task/buildah/0.1/buildah.yaml

apiVersion: tekton.dev/v1
kind: Task
metadata:
  labels:
    app.kubernetes.io/version: "0.1"
    build.appstudio.redhat.com/build_type: "docker"
  annotations:
    tekton.dev/pipelines.minVersion: "0.12.1"
    tekton.dev/tags: "image-build, konflux"
  name: buildah
spec:
  description: |-
    Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.
    In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.
    When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts.
    When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment.
  params:
  - description: Reference of the image buildah will produce.
    name: IMAGE
    type: string
  - default: ""
    description: Deprecated. Has no effect. Will be removed in the future.
    name: BUILDER_IMAGE
    type: string
  - default: ./Dockerfile
    description: Path to the Dockerfile to build.
    name: DOCKERFILE
    type: string
  - default: .
    description: Path to the directory to use as context.
    name: CONTEXT
    type: string
  - default: "true"
    description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)
    name: TLSVERIFY
    type: string
  - description: unused, should be removed in next task version
    name: DOCKER_AUTH
    type: string
    default: ""
  - default: "false"
    description: Determines if build will be executed without network access.
    name: HERMETIC
    type: string
  - default: ""
    description: In case it is not empty, the prefetched content should be made available to the build.
    name: PREFETCH_INPUT
    type: string
  - default: ""
    description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.
    name: IMAGE_EXPIRES_AFTER
    type: string
  - name: COMMIT_SHA
    description: The image is built from this commit.
    type: string
    default: ""
  - name: YUM_REPOS_D_SRC
    description: Path in the git repository in which yum repository files are stored
    default: repos.d
  - name: YUM_REPOS_D_FETCHED
    description: Path in source workspace where dynamically-fetched repos are present
    default: fetched.repos.d
  - name: YUM_REPOS_D_TARGET
    description: Target path on the container in which yum repository files should be made available
    default: /etc/yum.repos.d
  - name: TARGET_STAGE
    description: Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.
    type: string
    default: ""
  - name: ENTITLEMENT_SECRET
    description: Name of secret which contains the entitlement certificates
    type: string
    default: "etc-pki-entitlement"
  - name: ACTIVATION_KEY
    default: activation-key
    description: Name of secret which contains subscription activation key
    type: string
  - name: ADDITIONAL_SECRET
    description: Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET
    type: string
    default: "does-not-exist"
  - name: BUILD_ARGS
    description: Array of --build-arg values ("arg=value" strings)
    type: array
    default: []
  - name: BUILD_ARGS_FILE
    description: Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file
    type: string
    default: ""
  - name: caTrustConfigMapName
    type: string
    description: The name of the ConfigMap to read CA bundle data from.
    default: trusted-ca
  - name: caTrustConfigMapKey
    type: string
    description: The name of the key in the ConfigMap that contains the CA bundle data.
    default: ca-bundle.crt
  - name: ADD_CAPABILITIES
    description: Comma separated list of extra capabilities to add when running 'buildah build'
    type: string
    default: ""
  - name: SQUASH
    description: Squash all new and previous layers added as a part of this build, as per --squash
    type: string
    default: "false"
  - name: STORAGE_DRIVER
    description: Storage driver to configure for buildah
    type: string
    default: vfs
  - name: SKIP_UNUSED_STAGES
    description: Whether to skip stages in Containerfile that seem unused by subsequent stages
    type: string
    default: "true"

