From 657cc30461241e7b947f63334dc4480da35cbd6d Mon Sep 17 00:00:00 2001 From: Isaac Date: Wed, 12 Mar 2025 18:37:38 +0100 Subject: [PATCH 01/23] Test hermetic build --- .tekton/deployment-validation-operator-bundle-pull-request.yaml | 2 ++ .tekton/deployment-validation-operator-pull-request.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.tekton/deployment-validation-operator-bundle-pull-request.yaml b/.tekton/deployment-validation-operator-bundle-pull-request.yaml index 79ff9807..1e9c77f0 100644 --- a/.tekton/deployment-validation-operator-bundle-pull-request.yaml +++ b/.tekton/deployment-validation-operator-bundle-pull-request.yaml @@ -31,6 +31,8 @@ spec: value: konflux-ci/bundle/bundle.Dockerfile - name: path-context value: konflux-ci/bundle + - name: HERMETIC + value: 'true' pipelineSpec: description: | This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index 58cbff0d..c3cee592 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml @@ -29,6 +29,8 @@ spec: value: build/Dockerfile - name: path-context value: . + - name: HERMETIC + value: 'true' pipelineSpec: finally: - name: show-sbom From 9853de756b8e29847b3923e061bc20655dcd1703 Mon Sep 17 00:00:00 2001 From: Isaac Date: Thu, 13 Mar 2025 11:21:42 +0100 Subject: [PATCH 02/23] Fix hermetic parameter --- .tekton/deployment-validation-operator-bundle-pull-request.yaml | 2 +- .tekton/deployment-validation-operator-pull-request.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/deployment-validation-operator-bundle-pull-request.yaml b/.tekton/deployment-validation-operator-bundle-pull-request.yaml index 1e9c77f0..50d37a57 100644 --- a/.tekton/deployment-validation-operator-bundle-pull-request.yaml 
+++ b/.tekton/deployment-validation-operator-bundle-pull-request.yaml @@ -31,7 +31,7 @@ spec: value: konflux-ci/bundle/bundle.Dockerfile - name: path-context value: konflux-ci/bundle - - name: HERMETIC + - name: hermetic value: 'true' pipelineSpec: description: | diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index c3cee592..2235cbaa 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml @@ -29,7 +29,7 @@ spec: value: build/Dockerfile - name: path-context value: . - - name: HERMETIC + - name: hermetic value: 'true' pipelineSpec: finally: From 935e7411d020181573d8575079282a2bf2972fc1 Mon Sep 17 00:00:00 2001 From: Isaac Date: Thu, 13 Mar 2025 12:55:13 +0100 Subject: [PATCH 03/23] Fix prefetch-dependencies-oci-ta task on operator component --- ...ment-validation-operator-pull-request.yaml | 19 ++++++++++--------- .../deployment-validation-operator-push.yaml | 19 ++++++++++--------- 2 files changed, 20 insertions(+), 18 deletions(-) diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index 2235cbaa..8187177a 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml 
@@ -184,27 +184,28 @@ spec: params: - name: input value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - clone-repository taskRef: params: - name: name - value: prefetch-dependencies + value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.2@sha256:fb126d78a71fa4cef9046d2563832c91ec73e0d1a7c5811b85e9d28132b7c076 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:752230a646483aebd465a942aef4f35c08e67185609ac26e19a3b931de9b7b0a - name: kind value: task resolver: bundles - when: - - input: $(params.prefetch-input) - operator: notin - values: - - "" workspaces: - - name: source - workspace: workspace - name: git-basic-auth workspace: git-auth + - name: netrc + workspace: netrc - name: build-container params: - name: IMAGE diff --git a/.tekton/deployment-validation-operator-push.yaml b/.tekton/deployment-validation-operator-push.yaml index 83d5c63f..606bec0b 100644 --- a/.tekton/deployment-validation-operator-push.yaml +++ b/.tekton/deployment-validation-operator-push.yaml 
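Review bot: The new `netrc` workspace bound to prefetch-dependencies at the end of this hunk (and the identical binding in the push-pipeline hunk on the next line) must also be declared in the PipelineRun's top-level `workspaces:` list, which is outside this hunk; if that list was not updated, Tekton rejects the run before any task starts. A workspace of that name presumably carries credentials for fetching private modules, so it is right that it is bound only to this task and not to the build task. A one-line comment at the binding, `# netrc: optional credentials for prefetching private modules; must match a PipelineRun-level workspace of the same name`, would make that dependency visible to the next editor. The task entry's `- name: prefetch-dependencies` line sits above the hunk.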
@@ -179,27 +179,28 @@ spec: params: - name: input value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - clone-repository taskRef: params: - name: name - value: prefetch-dependencies + value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.2@sha256:fb126d78a71fa4cef9046d2563832c91ec73e0d1a7c5811b85e9d28132b7c076 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:752230a646483aebd465a942aef4f35c08e67185609ac26e19a3b931de9b7b0a - name: kind value: task resolver: bundles - when: - - input: $(params.prefetch-input) - operator: notin - values: - - "" workspaces: - - name: source - workspace: workspace - name: git-basic-auth workspace: git-auth + - name: netrc + workspace: netrc - name: build-container params: - name: IMAGE From 20fd56dd82e83f8515f98d22a8c2a480629f66a1 Mon Sep 17 00:00:00 2001 From: Isaac Date: Thu, 13 Mar 2025 12:58:45 +0100 Subject: [PATCH 04/23] Fix clone-repository due to prefetch task changes --- .../deployment-validation-operator-pull-request.yaml | 10 ++++++---- .tekton/deployment-validation-operator-push.yaml | 10 ++++++---- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index 8187177a..a89cf69d 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml 
@@ -159,14 +159,18 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - init taskRef: params: - name: name - value: git-clone + value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:92cf275b60f7bd23472acc4bc6e9a4bc9a9cbd78a680a23087fa4df668b85a34 + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:944e7698434862d7d295b69718accf01b0e0cbeccd44b6d68d65e67f14b97d82 - name: kind value: task resolver: bundles @@ -176,8 +180,6 @@ spec: values: - "true" workspaces: - - name: output - workspace: workspace - name: basic-auth workspace: git-auth - name: prefetch-dependencies diff --git a/.tekton/deployment-validation-operator-push.yaml b/.tekton/deployment-validation-operator-push.yaml index 606bec0b..4fea5b67 100644 --- a/.tekton/deployment-validation-operator-push.yaml +++ b/.tekton/deployment-validation-operator-push.yaml @@ -154,14 +154,18 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - init taskRef: params: - name: name - value: git-clone + value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:92cf275b60f7bd23472acc4bc6e9a4bc9a9cbd78a680a23087fa4df668b85a34 + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:944e7698434862d7d295b69718accf01b0e0cbeccd44b6d68d65e67f14b97d82 - name: kind value: task resolver: bundles @@ -171,8 +175,6 @@ spec: values: - "true" workspaces: - - name: output - workspace: workspace - name: basic-auth workspace: git-auth - name: prefetch-dependencies From b65a75bfc6a9096926ee38922566d3e3dbcb244a Mon Sep 17 00:00:00 2001 
From: Isaac Date: Thu, 13 Mar 2025 13:10:17 +0100 Subject: [PATCH 05/23] Fix clone-repository source --- .tekton/deployment-validation-operator-pull-request.yaml | 2 ++ .tekton/deployment-validation-operator-push.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index a89cf69d..19892dbd 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml @@ -180,6 +180,8 @@ spec: values: - "true" workspaces: + - name: output + workspace: workspace - name: basic-auth workspace: git-auth - name: prefetch-dependencies diff --git a/.tekton/deployment-validation-operator-push.yaml b/.tekton/deployment-validation-operator-push.yaml index 4fea5b67..a75e62a6 100644 --- a/.tekton/deployment-validation-operator-push.yaml +++ b/.tekton/deployment-validation-operator-push.yaml @@ -175,6 +175,8 @@ spec: values: - "true" workspaces: + - name: output + workspace: workspace - name: basic-auth workspace: git-auth - name: prefetch-dependencies From b49b24fe3d30bee234f3beb22a7e59d126d8cfc3 Mon Sep 17 00:00:00 2001 From: Isaac Date: Thu, 13 Mar 2025 13:38:44 +0100 Subject: [PATCH 06/23] Revert "Fix clone-repository source" This reverts commit b65a75bfc6a9096926ee38922566d3e3dbcb244a. --- .tekton/deployment-validation-operator-pull-request.yaml | 2 -- .tekton/deployment-validation-operator-push.yaml | 2 -- 2 files changed, 4 deletions(-) diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index 19892dbd..a89cf69d 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml @@ -180,8 +180,6 @@ spec: values: - "true" workspaces: - - name: output - workspace: workspace - name: basic-auth workspace: git-auth - name: prefetch-dependencies 
diff --git a/.tekton/deployment-validation-operator-push.yaml b/.tekton/deployment-validation-operator-push.yaml index a75e62a6..4fea5b67 100644 --- a/.tekton/deployment-validation-operator-push.yaml +++ b/.tekton/deployment-validation-operator-push.yaml @@ -175,8 +175,6 @@ spec: values: - "true" workspaces: - - name: output - workspace: workspace - name: basic-auth workspace: git-auth - name: prefetch-dependencies From c6e389c813e1c32a5f4eb0f355c3d04964497c57 Mon Sep 17 00:00:00 2001 From: Isaac Date: Thu, 13 Mar 2025 13:45:57 +0100 Subject: [PATCH 07/23] Fix build-container task based on bundle tasks --- .../deployment-validation-operator-pull-request.yaml | 11 ++++++----- .tekton/deployment-validation-operator-push.yaml | 11 ++++++----- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index a89cf69d..f8599b65 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml @@ -229,14 +229,18 @@ spec: - $(params.build-args[*]) - name: BUILD_ARGS_FILE value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - prefetch-dependencies taskRef: params: - name: name - value: buildah + value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:ead333b20003e0875cdb5b73dce1c355f8e70e950d87153d711c7fe617bdb3f5 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:8cdd218d094e586ece807eb0c61b42cd6baa32c7397fe4ce9d33f6239b78c3cd - name: kind value: task resolver: bundles @@ -245,9 +249,6 @@ spec: operator: in values: - "true" - workspaces: - - name: source - workspace: workspace - name: build-source-image params: - name: BINARY_IMAGE 
diff --git a/.tekton/deployment-validation-operator-push.yaml b/.tekton/deployment-validation-operator-push.yaml index 4fea5b67..c66fbb6b 100644 --- a/.tekton/deployment-validation-operator-push.yaml +++ b/.tekton/deployment-validation-operator-push.yaml @@ -224,14 +224,18 @@ spec: - $(params.build-args[*]) - name: BUILD_ARGS_FILE value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - prefetch-dependencies taskRef: params: - name: name - value: buildah + value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:ead333b20003e0875cdb5b73dce1c355f8e70e950d87153d711c7fe617bdb3f5 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:8cdd218d094e586ece807eb0c61b42cd6baa32c7397fe4ce9d33f6239b78c3cd - name: kind value: task resolver: bundles @@ -240,9 +244,6 @@ spec: operator: in values: - "true" - workspaces: - - name: source - workspace: workspace - name: build-source-image params: - name: BINARY_IMAGE From 4609cb63996a72aee43ecdfaba47ccb78580ad0b Mon Sep 17 00:00:00 2001 From: Isaac Date: Thu, 13 Mar 2025 16:41:33 +0100 Subject: [PATCH 08/23] Fix prefetch-input for hermetic builds --- .tekton/deployment-validation-operator-pull-request.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index f8599b65..627347fd 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml @@ -31,6 +31,8 @@ spec: value: . - name: hermetic value: 'true' + - name: prefetch-input + value: '[{"type": "gomod", "path": "./.vendor"}]' pipelineSpec: finally: - name: show-sbom From fbf268cf95e6f931aad466454d969e98e3fd9cd3 Mon Sep 17 00:00:00 2001 
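Review bot: `prefetch-input` is added only to the pull-request PipelineRun, while the earlier patches in this series switched `.tekton/deployment-validation-operator-push.yaml` to the same `*-oci-ta` tasks; as far as the series shows, the push run has neither `hermetic` nor `prefetch-input`, so the image that is actually pushed would be built with network access and without cachi2-prefetched Go modules, whereas the PR build is hermetic. If the PR pipeline is meant to validate what the push pipeline ships, the push file needs the same two params (`- name: hermetic` / `value: 'true'` and a `prefetch-input` entry with the final value settled later in this series). The push pipeline's params block is not visible here, so confirm before assuming it is missing.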
From: Isaac Date: Thu, 13 Mar 2025 16:47:34 +0100 Subject: [PATCH 09/23] Fix yaml typo --- .tekton/deployment-validation-operator-pull-request.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index 627347fd..b1fa0fb8 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml @@ -32,7 +32,7 @@ spec: - name: hermetic value: 'true' - name: prefetch-input - value: '[{"type": "gomod", "path": "./.vendor"}]' + value: '[{"type": "gomod", "path": "./.vendor"}]' pipelineSpec: finally: - name: show-sbom From fc2553b7398ea03617318910ad01de2e285aa20d Mon Sep 17 00:00:00 2001 From: Isaac Date: Thu, 13 Mar 2025 16:54:57 +0100 Subject: [PATCH 10/23] Fix test gomod folder --- .tekton/deployment-validation-operator-pull-request.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index b1fa0fb8..61d74e4b 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml @@ -32,7 +32,7 @@ spec: - name: hermetic value: 'true' - name: prefetch-input - value: '[{"type": "gomod", "path": "./.vendor"}]' + value: '[{"type": "gomod", "path": "./"}]' pipelineSpec: finally: - name: show-sbom From 90b0bbc5a1694d64dd13d164888e1c9c086d643a Mon Sep 17 00:00:00 2001 From: Isaac Date: Thu, 13 Mar 2025 17:08:10 +0100 Subject: [PATCH 11/23] Add missing build-image-index task --- ...ment-validation-operator-pull-request.yaml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index 61d74e4b..6486cd3c 100644 
--- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml @@ -251,6 +251,35 @@ spec: operator: in values: - "true" + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:24feb32a91fb9960aa0a2d3a982dd549bad2d40074e1e5e3f9ae9739a66174b8 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" - name: build-source-image params: - name: BINARY_IMAGE From d9ee27647c88df6be66f196d0644183fdf8d1327 Mon Sep 17 00:00:00 2001 From: Isaac Date: Thu, 13 Mar 2025 17:09:09 +0100 Subject: [PATCH 12/23] Fix build-source-image task --- ...deployment-validation-operator-pull-request.yaml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index 6486cd3c..3c93d0f6 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml 
@@ -284,14 +284,18 @@ spec: params: - name: BINARY_IMAGE value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - - build-container + - build-image-index taskRef: params: - name: name - value: source-build + value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build:0.2@sha256:6de42f19b1bc021657f0e94fce9995cdd841c9378a732948ae2a347422e0f613 + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:183b28fc7c3ca8bc81b00d695517cd2e0b7c31e13365bcfd7e3c758ce13c489c - name: kind value: task resolver: bundles @@ -304,9 +308,6 @@ spec: operator: in values: - "true" - workspaces: - - name: workspace - workspace: workspace - name: deprecated-base-image-check params: - name: IMAGE_URL From eb6d9ae1042aae764d4edd7fde3515b335aa89cc Mon Sep 17 00:00:00 2001 From: Isaac Date: Thu, 13 Mar 2025 17:35:22 +0100 Subject: [PATCH 13/23] Revert "Fix build-source-image task" This reverts commit d9ee27647c88df6be66f196d0644183fdf8d1327. --- ...deployment-validation-operator-pull-request.yaml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index 3c93d0f6..6486cd3c 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml 
@@ -284,18 +284,14 @@ spec: params: - name: BINARY_IMAGE value: $(params.output-image) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - - build-image-index + - build-container taskRef: params: - name: name - value: source-build-oci-ta + value: source-build - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:183b28fc7c3ca8bc81b00d695517cd2e0b7c31e13365bcfd7e3c758ce13c489c + value: quay.io/konflux-ci/tekton-catalog/task-source-build:0.2@sha256:6de42f19b1bc021657f0e94fce9995cdd841c9378a732948ae2a347422e0f613 - name: kind value: task resolver: bundles @@ -308,6 +304,9 @@ spec: operator: in values: - "true" + workspaces: + - name: workspace + workspace: workspace - name: deprecated-base-image-check params: - name: IMAGE_URL From dae05f7aec34aae5d994deee91853932ad82e49d Mon Sep 17 00:00:00 2001 From: Isaac Date: Thu, 13 Mar 2025 17:35:26 +0100 Subject: [PATCH 14/23] Revert "Add missing build-image-index task" This reverts commit 90b0bbc5a1694d64dd13d164888e1c9c086d643a. --- ...ment-validation-operator-pull-request.yaml | 29 ------------------- 1 file changed, 29 deletions(-) diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index 6486cd3c..61d74e4b 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml 
@@ -251,35 +251,6 @@ spec: operator: in values: - "true" - - name: build-image-index - params: - - name: IMAGE - value: $(params.output-image) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: ALWAYS_BUILD_INDEX - value: $(params.build-image-index) - - name: IMAGES - value: - - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: build-image-index - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:24feb32a91fb9960aa0a2d3a982dd549bad2d40074e1e5e3f9ae9739a66174b8 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - name: build-source-image params: - name: BINARY_IMAGE From 98b08c8e08b10298ee4f8ac60ae414cb2333c88b Mon Sep 17 00:00:00 2001 From: Isaac Date: Thu, 13 Mar 2025 17:46:53 +0100 Subject: [PATCH 15/23] Test fixing build-source-image --- .../deployment-validation-operator-pull-request.yaml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index 61d74e4b..f43f797e 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml 
@@ -255,14 +255,18 @@ spec: params: - name: BINARY_IMAGE value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - build-container taskRef: params: - name: name - value: source-build + value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build:0.2@sha256:6de42f19b1bc021657f0e94fce9995cdd841c9378a732948ae2a347422e0f613 + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:183b28fc7c3ca8bc81b00d695517cd2e0b7c31e13365bcfd7e3c758ce13c489c - name: kind value: task resolver: bundles @@ -275,9 +279,6 @@ spec: operator: in values: - "true" - workspaces: - - name: workspace - workspace: workspace - name: deprecated-base-image-check params: - name: IMAGE_URL From eebf3804eba63a5e7a6eb128439d11e55e344678 Mon Sep 17 00:00:00 2001 From: Isaac Date: Tue, 18 Mar 2025 18:11:24 +0100 Subject: [PATCH 16/23] Fix update container image SHA --- .../deployment-validation-operator.clusterserviceversion.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/konflux-ci/bundle/manifests/deployment-validation-operator.clusterserviceversion.yaml b/konflux-ci/bundle/manifests/deployment-validation-operator.clusterserviceversion.yaml index 3945a03a..9a75db8b 100644 --- a/konflux-ci/bundle/manifests/deployment-validation-operator.clusterserviceversion.yaml +++ b/konflux-ci/bundle/manifests/deployment-validation-operator.clusterserviceversion.yaml 
@@ -104,7 +104,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace - image: quay.io/redhat-user-workloads/dvo-obsint-tenant/deployment-validation-operator/deployment-validation-operator@sha256:0e312d3edc28b931b721eb5ddc59feea4f9141707925224f6b936401b479b4b1 + image: quay.io/redhat-user-workloads/dvo-obsint-tenant/deployment-validation-operator/deployment-validation-operator@sha256:cb4a68ebedba10bbd504fb271b3b7cc52d01ed13557dcb9604059f1ba98717d1 imagePullPolicy: Always name: deployment-validation-operator ports: From 7c09a6181e3087b35a8616246267ac0e7249af6a Mon Sep 17 00:00:00 2001 From: Isaac Date: Wed, 19 Mar 2025 10:14:46 +0100 Subject: [PATCH 17/23] Test update tekton file for DVO operator image --- ...ment-validation-operator-pull-request.yaml | 205 ++++++++++-------- 1 file changed, 118 insertions(+), 87 deletions(-) diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index f43f797e..3f813ae0 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml @@ -7,7 +7,9 @@ metadata: build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' build.appstudio.redhat.com/target_branch: '{{target_branch}}' pipelinesascode.tekton.dev/max-keep-runs: "3" - pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "master" + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "master" && ( "konflux-ci/bundle/***".pathChanged() || ".tekton/deployment-validation-operator-bundle-pull-request.yaml".pathChanged() + || "konflux-ci/bundle/bundle.Dockerfile".pathChanged() ) creationTimestamp: null labels: appstudio.openshift.io/application: deployment-validation-operator 
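Review bot: The new `on-cel-expression` in `.tekton/deployment-validation-operator-pull-request.yaml` gates the operator image build on `konflux-ci/bundle/***`, the bundle pipeline file and `konflux-ci/bundle/bundle.Dockerfile` changing, which are the bundle's paths, not the operator's; this pipeline's own Dockerfile is `build/Dockerfile` (set in the first patch of this series). A pull request that touches only operator source or `build/Dockerfile` would therefore get no pre-merge build and none of the clair, snyk and clamav checks that hang off it. Unless this is deliberate for testing, the path clause should list the operator's inputs, e.g. `( "build/***".pathChanged() || ".tekton/deployment-validation-operator-pull-request.yaml".pathChanged() )` plus the source directories that feed the image, or be dropped so every PR builds.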
@@ -34,11 +36,16 @@ spec: - name: prefetch-input value: '[{"type": "gomod", "path": "./"}]' pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ finally: - name: show-sbom params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) taskRef: params: - name: name @@ -48,28 +55,6 @@ spec: - name: kind value: task resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:870d9a04d9784840a90b7bf6817cd0d0c4edfcda04b1ba1868cae625a3c3bfcc - - name: kind - value: task - resolver: bundles - workspaces: - - name: workspace - workspace: workspace params: - description: Source Repository URL name: git-url 
@@ -82,11 +67,13 @@ spec: name: output-image type: string - default: . - description: Path to the source code of an application's component from where to build image. + description: Path to the source code of an application's component from where + to build image. name: path-context type: string - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter path-context + description: Path to the Dockerfile inside the context specified by parameter + path-context name: dockerfile type: string - default: "false" @@ -105,17 +92,18 @@ spec: description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - - default: "false" - description: Java build - name: java - type: string - default: "" - description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after - - default: "true" + - default: "false" description: Build a source image. name: build-source-image type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string - default: [] description: Array of --build-arg values ("arg=value" strings) for buildah name: build-args @@ -127,10 +115,10 @@ spec: results: - description: "" name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - description: "" name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - description: "" name: CHAINS-GIT_URL value: $(tasks.clone-repository.results.url) 
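Review bot: The `build-source-image` default flips from `"true"` to `"false"` in the second hunk on this line, so unless the PipelineRun's top-level `params` (outside the hunk) sets it explicitly, the source image produced by `source-build-oci-ta` from `SOURCE_ARTIFACT`/`CACHI2_ARTIFACT` stops being built for this pipeline, and the commit message does not mention that. The same hunk removes the `java` param; if the run's params block still passes `java`, Tekton rejects the run for an undeclared parameter, so check that block too. If the source image is still wanted, keep `- default: "true"` for `build-source-image` or set it in the run's params.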
@@ -251,6 +239,35 @@ spec: operator: in values: - "true" + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:24feb32a91fb9960aa0a2d3a982dd549bad2d40074e1e5e3f9ae9739a66174b8 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" - name: build-source-image params: - name: BINARY_IMAGE @@ -260,7 +277,7 @@ spec: - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - - build-container + - build-image-index taskRef: params: - name: name @@ -282,11 +299,11 @@ spec: - name: deprecated-base-image-check params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - - build-container + - build-image-index taskRef: params: - name: name @@ -304,11 +321,11 @@ spec: - name: clair-scan params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name 
@@ -326,9 +343,9 @@ spec: - name: ecosystem-cert-preflight-checks params: - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name @@ -344,14 +361,23 @@ spec: values: - "false" - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - - build-container + - build-image-index taskRef: params: - name: name - value: sast-snyk-check + value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.3@sha256:ea2d3e305e9c8c41fafe5cea9148502ffd650f0ddfd889eee480eea85e0427e5 + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:6673cbd19e4f1872dd194c91d0b1fe14cacd3768050f6516d3888f660e0732de - name: kind value: task resolver: bundles @@ -360,22 +386,14 @@ spec: operator: in values: - "false" - workspaces: - - name: workspace - workspace: workspace - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - name: clamav-scan params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name 
@@ -390,60 +408,73 @@ spec: operator: in values: - "false" - - name: sbom-json-check + - name: apply-tags params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name - value: sbom-json-check + value: apply-tags - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sbom-json-check:0.2@sha256:8ff9631cbc61435492338e5716adce5535be9eb662ba7857210c8ed5fcb96703 + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:5e5f290359fd34ae4cc77cbbba6ef8c9907d752572d6dc2a00f5a4c504eb48bb - name: kind value: task resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: apply-tags + - name: push-dockerfile params: - name: IMAGE - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) runAfter: - - build-container + - build-image-index taskRef: params: - name: name - value: apply-tags + value: push-dockerfile-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:5e5f290359fd34ae4cc77cbbba6ef8c9907d752572d6dc2a00f5a4c504eb48bb + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:443e665458bd44f029c8e44e8d4c44e4faa8c533f129014ccb3c4c51fd89bbfc - name: kind value: task resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + 
- build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:5bc61290c6d56cb3d61409efdf522574e7d08a497f362d7456ed33d56189c4f9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" workspaces: - - name: workspace - name: git-auth optional: true + - name: netrc + optional: true taskRunTemplate: {} workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - name: git-auth secret: secretName: '{{ git_auth_secret }}' From 356d6950982454038b85acf00a495440b3ae19f0 Mon Sep 17 00:00:00 2001 From: Isaac Date: Tue, 1 Apr 2025 17:40:52 +0200 Subject: [PATCH 18/23] Fix merge conflcts leftovers and Update images SHAs --- ...ment-validation-operator-pull-request.yaml | 44 ++++--------------- 1 file changed, 9 insertions(+), 35 deletions(-) diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index 7c226298..ca766624 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml @@ -160,7 +160,7 @@ spec: - name: name value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:944e7698434862d7d295b69718accf01b0e0cbeccd44b6d68d65e67f14b97d82 + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:9709088bf3c581d4763e9804d9ee3a1f06ad6a61c23237277057c4f0cdc4f9c3 - name: kind value: task resolver: bundles 
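Review bot: The `@@ -390` hunk deletes the `sbom-json-check` task outright and none of the tasks added on the new side (`push-dockerfile`, `rpms-signature-scan`) or the retained `apply-tags` inspect the generated SBOM, so in-pipeline SBOM validation disappears without a stated replacement. If the upstream catalog has retired that task in favour of policy-side checks, record it in the commit message, e.g. `Drop sbom-json-check: superseded by Enterprise Contract SBOM validation`; otherwise keep the task and point it at `$(tasks.build-image-index.results.IMAGE_URL)` / `IMAGE_DIGEST` like the other scanners. The workspace PVC removal in the same hunk is consistent with the trusted-artifact migration and needs no change.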
@@ -189,8 +189,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.2@sha256:566272ce2983026d7fbb22b9e6fa855b61dad757e9bea450b32aa85780ca931e - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:752230a646483aebd465a942aef4f35c08e67185609ac26e19a3b931de9b7b0a + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:efc8aebec295bf5986597b6bbeebe093b2764fea79c66094e05ff3d283f54932 - name: kind value: task resolver: bundles @@ -231,7 +230,7 @@ spec: - name: name value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:8cdd218d094e586ece807eb0c61b42cd6baa32c7397fe4ce9d33f6239b78c3cd + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:25cd429104fc1e48cf2e4382d9ee475828759649a1e17c913cb8531b4729558b - name: kind value: task resolver: bundles @@ -260,8 +259,7 @@ spec: - name: name value: build-image-index - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:84583fb98c461de1ac16bd27fc744d4bf4c95b9997f8ceabca1892bb0b76c5b1 - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:24feb32a91fb9960aa0a2d3a982dd549bad2d40074e1e5e3f9ae9739a66174b8 + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:95be274b6d0432d4671e2c41294ec345121bdf01284b1c6c46b5537dc6b37e15 - name: kind value: task resolver: bundles 
@@ -285,8 +283,7 @@ spec: - name: name value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build:0.2@sha256:e8c321b8a67e421a9c3975fd9a938ca4e838976064e14c7c0eb4e1f261900b1c - value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:183b28fc7c3ca8bc81b00d695517cd2e0b7c31e13365bcfd7e3c758ce13c489c + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:9fe82c9511f282287686f918bf1a543fcef417848e7a503357e988aab2887cee - name: kind value: task resolver: bundles @@ -380,8 +377,7 @@ spec: - name: name value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.3@sha256:e0c1675c9813618910115f04fd6b3a9ff32d1bd4e2b9c975f1112aa1eae0d149 - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:6673cbd19e4f1872dd194c91d0b1fe14cacd3768050f6516d3888f660e0732de + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:a1cb59ed66a7be1949c9720660efb0a006e95ef05b3f67929dd8e310e1d7baef - name: kind value: task resolver: bundles @@ -412,28 +408,6 @@ spec: operator: in values: - "false" - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sbom-json-check:0.2@sha256:c9f3fb5aa078efd0c60be325bd664c752e7c3a611913b147d4c020d650c2631a - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - name: apply-tags params: - name: IMAGE 
@@ -445,7 +419,7 @@ spec: - name: name value: apply-tags - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:5e5f290359fd34ae4cc77cbbba6ef8c9907d752572d6dc2a00f5a4c504eb48bb + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:61c90b1c94a2a11cb11211a0d65884089b758c34254fcec164d185a402beae22 - name: kind value: task resolver: bundles @@ -468,7 +442,7 @@ spec: - name: name value: push-dockerfile-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:443e665458bd44f029c8e44e8d4c44e4faa8c533f129014ccb3c4c51fd89bbfc + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:55a4ff2910ae2e4502f3841719935d37578bd52156bc789fcdf45ff48c2b048b - name: kind value: task resolver: bundles @@ -485,7 +459,7 @@ spec: - name: name value: rpms-signature-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:5bc61290c6d56cb3d61409efdf522574e7d08a497f362d7456ed33d56189c4f9 + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:c0798ff85ad04f1553d349fe34aa4918597fb35b3b74e344dfbd5af2f3494300 - name: kind value: task resolver: bundles From 0f7d0bcd270b7ecf50204feaf0e0061549e52581 Mon Sep 17 00:00:00 2001 From: Isaac Date: Fri, 4 Apr 2025 12:12:28 +0200 Subject: [PATCH 19/23] Add missing sast tasks --- ...lidation-operator-bundle-pull-request.yaml | 52 +++++++++++++++++++ ...yment-validation-operator-bundle-push.yaml | 52 +++++++++++++++++++ ...ment-validation-operator-pull-request.yaml | 52 +++++++++++++++++++ .../deployment-validation-operator-push.yaml | 52 +++++++++++++++++++ 4 files changed, 208 insertions(+) diff --git a/.tekton/deployment-validation-operator-bundle-pull-request.yaml b/.tekton/deployment-validation-operator-bundle-pull-request.yaml index e7f39fa2..e9510c60 100644 --- a/.tekton/deployment-validation-operator-bundle-pull-request.yaml 
+++ b/.tekton/deployment-validation-operator-bundle-pull-request.yaml @@ -384,6 +384,58 @@ spec: operator: in values: - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:a591675c72f06fb9c5b1a3d60e6e4c58e4df5f7da180c7a4691a692a6e7e6496 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: [] + - name: sast-unicode-check + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.1@sha256:424f2f659c02998dc3a43e1ce869e3148982c59adb74f953f8fa91ff1c9ab86e + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: [] - name: clamav-scan params: - name: image-digest diff --git a/.tekton/deployment-validation-operator-bundle-push.yaml b/.tekton/deployment-validation-operator-bundle-push.yaml index 661f92c8..ed791ffd 100644 --- a/.tekton/deployment-validation-operator-bundle-push.yaml +++ b/.tekton/deployment-validation-operator-bundle-push.yaml 
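Review bot: `sast-unicode-check` is wired with only `image-url`, whereas the `sast-shell-check` added directly above it and the existing scanners also receive `image-digest`, so its result is tied to a tag rather than to the exact index digest that was built. If the pinned `sast-unicode-check-oci-ta:0.1` revision accepts it, add `- name: image-digest` / `value: $(tasks.build-image-index.results.IMAGE_DIGEST)` under its `params:`; if it does not, a one-line comment stating that would stop the next reader from "fixing" it. The same shape is repeated in the three sibling hunks for the bundle-push, operator pull-request and operator push pipelines.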
@@ -378,6 +378,58 @@ spec: operator: in values: - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:a591675c72f06fb9c5b1a3d60e6e4c58e4df5f7da180c7a4691a692a6e7e6496 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: [] + - name: sast-unicode-check + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.1@sha256:424f2f659c02998dc3a43e1ce869e3148982c59adb74f953f8fa91ff1c9ab86e + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: [] - name: clamav-scan params: - name: image-digest diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index ca766624..8bdc1ea4 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml 
@@ -386,6 +386,58 @@ spec: operator: in values: - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:a591675c72f06fb9c5b1a3d60e6e4c58e4df5f7da180c7a4691a692a6e7e6496 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: [] + - name: sast-unicode-check + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.1@sha256:424f2f659c02998dc3a43e1ce869e3148982c59adb74f953f8fa91ff1c9ab86e + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: [] - name: clamav-scan params: - name: image-digest diff --git a/.tekton/deployment-validation-operator-push.yaml b/.tekton/deployment-validation-operator-push.yaml index 927d28dc..efed282c 100644 --- a/.tekton/deployment-validation-operator-push.yaml +++ b/.tekton/deployment-validation-operator-push.yaml 
@@ -360,6 +360,58 @@ spec: value: $(tasks.build-container.results.IMAGE_DIGEST) - name: image-url value: $(tasks.build-container.results.IMAGE_URL) + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:a591675c72f06fb9c5b1a3d60e6e4c58e4df5f7da180c7a4691a692a6e7e6496 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: [] + - name: sast-unicode-check + params: + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.1@sha256:424f2f659c02998dc3a43e1ce869e3148982c59adb74f953f8fa91ff1c9ab86e + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: [] - name: clamav-scan params: - name: image-digest From 1484c5768dcfbe669747fbfb18073a26f43cefd0 Mon Sep 17 00:00:00 2001 
From: Isaac Date: Fri, 4 Apr 2025 12:36:45 +0200 Subject: [PATCH 20/23] Fix build-source-image missing error --- .tekton/deployment-validation-operator-bundle-pull-request.yaml | 2 ++ .tekton/deployment-validation-operator-pull-request.yaml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.tekton/deployment-validation-operator-bundle-pull-request.yaml b/.tekton/deployment-validation-operator-bundle-pull-request.yaml index e9510c60..a0b1cac0 100644 --- a/.tekton/deployment-validation-operator-bundle-pull-request.yaml +++ b/.tekton/deployment-validation-operator-bundle-pull-request.yaml @@ -33,6 +33,8 @@ spec: value: konflux-ci/bundle - name: hermetic value: 'true' + - name: build-source-image + value: 'true' pipelineSpec: description: | This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index 8bdc1ea4..5b772454 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml @@ -35,6 +35,8 @@ spec: value: 'true' - name: prefetch-input value: '[{"type": "gomod", "path": "./"}]' + - name: build-source-image + value: 'true' pipelineSpec: description: | This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. From 3af3b684e03ef81daef74ccfa26de7be5bdc93f3 Mon Sep 17 00:00:00 2001 From: Isaac Date: Wed, 9 Apr 2025 17:20:39 +0200 Subject: [PATCH 21/23] Update Konflux references --- .../deployment-validation-operator-bundle-pull-request.yaml | 6 +++--- .tekton/deployment-validation-operator-bundle-push.yaml | 6 +++--- .../deployment-validation-operator-fbc-pull-request.yaml | 2 +- .tekton/deployment-validation-operator-fbc-push.yaml | 2 +- 4 files changed, 8 insertions(+), 8 deletions(-) 
diff --git a/.tekton/deployment-validation-operator-bundle-pull-request.yaml b/.tekton/deployment-validation-operator-bundle-pull-request.yaml index a0b1cac0..27bccbd5 100644 --- a/.tekton/deployment-validation-operator-bundle-pull-request.yaml +++ b/.tekton/deployment-validation-operator-bundle-pull-request.yaml @@ -189,7 +189,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:efc8aebec295bf5986597b6bbeebe093b2764fea79c66094e05ff3d283f54932 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:153ef0382deef840d155f5146f134f39b480523a7d5c38ba9fea2b58792dd4b5 - name: kind value: task resolver: bundles @@ -230,7 +230,7 @@ spec: - name: name value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:25cd429104fc1e48cf2e4382d9ee475828759649a1e17c913cb8531b4729558b + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:174d3c420f8c9ad4ea7a16c673ac999090d66d5df1a1da278b12d87fa105503f - name: kind value: task resolver: bundles @@ -511,7 +511,7 @@ spec: - name: name value: rpms-signature-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:c0798ff85ad04f1553d349fe34aa4918597fb35b3b74e344dfbd5af2f3494300 + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:7b80f5a319d4ff1817fa097cbdbb9473635562f8ea3022e64933e387d3b68715 - name: kind value: task resolver: bundles diff --git a/.tekton/deployment-validation-operator-bundle-push.yaml b/.tekton/deployment-validation-operator-bundle-push.yaml index ed791ffd..57e0137e 100644 --- a/.tekton/deployment-validation-operator-bundle-push.yaml +++ b/.tekton/deployment-validation-operator-bundle-push.yaml 
@@ -181,7 +181,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:efc8aebec295bf5986597b6bbeebe093b2764fea79c66094e05ff3d283f54932 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:153ef0382deef840d155f5146f134f39b480523a7d5c38ba9fea2b58792dd4b5 - name: kind value: task resolver: bundles @@ -222,7 +222,7 @@ spec: - name: name value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:25cd429104fc1e48cf2e4382d9ee475828759649a1e17c913cb8531b4729558b + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:174d3c420f8c9ad4ea7a16c673ac999090d66d5df1a1da278b12d87fa105503f - name: kind value: task resolver: bundles @@ -503,7 +503,7 @@ spec: - name: name value: rpms-signature-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:c0798ff85ad04f1553d349fe34aa4918597fb35b3b74e344dfbd5af2f3494300 + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:7b80f5a319d4ff1817fa097cbdbb9473635562f8ea3022e64933e387d3b68715 - name: kind value: task resolver: bundles diff --git a/.tekton/deployment-validation-operator-fbc-pull-request.yaml b/.tekton/deployment-validation-operator-fbc-pull-request.yaml index 01e0241d..4ddabba6 100644 --- a/.tekton/deployment-validation-operator-fbc-pull-request.yaml +++ b/.tekton/deployment-validation-operator-fbc-pull-request.yaml @@ -201,7 +201,7 @@ spec: - name: name value: buildah - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:84583fb98c461de1ac16bd27fc744d4bf4c95b9997f8ceabca1892bb0b76c5b1 + value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:c84e35a51c847af65e20e3c5c5b364d7e8ef03be8057a8a02fc2a1f6e86cfaf5 - name: kind value: task resolver: bundles 
diff --git a/.tekton/deployment-validation-operator-fbc-push.yaml b/.tekton/deployment-validation-operator-fbc-push.yaml index 8471b8ab..64036953 100644 --- a/.tekton/deployment-validation-operator-fbc-push.yaml +++ b/.tekton/deployment-validation-operator-fbc-push.yaml @@ -197,7 +197,7 @@ spec: - name: name value: buildah - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:84583fb98c461de1ac16bd27fc744d4bf4c95b9997f8ceabca1892bb0b76c5b1 + value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:c84e35a51c847af65e20e3c5c5b364d7e8ef03be8057a8a02fc2a1f6e86cfaf5 - name: kind value: task resolver: bundles From ce45f7f6b2c94b9b5976c50bce1e5c07dbbcb2db Mon Sep 17 00:00:00 2001 From: Isaac Date: Wed, 9 Apr 2025 17:43:57 +0200 Subject: [PATCH 22/23] Remove problematic task on skipped scenario --- ...lidation-operator-bundle-pull-request.yaml | 20 ------------------- ...yment-validation-operator-bundle-push.yaml | 20 ------------------- 2 files changed, 40 deletions(-) diff --git a/.tekton/deployment-validation-operator-bundle-pull-request.yaml b/.tekton/deployment-validation-operator-bundle-pull-request.yaml index 27bccbd5..aa83fe58 100644 --- a/.tekton/deployment-validation-operator-bundle-pull-request.yaml +++ b/.tekton/deployment-validation-operator-bundle-pull-request.yaml @@ -340,26 +340,6 @@ spec: operator: in values: - "false" - - name: ecosystem-cert-preflight-checks - params: - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: ecosystem-cert-preflight-checks - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:00b13d06d17328e105b11619ee4db98b215ca6ac02314a4776aa5fc2a974f9c1 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - name: sast-snyk-check params: - name: image-digest 
diff --git a/.tekton/deployment-validation-operator-bundle-push.yaml b/.tekton/deployment-validation-operator-bundle-push.yaml index 57e0137e..e084caea 100644 --- a/.tekton/deployment-validation-operator-bundle-push.yaml +++ b/.tekton/deployment-validation-operator-bundle-push.yaml @@ -332,26 +332,6 @@ spec: operator: in values: - "false" - - name: ecosystem-cert-preflight-checks - params: - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: ecosystem-cert-preflight-checks - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:00b13d06d17328e105b11619ee4db98b215ca6ac02314a4776aa5fc2a974f9c1 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - name: sast-snyk-check params: - name: image-digest From 32f93eb5da00b284deec615ebe80266f49321549 Mon Sep 17 00:00:00 2001 From: Isaac Date: Wed, 9 Apr 2025 18:03:12 +0200 Subject: [PATCH 23/23] Update push pipelines with last version --- ...yment-validation-operator-bundle-push.yaml | 4 + .../deployment-validation-operator-push.yaml | 225 ++++++++++-------- 2 files changed, 133 insertions(+), 96 deletions(-) diff --git a/.tekton/deployment-validation-operator-bundle-push.yaml b/.tekton/deployment-validation-operator-bundle-push.yaml index e084caea..ba4b2a52 100644 --- a/.tekton/deployment-validation-operator-bundle-push.yaml +++ b/.tekton/deployment-validation-operator-bundle-push.yaml @@ -27,6 +27,10 @@ spec: value: konflux-ci/bundle/bundle.Dockerfile - name: path-context value: konflux-ci/bundle + - name: hermetic + value: 'true' + - name: build-source-image + value: 'true' pipelineSpec: description: | This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. 
diff --git a/.tekton/deployment-validation-operator-push.yaml b/.tekton/deployment-validation-operator-push.yaml index efed282c..6b6d49be 100644 --- a/.tekton/deployment-validation-operator-push.yaml +++ b/.tekton/deployment-validation-operator-push.yaml @@ -26,12 +26,23 @@ spec: value: build/Dockerfile - name: path-context value: . + - name: hermetic + value: 'true' + - name: prefetch-input + value: '[{"type": "gomod", "path": "./"}]' + - name: build-source-image + value: 'true' pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ finally: - name: show-sbom params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) taskRef: params: - name: name 
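Review bot: Turning on `hermetic: 'true'` for the push pipeline makes the release build depend entirely on what `prefetch-input` lists, and the value added here covers only `gomod`; anything else the Dockerfile fetches at build time (RPMs, pip, curl) will presumably fail closed under the hermetic build rather than silently reach the network. A short comment above the parameter would make that contract explicit for whoever next edits the Dockerfile, e.g. `# hermetic build: every build-time dependency must be declared in prefetch-input (currently Go modules only)`. The hunk also quotes `'true'` as a string, which is correct for Tekton string params and avoids the YAML boolean trap.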
@@ -41,28 +52,6 @@ spec: - name: kind value: task resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:870d9a04d9784840a90b7bf6817cd0d0c4edfcda04b1ba1868cae625a3c3bfcc - - name: kind - value: task - resolver: bundles - workspaces: - - name: workspace - workspace: workspace params: - description: Source Repository URL name: git-url @@ -98,17 +87,17 @@ spec: description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - - default: "false" - description: Java build - name: java - type: string - default: "" description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after - - default: "true" + - default: "false" description: Build a source image. name: build-source-image type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string - default: [] description: Array of --build-arg values ("arg=value" strings) for buildah name: build-args @@ -120,10 +109,10 @@ spec: results: - description: "" name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - description: "" name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - description: "" name: CHAINS-GIT_URL value: $(tasks.clone-repository.results.url) 
@@ -165,7 +154,7 @@ spec: - name: name value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:944e7698434862d7d295b69718accf01b0e0cbeccd44b6d68d65e67f14b97d82 + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:9709088bf3c581d4763e9804d9ee3a1f06ad6a61c23237277057c4f0cdc4f9c3 - name: kind value: task resolver: bundles @@ -194,7 +183,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.2@sha256:566272ce2983026d7fbb22b9e6fa855b61dad757e9bea450b32aa85780ca931e + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:efc8aebec295bf5986597b6bbeebe093b2764fea79c66094e05ff3d283f54932 - name: kind value: task resolver: bundles 
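Review bot: The `prefetch-dependencies-oci-ta` bundle introduced in the `@@ -194` hunk is pinned to `sha256:efc8aebe…`, the digest that patch 21 already replaced with `sha256:153ef038…` in the bundle pipelines, and the `buildah-oci-ta` digest in the `@@ -235` hunk (`sha256:25cd4291…`) is likewise the one patch 21 superseded with `sha256:174d3c42…`. The push pipeline is therefore synced from a state of the pull-request file that predates those reference updates, so the operator and bundle components now build with different task revisions. Unless that split is intentional, pin the same digests here, e.g. `value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:153ef0382deef840d155f5146f134f39b480523a7d5c38ba9fea2b58792dd4b5`, so both components execute an identical, attested task set and a digest drift cannot mask a regression in one of them.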
@@ -235,7 +224,36 @@ spec: - name: name value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.4@sha256:84583fb98c461de1ac16bd27fc744d4bf4c95b9997f8ceabca1892bb0b76c5b1 + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:25cd429104fc1e48cf2e4382d9ee475828759649a1e17c913cb8531b4729558b + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:95be274b6d0432d4671e2c41294ec345121bdf01284b1c6c46b5537dc6b37e15 - name: kind value: task resolver: bundles @@ -248,14 +266,18 @@ spec: params: - name: BINARY_IMAGE value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - - build-container + - build-image-index taskRef: params: - name: name - value: source-build + value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build:0.2@sha256:e8c321b8a67e421a9c3975fd9a938ca4e838976064e14c7c0eb4e1f261900b1c + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:9fe82c9511f282287686f918bf1a543fcef417848e7a503357e988aab2887cee - name: kind value: task resolver: bundles 
@@ -268,17 +290,14 @@ spec: operator: in values: - "true" - workspaces: - - name: workspace - workspace: workspace - name: deprecated-base-image-check params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - - build-container + - build-image-index taskRef: params: - name: name @@ -296,11 +315,11 @@ spec: - name: clair-scan params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name @@ -318,9 +337,9 @@ spec: - name: ecosystem-cert-preflight-checks params: - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name 
@@ -336,14 +355,23 @@ spec: values: - "false" - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - - build-container + - build-image-index taskRef: params: - name: name - value: sast-snyk-check + value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.3@sha256:e0c1675c9813618910115f04fd6b3a9ff32d1bd4e2b9c975f1112aa1eae0d149 + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:a1cb59ed66a7be1949c9720660efb0a006e95ef05b3f67929dd8e310e1d7baef - name: kind value: task resolver: bundles @@ -352,26 +380,18 @@ spec: operator: in values: - "false" - workspaces: - - name: workspace - workspace: workspace - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - name: sast-shell-check params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - - build-container + - build-image-index taskRef: params: - name: name 
@@ -390,13 +410,13 @@ spec: - name: sast-unicode-check params: - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - - build-container + - build-image-index taskRef: params: - name: name @@ -415,11 +435,11 @@ spec: - name: clamav-scan params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name 
@@ -434,60 +454,73 @@ spec: operator: in values: - "false" - - name: sbom-json-check + - name: apply-tags params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name - value: sbom-json-check + value: apply-tags - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sbom-json-check:0.2@sha256:c9f3fb5aa078efd0c60be325bd664c752e7c3a611913b147d4c020d650c2631a + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:61c90b1c94a2a11cb11211a0d65884089b758c34254fcec164d185a402beae22 - name: kind value: task resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: apply-tags + - name: push-dockerfile params: - name: IMAGE - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) runAfter: - - build-container + - build-image-index taskRef: params: - name: name - value: apply-tags + value: push-dockerfile-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:61c90b1c94a2a11cb11211a0d65884089b758c34254fcec164d185a402beae22 + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:55a4ff2910ae2e4502f3841719935d37578bd52156bc789fcdf45ff48c2b048b - name: kind value: task resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + 
- build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:c0798ff85ad04f1553d349fe34aa4918597fb35b3b74e344dfbd5af2f3494300 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" workspaces: - - name: workspace - name: git-auth optional: true + - name: netrc + optional: true taskRunTemplate: {} workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - name: git-auth secret: secretName: '{{ git_auth_secret }}'
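Review bot: This hunk drops the `sbom-json-check` task (the `skip-checks`-gated block that validated the generated SBOM) without a replacement visible in the diff, while the commit message only mentions the prefetch task; a removed security check should be called out explicitly. If the removal follows the upstream Konflux template (where SBOM validation was moved out of the pipeline), say so in the commit message; otherwise keep the task, rewired to `$(tasks.build-image-index.results.IMAGE_URL)` / `IMAGE_DIGEST` like its siblings. The new `rpms-signature-scan` and `push-dockerfile` tasks are wired consistently with the rest of the change, and removing the `workspace` PVC is expected once every task consumes trusted artifacts; the new optional `netrc` workspace is fine as long as the referenced secret is only mounted when actually needed.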