From 1fd05256e774077297332c7977f03c0463fd2836 Mon Sep 17 00:00:00 2001 From: red-hat-konflux Date: Tue, 12 Aug 2025 14:29:15 +0000 Subject: [PATCH 1/5] Red Hat Konflux update deployment-validation-operator Signed-off-by: red-hat-konflux --- ...ment-validation-operator-pull-request.yaml | 225 +++++++++++++----- .../deployment-validation-operator-push.yaml | 225 +++++++++++++----- 2 files changed, 324 insertions(+), 126 deletions(-) diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml index ee97276d..a2cfd719 100644 --- a/.tekton/deployment-validation-operator-pull-request.yaml +++ b/.tekton/deployment-validation-operator-pull-request.yaml @@ -6,9 +6,11 @@ metadata: build.appstudio.redhat.com/commit_sha: '{{revision}}' build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: '3' - pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "master" && ( "konflux-ci/bundle/***".pathChanged() || ".tekton/deployment-validation-operator-bundle-pull-request.yaml".pathChanged() || "konflux-ci/bundle/bundle.Dockerfile".pathChanged() ) - creationTimestamp: + pipelinesascode.tekton.dev/cancel-in-progress: "true" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "master" + creationTimestamp: null labels: appstudio.openshift.io/application: deployment-validation-operator appstudio.openshift.io/component: deployment-validation-operator 
@@ -25,22 +27,19 @@ spec: value: quay.io/redhat-user-workloads/dvo-obsint-tenant/deployment-validation-operator/deployment-validation-operator:on-pr-{{revision}} - name: image-expires-after value: 5d + - name: build-platforms + value: + - linux/x86_64 - name: dockerfile value: build/Dockerfile - name: path-context value: . - - name: hermetic - value: 'true' - - name: prefetch-input - value: '[{"type": "gomod", "path": "./"}]' - - name: build-source-image - value: 'true' pipelineSpec: description: | - This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization. - _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. - This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + _Uses `buildah` to create a multi-platform container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. This pipeline requires that the [multi platform controller](https://github.com/konflux-ci/multi-platform-controller) is deployed and configured on your Konflux instance. Information is shared between tasks using OCI artifacts instead of PVCs. 
EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta?tab=tags)_ finally: - name: show-sbom params: @@ -59,7 +58,7 @@ spec: - description: Source Repository URL name: git-url type: string - - default: '' + - default: "" description: Revision of the Source Repository name: revision type: string 
@@ -67,37 +66,41 @@ spec: name: output-image type: string - default: . - description: Path to the source code of an application's component from where to build image. + description: Path to the source code of an application's component from where + to build image. name: path-context type: string - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter path-context + description: Path to the Dockerfile inside the context specified by parameter + path-context name: dockerfile type: string - - default: 'false' + - default: "false" description: Force rebuild image name: rebuild type: string - - default: 'false' + - default: "false" description: Skip checks against built image name: skip-checks type: string - - default: 'false' + - default: "false" description: Execute the build with network isolation name: hermetic type: string - - default: '' + - default: "" description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - - default: '' - description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after - - default: 'false' + type: string + - default: "false" description: Build a source image. name: build-source-image type: string - - default: 'false' + - default: "true" description: Add built image into an OCI image index name: build-image-index type: string 
@@ -105,21 +108,32 @@ spec: description: Array of --build-arg values ("arg=value" strings) for buildah name: build-args type: array - - default: '' + - default: "" description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file name: build-args-file type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + - default: + - linux/x86_64 + description: List of platforms to build the container images on. The available + set of values is determined by the configuration of the multi-platform-controller. + name: build-platforms + type: array results: - - description: '' + - description: "" name: IMAGE_URL value: $(tasks.build-image-index.results.IMAGE_URL) - - description: '' + - description: "" name: IMAGE_DIGEST value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - description: '' + - description: "" name: CHAINS-GIT_URL value: $(tasks.clone-repository.results.url) - - description: '' + - description: "" name: CHAINS-GIT_COMMIT value: $(tasks.clone-repository.results.commit) tasks: @@ -165,7 +179,7 @@ spec: - input: $(tasks.init.results.build) operator: in values: - - 'true' + - "true" workspaces: - name: basic-auth workspace: git-auth @@ -186,7 +200,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:e38599be9aafc4622545e66673c5bc2292b323834c5d852f4a39cb7d01784574 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:c5ebd3040df2511b8af762c8be946fd4ac9de60c16b81a9461534aea5979d86f - name: kind value: task resolver: bundles 
@@ -195,7 +209,12 @@ spec: workspace: git-auth - name: netrc workspace: netrc - - name: build-container + - matrix: + params: + - name: PLATFORM + value: + - $(params.build-platforms) + name: build-images params: - name: IMAGE value: $(params.output-image) @@ -216,18 +235,22 @@ spec: - $(params.build-args[*]) - name: BUILD_ARGS_FILE value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + - name: IMAGE_APPEND_PLATFORM + value: "true" runAfter: - prefetch-dependencies taskRef: params: - name: name - value: buildah-oci-ta + value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:d78d8abba7a84faa391d8b3b23be49ad8c09e9b1c0cabaed3919f64100cead2d + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:817312f371cf37c03d5583c4c8b62fda6ea11335ca2719d2159d0320e1d67dc1 - name: kind value: task resolver: bundles @@ -235,7 +258,7 @@ spec: - input: $(tasks.init.results.build) operator: in values: - - 'true' + - "true" - name: build-image-index params: - name: IMAGE @@ -248,9 +271,9 @@ spec: value: $(params.build-image-index) - name: IMAGES value: - - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - $(tasks.build-images.results.IMAGE_REF[*]) runAfter: - - build-container + - build-images taskRef: params: - name: name 
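Review bot: The new `PRIVILEGED_NESTED` parameter is wired straight from `$(params.privileged-nested)` into `buildah-remote-oci-ta` with no comment on why it must stay off; the only guidance is the param description in the earlier hunk ("should be used only with remote VMs"). Because the PipelineRun defaults it to `"false"` and nothing here sets it, a note at the pass-through would keep a future edit from flipping it casually, e.g. `# PRIVILEGED_NESTED: leave "false" — only meant for remote-VM builds; a privileged buildah on in-cluster workers presumably loses the pod isolation the trusted-artifact build relies on (confirm against the task docs)`. The `build-images` task entry begins earlier in this patch line and its `when` clause follows in the next hunk.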
@@ -264,17 +287,17 @@ spec: - input: $(tasks.init.results.build) operator: in values: - - 'true' + - "true" - name: build-source-image params: - name: BINARY_IMAGE value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - - name: BINARY_IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - build-image-index taskRef: @@ -290,11 +313,11 @@ spec: - input: $(tasks.init.results.build) operator: in values: - - 'true' + - "true" - input: $(params.build-source-image) operator: in values: - - 'true' + - "true" - name: deprecated-base-image-check params: - name: IMAGE_URL @@ -316,7 +339,7 @@ spec: - input: $(params.skip-checks) operator: in values: - - 'false' + - "false" - name: clair-scan params: - name: image-digest @@ -338,8 +361,13 @@ spec: - input: $(params.skip-checks) operator: in values: - - 'false' - - name: ecosystem-cert-preflight-checks + - "false" + - matrix: + params: + - name: platform + value: + - $(params.build-platforms) + name: ecosystem-cert-preflight-checks params: - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) @@ -358,7 +386,7 @@ spec: - input: $(params.skip-checks) operator: in values: - - 'false' + - "false" - name: sast-snyk-check params: - name: image-digest 
@@ -384,25 +412,92 @@ spec: - input: $(params.skip-checks) operator: in values: - - 'false' - - name: sast-shell-check + - "false" + - matrix: + params: + - name: image-arch + value: + - $(params.build-platforms) + name: clamav-scan params: - name: image-digest value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:cce2dfcc5bd6e91ee54aacdadad523b013eeae5cdaa7f6a4624b8cbcc040f439 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:4885741078917733a5cff8dfb3177b9fc8d42a4e04b7e8f07639e0c3b2a5b560 + - name: kind + value: task + resolver: bundles + when: + - input: 
$(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: - build-image-index taskRef: params: - name: name - value: sast-shell-check-oci-ta + value: coverity-availability-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:bf7bdde00b7212f730c1356672290af6f38d070da2c8a316987b5c32fd49e0b9 + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:db2b267dc15e4ed17f704ee91b8e9b38068e1a35b1018a328fdca621819d74c6 - name: kind value: task resolver: bundles @@ -410,25 +505,25 @@ spec: - input: $(params.skip-checks) operator: in values: - - 'false' - - name: sast-unicode-check + - "false" + - name: sast-shell-check params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - build-image-index taskRef: params: - name: name - value: sast-unicode-check-oci-ta + value: sast-shell-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:a2bde66f6b4164620298c7d709b8f08515409404000fa1dc2260d2508b135651 + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:bf7bdde00b7212f730c1356672290af6f38d070da2c8a316987b5c32fd49e0b9 - name: kind value: task resolver: bundles 
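Review bot: The `when` guard on `sast-coverity-check` only runs the scan if `coverity-availability-check` reports `success`, so a Coverity outage silently skips the SAST step and the run still goes green, which is the kind of quiet detection gap an operator wants flagged. Nothing on the new side records that this is intentional; a comment on the second `when` entry such as `# Coverity unavailable => SAST silently skipped (task shows "skipped", run still succeeds)` would at least make the degradation visible to whoever reads run results. If the tenant's release policy expects a Coverity result, the availability outcome should surface as a failure or a pipeline result rather than be swallowed by the guard. This hunk begins in the previous patch line, so the start of the `sast-coverity-check` entry is not shown here.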
@@ -436,21 +531,25 @@ spec: - input: $(params.skip-checks) operator: in values: - - 'false' - - name: clamav-scan + - "false" + - name: sast-unicode-check params: - name: image-digest value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - build-image-index taskRef: params: - name: name - value: clamav-scan + value: sast-unicode-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:cce2dfcc5bd6e91ee54aacdadad523b013eeae5cdaa7f6a4624b8cbcc040f439 + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:a2bde66f6b4164620298c7d709b8f08515409404000fa1dc2260d2508b135651 - name: kind value: task resolver: bundles @@ -458,7 +557,7 @@ spec: - input: $(params.skip-checks) operator: in values: - - 'false' + - "false" - name: apply-tags params: - name: IMAGE_URL @@ -495,7 +594,7 @@ spec: - name: name value: push-dockerfile-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:8640726ef7c5875e3b2e64c9f823921ea970674593f077cadfce3c45c9b9a2b9 + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:972990bea93c13f8afd279c0e0d4bd8c2665b48bbb3369b2c43acf194b851f5c - name: kind value: task resolver: bundles @@ -512,7 +611,7 @@ spec: - name: name value: rpms-signature-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:1b6c20ab3dbfb0972803d3ebcb2fa72642e59400c77bd66dfd82028bdd09e120 + value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:7d1c087d7d33dd97effb3b4c9f3788e4c3138da2032040d69da6929e9a3aaceb - name: kind value: task resolver: bundles 
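Review bot: `rpms-signature-scan` now resolves its bundle from `quay.io/konflux-ci/konflux-vanguard/…` while every other task in the file stays on `quay.io/konflux-ci/tekton-catalog/…`; the digest pin is retained, but the pipeline description earlier in this patch says the `trusted_task.trusted` policy passes only when every task comes from a trusted bundle, so confirm the vanguard repository is in the tenant's trusted-task data before release verification depends on it. Patch 4 in this series replaces this digest again, which suggests the value introduced here did not resolve; a digest checked against the registry should land in both pipeline files at once. A comment on the bundle line, `# konflux-vanguard is a different task repo than the rest of this file — verify it is on the trusted-task list`, would record the exception.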
@@ -520,7 +619,7 @@ spec: - input: $(params.skip-checks) operator: in values: - - 'false' + - "false" workspaces: - name: git-auth optional: true diff --git a/.tekton/deployment-validation-operator-push.yaml b/.tekton/deployment-validation-operator-push.yaml index 9fcba9ec..9f548676 100644 --- a/.tekton/deployment-validation-operator-push.yaml +++ b/.tekton/deployment-validation-operator-push.yaml @@ -5,9 +5,11 @@ metadata: build.appstudio.openshift.io/repo: https://github.com/app-sre/deployment-validation-operator?rev={{revision}} build.appstudio.redhat.com/commit_sha: '{{revision}}' build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: '3' - pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "master" - creationTimestamp: + pipelinesascode.tekton.dev/cancel-in-progress: "false" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch + == "master" + creationTimestamp: null labels: appstudio.openshift.io/application: deployment-validation-operator appstudio.openshift.io/component: deployment-validation-operator 
@@ -22,22 +24,19 @@ spec: value: '{{revision}}' - name: output-image value: quay.io/redhat-user-workloads/dvo-obsint-tenant/deployment-validation-operator/deployment-validation-operator:{{revision}} + - name: build-platforms + value: + - linux/x86_64 - name: dockerfile value: build/Dockerfile - name: path-context value: . - - name: hermetic - value: 'true' - - name: prefetch-input - value: '[{"type": "gomod", "path": "./"}]' - - name: build-source-image - value: 'true' pipelineSpec: description: | - This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization. - _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. - This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + _Uses `buildah` to create a multi-platform container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. This pipeline requires that the [multi platform controller](https://github.com/konflux-ci/multi-platform-controller) is deployed and configured on your Konflux instance. Information is shared between tasks using OCI artifacts instead of PVCs. 
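Review bot: Removing `hermetic`, `prefetch-input` and `build-source-image` from the push PipelineRun falls back to the pipelineSpec defaults declared further down in this same patch (`"false"`, `""`, `"false"`), so the on-push build of the release image now runs with network access, without Cachi2 prefetch and without a source image. Patches 2 and 3 restore those values only in the pull-request file; patch 5's subject says it ports the PR changes to the push file, but its hunk lies outside this view, so verify the push pipeline ends up with `hermetic: 'true'`, `prefetch-input: '[{"type": "gomod", "path": "./"}]'` and `build-source-image: 'true'`. The same check applies to `build-platforms`, which here lists only `linux/x86_64` while patch 3 adds `linux/arm64` for pull requests.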
EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta?tab=tags)_ finally: - name: show-sbom params: @@ -56,7 +55,7 @@ spec: - description: Source Repository URL name: git-url type: string - - default: '' + - default: "" description: Revision of the Source Repository name: revision type: string 
@@ -64,37 +63,41 @@ spec: name: output-image type: string - default: . - description: Path to the source code of an application's component from where to build image. + description: Path to the source code of an application's component from where + to build image. name: path-context type: string - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter path-context + description: Path to the Dockerfile inside the context specified by parameter + path-context name: dockerfile type: string - - default: 'false' + - default: "false" description: Force rebuild image name: rebuild type: string - - default: 'false' + - default: "false" description: Skip checks against built image name: skip-checks type: string - - default: 'false' + - default: "false" description: Execute the build with network isolation name: hermetic type: string - - default: '' + - default: "" description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - - default: '' - description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after - - default: 'false' + type: string + - default: "false" description: Build a source image. name: build-source-image type: string - - default: 'false' + - default: "true" description: Add built image into an OCI image index name: build-image-index type: string 
@@ -102,21 +105,32 @@ spec: description: Array of --build-arg values ("arg=value" strings) for buildah name: build-args type: array - - default: '' + - default: "" description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file name: build-args-file type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + - default: + - linux/x86_64 + description: List of platforms to build the container images on. The available + set of values is determined by the configuration of the multi-platform-controller. + name: build-platforms + type: array results: - - description: '' + - description: "" name: IMAGE_URL value: $(tasks.build-image-index.results.IMAGE_URL) - - description: '' + - description: "" name: IMAGE_DIGEST value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - description: '' + - description: "" name: CHAINS-GIT_URL value: $(tasks.clone-repository.results.url) - - description: '' + - description: "" name: CHAINS-GIT_COMMIT value: $(tasks.clone-repository.results.commit) tasks: @@ -162,7 +176,7 @@ spec: - input: $(tasks.init.results.build) operator: in values: - - 'true' + - "true" workspaces: - name: basic-auth workspace: git-auth @@ -183,7 +197,7 @@ spec: - name: name value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:e38599be9aafc4622545e66673c5bc2292b323834c5d852f4a39cb7d01784574 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:c5ebd3040df2511b8af762c8be946fd4ac9de60c16b81a9461534aea5979d86f - name: kind value: task resolver: bundles 
@@ -192,7 +206,12 @@ spec: workspace: git-auth - name: netrc workspace: netrc - - name: build-container + - matrix: + params: + - name: PLATFORM + value: + - $(params.build-platforms) + name: build-images params: - name: IMAGE value: $(params.output-image) @@ -213,18 +232,22 @@ spec: - $(params.build-args[*]) - name: BUILD_ARGS_FILE value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + - name: IMAGE_APPEND_PLATFORM + value: "true" runAfter: - prefetch-dependencies taskRef: params: - name: name - value: buildah-oci-ta + value: buildah-remote-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.4@sha256:d78d8abba7a84faa391d8b3b23be49ad8c09e9b1c0cabaed3919f64100cead2d + value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:817312f371cf37c03d5583c4c8b62fda6ea11335ca2719d2159d0320e1d67dc1 - name: kind value: task resolver: bundles @@ -232,7 +255,7 @@ spec: - input: $(tasks.init.results.build) operator: in values: - - 'true' + - "true" - name: build-image-index params: - name: IMAGE @@ -245,9 +268,9 @@ spec: value: $(params.build-image-index) - name: IMAGES value: - - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - $(tasks.build-images.results.IMAGE_REF[*]) runAfter: - - build-container + - build-images taskRef: params: - name: name 
@@ -261,17 +284,17 @@ spec: - input: $(tasks.init.results.build) operator: in values: - - 'true' + - "true" - name: build-source-image params: - name: BINARY_IMAGE value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - - name: BINARY_IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - build-image-index taskRef: @@ -287,11 +310,11 @@ spec: - input: $(tasks.init.results.build) operator: in values: - - 'true' + - "true" - input: $(params.build-source-image) operator: in values: - - 'true' + - "true" - name: deprecated-base-image-check params: - name: IMAGE_URL @@ -313,7 +336,7 @@ spec: - input: $(params.skip-checks) operator: in values: - - 'false' + - "false" - name: clair-scan params: - name: image-digest @@ -335,8 +358,13 @@ spec: - input: $(params.skip-checks) operator: in values: - - 'false' - - name: ecosystem-cert-preflight-checks + - "false" + - matrix: + params: + - name: platform + value: + - $(params.build-platforms) + name: ecosystem-cert-preflight-checks params: - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) @@ -355,7 +383,7 @@ spec: - input: $(params.skip-checks) operator: in values: - - 'false' + - "false" - name: sast-snyk-check params: - name: image-digest 
@@ -381,25 +409,92 @@ spec: - input: $(params.skip-checks) operator: in values: - - 'false' - - name: sast-shell-check + - "false" + - matrix: + params: + - name: image-arch + value: + - $(params.build-platforms) + name: clamav-scan params: - name: image-digest value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:cce2dfcc5bd6e91ee54aacdadad523b013eeae5cdaa7f6a4624b8cbcc040f439 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:4885741078917733a5cff8dfb3177b9fc8d42a4e04b7e8f07639e0c3b2a5b560 + - name: kind + value: task + resolver: bundles + when: + - input: 
$(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: - build-image-index taskRef: params: - name: name - value: sast-shell-check-oci-ta + value: coverity-availability-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:bf7bdde00b7212f730c1356672290af6f38d070da2c8a316987b5c32fd49e0b9 + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:db2b267dc15e4ed17f704ee91b8e9b38068e1a35b1018a328fdca621819d74c6 - name: kind value: task resolver: bundles @@ -407,25 +502,25 @@ spec: - input: $(params.skip-checks) operator: in values: - - 'false' - - name: sast-unicode-check + - "false" + - name: sast-shell-check params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - build-image-index taskRef: params: - name: name - value: sast-unicode-check-oci-ta + value: sast-shell-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:a2bde66f6b4164620298c7d709b8f08515409404000fa1dc2260d2508b135651 + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:bf7bdde00b7212f730c1356672290af6f38d070da2c8a316987b5c32fd49e0b9 - name: kind value: task resolver: bundles 
@@ -433,21 +528,25 @@ spec: - input: $(params.skip-checks) operator: in values: - - 'false' - - name: clamav-scan + - "false" + - name: sast-unicode-check params: - name: image-digest value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - build-image-index taskRef: params: - name: name - value: clamav-scan + value: sast-unicode-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:cce2dfcc5bd6e91ee54aacdadad523b013eeae5cdaa7f6a4624b8cbcc040f439 + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:a2bde66f6b4164620298c7d709b8f08515409404000fa1dc2260d2508b135651 - name: kind value: task resolver: bundles @@ -455,7 +554,7 @@ spec: - input: $(params.skip-checks) operator: in values: - - 'false' + - "false" - name: apply-tags params: - name: IMAGE_URL @@ -492,7 +591,7 @@ spec: - name: name value: push-dockerfile-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:8640726ef7c5875e3b2e64c9f823921ea970674593f077cadfce3c45c9b9a2b9 + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:972990bea93c13f8afd279c0e0d4bd8c2665b48bbb3369b2c43acf194b851f5c - name: kind value: task resolver: bundles @@ -509,7 +608,7 @@ spec: - name: name value: rpms-signature-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:1b6c20ab3dbfb0972803d3ebcb2fa72642e59400c77bd66dfd82028bdd09e120 + value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:7d1c087d7d33dd97effb3b4c9f3788e4c3138da2032040d69da6929e9a3aaceb - name: kind value: task resolver: bundles 
@@ -517,7 +616,7 @@ spec:
- input: $(params.skip-checks)
operator: in
values:
- - 'false'
+ - "false"
workspaces:
- name: git-auth
optional: true
From 82001a232d44efba48a987f80f153acc49b4650c Mon Sep 17 00:00:00 2001
From: Isaac
Date: Wed, 13 Aug 2025 16:32:33 +0200
Subject: [PATCH 2/5] Fix removed params customization
---
.tekton/deployment-validation-operator-pull-request.yaml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml
index a2cfd719..dc860c9f 100644
--- a/.tekton/deployment-validation-operator-pull-request.yaml
+++ b/.tekton/deployment-validation-operator-pull-request.yaml
@@ -34,6 +34,10 @@ spec:
value: build/Dockerfile
- name: path-context
value: .
+ - name: hermetic
+ value: 'true'
+ - name: prefetch-input
+ value: '[{"type": "gomod", "path": "./"}]'
pipelineSpec:
description: |
This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
From c19b5998eda1662bcb14ea4063d69070f358beda Mon Sep 17 00:00:00 2001
From: Isaac
Date: Wed, 13 Aug 2025 16:42:03 +0200
Subject: [PATCH 3/5] Fix removed params customization
---
.tekton/deployment-validation-operator-pull-request.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml
index dc860c9f..95013bee 100644
--- a/.tekton/deployment-validation-operator-pull-request.yaml
+++ b/.tekton/deployment-validation-operator-pull-request.yaml
@@ -30,6 +30,7 @@ spec:
- name: build-platforms
value:
- linux/x86_64
+ - linux/arm64
- name: dockerfile
value: build/Dockerfile
- name: path-context
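Review bot: The re-added `hermetic` and `prefetch-input` parameters in the patch 2 hunk use single-quoted values (`value: 'true'`) while patch 1 normalised the surrounding file to double-quoted strings (`- "false"`); the same applies to `build-source-image` in patch 3 and to all three parameters in the push pipeline in patch 5. Both forms parse identically here, but the mixed style will likely make the next bot regeneration produce a noisy diff on exactly these lines, so `value: "true"` is the better choice. Per the commit subject these are repo customisations the automated update dropped; nothing in the file marks them as such, so a comment such as `# repo customisation: hermetic build with gomod prefetch — keep on Konflux updates` above `- name: hermetic` would make the intent visible to the next reviewer of a bot PR.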
@@ -38,6 +39,8 @@ spec:
value: 'true'
- name: prefetch-input
value: '[{"type": "gomod", "path": "./"}]'
+ - name: build-source-image
+ value: 'true'
pipelineSpec:
description: |
This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
From e6ea6916873585865a5a38a350407bd949f2e020 Mon Sep 17 00:00:00 2001
From: Isaac
Date: Thu, 14 Aug 2025 10:06:24 +0200
Subject: [PATCH 4/5] Fix rpms-signature-scan image sha
---
.tekton/deployment-validation-operator-pull-request.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.tekton/deployment-validation-operator-pull-request.yaml b/.tekton/deployment-validation-operator-pull-request.yaml
index 95013bee..8ba8cf70 100644
--- a/.tekton/deployment-validation-operator-pull-request.yaml
+++ b/.tekton/deployment-validation-operator-pull-request.yaml
@@ -618,7 +618,7 @@ spec:
- name: name
value: rpms-signature-scan
- name: bundle
- value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:7d1c087d7d33dd97effb3b4c9f3788e4c3138da2032040d69da6929e9a3aaceb
+ value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:e127e0e0a5aab1364b560436594fe7ed67abcd5f8d6dd3ef14ac1f35cf81078c
- name: kind
value: task
resolver: bundles
From a6d42107d4bcbe86f688a55d7e59c065e3255880 Mon Sep 17 00:00:00 2001
From: Isaac
Date: Thu, 14 Aug 2025 10:38:44 +0200
Subject: [PATCH 5/5] Fix on-push pipelines with changes done on pr file
---
.tekton/deployment-validation-operator-push.yaml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.tekton/deployment-validation-operator-push.yaml b/.tekton/deployment-validation-operator-push.yaml
index 9f548676..45210f98 100644
--- a/.tekton/deployment-validation-operator-push.yaml
+++ b/.tekton/deployment-validation-operator-push.yaml
@@ -27,10 +27,17 @@ spec:
- name: build-platforms
value:
- linux/x86_64
+ - linux/arm64
- name: dockerfile
value: build/Dockerfile
- name: path-context
value: .
+ - name: hermetic
+ value: 'true'
+ - name: prefetch-input
+ value: '[{"type": "gomod", "path": "./"}]'
+ - name: build-source-image
+ value: 'true'
pipelineSpec:
description: |
This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.
@@ -608,7 +615,7 @@ spec:
- name: name
value: rpms-signature-scan
- name: bundle
- value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:7d1c087d7d33dd97effb3b4c9f3788e4c3138da2032040d69da6929e9a3aaceb
+ value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:e127e0e0a5aab1364b560436594fe7ed67abcd5f8d6dd3ef14ac1f35cf81078c
- name: kind
value: task
resolver: bundles