Add Tekton task to configure sealights for Python.

Signed-off-by: Adam Scerra <ascerra@redhat.com>

docs/SUMMARY.md

@@ -20,3 +20,4 @@
     - [yamllint](./qe-available-tasks/linters/yamllint.md)
 - Sealights
     - [Sealights Golang Instrumentation](./qe-available-tasks/sealights/go-instrumentation/go-instrumentation.md)
+    - [Sealights Python Instrumentation](./qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md)

docs/qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md

@@ -0,0 +1,112 @@
+# Sealights Python Instrumentation Tekton Task
+
+This Tekton task automates the process of instrumenting python code with Sealights for quality analytics and testing. It retrieves the source code from a trusted artifact, installs Python Sealights agent, configures the app for sealights using vars from your pipeline run, scans all .py files that are not in the --exclude step above and reports scan to sealights, and stores results to be used later on in testing. The task can be triggered by either Pull Request or other events.
+
+## Overview
+
+This task performs the following steps:
+
+1. **Retrieves** the source code from a trusted artifact.
+2. **Configures & Scans** the Python application using Sealights.
+3. **Creates** a new trusted artifact.
+
+The task can be triggered by different events (e.g., Pull Request, Push) and allows users to exclude specific Python packages from the configuration process.
+
+## Parameters
+
+| Name                  | Type     | Default       | Description                                                                                   |
+|-----------------------|----------|---------------|-----------------------------------------------------------------------------------------------|
+| `source-artifact`     | `string` | -             | The Trusted Artifact URI pointing to the source code.                                         |
+| `python-version`          | `string` | -             | The Python version to use with the 'ubi8/python' image, in the format (e.g., '311').                                                       |
+| `sealights-secret`    | `string` | -             | The name of the OpenShift secret containing Sealights credentials.                            |
+| `component`           | `string` | -             | The name of the Konflux component associated with the integration tests.                      |
+| `scm-provider`        | `string` | `github`      | The SCM provider (e.g., `github`, `gitlab`).                                                  |
+| `packages-excluded`   | `array`  | `[]`          | List of Go packages to exclude from instrumentation (e.g., `pkg1`, `github.com/lib/concurrent`). |
+| `repository-url`      | `string` | `""`          | URL of the source code repository (e.g., `github.com/org/repo`).                              |
+| `branch`              | `string` | `main`        | The Git branch to use (e.g., `main`, `feature-branch`).                                       |
+| `revision`            | `string` | -             | The Git revision (commit SHA).                                                                |
+| `test-event`          | `string` | `""`          | Indicates if the job is triggered by a Pull Request or Push event.                            |
+| `pull-request-number` | `string` | `""`          | The Pull Request number.                                                                      |
+| `target-branch`       | `string` | `main`        | The target branch for the Pull Request (e.g., `main`, `develop`).                             |
+| `oci-storage`         | `string` | -             | The OCI repository for storing the trusted artifacts.                                         |
+
+## Results
+
+| Name                | Type     | Description                                                                 |
+|---------------------|----------|-----------------------------------------------------------------------------|
+| `build-session-id`  | `string` | A unique identifier for the Sealights build session.                       |
+| `build-name`        | `string` | A unique build name generated using the commit SHA and current date.       |
+| `source-artifact`   | `string` | The URI of the trusted artifact with the application source code.          |
+
+## Volumes
+
+| Name                  | Description                                                    |
+|-----------------------|----------------------------------------------------------------|
+| `sealights-credentials` | Stores Sealights credentials from the specified secret.         |
+| `workdir`             | Temporary working directory for source code operations.        |
+
+## Steps
+
+### 1. `use-trusted-artifact`
+
+Retrieves the source code from a trusted artifact.
+
+### 2. `sealights-python-instrumentation`
+
+Configures and Scans the Python application using Sealights.
+
+### 3. `create-trusted-artifact`
+
+Creates a new trusted artifact containing the instrumented code and stores it in the specified OCI repository.
+
+## Usage Instructions
+
+### Create the Sealights Secret
+
+Ensure you have a Kubernetes secret containing your Sealights credentials. For example:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sealights-credentials
+type: Opaque
+data:
+  token: <BASE64_ENCODED_SEALIGHTS_TOKEN>
+```
+
+### Example Pipeline
+
+Here's an example of how you can use the `sealights-python-instrumentation` task in a Tekton pipelinerun during Konflux CI build.
+
+```yaml
+    - name: sealights-instrumentation
+      runAfter:
+        - clone-repository
+      taskRef:
+        resolver: git
+        params:
+          - name: url
+            value: https://github.com/konflux-ci/tekton-integration-catalog.git
+          - name: revision
+            value: main
+          - name: pathInRepo
+            value: tasks/sealights/python-instrumentation/0.1/python-instrumentation.yaml
+      params:
+        - name: source-artifact
+          value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+        - name: python-version
+          value: "311"
+        - name: sealights-secret
+          value: "sealights-credentials"
+        - name: component
+          value: '{{ repo_name }}'
+        - name: branch
+          value: '{{ source_branch }}'
+        - name: revision
+          value: '{{ revision }}'
+        - name: oci-storage
+          value: $(params.output-image).sealights.git
+        - name: packages-excluded
+          value: ['/app/tests/*']
+```