  results:
  - description: Digest of the image just built
    name: IMAGE_DIGEST
  - description: Image repository where the built image was pushed
    name: IMAGE_URL
  - description: Digests of the base images used for build
    name: BASE_IMAGES_DIGESTS
  - name: SBOM_JAVA_COMPONENTS_COUNT
    description: The counting of Java components by publisher in JSON format
    type: string
  - name: JAVA_COMMUNITY_DEPENDENCIES
    description: The Java dependencies that came from community sources such as Maven central.
  stepTemplate:
    volumeMounts:
      - mountPath: /shared
        name: shared
    env:
    - name: BUILDAH_FORMAT
      value: oci
    - name: STORAGE_DRIVER
      value: $(params.STORAGE_DRIVER)
    - name: HERMETIC
      value: $(params.HERMETIC)
    - name: CONTEXT
      value: $(params.CONTEXT)
    - name: DOCKERFILE
      value: $(params.DOCKERFILE)
    - name: IMAGE
      value: $(params.IMAGE)
    - name: TLSVERIFY
      value: $(params.TLSVERIFY)
    - name: IMAGE_EXPIRES_AFTER
      value: $(params.IMAGE_EXPIRES_AFTER)
    - name: YUM_REPOS_D_SRC
      value: $(params.YUM_REPOS_D_SRC)
    - name: YUM_REPOS_D_FETCHED
      value: $(params.YUM_REPOS_D_FETCHED)
    - name: YUM_REPOS_D_TARGET
      value: $(params.YUM_REPOS_D_TARGET)
    - name: TARGET_STAGE
      value: $(params.TARGET_STAGE)
    - name: PARAM_BUILDER_IMAGE
      value: $(params.BUILDER_IMAGE)
    - name: ENTITLEMENT_SECRET
      value: $(params.ENTITLEMENT_SECRET)
    - name: ACTIVATION_KEY
      value: $(params.ACTIVATION_KEY)
    - name: ADDITIONAL_SECRET
      value: $(params.ADDITIONAL_SECRET)
    - name: BUILD_ARGS_FILE
      value: $(params.BUILD_ARGS_FILE)
    - name: ADD_CAPABILITIES
      value: $(params.ADD_CAPABILITIES)
    - name: SQUASH
      value: $(params.SQUASH)
    - name: SKIP_UNUSED_STAGES
      value: $(params.SKIP_UNUSED_STAGES)

  steps:
  - image: quay.io/konflux-ci/buildah:latest@sha256:9ef792d74bcc1d330de6be58b61f2cdbfa1c23b74a291eb2136ffd452d373050
    name: build
    computeResources:
      limits:
        memory: 4Gi
      requests:
        memory: 512Mi
        cpu: 250m
    env:
    - name: COMMIT_SHA
      value: $(params.COMMIT_SHA)
    args:
      - $(params.BUILD_ARGS[*])
    script: |
      if [ -n "${PARAM_BUILDER_IMAGE}" ]; then
        echo "WARNING: provided deprecated BUILDER_IMAGE parameter has no effect."
      fi

      ca_bundle=/mnt/trusted-ca/ca-bundle.crt
      if [ -f "$ca_bundle" ]; then
        echo "INFO: Using mounted CA bundle: $ca_bundle"
        cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
        update-ca-trust
      fi

      SOURCE_CODE_DIR=source
      if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then
        dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE"
      elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
        dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE"
      elif echo "$DOCKERFILE" | grep -q "^https\?://"; then
        echo "Fetch Dockerfile from $DOCKERFILE"
        dockerfile_path=$(mktemp --suffix=-Dockerfile)
        http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path" "$DOCKERFILE")
        if [ $http_code != 200 ]; then
          echo "No Dockerfile is fetched. Server responds $http_code"
          exit 1
        fi
        http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path.dockerignore.tmp" "$DOCKERFILE.dockerignore")
        if [ $http_code = 200 ]; then
          echo "Fetched .dockerignore from $DOCKERFILE.dockerignore"
          mv "$dockerfile_path.dockerignore.tmp" $SOURCE_CODE_DIR/$CONTEXT/.dockerignore
        fi
      else
        echo "Cannot find Dockerfile $DOCKERFILE"
        exit 1
      fi
      if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
        sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"<settings><mirrors><mirror><id>mirror.default</id><url>http://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/</url><mirrorOf>*</mirrorOf></mirror></mirrors></settings>\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
        touch /var/lib/containers/java
      fi

      # Fixing group permission on /var/lib/containers
      chown root:root /var/lib/containers

      sed -i 's/^\s*short-name-mode\s*=\s*.*/short-name-mode = "disabled"/' /etc/containers/registries.conf

      # Setting new namespace to run buildah - 2^32-2
      echo 'root:1:4294967294' | tee -a /etc/subuid >> /etc/subgid

      BUILDAH_ARGS=()

