacherzog +/stepactions/eaas-create-ephemeral-cluster-hypershift-aws @amisstea @avi-biton @hmariset @omeramsc @yftacherzog +/stepactions/eaas-get-ephemeral-cluster-credentials @amisstea @avi-biton @hmariset @omeramsc @yftacherzog +/stepactions/eaas-get-latest-openshift-version-by-prefix @amisstea @avi-biton @hmariset @omeramsc @yftacherzog +/stepactions/eaas-get-supported-ephemeral-cluster-versions @amisstea @avi-biton @hmariset @omeramsc @yftacherzog +/task/eaas-provision-space @amisstea @avi-biton @hmariset @omeramsc @yftacherzog + +# renovate groupName=build-vm-image +/task/build-vm-image @arewm @brianwcook @ralphbean @scoheb + +# renovate groupName=rpm-ostree +/task/rpm-ostree @cgwalters +/task/rpm-ostree-oci-ta @cgwalters + +# renovate groupName=opm +/task/operator-sdk-generate-bundle @gurnben @jbpratt +/task/opm-get-bundle-version @gurnben @jbpratt +/task/opm-render-bundles @gurnben @jbpratt + +# renovate groupName=maven +/task/build-maven-zip @ligangty @yma96 +/task/build-maven-zip-oci-ta @ligangty @yma96 + +# renovate groupName=oci-copy +/task/oci-copy @ralphbean +/task/oci-copy-oci-ta @ralphbean + +# These are auto-generated and often require changes when tasks change. +# Allow anyone with write access to approve the changes. +/pipelines/*/README.md diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES index 0d5c6b3bd1..482cc708f9 100644 --- a/OWNERS_ALIASES +++ b/OWNERS_ALIASES 
@@ -9,9 +9,6 @@ aliases: - tisutisu - tnevrlka - MartinBasti - - eskultety - - brunoapimentel - - taylormadore integration-team: - dirgim - jsztuka diff --git a/hack/check-task-owners.sh b/hack/check-task-owners.sh index 4c31bfe597..2469cf4f05 100755 --- a/hack/check-task-owners.sh +++ b/hack/check-task-owners.sh 
@@ -1,25 +1,37 @@ #!/usr/bin/env bash +set -o errexit -o nounset -o pipefail -check_result=$(mktemp) +shopt -s nullglob -# Check the OWNERS file is present for each task -find task/ -mindepth 1 -maxdepth 1 -type d | \ - while read -r task_dir; do - owners_file="$task_dir/OWNERS" - if [ ! -e "$owners_file" ]; then - echo "error: missing owners file $owners_file" >>"$check_result" - continue - fi - approvers=$(yq '.approvers[]' $owners_file) - reviewers=$(yq '.reviwers[]' $owners_file) - if [ -z "$approvers" ] && [ -z "$reviewers" ]; then - echo "error: $task_dir/OWNERS don't have atleast 1 approver and 1 reviewer" >>"$check_result" +codeowners_to_gitignore() { + # drop comments and the root '*' pattern, extract the pattern from each line + awk '/^[^#]/ && !/^\*\s/ { print $1 }' "$1" +} + +temp_gitignore=$(mktemp --tmpdir "codeowners-gitignore.XXXX") +trap 'rm "$temp_gitignore"' EXIT +codeowners_to_gitignore CODEOWNERS > "$temp_gitignore" + +important_dirs=$( + for f in task/* stepactions/*; do + if [[ -d "$f" ]]; then + echo "$f" fi - done + done | sort +) -if [ -s "$check_result" ]; then - cat "$check_result" - echo "Please add OWNERS file with atleast 1 approver and 1 reviewer" +codeowned_dirs=$( + # CODEOWNERS is roughly a .gitignore file, so check which dirs are "ignored" by CODEOWNERS + echo "$important_dirs" | + git -c "core.excludesFile=$temp_gitignore" check-ignore --no-index --stdin | + sort +) + +missing_owners=$(comm -23 <(echo "$important_dirs") <(echo "$codeowned_dirs")) + +if [[ -n "$missing_owners" ]]; then + echo "Missing CODEOWNERS:" >&2 + # shellcheck disable=SC2001 # can't use ${variable//search/replace} instead + sed 's/^/ /' <<< "$missing_owners" >&2 exit 1 fi - diff --git a/hack/update_renovate_json_based_on_codeowners.py b/hack/update_renovate_json_based_on_codeowners.py new file mode 100755 index 0000000000..97f627705b --- /dev/null +++ b/hack/update_renovate_json_based_on_codeowners.py 
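Review bot: With `set -o errexit -o pipefail` now enabled, the `codeowned_dirs=$(... | git ... check-ignore --no-index --stdin | sort)` assignment aborts the script whenever `git check-ignore` exits 1, which it does when none of the listed paths match a CODEOWNERS pattern — the run would then die with no output instead of printing the `Missing CODEOWNERS:` report. Guard the expected status so only real git errors propagate: `{ git -c "core.excludesFile=$temp_gitignore" check-ignore --no-index --stdin || [ $? -eq 1 ]; } |`. Separately, `\s` in the awk pattern `!/^\*\s/` is a GNU awk extension; `[[:space:]]` is portable to mawk, the default awk on Debian and Ubuntu. The `codeowners_to_gitignore` translation is approximate — CODEOWNERS and .gitignore agree on the anchored `/dir` forms used here — and a comment stating that assumption would help the next editor.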
@@ -0,0 +1,113 @@ +#!/usr/bin/env python +import argparse +import json +import re +from itertools import groupby +from pathlib import Path +from typing import Any, Iterable, Iterator, TypedDict + + +class PackageRule(TypedDict): + groupName: str + matchFileNames: list[str] + + +def get_renovate_packagerules(codeowners_content: str) -> Iterator[PackageRule]: + lines = map(str.strip, codeowners_content.splitlines()) + rules: list[PackageRule] = [] + + for isempty, lines_group in groupby(lines, key=lambda line: not line): + if not isempty and (rule := _process_owner_group(lines_group)): + rules.append(rule) + + rules.sort(key=lambda rule: rule["groupName"]) + + for groupname, rules_group in groupby(rules, key=lambda rule: rule["groupName"]): + merged_patterns = set() + for rule in rules_group: + merged_patterns.update(rule["matchFileNames"]) + yield {"groupName": groupname, "matchFileNames": sorted(merged_patterns)} + + +def _process_owner_group(group: Iterable[str]) -> PackageRule | None: + """Process a group of CODEOWNERS. + + If the group has a '# renovate groupName=' directive, return a packageRules object. + Otherwise, return None. 
+ """ + renovate_directive_pat = re.compile(r"#\s*renovate\s+groupName=(.*)") + + patterns = [] + groupname = None + + for line in group: + if not line.startswith("#"): + pattern, *_ = line.split(maxsplit=1) + patterns.append(pattern) + elif m := renovate_directive_pat.match(line): + groupname = m.group(1) + + if not groupname: + return None + + patterns = list(map(_codeowners_pattern_to_glob_pattern, patterns)) + return {"groupName": groupname, "matchFileNames": patterns} + + + +def _codeowners_pattern_to_glob_pattern(codeowners_pattern: str) -> str: + if codeowners_pattern.startswith("/"): + glob_pattern = codeowners_pattern.lstrip("/") + else: + glob_pattern = f"**/{codeowners_pattern}" + + if not glob_pattern.endswith("**") and any(p.is_dir() for p in Path().glob(glob_pattern)): + glob_pattern += "/**" + + return glob_pattern + + +def merge_to_existing_rules( + existing_rules: Iterable[dict[str, Any]], new_rules: Iterable[PackageRule] +) -> list[dict[str, Any]]: + merged_rules = list(existing_rules) + for new_rule in new_rules: + for i, existing_rule in enumerate(merged_rules): + if existing_rule.get("groupName") == new_rule["groupName"]: + merged_rules[i] = existing_rule | new_rule + break + else: + merged_rules.append(dict(new_rule)) + + return merged_rules + + +def main() -> None: + ap = argparse.ArgumentParser() + ap.add_argument("-o", "--output-file", type=Path) + args = ap.parse_args() + + output_file: Path | None = args.output_file + + codeowners_path = Path("CODEOWNERS") + renovate_json_path = Path("renovate.json") + + codeowners_package_rules = get_renovate_packagerules(codeowners_path.read_text()) + + renovate_json = json.loads(renovate_json_path.read_text()) + + package_rules = merge_to_existing_rules( + renovate_json.get("packageRules", []), + codeowners_package_rules, + ) + + renovate_json["packageRules"] = package_rules + if output_file: + with output_file.open("w") as f: + print(json.dumps(renovate_json, indent=2), file=f) + else: + 
print(json.dumps(renovate_json, indent=2)) + + +if __name__ == "__main__": + main() diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md index 2ba97a681e..ecc2ac3f9f 100644 --- a/pipelines/docker-build-multi-platform-oci-ta/README.md +++ b/pipelines/docker-build-multi-platform-oci-ta/README.md @@ -142,6 +142,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.clone-repository.results.SOURCE_ARTIFACT)'| |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | 
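Review bot: The shebang `#!/usr/bin/env python` fails on hosts that ship only `python3`, and the workflow in this commit invokes the script directly (`./hack/update_renovate_json_based_on_codeowners.py`), so use `#!/usr/bin/env python3`; the `PackageRule | None` and `Path | None` annotations are evaluated at definition time and therefore also pin the script to Python 3.10 or newer, which is worth stating in a module docstring. `_codeowners_pattern_to_glob_pattern` decides whether to append `/**` by globbing the current working directory, so the generated `matchFileNames` depend on running from the repository root with the directories present — a one-line comment there would save the next reader a surprise. `merge_to_existing_rules` never removes a `packageRules` entry whose group has disappeared from CODEOWNERS; if that is intentional it deserves a sentence in its docstring.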
@@ -183,8 +184,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### sast-shell-check-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -252,9 +253,9 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob 
digest to enable digest-based verification from provenance| | ### buildah-remote-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index e08c152e2d..f9b3f8b35f 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md @@ -139,6 +139,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.clone-repository.results.SOURCE_ARTIFACT)'| |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | 
@@ -180,8 +181,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### sast-shell-check-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -249,16 +250,16 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob 
digest to enable digest-based verification from provenance| | ### buildah-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest| +|IMAGE_DIGEST| Digest of the image just built| | |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index b7fb2d5e6e..bf5f15cf5d 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md @@ -136,6 +136,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ### prefetch-dependencies:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |config-file-content| Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | 
@@ -171,8 +172,8 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### sast-shell-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -239,16 +240,16 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.3:image-digest ; clamav-scan:0.2:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.3:image-url ; clamav-scan:0.2:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob 
digest to enable digest-based verification from provenance| | ### buildah:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest| +|IMAGE_DIGEST| Digest of the image just built| | |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | diff --git a/pipelines/enterprise-contract.yaml b/pipelines/enterprise-contract.yaml index c3b235ae87..1b96df8aaa 100644 --- a/pipelines/enterprise-contract.yaml +++ b/pipelines/enterprise-contract.yaml @@ -114,7 +114,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:f6fb0800d707b7eb6f3ccfc0026c39bb3a5b944aa1ecacc7d8de6cb2fa1a67a6 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:9333e2fbd30a219124a2eed1c270c55b79e6fb18a2abc3bcb4c6275d6c721919 - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/fbc-builder/README.md b/pipelines/fbc-builder/README.md index 8eaa61f29e..42226f6f51 100644 --- a/pipelines/fbc-builder/README.md +++ b/pipelines/fbc-builder/README.md 
@@ -7,15 +7,18 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ## Parameters |name|description|default value|used in (taskname:taskrefversion:taskparam)| |---|---|---|---| -|build-image-index| Add built image into an OCI image index| false| build-image-index:0.1:ALWAYS_BUILD_INDEX| +|build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-images:0.2:BUILD_ARGS| +|build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-images:0.2:BUILD_ARGS_FILE| +|build-image-index| Add built image into an OCI image index| true| build-image-index:0.1:ALWAYS_BUILD_INDEX| +|build-platforms| List of platforms to build the container images on. The available set of values is determined by the configuration of the multi-platform-controller.| ['linux/x86_64']| | |build-source-image| Build a source image.| false| | -|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.2:DOCKERFILE| +|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-images:0.2:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| -|hermetic| Execute the build with network isolation| true| build-container:0.2:HERMETIC| -|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.2:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| -|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.2:IMAGE ; build-image-index:0.1:IMAGE| -|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.2:CONTEXT| -|prefetch-input| Build dependencies to be prefetched by Cachi2| | | +|hermetic| Execute the build with 
network isolation| true| build-images:0.2:HERMETIC| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | clone-repository:0.1:ociArtifactExpiresAfter ; prefetch-dependencies:0.1:ociArtifactExpiresAfter ; build-images:0.2:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| +|output-image| Fully Qualified Output Image| None| init:0.2:image-url ; clone-repository:0.1:ociStorage ; prefetch-dependencies:0.1:ociStorage ; build-images:0.2:IMAGE ; build-image-index:0.1:IMAGE| +|path-context| Path to the source code of an application's component from where to build image.| .| build-images:0.2:CONTEXT| +|prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input ; build-images:0.2:PREFETCH_INPUT| |rebuild| Force rebuild image| false| init:0.2:rebuild| |revision| Revision of the Source Repository| | clone-repository:0.1:revision| |skip-checks| Skip checks against built image| false| init:0.2:skip-checks| 
@@ -34,28 +37,32 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |ALWAYS_BUILD_INDEX| Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.| true| '$(params.build-image-index)'| |COMMIT_SHA| The commit the image is built from.| | '$(tasks.clone-repository.results.commit)'| |IMAGE| The target image and tag where the image will be pushed to.| None| '$(params.output-image)'| -|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)']'| +|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-images.results.IMAGE_REF[*])']'| |IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. 
Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| |STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | |TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | -### buildah:0.2 task parameters +### buildah-remote-oci-ta:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| |ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |ADDITIONAL_SECRET| Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET| does-not-exist| | |ADD_CAPABILITIES| Comma separated list of extra capabilities to add when running 'buildah build'| | | -|BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| | -|BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | | +|BUILD_ARGS| Array of --build-arg values ("arg=value" strings)| []| '['$(params.build-args[*])']'| +|BUILD_ARGS_FILE| Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file| | '$(params.build-args-file)'| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| |COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'| |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| |DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'| |ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| | |HERMETIC| Determines if build will be executed without network access.| false| '$(params.hermetic)'| |IMAGE| Reference of the image buildah will produce.| None| '$(params.output-image)'| +|IMAGE_APPEND_PLATFORM| Whether to append 
a sanitized platform architecture on the IMAGE tag| false| 'true'| |IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| |LABELS| Additional key=value labels that should be applied to the image| []| | -|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | | +|PLATFORM| The platform to build on| None| | +|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| |SKIP_UNUSED_STAGES| Whether to skip stages in Containerfile that seem unused by subsequent stages| true| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |SQUASH| Squash all new and previous layers added as a part of this build, as per --squash| false| | |STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | |TARGET_STAGE| Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.| | | 
@@ -75,25 +82,24 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | |POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | -### git-clone:0.1 task parameters +### git-clone-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|deleteExisting| Clean out the contents of the destination directory if it already exists before cloning.| true| | |depth| Perform a shallow clone, fetching only the most recent N commits.| 1| | |enableSymlinkCheck| Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true| | |fetchTags| Fetch all tags for the repo.| false| | -|gitInitImage| Deprecated. Has no effect. Will be removed in the future.| | | |httpProxy| HTTP proxy server for non-SSL requests.| | | |httpsProxy| HTTPS proxy server for SSL requests.| | | |noProxy| Opt out of proxying HTTP/HTTPS requests.| | | +|ociArtifactExpiresAfter| Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.| | '$(params.image-expires-after)'| +|ociStorage| The OCI repository where the Trusted Artifacts are stored.| None| '$(params.output-image).git'| |refspec| Refspec to fetch before checking out revision.| | | |revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| |shortCommitLength| Length of short commit SHA| 7| | |sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | |sslVerify| Set the `http.sslVerify` global git config. 
Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | -|subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| | |submodules| Initialize and fetch git submodules.| true| | |url| Repository URL to clone from.| None| '$(params.git-url)'| |userHome| Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. | /tekton/home| | 
@@ -104,6 +110,19 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| |rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| |skip-checks| Skip checks against built image| false| '$(params.skip-checks)'| +### prefetch-dependencies-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.clone-repository.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|config-file-content| Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | +|dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false| | +|input| Configures project packages that will have their dependencies prefetched.| None| '$(params.prefetch-input)'| +|log-level| Set cachi2 log level (debug, info, warning, error)| info| | +|ociArtifactExpiresAfter| Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.| | '$(params.image-expires-after)'| +|ociStorage| The OCI repository where the Trusted Artifacts are stored.| None| '$(params.output-image).prefetch'| ### show-sbom:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -111,13 +130,6 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | -### summary:0.2 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-image-index.status)'| -|git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| -|image-url| Image URL| None| '$(params.output-image)'| -|pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| ### validate-fbc:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -140,12 +152,12 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | |IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; apply-tags:0.1:IMAGE ; validate-fbc:0.1:IMAGE_URL| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | -### buildah:0.2 task results +### buildah-remote-oci-ta:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGE_DIGEST| Digest of the image just built| | -|IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES| +|IMAGE_REF| Image reference of the built image| build-image-index:0.1:IMAGES| +|IMAGE_URL| Image repository and tag where the built image was pushed| | |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | 
@@ -154,19 +166,25 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito |---|---|---| |IMAGES_PROCESSED| Images processed in the task.| | |TEST_OUTPUT| Tekton task test output.| | -### git-clone:0.1 task results +### git-clone-oci-ta:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |CHAINS-GIT_COMMIT| The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.| | |CHAINS-GIT_URL| The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.| | -|commit| The precise commit SHA that was fetched by this Task.| build-container:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| prefetch-dependencies:0.1:SOURCE_ARTIFACT| +|commit| The precise commit SHA that was fetched by this Task.| build-images:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | |short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | -|url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| +|url| The precise URL that was fetched by this Task.| | ### init:0.2 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |build| Defines if the image in param image-url should be built| | +### prefetch-dependencies-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-images:0.2:CACHI2_ARTIFACT| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| build-images:0.2:SOURCE_ARTIFACT| ### validate-fbc:0.1 task results 
|name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| 
@@ -178,21 +196,16 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito ## Workspaces |name|description|optional|used in tasks |---|---|---|---| -|git-auth| |True| clone-repository:0.1:basic-auth| -|netrc| |True| | -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; build-container:0.2:source| +|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| +|netrc| |True| prefetch-dependencies:0.1:netrc| ## Available workspaces from tasks -### buildah:0.2 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|source| Workspace containing the source code to build.| False| workspace| -### git-clone:0.1 task workspaces +### git-clone-oci-ta:0.1 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| |basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth| -|output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace| |ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| | -### summary:0.2 task workspaces +### prefetch-dependencies-oci-ta:0.1 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| -|workspace| The workspace where source code is included.| True| workspace| +|git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. 
These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True| git-auth| +|netrc| Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True| netrc| diff --git a/pipelines/fbc-builder/kustomization.yaml b/pipelines/fbc-builder/kustomization.yaml index 64f7ba8a8b..f5c1a4cfe3 100644 --- a/pipelines/fbc-builder/kustomization.yaml +++ b/pipelines/fbc-builder/kustomization.yaml @@ -1,7 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ../template-build +- ../docker-build-multi-platform-oci-ta patches: - path: patch.yaml diff --git a/pipelines/fbc-builder/patch.yaml b/pipelines/fbc-builder/patch.yaml index 1366d1d2a1..670b45f63d 100644 --- a/pipelines/fbc-builder/patch.yaml +++ b/pipelines/fbc-builder/patch.yaml 
@@ -15,35 +15,32 @@ "pipelines.openshift.io/used-by": "build-cloud" "pipelines.openshift.io/runtime": "fbc" "pipelines.openshift.io/strategy": "fbc" +# Customize parameters +# $ kustomize build pipelines/docker-build-multi-platform-oci-ta | yq ".spec.params.[].name" | nl -v 0 +# 0 git-url +# 1 revision +# 2 output-image +# 3 path-context +# 4 dockerfile +# 5 rebuild +# 6 skip-checks +# 7 hermetic +# 8 prefetch-input +# 9 image-expires-after +# 10 build-source-image +# 11 build-image-index +# 12 build-args +# 13 build-args-file +# 14 build-platforms - op: replace path: /spec/params/7/default value: "true" -- op: replace - path: /spec/tasks/3/taskRef - value: - name: buildah - version: "0.2" -- op: add - path: /spec/tasks/3/params - value: - - name: IMAGE - value: $(params.output-image) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: IMAGE_EXPIRES_AFTER - value: "$(params.image-expires-after)" - - name: COMMIT_SHA - value: "$(tasks.clone-repository.results.commit)" # Remove tasks -# yq ".spec.tasks.[].name" pipelines/template-build/template-build.yaml | nl -v 0 +# $ kustomize build pipelines/docker-build-multi-platform-oci-ta | yq ".spec.tasks.[].name" | nl -v 0 # 0 init # 1 clone-repository # 2 prefetch-dependencies -# 3 build-container +# 3 build-images # 4 build-image-index # 5 build-source-image # 6 deprecated-base-image-check @@ -83,8 +80,6 @@ path: /spec/tasks/7 # clair-scan - op: remove path: /spec/tasks/5 # build-source-image -- op: remove - path: /spec/tasks/2 # prefetch-dependencies - op: add path: /spec/tasks/- value: diff --git a/pipelines/kustomization.yaml b/pipelines/kustomization.yaml index 8474b41382..3c32a05f23 100644 --- a/pipelines/kustomization.yaml +++ b/pipelines/kustomization.yaml @@ -7,3 +7,5 @@ resources: - enterprise-contract.yaml - fbc-builder - tekton-bundle-builder +- maven-zip-build +- maven-zip-build-oci-ta 
diff --git a/pipelines/maven-zip-build-oci-ta/README.md b/pipelines/maven-zip-build-oci-ta/README.md index a9870f4dd0..bfd837141c 100644 --- a/pipelines/maven-zip-build-oci-ta/README.md +++ b/pipelines/maven-zip-build-oci-ta/README.md 
@@ -1,165 +1,213 @@ # "maven-zip-build-oci-ta pipeline" - This pipeline will build the maven zip to oci-artifact while maintaining trust after pipeline customization. _Uses `prefetch-dependencies` to fetch all artifacts which will be the content of the maven zip, and then uses `build-maven-zip-oci-ta` to create zip and push it to quay.io as oci-artifact. Information is shared between tasks using OCI artifacts instead of PVCs. This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-maven-zip-build-oci-ta?tab=tags)_ ## Parameters - -| name | description | default value | used in (taskname:taskrefversion:taskparam) | -| ------------------- | ------------------------------------------------------------------------------------------------------------------- | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | -| git-url | Source Repository URL | None | clone-repository:0.1:url | -| image-expires-after | Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. 
| | build-oci-artifact:0.1:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER | -| output-image | Fully Qualified Output Image | None | show-summary:0.2:image-url ; init:0.2:image-url ; build-oci-artifact:0.1:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE | -| prefetch-input | Build dependencies to be prefetched by Cachi2 | generic | prefetch-dependencies:0.1:input | -| rebuild | Force rebuild oci-artifact | false | init:0.2:rebuild | -| revision | Revision of the Source Repository | | clone-repository:0.1:revision | -| skip-checks | Skip checks | true | init:0.2:skip-checks | +|name|description|default value|used in (taskname:taskrefversion:taskparam)| +|---|---|---|---| +|git-url| Source Repository URL| None| clone-repository:0.1:url| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | clone-repository:0.1:ociArtifactExpiresAfter ; prefetch-dependencies:0.1:ociArtifactExpiresAfter ; build-oci-artifact:0.1:IMAGE_EXPIRES_AFTER| +|output-image| Fully Qualified Output Image| None| init:0.2:image-url ; clone-repository:0.1:ociStorage ; prefetch-dependencies:0.1:ociStorage ; build-oci-artifact:0.1:IMAGE| +|prefetch-input| Build dependencies to be prefetched by Cachi2| generic| prefetch-dependencies:0.1:input| +|rebuild| Force rebuild image| false| init:0.2:rebuild| +|revision| Revision of the Source Repository| | clone-repository:0.1:revision| +|skip-checks| Skip checks against built image| false| init:0.2:skip-checks| ## Available params from tasks - ### build-maven-zip-oci-ta:0.1 task parameters - -| name | description | default value | already set by | -| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------- | -------------------------------------------------------- | -| CACHI2_ARTIFACT | 
The Trusted Artifact URI pointing to the artifact with the prefetched dependencies. | | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)' | -| FILE_NAME | The zip bundle file name of archived artifacts | maven-repository | | -| IMAGE | Reference of the OCI-Artifact this build task will produce. | None | '$(params.output-image)' | -| IMAGE_EXPIRES_AFTER | Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. | | '$(params.image-expires-after)' | -| PREFETCH_ROOT | The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts. | maven-repository | | -| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | -| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | - -### init:0.2 task parameters - -| name | description | default value | already set by | -| ----------- | ---------------------------------- | ------------- | ------------------------ | -| image-url | Image URL for build by PipelineRun | None | '$(params.output-image)' | -| rebuild | Rebuild the image if exists | false | '$(params.rebuild)' | -| skip-checks | Skip checks against built image | false | '$(params.skip-checks)' | - +|name|description|default value|already set by| +|---|---|---|---| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|FILE_NAME| The zip bundle file name of archived artifacts| maven-repository| | +|IMAGE| Reference of the OCI-Artifact this build task will produce.| None| '$(params.output-image)'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. 
Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|PREFETCH_ROOT| The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts.| maven-repository| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +### coverity-availability-check-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| ### git-clone-oci-ta:0.1 task parameters - -| name | description | default value | already set by | -| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------- | ------------------------------- | -| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | -| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | -| depth | Perform a shallow clone, fetching only the most recent N commits. | 1 | | -| enableSymlinkCheck | Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true | | -| fetchTags | Fetch all tags for the repo. 
| false | | -| httpProxy | HTTP proxy server for non-SSL requests. | | | -| httpsProxy | HTTPS proxy server for SSL requests. | | | -| noProxy | Opt out of proxying HTTP/HTTPS requests. | | | -| ociArtifactExpiresAfter | Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire. | | '$(params.image-expires-after)' | -| ociStorage | The OCI repository where the Trusted Artifacts are stored. | None | '$(params.output-image).git' | -| refspec | Refspec to fetch before checking out revision. | | | -| revision | Revision to checkout. (branch, tag, sha, ref, etc...) | | '$(params.revision)' | -| shortCommitLength | Length of short commit SHA | 7 | | -| sparseCheckoutDirectories | Define the directory patterns to match or exclude when performing a sparse checkout. | | | -| sslVerify | Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. | true | | -| submodules | Initialize and fetch git submodules. | true | | -| url | Repository URL to clone from. | None | '$(params.git-url)' | -| userHome | Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. | /tekton/home | | -| verbose | Log the commands that are executed during `git-clone`'s operation. | false | | - +|name|description|default value|already set by| +|---|---|---|---| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|depth| Perform a shallow clone, fetching only the most recent N commits.| 1| | +|enableSymlinkCheck| Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. 
| true| | +|fetchTags| Fetch all tags for the repo.| false| | +|httpProxy| HTTP proxy server for non-SSL requests.| | | +|httpsProxy| HTTPS proxy server for SSL requests.| | | +|noProxy| Opt out of proxying HTTP/HTTPS requests.| | | +|ociArtifactExpiresAfter| Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.| | '$(params.image-expires-after)'| +|ociStorage| The OCI repository where the Trusted Artifacts are stored.| None| '$(params.output-image).git'| +|refspec| Refspec to fetch before checking out revision.| | | +|revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|shortCommitLength| Length of short commit SHA| 7| | +|sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | +|sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | +|submodules| Initialize and fetch git submodules.| true| | +|url| Repository URL to clone from.| None| '$(params.git-url)'| +|userHome| Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. 
| /tekton/home| | +|verbose| Log the commands that are executed during `git-clone`'s operation.| false| | +### init:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| +|rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| +|skip-checks| Skip checks against built image| false| '$(params.skip-checks)'| ### prefetch-dependencies-oci-ta:0.1 task parameters - -| name | description | default value | already set by | -| ----------------------- | --------------------------------------------------------------------------------------------------------------------------- | ------------- | --------------------------------------------------- | -| SOURCE_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the application source code. | None | '$(tasks.clone-repository.results.SOURCE_ARTIFACT)' | -| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | -| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | -| config-file-content | Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | -| dev-package-managers | Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false | | -| input | Configures project packages that will have their dependencies prefetched. | None | '$(params.prefetch-input)' | -| log-level | Set cachi2 log level (debug, info, warning, error) | info | | -| ociArtifactExpiresAfter | Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire. | | '$(params.image-expires-after)' | -| ociStorage | The OCI repository where the Trusted Artifacts are stored. 
| None | '$(params.output-image).prefetch' | - -### sast-snyk-check-oci-ta:0.2 task parameters - -| name | description | default value | already set by | -| --------------- | ----------------------------------------------------------------------------------- | ------------------------------------------ | -------------------------------------------------------- | -| ARGS | Append arguments. | --all-projects --exclude=test*,vendor,deps | | -| CACHI2_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the prefetched dependencies. | | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)' | -| SNYK_SECRET | Name of secret which contains Snyk token. | snyk-secret | | -| SOURCE_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the application source code. | None | '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)' | -| image-digest | Image digest to report findings for. | | '$(tasks.build-image-index.results.IMAGE_DIGEST)' | -| image-url | Image URL. | | '$(tasks.build-image-index.results.IMAGE_URL)' | - +|name|description|default value|already set by| +|---|---|---|---| +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.clone-repository.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|config-file-content| Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | +|dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. 
| false| | +|input| Configures project packages that will have their dependencies prefetched.| None| '$(params.prefetch-input)'| +|log-level| Set cachi2 log level (debug, info, warning, error)| info| | +|ociArtifactExpiresAfter| Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.| | '$(params.image-expires-after)'| +|ociStorage| The OCI repository where the Trusted Artifacts are stored.| None| '$(params.output-image).prefetch'| +### sast-coverity-check-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|COV_ANALYZE_ARGS| Arguments to be appended to the cov-analyze command| --enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096| | +|COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | +|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | +|KFP_GIT_URL| URL from repository to download known false positives files| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Write excluded records in file. 
Useful for auditing (defaults to false).| false| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to report findings for.| None| '$(tasks.build-oci-artifact.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-oci-artifact.results.IMAGE_URL)'| +### sast-shell-check-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|IMP_FINDINGS_ONLY| Whether to include important findings only| true| | +|KFP_GIT_URL| git repository to download known false positives files from| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (default to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. 
| false| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to report findings for.| | '$(tasks.build-oci-artifact.results.IMAGE_DIGEST)'| +|image-url| Image URL.| | '$(tasks.build-oci-artifact.results.IMAGE_URL)'| +### sast-shell-check-oci-ta:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|IMP_FINDINGS_ONLY| Whether to include important findings only| true| | +|KFP_GIT_URL| git repository to download known false positives files from| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (default to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. 
| false| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to report findings for.| | '$(tasks.build-oci-artifact.results.IMAGE_DIGEST)'| +|image-url| Image URL.| | '$(tasks.build-oci-artifact.results.IMAGE_URL)'| +### sast-snyk-check-oci-ta:0.3 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ARGS| Append arguments.| | | +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| | '$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)'| +|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | +|KFP_GIT_URL| URL from repository to download known false positives files| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Write excluded records in file. 
Useful for auditing (defaults to false).| false| | +|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-url| Image URL.| | '$(tasks.build-oci-artifact.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters - -| name | description | default value | already set by | -| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ----------------------------------------------- | -| CA_TRUST_CONFIG_MAP_KEY | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | -| CA_TRUST_CONFIG_MAP_NAME | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | -| IMAGE_URL | Fully qualified image name to show SBOM for. | None | '$(tasks.build-oci-artifact.results.IMAGE_URL)' | -| PLATFORM | Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64". 
| linux/amd64 | | - -### Results - -| name | description | value | -| ----------------- | ----------- | ------------------------------------------------ | -| CHAINS-GIT_COMMIT | | $(tasks.clone-repository.results.commit) | -| CHAINS-GIT_URL | | $(tasks.clone-repository.results.url) | -| IMAGE_DIGEST | | $(tasks.build-oci-artifact.results.IMAGE_DIGEST) | -| IMAGE_URL | | $(tasks.build-oci-artifact.results.IMAGE_URL) | - +|name|description|default value|already set by| +|---|---|---|---| +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-oci-artifact.results.IMAGE_URL)'| +|PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | + +## Results +|name|description|value| +|---|---|---| +|CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| +|CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| +|IMAGE_DIGEST| |$(tasks.build-oci-artifact.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-oci-artifact.results.IMAGE_URL)| ## Available results from tasks - ### build-maven-zip-oci-ta:0.1 task results - -| name | description | used in params (taskname:taskrefversion:taskparam) | -| ------------- | --------------------------------------------------------------------------------- | -------------------------------------------------- | -| IMAGE_DIGEST | Digest of the OCI-Artifact just built | | -| IMAGE_REF | OCI-Artifact reference of the built OCI-Artifact | | -| IMAGE_URL | OCI-Artifact repository and tag where the built OCI-Artifact was pushed | show-sbom:0.1:IMAGE_URL | -| SBOM_BLOB_URL | Reference of SBOM blob digest to enable digest-based verification from 
provenance | | - +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGE_DIGEST| Digest of the OCI-Artifact just built| sast-snyk-check:0.3:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest| +|IMAGE_REF| OCI-Artifact reference of the built OCI-Artifact| | +|IMAGE_URL| OCI-Artifact repository and tag where the built OCI-Artifact was pushed| show-sbom:0.1:IMAGE_URL ; sast-snyk-check:0.3:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url| +|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | +### coverity-availability-check-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|STATUS| Tekton task simple status to be later checked| | +|TEST_OUTPUT| Tekton task result output.| | ### git-clone-oci-ta:0.1 task results - -| name | description | used in params (taskname:taskrefversion:taskparam) | -| ----------------- | ------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------- | -| CHAINS-GIT_COMMIT | The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance. | | -| CHAINS-GIT_URL | The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance. | | -| SOURCE_ARTIFACT | The Trusted Artifact URI pointing to the artifact with the application source code. | prefetch-dependencies:0.1:SOURCE_ARTIFACT | -| commit | The precise commit SHA that was fetched by this Task. 
| build-container:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA | -| commit-timestamp | The commit timestamp of the checkout | | -| short-commit | The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters | | -| url | The precise URL that was fetched by this Task. | | - +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|CHAINS-GIT_COMMIT| The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.| | +|CHAINS-GIT_URL| The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.| | +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| prefetch-dependencies:0.1:SOURCE_ARTIFACT| +|commit| The precise commit SHA that was fetched by this Task.| | +|commit-timestamp| The commit timestamp of the checkout| | +|short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | +|url| The precise URL that was fetched by this Task.| | ### init:0.2 task results - -| name | description | used in params (taskname:taskrefversion:taskparam) | -| ----- | ------------------------------------------------------- | -------------------------------------------------- | -| build | Defines if the image in param image-url should be built | | - -### sast-snyk-check-oci-ta:0.2 task results - -| name | description | used in params (taskname:taskrefversion:taskparam) | -| ----------- | ------------------------ | -------------------------------------------------- | -| TEST_OUTPUT | Tekton task test output. 
| | - -### Workspaces - -| name | description | optional | used in tasks | -| -------- | ----------- | -------- | -------------------------------------------------------------------------- | -| git-auth | | True | clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth | -| netrc | | True | prefetch-dependencies:0.1:netrc | - +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|build| Defines if the image in param image-url should be built| | +### prefetch-dependencies-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|CACHI2_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| build-oci-artifact:0.1:CACHI2_ARTIFACT ; sast-snyk-check:0.3:CACHI2_ARTIFACT ; sast-coverity-check:0.1:CACHI2_ARTIFACT ; coverity-availability-check:0.1:CACHI2_ARTIFACT ; sast-shell-check:0.1:CACHI2_ARTIFACT ; sast-unicode-check:0.1:CACHI2_ARTIFACT| +|SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| sast-snyk-check:0.3:SOURCE_ARTIFACT ; sast-coverity-check:0.1:SOURCE_ARTIFACT ; coverity-availability-check:0.1:SOURCE_ARTIFACT ; sast-shell-check:0.1:SOURCE_ARTIFACT ; sast-unicode-check:0.1:SOURCE_ARTIFACT| +### sast-coverity-check-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-shell-check-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-shell-check-oci-ta:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-snyk-check-oci-ta:0.3 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| 
| + +## Workspaces +|name|description|optional|used in tasks +|---|---|---|---| +|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| +|netrc| |True| prefetch-dependencies:0.1:netrc| +|workspace| |False| | ## Available workspaces from tasks - ### git-clone-oci-ta:0.1 task workspaces - -| name | description | optional | workspace from pipeline | -| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------- | -| basic-auth | A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True | git-auth | -| ssh-directory | A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True | | - +|name|description|optional|workspace from pipeline +|---|---|---|---| +|basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. 
| True| git-auth| +|ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| | ### prefetch-dependencies-oci-ta:0.1 task workspaces - -| name | description | optional | workspace from pipeline | -| -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------- | -| git-basic-auth | A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True | git-auth | -| netrc | Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True | netrc | +|name|description|optional|workspace from pipeline +|---|---|---|---| +|git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True| git-auth| +|netrc| Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True| netrc| diff --git a/pipelines/maven-zip-build-oci-ta/patch.yaml b/pipelines/maven-zip-build-oci-ta/patch.yaml index 5114c4b058..a6f7fc2409 100644 
--- a/pipelines/maven-zip-build-oci-ta/patch.yaml +++ b/pipelines/maven-zip-build-oci-ta/patch.yaml @@ -15,6 +15,7 @@ "pipelines.openshift.io/used-by": "build-cloud" "pipelines.openshift.io/runtime": "generic" "pipelines.openshift.io/strategy": "maven-zip" + # clone-repository Task - op: replace path: /spec/tasks/1/taskRef/name @@ -31,6 +32,7 @@ value: $(params.image-expires-after) - op: remove path: /spec/tasks/1/workspaces/0 + # prefetch-dependencies Task - op: replace path: /spec/tasks/2/taskRef/name @@ -54,7 +56,8 @@ path: /spec/tasks/2/workspaces/0 - op: remove path: /spec/tasks/2/when -# Replace build-maven-zip task by build-maven-zip-oci-ta task + +# build-oci-artifact - op: replace path: /spec/tasks/3/taskRef value: @@ -67,6 +70,7 @@ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - op: remove path: /spec/tasks/3/workspaces/0 + # sast-snyk-check - op: replace path: /spec/tasks/4/taskRef/name 
@@ -85,6 +89,75 @@ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - op: remove path: /spec/tasks/4/workspaces/0 + +# coverity-availability-check +- op: replace + path: /spec/tasks/6/taskRef/name + value: coverity-availability-check-oci-ta +- op: add + path: /spec/tasks/6/params/- + value: + name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) +- op: add + path: /spec/tasks/6/params/- + value: + name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + +# sast-coverity-check +- op: replace + path: /spec/tasks/5/taskRef/name + value: sast-coverity-check-oci-ta +- op: add + path: /spec/tasks/5/params/- + value: + name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) +- op: add + path: /spec/tasks/5/params/- + value: + name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) +- op: remove + path: /spec/tasks/5/workspaces/0 +- op: remove + path: /spec/tasks/6/workspaces/0 + +# sast-shell-check +- op: replace + path: /spec/tasks/7/taskRef/name + value: sast-shell-check-oci-ta +- op: add + path: /spec/tasks/7/params/- + value: + name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) +- op: add + path: /spec/tasks/7/params/- + value: + name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) +- op: remove + path: /spec/tasks/7/workspaces/0 + +# sast-unicode-check +- op: replace + path: /spec/tasks/8/taskRef/name + value: sast-shell-check-oci-ta +- op: add + path: /spec/tasks/8/params/- + value: + name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) +- op: add + path: /spec/tasks/8/params/- + value: + name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) +- op: remove + path: /spec/tasks/8/workspaces/0 + # show-summary # This Task relies on a shared workspace for some of its functionality. 
Although optional, it raises # the question of how valuable this Task actually is. Rather than add Trusted Artifacts support for diff --git a/pipelines/maven-zip-build/README.md b/pipelines/maven-zip-build/README.md index 6ddcebe8fd..403387103a 100644 --- a/pipelines/maven-zip-build/README.md +++ b/pipelines/maven-zip-build/README.md 
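Review bot: The `# sast-unicode-check` stanza at the end of the hunk replaces `/spec/tasks/8/taskRef/name` with `sast-shell-check-oci-ta`, which looks like a copy-paste slip from the stanza above: task 8 would run a second shell check and the unicode (bidi/control-character) scan would silently disappear from the OCI-TA pipeline while its README still advertises it. The line should read `value: sast-unicode-check-oci-ta`, assuming that OCI-TA task variant exists alongside the other three; a quick `kustomize build` of the pipeline would confirm the task reference resolves. The `- op: remove` for `/spec/tasks/6/workspaces/0` sits under `# sast-coverity-check` although task 6 is coverity-availability-check per the stanza comments; moving it up under `# coverity-availability-check` keeps each stanza self-contained. The ops list continues outside the hunk.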
@@ -1,183 +1,231 @@ # "maven-zip-build pipeline" - This pipeline will build the maven zip to oci-artifact. _Uses `prefetch-dependencies` to fetch all artifacts which will be the content of the maven zip, and then uses `build-maven-zip` to create zip and push it to quay.io as oci-artifact. This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-maven-zip-build?tab=tags)_ ## Parameters - -| name | description | default value | used in (taskname:taskrefversion:taskparam) | -| ------------------- | ------------------------------------------------------------------------------------------------------------------- | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | -| git-url | Source Repository URL | None | clone-repository:0.1:url | -| image-expires-after | Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. 
| | build-oci-artifact:0.1:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER | -| output-image | Fully Qualified Output Image | None | show-summary:0.2:image-url ; init:0.2:image-url ; build-oci-artifact:0.1:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE | -| prefetch-input | Build dependencies to be prefetched by Cachi2 | generic | prefetch-dependencies:0.1:input | -| rebuild | Force rebuild image | false | init:0.2:rebuild | -| revision | Revision of the Source Repository | | clone-repository:0.1:revision | -| skip-checks | Skip checks against built image | true | init:0.2:skip-checks | +|name|description|default value|used in (taskname:taskrefversion:taskparam)| +|---|---|---|---| +|git-url| Source Repository URL| None| clone-repository:0.1:url| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-oci-artifact:0.1:IMAGE_EXPIRES_AFTER| +|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-oci-artifact:0.1:IMAGE| +|prefetch-input| Build dependencies to be prefetched by Cachi2| generic| prefetch-dependencies:0.1:input| +|rebuild| Force rebuild image| false| init:0.2:rebuild| +|revision| Revision of the Source Repository| | clone-repository:0.1:revision| +|skip-checks| Skip checks against built image| false| init:0.2:skip-checks| ## Available params from tasks - ### build-maven-zip:0.1 task parameters - -| name | description | default value | already set by | -| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------- | ------------------------------- | -| FILE_NAME | The zip bundle file name of archived artifacts | maven-repository | | -| IMAGE | Reference of the OCI-Artifact this build task will produce. 
| None | '$(params.output-image)' | -| IMAGE_EXPIRES_AFTER | Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. | | '$(params.image-expires-after)' | -| PREFETCH_ROOT | The root directory of the artifacts under the prefetched directory. Will be kept in the maven zip as the top directory for all artifacts. | maven-repository | | -| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | -| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | - +|name|description|default value|already set by| +|---|---|---|---| +|FILE_NAME| The zip bundle file name of archived artifacts| maven-repository| | +|IMAGE| Reference of the OCI-Artifact this build task will produce.| None| '$(params.output-image)'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|PREFETCH_ROOT| The root directory of the artifacts under the prefetched directory. 
Will be kept in the maven zip as the top directory for all artifacts.| maven-repository| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +### coverity-availability-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | +|COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | ### git-clone:0.1 task parameters - -| name | description | default value | already set by | -| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ | ------------- | -------------------- | -| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt | | -| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | -| deleteExisting | Clean out the contents of the destination directory if it already exists before cloning. | true | | -| depth | Perform a shallow clone, fetching only the most recent N commits. | 1 | | -| enableSymlinkCheck | Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true | | -| fetchTags | Fetch all tags for the repo. | false | | -| gitInitImage | Deprecated. Has no effect. Will be removed in the future. | | | -| httpProxy | HTTP proxy server for non-SSL requests. | | | -| httpsProxy | HTTPS proxy server for SSL requests. | | | -| noProxy | Opt out of proxying HTTP/HTTPS requests. | | | -| refspec | Refspec to fetch before checking out revision. | | | -| revision | Revision to checkout. (branch, tag, sha, ref, etc...) 
| | '$(params.revision)' | -| shortCommitLength | Length of short commit SHA | 7 | | -| sparseCheckoutDirectories | Define the directory patterns to match or exclude when performing a sparse checkout. | | | -| sslVerify | Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. | true | | -| subdirectory | Subdirectory inside the `output` Workspace to clone the repo into. | source | | -| submodules | Initialize and fetch git submodules. | true | | -| url | Repository URL to clone from. | None | '$(params.git-url)' | -| userHome | Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. | /tekton/home | | -| verbose | Log the commands that are executed during `git-clone`'s operation. | false | | - +|name|description|default value|already set by| +|---|---|---|---| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|deleteExisting| Clean out the contents of the destination directory if it already exists before cloning.| true| | +|depth| Perform a shallow clone, fetching only the most recent N commits.| 1| | +|enableSymlinkCheck| Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true| | +|fetchTags| Fetch all tags for the repo.| false| | +|gitInitImage| Deprecated. Has no effect. Will be removed in the future.| | | +|httpProxy| HTTP proxy server for non-SSL requests.| | | +|httpsProxy| HTTPS proxy server for SSL requests.| | | +|noProxy| Opt out of proxying HTTP/HTTPS requests.| | | +|refspec| Refspec to fetch before checking out revision.| | | +|revision| Revision to checkout. 
(branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|shortCommitLength| Length of short commit SHA| 7| | +|sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | +|sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | +|subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| | +|submodules| Initialize and fetch git submodules.| true| | +|url| Repository URL to clone from.| None| '$(params.git-url)'| +|userHome| Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. | /tekton/home| | +|verbose| Log the commands that are executed during `git-clone`'s operation.| false| | ### init:0.2 task parameters - -| name | description | default value | already set by | -| ----------- | ---------------------------------- | ------------- | ------------------------ | -| image-url | Image URL for build by PipelineRun | None | '$(params.output-image)' | -| rebuild | Rebuild the image if exists | false | '$(params.rebuild)' | -| skip-checks | Skip checks against built image | false | '$(params.skip-checks)' | - +|name|description|default value|already set by| +|---|---|---|---| +|image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| +|rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| +|skip-checks| Skip checks against built image| false| '$(params.skip-checks)'| ### prefetch-dependencies:0.1 task parameters - -| name | description | default value | already set by | -| -------------------- | -------------------------------------------------------------------------------------------------------------------------- | ------------- | -------------------------- | -| caTrustConfigMapKey | The name of the key in the ConfigMap that contains the CA bundle data. 
| ca-bundle.crt | | -| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | -| config-file-content | Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | -| dev-package-managers | Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false | | -| input | Configures project packages that will have their dependencies prefetched. | None | '$(params.prefetch-input)' | -| log-level | Set cachi2 log level (debug, info, warning, error) | info | | - -### sast-snyk-check:0.2 task parameters - -| name | description | default value | already set by | -| ------------ | ----------------------------------------- | ------------------------------------------ | ------------------------------------------------- | -| ARGS | Append arguments. | --all-projects --exclude=test*,vendor,deps | | -| SNYK_SECRET | Name of secret which contains Snyk token. | snyk-secret | | -| image-digest | Image digest to report findings for. | | '$(tasks.build-image-index.results.IMAGE_DIGEST)' | -| image-url | Image URL. | | '$(tasks.build-image-index.results.IMAGE_URL)' | - +|name|description|default value|already set by| +|---|---|---|---| +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|config-file-content| Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | +|dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. 
| false| | +|input| Configures project packages that will have their dependencies prefetched.| None| '$(params.prefetch-input)'| +|log-level| Set cachi2 log level (debug, info, warning, error)| info| | +### sast-coverity-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|AUTH_TOKEN_COVERITY_IMAGE| Name of secret which contains the authentication token for pulling the Coverity image.| auth-token-coverity-image| | +|COV_ANALYZE_ARGS| Arguments to be appended to the cov-analyze command| --enable HARDCODED_CREDENTIALS --security --concurrency --spotbugs-max-mem=4096| | +|COV_LICENSE| Name of secret which contains the Coverity license| cov-license| | +|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | +|KFP_GIT_URL| URL from repository to download known false positives files| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to report findings for.| None| '$(tasks.build-oci-artifact.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-oci-artifact.results.IMAGE_URL)'| +### sast-shell-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|IMP_FINDINGS_ONLY| Whether to include important findings only| true| | +|KFP_GIT_URL| git repository to download known false positives files from| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. 
By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (default to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. | false| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-digest| Image digest to report findings for.| | '$(tasks.build-oci-artifact.results.IMAGE_DIGEST)'| +|image-url| Image URL.| | '$(tasks.build-oci-artifact.results.IMAGE_URL)'| +### sast-snyk-check:0.3 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ARGS| Append arguments.| | | +|IMP_FINDINGS_ONLY| Report only important findings. Default is true. To report all findings, specify "false"| true| | +|KFP_GIT_URL| URL from repository to download known false positives files| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Write excluded records in file. 
Useful for auditing (defaults to false).| false| | +|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-url| Image URL.| | '$(tasks.build-oci-artifact.results.IMAGE_URL)'| +### sast-unicode-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|FIND_UNICODE_CONTROL_ARGS| arguments for find-unicode-control command.| -p bidi -v -d -t| | +|FIND_UNICODE_CONTROL_GIT_URL| URL from repository to find unicode control.| https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58| | +|KFP_GIT_URL| URL from repository to download known false positives files.| | | +|PROJECT_NAME| Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.| | | +|RECORD_EXCLUDED| Whether to record the excluded findings (defaults to false). If `true`, the excluded findings will be stored in `excluded-findings.json`. | false| | +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|image-url| Image URL.| | '$(tasks.build-oci-artifact.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters - -| name | description | default value | already set by | -| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------- | ----------------------------------------------- | -| CA_TRUST_CONFIG_MAP_KEY | The name of the key in the ConfigMap that contains the CA bundle data. 
| ca-bundle.crt | | -| CA_TRUST_CONFIG_MAP_NAME | The name of the ConfigMap to read CA bundle data from. | trusted-ca | | -| IMAGE_URL | Fully qualified image name to show SBOM for. | None | '$(tasks.build-oci-artifact.results.IMAGE_URL)' | -| PLATFORM | Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64". | linux/amd64 | | - +|name|description|default value|already set by| +|---|---|---|---| +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-oci-artifact.results.IMAGE_URL)'| +|PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | ### summary:0.2 task parameters - -| name | description | default value | already set by | -| ----------------- | ---------------------------------- | ------------- | -------------------------------------------------------------------------------------- | -| build-task-status | State of build task in pipelineRun | Succeeded | '$(tasks.build-oci-artifact.status)' | -| git-url | Git URL | None | '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)' | -| image-url | Image URL | None | '$(params.output-image)' | -| pipelinerun-name | pipeline-run to annotate | None | '$(context.pipelineRun.name)' | +|name|description|default value|already set by| +|---|---|---|---| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-oci-artifact.status)'| +|git-url| Git URL| None| 
'$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| +|image-url| Image URL| None| '$(params.output-image)'| +|pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| ## Results - -| name | description | value | -| ----------------- | ----------- | ------------------------------------------------ | -| CHAINS-GIT_COMMIT | | $(tasks.clone-repository.results.commit) | -| CHAINS-GIT_URL | | $(tasks.clone-repository.results.url) | -| IMAGE_DIGEST | | $(tasks.build-oci-artifact.results.IMAGE_DIGEST) | -| IMAGE_URL | | $(tasks.build-oci-artifact.results.IMAGE_URL) | - +|name|description|value| +|---|---|---| +|CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| +|CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| +|IMAGE_DIGEST| |$(tasks.build-oci-artifact.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-oci-artifact.results.IMAGE_URL)| ## Available results from tasks - ### build-maven-zip:0.1 task results - -| name | description | used in params (taskname:taskrefversion:taskparam) | -| ------------- | --------------------------------------------------------------------------------- | -------------------------------------------------- | -| IMAGE_DIGEST | Digest of the OCI-Artifact just built | | -| IMAGE_REF | OCI-Artifact reference of the built OCI-Artifact | | -| IMAGE_URL | OCI-Artifact repository and tag where the built OCI-Artifact was pushed | show-sbom:0.1:IMAGE_URL | -| SBOM_BLOB_URL | Reference of SBOM blob digest to enable digest-based verification from provenance | | - +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGE_DIGEST| Digest of the OCI-Artifact just built| sast-snyk-check:0.3:image-digest ; sast-coverity-check:0.1:image-digest ; coverity-availability-check:0.1:image-digest ; sast-shell-check:0.1:image-digest| +|IMAGE_REF| OCI-Artifact reference of the built OCI-Artifact| | +|IMAGE_URL| OCI-Artifact repository and tag where the built 
OCI-Artifact was pushed| show-sbom:0.1:IMAGE_URL ; sast-snyk-check:0.3:image-url ; sast-coverity-check:0.1:image-url ; coverity-availability-check:0.1:image-url ; sast-shell-check:0.1:image-url ; sast-unicode-check:0.1:image-url| +|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | +### coverity-availability-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|STATUS| Tekton task simple status to be later checked| | +|TEST_OUTPUT| Tekton task result output.| | ### git-clone:0.1 task results - -| name | description | used in params (taskname:taskrefversion:taskparam) | -| ----------------- | ------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------- | -| CHAINS-GIT_COMMIT | The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance. | | -| CHAINS-GIT_URL | The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance. | | -| commit | The precise commit SHA that was fetched by this Task. | build-image-index:0.1:COMMIT_SHA | -| commit-timestamp | The commit timestamp of the checkout | | -| short-commit | The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters | | -| url | The precise URL that was fetched by this Task. | show-summary:0.2:git-url | - +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|CHAINS-GIT_COMMIT| The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.| | +|CHAINS-GIT_URL| The precise URL that was fetched by this Task. 
This result uses Chains type hinting to include in the provenance.| | +|commit| The precise commit SHA that was fetched by this Task.| | +|commit-timestamp| The commit timestamp of the checkout| | +|short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | +|url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| ### init:0.2 task results - -| name | description | used in params (taskname:taskrefversion:taskparam) | -| ----- | ------------------------------------------------------- | -------------------------------------------------- | -| build | Defines if the image in param image-url should be built | | - -### sast-snyk-check:0.2 task results - -| name | description | used in params (taskname:taskrefversion:taskparam) | -| ----------- | ------------------------ | -------------------------------------------------- | -| TEST_OUTPUT | Tekton task test output. | | - -### Workspaces - -| name | description | optional | used in tasks | -| --------- | ----------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| git-auth | | True | clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth | -| netrc | | True | prefetch-dependencies:0.1:netrc | -| workspace | | False | show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-oci-artifact:0.1:source ; sast-snyk-check:0.2:workspace | - +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|build| Defines if the image in param image-url should be built| | +### sast-coverity-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-shell-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) 
+|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-snyk-check:0.3 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sast-unicode-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | + +## Workspaces +|name|description|optional|used in tasks +|---|---|---|---| +|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| +|netrc| |True| prefetch-dependencies:0.1:netrc| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-oci-artifact:0.1:source ; sast-snyk-check:0.3:workspace ; sast-coverity-check:0.1:workspace ; coverity-availability-check:0.1:workspace ; sast-shell-check:0.1:workspace ; sast-unicode-check:0.1:workspace| ## Available workspaces from tasks - ### build-maven-zip:0.1 task workspaces - -| name | description | optional | workspace from pipeline | -| ------ | ---------------------------------------------- | -------- | ----------------------- | -| source | Workspace containing the source code to build. 
| False | workspace | - +|name|description|optional|workspace from pipeline +|---|---|---|---| +|source| Workspace containing the source code to build.| False| workspace| +### coverity-availability-check:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| | False| workspace| ### git-clone:0.1 task workspaces - -| name | description | optional | workspace from pipeline | -| ------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------- | -| basic-auth | A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True | git-auth | -| output | The git repo will be cloned onto the volume backing this Workspace. | False | workspace | -| ssh-directory | A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True | | - +|name|description|optional|workspace from pipeline +|---|---|---|---| +|basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. 
It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth| +|output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace| +|ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| | ### prefetch-dependencies:0.1 task workspaces - -| name | description | optional | workspace from pipeline | -| -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ----------------------- | -| git-basic-auth | A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True | git-auth | -| netrc | Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True | netrc | -| source | Workspace with the source code, cachi2 artifacts will be stored on the workspace as well | False | workspace | - +|name|description|optional|workspace from pipeline +|---|---|---|---| +|git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. 
It is strongly recommended to bind a Secret to this Workspace over other volume types. | True| git-auth| +|netrc| Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True| netrc| +|source| Workspace with the source code, cachi2 artifacts will be stored on the workspace as well| False| workspace| +### sast-coverity-check:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| | False| workspace| +### sast-shell-check:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| | False| workspace| +### sast-snyk-check:0.3 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| | False| workspace| +### sast-unicode-check:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| | False| workspace| ### summary:0.2 task workspaces - -| name | description | optional | workspace from pipeline | -| --------- | -------------------------------------------- | -------- | ----------------------- | -| workspace | The workspace where source code is included. | True | workspace | +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| The workspace where source code is included.| True| workspace| diff --git a/pipelines/maven-zip-build/patch.yaml b/pipelines/maven-zip-build/patch.yaml index a05243b9f0..1f1fa7e22d 100644 --- a/pipelines/maven-zip-build/patch.yaml +++ b/pipelines/maven-zip-build/patch.yaml 
@@ -46,26 +46,31 @@ value: "generic" # Remove unused tasks # kustomize build pipelines/template-build/ | yq ".spec.tasks.[].name" | nl -v 0 -# 0 init -# 1 clone-repository -# 2 prefetch-dependencies -# 3 build-container -# 4 build-image-index -# 5 build-source-image -# 6 deprecated-base-image-check -# 7 clair-scan -# 8 ecosystem-cert-preflight-checks -# 9 sast-snyk-check -# 10 clamav-scan -# 11 apply-tags -# 12 push-dockerfile -# 13 rpms-signature-scan +# 0 init +# 1 clone-repository +# 2 prefetch-dependencies +# 3 build-container +# 4 build-image-index +# 5 build-source-image +# 6 deprecated-base-image-check +# 7 clair-scan +# 8 ecosystem-cert-preflight-checks +# 9 sast-snyk-check +# 10 clamav-scan +# 11 sast-coverity-check +# 12 coverity-availability-check +# 13 sast-shell-check +# 14 sast-unicode-check +# 15 apply-tags +# 16 push-dockerfile +# 17 rpms-signature-scan + - op: remove - path: /spec/tasks/13 # rpms-signature-scan + path: /spec/tasks/17 # rpms-signature-scan - op: remove - path: /spec/tasks/12 # push-dockerfile + path: /spec/tasks/16 # push-dockerfile - op: remove - path: /spec/tasks/11 # apply-tags + path: /spec/tasks/15 # apply-tags - op: remove path: /spec/tasks/10 # clamav-scan - op: remove 
@@ -112,6 +117,43 @@ path: /spec/tasks/4/runAfter value: - build-oci-artifact +# Replace the params set and runAfter of sast-coverity-check +- op: replace + path: /spec/tasks/5/params/0/value + value: "$(tasks.build-oci-artifact.results.IMAGE_DIGEST)" +- op: replace + path: /spec/tasks/5/params/1/value + value: "$(tasks.build-oci-artifact.results.IMAGE_URL)" +# Replace the params set and runAfter of coverity-availability-check +- op: replace + path: /spec/tasks/6/params/0/value + value: "$(tasks.build-oci-artifact.results.IMAGE_DIGEST)" +- op: replace + path: /spec/tasks/6/params/1/value + value: "$(tasks.build-oci-artifact.results.IMAGE_URL)" +- op: replace + path: /spec/tasks/6/runAfter + value: + - build-oci-artifact +# Replace the params set and runAfter of sast-shell-check +- op: replace + path: /spec/tasks/7/params/0/value + value: "$(tasks.build-oci-artifact.results.IMAGE_DIGEST)" +- op: replace + path: /spec/tasks/7/params/1/value + value: "$(tasks.build-oci-artifact.results.IMAGE_URL)" +- op: replace + path: /spec/tasks/7/runAfter + value: + - build-oci-artifact +# Replace the params set and runAfter of sast-unicode-check +- op: replace + path: /spec/tasks/8/params/0/value + value: "$(tasks.build-oci-artifact.results.IMAGE_URL)" +- op: replace + path: /spec/tasks/8/runAfter + value: + - build-oci-artifact # change pipeline results - op: replace path: /spec/results/0/value diff --git a/pipelines/tekton-bundle-builder/README.md b/pipelines/tekton-bundle-builder/README.md index cd38c1a6db..650bec2fb3 100644 --- a/pipelines/tekton-bundle-builder/README.md +++ b/pipelines/tekton-bundle-builder/README.md 
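Review bot: The comment `# Replace the params set and runAfter of sast-coverity-check` promises a runAfter replacement for `/spec/tasks/5`, but only the two params ops follow, whereas tasks 6 and 7 get `runAfter` replaced with `build-oci-artifact` in the same hunk. If the template's sast-coverity-check still carries an explicit runAfter naming a task this overlay removes or replaces, the patched pipeline will fail Tekton validation even though kustomize applies cleanly; either add `- op: replace` / `path: /spec/tasks/5/runAfter` / `value: [build-oci-artifact]` or correct the comment. The indices 5–8 are only right if the remove list above (which continues outside this hunk) drops exactly the six tasks between build-image-index and sast-coverity-check, and `params/0`/`params/1` assume the template declares image-digest before image-url; a stale index would silently retarget another task, so a `kustomize build` of this overlay in CI is worth keeping.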
@@ -66,6 +66,7 @@ ### prefetch-dependencies:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| +|ACTIVATION_KEY| Name of secret which contains subscription activation key| activation-key| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |config-file-content| Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | @@ -101,8 +102,8 @@ |RECORD_EXCLUDED| Write excluded records in file. Useful for auditing (defaults to false).| false| | |caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to report findings for.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### sast-unicode-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| 
@@ -141,9 +142,9 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| +|IMAGE_DIGEST| Digest of the image just built| sast-coverity-check:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST ; rpms-signature-scan:0.2:image-digest| |IMAGE_REF| Image reference of the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed| sast-coverity-check:0.1:image-url ; sast-unicode-check:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; rpms-signature-scan:0.2:image-url| |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | ### git-clone:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -179,9 +180,9 @@ ### tkn-bundle:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| sast-coverity-check:0.1:image-digest| +|IMAGE_DIGEST| Digest of the image just built| | |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed with tag only| build-image-index:0.1:IMAGES ; sast-coverity-check:0.1:image-url| +|IMAGE_URL| Image repository and tag where the built image was pushed with tag only| build-image-index:0.1:IMAGES| ## Workspaces |name|description|optional|used in tasks diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml index 863f8b6451..096f330785 100644 --- a/pipelines/template-build/template-build.yaml 
+++ b/pipelines/template-build/template-build.yaml @@ -253,9 +253,9 @@ spec: version: "0.1" params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) workspaces: - name: workspace workspace: workspace @@ -271,9 +271,9 @@ spec: version: "0.1" params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) workspaces: - name: workspace workspace: workspace diff --git a/renovate.json b/renovate.json index 78ec96a3ff..6dead1160f 100644 --- a/renovate.json +++ b/renovate.json @@ -6,7 +6,10 @@ "dependencyDashboard": false, "prConcurrentLimit": 20, "tekton": { - "fileMatch": ["\\.yaml$", "\\.yml$"], + "fileMatch": [ + "\\.yaml$", + "\\.yml$" + ], "includePaths": [ ".tekton/**", "task/**", @@ -15,10 +18,17 @@ ] }, "packageRules": [ + { + "matchPackageNames": [ + "quay.io/konflux-ci/appstudio-utils" + ], + "schedule": [ + "on sunday" + ] + }, { "matchPackageNames": [ "quay.io/konflux-ci/pull-request-builds", - "quay.io/konflux-ci/appstudio-utils", "quay.io/konflux-ci/buildah", "quay.io/konflux-ci/source-container-build", "quay.io/redhat-appstudio/e2e-tests", 
@@ -30,7 +40,44 @@ "registry.access.redhat.com/rh-syft-tech-preview/syft-rhel9" ], "groupName": "build", - "reviewers": ["mmorhun", "tkdchen", "rcerven", "mkosiarc", "brunoapimentel", "chmeliik"] + "matchFileNames": [ + "task/acs-deploy-check/**", + "task/acs-image-check/**", + "task/acs-image-scan/**", + "task/apply-tags/**", + "task/build-image-index/**", + "task/build-image-manifest/**", + "task/buildah-10gb/**", + "task/buildah-20gb/**", + "task/buildah-24gb/**", + "task/buildah-6gb/**", + "task/buildah-8gb/**", + "task/buildah-min/**", + "task/buildah-oci-ta/**", + "task/buildah-remote-oci-ta/**", + "task/buildah-remote/**", + "task/buildah-rhtap/**", + "task/buildah/**", + "task/download-sbom-from-url-in-attestation/**", + "task/gather-deploy-images/**", + "task/generate-labels/**", + "task/git-clone-oci-ta/**", + "task/git-clone/**", + "task/init/**", + "task/prefetch-dependencies-oci-ta/**", + "task/prefetch-dependencies/**", + "task/push-dockerfile-oci-ta/**", + "task/push-dockerfile/**", + "task/show-sbom-rhdh/**", + "task/show-sbom/**", + "task/slack-webhook-notification/**", + "task/source-build-oci-ta/**", + "task/source-build/**", + "task/summary/**", + "task/update-deployment/**", + "task/update-infra-deployments/**", + "task/upload-sbom-to-trustification/**" + ] }, { "matchPackagePrefixes": [ @@ -40,7 +87,11 @@ "registry.redhat.io/openshift-pipelines/pipelines-cli-tkn-rhel8" ], "groupName": "ec", - "reviewers": ["zregvart", "lcarva"] + "matchFileNames": [ + "task/tkn-bundle-oci-ta/**", + "task/tkn-bundle/**", + "task/verify-enterprise-contract/**" + ] }, { "matchPackageNames": [ 
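Review bot: Adding `matchFileNames` to a rule that already has `matchPackageNames` narrows it rather than extending it, because Renovate ANDs all match* keys inside one packageRule; a build-group image referenced from a file outside the listed `task/*/**` directories (the `includePaths` context in the earlier hunk also covers `.tekton/**`) no longer lands in the `build` group and gets an individual PR with default settings. The same applies to the `ec` rule in this hunk and to the `integration` and `preflight` rules in the next one. If the intent is grouping by owning directory only, drop `matchPackageNames`; if both criteria should group, they need to be separate rules. If this file is regenerated from CODEOWNERS, as the uniform directory lists suggest, the fix belongs in the generator rather than in renovate.json directly.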
@@ -49,28 +100,47 @@ "quay.io/konflux-ci/clamav-db" ], "groupName": "integration", - "reviewers": ["dirgim", "hongweiliu17", "jsztuka", "Josh-Everett", " 14rcole", "chipspeak", "dheerajodha", "kasemAlem", "jencull", "sonam1412"] + "matchFileNames": [ + "task/clair-scan/**", + "task/clamav-scan/**", + "task/coverity-availability-check-oci-ta/**", + "task/coverity-availability-check/**", + "task/deprecated-image-check/**", + "task/fbc-related-image-check/**", + "task/fbc-validation/**", + "task/inspect-image/**", + "task/sast-coverity-check-oci-ta/**", + "task/sast-coverity-check/**", + "task/sast-shell-check-oci-ta/**", + "task/sast-shell-check/**", + "task/sast-snyk-check-oci-ta/**", + "task/sast-snyk-check/**", + "task/sast-unicode-check-oci-ta/**", + "task/sast-unicode-check/**", + "task/sbom-json-check/**", + "task/validate-fbc/**" + ] }, { "matchPackageNames": [ "quay.io/opdev/preflight" ], "groupName": "preflight", - "reviewers": ["skattoju"] - }, - { - "matchPackagePrefixes": [ - "registry.redhat.io", - "registry.access.redhat.com", - "docker.io" - ], - "schedule": ["on monday and wednesday"], - "groupName": "shared" + "matchFileNames": [ + "task/ecosystem-cert-preflight-checks/**" + ] }, { "groupName": "github-actions", - "matchManagers": ["github-actions"], - "schedule": ["on monday"] + "matchManagers": [ + "github-actions" + ], + "matchFileNames": [ + ".github/workflows/**" + ], + "schedule": [ + "on sunday" + ] }, { "matchPackageNames": [ 
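Review bot: Removing the `shared` rule (`matchPackagePrefixes` for registry.redhat.io, registry.access.redhat.com and docker.io with `"schedule": ["on monday and wednesday"]`) silently drops the throttling for every image from those registries that is not caught by one of the per-directory groups; such updates now open immediately as ungrouped PRs. If the schedule was deliberate, re-add a prefix rule carrying the schedule ahead of the directory groups so the later rules still set `groupName`, or confirm that every path Renovate scans under `includePaths` appears in some `matchFileNames` list. Moving github-actions to `on sunday` is fine, but after this hunk `appstudio-utils` and github-actions are the only visible rules with any schedule at all.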
@@ -78,6 +148,61 @@ ], "enabled": false, "groupName": "ignore" + }, + { + "groupName": "build-vm-image", + "matchFileNames": [ + "task/build-vm-image/**" + ] + }, + { + "groupName": "eaas", + "matchFileNames": [ + "stepactions/eaas-copy-secrets-to-ephemeral-cluster/**", + "stepactions/eaas-create-ephemeral-cluster-hypershift-aws/**", + "stepactions/eaas-get-ephemeral-cluster-credentials/**", + "stepactions/eaas-get-latest-openshift-version-by-prefix/**", + "stepactions/eaas-get-supported-ephemeral-cluster-versions/**", + "task/eaas-provision-space/**", + "task/provision-env-with-ephemeral-namespace/**" + ] + }, + { + "groupName": "maven", + "matchFileNames": [ + "task/build-maven-zip-oci-ta/**", + "task/build-maven-zip/**" + ] + }, + { + "groupName": "oci-copy", + "matchFileNames": [ + "task/oci-copy-oci-ta/**", + "task/oci-copy/**" + ] + }, + { + "groupName": "opm", + "matchFileNames": [ + "task/operator-sdk-generate-bundle/**", + "task/opm-get-bundle-version/**", + "task/opm-render-bundles/**" + ] + }, + { + "groupName": "rpm-ostree", + "matchFileNames": [ + "task/rpm-ostree-oci-ta/**", + "task/rpm-ostree/**" + ] + }, + { + "groupName": "rpm-tasks", + "matchFileNames": [ + "task/generate-odcs-compose/**", + "task/rpms-signature-scan/**", + "task/verify-signed-rpms/**" + ] } ], "postUpdateOptions": [ @@ -86,7 +211,9 @@ "customManagers": [ { "customType": "regex", - "fileMatch": ["^task/[\\w-]+/[0-9.]+/[\\w-]+\\.yaml$"], + "fileMatch": [ + "^task/[\\w-]+/[0-9.]+/[\\w-]+\\.yaml$" + ], "matchStrings": [ "value: (?quay\\.io/konflux-ci/buildah[^:]*):(?[^@]*)@(?sha256:[a-f0-9]{64})" ], 
@@ -95,8 +222,12 @@ }, { "customType": "regex", - "fileMatch": [".github/workflows/run-task-tests.yaml"], - "matchStrings": ["ref:\\s+(?[a-f0-9]{40})"], + "fileMatch": [ + ".github/workflows/run-task-tests.yaml" + ], + "matchStrings": [ + "ref:\\s+(?[a-f0-9]{40})" + ], "currentValueTemplate": "main", "depNameTemplate": "konflux-ci", "packageNameTemplate": "https://github.com/konflux-ci/konflux-ci", diff --git a/stepactions/eaas-copy-secrets-to-ephemeral-cluster/OWNERS b/stepactions/eaas-copy-secrets-to-ephemeral-cluster/OWNERS deleted file mode 100644 index 02ba027134..0000000000 --- a/stepactions/eaas-copy-secrets-to-ephemeral-cluster/OWNERS +++ /dev/null @@ -1,8 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- amisstea -- omeramsc -- avi-biton -- yftacherzog -- hmariset diff --git a/stepactions/eaas-create-ephemeral-cluster-hypershift-aws/OWNERS b/stepactions/eaas-create-ephemeral-cluster-hypershift-aws/OWNERS deleted file mode 100644 index 02ba027134..0000000000 --- a/stepactions/eaas-create-ephemeral-cluster-hypershift-aws/OWNERS +++ /dev/null @@ -1,8 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- amisstea -- omeramsc -- avi-biton -- yftacherzog -- hmariset diff --git a/stepactions/eaas-get-ephemeral-cluster-credentials/OWNERS b/stepactions/eaas-get-ephemeral-cluster-credentials/OWNERS deleted file mode 100644 index 02ba027134..0000000000 --- a/stepactions/eaas-get-ephemeral-cluster-credentials/OWNERS +++ /dev/null @@ -1,8 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- amisstea -- omeramsc -- avi-biton -- yftacherzog -- hmariset diff --git a/stepactions/eaas-get-latest-openshift-version-by-prefix/OWNERS b/stepactions/eaas-get-latest-openshift-version-by-prefix/OWNERS deleted file mode 100644 index 02ba027134..0000000000 --- a/stepactions/eaas-get-latest-openshift-version-by-prefix/OWNERS +++ /dev/null 
@@ -1,8 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- amisstea -- omeramsc -- avi-biton -- yftacherzog -- hmariset diff --git a/stepactions/eaas-get-supported-ephemeral-cluster-versions/OWNERS b/stepactions/eaas-get-supported-ephemeral-cluster-versions/OWNERS deleted file mode 100644 index 02ba027134..0000000000 --- a/stepactions/eaas-get-supported-ephemeral-cluster-versions/OWNERS +++ /dev/null @@ -1,8 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- amisstea -- omeramsc -- avi-biton -- yftacherzog -- hmariset diff --git a/task-generator/remote/go.mod b/task-generator/remote/go.mod index bb4de22a7c..0649be0fe2 100644 --- a/task-generator/remote/go.mod +++ b/task-generator/remote/go.mod @@ -5,7 +5,7 @@ go 1.22.0 toolchain go1.23.2 require ( - github.com/tektoncd/pipeline v0.65.3 + github.com/tektoncd/pipeline v0.66.0 k8s.io/api v0.31.0 k8s.io/apimachinery v0.31.0 k8s.io/cli-runtime v0.30.3 diff --git a/task-generator/remote/go.sum b/task-generator/remote/go.sum index 98bca1ea03..a22a7020c2 100644 --- a/task-generator/remote/go.sum +++ b/task-generator/remote/go.sum 
@@ -320,8 +320,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/stvp/go-udp-testing v0.0.0-20201019212854-469649b16807/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc= -github.com/tektoncd/pipeline v0.65.3 h1:/HXL62kx1LTu76dvrCurafjl+KU2FjEwvcKeQ4WOjbk= -github.com/tektoncd/pipeline v0.65.3/go.mod h1:V3cyfxxc7b3GLT2a13GX2mWA86qmxWhh4mOp4gfFQwQ= +github.com/tektoncd/pipeline v0.66.0 h1:WLL98YEgWzblSAD2mPbpZN97tkOC50wiftaW+8+6zTY= +github.com/tektoncd/pipeline v0.66.0/go.mod h1:V3cyfxxc7b3GLT2a13GX2mWA86qmxWhh4mOp4gfFQwQ= github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM= github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg= github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= diff --git a/task-generator/trusted-artifacts/go.mod b/task-generator/trusted-artifacts/go.mod index 98eab618dd..9ca88c966d 100644 --- a/task-generator/trusted-artifacts/go.mod +++ b/task-generator/trusted-artifacts/go.mod @@ -5,7 +5,7 @@ go 1.22.7 require ( github.com/google/go-cmp v0.6.0 github.com/google/go-containerregistry v0.20.2 - github.com/tektoncd/pipeline v0.65.3 + github.com/tektoncd/pipeline v0.66.0 github.com/zregvart/tkn-fmt v0.0.0-20240614122620-a2995427266c k8s.io/api v0.30.1 mvdan.cc/sh/v3 v3.10.0 diff --git a/task-generator/trusted-artifacts/go.sum b/task-generator/trusted-artifacts/go.sum index fdcd0ca7ed..dcbb7636af 100644 --- a/task-generator/trusted-artifacts/go.sum +++ b/task-generator/trusted-artifacts/go.sum 
@@ -347,8 +347,8 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg= github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/stvp/go-udp-testing v0.0.0-20201019212854-469649b16807/go.mod h1:7jxmlfBCDBXRzr0eAQJ48XC1hBu1np4CS5+cHEYfwpc= -github.com/tektoncd/pipeline v0.65.3 h1:/HXL62kx1LTu76dvrCurafjl+KU2FjEwvcKeQ4WOjbk= -github.com/tektoncd/pipeline v0.65.3/go.mod h1:V3cyfxxc7b3GLT2a13GX2mWA86qmxWhh4mOp4gfFQwQ= +github.com/tektoncd/pipeline v0.66.0 h1:WLL98YEgWzblSAD2mPbpZN97tkOC50wiftaW+8+6zTY= +github.com/tektoncd/pipeline v0.66.0/go.mod h1:V3cyfxxc7b3GLT2a13GX2mWA86qmxWhh4mOp4gfFQwQ= github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8= github.com/vbatts/tar-split v0.11.3 h1:hLFqsOLQ1SsppQNTMpkpPXClLDfC2A3Zgy9OUU+RVck= github.com/vbatts/tar-split v0.11.3/go.mod h1:9QlHN18E+fEH7RdG+QAJJcuya3rqT7eXSTY7wGrAokY= diff --git a/task/acs-deploy-check/OWNERS b/task/acs-deploy-check/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/acs-deploy-check/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/acs-image-check/OWNERS b/task/acs-image-check/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/acs-image-check/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/acs-image-scan/OWNERS b/task/acs-image-scan/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/acs-image-scan/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team 
diff --git a/task/apply-tags/OWNERS b/task/apply-tags/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/apply-tags/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/build-image-index/OWNERS b/task/build-image-index/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/build-image-index/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/build-image-manifest/OWNERS b/task/build-image-manifest/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/build-image-manifest/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml b/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml index f212a9fb23..cb535b9f27 100644 --- a/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml +++ b/task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml @@ -89,12 +89,12 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af args: - use - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 - name: prepare - image: quay.io/konflux-ci/appstudio-utils@sha256:1f31b6443c7d114cb3b6448136a9ef3730e9c72485e45172fc11c0176a86a267 + image: quay.io/konflux-ci/appstudio-utils@sha256:980a09c9bccb6baaf4e698fc5a10a9f5b477233139a3b2a78fc54124c7599e95 workingDir: /var/workdir script: | #!/bin/bash 
@@ -132,7 +132,7 @@ spec: add: - SETFCAP - name: build - image: quay.io/konflux-ci/oras:latest@sha256:9d6db5840c70e65fefe041201cc7ffe2d1661bd0582b590b54787213ccfd76e9 + image: quay.io/konflux-ci/oras:latest@sha256:66ccc8c3698304036a42739f6e1836f3399a46645be2d3c5d6d456b9c79fff40 workingDir: /var/workdir volumeMounts: - mountPath: /mnt/trusted-ca diff --git a/task/build-maven-zip-oci-ta/OWNERS b/task/build-maven-zip-oci-ta/OWNERS deleted file mode 100644 index f6b0d684ad..0000000000 --- a/task/build-maven-zip-oci-ta/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - spmm-team -reviewers: - - spmm-team \ No newline at end of file diff --git a/task/build-maven-zip/0.1/build-maven-zip.yaml b/task/build-maven-zip/0.1/build-maven-zip.yaml index 44746710d7..3d4394976c 100644 --- a/task/build-maven-zip/0.1/build-maven-zip.yaml +++ b/task/build-maven-zip/0.1/build-maven-zip.yaml @@ -63,7 +63,7 @@ spec: name: shared steps: - - image: quay.io/konflux-ci/appstudio-utils@sha256:1f31b6443c7d114cb3b6448136a9ef3730e9c72485e45172fc11c0176a86a267 + - image: quay.io/konflux-ci/appstudio-utils@sha256:980a09c9bccb6baaf4e698fc5a10a9f5b477233139a3b2a78fc54124c7599e95 name: prepare computeResources: limits: @@ -102,7 +102,7 @@ spec: add: - SETFCAP workingDir: $(workspaces.source.path) - - image: quay.io/konflux-ci/oras:latest@sha256:9d6db5840c70e65fefe041201cc7ffe2d1661bd0582b590b54787213ccfd76e9 + - image: quay.io/konflux-ci/oras:latest@sha256:66ccc8c3698304036a42739f6e1836f3399a46645be2d3c5d6d456b9c79fff40 name: build computeResources: limits: diff --git a/task/build-maven-zip/OWNERS b/task/build-maven-zip/OWNERS deleted file mode 100644 index 890ac12991..0000000000 --- a/task/build-maven-zip/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - spmm-team -reviewers: - - spmm-team 
diff --git a/task/build-vm-image/0.1/build-vm-image.yaml b/task/build-vm-image/0.1/build-vm-image.yaml index 5ada826f85..009ad27703 100644 --- a/task/build-vm-image/0.1/build-vm-image.yaml +++ b/task/build-vm-image/0.1/build-vm-image.yaml @@ -65,7 +65,7 @@ spec: name: varlibcontainers steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source diff --git a/task/build-vm-image/OWNERS b/task/build-vm-image/OWNERS deleted file mode 100644 index ee96080120..0000000000 --- a/task/build-vm-image/OWNERS +++ /dev/null @@ -1,7 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- arewm -- brianwcook -- ralphbean -- scoheb diff --git a/task/buildah-10gb/OWNERS b/task/buildah-10gb/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-10gb/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-20gb/OWNERS b/task/buildah-20gb/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-20gb/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-24gb/OWNERS b/task/buildah-24gb/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-24gb/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-6gb/OWNERS b/task/buildah-6gb/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-6gb/OWNERS +++ /dev/null 
@@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-8gb/OWNERS b/task/buildah-8gb/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-8gb/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-min/OWNERS b/task/buildah-min/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-min/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index 9225ffff66..cf47fc5e8a 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml @@ -215,7 +215,7 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 4e5bdf7c8d..bcf4db60ee 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -221,7 +221,7 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source 
@@ -559,19 +559,6 @@ spec: #!/bin/bash set -e - retry() { - status=-1 - max_run=5 - sleep_sec=10 - - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - "$@" && break || status=$? - done - return $status - } - ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then echo "INFO: Using mounted CA bundle: $ca_bundle" @@ -579,21 +566,26 @@ spec: update-ca-trust fi + retries=5 + # Push to a unique tag based on the TaskRun name to avoid race conditions echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" - if ! retry buildah push \ + if ! buildah push \ + --retry "$retries" \ --tls-verify="$TLSVERIFY" \ "$IMAGE" \ "docker://${IMAGE%:*}:$(context.taskRun.name)"; then - echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" + echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${retries} tries" exit 1 fi + # Push to a tag based on the git revision echo "Pushing to ${IMAGE}" - if ! retry buildah push \ + if ! buildah push \ + --retry "$retries" \ --tls-verify="$TLSVERIFY" \ --digestfile "/var/workdir/image-digest" "$IMAGE" \ "docker://$IMAGE"; then - echo "Failed to push sbom image to $IMAGE after ${max_run} tries" + echo "Failed to push sbom image to $IMAGE after ${retries} tries" exit 1 fi diff --git a/task/buildah-oci-ta/OWNERS b/task/buildah-oci-ta/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-oci-ta/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index d1437c8bbb..0e07f2fddd 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml 
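Review bot: `--retry "$retries"` asks buildah for 5 retries on top of the initial attempt, so the failure message `after ${retries} tries` now undercounts by one and the step makes up to six pushes where the removed retry() made five; `echo "... after $((retries + 1)) attempts"` or `retries=4` keeps the message honest. The removed loop also waited 10s between attempts and retried on any non-zero exit, whereas buildah's built-in retry uses its own shorter default delay unless `--retry-delay` is passed and only repeats errors it classifies as transient — if the 10s spacing mattered for registry rate limits, add `--retry-delay 10s`. Both rewritten failure messages still say "sbom image" although this step pushes the built image itself. The same points apply to the buildah-remote-oci-ta 0.2, buildah-remote 0.2 and buildah 0.2 hunks below.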
@@ -197,7 +197,7 @@ spec: - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 computeResources: {} - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af name: use-trusted-artifact - args: - $(params.BUILD_ARGS[*]) diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index ce75471d4e..c70529c4bd 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -211,7 +211,7 @@ spec: - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 computeResources: {} - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af name: use-trusted-artifact - args: - --build-args @@ -659,19 +659,6 @@ spec: export IMAGE fi - retry() { - status=-1 - max_run=5 - sleep_sec=10 - - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - "$@" && break || status=$? - done - return $status - } - ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then echo "INFO: Using mounted CA bundle: $ca_bundle" 
@@ -679,21 +666,26 @@ spec: update-ca-trust fi + retries=5 + # Push to a unique tag based on the TaskRun name to avoid race conditions echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" - if ! retry buildah push \ + if ! buildah push \ + --retry "$retries" \ --tls-verify="$TLSVERIFY" \ "$IMAGE" \ "docker://${IMAGE%:*}:$(context.taskRun.name)"; then - echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" + echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${retries} tries" exit 1 fi + # Push to a tag based on the git revision echo "Pushing to ${IMAGE}" - if ! retry buildah push \ + if ! buildah push \ + --retry "$retries" \ --tls-verify="$TLSVERIFY" \ --digestfile "/var/workdir/image-digest" "$IMAGE" \ "docker://$IMAGE"; then - echo "Failed to push sbom image to $IMAGE after ${max_run} tries" + echo "Failed to push sbom image to $IMAGE after ${retries} tries" exit 1 fi diff --git a/task/buildah-remote-oci-ta/OWNERS b/task/buildah-remote-oci-ta/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-remote-oci-ta/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 9f2c2d0b0e..88a1ee48f3 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -637,19 +637,6 @@ spec: export IMAGE fi - retry () { - status=-1 - max_run=5 - sleep_sec=10 - - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - "$@" && break || status=$? - done - return $status - } - ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then echo "INFO: Using mounted CA bundle: $ca_bundle" 
@@ -657,23 +644,28 @@ spec: update-ca-trust fi + retries=5 + # Push to a unique tag based on the TaskRun name to avoid race conditions echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" - if ! retry buildah push \ + if ! buildah push \ + --retry "$retries" \ --tls-verify="$TLSVERIFY" \ "$IMAGE" \ "docker://${IMAGE%:*}:$(context.taskRun.name)"; then - echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" + echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${retries} tries" exit 1 fi + # Push to a tag based on the git revision echo "Pushing to ${IMAGE}" - if ! retry buildah push \ + if ! buildah push \ + --retry "$retries" \ --tls-verify="$TLSVERIFY" \ --digestfile "$(workspaces.source.path)/image-digest" "$IMAGE" \ "docker://$IMAGE"; then - echo "Failed to push sbom image to $IMAGE after ${max_run} tries" + echo "Failed to push sbom image to $IMAGE after ${retries} tries" exit 1 fi diff --git a/task/buildah-remote/OWNERS b/task/buildah-remote/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-remote/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah-rhtap/0.1/buildah-rhtap.yaml b/task/buildah-rhtap/0.1/buildah-rhtap.yaml index 91c621e794..db92791893 100644 --- a/task/buildah-rhtap/0.1/buildah-rhtap.yaml +++ b/task/buildah-rhtap/0.1/buildah-rhtap.yaml @@ -103,6 +103,13 @@ spec: --digestfile /tmp/files/image-digest $IMAGE \ docker://$IMAGE + # Push the image to a unique tag to avoid race conditions + buildah push \ + --tls-verify="$TLSVERIFY" \ + --retry=5 \ + --digestfile /tmp/files/image-digest "$IMAGE" \ + "docker://${IMAGE%:*}:$(context.taskRun.name)" + # Set task results buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) cat /tmp/files/image-digest | tee $(results.IMAGE_DIGEST.path) 
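Review bot: The added unique-tag push passes `--digestfile /tmp/files/image-digest`, which overwrites the digest file the preceding push (the context lines just above) already produced and that `tee` later copies into IMAGE_DIGEST; the two digests should be identical, but the result now describes the second push rather than the `$IMAGE` push, so drop `--digestfile /tmp/files/image-digest` from the new command or push the unique tag first and `$IMAGE` with `--digestfile` second, as the buildah task hunks in this commit do. The new command quotes `"$IMAGE"` while the existing push uses a bare `$IMAGE`, and if the existing push, whose first lines are outside the hunk, has no `--retry`, aligning both commands would be consistent. Whether this script runs with `set -e` so that a failed push aborts before results are written is also outside the hunk.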
diff --git a/task/buildah-rhtap/OWNERS b/task/buildah-rhtap/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah-rhtap/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 3a6a9f70a9..34fdcbfa8b 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -500,19 +500,6 @@ spec: #!/bin/bash set -e - retry () { - status=-1 - max_run=5 - sleep_sec=10 - - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - "$@" && break || status=$? - done - return $status - } - ca_bundle=/mnt/trusted-ca/ca-bundle.crt if [ -f "$ca_bundle" ]; then echo "INFO: Using mounted CA bundle: $ca_bundle" @@ -520,23 +507,28 @@ spec: update-ca-trust fi + retries=5 + # Push to a unique tag based on the TaskRun name to avoid race conditions echo "Pushing to ${IMAGE%:*}:${TASKRUN_NAME}" - if ! retry buildah push \ + if ! buildah push \ + --retry "$retries" \ --tls-verify="$TLSVERIFY" \ "$IMAGE" \ "docker://${IMAGE%:*}:$(context.taskRun.name)"; then - echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${max_run} tries" + echo "Failed to push sbom image to ${IMAGE%:*}:$(context.taskRun.name) after ${retries} tries" exit 1 fi + # Push to a tag based on the git revision echo "Pushing to ${IMAGE}" - if ! retry buildah push \ + if ! buildah push \ + --retry "$retries" \ --tls-verify="$TLSVERIFY" \ --digestfile "$(workspaces.source.path)/image-digest" "$IMAGE" \ "docker://$IMAGE"; then - echo "Failed to push sbom image to $IMAGE after ${max_run} tries" + echo "Failed to push sbom image to $IMAGE after ${retries} tries" exit 1 fi diff --git a/task/buildah/OWNERS b/task/buildah/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/buildah/OWNERS +++ /dev/null 
@@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/clair-scan/OWNERS b/task/clair-scan/OWNERS deleted file mode 100644 index 27203edec2..0000000000 --- a/task/clair-scan/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team diff --git a/task/clamav-scan/OWNERS b/task/clamav-scan/OWNERS deleted file mode 100644 index 27203edec2..0000000000 --- a/task/clamav-scan/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team diff --git a/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml b/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml index 2b2ab003a9..4fb21f98c2 100644 --- a/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml +++ b/task/coverity-availability-check-oci-ta/0.1/coverity-availability-check-oci-ta.yaml @@ -51,7 +51,7 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source diff --git a/task/coverity-availability-check-oci-ta/OWNERS b/task/coverity-availability-check-oci-ta/OWNERS deleted file mode 100644 index 4f4bc81c01..0000000000 --- a/task/coverity-availability-check-oci-ta/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team - - kdudka 
diff --git a/task/coverity-availability-check/OWNERS b/task/coverity-availability-check/OWNERS deleted file mode 100644 index 4f4bc81c01..0000000000 --- a/task/coverity-availability-check/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team - - kdudka diff --git a/task/deprecated-image-check/OWNERS b/task/deprecated-image-check/OWNERS deleted file mode 100644 index 27203edec2..0000000000 --- a/task/deprecated-image-check/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team diff --git a/task/download-sbom-from-url-in-attestation/OWNERS b/task/download-sbom-from-url-in-attestation/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/download-sbom-from-url-in-attestation/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/eaas-provision-space/OWNERS b/task/eaas-provision-space/OWNERS deleted file mode 100644 index 02ba027134..0000000000 --- a/task/eaas-provision-space/OWNERS +++ /dev/null @@ -1,8 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- amisstea -- omeramsc -- avi-biton -- yftacherzog -- hmariset diff --git a/task/ecosystem-cert-preflight-checks/OWNERS b/task/ecosystem-cert-preflight-checks/OWNERS deleted file mode 100644 index 167186ef1c..0000000000 --- a/task/ecosystem-cert-preflight-checks/OWNERS +++ /dev/null @@ -1,11 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - skattoju - - acornett21 - - bcrochet - - komish -reviewers: - - skattoju - - acornett21 - - bcrochet - - komish diff --git a/task/fbc-related-image-check/OWNERS b/task/fbc-related-image-check/OWNERS deleted file mode 100644 index 27203edec2..0000000000 --- a/task/fbc-related-image-check/OWNERS +++ /dev/null 
@@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team diff --git a/task/fbc-validation/OWNERS b/task/fbc-validation/OWNERS deleted file mode 100644 index 27203edec2..0000000000 --- a/task/fbc-validation/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team diff --git a/task/gather-deploy-images/OWNERS b/task/gather-deploy-images/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/gather-deploy-images/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/generate-labels/OWNERS b/task/generate-labels/OWNERS deleted file mode 100644 index 3d74ca650b..0000000000 --- a/task/generate-labels/OWNERS +++ /dev/null @@ -1,7 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team - - ralphbean -reviewers: - - build-team - - ralphbean diff --git a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml index 6022da7ed3..eb4737e765 100644 --- a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml +++ b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml @@ -21,7 +21,7 @@ spec: description: Directory to write the result .repo files. steps: - name: generate-odcs-compose - image: quay.io/redhat-appstudio/tools@sha256:87c71bdc6f1925de3566fe9ff7237ce122063f5972f533722868b84fb5616b61 + image: quay.io/redhat-appstudio/tools@sha256:6676c661b5d56faa1b377218c32d2825571a9e275c32f77e521376580f4a2f4a env: - name: CLIENT_ID valueFrom: diff --git a/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml index c2f4ca4f3f..9eed809b00 100644 --- a/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml 
+++ b/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml @@ -21,7 +21,7 @@ spec: description: Directory to write the result .repo files. steps: - name: generate-odcs-compose - image: quay.io/redhat-appstudio/tools@sha256:87c71bdc6f1925de3566fe9ff7237ce122063f5972f533722868b84fb5616b61 + image: quay.io/redhat-appstudio/tools@sha256:6676c661b5d56faa1b377218c32d2825571a9e275c32f77e521376580f4a2f4a env: - name: CLIENT_ID valueFrom: diff --git a/task/generate-odcs-compose/OWNERS b/task/generate-odcs-compose/OWNERS deleted file mode 100644 index eb271a7024..0000000000 --- a/task/generate-odcs-compose/OWNERS +++ /dev/null @@ -1,7 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners - -approvers: -- gbenhaim -- avi-biton -- amisstea -- yftacherzog diff --git a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml index 579931cc9e..3629da9fd7 100644 --- a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml +++ b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml @@ -298,7 +298,7 @@ spec: check_symlinks fi - name: create-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af args: - create - --store diff --git a/task/git-clone-oci-ta/OWNERS b/task/git-clone-oci-ta/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/git-clone-oci-ta/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/git-clone/OWNERS b/task/git-clone/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/git-clone/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team 
diff --git a/task/init/OWNERS b/task/init/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/init/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/inspect-image/OWNERS b/task/inspect-image/OWNERS deleted file mode 100644 index 27203edec2..0000000000 --- a/task/inspect-image/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - integration-team -reviewers: - - integration-team diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml index 1457c93420..63b889abeb 100644 --- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml +++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml @@ -66,7 +66,7 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source diff --git a/task/operator-sdk-generate-bundle/OWNERS b/task/operator-sdk-generate-bundle/OWNERS deleted file mode 100644 index b8c9b567aa..0000000000 --- a/task/operator-sdk-generate-bundle/OWNERS +++ /dev/null @@ -1,7 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: -- jbpratt -- gurnben -reviewers: -- jbpratt -- gurnben diff --git a/task/opm-get-bundle-version/OWNERS b/task/opm-get-bundle-version/OWNERS deleted file mode 100644 index 54bf30ad65..0000000000 --- a/task/opm-get-bundle-version/OWNERS +++ /dev/null @@ -1,6 +0,0 @@ -approvers: -- jbpratt -- gurnben -reviewers: -- jbpratt -- gurnben diff --git a/task/opm-render-bundles/OWNERS b/task/opm-render-bundles/OWNERS deleted file mode 100644 index b8c9b567aa..0000000000 
--- a/task/opm-render-bundles/OWNERS +++ /dev/null @@ -1,7 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: -- jbpratt -- gurnben -reviewers: -- jbpratt -- gurnben diff --git a/task/prefetch-dependencies-oci-ta/0.1/README.md b/task/prefetch-dependencies-oci-ta/0.1/README.md index 48065f95ea..73e8ebb5d5 100644 --- a/task/prefetch-dependencies-oci-ta/0.1/README.md +++ b/task/prefetch-dependencies-oci-ta/0.1/README.md @@ -26,6 +26,7 @@ params: ## Parameters |name|description|default value|required| |---|---|---|---| +|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false| |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| |caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| |caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| diff --git a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml index ecc4b44d93..87deeb25b5 100644 --- a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml +++ b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml @@ -33,6 +33,10 @@ spec: [available configuration parameters]: https://github.com/containerbuildsystem/cachi2?tab=readme-ov-file#available-configuration-parameters params: + - name: ACTIVATION_KEY + description: Name of secret which contains subscription activation key + type: string + default: activation-key - name: SOURCE_ARTIFACT description: The Trusted Artifact URI pointing to the artifact with the application source code. 
@@ -79,8 +83,16 @@ spec: the application source code. type: string volumes: + - name: activation-key + secret: + optional: true + secretName: $(params.ACTIVATION_KEY) - name: config emptyDir: {} + - name: etc-pki-entitlement + emptyDir: {} + - name: shared + emptyDir: {} - name: trusted-ca configMap: items: @@ -110,6 +122,8 @@ spec: volumeMounts: - mountPath: /mnt/config name: config + - mountPath: /shared + name: shared - mountPath: /var/workdir name: workdir steps: @@ -130,7 +144,7 @@ spec: echo -n "" >$(results.CACHI2_ARTIFACT.path) fi - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source 
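Review bot: The new `etc-pki-entitlement` emptyDir volume is declared but none of the volumeMounts added in this commit reference it (the steps mount `activation-key` and `shared`), so unless a mount exists outside the diff it is dead configuration and should be removed. The same unused volume is added to task/prefetch-dependencies/0.1/prefetch-dependencies.yaml in its `@@ -175,6 +359,14` hunk. `optional: true` on the `activation-key` secret is the right choice here, since the register step checks for `/activation-key/org` before using it.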
@@ -143,15 +157,159 @@ spec: # https://github.com/containerbuildsystem/cachi2/issues/577 yq 'del(.goproxy_url)' <<<"${CONFIG_FILE_CONTENT}" >/mnt/config/config.yaml fi + - name: check-prefetch-input + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + env: + - name: INPUT + value: $(params.input) + script: | + if [ -z "${INPUT}" ]; then + # Confirm input was provided though it's likely the whole task would be skipped if it wasn't + echo "No prefetch will be performed because no input was provided for cachi2 fetch-deps" + echo "skip" >/shared/skip + fi + - name: register-red-hat + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + results: + - name: registered + type: string + volumeMounts: + - mountPath: /activation-key + name: activation-key + env: + - name: INPUT + value: $(params.input) + - name: ACTIVATION_KEY + value: $(params.ACTIVATION_KEY) + script: | + #!/bin/bash + if [ -f /shared/skip ]; then + echo "Skipping." + exit 0 + fi + + echo "false" >/shared/registered + ACTIVATION_KEY_PATH="/activation-key" + + mkdir -p /shared/rhsm/entitlement + mkdir -p /shared/rhsm/consumer + + if [ -e /activation-key/org ]; then + cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key + + echo "Registering with Red Hat subscription manager." 
+ subscription-manager register --org "$(cat /tmp/activation-key/org)" --activationkey "$(cat /tmp/activation-key/activationkey)" + + # copy generated certificates to /shared/rhsm + cp /etc/pki/entitlement/*.pem /shared/rhsm/entitlement/ + cp /etc/pki/consumer/*.pem /shared/rhsm/consumer/ + + file="$(find /shared/rhsm/entitlement -regextype egrep -regex '.*[0-9]+\.pem' -printf %f)" + echo "file: $file" + basename "$file" .pem >/shared/RHSM_ID + echo "./RHSM_ID:" + cat /shared/RHSM_ID + + # trust the CA used for Red Hat CDN + cp /etc/rhsm-host/ca/redhat-uep.pem /shared/rhsm/redhat-uep.pem + fi + - name: preprocess-input + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + args: + - $(params.input) + env: + - name: INPUT + value: $(params.input) + - name: ACTIVATION_KEY + value: $(params.ACTIVATION_KEY) + script: | + #!/bin/python3 + import json + import os + import sys + + + def string_to_json(input: str): + if input in ['bundler', 'generic', 'gomod', 'npm', 'pip', 'rpm', 'yarn-classic', 'yarn']: + input = '{"type": "%s"}' % input + print("json: %s" % input) + return input + + + def json_to_list(input: str): + input = json.loads(input) + if type(input) is dict: + input = [input] + return json.dumps(input) + + + def inject_certs(input: str, rhsm_id: str): + input_list: list = json.loads(input) + + cert = ("/shared/rhsm/entitlement/%s.pem" % rhsm_id) + key = ("/shared/rhsm/entitlement/%s-key.pem" % rhsm_id) + ca_bundle = os.getenv("CA_BUNDLE", None) + for pkg_man in input_list: + if pkg_man["type"] == "rpm": + + # preserve verify setting + verify = \ + pkg_man.get("options", {}).get("ssl", {}).get("ssl_verify", 1) + + # preserve other options + options: dict = pkg_man.get('options', {}) + + ssl_options = { + "client_key": key, + "client_cert": cert, + "ca_bundle": ca_bundle, + "ssl_verify": verify} + + options['ssl'] = ssl_options + pkg_man["options"] = options + return (json.dumps(input_list)) + + + 
def convert_input(input, rhsm_id): + input = string_to_json(input) + input = json_to_list(input) + input = inject_certs(input, rhsm_id) + return input + + + if __name__ == '__main__': + + if os.path.isfile("/shared/skip"): + sys.exit() + + rhsm_id = "" + input = "" + + try: + f = open("/shared/RHSM_ID", "r") + rhsm_id = f.read().strip("\n") + except FileNotFoundError: + print("No RHSM ID found.") + + if rhsm_id == "": + input = sys.argv[1] + else: + print("RHSM Cert ID is: %s" % rhsm_id) + print("Called with args: %s" % str(sys.argv)) + input = convert_input(sys.argv[1], rhsm_id) + + print("Preprocessing result: %s" % input) + with open('/shared/rhsm/preprocessed_input', 'w') as f: + f.write(input) - name: prefetch-dependencies image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d volumeMounts: - mountPath: /mnt/trusted-ca name: trusted-ca readOnly: true + - mountPath: /activation-key + name: activation-key env: - - name: INPUT - value: $(params.input) - name: DEV_PACKAGE_MANAGERS value: $(params.dev-package-managers) - name: LOG_LEVEL @@ -165,9 +323,10 @@ spec: - name: WORKSPACE_NETRC_PATH value: $(workspaces.netrc.path) script: | - if [ -z "${INPUT}" ]; then - # Confirm input was provided though it's likely the whole task would be skipped if it wasn't - echo "No prefetch will be performed because no input was provided for cachi2 fetch-deps" + #!/bin/bash + + if [ -f /shared/skip ]; then + echo "Skipping." exit 0 fi 
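Review bot: In `register-red-hat`, `subscription-manager register` and the `cp`/`find` lines after it run without `set -e` or any exit-status check, so a failed registration still lets the step succeed and `/shared/RHSM_ID` ends up empty or wrong while later steps silently continue without entitlement; adding `set -euo pipefail` after the shebang, or `subscription-manager register ... || exit 1`, would surface that. `find ... -printf %f` also emits matching names with no separator, so more than one entitlement cert yields a concatenated, unusable id; `-printf '%f\n'` plus a check that exactly one line came back keeps it deterministic. The step declares a `registered` result and writes `echo "false" >/shared/registered`, but nothing ever writes `true` or populates the declared result, so both appear to be dead and can be dropped. In `preprocess-input`, `CA_BUNDLE` is not in the step's env, so `ca_bundle` is always None and `"ca_bundle": null` is what gets injected into the rpm options. The same applies to the `@@ -74,13 +79,164` hunk of task/prefetch-dependencies/0.1/prefetch-dependencies.yaml.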
@@ -183,6 +342,16 @@ spec: dev_pacman_flag="" fi + INPUT=$(cat /shared/rhsm/preprocessed_input) + export INPUT + + # trust Red Hat CA cert used for Red Hat CDN + if [ -f /shared/rhsm/redhat-uep.pem ]; then + echo "Adding Red Hat CA certificate to trusted roots." + cp /shared/rhsm/redhat-uep.pem /etc/pki/ca-trust/source/anchors/ + update-ca-trust + fi + # Copied from https://github.com/konflux-ci/build-definitions/blob/main/task/git-clone/0.1/git-clone.yaml if [ "${WORKSPACE_GIT_AUTH_BOUND}" = "true" ]; then if [ -f "${WORKSPACE_GIT_AUTH_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_GIT_AUTH_PATH}/.gitconfig" ]; then @@ -225,8 +394,20 @@ spec: cachi2 --log-level="$LOG_LEVEL" inject-files /var/workdir/cachi2/output \ --for-output-dir=/cachi2/output + - name: unregister-rhsm + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + script: | + #!/bin/bash + if [ -f /shared/skip ]; then + echo "Skipping." + exit 0 + fi + + cp /shared/rhsm/consumer/* /etc/pki/consumer/ + cp /shared/rhsm/entitlement/* /etc/pki/entitlement/ + subscription-manager unregister || true - name: create-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af args: - create - --store diff --git a/task/prefetch-dependencies-oci-ta/OWNERS b/task/prefetch-dependencies-oci-ta/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/prefetch-dependencies-oci-ta/OWNERS +++ /dev/null @@ -1,5 +0,0 @@ -# See the OWNERS docs: https://go.k8s.io/owners -approvers: - - build-team -reviewers: - - build-team diff --git a/task/prefetch-dependencies/0.1/README.md b/task/prefetch-dependencies/0.1/README.md index 7d03f7d3b3..df88e80b36 100644 --- a/task/prefetch-dependencies/0.1/README.md 
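Review bot: `unregister-rhsm` is an ordinary step, so when `prefetch-dependencies` fails the task stops before it and the consumer registered in `register-red-hat` is never unregistered, leaking one registration per failed run; Tekton's step-level `onError: continue` on `prefetch-dependencies`, with its exit code checked after the unregister step, is one way to guarantee the cleanup, though the right wiring depends on how callers consume this task's failures. The two `cp /shared/rhsm/.../*` lines also run when registration was skipped for lack of an activation key (the directories exist but are empty), producing `cp` errors and an unregister attempt against nothing; guarding the block with `if [ -s /shared/RHSM_ID ]; then ... fi` keeps that path clean. The same applies to the `@@ -159,6 +327,22` hunk of task/prefetch-dependencies/0.1/prefetch-dependencies.yaml.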
+++ b/task/prefetch-dependencies/0.1/README.md @@ -5,17 +5,18 @@ See docs at https://github.com/containerbuildsystem/cachi2#basic-usage. ## Configuration -Config file must be passed as a YAML string. For all available config options please check [available configuration parameters] page. +Config file must be passed as a YAML string. For all available config options please check +[available configuration parameters] page. Example of setting timeouts: ```yaml params: - - name: config-file-content - value: | - --- - requests_timeout: 300 - subprocess_timeout: 3600 + - name: config-file-content + value: | + --- + requests_timeout: 300 + subprocess_timeout: 3600 ``` [available configuration parameters]: https://github.com/containerbuildsystem/cachi2?tab=readme-ov-file#available-configuration-parameters @@ -29,6 +30,7 @@ params: |config-file-content|Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! |""|false| |caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| |caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false| ## Workspaces |name|description|optional| diff --git a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml index 1b804860bd..9a859d42de 100644 --- a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml +++ b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml @@ -53,6 +53,10 @@ spec: type: string description: The name of the key in the ConfigMap that contains the CA bundle data. default: ca-bundle.crt + - name: ACTIVATION_KEY + default: activation-key + description: Name of secret which contains subscription activation key + type: string stepTemplate: env: 
@@ -61,7 +65,8 @@ spec: volumeMounts: - name: config mountPath: /mnt/config - + - mountPath: /shared + name: shared steps: - name: sanitize-cachi2-config-file-with-yq image: quay.io/konflux-ci/yq:latest@sha256:343c2ca0a347ae87fe43750ee0873e1fe813f77eff56e9722c840bb75d97fef2 
@@ -74,13 +79,164 @@ spec: yq 'del(.goproxy_url)' <<< "${CONFIG_FILE_CONTENT}" > /mnt/config/config.yaml fi - - image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + - name: check-prefetch-input + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent - name: prefetch-dependencies env: - name: INPUT value: $(params.input) + script: | + if [ -z "${INPUT}" ] + then + # Confirm input was provided though it's likely the whole task would be skipped if it wasn't + echo "No prefetch will be performed because no input was provided for cachi2 fetch-deps" + echo "skip" > /shared/skip + fi + + - name: register-red-hat + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + env: + - name: INPUT + value: $(params.input) + - name: ACTIVATION_KEY + value: $(params.ACTIVATION_KEY) + volumeMounts: + - mountPath: /activation-key + name: activation-key + results: + - name: registered + type: string + script: | + #!/bin/bash + if [ -f /shared/skip ]; then + echo "Skipping." + exit 0 + fi + + echo "false" > /shared/registered + ACTIVATION_KEY_PATH="/activation-key" + + mkdir -p /shared/rhsm/entitlement + mkdir -p /shared/rhsm/consumer + + if [ -e /activation-key/org ]; then + cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key + + echo "Registering with Red Hat subscription manager." 
+ subscription-manager register --org "$(cat /tmp/activation-key/org)" --activationkey "$(cat /tmp/activation-key/activationkey)" + + # copy generated certificates to /shared/rhsm + cp /etc/pki/entitlement/*.pem /shared/rhsm/entitlement/ + cp /etc/pki/consumer/*.pem /shared/rhsm/consumer/ + + file="$(find /shared/rhsm/entitlement -regextype egrep -regex '.*[0-9]+\.pem' -printf %f)" + echo "file: $file" + basename "$file" .pem > /shared/RHSM_ID + echo "./RHSM_ID:" + cat /shared/RHSM_ID + + # trust the CA used for Red Hat CDN + cp /etc/rhsm-host/ca/redhat-uep.pem /shared/rhsm/redhat-uep.pem + fi + + - name: preprocess-input + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + + env: + - name: INPUT + value: $(params.input) + - name: ACTIVATION_KEY + value: $(params.ACTIVATION_KEY) + args: ["$(params.input)"] + script: | + #!/bin/python3 + import json + import os + import sys + + + def string_to_json(input: str): + if input in ['bundler', 'generic', 'gomod', 'npm', 'pip', 'rpm', 'yarn-classic', 'yarn']: + input = '{"type": "%s"}' % input + print("json: %s" % input) + return input + + + def json_to_list(input: str): + input = json.loads(input) + if type(input) is dict: + input = [input] + return json.dumps(input) + + + def inject_certs(input: str, rhsm_id: str): + input_list: list = json.loads(input) + + cert = ("/shared/rhsm/entitlement/%s.pem" % rhsm_id) + key = ("/shared/rhsm/entitlement/%s-key.pem" % rhsm_id) + ca_bundle = os.getenv("CA_BUNDLE", None) + for pkg_man in input_list: + if pkg_man["type"] == "rpm": + + # preserve verify setting + verify = \ + pkg_man.get("options", {}).get("ssl", {}).get("ssl_verify", 1) + + # preserve other options + options: dict = pkg_man.get('options', {}) + + ssl_options = { + "client_key": key, + "client_cert": cert, + 
"ca_bundle": ca_bundle, + "ssl_verify": verify} + + options['ssl'] = ssl_options + pkg_man["options"] = options + return (json.dumps(input_list)) + + + def convert_input(input, rhsm_id): + input = string_to_json(input) + input = json_to_list(input) + input = inject_certs(input, rhsm_id) + return input + + + if __name__ == '__main__': + + if os.path.isfile("/shared/skip"): + sys.exit() + + rhsm_id = "" + input = "" + + try: + f = open("/shared/RHSM_ID", "r") + rhsm_id = f.read().strip("\n") + except FileNotFoundError: + print("No RHSM ID found.") + + if rhsm_id == "": + input = sys.argv[1] + else: + print("RHSM Cert ID is: %s" % rhsm_id) + print("Called with args: %s" % str(sys.argv)) + input = convert_input(sys.argv[1], rhsm_id) + + print("Preprocessing result: %s" % input) + with open('/shared/rhsm/preprocessed_input', 'w') as f: + f.write(input) + + + - name: prefetch-dependencies + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + env: - name: DEV_PACKAGE_MANAGERS value: $(params.dev-package-managers) - name: LOG_LEVEL @@ -97,11 +253,13 @@ spec: - name: trusted-ca mountPath: /mnt/trusted-ca readOnly: true + - mountPath: /activation-key + name: activation-key script: | - if [ -z "${INPUT}" ] - then - # Confirm input was provided though it's likely the whole task would be skipped if it wasn't - echo "No prefetch will be performed because no input was provided for cachi2 fetch-deps" + #!/bin/bash + + if [ -f /shared/skip ]; then + echo "Skipping." exit 0 fi 
@@ -117,6 +275,16 @@ spec: dev_pacman_flag="" fi + INPUT=$(cat /shared/rhsm/preprocessed_input) + export INPUT + + # trust Red Hat CA cert used for Red Hat CDN + if [ -f /shared/rhsm/redhat-uep.pem ]; then + echo "Adding Red Hat CA certificate to trusted roots." + cp /shared/rhsm/redhat-uep.pem /etc/pki/ca-trust/source/anchors/ + update-ca-trust + fi + # Copied from https://github.com/konflux-ci/build-definitions/blob/main/task/git-clone/0.1/git-clone.yaml if [ "${WORKSPACE_GIT_AUTH_BOUND}" = "true" ] ; then if [ -f "${WORKSPACE_GIT_AUTH_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_GIT_AUTH_PATH}/.gitconfig" ]; then @@ -159,6 +327,22 @@ spec: cachi2 --log-level="$LOG_LEVEL" inject-files $(workspaces.source.path)/cachi2/output \ --for-output-dir=/cachi2/output + + - name: unregister-rhsm + image: quay.io/redhat-appstudio/cachi2:0.15.0@sha256:b141cb5cf4d98e6c5f668f1fe172e1d68f2a44ac1027403fbcff94ce1e68185d + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + script: | + #!/bin/bash + if [ -f /shared/skip ]; then + echo "Skipping." + exit 0 + fi + + cp /shared/rhsm/consumer/* /etc/pki/consumer/ + cp /shared/rhsm/entitlement/* /etc/pki/entitlement/ + subscription-manager unregister || true + workspaces: - name: source description: Workspace with the source code, cachi2 artifacts will be stored on the workspace as well @@ -175,6 +359,14 @@ spec: performing http(s) requests. optional: true volumes: + - name: shared + emptyDir: {} + - name: etc-pki-entitlement + emptyDir: {} + - name: activation-key + secret: + optional: true + secretName: $(params.ACTIVATION_KEY) - name: trusted-ca configMap: name: $(params.caTrustConfigMapName) diff --git a/task/prefetch-dependencies/OWNERS b/task/prefetch-dependencies/OWNERS deleted file mode 100644 index d3f0ff4a7e..0000000000 --- a/task/prefetch-dependencies/OWNERS +++ /dev/null 
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - build-team
-reviewers:
- - build-team
diff --git a/task/provision-env-with-ephemeral-namespace/OWNERS b/task/provision-env-with-ephemeral-namespace/OWNERS
deleted file mode 100644
index d90b38493a..0000000000
--- a/task/provision-env-with-ephemeral-namespace/OWNERS
+++ /dev/null
@@ -1,8 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-
-approvers:
-- gbenhaim
-- oamsalem
-- amisstea
-- avi-biton
-- yftacherzog
diff --git a/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml b/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml
index 08debbec68..4ccb25d2d2 100644
--- a/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml
+++ b/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml
@@ -53,7 +53,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/push-dockerfile-oci-ta/OWNERS b/task/push-dockerfile-oci-ta/OWNERS
deleted file mode 100644
index d3f0ff4a7e..0000000000
--- a/task/push-dockerfile-oci-ta/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - build-team
-reviewers:
- - build-team
diff --git a/task/push-dockerfile/OWNERS b/task/push-dockerfile/OWNERS
deleted file mode 100644
index d3f0ff4a7e..0000000000
--- a/task/push-dockerfile/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - build-team
-reviewers:
- - build-team
diff --git a/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml b/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml
index 977e06a05d..bb03a4da3b 100644
--- a/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml
+++ b/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml
@@ -104,7 +104,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml b/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml
index 729ab96726..f3b72cee8d 100644
--- a/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml
+++ b/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml
@@ -48,7 +48,7 @@ spec:
 optional: true
 steps:
 - name: rpms-signature-scan
- image: quay.io/redhat-appstudio/tools@sha256:87c71bdc6f1925de3566fe9ff7237ce122063f5972f533722868b84fb5616b61
+ image: quay.io/redhat-appstudio/tools@sha256:6676c661b5d56faa1b377218c32d2825571a9e275c32f77e521376580f4a2f4a
 volumeMounts:
 - name: workdir
 mountPath: "$(params.workdir)"
diff --git a/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml b/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml
index d5624143bf..105609e815 100644
--- a/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml
+++ b/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml
@@ -44,7 +44,7 @@ spec:
 optional: true
 steps:
 - name: rpms-signature-scan
- image: quay.io/redhat-appstudio/tools@sha256:87c71bdc6f1925de3566fe9ff7237ce122063f5972f533722868b84fb5616b61
+ image: quay.io/redhat-appstudio/tools@sha256:6676c661b5d56faa1b377218c32d2825571a9e275c32f77e521376580f4a2f4a
 volumeMounts:
 - name: workdir
 mountPath: "$(params.workdir)"
diff --git a/task/rpms-signature-scan/OWNERS b/task/rpms-signature-scan/OWNERS
deleted file mode 100644
index eb271a7024..0000000000
--- a/task/rpms-signature-scan/OWNERS
+++ /dev/null
@@ -1,7 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-
-approvers:
-- gbenhaim
-- avi-biton
-- amisstea
-- yftacherzog
diff --git a/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml b/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml
index caa7c87a6b..ccbcd85a6f 100644
--- a/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml
+++ b/task/sast-coverity-check-oci-ta/0.1/sast-coverity-check-oci-ta.yaml
@@ -95,7 +95,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/sast-coverity-check-oci-ta/OWNERS b/task/sast-coverity-check-oci-ta/OWNERS
deleted file mode 100644
index 4f4bc81c01..0000000000
--- a/task/sast-coverity-check-oci-ta/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - integration-team
-reviewers:
- - integration-team
- - kdudka
diff --git a/task/sast-coverity-check/OWNERS b/task/sast-coverity-check/OWNERS
deleted file mode 100644
index 4f4bc81c01..0000000000
--- a/task/sast-coverity-check/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - integration-team
-reviewers:
- - integration-team
- - kdudka
diff --git a/task/sast-shell-check-oci-ta/0.1/sast-shell-check-oci-ta.yaml b/task/sast-shell-check-oci-ta/0.1/sast-shell-check-oci-ta.yaml
index 7d068fbfe0..6739ee15db 100644
--- a/task/sast-shell-check-oci-ta/0.1/sast-shell-check-oci-ta.yaml
+++ b/task/sast-shell-check-oci-ta/0.1/sast-shell-check-oci-ta.yaml
@@ -78,7 +78,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/sast-shell-check-oci-ta/OWNERS b/task/sast-shell-check-oci-ta/OWNERS
deleted file mode 100644
index 4f4bc81c01..0000000000
--- a/task/sast-shell-check-oci-ta/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - integration-team
-reviewers:
- - integration-team
- - kdudka
diff --git a/task/sast-shell-check/OWNERS b/task/sast-shell-check/OWNERS
deleted file mode 100644
index 4f4bc81c01..0000000000
--- a/task/sast-shell-check/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - integration-team
-reviewers:
- - integration-team
- - kdudka
diff --git a/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml
index be1e51c256..2d64d316de 100644
--- a/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml
+++ b/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml
@@ -53,7 +53,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml
index 002874d713..3c7dc20079 100644
--- a/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml
+++ b/task/sast-snyk-check-oci-ta/0.2/sast-snyk-check-oci-ta.yaml
@@ -58,7 +58,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml
index ee17b49f88..2c2f79af6c 100644
--- a/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml
+++ b/task/sast-snyk-check-oci-ta/0.3/sast-snyk-check-oci-ta.yaml
@@ -89,7 +89,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/sast-snyk-check-oci-ta/OWNERS b/task/sast-snyk-check-oci-ta/OWNERS
deleted file mode 100644
index 27203edec2..0000000000
--- a/task/sast-snyk-check-oci-ta/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - integration-team
-reviewers:
- - integration-team
diff --git a/task/sast-snyk-check/OWNERS b/task/sast-snyk-check/OWNERS
deleted file mode 100644
index 4f4bc81c01..0000000000
--- a/task/sast-snyk-check/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - integration-team
-reviewers:
- - integration-team
- - kdudka
diff --git a/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml b/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml
index 3ca6d282c9..b590877aaa 100644
--- a/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml
+++ b/task/sast-unicode-check-oci-ta/0.1/sast-unicode-check-oci-ta.yaml
@@ -76,7 +76,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:a83c92fc0a1e2c785937c6612dc8c8237818535543f00ecaf6b3b77a35f76259
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/sast-unicode-check-oci-ta/OWNERS b/task/sast-unicode-check-oci-ta/OWNERS
deleted file mode 100644
index 27203edec2..0000000000
--- a/task/sast-unicode-check-oci-ta/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - integration-team
-reviewers:
- - integration-team
diff --git a/task/sast-unicode-check/OWNERS b/task/sast-unicode-check/OWNERS
deleted file mode 100644
index 4f4bc81c01..0000000000
--- a/task/sast-unicode-check/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - integration-team
-reviewers:
- - integration-team
- - kdudka
diff --git a/task/sbom-json-check/OWNERS b/task/sbom-json-check/OWNERS
deleted file mode 100644
index 27203edec2..0000000000
--- a/task/sbom-json-check/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - integration-team
-reviewers:
- - integration-team
diff --git a/task/show-sbom-rhdh/OWNERS b/task/show-sbom-rhdh/OWNERS
deleted file mode 100644
index d3f0ff4a7e..0000000000
--- a/task/show-sbom-rhdh/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - build-team
-reviewers:
- - build-team
diff --git a/task/show-sbom/OWNERS b/task/show-sbom/OWNERS
deleted file mode 100644
index d3f0ff4a7e..0000000000
--- a/task/show-sbom/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - build-team
-reviewers:
- - build-team
diff --git a/task/slack-webhook-notification/OWNERS b/task/slack-webhook-notification/OWNERS
deleted file mode 100644
index d3f0ff4a7e..0000000000
--- a/task/slack-webhook-notification/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - build-team
-reviewers:
- - build-team
diff --git a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml
index 590a027f56..53c4f0389a 100644
--- a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml
+++ b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml
@@ -55,7 +55,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/source-build-oci-ta/OWNERS b/task/source-build-oci-ta/OWNERS
deleted file mode 100644
index d3f0ff4a7e..0000000000
--- a/task/source-build-oci-ta/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - build-team
-reviewers:
- - build-team
diff --git a/task/source-build/OWNERS b/task/source-build/OWNERS
deleted file mode 100644
index d3f0ff4a7e..0000000000
--- a/task/source-build/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - build-team
-reviewers:
- - build-team
diff --git a/task/summary/OWNERS b/task/summary/OWNERS
deleted file mode 100644
index d3f0ff4a7e..0000000000
--- a/task/summary/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - build-team
-reviewers:
- - build-team
diff --git a/task/tkn-bundle-oci-ta/0.1/tkn-bundle-oci-ta.yaml b/task/tkn-bundle-oci-ta/0.1/tkn-bundle-oci-ta.yaml
index a48ab1a9f9..4e09d4c397 100644
--- a/task/tkn-bundle-oci-ta/0.1/tkn-bundle-oci-ta.yaml
+++ b/task/tkn-bundle-oci-ta/0.1/tkn-bundle-oci-ta.yaml
@@ -54,7 +54,7 @@ spec:
 name: workdir
 steps:
 - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
 args:
 - use
 - $(params.SOURCE_ARTIFACT)=/var/workdir/source
diff --git a/task/tkn-bundle-oci-ta/OWNERS b/task/tkn-bundle-oci-ta/OWNERS
deleted file mode 100644
index 9058861f0f..0000000000
--- a/task/tkn-bundle-oci-ta/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - ec-team
-reviewers:
- - ec-team
diff --git a/task/tkn-bundle/OWNERS b/task/tkn-bundle/OWNERS
deleted file mode 100644
index 9058861f0f..0000000000
--- a/task/tkn-bundle/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - ec-team
-reviewers:
- - ec-team
diff --git a/task/update-deployment/OWNERS b/task/update-deployment/OWNERS
deleted file mode 100644
index d3f0ff4a7e..0000000000
--- a/task/update-deployment/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - build-team
-reviewers:
- - build-team
diff --git a/task/update-infra-deployments/OWNERS b/task/update-infra-deployments/OWNERS
deleted file mode 100644
index d3f0ff4a7e..0000000000
--- a/task/update-infra-deployments/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - build-team
-reviewers:
- - build-team
diff --git a/task/upload-sbom-to-trustification/OWNERS b/task/upload-sbom-to-trustification/OWNERS
deleted file mode 100644
index d3f0ff4a7e..0000000000
--- a/task/upload-sbom-to-trustification/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - build-team
-reviewers:
- - build-team
diff --git a/task/validate-fbc/OWNERS b/task/validate-fbc/OWNERS
deleted file mode 100644
index 06c39544a4..0000000000
--- a/task/validate-fbc/OWNERS
+++ /dev/null
@@ -1,6 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - integration-team
-reviewers:
- - integration-team
-
diff --git a/task/verify-enterprise-contract/OWNERS b/task/verify-enterprise-contract/OWNERS
deleted file mode 100644
index 9058861f0f..0000000000
--- a/task/verify-enterprise-contract/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - ec-team
-reviewers:
- - ec-team
diff --git a/task/verify-signed-rpms/OWNERS b/task/verify-signed-rpms/OWNERS
deleted file mode 100644
index eb271a7024..0000000000
--- a/task/verify-signed-rpms/OWNERS
+++ /dev/null
@@ -1,7 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-
-approvers:
-- gbenhaim
-- avi-biton
-- amisstea
-- yftacherzog