tasks/sealights/sealights-python/0.1/README.md

@@ -0,0 +1,3 @@
+# Tekton Task: Sealights Go Instrumentation
+
+Please read/update [test metadata docs](../../../../docs/qe-available-tasks/sealights/python-instrumentation/python-instrumentation.md) from docs folder.

tasks/sealights/sealights-python/0.1/sealights-python.yaml

@@ -0,0 +1,149 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: sealights-python-instrumentation
+  labels:
+    konflux-ci/sealights: "true"
+    konflux-ci/sealights-language: "python"
+spec:
+  description: >-
+    This Tekton task automates the process of configuring your Python application with Sealights for quality analytics and testing.
+    It retrieves the source code from a trusted artifact, installs Python Sealights agent, configures the app for sealights using 
+    vars from your pipeline run, scans all .py files that are not in the --exclude step above and reports scan to sealights, and
+    stores results to be used later on in testing. The task can be triggered by either Pull Request or other events.
+  results:
+    - name: sealights-bsid
+      type: string
+      description: "A unique identifier generated for the current sealights build session."
+    - name: sealights-build-name
+      type: string
+      description: "A unique build name generated using the commit SHA and current date to prevent conflicts during test reruns."
+    - name: source-artifact
+      description: The Trusted Artifact URI pointing to the artifact with the application source code.
+      type: string
+  params:
+    - name: source-artifact
+      description: The Trusted Artifact URI pointing to the artifact with the application source code.
+      type: string
+    - name: python-version
+      type: string
+      description: "The Python version to use with the 'ubi8/python' image, in the format (e.g., '311')."
+    - name: sealights-secret
+      type: string
+      description: "The name of the Openshift secret containing Sealights credentials."
+    - name: component
+      type: string
+      description: "The name of the Konflux component associated with the integration tests."
+    - name: scm-provider
+      type: string
+      default: "github"
+      description: "The source control management (SCM) provider used for the project, such as 'github', 'gitlab'."
+    - name: packages-excluded
+      type: array
+      default: []
+      description: "A list of paths to exclude from Sealights instrumentation during the code scan. Specify paths to prevent them from being analyzed (e.g., '/app/tests/*','/app/examples/*')."
+    - name: repository-url
+      type: string
+      description: "The name or URL of the source code repository (e.g., 'github.com/org/repo')."
+      default: ""
+    - name: branch
+      type: string
+      description: "The name of the Git branch to use for the operation (e.g., 'main' or 'feature-branch')."
+      default: "main"
+    - name: revision
+      type: string
+      description: "The Git revision (commit SHA) from which the test pipeline is originating."
+    - name: test-event
+      type: string
+      description: "Indicates if the job is triggered by a Pull Request or a Push event."
+      default: ""
+    - name: test-event
+      type: string
+      description: "Indicates if the job is triggered by a Pull Request or a Push event."
+      default: ""
+    - name: pull-request-number
+      type: string
+      description: "The identifier number of the pull request/merge request."
+      default: ""
+    - name: target-branch
+      type: string