      BASE_IMAGES=$(grep -i '^\s*FROM' "$dockerfile_path" | sed 's/--platform=\S*//' | awk '{print $2}' | (grep -v ^oci-archive: || true))
      if [ "${HERMETIC}" == "true" ]; then
        BUILDAH_ARGS+=("--pull=never")
        UNSHARE_ARGS="--net"
        for image in $BASE_IMAGES; do
          if [ "${image}" != "scratch" ]; then
            unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image
          fi
        done
        echo "Build will be executed with network isolation"
      fi

      if [ -n "${TARGET_STAGE}" ]; then
        BUILDAH_ARGS+=("--target=${TARGET_STAGE}")
      fi

      if [ -n "${BUILD_ARGS_FILE}" ]; then
        BUILDAH_ARGS+=("--build-arg-file=$(pwd)/$SOURCE_CODE_DIR/${BUILD_ARGS_FILE}")
      fi

      for build_arg in "$@"; do
        BUILDAH_ARGS+=("--build-arg=$build_arg")
      done

      if [ -n "${ADD_CAPABILITIES}" ]; then
        BUILDAH_ARGS+=("--cap-add=${ADD_CAPABILITIES}")
      fi

      if [ "${SQUASH}" == "true" ]; then
        BUILDAH_ARGS+=("--squash")
      fi

      if [ "${SKIP_UNUSED_STAGES}" != "true" ] ; then
        BUILDAH_ARGS+=("--skip-unused-stages=false")
      fi

      if [ -f "$(workspaces.source.path)/cachi2/cachi2.env" ]; then
        cp -r "$(workspaces.source.path)/cachi2" /tmp/
        chmod -R go+rwX /tmp/cachi2
        VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2"
        # Read in the whole file (https://unix.stackexchange.com/questions/533277), then
        # for each RUN ... line insert the cachi2.env command *after* any options like --mount
        sed -E -i \
            -e 'H;1h;$!d;x' \
            -e 's@^\s*(run((\s|\\\n)+-\S+)*(\s|\\\n)+)@\1. /cachi2/cachi2.env \&\& \\\n    @igM' \
            "$dockerfile_path"
        echo "Prefetched content will be made available"

        prefetched_repo_for_my_arch="/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo"
        if [ -f "$prefetched_repo_for_my_arch" ]; then
          echo "Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED"
          mkdir -p "$YUM_REPOS_D_FETCHED"
          cp --no-clobber "$prefetched_repo_for_my_arch" "$YUM_REPOS_D_FETCHED"
        fi
      fi

      # if yum repofiles stored in git, copy them to mount point outside the source dir
      if [ -d "${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}" ]; then
        mkdir -p ${YUM_REPOS_D_FETCHED}
        cp -r ${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}/* ${YUM_REPOS_D_FETCHED}
      fi

      # if anything in the repofiles mount point (either fetched or from git), mount it
      if [ -d "${YUM_REPOS_D_FETCHED}" ]; then
        chmod -R go+rwX ${YUM_REPOS_D_FETCHED}
        mount_point=$(realpath ${YUM_REPOS_D_FETCHED})
        VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume ${mount_point}:${YUM_REPOS_D_TARGET}"
      fi

      LABELS=(
        "--label" "build-date=$(date -u +'%Y-%m-%dT%H:%M:%S')"
        "--label" "architecture=$(uname -m)"
        "--label" "vcs-type=git"
      )
      [ -n "$COMMIT_SHA" ] && LABELS+=("--label" "vcs-ref=$COMMIT_SHA")
      [ -n "$IMAGE_EXPIRES_AFTER" ] && LABELS+=("--label" "quay.expires-after=$IMAGE_EXPIRES_AFTER")

      ENTITLEMENT_PATH="/entitlement"
      if [ -d "$ENTITLEMENT_PATH" ]; then
        cp -r --preserve=mode "$ENTITLEMENT_PATH" /tmp/entitlement
        VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/entitlement:/etc/pki/entitlement"
        echo "Adding the entitlement to the build"
      fi

      ACTIVATION_KEY_PATH="/activation-key"
         if [ -d "$ACTIVATION_KEY_PATH" ]; then
          cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
          VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume /tmp/activation-key:/activation-key"
          echo "Adding activation key to the build"
        fi

      ADDITIONAL_SECRET_PATH="/additional-secret"
      ADDITIONAL_SECRET_TMP="/tmp/additional-secret"
      if [ -d "$ADDITIONAL_SECRET_PATH" ]; then
        cp -r --preserve=mode -L "$ADDITIONAL_SECRET_PATH" $ADDITIONAL_SECRET_TMP
        while read -r filename; do
          echo "Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}"
          BUILDAH_ARGS+=("--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}")
        done < <(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \;)
      fi

      unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \
        $VOLUME_MOUNTS \
        "${BUILDAH_ARGS[@]}" \
        "${LABELS[@]}" \
        --tls-verify=$TLSVERIFY --no-cache \
        --ulimit nofile=4096:4096 \
        -f "$dockerfile_path" -t $IMAGE .

      container=$(buildah from --pull-never $IMAGE)
      buildah mount $container | tee /shared/container_path
      echo $container > /shared/container_name

      # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
      if [ -f "/tmp/cachi2/output/bom.json" ]; then
        cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json
      fi

      # Expose base image digests
      touch $(results.BASE_IMAGES_DIGESTS.path)
      for image in $BASE_IMAGES; do
        if [ "${image}" != "scratch" ]; then
          buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >> $(results.BASE_IMAGES_DIGESTS.path)
        fi
      done

      # Needed to generate base images SBOM
      echo "$BASE_IMAGES" > $(workspaces.source.path)/base_images_from_dockerfile

    securityContext:
      capabilities:
        add:
          - SETFCAP
    volumeMounts:
    - mountPath: /var/lib/containers
      name: varlibcontainers
    - mountPath: "/entitlement"
      name: etc-pki-entitlement
    - mountPath: /activation-key
      name: activation-key
    - mountPath: "/additional-secret"
      name: additional-secret
    - name: trusted-ca
      mountPath: /mnt/trusted-ca
      readOnly: true
    workingDir: $(workspaces.source.path)

  - name: sbom-syft-generate
    image: quay.io/redhat-appstudio/syft:v0.105.1@sha256:1910b829997650c696881e5fc2fc654ddf3184c27edb1b2024e9cb2ba51ac431
    # Respect Syft configuration if the user has it in the root of their repository
    # (need to set the workdir, see https://github.com/anchore/syft/issues/2465)
    workingDir: $(workspaces.source.path)/source
    script: |
      echo "Running syft on the source directory"
      syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json
      find $(cat /shared/container_path) -xtype l -delete
      echo "Running syft on the image filesystem"
      syft dir:$(cat /shared/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json
    volumeMounts:
    - mountPath: /var/lib/containers
      name: varlibcontainers
    - mountPath: /shared
      name: shared
  - name: analyse-dependencies-java-sbom
    image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77
    script: |
      if [ -f /var/lib/containers/java ]; then
        /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /shared/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path)
        sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875
      else
        touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path)
      fi
    volumeMounts:
    - mountPath: /var/lib/containers
      name: varlibcontainers
    - mountPath: /shared
      name: shared
    securityContext:
      runAsUser: 0

  - name: merge-syft-sboms
    image: registry.access.redhat.com/ubi9/python-39:1-192@sha256:01c9e53b32acd96f9fe7781727140df6868c91ebc916ed95dc58999fbf4d8ddd
    script: |
      #!/bin/python3
      import json

      # load SBOMs
      with open("./sbom-image.json") as f:
        image_sbom = json.load(f)

      with open("./sbom-source.json") as f:
        source_sbom = json.load(f)

      # fetch unique components from available SBOMs
      def get_identifier(component):
        return component["name"] + '@' + component.get("version", "")

      image_sbom_components = image_sbom.setdefault("components", [])
      existing_components = [get_identifier(component) for component in image_sbom_components]

      source_sbom_components = source_sbom.get("components", [])
      for component in source_sbom_components:
        if get_identifier(component) not in existing_components:
          image_sbom_components.append(component)
          existing_components.append(get_identifier(component))

      image_sbom_components.sort(key=lambda c: get_identifier(c))

      # write the CycloneDX unified SBOM
      with open("./sbom-cyclonedx.json", "w") as f:
        json.dump(image_sbom, f, indent=4)
    workingDir: $(workspaces.source.path)
    securityContext:
      runAsUser: 0