+      description: "The name of the target branch for the pull request, typically the branch into which the changes will be merged (e.g., 'main', 'develop')."
+      default: "main"
+    - name: oci-storage
+      description: The OCI repository where the Trusted Artifacts are stored.
+      type: string
+  volumes:
+    - name: sealights-credentials
+      secret:
+        secretName: sealights-credentials
+    - name: workdir
+      emptyDir: {}
+  stepTemplate:
+    volumeMounts:
+      - mountPath: /app
+        name: workdir
+      - name: sealights-credentials
+        mountPath: /usr/local/sealights-credentials
+  steps:
+    - name: use-trusted-artifact
+      image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
+      args:
+        - use
+        - $(params.source-artifact)=/app/source
+    - name: sealights-python-instrumentation
+      image: registry.access.redhat.com/ubi8/python-$(params.python-version):latest
+      workingDir: /app/source
+      securityContext:
+        runAsUser: 0
+      env:
+        - name: COMPONENT
+          value: $(params.component)
+        - name: SCM_PROVIDER
+          value: $(params.scm-provider)
+        - name: REPOSITORY_URL
+          value: $(params.repository-url)
+        - name: BRANCH
+          value: $(params.branch)
+        - name: REVISION
+          value: $(params.revision)
+        - name: TEST_EVENT
+          value: $(params.test-event)
+        - name: PULL_REQUEST_NUMBER
+          value: $(params.pull-request-number)
+        - name: TARGET_BRANCH
+          value: $(params.target-branch)
+      args: ["$(params.packages-excluded[*])"] 
+      script: |
+        #!/bin/sh
+        set -euo pipefail
+
+        export SEALIGHTS_TOKEN BUILD_NAME BSID PACKAGES_EXCLUDED_ENUM
+
+        SEALIGHTS_TOKEN="$(cat /usr/local/sealights-credentials/token)"
+        BUILD_NAME="${REVISION}_$(date +'%y%m%d.%H%M')"
+        PACKAGES_EXCLUDED_ENUM="$(IFS=,; echo "$(printf "%s," $@ | sed 's/,$//')")"
+
+        # Installs Sealights Python agent.
+        pip install sealights-python-agent
+
+        echo "${TEST_EVENT}"
+
+        # Configures the app for sealights using vars from your pipeline run.
+        if [[ -n "${TEST_EVENT}" && "${TEST_EVENT}" == "pull_request" ]]; then
+          echo "[INFO] Generate build session id from a Pull Request source code"
+          sl-python prConfig --appname "${COMPONENT}" --targetbranch "${TARGET_BRANCH}" \
+            --pull-request-number "${PULL_REQUEST_NUMBER}" --latestcommit "${REVISION}" --repourl "${REPOSITORY_URL}"
+        else
+          echo "[INFO] Creating build session ID (BSID) for app: ${COMPONENT}, branch: ${BRANCH}, build: ${BUILD_NAME}..."
+          sl-python config --appname "${COMPONENT}" --branchname "${TARGET_BRANCH}" --buildname "${BUILD_NAME}" --exclude "${PACKAGES_EXCLUDED_ENUM}" --workspacepath /app --token "${SEALIGHTS_TOKEN}"
+        fi
+
+        # Configures the app for sealights using vars from your pipeline run.
+        # sl-python config --appname "${COMPONENT}" --branchname "${TARGET_BRANCH}" --buildname "${BUILD_NAME}" --exclude "${PACKAGES_EXCLUDED_ENUM}" --workspacepath /app --token "${SEALIGHTS_TOKEN}"
+        
+        # Scans all .py files that are not in the --exclude step above and reports scan to sealights.
+        sl-python scan  --buildsessionidfile buildSessionId.txt --scm "${SCM_PROVIDER}" --token "${SEALIGHTS_TOKEN}"
+
+        # Stores results to be used in future tasks for testing.
+        echo -n "$(cat buildSessionId.txt)" > $(results.sealights-bsid.path)
+        echo -n "$BUILD_NAME" > $(results.sealights-build-name.path)