  - name: merge-cachi2-sbom
    image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad
    script: |
      if [ -f "sbom-cachi2.json" ]; then
        echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json"
        merge_syft_sbom sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json
        mv sbom-temp.json sbom-cyclonedx.json
      else
        echo "Skipping step since no Cachi2 SBOM was produced"
      fi
    workingDir: $(workspaces.source.path)
    securityContext:
      runAsUser: 0

  - name: create-purl-sbom
    image: registry.access.redhat.com/ubi9/python-39:1-192@sha256:01c9e53b32acd96f9fe7781727140df6868c91ebc916ed95dc58999fbf4d8ddd
    script: |
      #!/bin/python3
      import json

      with open("./sbom-cyclonedx.json") as f:
        cyclonedx_sbom = json.load(f)

      purls = [{"purl": component["purl"]} for component in cyclonedx_sbom.get("components", []) if "purl" in component]
      purl_content = {"image_contents": {"dependencies": purls}}

      with open("sbom-purl.json", "w") as output_file:
        json.dump(purl_content, output_file, indent=4)
    workingDir: $(workspaces.source.path)
    securityContext:
      runAsUser: 0

  - name: create-base-images-sbom
    image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:667669e3def018f9dbb8eaf8868887a40bc07842221e9a98f6787edcff021840
    env:
    - name: BASE_IMAGES_DIGESTS_PATH
      value: $(results.BASE_IMAGES_DIGESTS.path)
    script: |
      python3 /app/base_images_sbom_script.py --sbom=sbom-cyclonedx.json --base-images-from-dockerfile=base_images_from_dockerfile --base-images-digests=$BASE_IMAGES_DIGESTS_PATH
    workingDir: $(workspaces.source.path)
    securityContext:
      runAsUser: 0

  - name: inject-sbom-and-push
    image: quay.io/konflux-ci/buildah:latest@sha256:9ef792d74bcc1d330de6be58b61f2cdbfa1c23b74a291eb2136ffd452d373050
    computeResources: {}
    script: |
      if [ -n "${PARAM_BUILDER_IMAGE}" ]; then
        echo "WARNING: provided deprecated BUILDER_IMAGE parameter has no effect."
      fi

      base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@')
      base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE)
      container=$(buildah from --pull-never $IMAGE)
      buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/
      buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container

      BUILDAH_ARGS=()
      if [ "${SQUASH}" == "true" ]; then
        BUILDAH_ARGS+=("--squash")
      fi

      buildah commit "${BUILDAH_ARGS[@]}" $container $IMAGE

      status=-1
      max_run=5
      sleep_sec=10
      for run in $(seq 1 $max_run); do
        status=0
        [ "$run" -gt 1 ] && sleep $sleep_sec
        echo "Pushing sbom image to registry"
        buildah push \
          --tls-verify=$TLSVERIFY \
          --digestfile $(workspaces.source.path)/image-digest $IMAGE \
          docker://$IMAGE && break || status=$?
      done
      if [ "$status" -ne 0 ]; then
          echo "Failed to push sbom image to registry after ${max_run} tries"
          exit 1
      fi

      cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path)
      echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)

    securityContext:
      runAsUser: 0
      capabilities:
        add:
          - SETFCAP
    volumeMounts:
    - mountPath: /var/lib/containers
      name: varlibcontainers
    workingDir: $(workspaces.source.path)

  - name: upload-sbom
    image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5
    args:
      - attach
      - sbom
      - --sbom
      - sbom-cyclonedx.json
      - --type
      - cyclonedx
      - $(params.IMAGE)
    workingDir: $(workspaces.source.path)

  volumes:
  - name: varlibcontainers
    emptyDir: {}
  - name: shared
    emptyDir: {}
  - name: etc-pki-entitlement
    secret:
      secretName: $(params.ENTITLEMENT_SECRET)
      optional: true
  - name: activation-key
    secret:
      optional: true
      secretName: $(params.ACTIVATION_KEY)
  - name: additional-secret
    secret:
      secretName: $(params.ADDITIONAL_SECRET)
      optional: true
  - name: trusted-ca
    configMap:
      name: $(params.caTrustConfigMapName)
      items:
        - key: $(params.caTrustConfigMapKey)
          path: ca-bundle.crt
      optional: true
  workspaces:
  - name: source
    description: Workspace containing the source code to build.