diff --git a/.github/workflows/check-buildah-remote.yaml b/.github/workflows/check-buildah-remote.yaml deleted file mode 100644 index 4f73cb1ea..000000000 --- a/.github/workflows/check-buildah-remote.yaml +++ /dev/null @@ -1,20 +0,0 @@ -name: Validate PR - buildah-remote -'on': - pull_request: - branches: [main] -jobs: - go: - name: Check Buildah Remote - runs-on: ubuntu-latest - steps: - - name: Check out code - uses: actions/checkout@v4 - - name: Check buildah remote - run: | - ./hack/generate-buildah-remote.sh - if [[ ! -z $(git status -s) ]] - then - echo "buildah-remote is not up to date, run ./hack/generate-buildah-remote.sh" - git --no-pager diff - exit 1 - fi diff --git a/.github/workflows/check-yaml-format.yaml b/.github/workflows/check-yaml-format.yaml new file mode 100644 index 000000000..55076a72f --- /dev/null +++ b/.github/workflows/check-yaml-format.yaml @@ -0,0 +1,28 @@ +name: Validate PR - YAML Format +on: + pull_request: + branches: [main] +jobs: + go: + name: Check Buildah Remote + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v4 + - name: Generate buildah remote + run: | + ./hack/generate-buildah-remote.sh + - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5 + - name: Format YAML + run: | + go install github.com/google/yamlfmt/cmd/yamlfmt@v0.10.0 + yamlfmt . + - name: Check YAML Formatted + run: | + if [[ ! -z $(git status -s) ]] + then + echo "YAML format is not up to date, run 'go install github.com/google/yamlfmt/cmd/yamlfmt@v0.10.0 && yamlfmt .'" + echo " If you have modified the buildah task you may also need to run ./hack/generate-buildah-remote.sh" + git --no-pager diff + exit 1 + fi diff --git a/.github/workflows/shellspec.yaml b/.github/workflows/shellspec.yaml index 0bc6d82aa..02d923c67 100644 --- a/.github/workflows/shellspec.yaml +++ b/.github/workflows/shellspec.yaml @@ -1,6 +1,4 @@ ---- name: Shellspec Tests - "on": pull_request: branches: 
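Review bot: The new `.github/workflows/check-yaml-format.yaml` declares no `permissions:` block, so the job runs with whatever default `GITHUB_TOKEN` grant the repository has configured even though every step only reads the checkout; add `permissions:` / `  contents: read` at the top level (below `name:`) to make that least-privilege intent explicit. The job also still carries `name: Check Buildah Remote` from the deleted check-buildah-remote.yaml while it now verifies YAML formatting — `name: Check YAML Format` would match what the `Check YAML Formatted` step reports. Action pinning is inconsistent within the same file: `actions/setup-go` is pinned to a commit SHA with a `# v5` comment, while `actions/checkout@v4` is pinned to a mutable tag, so pinning checkout the same way would have one resolved commit govern both. Finally, `on:` is written bare here whereas the deleted file used `'on':` and shellspec.yaml uses `"on":`; GitHub's loader accepts both, but YAML 1.1 parsers (and yamllint's truthy rule) read the bare key as a boolean, so quoting it keeps the workflows consistent.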
@@ -8,21 +6,16 @@ name: Shellspec Tests push: branches: - main - jobs: Shellspec: - runs-on: ubuntu-latest - steps: - name: Checkout repository uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: jerop/tkn@v0.2.0 with: version: v0.32.2 - - name: Shellspec run: hack/test-shellspec.sh diff --git a/.tekton/pull-request.yaml b/.tekton/pull-request.yaml index 9a02608ce..011ec560b 100644 --- a/.tekton/pull-request.yaml +++ b/.tekton/pull-request.yaml @@ -1,4 +1,3 @@ ---- apiVersion: tekton.dev/v1 kind: PipelineRun metadata: @@ -47,8 +46,8 @@ spec: - name: shared-workspace workspace: workspace params: - - name: args - value: [".", "-c", "/workspace/shared-workspace/source/.yamllint"] + - name: args + value: [".", "-c", "/workspace/shared-workspace/source/.yamllint"] - name: sast-snyk-check params: - name: SNYK_SECRET @@ -167,9 +166,9 @@ spec: subPath: .dockerconfigjson name: quay-secret volumes: - - name: quay-secret - secret: - secretName: redhat-appstudio-tekton-catalog-build-definitions-pull-secret + - name: quay-secret + secret: + secretName: redhat-appstudio-tekton-catalog-build-definitions-pull-secret workspaces: - name: source - name: e2e-tests diff --git a/.tekton/push.yaml b/.tekton/push.yaml index 3142d5e26..e66eecd5d 100644 --- a/.tekton/push.yaml +++ b/.tekton/push.yaml @@ -1,4 +1,3 @@ ---- apiVersion: tekton.dev/v1 kind: PipelineRun metadata: @@ -84,9 +83,9 @@ spec: subPath: .dockerconfigjson name: quay-secret volumes: - - name: quay-secret - secret: - secretName: redhat-appstudio-tekton-catalog-build-definitions-pull-secret + - name: quay-secret + secret: + secretName: redhat-appstudio-tekton-catalog-build-definitions-pull-secret workspaces: - name: source - name: update-infra-repo 
@@ -113,9 +112,9 @@ spec: - name: artifacts description: Workspace containing arbitrary artifacts used during the task run. volumes: - - name: quay-secret - secret: - secretName: redhat-appstudio-tekton-catalog-build-definitions-pull-secret + - name: quay-secret + secret: + secretName: redhat-appstudio-tekton-catalog-build-definitions-pull-secret steps: - name: build-bundles image: quay.io/redhat-appstudio/appstudio-utils:{{ revision }} diff --git a/.tekton/tasks/buildah.yaml b/.tekton/tasks/buildah.yaml index 85685e94e..81cc5367d 100644 --- a/.tekton/tasks/buildah.yaml +++ b/.tekton/tasks/buildah.yaml 
@@ -10,90 +10,90 @@ spec: Buildah task builds source into a container image and then pushes it to a container registry. Buildah Task builds source into a container image using Project Atomic's Buildah build tool.It uses Buildah's support for building from Dockerfiles, using its buildah build command.This command executes the directives in the Dockerfile to assemble a container image, then pushes that image to a container registry. params: - - description: Reference of the image buildah will produce. - name: IMAGE - type: string - - default: registry.access.redhat.com/ubi8/buildah@sha256:31f84b19a0774be7cfad751be38fc97f5e86cefd26e0abaec8047ddc650b00bf - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - description: The location of the buildah builder image. - name: BUILDER_IMAGE - type: string - - default: vfs - description: Set buildah storage driver - name: STORAGE_DRIVER - type: string - - default: ./Dockerfile - description: Path to the Dockerfile to build. - name: DOCKERFILE - type: string - - default: . - description: Path to the directory to use as context. - name: CONTEXT - type: string - - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - name: TLSVERIFY - type: string - - default: oci - description: The format of the built container, oci or docker - name: FORMAT - type: string + - description: Reference of the image buildah will produce. 
+ name: IMAGE + type: string + - default: registry.access.redhat.com/ubi8/buildah@sha256:31f84b19a0774be7cfad751be38fc97f5e86cefd26e0abaec8047ddc650b00bf + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + description: The location of the buildah builder image. + name: BUILDER_IMAGE + type: string + - default: vfs + description: Set buildah storage driver + name: STORAGE_DRIVER + type: string + - default: ./Dockerfile + description: Path to the Dockerfile to build. + name: DOCKERFILE + type: string + - default: . + description: Path to the directory to use as context. + name: CONTEXT + type: string + - default: "true" + description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) + name: TLSVERIFY + type: string + - default: oci + description: The format of the built container, oci or docker + name: FORMAT + type: string results: - - description: Digest of the image just built - name: IMAGE_DIGEST - - description: Image repository where the built image was pushed - name: IMAGE_URL + - description: Digest of the image just built + name: IMAGE_DIGEST + - description: Image repository where the built image was pushed + name: IMAGE_URL steps: - - image: $(params.BUILDER_IMAGE) - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent; our default param above specifies a digest - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
- name: build - computeResources: - limits: - memory: 2Gi - requests: - memory: 512Mi - cpu: 10m - script: | - buildah --storage-driver=$(params.STORAGE_DRIVER) build \ - --format=$(params.FORMAT) \ - --tls-verify=$(params.TLSVERIFY) --no-cache \ - -f $(params.DOCKERFILE) -t $(params.IMAGE) $(params.CONTEXT) - securityContext: - capabilities: - add: - - SETFCAP - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - workingDir: $(workspaces.source.path)/source - - image: $(params.BUILDER_IMAGE) - name: push - computeResources: {} - script: | - buildah --storage-driver=$(params.STORAGE_DRIVER) push \ - --tls-verify=$(params.TLSVERIFY) \ - --digestfile $(workspaces.source.path)/source/image-digest $(params.IMAGE) \ - docker://$(params.IMAGE) - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - securityContext: - capabilities: - add: - - SETFCAP - workingDir: $(workspaces.source.path)/source - - image: $(params.BUILDER_IMAGE) - name: digest-to-results - computeResources: {} - script: | - cat "$(workspaces.source.path)"/source/image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$(params.IMAGE)" | tee $(results.IMAGE_URL.path) + - image: $(params.BUILDER_IMAGE) + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent; our default param above specifies a digest + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
+ name: build + computeResources: + limits: + memory: 2Gi + requests: + memory: 512Mi + cpu: 10m + script: | + buildah --storage-driver=$(params.STORAGE_DRIVER) build \ + --format=$(params.FORMAT) \ + --tls-verify=$(params.TLSVERIFY) --no-cache \ + -f $(params.DOCKERFILE) -t $(params.IMAGE) $(params.CONTEXT) + securityContext: + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + workingDir: $(workspaces.source.path)/source + - image: $(params.BUILDER_IMAGE) + name: push + computeResources: {} + script: | + buildah --storage-driver=$(params.STORAGE_DRIVER) push \ + --tls-verify=$(params.TLSVERIFY) \ + --digestfile $(workspaces.source.path)/source/image-digest $(params.IMAGE) \ + docker://$(params.IMAGE) + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + securityContext: + capabilities: + add: + - SETFCAP + workingDir: $(workspaces.source.path)/source + - image: $(params.BUILDER_IMAGE) + name: digest-to-results + computeResources: {} + script: | + cat "$(workspaces.source.path)"/source/image-digest | tee $(results.IMAGE_DIGEST.path) + echo -n "$(params.IMAGE)" | tee $(results.IMAGE_URL.path) volumes: - - emptyDir: {} - name: varlibcontainers + - emptyDir: {} + name: varlibcontainers workspaces: - - name: source + - name: source diff --git a/.tekton/tasks/e2e-test.yaml b/.tekton/tasks/e2e-test.yaml index 3d11e819f..7bff5865f 100644 --- a/.tekton/tasks/e2e-test.yaml +++ b/.tekton/tasks/e2e-test.yaml 
@@ -21,25 +21,22 @@ spec: image: quay.io/redhat-appstudio/e2e-tests:327e55dbfa361d32689037180b5e44e963079c9e # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened # against build-definitions to update this tag - args: [ - "--ginkgo.label-filter=build-templates-e2e", - "--ginkgo.no-color" - ] + args: ["--ginkgo.label-filter=build-templates-e2e", "--ginkgo.no-color"] securityContext: runAsUser: 1000 env: - - name: APP_SUFFIX - value: "$(params.app_suffix)" - - name: COMPONENT_REPO_URLS - value: "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic,https://github.com/redhat-appstudio-qe/retrodep,https://github.com/cachito-testing/pip-e2e-test,https://github.com/redhat-appstudio-qe/fbc-sample-repo,https://github.com/redhat-appstudio-qe/nodejs-no-dockerfile,https://github.com/redhat-appstudio-qe/maven-hello-world" - - name: QUAY_E2E_ORGANIZATION - value: redhat-appstudio - - name: E2E_APPLICATIONS_NAMESPACE - value: "$(params.e2e_test_namespace)" - - name: GITHUB_TOKEN - valueFrom: - secretKeyRef: - name: github - key: token - - name: MY_GITHUB_ORG - value: redhat-appstudio-appdata + - name: APP_SUFFIX + value: "$(params.app_suffix)" + - name: COMPONENT_REPO_URLS + value: "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic,https://github.com/redhat-appstudio-qe/retrodep,https://github.com/cachito-testing/pip-e2e-test,https://github.com/redhat-appstudio-qe/fbc-sample-repo,https://github.com/redhat-appstudio-qe/nodejs-no-dockerfile,https://github.com/redhat-appstudio-qe/maven-hello-world" + - name: QUAY_E2E_ORGANIZATION + value: redhat-appstudio + - name: E2E_APPLICATIONS_NAMESPACE + value: "$(params.e2e_test_namespace)" + - name: GITHUB_TOKEN + valueFrom: + secretKeyRef: + name: github + key: token + - name: MY_GITHUB_ORG + value: redhat-appstudio-appdata diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml index 0d76854ea..3ffe4ef30 100644 --- a/.tekton/tasks/ec-checks.yaml 
+++ b/.tekton/tasks/ec-checks.yaml 
@@ -12,47 +12,47 @@ spec: description: >- This task can be used to run enterprise contract checks steps: - - name: gather-tasks - image: quay.io/redhat-appstudio/appstudio-utils:512cca38316355d6dbfc9c23ed3c5afabb943d24 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - workingDir: $(workspaces.source.path)/source - script: | - source hack/ec-checks.sh - $(build_tasks_dir build_tasks-ec) - $(all_tasks_dir all_tasks-ec) - - name: validate-all-tasks - workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot - command: [ec] - args: - - validate - - definition - - "--file" - - "./all_tasks-ec" - - "--policy" - - "git::https://github.com/enterprise-contract/ec-policies//policy/task" - - "--policy" - - "git::https://github.com/enterprise-contract/ec-policies//policy/lib" - - "--data" - - "git::https://github.com/release-engineering/rhtap-ec-policy//data" - - "--strict" - - name: validate-build-tasks - workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot - command: [ec] - args: - - validate - - definition - - "--file" - - "./build_tasks-ec" - - "--policy" - - "git::https://github.com/enterprise-contract/ec-policies//policy/build_task" - - "--policy" - - "git::https://github.com/enterprise-contract/ec-policies//policy/lib" - - "--data" - - "git::https://github.com/release-engineering/rhtap-ec-policy//data" - - "--strict" + - name: gather-tasks + image: quay.io/redhat-appstudio/appstudio-utils:512cca38316355d6dbfc9c23ed3c5afabb943d24 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to 
IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + workingDir: $(workspaces.source.path)/source + script: | + source hack/ec-checks.sh + $(build_tasks_dir build_tasks-ec) + $(all_tasks_dir all_tasks-ec) + - name: validate-all-tasks + workingDir: "$(workspaces.source.path)/source" + image: quay.io/enterprise-contract/ec-cli:snapshot + command: [ec] + args: + - validate + - definition + - "--file" + - "./all_tasks-ec" + - "--policy" + - "git::https://github.com/enterprise-contract/ec-policies//policy/task" + - "--policy" + - "git::https://github.com/enterprise-contract/ec-policies//policy/lib" + - "--data" + - "git::https://github.com/release-engineering/rhtap-ec-policy//data" + - "--strict" + - name: validate-build-tasks + workingDir: "$(workspaces.source.path)/source" + image: quay.io/enterprise-contract/ec-cli:snapshot + command: [ec] + args: + - validate + - definition + - "--file" + - "./build_tasks-ec" + - "--policy" + - "git::https://github.com/enterprise-contract/ec-policies//policy/build_task" + - "--policy" + - "git::https://github.com/enterprise-contract/ec-policies//policy/lib" + - "--data" + - "git::https://github.com/release-engineering/rhtap-ec-policy//data" + - "--strict" workspaces: - name: source diff --git a/.tekton/tasks/yaml-lint.yaml b/.tekton/tasks/yaml-lint.yaml index 2eef68e49..500df7409 100644 --- a/.tekton/tasks/yaml-lint.yaml +++ b/.tekton/tasks/yaml-lint.yaml 
@@ -23,7 +23,7 @@ spec: default: ["--help"] steps: - name: lint-yaml-files - image: docker.io/cytopia/yamllint:1.26@sha256:1bf8270a671a2e5f2fea8ac2e80164d627e0c5fa083759862bbde80628f942b2 # tag: 1.23 + image: docker.io/cytopia/yamllint:1.26@sha256:1bf8270a671a2e5f2fea8ac2e80164d627e0c5fa083759862bbde80628f942b2 # tag: 1.23 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. diff --git a/partners/example-hello-world/0.1/example-hello-world.yaml b/partners/example-hello-world/0.1/example-hello-world.yaml index e9d2cb3e6..71c050964 100644 --- a/partners/example-hello-world/0.1/example-hello-world.yaml +++ b/partners/example-hello-world/0.1/example-hello-world.yaml 
@@ -4,32 +4,31 @@ metadata: name: example-hello-world spec: description: >- - This is example task which prints content in message parameter and if secret hello-world with key "show-me" - exists then the SHA256 of the key value is printed. + This is example task which prints content in message parameter and if secret hello-world with key "show-me" exists then the SHA256 of the key value is printed. Secret creation example: 'oc create secret generic hello-world --from-literal=show-me=super-secret' params: - - name: message - type: string - description: Message to be printed. - default: Hello World!!! + - name: message + type: string + description: Message to be printed. + default: Hello World!!! volumes: - - name: secret - secret: - secretName: hello-world - optional: true + - name: secret + secret: + secretName: hello-world + optional: true steps: - - name: main-step - image: registry.access.redhat.com/ubi9/ubi-minimal:9.1.0-1829@sha256:95413c8dacaac773421428947a431c1cb099d19b4b1125df77d5d1cd2f463ab8 - script: | - #!/bin/sh - echo $MESSAGE - if [ -f /etc/secret/show-me ]; then - sha256sum /etc/secret/show-me - fi - env: - - name: MESSAGE - value: "$(params.message)" - volumeMounts: - - name: secret - mountPath: /etc/secret + - name: main-step + image: registry.access.redhat.com/ubi9/ubi-minimal:9.1.0-1829@sha256:95413c8dacaac773421428947a431c1cb099d19b4b1125df77d5d1cd2f463ab8 + script: | + #!/bin/sh + echo $MESSAGE + if [ -f /etc/secret/show-me ]; then + sha256sum /etc/secret/show-me + fi + env: + - name: MESSAGE + value: "$(params.message)" + volumeMounts: + - name: secret + mountPath: /etc/secret diff --git a/pipelines/core-services/infra-deploy.yaml b/pipelines/core-services/infra-deploy.yaml index 4833e633c..c8203b888 100644 --- a/pipelines/core-services/infra-deploy.yaml +++ b/pipelines/core-services/infra-deploy.yaml 
@@ -11,16 +11,16 @@ name: update-infra-deployments version: "0.1" when: - - input: $(params.infra-deployment-update-script) - operator: notin - values: [""] - - input: $(tasks.status) - operator: notin - values: ["Failed"] + - input: $(params.infra-deployment-update-script) + operator: notin + values: [""] + - input: $(tasks.status) + operator: notin + values: ["Failed"] params: - - name: ORIGIN_REPO - value: $(params.git-url) - - name: REVISION - value: $(params.revision) - - name: SCRIPT - value: $(params.infra-deployment-update-script) + - name: ORIGIN_REPO + value: $(params.git-url) + - name: REVISION + value: $(params.revision) + - name: SCRIPT + value: $(params.infra-deployment-update-script) diff --git a/pipelines/core-services/kustomization.yaml b/pipelines/core-services/kustomization.yaml index c9c48b69c..429767589 100644 --- a/pipelines/core-services/kustomization.yaml +++ b/pipelines/core-services/kustomization.yaml @@ -1,19 +1,17 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ../docker-build - + - ../docker-build commonAnnotations: # Make it easier to create bundle for these pipelines appstudio.openshift.io/core-services-ci: "1" - patches: -- path: infra-deploy.yaml - target: - kind: Pipeline -- path: update-repo.yaml - target: - kind: Pipeline -- path: slack-notification.yaml - target: - kind: Pipeline + - path: infra-deploy.yaml + target: + kind: Pipeline + - path: update-repo.yaml + target: + kind: Pipeline + - path: slack-notification.yaml + target: + kind: Pipeline diff --git a/pipelines/core-services/slack-notification.yaml b/pipelines/core-services/slack-notification.yaml index 3119727db..c0daab8ba 100644 --- a/pipelines/core-services/slack-notification.yaml +++ b/pipelines/core-services/slack-notification.yaml 
@@ -11,14 +11,14 @@ name: slack-webhook-notification version: "0.1" when: - - input: $(params.slack-webhook-notification-team) - operator: notin - values: [""] - - input: $(tasks.status) - operator: in - values: ["Failed"] + - input: $(params.slack-webhook-notification-team) + operator: notin + values: [""] + - input: $(tasks.status) + operator: in + values: ["Failed"] params: - - name: message - value: Tekton pipelineRun $(context.pipelineRun.name) failed - - name: key-name - value: $(params.slack-webhook-notification-team) + - name: message + value: Tekton pipelineRun $(context.pipelineRun.name) failed + - name: key-name + value: $(params.slack-webhook-notification-team) diff --git a/pipelines/core-services/update-repo.yaml b/pipelines/core-services/update-repo.yaml index c36575ea8..b95e98333 100644 --- a/pipelines/core-services/update-repo.yaml +++ b/pipelines/core-services/update-repo.yaml @@ -16,21 +16,21 @@ name: update-infra-deployments version: "0.1" when: - - input: $(params.update-repo-script) - operator: notin - values: [""] - - input: $(params.update-repo-name) - operator: notin - values: [""] - - input: $(tasks.status) - operator: notin - values: ["Failed"] + - input: $(params.update-repo-script) + operator: notin + values: [""] + - input: $(params.update-repo-name) + operator: notin + values: [""] + - input: $(tasks.status) + operator: notin + values: ["Failed"] params: - - name: ORIGIN_REPO - value: $(params.git-url) - - name: REVISION - value: $(params.revision) - - name: SCRIPT - value: $(params.update-repo-script) - - name: TARGET_GH_REPO - value: $(params.update-repo-name) + - name: ORIGIN_REPO + value: $(params.git-url) + - name: REVISION + value: $(params.revision) + - name: SCRIPT + value: $(params.update-repo-script) + - name: TARGET_GH_REPO + value: $(params.update-repo-name) diff --git a/pipelines/dance/kustomization.yaml b/pipelines/dance/kustomization.yaml index b4da55dc6..9de4b3bf7 100644 --- a/pipelines/dance/kustomization.yaml 
+++ b/pipelines/dance/kustomization.yaml @@ -1,7 +1,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ../docker-build-dance -- ../java-builder -- ../nodejs-builder -- ../docker-build + - ../docker-build-dance + - ../java-builder + - ../nodejs-builder + - ../docker-build diff --git a/pipelines/docker-build-dance/kustomization.yaml b/pipelines/docker-build-dance/kustomization.yaml index 64f7ba8a8..ded6d9429 100644 --- a/pipelines/docker-build-dance/kustomization.yaml +++ b/pipelines/docker-build-dance/kustomization.yaml @@ -1,9 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ../template-build - + - ../template-build patches: -- path: patch.yaml - target: - kind: Pipeline + - path: patch.yaml + target: + kind: Pipeline diff --git a/pipelines/docker-build-dance/patch.yaml b/pipelines/docker-build-dance/patch.yaml index 9242cd7be..e3ec97b17 100644 --- a/pipelines/docker-build-dance/patch.yaml +++ b/pipelines/docker-build-dance/patch.yaml @@ -1,4 +1,3 @@ ---- - op: replace path: /metadata/name value: docker-build-dance @@ -28,16 +27,16 @@ - op: add path: /spec/tasks/3/params value: - - name: IMAGE - value: $(params.output-image) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: IMAGE_EXPIRES_AFTER - value: "$(params.image-expires-after)" - - name: COMMIT_SHA - value: "$(tasks.clone-repository.results.commit)" + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: IMAGE_EXPIRES_AFTER + value: "$(params.image-expires-after)" + - name: COMMIT_SHA + value: "$(tasks.clone-repository.results.commit)" # Remove tasks # Example - yq .spec.tasks.[].name ../build-definitions/pipelines/template-build/template-build.yaml | nl -v 0 # to compute offsets 
@@ -55,30 +54,30 @@ path: /spec/tasks/3/runAfter/0 value: clone-repository - op: remove - path: /spec/tasks/9 # sbom-json-check + path: /spec/tasks/9 # sbom-json-check - op: remove - path: /spec/tasks/8 # clamav-scan + path: /spec/tasks/8 # clamav-scan - op: remove - path: /spec/tasks/7 # sast-snyk-check + path: /spec/tasks/7 # sast-snyk-check - op: remove - path: /spec/tasks/5 # deprecated-base-image-check + path: /spec/tasks/5 # deprecated-base-image-check - op: remove - path: /spec/tasks/2 # prefetch-dependencies + path: /spec/tasks/2 # prefetch-dependencies - op: add path: /spec/tasks/- value: name: acs-image-check params: - - name: rox_central_endpoint - value: $(params.stackrox-endpoint) - - name: rox_api_token - value: $(params.stackrox-secret) - - name: image - value: $(params.output-image) - - name: insecure-skip-tls-verify - value: "true" - - name: image_digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: rox_central_endpoint + value: $(params.stackrox-endpoint) + - name: rox_api_token + value: $(params.stackrox-secret) + - name: image + value: $(params.output-image) + - name: insecure-skip-tls-verify + value: "true" + - name: image_digest + value: $(tasks.build-container.results.IMAGE_DIGEST) runAfter: - build-container taskRef: 
@@ -91,18 +90,18 @@ value: name: acs-image-scan params: - - name: rox_central_endpoint - value: $(params.stackrox-endpoint) - - name: rox_api_token - value: $(params.stackrox-secret) - - name: image - value: $(params.output-image) - - name: insecure-skip-tls-verify - value: "true" - - name: image_digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: rox_central_endpoint + value: $(params.stackrox-endpoint) + - name: rox_api_token + value: $(params.stackrox-secret) + - name: image + value: $(params.output-image) + - name: insecure-skip-tls-verify + value: "true" + - name: image_digest + value: $(tasks.build-container.results.IMAGE_DIGEST) runAfter: - - build-container + - build-container taskRef: kind: Task name: acs-image-scan @@ -111,14 +110,14 @@ value: name: acs-deploy-check params: - - name: rox_central_endpoint - value: $(params.stackrox-endpoint) - - name: rox_api_token - value: $(params.stackrox-secret) - - name: insecure-skip-tls-verify - value: "true" + - name: rox_central_endpoint + value: $(params.stackrox-endpoint) + - name: rox_api_token + value: $(params.stackrox-secret) + - name: insecure-skip-tls-verify + value: "true" runAfter: - - build-container + - build-container taskRef: kind: Task name: acs-deploy-check diff --git a/pipelines/docker-build/kustomization.yaml b/pipelines/docker-build/kustomization.yaml index 64f7ba8a8..ded6d9429 100644 --- a/pipelines/docker-build/kustomization.yaml +++ b/pipelines/docker-build/kustomization.yaml @@ -1,9 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ../template-build - + - ../template-build patches: -- path: patch.yaml - target: - kind: Pipeline + - path: patch.yaml + target: + kind: Pipeline diff --git a/pipelines/docker-build/patch.yaml b/pipelines/docker-build/patch.yaml index f5c101893..95850808c 100644 --- a/pipelines/docker-build/patch.yaml +++ b/pipelines/docker-build/patch.yaml 
@@ -1,4 +1,3 @@ ---- - op: replace path: /metadata/name value: docker-build @@ -16,20 +15,20 @@ - op: add path: /spec/tasks/3/params value: - - name: IMAGE - value: $(params.output-image) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: "$(params.hermetic)" - - name: PREFETCH_INPUT - value: "$(params.prefetch-input)" - - name: IMAGE_EXPIRES_AFTER - value: "$(params.image-expires-after)" - - name: COMMIT_SHA - value: "$(tasks.clone-repository.results.commit)" + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: "$(params.hermetic)" + - name: PREFETCH_INPUT + value: "$(params.prefetch-input)" + - name: IMAGE_EXPIRES_AFTER + value: "$(params.image-expires-after)" + - name: COMMIT_SHA + value: "$(tasks.clone-repository.results.commit)" - op: add path: /spec/results/- value: diff --git a/pipelines/fbc-builder/kustomization.yaml b/pipelines/fbc-builder/kustomization.yaml index 64f7ba8a8..ded6d9429 100644 --- a/pipelines/fbc-builder/kustomization.yaml +++ b/pipelines/fbc-builder/kustomization.yaml @@ -1,9 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ../template-build - + - ../template-build patches: -- path: patch.yaml - target: - kind: Pipeline + - path: patch.yaml + target: + kind: Pipeline diff --git a/pipelines/fbc-builder/patch.yaml b/pipelines/fbc-builder/patch.yaml index 8a131d3fb..fece1d0b6 100644 --- a/pipelines/fbc-builder/patch.yaml +++ b/pipelines/fbc-builder/patch.yaml @@ -1,4 +1,3 @@ ---- - op: replace path: /metadata/name value: fbc-builder 
@@ -16,59 +15,59 @@ - op: add path: /spec/tasks/3/params value: - - name: IMAGE - value: $(params.output-image) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: "true" - - name: IMAGE_EXPIRES_AFTER - value: "$(params.image-expires-after)" - - name: COMMIT_SHA - value: "$(tasks.clone-repository.results.commit)" + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: "true" + - name: IMAGE_EXPIRES_AFTER + value: "$(params.image-expires-after)" + - name: COMMIT_SHA + value: "$(tasks.clone-repository.results.commit)" - op: add path: /spec/tasks/- value: name: inspect-image when: - - input: $(params.skip-checks) - operator: in - values: ["false"] + - input: $(params.skip-checks) + operator: in + values: ["false"] runAfter: - build-container taskRef: name: inspect-image version: "0.1" params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) workspaces: - - name: source - workspace: workspace + - name: source + workspace: workspace - op: add path: /spec/tasks/- value: name: fbc-validate when: - - input: $(params.skip-checks) - operator: in - values: ["false"] + - input: $(params.skip-checks) + operator: in + values: ["false"] runAfter: - inspect-image taskRef: name: fbc-validation version: "0.1" params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: BASE_IMAGE - value: $(tasks.inspect-image.results.BASE_IMAGE) + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: 
$(tasks.build-container.results.IMAGE_DIGEST) + - name: BASE_IMAGE + value: $(tasks.inspect-image.results.BASE_IMAGE) workspaces: - name: workspace workspace: workspace @@ -77,9 +76,9 @@ value: name: fbc-related-image-check when: - - input: $(params.skip-checks) - operator: in - values: ["false"] + - input: $(params.skip-checks) + operator: in + values: ["false"] runAfter: - fbc-validate taskRef: @@ -88,6 +87,7 @@ workspaces: - name: workspace workspace: workspace + # - op: remove # # build-source-image as source images are not needed for FBC components # path: /spec/tasks/4 diff --git a/pipelines/java-builder/kustomization.yaml b/pipelines/java-builder/kustomization.yaml index 64f7ba8a8..ded6d9429 100644 --- a/pipelines/java-builder/kustomization.yaml +++ b/pipelines/java-builder/kustomization.yaml @@ -1,9 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ../template-build - + - ../template-build patches: -- path: patch.yaml - target: - kind: Pipeline + - path: patch.yaml + target: + kind: Pipeline diff --git a/pipelines/java-builder/patch.yaml b/pipelines/java-builder/patch.yaml index 3e5e4990e..b42d634a1 100644 --- a/pipelines/java-builder/patch.yaml +++ b/pipelines/java-builder/patch.yaml @@ -1,4 +1,3 @@ ---- - op: replace path: /metadata/name value: java-builder @@ -16,14 +15,14 @@ - op: add path: /spec/tasks/3/params value: - - name: PATH_CONTEXT - value: $(params.path-context) - - name: IMAGE - value: "$(params.output-image)" - - name: IMAGE_EXPIRES_AFTER - value: "$(params.image-expires-after)" - - name: COMMIT_SHA - value: "$(tasks.clone-repository.results.commit)" + - name: PATH_CONTEXT + value: $(params.path-context) + - name: IMAGE + value: "$(params.output-image)" + - name: IMAGE_EXPIRES_AFTER + value: "$(params.image-expires-after)" + - name: COMMIT_SHA + value: "$(tasks.clone-repository.results.commit)" - op: add path: /spec/results/- value: 
diff --git a/pipelines/kustomization.yaml b/pipelines/kustomization.yaml index 9a53f3bb2..c90e4dc13 100644 --- a/pipelines/kustomization.yaml +++ b/pipelines/kustomization.yaml @@ -1,11 +1,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- docker-build -- java-builder -- nodejs-builder -- enterprise-contract.yaml -- enterprise-contract-everything.yaml -- enterprise-contract-slsa3.yaml -- fbc-builder -- tekton-bundle-builder + - docker-build + - java-builder + - nodejs-builder + - enterprise-contract.yaml + - enterprise-contract-everything.yaml + - enterprise-contract-slsa3.yaml + - fbc-builder + - tekton-bundle-builder diff --git a/pipelines/nodejs-builder/kustomization.yaml b/pipelines/nodejs-builder/kustomization.yaml index 64f7ba8a8..ded6d9429 100644 --- a/pipelines/nodejs-builder/kustomization.yaml +++ b/pipelines/nodejs-builder/kustomization.yaml @@ -1,9 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ../template-build - + - ../template-build patches: -- path: patch.yaml - target: - kind: Pipeline + - path: patch.yaml + target: + kind: Pipeline diff --git a/pipelines/nodejs-builder/patch.yaml b/pipelines/nodejs-builder/patch.yaml index 117cfd39e..2743ff018 100644 --- a/pipelines/nodejs-builder/patch.yaml +++ b/pipelines/nodejs-builder/patch.yaml @@ -1,4 +1,3 @@ ---- - op: replace path: /metadata/name value: nodejs-builder @@ -16,11 +15,11 @@ - op: add path: /spec/tasks/3/params value: - - name: PATH_CONTEXT - value: $(params.path-context) - - name: IMAGE - value: "$(params.output-image)" - - name: IMAGE_EXPIRES_AFTER - value: "$(params.image-expires-after)" - - name: COMMIT_SHA - value: "$(tasks.clone-repository.results.commit)" + - name: PATH_CONTEXT + value: $(params.path-context) + - name: IMAGE + value: "$(params.output-image)" + - name: IMAGE_EXPIRES_AFTER + value: "$(params.image-expires-after)" + - name: COMMIT_SHA + value: "$(tasks.clone-repository.results.commit)" 
diff --git a/pipelines/prototypes/noop.yaml b/pipelines/prototypes/noop.yaml index 13edb5ff7..74dab0304 100644 --- a/pipelines/prototypes/noop.yaml +++ b/pipelines/prototypes/noop.yaml @@ -106,7 +106,6 @@ spec: echo "Build Image is in 'build.appstudio.openshift.io/image' " echo 'oc get pr $(context.pipelineRun.name) -o jsonpath="{.metadata.annotations.build\.appstudio\.openshift\.io/image}"' - runAfter: - task1 - task3 diff --git a/pipelines/prototypes/prototype-build-compliance.yaml b/pipelines/prototypes/prototype-build-compliance.yaml index bd3b4a451..3c5eb55bf 100644 --- a/pipelines/prototypes/prototype-build-compliance.yaml +++ b/pipelines/prototypes/prototype-build-compliance.yaml @@ -388,27 +388,27 @@ spec: name: summary version: "0.1" params: - - name: pipeline-run-name - value: "$(context.pipelineRun.name)" - - name: git-url - value: "$(params.git-url)" - - name: image-url - value: $(params.output-image) + - name: pipeline-run-name + value: "$(context.pipelineRun.name)" + - name: git-url + value: "$(params.git-url)" + - name: image-url + value: $(params.output-image) - name: message-slack-summary when: - - input: $(params.slack-webhook) - operator: notin - values: [""] + - input: $(params.slack-webhook) + operator: notin + values: [""] runAfter: - record-results-show-summary taskRef: name: utils-task version: "0.1" params: - - name: SCRIPT - value: | - #!/usr/bin/env bash - echo "This is a placeholder for message-slack-summary" + - name: SCRIPT + value: | + #!/usr/bin/env bash + echo "This is a placeholder for message-slack-summary" workspaces: - name: workspace - name: git-auth diff --git a/pipelines/tekton-bundle-builder/kustomization.yaml b/pipelines/tekton-bundle-builder/kustomization.yaml index 3a8672723..28cf3fd7b 100644 --- a/pipelines/tekton-bundle-builder/kustomization.yaml +++ b/pipelines/tekton-bundle-builder/kustomization.yaml 
@@ -1,36 +1,35 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ../template-build - + - ../template-build patches: -# Use the template-build as a template replacing the Pipeline name and the -# `build-container` step's task reference -- patch: |- - - op: replace - path: /metadata/name - value: tekton-bundle-builder - - op: replace - path: /spec/tasks/3/taskRef - value: - name: tkn-bundle - version: "0.1" - - op: add - path: /spec/tasks/3/params - value: - - name: IMAGE - value: $(params.output-image) - - name: CONTEXT - value: $(params.path-context) - # Remove tasks that assume a binary image - - op: remove - path: /spec/tasks/9 # sbom-json-check - - op: remove - path: /spec/tasks/5 # deprecated-base-image-check - - op: remove - path: /spec/tasks/4 # build-source-image - - op: remove - path: /spec/finally/0 # show-sbom - target: - kind: Pipeline - name: template-build + # Use the template-build as a template replacing the Pipeline name and the + # `build-container` step's task reference + - patch: |- + - op: replace + path: /metadata/name + value: tekton-bundle-builder + - op: replace + path: /spec/tasks/3/taskRef + value: + name: tkn-bundle + version: "0.1" + - op: add + path: /spec/tasks/3/params + value: + - name: IMAGE + value: $(params.output-image) + - name: CONTEXT + value: $(params.path-context) + # Remove tasks that assume a binary image + - op: remove + path: /spec/tasks/9 # sbom-json-check + - op: remove + path: /spec/tasks/5 # deprecated-base-image-check + - op: remove + path: /spec/tasks/4 # build-source-image + - op: remove + path: /spec/finally/0 # show-sbom + target: + kind: Pipeline + name: template-build diff --git a/pipelines/template-build/kustomization.yaml b/pipelines/template-build/kustomization.yaml index d23310fd0..0b68504df 100644 --- a/pipelines/template-build/kustomization.yaml +++ b/pipelines/template-build/kustomization.yaml 
@@ -1,4 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- template-build.yaml + - template-build.yaml diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml index 93d2cc182..97005a1f0 100644 --- a/pipelines/template-build/template-build.yaml +++ b/pipelines/template-build/template-build.yaml @@ -67,9 +67,9 @@ spec: version: "0.2" - name: clone-repository when: - - input: $(tasks.init.results.build) - operator: in - values: ["true"] + - input: $(tasks.init.results.build) + operator: in + values: ["true"] runAfter: - init params: @@ -87,9 +87,9 @@ spec: workspace: git-auth - name: prefetch-dependencies when: - - input: $(params.hermetic) - operator: in - values: ["true"] + - input: $(params.hermetic) + operator: in + values: ["true"] params: - name: input value: $(params.prefetch-input) @@ -103,9 +103,9 @@ spec: workspace: workspace - name: build-container when: - - input: $(tasks.init.results.build) - operator: in - values: ["true"] + - input: $(tasks.init.results.build) + operator: in + values: ["true"] runAfter: - prefetch-dependencies taskRef: 
@@ -136,97 +136,96 @@ spec: workspace: workspace - name: deprecated-base-image-check when: - - input: $(params.skip-checks) - operator: in - values: ["false"] + - input: $(params.skip-checks) + operator: in + values: ["false"] taskRef: name: deprecated-image-check version: "0.3" params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) runAfter: - build-container - name: clair-scan when: - - input: $(params.skip-checks) - operator: in - values: ["false"] + - input: $(params.skip-checks) + operator: in + values: ["false"] runAfter: - build-container taskRef: name: clair-scan version: "0.1" params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) - name: sast-snyk-check when: - - input: $(params.skip-checks) - operator: in - values: ["false"] + - input: $(params.skip-checks) + operator: in + values: ["false"] runAfter: - clone-repository taskRef: name: sast-snyk-check version: "0.1" workspaces: - - name: workspace - workspace: workspace + - name: workspace + workspace: workspace - name: clamav-scan when: - - input: $(params.skip-checks) - operator: in - values: ["false"] + - input: $(params.skip-checks) + operator: in + values: ["false"] runAfter: - build-container taskRef: name: clamav-scan version: "0.1" params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) - name: sbom-json-check when: - - input: $(params.skip-checks) - operator: in - 
values: ["false"] + - input: $(params.skip-checks) + operator: in + values: ["false"] runAfter: - build-container taskRef: name: sbom-json-check version: "0.1" params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) finally: - name: show-sbom taskRef: name: show-sbom version: "0.1" params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) - name: show-summary taskRef: name: summary version: "0.1" params: - - name: pipelinerun-name - value: "$(context.pipelineRun.name)" - - name: git-url - value: "$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)" - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) + - name: pipelinerun-name + value: "$(context.pipelineRun.name)" + - name: git-url + value: "$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)" + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-container.status) results: - name: IMAGE_URL value: "$(tasks.build-container.results.IMAGE_URL)" diff --git a/task/build-image-manifest/0.1/build-image-manifest.yaml b/task/build-image-manifest/0.1/build-image-manifest.yaml index 54d0c0e44..e96bc207c 100644 --- a/task/build-image-manifest/0.1/build-image-manifest.yaml +++ b/task/build-image-manifest/0.1/build-image-manifest.yaml 
@@ -12,97 +12,97 @@ spec: description: |- This takes existing images and stiches them together into a multi platform image. params: - - description: Reference of the image buildah will produce. - name: IMAGE - type: string - - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - name: TLSVERIFY - type: string - - name: COMMIT_SHA - description: The image is built from this commit. - type: string - default: "" - - name: IMAGES - description: List of images that are to be merged into the multi platform image - type: array - - default: "" - description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. - name: IMAGE_EXPIRES_AFTER - type: string + - description: Reference of the image buildah will produce. + name: IMAGE + type: string + - default: "true" + description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) + name: TLSVERIFY + type: string + - name: COMMIT_SHA + description: The image is built from this commit. + type: string + default: "" + - name: IMAGES + description: List of images that are to be merged into the multi platform image + type: array + - default: "" + description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. 
+ name: IMAGE_EXPIRES_AFTER + type: string results: - - description: Digest of the image just built - name: IMAGE_DIGEST - - description: Image repository where the built image was pushed - name: IMAGE_URL + - description: Digest of the image just built + name: IMAGE_DIGEST + - description: Image repository where the built image was pushed + name: IMAGE_URL stepTemplate: env: - - name: BUILDAH_FORMAT - value: oci - - name: STORAGE_DRIVER - value: vfs - - name: IMAGE - value: $(params.IMAGE) - - name: TLSVERIFY - value: $(params.TLSVERIFY) + - name: BUILDAH_FORMAT + value: oci + - name: STORAGE_DRIVER + value: vfs + - name: IMAGE + value: $(params.IMAGE) + - name: TLSVERIFY + value: $(params.TLSVERIFY) steps: - - image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
- name: build - computeResources: - limits: - memory: 4Gi - requests: - memory: 512Mi - cpu: 250m - env: - - name: COMMIT_SHA - value: $(params.COMMIT_SHA) - args: ["$(params.IMAGES[*])"] - script: | - #!/bin/bash - # Fixing group permission on /var/lib/containers - set -eu - set -o pipefail - chown root:root /var/lib/containers + - image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + name: build + computeResources: + limits: + memory: 4Gi + requests: + memory: 512Mi + cpu: 250m + env: + - name: COMMIT_SHA + value: $(params.COMMIT_SHA) + args: ["$(params.IMAGES[*])"] + script: | + #!/bin/bash + # Fixing group permission on /var/lib/containers + set -eu + set -o pipefail + chown root:root /var/lib/containers - sed -i 's/^\s*short-name-mode\s*=\s*.*/short-name-mode = "disabled"/' /etc/containers/registries.conf + sed -i 's/^\s*short-name-mode\s*=\s*.*/short-name-mode = "disabled"/' /etc/containers/registries.conf - buildah manifest create "$IMAGE" - for i in $@ - do - TOADD="$i" - if [[ $(echo $i | tr -cd ":" | wc -c) == 2 ]]; then - #we need to remove the tag, and just reference the digest - #as tag + digest is not supported - TOADD="$(echo $i | cut -d: -f1)@sha256:$(echo $i | cut -d: -f3)" - fi - echo "Adding $TOADD" - buildah manifest add $IMAGE "docker://$TOADD" - done + buildah manifest create "$IMAGE" + for i in $@ + do + TOADD="$i" + if [[ $(echo $i | tr -cd ":" | wc -c) == 2 ]]; then + #we need to remove the tag, and just reference the digest + #as tag + digest is not supported + TOADD="$(echo $i | cut -d: -f1)@sha256:$(echo $i 
| cut -d: -f3)" + fi + echo "Adding $TOADD" + buildah manifest add $IMAGE "docker://$TOADD" + done - status=-1 - max_run=5 - sleep_sec=10 - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - echo "Pushing image to registry" - buildah manifest push \ - --tls-verify=$TLSVERIFY \ - --digestfile image-digest $IMAGE \ - docker://$IMAGE && break || status=$? - done - if [ "$status" -ne 0 ]; then - echo "Failed to push image to registry after ${max_run} tries" - exit 1 - fi + status=-1 + max_run=5 + sleep_sec=10 + for run in $(seq 1 $max_run); do + status=0 + [ "$run" -gt 1 ] && sleep $sleep_sec + echo "Pushing image to registry" + buildah manifest push \ + --tls-verify=$TLSVERIFY \ + --digestfile image-digest $IMAGE \ + docker://$IMAGE && break || status=$? + done + if [ "$status" -ne 0 ]; then + echo "Failed to push image to registry after ${max_run} tries" + exit 1 + fi - cat image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) - securityContext: - capabilities: - add: - - SETFCAP + cat image-digest | tee $(results.IMAGE_DIGEST.path) + echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + securityContext: + capabilities: + add: + - SETFCAP diff --git a/task/build-image-manifest/0.1/kustomization.yaml b/task/build-image-manifest/0.1/kustomization.yaml index 2ffff583c..7f9440970 100644 --- a/task/build-image-manifest/0.1/kustomization.yaml +++ b/task/build-image-manifest/0.1/kustomization.yaml @@ -1,5 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization - resources: -- build-image-manifest.yaml + - build-image-manifest.yaml diff --git a/task/buildah-10gb/0.1/kustomization.yaml b/task/buildah-10gb/0.1/kustomization.yaml index 2226896cc..18d7fd144 100644 --- a/task/buildah-10gb/0.1/kustomization.yaml +++ b/task/buildah-10gb/0.1/kustomization.yaml 
@@ -1,10 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization - resources: - ../../buildah/0.1 - patches: -- path: patch.yaml - target: - kind: Task + - path: patch.yaml + target: + kind: Task diff --git a/task/buildah-6gb/0.1/kustomization.yaml b/task/buildah-6gb/0.1/kustomization.yaml index 2226896cc..18d7fd144 100644 --- a/task/buildah-6gb/0.1/kustomization.yaml +++ b/task/buildah-6gb/0.1/kustomization.yaml @@ -1,10 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization - resources: - ../../buildah/0.1 - patches: -- path: patch.yaml - target: - kind: Task + - path: patch.yaml + target: + kind: Task diff --git a/task/buildah-8gb/0.1/kustomization.yaml b/task/buildah-8gb/0.1/kustomization.yaml index 2226896cc..18d7fd144 100644 --- a/task/buildah-8gb/0.1/kustomization.yaml +++ b/task/buildah-8gb/0.1/kustomization.yaml @@ -1,10 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization - resources: - ../../buildah/0.1 - patches: -- path: patch.yaml - target: - kind: Task + - path: patch.yaml + target: + kind: Task diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index abe6d77bf..f563ea8a3 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml 
@@ -16,439 +16,433 @@ spec: When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. params: - - description: Reference of the image buildah will produce. - name: IMAGE - type: string - - default: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb - description: The location of the buildah builder image. - name: BUILDER_IMAGE - type: string - - default: ./Dockerfile - description: Path to the Dockerfile to build. - name: DOCKERFILE - type: string - - default: . - description: Path to the directory to use as context. - name: CONTEXT - type: string - - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS - registry) - name: TLSVERIFY - type: string - - default: "" - description: unused, should be removed in next task version - name: DOCKER_AUTH - type: string - - default: "false" - description: Determines if build will be executed without network access. - name: HERMETIC - type: string - - default: "" - description: In case it is not empty, the prefetched content should be made available - to the build. - name: PREFETCH_INPUT - type: string - - default: "" - description: Delete image tag after specified time. Empty means to keep the image - tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, - respectively. - name: IMAGE_EXPIRES_AFTER - type: string - - default: "" - description: The image is built from this commit. 
- name: COMMIT_SHA - type: string - - default: repos.d - description: Path in the git repository in which yum repository files are stored - name: YUM_REPOS_D_SRC - - default: fetched.repos.d - description: Path in source workspace where dynamically-fetched repos are present - name: YUM_REPOS_D_FETCHED - - default: /etc/yum.repos.d - description: Target path on the container in which yum repository files should - be made available - name: YUM_REPOS_D_TARGET - - description: The platform to build on - name: PLATFORM - type: string + - description: Reference of the image buildah will produce. + name: IMAGE + type: string + - default: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb + description: The location of the buildah builder image. + name: BUILDER_IMAGE + type: string + - default: ./Dockerfile + description: Path to the Dockerfile to build. + name: DOCKERFILE + type: string + - default: . + description: Path to the directory to use as context. + name: CONTEXT + type: string + - default: "true" + description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) + name: TLSVERIFY + type: string + - default: "" + description: unused, should be removed in next task version + name: DOCKER_AUTH + type: string + - default: "false" + description: Determines if build will be executed without network access. + name: HERMETIC + type: string + - default: "" + description: In case it is not empty, the prefetched content should be made available to the build. + name: PREFETCH_INPUT + type: string + - default: "" + description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. + name: IMAGE_EXPIRES_AFTER + type: string + - default: "" + description: The image is built from this commit. 
+ name: COMMIT_SHA + type: string + - default: repos.d + description: Path in the git repository in which yum repository files are stored + name: YUM_REPOS_D_SRC + - default: fetched.repos.d + description: Path in source workspace where dynamically-fetched repos are present + name: YUM_REPOS_D_FETCHED + - default: /etc/yum.repos.d + description: Target path on the container in which yum repository files should be made available + name: YUM_REPOS_D_TARGET + - description: The platform to build on + name: PLATFORM + type: string results: - - description: Digest of the image just built - name: IMAGE_DIGEST - - description: Image repository where the built image was pushed - name: IMAGE_URL - - description: Digests of the base images used for build - name: BASE_IMAGES_DIGESTS - - description: The counting of Java components by publisher in JSON format - name: SBOM_JAVA_COMPONENTS_COUNT - type: string - - description: The Java dependencies that came from community sources such as Maven - central. - name: JAVA_COMMUNITY_DEPENDENCIES + - description: Digest of the image just built + name: IMAGE_DIGEST + - description: Image repository where the built image was pushed + name: IMAGE_URL + - description: Digests of the base images used for build + name: BASE_IMAGES_DIGESTS + - description: The counting of Java components by publisher in JSON format + name: SBOM_JAVA_COMPONENTS_COUNT + type: string + - description: The Java dependencies that came from community sources such as Maven central. 
+ name: JAVA_COMMUNITY_DEPENDENCIES stepTemplate: computeResources: {} env: - - name: BUILDAH_FORMAT - value: oci - - name: STORAGE_DRIVER - value: vfs - - name: HERMETIC - value: $(params.HERMETIC) - - name: PREFETCH_INPUT - value: $(params.PREFETCH_INPUT) - - name: CONTEXT - value: $(params.CONTEXT) - - name: DOCKERFILE - value: $(params.DOCKERFILE) - - name: IMAGE - value: $(params.IMAGE) - - name: TLSVERIFY - value: $(params.TLSVERIFY) - - name: IMAGE_EXPIRES_AFTER - value: $(params.IMAGE_EXPIRES_AFTER) - - name: YUM_REPOS_D_SRC - value: $(params.YUM_REPOS_D_SRC) - - name: YUM_REPOS_D_FETCHED - value: $(params.YUM_REPOS_D_FETCHED) - - name: YUM_REPOS_D_TARGET - value: $(params.YUM_REPOS_D_TARGET) - - name: BUILDER_IMAGE - value: $(params.BUILDER_IMAGE) + - name: BUILDAH_FORMAT + value: oci + - name: STORAGE_DRIVER + value: vfs + - name: HERMETIC + value: $(params.HERMETIC) + - name: PREFETCH_INPUT + value: $(params.PREFETCH_INPUT) + - name: CONTEXT + value: $(params.CONTEXT) + - name: DOCKERFILE + value: $(params.DOCKERFILE) + - name: IMAGE + value: $(params.IMAGE) + - name: TLSVERIFY + value: $(params.TLSVERIFY) + - name: IMAGE_EXPIRES_AFTER + value: $(params.IMAGE_EXPIRES_AFTER) + - name: YUM_REPOS_D_SRC + value: $(params.YUM_REPOS_D_SRC) + - name: YUM_REPOS_D_FETCHED + value: $(params.YUM_REPOS_D_FETCHED) + - name: YUM_REPOS_D_TARGET + value: $(params.YUM_REPOS_D_TARGET) + - name: BUILDER_IMAGE + value: $(params.BUILDER_IMAGE) steps: - - computeResources: - limits: - memory: 4Gi - requests: - cpu: 250m - memory: 512Mi - env: - - name: COMMIT_SHA - value: $(params.COMMIT_SHA) - image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44 - name: build - script: |- - set -o verbose - mkdir -p ~/.ssh - if [ -e "/ssh/error" ]; then - #no server could be provisioned - cat /ssh/error - exit 1 - elif [ -e "/ssh/otp" ]; then - curl --cacert /ssh/otp-ca -XPOST -d 
@/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa - echo "" >> ~/.ssh/id_rsa - else - cp /ssh/id_rsa ~/.ssh - fi - chmod 0400 ~/.ssh/id_rsa - export SSH_HOST=$(cat /ssh/host) - export BUILD_DIR=$(cat /ssh/user-dir) - export SSH_ARGS="-o StrictHostKeyChecking=no" - mkdir -p scripts - echo "$BUILD_DIR" - ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" + - computeResources: + limits: + memory: 4Gi + requests: + cpu: 250m + memory: 512Mi + env: + - name: COMMIT_SHA + value: $(params.COMMIT_SHA) + image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44 + name: build + script: |- + set -o verbose + mkdir -p ~/.ssh + if [ -e "/ssh/error" ]; then + #no server could be provisioned + cat /ssh/error + exit 1 + elif [ -e "/ssh/otp" ]; then + curl --cacert /ssh/otp-ca -XPOST -d @/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa + echo "" >> ~/.ssh/id_rsa + else + cp /ssh/id_rsa ~/.ssh + fi + chmod 0400 ~/.ssh/id_rsa + export SSH_HOST=$(cat /ssh/host) + export BUILD_DIR=$(cat /ssh/user-dir) + export SSH_ARGS="-o StrictHostKeyChecking=no" + mkdir -p scripts + echo "$BUILD_DIR" + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" - PORT_FORWARD="" - PODMAN_PORT_FORWARD="" - if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] ; then - PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" - PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" - fi + PORT_FORWARD="" + PODMAN_PORT_FORWARD="" + if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] ; then + PORT_FORWARD=" -L 80:$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR:80" + PODMAN_PORT_FORWARD=" -e JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR=localhost" + fi - rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/" - rsync -ra "$HOME/.docker/" 
"$SSH_HOST:$BUILD_DIR/.docker/" - rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/tekton-results/" - cat >scripts/script-build.sh <<'REMOTESSHEOF' - #!/bin/bash - set -o verbose - set -e - cd $(workspaces.source.path) - SOURCE_CODE_DIR=source - if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then - dockerfile_path="$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" - elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then - dockerfile_path="$SOURCE_CODE_DIR/$DOCKERFILE" - elif echo "$DOCKERFILE" | grep -q "^https\?://"; then - echo "Fetch Dockerfile from $DOCKERFILE" - dockerfile_path=$(mktemp --suffix=-Dockerfile) - http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path" "$DOCKERFILE") - if [ $http_code != 200 ]; then - echo "No Dockerfile is fetched. Server responds $http_code" + rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/" + rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" + rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/tekton-results/" + cat >scripts/script-build.sh <<'REMOTESSHEOF' + #!/bin/bash + set -o verbose + set -e + cd $(workspaces.source.path) + SOURCE_CODE_DIR=source + if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then + dockerfile_path="$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" + elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then + dockerfile_path="$SOURCE_CODE_DIR/$DOCKERFILE" + elif echo "$DOCKERFILE" | grep -q "^https\?://"; then + echo "Fetch Dockerfile from $DOCKERFILE" + dockerfile_path=$(mktemp --suffix=-Dockerfile) + http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path" "$DOCKERFILE") + if [ $http_code != 200 ]; then + echo "No Dockerfile is fetched. 
Server responds $http_code" + exit 1 + fi + http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path.dockerignore.tmp" "$DOCKERFILE.dockerignore") + if [ $http_code = 200 ]; then + echo "Fetched .dockerignore from $DOCKERFILE.dockerignore" + mv "$dockerfile_path.dockerignore.tmp" $SOURCE_CODE_DIR/$CONTEXT/.dockerignore + fi + else + echo "Cannot find Dockerfile $DOCKERFILE" exit 1 fi - http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path.dockerignore.tmp" "$DOCKERFILE.dockerignore") - if [ $http_code = 200 ]; then - echo "Fetched .dockerignore from $DOCKERFILE.dockerignore" - mv "$dockerfile_path.dockerignore.tmp" $SOURCE_CODE_DIR/$CONTEXT/.dockerignore + if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then + sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path" + touch /var/lib/containers/java fi - else - echo "Cannot find Dockerfile $DOCKERFILE" - exit 1 - fi - if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then - sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path" - touch /var/lib/containers/java - fi - # Fixing group permission on /var/lib/containers - chown root:root /var/lib/containers + # Fixing group permission on /var/lib/containers + chown root:root /var/lib/containers - sed -i 's/^\s*short-name-mode\s*=\s*.*/short-name-mode = "disabled"/' /etc/containers/registries.conf + sed -i 's/^\s*short-name-mode\s*=\s*.*/short-name-mode = "disabled"/' /etc/containers/registries.conf - # Setting new namespace to run buildah - 2^32-2 - echo 'root:1:4294967294' | tee -a 
/etc/subuid >> /etc/subgid + # Setting new namespace to run buildah - 2^32-2 + echo 'root:1:4294967294' | tee -a /etc/subuid >> /etc/subgid - if [ "${HERMETIC}" == "true" ]; then - BUILDAH_ARGS="--pull=never" - UNSHARE_ARGS="--net" - for image in $(grep -i '^\s*FROM' "$dockerfile_path" | sed 's/--platform=\S*//' | awk '{print $2}'); do - if [ "${image}" != "scratch" ]; then - unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image - fi - done - echo "Build will be executed with network isolation" - fi + if [ "${HERMETIC}" == "true" ]; then + BUILDAH_ARGS="--pull=never" + UNSHARE_ARGS="--net" + for image in $(grep -i '^\s*FROM' "$dockerfile_path" | sed 's/--platform=\S*//' | awk '{print $2}'); do + if [ "${image}" != "scratch" ]; then + unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image + fi + done + echo "Build will be executed with network isolation" + fi - if [ -n "${PREFETCH_INPUT}" ]; then - cp -r cachi2 /tmp/ - chmod -R go+rwX /tmp/cachi2 - VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2" - sed -i 's|^\s*run |RUN . /cachi2/cachi2.env \&\& \\\n |i' "$dockerfile_path" - echo "Prefetched content will be made available" - fi + if [ -n "${PREFETCH_INPUT}" ]; then + cp -r cachi2 /tmp/ + chmod -R go+rwX /tmp/cachi2 + VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2" + sed -i 's|^\s*run |RUN . 
/cachi2/cachi2.env \&\& \\\n |i' "$dockerfile_path" + echo "Prefetched content will be made available" + fi - # if yum repofiles stored in git, copy them to mount point outside the source dir - if [ -d "${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}" ]; then - mkdir -p ${YUM_REPOS_D_FETCHED} - cp -r ${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}/* ${YUM_REPOS_D_FETCHED} - fi + # if yum repofiles stored in git, copy them to mount point outside the source dir + if [ -d "${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}" ]; then + mkdir -p ${YUM_REPOS_D_FETCHED} + cp -r ${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}/* ${YUM_REPOS_D_FETCHED} + fi - # if anything in the repofiles mount point (either fetched or from git), mount it - if [ -d "${YUM_REPOS_D_FETCHED}" ]; then - chmod -R go+rwX ${YUM_REPOS_D_FETCHED} - mount_point=$(realpath ${YUM_REPOS_D_FETCHED}) - VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume ${mount_point}:${YUM_REPOS_D_TARGET}" - fi + # if anything in the repofiles mount point (either fetched or from git), mount it + if [ -d "${YUM_REPOS_D_FETCHED}" ]; then + chmod -R go+rwX ${YUM_REPOS_D_FETCHED} + mount_point=$(realpath ${YUM_REPOS_D_FETCHED}) + VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume ${mount_point}:${YUM_REPOS_D_TARGET}" + fi - LABELS=( - "--label" "build-date=$(date -u +'%Y-%m-%dT%H:%M:%S')" - "--label" "architecture=$(uname -m)" - "--label" "vcs-type=git" - ) - [ -n "$COMMIT_SHA" ] && LABELS+=("--label" "vcs-ref=$COMMIT_SHA") - [ -n "$IMAGE_EXPIRES_AFTER" ] && LABELS+=("--label" "quay.expires-after=$IMAGE_EXPIRES_AFTER") + LABELS=( + "--label" "build-date=$(date -u +'%Y-%m-%dT%H:%M:%S')" + "--label" "architecture=$(uname -m)" + "--label" "vcs-type=git" + ) + [ -n "$COMMIT_SHA" ] && LABELS+=("--label" "vcs-ref=$COMMIT_SHA") + [ -n "$IMAGE_EXPIRES_AFTER" ] && LABELS+=("--label" "quay.expires-after=$IMAGE_EXPIRES_AFTER") - unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah build \ - $VOLUME_MOUNTS \ - $BUILDAH_ARGS \ - ${LABELS[@]} \ - 
--tls-verify=$TLSVERIFY --no-cache \ - --ulimit nofile=4096:4096 \ - -f "$dockerfile_path" -t $IMAGE $SOURCE_CODE_DIR/$CONTEXT + unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah build \ + $VOLUME_MOUNTS \ + $BUILDAH_ARGS \ + ${LABELS[@]} \ + --tls-verify=$TLSVERIFY --no-cache \ + --ulimit nofile=4096:4096 \ + -f "$dockerfile_path" -t $IMAGE $SOURCE_CODE_DIR/$CONTEXT - container=$(buildah from --pull-never $IMAGE) - buildah mount $container | tee /workspace/container_path - echo $container > /workspace/container_name + container=$(buildah from --pull-never $IMAGE) + buildah mount $container | tee /workspace/container_path + echo $container > /workspace/container_name - # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later - if [ -n "${PREFETCH_INPUT}" ]; then - cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json - fi + # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later + if [ -n "${PREFETCH_INPUT}" ]; then + cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json + fi - # Expose base image digests - buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) + # Expose base image digests + buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) - buildah push "$IMAGE" oci:rhtap-final-image - REMOTESSHEOF - chmod +x scripts/script-build.sh - rsync -ra scripts "$SSH_HOST:$BUILD_DIR" - ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ - -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ - -e STORAGE_DRIVER="$STORAGE_DRIVER" \ - -e HERMETIC="$HERMETIC" \ - -e PREFETCH_INPUT="$PREFETCH_INPUT" \ - -e CONTEXT="$CONTEXT" \ - -e DOCKERFILE="$DOCKERFILE" \ - -e IMAGE="$IMAGE" \ - -e TLSVERIFY="$TLSVERIFY" \ - -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ - -e YUM_REPOS_D_SRC="$YUM_REPOS_D_SRC" \ - -e YUM_REPOS_D_FETCHED="$YUM_REPOS_D_FETCHED" \ - -e 
YUM_REPOS_D_TARGET="$YUM_REPOS_D_TARGET" \ - -e COMMIT_SHA="$COMMIT_SHA" \ - -v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \ - -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ - -v "$BUILD_DIR/tekton-results/:/tekton/results:Z" \ - -v $BUILD_DIR/scripts:/script:Z \ - --user=0 --rm "$BUILDER_IMAGE" /script/script-build.sh - rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/source/" "$(workspaces.source.path)/" - rsync -ra "$SSH_HOST:$BUILD_DIR/tekton-results/" "/tekton/results/" - buildah pull oci:rhtap-final-image - buildah images - buildah tag localhost/rhtap-final-image "$IMAGE" - container=$(buildah from --pull-never "$IMAGE") - buildah mount "$container" | tee /workspace/container_path - echo $container > /workspace/container_name - securityContext: - capabilities: - add: - - SETFCAP - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - mountPath: /ssh - name: ssh - readOnly: true - workingDir: $(workspaces.source.path) - - computeResources: {} - image: quay.io/redhat-appstudio/syft:v0.98.0@sha256:4d3856e6a2622700b9a9d5d74d9aaf5d8a55671653f80bf6c636677658680ede - name: sbom-syft-generate - script: | - syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json - find $(cat /workspace/container_path) -xtype l -delete - syft dir:$(cat /workspace/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - computeResources: {} - image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 - name: analyse-dependencies-java-sbom - script: | - if [ -f /var/lib/containers/java ]; then - /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /workspace/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) - sed -i 's/^/ /' 
$(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875 - else - touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path) - fi - securityContext: - runAsUser: 0 - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - computeResources: {} - image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f - name: merge-syft-sboms - script: | - #!/bin/python3 - import json + buildah push "$IMAGE" oci:rhtap-final-image + REMOTESSHEOF + chmod +x scripts/script-build.sh + rsync -ra scripts "$SSH_HOST:$BUILD_DIR" + ssh $SSH_ARGS "$SSH_HOST" $PORT_FORWARD podman run $PODMAN_PORT_FORWARD \ + -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ + -e STORAGE_DRIVER="$STORAGE_DRIVER" \ + -e HERMETIC="$HERMETIC" \ + -e PREFETCH_INPUT="$PREFETCH_INPUT" \ + -e CONTEXT="$CONTEXT" \ + -e DOCKERFILE="$DOCKERFILE" \ + -e IMAGE="$IMAGE" \ + -e TLSVERIFY="$TLSVERIFY" \ + -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" \ + -e YUM_REPOS_D_SRC="$YUM_REPOS_D_SRC" \ + -e YUM_REPOS_D_FETCHED="$YUM_REPOS_D_FETCHED" \ + -e YUM_REPOS_D_TARGET="$YUM_REPOS_D_TARGET" \ + -e COMMIT_SHA="$COMMIT_SHA" \ + -v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \ + -v "$BUILD_DIR/.docker/:/root/.docker:Z" \ + -v "$BUILD_DIR/tekton-results/:/tekton/results:Z" \ + -v $BUILD_DIR/scripts:/script:Z \ + --user=0 --rm "$BUILDER_IMAGE" /script/script-build.sh + rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/source/" "$(workspaces.source.path)/" + rsync -ra "$SSH_HOST:$BUILD_DIR/tekton-results/" "/tekton/results/" + buildah pull oci:rhtap-final-image + buildah images + buildah tag localhost/rhtap-final-image "$IMAGE" + container=$(buildah from --pull-never "$IMAGE") + buildah mount "$container" | tee /workspace/container_path + echo $container > /workspace/container_name + securityContext: + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - mountPath: /ssh + name: ssh + 
readOnly: true + workingDir: $(workspaces.source.path) + - computeResources: {} + image: quay.io/redhat-appstudio/syft:v0.98.0@sha256:4d3856e6a2622700b9a9d5d74d9aaf5d8a55671653f80bf6c636677658680ede + name: sbom-syft-generate + script: | + syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json + find $(cat /workspace/container_path) -xtype l -delete + syft dir:$(cat /workspace/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - computeResources: {} + image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 + name: analyse-dependencies-java-sbom + script: | + if [ -f /var/lib/containers/java ]; then + /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /workspace/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) + sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875 + else + touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path) + fi + securityContext: + runAsUser: 0 + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - computeResources: {} + image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f + name: merge-syft-sboms + script: | + #!/bin/python3 + import json - # load SBOMs - with open("./sbom-image.json") as f: - image_sbom = json.load(f) + # load SBOMs + with open("./sbom-image.json") as f: + image_sbom = json.load(f) - with open("./sbom-source.json") as f: - source_sbom = json.load(f) + with open("./sbom-source.json") as f: + source_sbom = json.load(f) - # fetch unique components from available SBOMs - def get_identifier(component): - return component["name"] + '@' + component.get("version", "") + 
# fetch unique components from available SBOMs + def get_identifier(component): + return component["name"] + '@' + component.get("version", "") - image_sbom_components = image_sbom.get("components", []) - existing_components = [get_identifier(component) for component in image_sbom_components] + image_sbom_components = image_sbom.get("components", []) + existing_components = [get_identifier(component) for component in image_sbom_components] - source_sbom_components = source_sbom.get("components", []) - for component in source_sbom_components: - if get_identifier(component) not in existing_components: - image_sbom_components.append(component) - existing_components.append(get_identifier(component)) + source_sbom_components = source_sbom.get("components", []) + for component in source_sbom_components: + if get_identifier(component) not in existing_components: + image_sbom_components.append(component) + existing_components.append(get_identifier(component)) - image_sbom_components.sort(key=lambda c: get_identifier(c)) + image_sbom_components.sort(key=lambda c: get_identifier(c)) - # write the CycloneDX unified SBOM - with open("./sbom-cyclonedx.json", "w") as f: - json.dump(image_sbom, f, indent=4) - securityContext: - runAsUser: 0 - workingDir: $(workspaces.source.path) - - computeResources: {} - image: quay.io/redhat-appstudio/cachi2:0.4.0@sha256:001acfbad47e132a90998d45076a0dbe0d8beacf0bec12b4d9a5aa796f4a9cad - name: merge-cachi2-sbom - script: | - if [ -n "${PREFETCH_INPUT}" ]; then - echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" - /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json - mv sbom-temp.json sbom-cyclonedx.json - else - echo "Skipping step since no Cachi2 SBOM was produced" - fi - securityContext: - runAsUser: 0 - workingDir: $(workspaces.source.path) - - computeResources: {} - image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f 
- name: create-purl-sbom - script: | - #!/bin/python3 - import json + # write the CycloneDX unified SBOM + with open("./sbom-cyclonedx.json", "w") as f: + json.dump(image_sbom, f, indent=4) + securityContext: + runAsUser: 0 + workingDir: $(workspaces.source.path) + - computeResources: {} + image: quay.io/redhat-appstudio/cachi2:0.4.0@sha256:001acfbad47e132a90998d45076a0dbe0d8beacf0bec12b4d9a5aa796f4a9cad + name: merge-cachi2-sbom + script: | + if [ -n "${PREFETCH_INPUT}" ]; then + echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" + /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json + mv sbom-temp.json sbom-cyclonedx.json + else + echo "Skipping step since no Cachi2 SBOM was produced" + fi + securityContext: + runAsUser: 0 + workingDir: $(workspaces.source.path) + - computeResources: {} + image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f + name: create-purl-sbom + script: | + #!/bin/python3 + import json - with open("./sbom-cyclonedx.json") as f: - cyclonedx_sbom = json.load(f) + with open("./sbom-cyclonedx.json") as f: + cyclonedx_sbom = json.load(f) - purls = [{"purl": component["purl"]} for component in cyclonedx_sbom.get("components", []) if "purl" in component] - purl_content = {"image_contents": {"dependencies": purls}} + purls = [{"purl": component["purl"]} for component in cyclonedx_sbom.get("components", []) if "purl" in component] + purl_content = {"image_contents": {"dependencies": purls}} - with open("sbom-purl.json", "w") as output_file: - json.dump(purl_content, output_file, indent=4) - securityContext: - runAsUser: 0 - workingDir: $(workspaces.source.path) - - computeResources: {} - image: $(params.BUILDER_IMAGE) - name: inject-sbom-and-push - script: | - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') - base_image_digest=$(buildah inspect 
--format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) - container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container - buildah commit $container $IMAGE + with open("sbom-purl.json", "w") as output_file: + json.dump(purl_content, output_file, indent=4) + securityContext: + runAsUser: 0 + workingDir: $(workspaces.source.path) + - computeResources: {} + image: $(params.BUILDER_IMAGE) + name: inject-sbom-and-push + script: | + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') + base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) + container=$(buildah from --pull-never $IMAGE) + buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container + buildah commit $container $IMAGE - status=-1 - max_run=5 - sleep_sec=10 - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - echo "Pushing sbom image to registry" - buildah push \ - --tls-verify=$TLSVERIFY \ - --digestfile $(workspaces.source.path)/image-digest $IMAGE \ - docker://$IMAGE && break || status=$? 
- done - if [ "$status" -ne 0 ]; then - echo "Failed to push sbom image to registry after ${max_run} tries" - exit 1 - fi + status=-1 + max_run=5 + sleep_sec=10 + for run in $(seq 1 $max_run); do + status=0 + [ "$run" -gt 1 ] && sleep $sleep_sec + echo "Pushing sbom image to registry" + buildah push \ + --tls-verify=$TLSVERIFY \ + --digestfile $(workspaces.source.path)/image-digest $IMAGE \ + docker://$IMAGE && break || status=$? + done + if [ "$status" -ne 0 ]; then + echo "Failed to push sbom image to registry after ${max_run} tries" + exit 1 + fi - cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) - securityContext: - capabilities: - add: - - SETFCAP - runAsUser: 0 - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - workingDir: $(workspaces.source.path) - - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) - computeResources: {} - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - name: upload-sbom - workingDir: $(workspaces.source.path) + cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) + echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + securityContext: + capabilities: + add: + - SETFCAP + runAsUser: 0 + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + workingDir: $(workspaces.source.path) + - args: + - attach + - sbom + - --sbom + - sbom-cyclonedx.json + - --type + - cyclonedx + - $(params.IMAGE) + computeResources: {} + image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 + name: upload-sbom + workingDir: $(workspaces.source.path) volumes: - - emptyDir: {} - name: varlibcontainers - - name: ssh - secret: - optional: false - secretName: multi-platform-ssh-$(context.taskRun.name) + - emptyDir: {} + name: 
varlibcontainers + - name: ssh + secret: + optional: false + secretName: multi-platform-ssh-$(context.taskRun.name) workspaces: - - description: Workspace containing the source code to build. - name: source + - description: Workspace containing the source code to build. + name: source diff --git a/task/buildah-remote/0.1/kustomization.yaml b/task/buildah-remote/0.1/kustomization.yaml index fff6f6dcb..539d2d553 100644 --- a/task/buildah-remote/0.1/kustomization.yaml +++ b/task/buildah-remote/0.1/kustomization.yaml @@ -1,5 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization - resources: -- buildah-remote.yaml + - buildah-remote.yaml diff --git a/task/buildah-rhtap/0.1/buildah-rhtap.yaml b/task/buildah-rhtap/0.1/buildah-rhtap.yaml index 64e317834..ed15f5ab0 100644 --- a/task/buildah-rhtap/0.1/buildah-rhtap.yaml +++ b/task/buildah-rhtap/0.1/buildah-rhtap.yaml 
@@ -13,162 +13,158 @@ spec: Buildah task builds source code into a container image and pushes the image into container registry using buildah tool. In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool. params: - - description: Reference of the image buildah will produce. - name: IMAGE - type: string - - default: ./Dockerfile - description: Path to the Dockerfile to build. - name: DOCKERFILE - type: string - - default: . - description: Path to the directory to use as context. - name: CONTEXT - type: string - - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - name: TLSVERIFY - type: string + - description: Reference of the image buildah will produce. + name: IMAGE + type: string + - default: ./Dockerfile + description: Path to the Dockerfile to build. + name: DOCKERFILE + type: string + - default: . + description: Path to the directory to use as context. 
+ name: CONTEXT + type: string + - default: "true" + description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) + name: TLSVERIFY + type: string results: - - description: Digest of the image just built - name: IMAGE_DIGEST - - description: Image repository where the built image was pushed - name: IMAGE_URL - - description: Digests of the base images used for build - name: BASE_IMAGES_DIGESTS + - description: Digest of the image just built + name: IMAGE_DIGEST + - description: Image repository where the built image was pushed + name: IMAGE_URL + - description: Digests of the base images used for build + name: BASE_IMAGES_DIGESTS stepTemplate: env: - - name: STORAGE_DRIVER - value: vfs - - name: CONTEXT - value: $(params.CONTEXT) - - name: DOCKERFILE - value: $(params.DOCKERFILE) - - name: IMAGE - value: $(params.IMAGE) - - name: TLSVERIFY - value: $(params.TLSVERIFY) + - name: STORAGE_DRIVER + value: vfs + - name: CONTEXT + value: $(params.CONTEXT) + - name: DOCKERFILE + value: $(params.DOCKERFILE) + - name: IMAGE + value: $(params.IMAGE) + - name: TLSVERIFY + value: $(params.TLSVERIFY) steps: - - name: build - image: registry.access.redhat.com/ubi9/buildah@sha256:04fde77ea72c25b56efb3f71db809c5d7b09938130df2da9175a3c888b94043d - script: | - # Check if the Dockerfile exists - SOURCE_CODE_DIR=source - if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then - dockerfile_path="$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" - elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then - dockerfile_path="$SOURCE_CODE_DIR/$DOCKERFILE" - else - echo "Cannot find Dockerfile $DOCKERFILE" - exit 1 - fi - - # Build the image - buildah build \ - --tls-verify=$TLSVERIFY \ - --ulimit nofile=4096:4096 \ - -f "$dockerfile_path" -t $IMAGE $SOURCE_CODE_DIR/$CONTEXT - - # Push the image - buildah push \ - --tls-verify=$TLSVERIFY \ - --retry=5 \ - --digestfile /tmp/files/image-digest $IMAGE \ - docker://$IMAGE - - # Set task results - buildah images --format '{{ .Name 
}}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) - cat /tmp/files/image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) - - # Save the image so it can be used in the generate-sbom step - buildah push "$IMAGE" oci:/tmp/files/image - securityContext: - capabilities: - add: - # this is needed so that buildah can write to the mounted /var/lib/containers directory - - SETFCAP - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - mountPath: /tmp/files - name: tmpfiles - workingDir: $(workspaces.source.path) - - - name: generate-sboms - image: quay.io/redhat-appstudio/syft:v0.98.0@sha256:4d3856e6a2622700b9a9d5d74d9aaf5d8a55671653f80bf6c636677658680ede - script: | - syft dir:$(workspaces.source.path)/source --output cyclonedx-json@1.5=/tmp/files/sbom-source.json - syft oci-dir:/tmp/files/image --output cyclonedx-json@1.5=/tmp/files/sbom-image.json - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - mountPath: /tmp/files - name: tmpfiles - - - name: merge-sboms - image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f - script: | - #!/bin/python3 - import json - - ### load SBOMs ### - - with open("./sbom-image.json") as f: - image_sbom = json.load(f) - - with open("./sbom-source.json") as f: - source_sbom = json.load(f) - - - ### attempt to deduplicate components ### - - component_list = image_sbom.get("components", []) - existing_purls = [c["purl"] for c in component_list if "purl" in c] - - for component in source_sbom.get("components", []): - if "purl" in component: - if component["purl"] not in existing_purls: + - name: build + image: registry.access.redhat.com/ubi9/buildah@sha256:04fde77ea72c25b56efb3f71db809c5d7b09938130df2da9175a3c888b94043d + script: | + # Check if the Dockerfile exists + SOURCE_CODE_DIR=source + if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; 
then + dockerfile_path="$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" + elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then + dockerfile_path="$SOURCE_CODE_DIR/$DOCKERFILE" + else + echo "Cannot find Dockerfile $DOCKERFILE" + exit 1 + fi + + # Build the image + buildah build \ + --tls-verify=$TLSVERIFY \ + --ulimit nofile=4096:4096 \ + -f "$dockerfile_path" -t $IMAGE $SOURCE_CODE_DIR/$CONTEXT + + # Push the image + buildah push \ + --tls-verify=$TLSVERIFY \ + --retry=5 \ + --digestfile /tmp/files/image-digest $IMAGE \ + docker://$IMAGE + + # Set task results + buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) + cat /tmp/files/image-digest | tee $(results.IMAGE_DIGEST.path) + echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + + # Save the image so it can be used in the generate-sbom step + buildah push "$IMAGE" oci:/tmp/files/image + securityContext: + capabilities: + add: + # this is needed so that buildah can write to the mounted /var/lib/containers directory + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - mountPath: /tmp/files + name: tmpfiles + workingDir: $(workspaces.source.path) + - name: generate-sboms + image: quay.io/redhat-appstudio/syft:v0.98.0@sha256:4d3856e6a2622700b9a9d5d74d9aaf5d8a55671653f80bf6c636677658680ede + script: | + syft dir:$(workspaces.source.path)/source --output cyclonedx-json@1.5=/tmp/files/sbom-source.json + syft oci-dir:/tmp/files/image --output cyclonedx-json@1.5=/tmp/files/sbom-image.json + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - mountPath: /tmp/files + name: tmpfiles + - name: merge-sboms + image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f + script: | + #!/bin/python3 + import json + + ### load SBOMs ### + + with open("./sbom-image.json") as f: + image_sbom = json.load(f) + + with open("./sbom-source.json") as f: + 
source_sbom = json.load(f) + + + ### attempt to deduplicate components ### + + component_list = image_sbom.get("components", []) + existing_purls = [c["purl"] for c in component_list if "purl" in c] + + for component in source_sbom.get("components", []): + if "purl" in component: + if component["purl"] not in existing_purls: + component_list.append(component) + existing_purls.append(component["purl"]) + else: + # We won't try to deduplicate components that lack a purl. + # This should only happen with operating-system type components, + # which are only reported in the image SBOM. component_list.append(component) - existing_purls.append(component["purl"]) - else: - # We won't try to deduplicate components that lack a purl. - # This should only happen with operating-system type components, - # which are only reported in the image SBOM. - component_list.append(component) - - component_list.sort(key=lambda c: c["type"] + c["name"]) - image_sbom["components"] = component_list - - - ### write the CycloneDX unified SBOM ### - - with open("./sbom-cyclonedx.json", "w") as f: - json.dump(image_sbom, f, indent=4) - volumeMounts: - - mountPath: /tmp/files - name: tmpfiles - workingDir: /tmp/files - - - name: upload-sbom - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) - volumeMounts: - - mountPath: /tmp/files - name: tmpfiles - workingDir: /tmp/files + component_list.sort(key=lambda c: c["type"] + c["name"]) + image_sbom["components"] = component_list + + + ### write the CycloneDX unified SBOM ### + + with open("./sbom-cyclonedx.json", "w") as f: + json.dump(image_sbom, f, indent=4) + volumeMounts: + - mountPath: /tmp/files + name: tmpfiles + workingDir: /tmp/files + - name: upload-sbom + image: 
quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 + args: + - attach + - sbom + - --sbom + - sbom-cyclonedx.json + - --type + - cyclonedx + - $(params.IMAGE) + volumeMounts: + - mountPath: /tmp/files + name: tmpfiles + workingDir: /tmp/files volumes: - - emptyDir: {} - name: varlibcontainers - - emptyDir: {} - name: tmpfiles + - emptyDir: {} + name: varlibcontainers + - emptyDir: {} + name: tmpfiles workspaces: - - name: source - description: Workspace containing the source code to build. + - name: source + description: Workspace containing the source code to build. diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index fc0deaecf..ff41e8452 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml 
@@ -15,380 +15,371 @@ spec: When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. params: - - description: Reference of the image buildah will produce. - name: IMAGE - type: string - - default: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - description: The location of the buildah builder image. - name: BUILDER_IMAGE - type: string - - default: ./Dockerfile - description: Path to the Dockerfile to build. - name: DOCKERFILE - type: string - - default: . - description: Path to the directory to use as context. - name: CONTEXT - type: string - - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - name: TLSVERIFY - type: string - - description: unused, should be removed in next task version - name: DOCKER_AUTH - type: string - default: "" - - default: "false" - description: Determines if build will be executed without network access. - name: HERMETIC - type: string - - default: "" - description: In case it is not empty, the prefetched content should be made available to the build. - name: PREFETCH_INPUT - type: string - - default: "" - description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. 
- name: IMAGE_EXPIRES_AFTER - type: string - - name: COMMIT_SHA - description: The image is built from this commit. - type: string - default: "" - - name: YUM_REPOS_D_SRC - description: Path in the git repository in which yum repository files are stored - default: repos.d - - name: YUM_REPOS_D_FETCHED - description: Path in source workspace where dynamically-fetched repos are present - default: fetched.repos.d - - name: YUM_REPOS_D_TARGET - description: Target path on the container in which yum repository files should be made available - default: /etc/yum.repos.d - results: - - description: Digest of the image just built - name: IMAGE_DIGEST - - description: Image repository where the built image was pushed - name: IMAGE_URL - - description: Digests of the base images used for build - name: BASE_IMAGES_DIGESTS - - name: SBOM_JAVA_COMPONENTS_COUNT - description: The counting of Java components by publisher in JSON format - type: string - - name: JAVA_COMMUNITY_DEPENDENCIES - description: The Java dependencies that came from community sources such as Maven central. - stepTemplate: - env: - - name: BUILDAH_FORMAT - value: oci - - name: STORAGE_DRIVER - value: vfs - - name: HERMETIC - value: $(params.HERMETIC) - - name: PREFETCH_INPUT - value: $(params.PREFETCH_INPUT) - - name: CONTEXT - value: $(params.CONTEXT) - - name: DOCKERFILE - value: $(params.DOCKERFILE) - - name: IMAGE - value: $(params.IMAGE) - - name: TLSVERIFY - value: $(params.TLSVERIFY) - - name: IMAGE_EXPIRES_AFTER - value: $(params.IMAGE_EXPIRES_AFTER) + - description: Reference of the image buildah will produce. 
+ name: IMAGE + type: string + - default: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + description: The location of the buildah builder image. + name: BUILDER_IMAGE + type: string + - default: ./Dockerfile + description: Path to the Dockerfile to build. + name: DOCKERFILE + type: string + - default: . + description: Path to the directory to use as context. + name: CONTEXT + type: string + - default: "true" + description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) + name: TLSVERIFY + type: string + - description: unused, should be removed in next task version + name: DOCKER_AUTH + type: string + default: "" + - default: "false" + description: Determines if build will be executed without network access. + name: HERMETIC + type: string + - default: "" + description: In case it is not empty, the prefetched content should be made available to the build. + name: PREFETCH_INPUT + type: string + - default: "" + description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. + name: IMAGE_EXPIRES_AFTER + type: string + - name: COMMIT_SHA + description: The image is built from this commit. 
+ type: string + default: "" - name: YUM_REPOS_D_SRC - value: $(params.YUM_REPOS_D_SRC) + description: Path in the git repository in which yum repository files are stored + default: repos.d - name: YUM_REPOS_D_FETCHED - value: $(params.YUM_REPOS_D_FETCHED) + description: Path in source workspace where dynamically-fetched repos are present + default: fetched.repos.d - name: YUM_REPOS_D_TARGET - value: $(params.YUM_REPOS_D_TARGET) - steps: - - image: $(params.BUILDER_IMAGE) - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent; our default param above specifies a digest - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - name: build - computeResources: - limits: - memory: 4Gi - requests: - memory: 512Mi - cpu: 250m + description: Target path on the container in which yum repository files should be made available + default: /etc/yum.repos.d + results: + - description: Digest of the image just built + name: IMAGE_DIGEST + - description: Image repository where the built image was pushed + name: IMAGE_URL + - description: Digests of the base images used for build + name: BASE_IMAGES_DIGESTS + - name: SBOM_JAVA_COMPONENTS_COUNT + description: The counting of Java components by publisher in JSON format + type: string + - name: JAVA_COMMUNITY_DEPENDENCIES + description: The Java dependencies that came from community sources such as Maven central. 
+ stepTemplate: env: - - name: COMMIT_SHA - value: $(params.COMMIT_SHA) - script: | - SOURCE_CODE_DIR=source - if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then - dockerfile_path="$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" - elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then - dockerfile_path="$SOURCE_CODE_DIR/$DOCKERFILE" - elif echo "$DOCKERFILE" | grep -q "^https\?://"; then - echo "Fetch Dockerfile from $DOCKERFILE" - dockerfile_path=$(mktemp --suffix=-Dockerfile) - http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path" "$DOCKERFILE") - if [ $http_code != 200 ]; then - echo "No Dockerfile is fetched. Server responds $http_code" + - name: BUILDAH_FORMAT + value: oci + - name: STORAGE_DRIVER + value: vfs + - name: HERMETIC + value: $(params.HERMETIC) + - name: PREFETCH_INPUT + value: $(params.PREFETCH_INPUT) + - name: CONTEXT + value: $(params.CONTEXT) + - name: DOCKERFILE + value: $(params.DOCKERFILE) + - name: IMAGE + value: $(params.IMAGE) + - name: TLSVERIFY + value: $(params.TLSVERIFY) + - name: IMAGE_EXPIRES_AFTER + value: $(params.IMAGE_EXPIRES_AFTER) + - name: YUM_REPOS_D_SRC + value: $(params.YUM_REPOS_D_SRC) + - name: YUM_REPOS_D_FETCHED + value: $(params.YUM_REPOS_D_FETCHED) + - name: YUM_REPOS_D_TARGET + value: $(params.YUM_REPOS_D_TARGET) + steps: + - image: $(params.BUILDER_IMAGE) + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent; our default param above specifies a digest + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
+ name: build + computeResources: + limits: + memory: 4Gi + requests: + memory: 512Mi + cpu: 250m + env: + - name: COMMIT_SHA + value: $(params.COMMIT_SHA) + script: | + SOURCE_CODE_DIR=source + if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then + dockerfile_path="$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" + elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then + dockerfile_path="$SOURCE_CODE_DIR/$DOCKERFILE" + elif echo "$DOCKERFILE" | grep -q "^https\?://"; then + echo "Fetch Dockerfile from $DOCKERFILE" + dockerfile_path=$(mktemp --suffix=-Dockerfile) + http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path" "$DOCKERFILE") + if [ $http_code != 200 ]; then + echo "No Dockerfile is fetched. Server responds $http_code" + exit 1 + fi + http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path.dockerignore.tmp" "$DOCKERFILE.dockerignore") + if [ $http_code = 200 ]; then + echo "Fetched .dockerignore from $DOCKERFILE.dockerignore" + mv "$dockerfile_path.dockerignore.tmp" $SOURCE_CODE_DIR/$CONTEXT/.dockerignore + fi + else + echo "Cannot find Dockerfile $DOCKERFILE" exit 1 fi - http_code=$(curl -s -L -w "%{http_code}" --output "$dockerfile_path.dockerignore.tmp" "$DOCKERFILE.dockerignore") - if [ $http_code = 200 ]; then - echo "Fetched .dockerignore from $DOCKERFILE.dockerignore" - mv "$dockerfile_path.dockerignore.tmp" $SOURCE_CODE_DIR/$CONTEXT/.dockerignore + if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then + sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path" + touch /var/lib/containers/java fi - else - echo "Cannot find Dockerfile $DOCKERFILE" - exit 1 - fi - if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then - sed -i -e "s|^\s*RUN 
\(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path" - touch /var/lib/containers/java - fi - - # Fixing group permission on /var/lib/containers - chown root:root /var/lib/containers - - sed -i 's/^\s*short-name-mode\s*=\s*.*/short-name-mode = "disabled"/' /etc/containers/registries.conf - # Setting new namespace to run buildah - 2^32-2 - echo 'root:1:4294967294' | tee -a /etc/subuid >> /etc/subgid + # Fixing group permission on /var/lib/containers + chown root:root /var/lib/containers - if [ "${HERMETIC}" == "true" ]; then - BUILDAH_ARGS="--pull=never" - UNSHARE_ARGS="--net" - for image in $(grep -i '^\s*FROM' "$dockerfile_path" | sed 's/--platform=\S*//' | awk '{print $2}'); do - if [ "${image}" != "scratch" ]; then - unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image - fi - done - echo "Build will be executed with network isolation" - fi - - if [ -n "${PREFETCH_INPUT}" ]; then - cp -r cachi2 /tmp/ - chmod -R go+rwX /tmp/cachi2 - VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2" - sed -i 's|^\s*run |RUN . 
/cachi2/cachi2.env \&\& \\\n |i' "$dockerfile_path" - echo "Prefetched content will be made available" - fi - - # if yum repofiles stored in git, copy them to mount point outside the source dir - if [ -d "${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}" ]; then - mkdir -p ${YUM_REPOS_D_FETCHED} - cp -r ${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}/* ${YUM_REPOS_D_FETCHED} - fi - - # if anything in the repofiles mount point (either fetched or from git), mount it - if [ -d "${YUM_REPOS_D_FETCHED}" ]; then - chmod -R go+rwX ${YUM_REPOS_D_FETCHED} - mount_point=$(realpath ${YUM_REPOS_D_FETCHED}) - VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume ${mount_point}:${YUM_REPOS_D_TARGET}" - fi - - LABELS=( - "--label" "build-date=$(date -u +'%Y-%m-%dT%H:%M:%S')" - "--label" "architecture=$(uname -m)" - "--label" "vcs-type=git" - ) - [ -n "$COMMIT_SHA" ] && LABELS+=("--label" "vcs-ref=$COMMIT_SHA") - [ -n "$IMAGE_EXPIRES_AFTER" ] && LABELS+=("--label" "quay.expires-after=$IMAGE_EXPIRES_AFTER") - - unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah build \ - $VOLUME_MOUNTS \ - $BUILDAH_ARGS \ - ${LABELS[@]} \ - --tls-verify=$TLSVERIFY --no-cache \ - --ulimit nofile=4096:4096 \ - -f "$dockerfile_path" -t $IMAGE $SOURCE_CODE_DIR/$CONTEXT + sed -i 's/^\s*short-name-mode\s*=\s*.*/short-name-mode = "disabled"/' /etc/containers/registries.conf - container=$(buildah from --pull-never $IMAGE) - buildah mount $container | tee /workspace/container_path - echo $container > /workspace/container_name + # Setting new namespace to run buildah - 2^32-2 + echo 'root:1:4294967294' | tee -a /etc/subuid >> /etc/subgid - # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later - if [ -n "${PREFETCH_INPUT}" ]; then - cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json - fi - - # Expose base image digests - buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) - - securityContext: - 
capabilities: - add: - - SETFCAP - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - workingDir: $(workspaces.source.path) - - - name: sbom-syft-generate - image: quay.io/redhat-appstudio/syft:v0.98.0@sha256:4d3856e6a2622700b9a9d5d74d9aaf5d8a55671653f80bf6c636677658680ede - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - script: | - syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json - find $(cat /workspace/container_path) -xtype l -delete - syft dir:$(cat /workspace/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - name: analyse-dependencies-java-sbom - image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
- script: | - if [ -f /var/lib/containers/java ]; then - /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /workspace/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) - sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875 - else - touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path) - fi - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - securityContext: - runAsUser: 0 - - - name: merge-syft-sboms - image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
- script: | - #!/bin/python3 - import json - - # load SBOMs - with open("./sbom-image.json") as f: - image_sbom = json.load(f) - - with open("./sbom-source.json") as f: - source_sbom = json.load(f) - - # fetch unique components from available SBOMs - def get_identifier(component): - return component["name"] + '@' + component.get("version", "") - - image_sbom_components = image_sbom.get("components", []) - existing_components = [get_identifier(component) for component in image_sbom_components] - - source_sbom_components = source_sbom.get("components", []) - for component in source_sbom_components: - if get_identifier(component) not in existing_components: - image_sbom_components.append(component) - existing_components.append(get_identifier(component)) - - image_sbom_components.sort(key=lambda c: get_identifier(c)) - - # write the CycloneDX unified SBOM - with open("./sbom-cyclonedx.json", "w") as f: - json.dump(image_sbom, f, indent=4) - workingDir: $(workspaces.source.path) - securityContext: - runAsUser: 0 - - - name: merge-cachi2-sbom - image: quay.io/redhat-appstudio/cachi2:0.4.0@sha256:001acfbad47e132a90998d45076a0dbe0d8beacf0bec12b4d9a5aa796f4a9cad - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
- script: | - if [ -n "${PREFETCH_INPUT}" ]; then - echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" - /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json - mv sbom-temp.json sbom-cyclonedx.json - else - echo "Skipping step since no Cachi2 SBOM was produced" - fi - workingDir: $(workspaces.source.path) - securityContext: - runAsUser: 0 - - - name: create-purl-sbom - image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - script: | - #!/bin/python3 - import json - - with open("./sbom-cyclonedx.json") as f: - cyclonedx_sbom = json.load(f) - - purls = [{"purl": component["purl"]} for component in cyclonedx_sbom.get("components", []) if "purl" in component] - purl_content = {"image_contents": {"dependencies": purls}} - - with open("sbom-purl.json", "w") as output_file: - json.dump(purl_content, output_file, indent=4) - workingDir: $(workspaces.source.path) - securityContext: - runAsUser: 0 + if [ "${HERMETIC}" == "true" ]; then + BUILDAH_ARGS="--pull=never" + UNSHARE_ARGS="--net" + for image in $(grep -i '^\s*FROM' "$dockerfile_path" | sed 's/--platform=\S*//' | awk '{print $2}'); do + if [ "${image}" != "scratch" ]; then + unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image + fi + done + echo "Build will be executed with network isolation" + fi - - name: inject-sbom-and-push - image: $(params.BUILDER_IMAGE) - computeResources: {} - script: | - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations 
"org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) - container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container - buildah commit $container $IMAGE + if [ -n "${PREFETCH_INPUT}" ]; then + cp -r cachi2 /tmp/ + chmod -R go+rwX /tmp/cachi2 + VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2" + sed -i 's|^\s*run |RUN . /cachi2/cachi2.env \&\& \\\n |i' "$dockerfile_path" + echo "Prefetched content will be made available" + fi - status=-1 - max_run=5 - sleep_sec=10 - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - echo "Pushing sbom image to registry" - buildah push \ - --tls-verify=$TLSVERIFY \ - --digestfile $(workspaces.source.path)/image-digest $IMAGE \ - docker://$IMAGE && break || status=$? 
- done - if [ "$status" -ne 0 ]; then - echo "Failed to push sbom image to registry after ${max_run} tries" - exit 1 - fi + # if yum repofiles stored in git, copy them to mount point outside the source dir + if [ -d "${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}" ]; then + mkdir -p ${YUM_REPOS_D_FETCHED} + cp -r ${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}/* ${YUM_REPOS_D_FETCHED} + fi - cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + # if anything in the repofiles mount point (either fetched or from git), mount it + if [ -d "${YUM_REPOS_D_FETCHED}" ]; then + chmod -R go+rwX ${YUM_REPOS_D_FETCHED} + mount_point=$(realpath ${YUM_REPOS_D_FETCHED}) + VOLUME_MOUNTS="${VOLUME_MOUNTS} --volume ${mount_point}:${YUM_REPOS_D_TARGET}" + fi - securityContext: - runAsUser: 0 - capabilities: - add: - - SETFCAP - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - workingDir: $(workspaces.source.path) + LABELS=( + "--label" "build-date=$(date -u +'%Y-%m-%dT%H:%M:%S')" + "--label" "architecture=$(uname -m)" + "--label" "vcs-type=git" + ) + [ -n "$COMMIT_SHA" ] && LABELS+=("--label" "vcs-ref=$COMMIT_SHA") + [ -n "$IMAGE_EXPIRES_AFTER" ] && LABELS+=("--label" "quay.expires-after=$IMAGE_EXPIRES_AFTER") + + unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah build \ + $VOLUME_MOUNTS \ + $BUILDAH_ARGS \ + ${LABELS[@]} \ + --tls-verify=$TLSVERIFY --no-cache \ + --ulimit nofile=4096:4096 \ + -f "$dockerfile_path" -t $IMAGE $SOURCE_CODE_DIR/$CONTEXT + + container=$(buildah from --pull-never $IMAGE) + buildah mount $container | tee /workspace/container_path + echo $container > /workspace/container_name + + # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later + if [ -n "${PREFETCH_INPUT}" ]; then + cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json + fi - - name: upload-sbom - image: 
quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) - workingDir: $(workspaces.source.path) + # Expose base image digests + buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) + securityContext: + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + workingDir: $(workspaces.source.path) + - name: sbom-syft-generate + image: quay.io/redhat-appstudio/syft:v0.98.0@sha256:4d3856e6a2622700b9a9d5d74d9aaf5d8a55671653f80bf6c636677658680ede + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
+ script: | + syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json + find $(cat /workspace/container_path) -xtype l -delete + syft dir:$(cat /workspace/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - name: analyse-dependencies-java-sbom + image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + script: | + if [ -f /var/lib/containers/java ]; then + /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /workspace/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) + sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875 + else + touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path) + fi + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + securityContext: + runAsUser: 0 + - name: merge-syft-sboms + image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
+ script: | + #!/bin/python3 + import json + + # load SBOMs + with open("./sbom-image.json") as f: + image_sbom = json.load(f) + + with open("./sbom-source.json") as f: + source_sbom = json.load(f) + + # fetch unique components from available SBOMs + def get_identifier(component): + return component["name"] + '@' + component.get("version", "") + + image_sbom_components = image_sbom.get("components", []) + existing_components = [get_identifier(component) for component in image_sbom_components] + + source_sbom_components = source_sbom.get("components", []) + for component in source_sbom_components: + if get_identifier(component) not in existing_components: + image_sbom_components.append(component) + existing_components.append(get_identifier(component)) + + image_sbom_components.sort(key=lambda c: get_identifier(c)) + + # write the CycloneDX unified SBOM + with open("./sbom-cyclonedx.json", "w") as f: + json.dump(image_sbom, f, indent=4) + workingDir: $(workspaces.source.path) + securityContext: + runAsUser: 0 + - name: merge-cachi2-sbom + image: quay.io/redhat-appstudio/cachi2:0.4.0@sha256:001acfbad47e132a90998d45076a0dbe0d8beacf0bec12b4d9a5aa796f4a9cad + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
+ script: | + if [ -n "${PREFETCH_INPUT}" ]; then + echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" + /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json + mv sbom-temp.json sbom-cyclonedx.json + else + echo "Skipping step since no Cachi2 SBOM was produced" + fi + workingDir: $(workspaces.source.path) + securityContext: + runAsUser: 0 + - name: create-purl-sbom + image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + script: | + #!/bin/python3 + import json + + with open("./sbom-cyclonedx.json") as f: + cyclonedx_sbom = json.load(f) + + purls = [{"purl": component["purl"]} for component in cyclonedx_sbom.get("components", []) if "purl" in component] + purl_content = {"image_contents": {"dependencies": purls}} + + with open("sbom-purl.json", "w") as output_file: + json.dump(purl_content, output_file, indent=4) + workingDir: $(workspaces.source.path) + securityContext: + runAsUser: 0 + - name: inject-sbom-and-push + image: $(params.BUILDER_IMAGE) + computeResources: {} + script: | + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') + base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) + container=$(buildah from --pull-never $IMAGE) + buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + buildah config -a org.opencontainers.image.base.name=${base_image_name} -a 
org.opencontainers.image.base.digest=${base_image_digest} $container + buildah commit $container $IMAGE + + status=-1 + max_run=5 + sleep_sec=10 + for run in $(seq 1 $max_run); do + status=0 + [ "$run" -gt 1 ] && sleep $sleep_sec + echo "Pushing sbom image to registry" + buildah push \ + --tls-verify=$TLSVERIFY \ + --digestfile $(workspaces.source.path)/image-digest $IMAGE \ + docker://$IMAGE && break || status=$? + done + if [ "$status" -ne 0 ]; then + echo "Failed to push sbom image to registry after ${max_run} tries" + exit 1 + fi + cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) + echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + securityContext: + runAsUser: 0 + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + workingDir: $(workspaces.source.path) + - name: upload-sbom + image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + args: + - attach + - sbom + - --sbom + - sbom-cyclonedx.json + - --type + - cyclonedx + - $(params.IMAGE) + workingDir: $(workspaces.source.path) volumes: - - emptyDir: {} - name: varlibcontainers + - emptyDir: {} + name: varlibcontainers workspaces: - - name: source - description: Workspace containing the source code to build. + - name: source + description: Workspace containing the source code to build. diff --git a/task/buildah/0.1/kustomization.yaml b/task/buildah/0.1/kustomization.yaml index 6a3c230a1..8e4e2bb43 100644 --- a/task/buildah/0.1/kustomization.yaml +++ b/task/buildah/0.1/kustomization.yaml 
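Review bot: The hunk shrinks the task from 380 to 371 lines (`@@ -15,380 +15,371 @@`), and for a task whose steps are `script: |` literal blocks that is worth confirming mechanically rather than by eye, because a blank line inside a literal block is content while one between steps is not. From what is visible the dropped lines are the separators between `- name:` step entries (e.g. the gap before `- name: sbom-syft-generate`) and the blank lines inside the build script survive (`fi` followed by an empty line before `# Fixing group permission`), but the collapsed hunk makes that hard to be certain of; loading the old and new files with a YAML parser and comparing the resulting documents would settle it. Separately, while this step is being touched: the Dockerfile fetch branch accepts cleartext as well as TLS (`elif echo "$DOCKERFILE" | grep -q "^https\?://"; then`), so a build recipe can be pulled over `http://` with no integrity protection; tightening it to `grep -q "^https://"` is a one-line hardening, with the `curl -L` redirect following and the `.dockerignore` companion fetch inheriting the same restriction.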
@@ -1,5 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization - resources: -- buildah.yaml + - buildah.yaml diff --git a/task/clair-scan/0.1/clair-scan.yaml b/task/clair-scan/0.1/clair-scan.yaml index f31e426f8..1cd670c5d 100644 --- a/task/clair-scan/0.1/clair-scan.yaml +++ b/task/clair-scan/0.1/clair-scan.yaml @@ -1,4 +1,3 @@ ---- apiVersion: tekton.dev/v1 kind: Task metadata: @@ -26,7 +25,7 @@ spec: description: Clair scan result. steps: - name: get-vulnerabilities - image: quay.io/redhat-appstudio/clair-in-ci:v1 # explicit floating tag, daily updates, per arch call this is exempt for now for use of image digest + image: quay.io/redhat-appstudio/clair-in-ci:v1 # explicit floating tag, daily updates, per arch call this is exempt for now for use of image digest imagePullPolicy: Always env: - name: IMAGE_URL diff --git a/task/clamav-scan/0.1/clamav-scan.yaml b/task/clamav-scan/0.1/clamav-scan.yaml index 6bf1ac82a..a70281b1f 100644 --- a/task/clamav-scan/0.1/clamav-scan.yaml +++ b/task/clamav-scan/0.1/clamav-scan.yaml @@ -21,7 +21,6 @@ spec: - name: docker-auth description: unused default: "" - steps: - name: extract-and-scan-image image: quay.io/redhat-appstudio/hacbs-test:v1.1.9@sha256:866675ee3064cf4768691ecca478063ce12f0556fb9d4f24ca95c98664ffbd43 @@ -178,7 +177,7 @@ spec: # provides latest virus database for clamscan only # does not execute anything sidecars: - - image: quay.io/redhat-appstudio/clamav-db:v1 # explicit floating tag, daily updates, per arch call this is exempt for now for use of image digest + - image: quay.io/redhat-appstudio/clamav-db:v1 # explicit floating tag, daily updates, per arch call this is exempt for now for use of image digest imagePullPolicy: Always name: database script: | diff --git a/task/deprecated-image-check/0.1/deprecated-image-check.yaml b/task/deprecated-image-check/0.1/deprecated-image-check.yaml index c86d9f349..0df041a15 100644 --- a/task/deprecated-image-check/0.1/deprecated-image-check.yaml 
+++ b/task/deprecated-image-check/0.1/deprecated-image-check.yaml @@ -9,8 +9,7 @@ metadata: name: deprecated-image-check spec: description: >- - Identifies the unmaintained and potentially insecure deprecated base images. - Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata. + Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata. params: - name: POLICY_DIR description: Path to directory containing Conftest policies. @@ -20,13 +19,11 @@ spec: default: "required_checks" - name: BASE_IMAGES_DIGESTS description: Digests of base build images. - results: - name: PYXIS_HTTP_CODE description: HTTP code returned by Pyxis API endpoint. - description: Tekton task test output. name: TEST_OUTPUT - steps: # Download Pyxis metadata about the image - name: query-pyxis @@ -58,7 +55,6 @@ spec: echo "Response code: $http_code." echo $http_code $IMAGE_REGISTRY $IMAGE_REPOSITORY>> $(results.PYXIS_HTTP_CODE.path) done - # Run the tests and save output - name: run-conftest image: quay.io/redhat-appstudio/hacbs-test:v1.1.9@sha256:866675ee3064cf4768691ecca478063ce12f0556fb9d4f24ca95c98664ffbd43 @@ -119,6 +115,5 @@ spec: -s "${success_counter}" -f "${failure_counter}" -t "$note") fi echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path) - workspaces: - name: test-ws diff --git a/task/deprecated-image-check/0.2/deprecated-image-check.yaml b/task/deprecated-image-check/0.2/deprecated-image-check.yaml index 0485a54f4..97a6076b9 100644 --- a/task/deprecated-image-check/0.2/deprecated-image-check.yaml +++ b/task/deprecated-image-check/0.2/deprecated-image-check.yaml 
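Review bot: The `>-` description on the new side of the `@@ -9,8 +9,7 @@` hunk is collapsed from two wrapped lines into a single line of well over 100 characters; the folded value is byte-identical, so this is purely a readability and diffability regression in how the new code is written. The same collapse appears in the `@@ -9,8 +9,7 @@` hunks of deprecated-image-check 0.2 and 0.3, in fbc-validation, and in inspect-image. If yamlfmt produced this, its basic formatter has a `retain_line_breaks: true` option that can be set in the yamlfmt configuration file so indentation is still normalised but the original wrapping inside block scalars is kept; otherwise the wrapped form should be restored by hand, since the new format check would otherwise keep rewriting it.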
@@ -9,8 +9,7 @@ metadata: name: deprecated-image-check spec: description: >- - Identifies the unmaintained and potentially insecure deprecated base images. - Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata. + Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata. params: - name: POLICY_DIR description: Path to directory containing Conftest policies. @@ -20,13 +19,11 @@ spec: default: "required_checks" - name: BASE_IMAGES_DIGESTS description: Digests of base build images. - results: - name: PYXIS_HTTP_CODE description: HTTP code returned by Pyxis API endpoint. - description: Tekton task test output. name: TEST_OUTPUT - steps: # Download Pyxis metadata about the image - name: query-pyxis @@ -58,7 +55,6 @@ spec: echo "Response code: $http_code." echo $http_code $IMAGE_REGISTRY $IMAGE_REPOSITORY>> $(results.PYXIS_HTTP_CODE.path) done - # Run the tests and save output - name: run-conftest image: quay.io/redhat-appstudio/hacbs-test:v1.1.9@sha256:866675ee3064cf4768691ecca478063ce12f0556fb9d4f24ca95c98664ffbd43 @@ -119,6 +115,5 @@ spec: -s "${success_counter}" -f "${failure_counter}" -t "$note") fi echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path) - workspaces: - name: test-ws diff --git a/task/deprecated-image-check/0.3/deprecated-image-check.yaml b/task/deprecated-image-check/0.3/deprecated-image-check.yaml index f2487b30c..35cada9f7 100644 --- a/task/deprecated-image-check/0.3/deprecated-image-check.yaml +++ b/task/deprecated-image-check/0.3/deprecated-image-check.yaml 
@@ -9,8 +9,7 @@ metadata: name: deprecated-image-check spec: description: >- - Identifies the unmaintained and potentially insecure deprecated base images. - Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata. + Identifies the unmaintained and potentially insecure deprecated base images. Pyxis API collects metadata from image repository, and Conftest applies supplied policy to identify the deprecated images using that metadata. params: - name: POLICY_DIR description: Path to directory containing Conftest policies. @@ -20,13 +19,11 @@ spec: default: "required_checks" - name: BASE_IMAGES_DIGESTS description: Digests of base build images. - results: - name: PYXIS_HTTP_CODE description: HTTP code returned by Pyxis API endpoint. - description: Tekton task test output. name: TEST_OUTPUT - steps: - name: check-images image: quay.io/redhat-appstudio/hacbs-test:v1.1.9@sha256:866675ee3064cf4768691ecca478063ce12f0556fb9d4f24ca95c98664ffbd43 diff --git a/task/fbc-validation/0.1/fbc-validation.yaml b/task/fbc-validation/0.1/fbc-validation.yaml index 75b47e577..d7d919908 100644 --- a/task/fbc-validation/0.1/fbc-validation.yaml +++ b/task/fbc-validation/0.1/fbc-validation.yaml 
@@ -9,9 +9,7 @@ metadata: name: fbc-validation spec: description: >- - Ensures file-based catalog (FBC) components are uniquely linted for proper construction as part of build pipeline. - The manifest data of container images obtained previously (via Skopeo) from inspect-image task is checked using OpenShift Operator Framework's opm CLI tool. - The opm binary is extracted from the container's base image, which must come from a trusted source. + Ensures file-based catalog (FBC) components are uniquely linted for proper construction as part of build pipeline. The manifest data of container images obtained previously (via Skopeo) from inspect-image task is checked using OpenShift Operator Framework's opm CLI tool. The opm binary is extracted from the container's base image, which must come from a trusted source. params: - name: IMAGE_URL description: Fully qualified image name. diff --git a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml index b8e90d046..395f07d16 100644 --- a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml +++ b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml @@ -1,4 +1,3 @@ ---- apiVersion: tekton.dev/v1beta1 kind: Task metadata: diff --git a/task/generate-odcs-compose/0.1/kustomization.yaml b/task/generate-odcs-compose/0.1/kustomization.yaml index b1202e1ca..ccfd85cb3 100644 --- a/task/generate-odcs-compose/0.1/kustomization.yaml +++ b/task/generate-odcs-compose/0.1/kustomization.yaml @@ -1,5 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization - resources: -- generate-odcs-compose.yaml + - generate-odcs-compose.yaml diff --git a/task/git-clone/0.1/git-clone.yaml b/task/git-clone/0.1/git-clone.yaml index 3beaec3fc..b4e72cb5e 100644 --- a/task/git-clone/0.1/git-clone.yaml +++ b/task/git-clone/0.1/git-clone.yaml 
@@ -14,263 +14,262 @@ spec: description: |- The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace. params: - - description: Repository URL to clone from. - name: url - type: string - - default: "" - description: Revision to checkout. (branch, tag, sha, ref, etc...) - name: revision - type: string - - default: "" - description: Refspec to fetch before checking out revision. - name: refspec - type: string - - default: "true" - description: Initialize and fetch git submodules. - name: submodules - type: string - - default: "1" - description: Perform a shallow clone, fetching only the most recent N commits. - name: depth - type: string - - default: "true" - description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. - name: sslVerify - type: string - - default: "source" - description: Subdirectory inside the `output` Workspace to clone the repo into. - name: subdirectory - type: string - - default: "" - description: Define the directory patterns to match or exclude when performing a sparse checkout. - name: sparseCheckoutDirectories - type: string - - default: "true" - description: Clean out the contents of the destination directory if it already exists before cloning. - name: deleteExisting - type: string - - default: "" - description: HTTP proxy server for non-SSL requests. - name: httpProxy - type: string - - default: "" - description: HTTPS proxy server for SSL requests. - name: httpsProxy - type: string - - default: "" - description: Opt out of proxying HTTP/HTTPS requests. - name: noProxy - type: string - - default: "true" - description: Log the commands that are executed during `git-clone`'s operation. 
- name: verbose - type: string - - default: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8:v1.8.2-8@sha256:a538c423e7a11aae6ae582a411fdb090936458075f99af4ce5add038bb6983e8 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - description: The image providing the git-init binary that this Task runs. - name: gitInitImage - type: string - - default: /tekton/home - description: | - Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user or have overridden - the gitInitImage param with an image containing custom user configuration. - name: userHome - type: string - - default: "true" - description: | - Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. - name: enableSymlinkCheck - type: string - - default: "false" - description: Fetch all tags for the repo. - name: fetchTags - type: string + - description: Repository URL to clone from. + name: url + type: string + - default: "" + description: Revision to checkout. (branch, tag, sha, ref, etc...) + name: revision + type: string + - default: "" + description: Refspec to fetch before checking out revision. + name: refspec + type: string + - default: "true" + description: Initialize and fetch git submodules. + name: submodules + type: string + - default: "1" + description: Perform a shallow clone, fetching only the most recent N commits. + name: depth + type: string + - default: "true" + description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. + name: sslVerify + type: string + - default: "source" + description: Subdirectory inside the `output` Workspace to clone the repo into. + name: subdirectory + type: string + - default: "" + description: Define the directory patterns to match or exclude when performing a sparse checkout. 
+ name: sparseCheckoutDirectories + type: string + - default: "true" + description: Clean out the contents of the destination directory if it already exists before cloning. + name: deleteExisting + type: string + - default: "" + description: HTTP proxy server for non-SSL requests. + name: httpProxy + type: string + - default: "" + description: HTTPS proxy server for SSL requests. + name: httpsProxy + type: string + - default: "" + description: Opt out of proxying HTTP/HTTPS requests. + name: noProxy + type: string + - default: "true" + description: Log the commands that are executed during `git-clone`'s operation. + name: verbose + type: string + - default: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8:v1.8.2-8@sha256:a538c423e7a11aae6ae582a411fdb090936458075f99af4ce5add038bb6983e8 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + description: The image providing the git-init binary that this Task runs. + name: gitInitImage + type: string + - default: /tekton/home + description: | + Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user or have overridden + the gitInitImage param with an image containing custom user configuration. + name: userHome + type: string + - default: "true" + description: | + Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. + name: enableSymlinkCheck + type: string + - default: "false" + description: Fetch all tags for the repo. + name: fetchTags + type: string results: - - description: The precise commit SHA that was fetched by this Task. - name: commit - - description: The precise URL that was fetched by this Task. - name: url + - description: The precise commit SHA that was fetched by this Task. + name: commit + - description: The precise URL that was fetched by this Task. 
+ name: url steps: - - name: clone - env: - - name: HOME - value: $(params.userHome) - - name: PARAM_URL - value: $(params.url) - - name: PARAM_REVISION - value: $(params.revision) - - name: PARAM_REFSPEC - value: $(params.refspec) - - name: PARAM_SUBMODULES - value: $(params.submodules) - - name: PARAM_DEPTH - value: $(params.depth) - - name: PARAM_SSL_VERIFY - value: $(params.sslVerify) - - name: PARAM_SUBDIRECTORY - value: $(params.subdirectory) - - name: PARAM_DELETE_EXISTING - value: $(params.deleteExisting) - - name: PARAM_HTTP_PROXY - value: $(params.httpProxy) - - name: PARAM_HTTPS_PROXY - value: $(params.httpsProxy) - - name: PARAM_NO_PROXY - value: $(params.noProxy) - - name: PARAM_VERBOSE - value: $(params.verbose) - - name: PARAM_SPARSE_CHECKOUT_DIRECTORIES - value: $(params.sparseCheckoutDirectories) - - name: PARAM_USER_HOME - value: $(params.userHome) - - name: PARAM_FETCH_TAGS - value: $(params.fetchTags) - - name: WORKSPACE_OUTPUT_PATH - value: $(workspaces.output.path) - - name: WORKSPACE_SSH_DIRECTORY_BOUND - value: $(workspaces.ssh-directory.bound) - - name: WORKSPACE_SSH_DIRECTORY_PATH - value: $(workspaces.ssh-directory.path) - - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND - value: $(workspaces.basic-auth.bound) - - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH - value: $(workspaces.basic-auth.path) - image: $(params.gitInitImage) - computeResources: {} - securityContext: - runAsUser: 0 - script: | - #!/usr/bin/env sh - set -eu + - name: clone + env: + - name: HOME + value: $(params.userHome) + - name: PARAM_URL + value: $(params.url) + - name: PARAM_REVISION + value: $(params.revision) + - name: PARAM_REFSPEC + value: $(params.refspec) + - name: PARAM_SUBMODULES + value: $(params.submodules) + - name: PARAM_DEPTH + value: $(params.depth) + - name: PARAM_SSL_VERIFY + value: $(params.sslVerify) + - name: PARAM_SUBDIRECTORY + value: $(params.subdirectory) + - name: PARAM_DELETE_EXISTING + value: $(params.deleteExisting) + - name: PARAM_HTTP_PROXY + 
value: $(params.httpProxy) + - name: PARAM_HTTPS_PROXY + value: $(params.httpsProxy) + - name: PARAM_NO_PROXY + value: $(params.noProxy) + - name: PARAM_VERBOSE + value: $(params.verbose) + - name: PARAM_SPARSE_CHECKOUT_DIRECTORIES + value: $(params.sparseCheckoutDirectories) + - name: PARAM_USER_HOME + value: $(params.userHome) + - name: PARAM_FETCH_TAGS + value: $(params.fetchTags) + - name: WORKSPACE_OUTPUT_PATH + value: $(workspaces.output.path) + - name: WORKSPACE_SSH_DIRECTORY_BOUND + value: $(workspaces.ssh-directory.bound) + - name: WORKSPACE_SSH_DIRECTORY_PATH + value: $(workspaces.ssh-directory.path) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND + value: $(workspaces.basic-auth.bound) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH + value: $(workspaces.basic-auth.path) + image: $(params.gitInitImage) + computeResources: {} + securityContext: + runAsUser: 0 + script: | + #!/usr/bin/env sh + set -eu - if [ "${PARAM_VERBOSE}" = "true" ] ; then - set -x - fi - - if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then - if [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" ]; then - cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials" - cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig" - # Compatibility with kubernetes.io/basic-auth secrets - elif [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username" ] && [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password" ]; then - HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}') - echo "https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME" > "${PARAM_USER_HOME}/.git-credentials" - echo -e "[credential \"https://$HOSTNAME\"]\n helper = store" > "${PARAM_USER_HOME}/.gitconfig" - else - echo "Unknown basic-auth workspace format" - exit 1 + if [ "${PARAM_VERBOSE}" = "true" ] ; then + 
set -x fi - chmod 400 "${PARAM_USER_HOME}/.git-credentials" - chmod 400 "${PARAM_USER_HOME}/.gitconfig" - fi - - if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then - cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh - chmod 700 "${PARAM_USER_HOME}"/.ssh - chmod -R 400 "${PARAM_USER_HOME}"/.ssh/* - fi - CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}" + if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then + if [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" ]; then + cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials" + cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig" + # Compatibility with kubernetes.io/basic-auth secrets + elif [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username" ] && [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password" ]; then + HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}') + echo "https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME" > "${PARAM_USER_HOME}/.git-credentials" + echo -e "[credential \"https://$HOSTNAME\"]\n helper = store" > "${PARAM_USER_HOME}/.gitconfig" + else + echo "Unknown basic-auth workspace format" + exit 1 + fi + chmod 400 "${PARAM_USER_HOME}/.git-credentials" + chmod 400 "${PARAM_USER_HOME}/.gitconfig" + fi - cleandir() { - # Delete any existing contents of the repo directory if it exists. - # - # We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/" - # or the root of a mounted volume. - if [ -d "${CHECKOUT_DIR}" ] ; then - # Delete non-hidden files and directories - rm -rf "${CHECKOUT_DIR:?}"/* - # Delete files and directories starting with . but excluding .. - rm -rf "${CHECKOUT_DIR}"/.[!.]* - # Delete files and directories starting with .. 
plus any other character - rm -rf "${CHECKOUT_DIR}"/..?* + if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then + cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh + chmod 700 "${PARAM_USER_HOME}"/.ssh + chmod -R 400 "${PARAM_USER_HOME}"/.ssh/* fi - } - if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then - cleandir - fi + CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}" - test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}" - test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}" - test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}" + cleandir() { + # Delete any existing contents of the repo directory if it exists. + # + # We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/" + # or the root of a mounted volume. + if [ -d "${CHECKOUT_DIR}" ] ; then + # Delete non-hidden files and directories + rm -rf "${CHECKOUT_DIR:?}"/* + # Delete files and directories starting with . but excluding .. + rm -rf "${CHECKOUT_DIR}"/.[!.]* + # Delete files and directories starting with .. plus any other character + rm -rf "${CHECKOUT_DIR}"/..?* + fi + } - /ko-app/git-init \ - -url="${PARAM_URL}" \ - -revision="${PARAM_REVISION}" \ - -refspec="${PARAM_REFSPEC}" \ - -path="${CHECKOUT_DIR}" \ - -sslVerify="${PARAM_SSL_VERIFY}" \ - -submodules="${PARAM_SUBMODULES}" \ - -depth="${PARAM_DEPTH}" \ - -sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}" - cd "${CHECKOUT_DIR}" - RESULT_SHA="$(git rev-parse HEAD)" - EXIT_CODE="$?" 
- if [ "${EXIT_CODE}" != 0 ] ; then - exit "${EXIT_CODE}" - fi - printf "%s" "${RESULT_SHA}" > "$(results.commit.path)" - printf "%s" "${PARAM_URL}" > "$(results.url.path)" + if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then + cleandir + fi - if [ "${PARAM_FETCH_TAGS}" = "true" ] ; then - echo "Fetching tags" - git fetch --tags - fi + test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}" + test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}" + test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}" - - name: symlink-check - image: registry.redhat.io/ubi9:9.2-696@sha256:089bd3b82a78ac45c0eed231bb58bfb43bfcd0560d9bba240fc6355502c92976 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - env: - - name: PARAM_ENABLE_SYMLINK_CHECK - value: $(params.enableSymlinkCheck) - - name: PARAM_SUBDIRECTORY - value: $(params.subdirectory) - - name: WORKSPACE_OUTPUT_PATH - value: $(workspaces.output.path) - computeResources: {} - script: | - #!/usr/bin/env bash - set -euo pipefail + /ko-app/git-init \ + -url="${PARAM_URL}" \ + -revision="${PARAM_REVISION}" \ + -refspec="${PARAM_REFSPEC}" \ + -path="${CHECKOUT_DIR}" \ + -sslVerify="${PARAM_SSL_VERIFY}" \ + -submodules="${PARAM_SUBMODULES}" \ + -depth="${PARAM_DEPTH}" \ + -sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}" + cd "${CHECKOUT_DIR}" + RESULT_SHA="$(git rev-parse HEAD)" + EXIT_CODE="$?" 
+ if [ "${EXIT_CODE}" != 0 ] ; then + exit "${EXIT_CODE}" + fi + printf "%s" "${RESULT_SHA}" > "$(results.commit.path)" + printf "%s" "${PARAM_URL}" > "$(results.url.path)" - CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}" - check_symlinks() { - FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false - while read symlink - do - target=$(readlink -f "$symlink") - if ! [[ "$target" =~ ^$CHECKOUT_DIR ]]; then - echo "The cloned repository contains symlink pointing outside of the cloned repository: $symlink" - FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true - fi - done < <(find $CHECKOUT_DIR -type l -print) - if [ "$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO" = true ] ; then - return 1 + if [ "${PARAM_FETCH_TAGS}" = "true" ] ; then + echo "Fetching tags" + git fetch --tags fi - } + - name: symlink-check + image: registry.redhat.io/ubi9:9.2-696@sha256:089bd3b82a78ac45c0eed231bb58bfb43bfcd0560d9bba240fc6355502c92976 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + env: + - name: PARAM_ENABLE_SYMLINK_CHECK + value: $(params.enableSymlinkCheck) + - name: PARAM_SUBDIRECTORY + value: $(params.subdirectory) + - name: WORKSPACE_OUTPUT_PATH + value: $(workspaces.output.path) + computeResources: {} + script: | + #!/usr/bin/env bash + set -euo pipefail - if [ "${PARAM_ENABLE_SYMLINK_CHECK}" = "true" ] ; then - echo "Running symlink check" - check_symlinks - fi + CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}" + check_symlinks() { + FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false + while read symlink + do + target=$(readlink -f "$symlink") + if ! 
[[ "$target" =~ ^$CHECKOUT_DIR ]]; then + echo "The cloned repository contains symlink pointing outside of the cloned repository: $symlink" + FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true + fi + done < <(find $CHECKOUT_DIR -type l -print) + if [ "$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO" = true ] ; then + return 1 + fi + } + + if [ "${PARAM_ENABLE_SYMLINK_CHECK}" = "true" ] ; then + echo "Running symlink check" + check_symlinks + fi workspaces: - - description: The git repo will be cloned onto the volume backing this Workspace. - name: output - - description: | - A .ssh directory with private key, known_hosts, config, etc. Copied to - the user's home before git commands are executed. Used to authenticate - with the git remote when performing the clone. Binding a Secret to this - Workspace is strongly recommended over other volume types. - name: ssh-directory - optional: true - - description: | - A Workspace containing a .gitconfig and .git-credentials file or username and password. - These will be copied to the user's home before any git commands are run. Any - other files in this Workspace are ignored. It is strongly recommended - to use ssh-directory over basic-auth whenever possible and to bind a - Secret to this Workspace over other volume types. - name: basic-auth - optional: true + - description: The git repo will be cloned onto the volume backing this Workspace. + name: output + - description: | + A .ssh directory with private key, known_hosts, config, etc. Copied to + the user's home before git commands are executed. Used to authenticate + with the git remote when performing the clone. Binding a Secret to this + Workspace is strongly recommended over other volume types. + name: ssh-directory + optional: true + - description: | + A Workspace containing a .gitconfig and .git-credentials file or username and password. + These will be copied to the user's home before any git commands are run. Any + other files in this Workspace are ignored. 
It is strongly recommended + to use ssh-directory over basic-auth whenever possible and to bind a + Secret to this Workspace over other volume types. + name: basic-auth + optional: true diff --git a/task/init/0.1/init.yaml b/task/init/0.1/init.yaml index a1473bcfd..9bf9e33dd 100644 --- a/task/init/0.1/init.yaml +++ b/task/init/0.1/init.yaml @@ -33,7 +33,6 @@ spec: description: Defines if the image in param image-url should be built - name: container-registry-secret description: unused, should be removed in next task version - steps: - name: init image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:73df37794ffff7de1101016c23dc623e4990810390ebdabcbbfa065214352c7c diff --git a/task/init/0.2/init.yaml b/task/init/0.2/init.yaml index e6dd5c9a1..5958277f1 100644 --- a/task/init/0.2/init.yaml +++ b/task/init/0.2/init.yaml @@ -22,7 +22,6 @@ spec: results: - name: build description: Defines if the image in param image-url should be built - steps: - name: init image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:73df37794ffff7de1101016c23dc623e4990810390ebdabcbbfa065214352c7c diff --git a/task/inspect-image/0.1/inspect-image.yaml b/task/inspect-image/0.1/inspect-image.yaml index 1354d0f5e..27d2308ef 100644 --- a/task/inspect-image/0.1/inspect-image.yaml +++ b/task/inspect-image/0.1/inspect-image.yaml @@ -1,4 +1,3 @@ ---- apiVersion: tekton.dev/v1beta1 kind: Task metadata: 
@@ -10,8 +9,7 @@ metadata: name: inspect-image spec: description: >- - Inspects and analyzes manifest data of the container's source image, and its base image (if available) using Skopeo. - An image's manifest data contains information about the layers that make up the image, the platforms for which the image is intended, and other metadata about the image. + Inspects and analyzes manifest data of the container's source image, and its base image (if available) using Skopeo. An image's manifest data contains information about the layers that make up the image, the platforms for which the image is intended, and other metadata about the image. params: - name: IMAGE_URL description: Fully qualified image name. 
@@ -32,115 +30,114 @@ spec: workspaces: - name: source steps: - - name: inspect-image - image: quay.io/redhat-appstudio/hacbs-test:v1.1.9@sha256:866675ee3064cf4768691ecca478063ce12f0556fb9d4f24ca95c98664ffbd43 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - workingDir: $(workspaces.source.path)/hacbs/$(context.task.name) - securityContext: - runAsUser: 0 - capabilities: - add: - - SETFCAP - env: - - name: IMAGE_URL - value: $(params.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(params.IMAGE_DIGEST) + - name: inspect-image + image: quay.io/redhat-appstudio/hacbs-test:v1.1.9@sha256:866675ee3064cf4768691ecca478063ce12f0556fb9d4f24ca95c98664ffbd43 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
+ workingDir: $(workspaces.source.path)/hacbs/$(context.task.name) + securityContext: + runAsUser: 0 + capabilities: + add: + - SETFCAP + env: + - name: IMAGE_URL + value: $(params.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(params.IMAGE_DIGEST) + script: | + #!/usr/bin/env bash + set -euo pipefail + source /utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT - script: | - #!/usr/bin/env bash - set -euo pipefail - source /utils.sh - trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + IMAGE_INSPECT=image_inspect.json + BASE_IMAGE_INSPECT=base_image_inspect.json + RAW_IMAGE_INSPECT=raw_image_inspect.json - IMAGE_INSPECT=image_inspect.json - BASE_IMAGE_INSPECT=base_image_inspect.json - RAW_IMAGE_INSPECT=raw_image_inspect.json - - IMAGE_URL="${IMAGE_URL}@${IMAGE_DIGEST}" - # Given a tag and a the digest in the IMAGE_URL we opt to use the digest alone - # this is because containers/image currently doesn't support image references - # that contain both. See https://github.com/containers/image/issues/1736 - if [[ "${IMAGE_URL}" == *":"*"@"* ]]; then - IMAGE_URL="${IMAGE_URL/:*@/@}" - fi + IMAGE_URL="${IMAGE_URL}@${IMAGE_DIGEST}" + # Given a tag and a the digest in the IMAGE_URL we opt to use the digest alone + # this is because containers/image currently doesn't support image references + # that contain both. See https://github.com/containers/image/issues/1736 + if [[ "${IMAGE_URL}" == *":"*"@"* ]]; then + IMAGE_URL="${IMAGE_URL/:*@/@}" + fi - status=-1 - max_run=5 - sleep_sec=10 - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec # skip last sleep - echo "Inspecting manifest for source image ${IMAGE_URL} (try $run/$max_run)." - skopeo inspect --no-tags docker://"${IMAGE_URL}" > $IMAGE_INSPECT && break || status=$? - done - if [ "$status" -ne 0 ]; then - echo "Failed to inspect image ${IMAGE_URL}" - note="Task $(context.task.name) failed: Encountered errors while inspecting image. For details, check Tekton task log." 
- TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") - echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path) - exit 0 - fi - echo "Image ${IMAGE_URL} metadata:" - cat "$IMAGE_INSPECT" + status=-1 + max_run=5 + sleep_sec=10 + for run in $(seq 1 $max_run); do + status=0 + [ "$run" -gt 1 ] && sleep $sleep_sec # skip last sleep + echo "Inspecting manifest for source image ${IMAGE_URL} (try $run/$max_run)." + skopeo inspect --no-tags docker://"${IMAGE_URL}" > $IMAGE_INSPECT && break || status=$? + done + if [ "$status" -ne 0 ]; then + echo "Failed to inspect image ${IMAGE_URL}" + note="Task $(context.task.name) failed: Encountered errors while inspecting image. For details, check Tekton task log." + TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path) + exit 0 + fi + echo "Image ${IMAGE_URL} metadata:" + cat "$IMAGE_INSPECT" - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec # skip last sleep - echo "Inspecting raw image manifest ${IMAGE_URL} (try $run/$max_run)." - skopeo inspect --no-tags --raw docker://"${IMAGE_URL}" > $RAW_IMAGE_INSPECT && break || status=$? - done - if [ "$status" -ne 0 ]; then - echo "Failed to get raw metadata of image ${IMAGE_URL}" - note="Task $(context.task.name) failed: Encountered errors while inspecting image. For details, check Tekton task log." - TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") - echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path) - exit 0 - fi - echo "Image ${IMAGE_URL} raw metadata:" - cat "$RAW_IMAGE_INSPECT" | jq # jq for readable formatting + for run in $(seq 1 $max_run); do + status=0 + [ "$run" -gt 1 ] && sleep $sleep_sec # skip last sleep + echo "Inspecting raw image manifest ${IMAGE_URL} (try $run/$max_run)." + skopeo inspect --no-tags --raw docker://"${IMAGE_URL}" > $RAW_IMAGE_INSPECT && break || status=$? 
+ done + if [ "$status" -ne 0 ]; then + echo "Failed to get raw metadata of image ${IMAGE_URL}" + note="Task $(context.task.name) failed: Encountered errors while inspecting image. For details, check Tekton task log." + TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path) + exit 0 + fi + echo "Image ${IMAGE_URL} raw metadata:" + cat "$RAW_IMAGE_INSPECT" | jq # jq for readable formatting - echo "Getting base image manifest for source image ${IMAGE_URL}." - BASE_IMAGE_NAME="$(jq -r ".annotations.\"org.opencontainers.image.base.name\"" $RAW_IMAGE_INSPECT)" - BASE_IMAGE_DIGEST="$(jq -r ".annotations.\"org.opencontainers.image.base.digest\"" $RAW_IMAGE_INSPECT)" - if [ $BASE_IMAGE_NAME == 'null' ]; then - echo "Cannot get base image info from annotations." - BASE_IMAGE_NAME="$(jq -r ".Labels.\"org.opencontainers.image.base.name\"" $IMAGE_INSPECT)" - BASE_IMAGE_DIGEST="$(jq -r ".annotations.\"org.opencontainers.image.base.digest\"" $IMAGE_INSPECT)" - if [ "$BASE_IMAGE_NAME" == 'null' ]; then - echo "Cannot get base image info from Labels. For details, check source image ${IMAGE_URL}." + echo "Getting base image manifest for source image ${IMAGE_URL}." + BASE_IMAGE_NAME="$(jq -r ".annotations.\"org.opencontainers.image.base.name\"" $RAW_IMAGE_INSPECT)" + BASE_IMAGE_DIGEST="$(jq -r ".annotations.\"org.opencontainers.image.base.digest\"" $RAW_IMAGE_INSPECT)" + if [ $BASE_IMAGE_NAME == 'null' ]; then + echo "Cannot get base image info from annotations." + BASE_IMAGE_NAME="$(jq -r ".Labels.\"org.opencontainers.image.base.name\"" $IMAGE_INSPECT)" + BASE_IMAGE_DIGEST="$(jq -r ".annotations.\"org.opencontainers.image.base.digest\"" $IMAGE_INSPECT)" + if [ "$BASE_IMAGE_NAME" == 'null' ]; then + echo "Cannot get base image info from Labels. For details, check source image ${IMAGE_URL}." + exit 0 + fi + fi + if [ -z "$BASE_IMAGE_NAME" ]; then + echo "Source image ${IMAGE_URL} is built from scratch, so there is no base image." 
exit 0 fi - fi - if [ -z "$BASE_IMAGE_NAME" ]; then - echo "Source image ${IMAGE_URL} is built from scratch, so there is no base image." - exit 0 - fi - BASE_IMAGE="${BASE_IMAGE_NAME%:*}@$BASE_IMAGE_DIGEST" - echo "Detected base image: $BASE_IMAGE" - echo -n "$BASE_IMAGE" > $(results.BASE_IMAGE.path) + BASE_IMAGE="${BASE_IMAGE_NAME%:*}@$BASE_IMAGE_DIGEST" + echo "Detected base image: $BASE_IMAGE" + echo -n "$BASE_IMAGE" > $(results.BASE_IMAGE.path) - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec # skip last sleep - echo "Inspecting base image ${BASE_IMAGE} (try $run/$max_run)." - skopeo inspect --no-tags "docker://$BASE_IMAGE" > $BASE_IMAGE_INSPECT && break || status=$? - done - if [ "$status" -ne 0 ]; then - echo "Failed to inspect base image ${BASE_IMAGE}" - note="Task $(context.task.name) failed: Encountered errors while inspecting image. For details, check Tekton task log." - TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") - echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path) - exit 0 - fi + for run in $(seq 1 $max_run); do + status=0 + [ "$run" -gt 1 ] && sleep $sleep_sec # skip last sleep + echo "Inspecting base image ${BASE_IMAGE} (try $run/$max_run)." + skopeo inspect --no-tags "docker://$BASE_IMAGE" > $BASE_IMAGE_INSPECT && break || status=$? + done + if [ "$status" -ne 0 ]; then + echo "Failed to inspect base image ${BASE_IMAGE}" + note="Task $(context.task.name) failed: Encountered errors while inspecting image. For details, check Tekton task log." 
+ TEST_OUTPUT=$(make_result_json -r ERROR -t "$note") + echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path) + exit 0 + fi - BASE_IMAGE_REPOSITORY="$(jq -r '.Name | sub("[^/]+/"; "") | sub("[:@].*"; "")' "$BASE_IMAGE_INSPECT")" - echo "Detected base image repository: $BASE_IMAGE_REPOSITORY" - echo -n "$BASE_IMAGE_REPOSITORY" > $(results.BASE_IMAGE_REPOSITORY.path) + BASE_IMAGE_REPOSITORY="$(jq -r '.Name | sub("[^/]+/"; "") | sub("[:@].*"; "")' "$BASE_IMAGE_INSPECT")" + echo "Detected base image repository: $BASE_IMAGE_REPOSITORY" + echo -n "$BASE_IMAGE_REPOSITORY" > $(results.BASE_IMAGE_REPOSITORY.path) - note="Task $(context.task.name) completed: Check inspected JSON files under $(workspaces.source.path)/hacbs/$(context.task.name)." - TEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t "$note") - echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path) + note="Task $(context.task.name) completed: Check inspected JSON files under $(workspaces.source.path)/hacbs/$(context.task.name)." + TEST_OUTPUT=$(make_result_json -r SUCCESS -s 1 -t "$note") + echo "${TEST_OUTPUT}" | tee $(results.TEST_OUTPUT.path) diff --git a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml index 680febb7e..422301368 100644 --- a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml +++ b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml 
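Review bot: In the Labels fallback of the inspect-image script on the new side, `BASE_IMAGE_NAME` is read from `.Labels` of `$IMAGE_INSPECT` but `BASE_IMAGE_DIGEST` is read from `.annotations` of the same file, so the two lookups disagree on the key path; if the name really lives under `Labels` in the non-raw skopeo output, the digest read will return `null` and `BASE_IMAGE="${BASE_IMAGE_NAME%:*}@$BASE_IMAGE_DIGEST"` becomes a reference ending in `@null` that the base-image inspect loop then fails on. The likely fix is `BASE_IMAGE_DIGEST="$(jq -r ".Labels.\"org.opencontainers.image.base.digest\"" $IMAGE_INSPECT)"`, plus a guard before building `BASE_IMAGE` such as `if [ -z "$BASE_IMAGE_DIGEST" ] || [ "$BASE_IMAGE_DIGEST" == 'null' ]; then echo "No base image digest found"; exit 0; fi`. The outer annotation check `if [ $BASE_IMAGE_NAME == 'null' ]` also leaves the variable unquoted, unlike the inner `[ "$BASE_IMAGE_NAME" == 'null' ]`, so an empty value yields a malformed test under `set -euo pipefail`; quote it the same way. The same result-path handling continues in the prefetch-dependencies and rpm-ostree hunks below, which are formatting-only as well.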
@@ -12,36 +12,36 @@ spec: Task that uses Cachi2 to prefetch build dependencies. See docs at https://github.com/containerbuildsystem/cachi2#basic-usage. params: - - description: Configures project packages that will have their dependencies prefetched. - name: input + - description: Configures project packages that will have their dependencies prefetched. + name: input steps: - - image: quay.io/redhat-appstudio/cachi2:0.4.0@sha256:001acfbad47e132a90998d45076a0dbe0d8beacf0bec12b4d9a5aa796f4a9cad - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - name: prefetch-dependencies - env: - - name: INPUT - value: $(params.input) - script: | - if [ -z "${INPUT}" ] - then - echo "Build will be executed with network isolation, but no content was configured to be prefetched." - exit 0 - fi + - image: quay.io/redhat-appstudio/cachi2:0.4.0@sha256:001acfbad47e132a90998d45076a0dbe0d8beacf0bec12b4d9a5aa796f4a9cad + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + name: prefetch-dependencies + env: + - name: INPUT + value: $(params.input) + script: | + if [ -z "${INPUT}" ] + then + echo "Build will be executed with network isolation, but no content was configured to be prefetched." 
+ exit 0 + fi - cachi2 fetch-deps \ - --source=$(workspaces.source.path)/source \ - --output=$(workspaces.source.path)/cachi2/output \ - "${INPUT}" + cachi2 fetch-deps \ + --source=$(workspaces.source.path)/source \ + --output=$(workspaces.source.path)/cachi2/output \ + "${INPUT}" - cachi2 generate-env $(workspaces.source.path)/cachi2/output \ - --format env \ - --for-output-dir=/cachi2/output \ - --output $(workspaces.source.path)/cachi2/cachi2.env + cachi2 generate-env $(workspaces.source.path)/cachi2/output \ + --format env \ + --for-output-dir=/cachi2/output \ + --output $(workspaces.source.path)/cachi2/cachi2.env - cachi2 inject-files $(workspaces.source.path)/cachi2/output \ - --for-output-dir=/cachi2/output + cachi2 inject-files $(workspaces.source.path)/cachi2/output \ + --for-output-dir=/cachi2/output workspaces: - - name: source - description: Workspace with the source code, cachi2 artifacts will be stored on the workspace as well + - name: source + description: Workspace with the source code, cachi2 artifacts will be stored on the workspace as well diff --git a/task/rpm-ostree/0.1/rpm-ostree.yaml b/task/rpm-ostree/0.1/rpm-ostree.yaml index 898e7c5ca..f6883e1ca 100644 --- a/task/rpm-ostree/0.1/rpm-ostree.yaml +++ b/task/rpm-ostree/0.1/rpm-ostree.yaml 
@@ -12,243 +12,239 @@ metadata: spec: description: RPM Ostree params: - - description: Reference of the image rpm-ostree will produce. - name: IMAGE - type: string - - default: quay.io/redhat-user-workloads/project-sagano-tenant/ostree-builder/ostree-builder-fedora-38:d124414a81d17f31b1d734236f55272a241703d7 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - description: The location of the rpm-ostree builder image. - name: BUILDER_IMAGE - type: string - - default: . - description: Path to the directory to use as context. - name: CONTEXT - type: string - - description: The file to use to build the image - name: IMAGE_FILE - type: string - - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS - registry) - name: TLSVERIFY - type: string - - default: "" - description: Delete image tag after specified time. Empty means to keep the image - tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, - respectively. - name: IMAGE_EXPIRES_AFTER - type: string - - default: "" - description: The image is built from this commit. - name: COMMIT_SHA - type: string - - description: The platform to build on - name: PLATFORM - type: string - - description: The relative path of the file used to configure the rpm-ostree tool found in source control. - See https://github.com/coreos/rpm-ostree/blob/main/docs/container.md#adding-container-image-configuration - name: CONFIG_FILE - type: string - default: "" + - description: Reference of the image rpm-ostree will produce. 
+ name: IMAGE + type: string + - default: quay.io/redhat-user-workloads/project-sagano-tenant/ostree-builder/ostree-builder-fedora-38:d124414a81d17f31b1d734236f55272a241703d7 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + description: The location of the rpm-ostree builder image. + name: BUILDER_IMAGE + type: string + - default: . + description: Path to the directory to use as context. + name: CONTEXT + type: string + - description: The file to use to build the image + name: IMAGE_FILE + type: string + - default: "true" + description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) + name: TLSVERIFY + type: string + - default: "" + description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. + name: IMAGE_EXPIRES_AFTER + type: string + - default: "" + description: The image is built from this commit. + name: COMMIT_SHA + type: string + - description: The platform to build on + name: PLATFORM + type: string + - description: The relative path of the file used to configure the rpm-ostree tool found in source control. 
See https://github.com/coreos/rpm-ostree/blob/main/docs/container.md#adding-container-image-configuration + name: CONFIG_FILE + type: string + default: "" results: - - description: Digest of the image just built - name: IMAGE_DIGEST - - description: Image repository where the built image was pushed - name: IMAGE_URL - - description: Digests of the base images used for build - name: BASE_IMAGES_DIGESTS + - description: Digest of the image just built + name: IMAGE_DIGEST + - description: Image repository where the built image was pushed + name: IMAGE_URL + - description: Digests of the base images used for build + name: BASE_IMAGES_DIGESTS stepTemplate: env: - - name: CONTEXT - value: $(params.CONTEXT) - - name: IMAGE_FILE - value: $(params.IMAGE_FILE) - - name: IMAGE - value: $(params.IMAGE) - - name: TLSVERIFY - value: $(params.TLSVERIFY) - - name: IMAGE_EXPIRES_AFTER - value: $(params.IMAGE_EXPIRES_AFTER) - - name: BUILDER_IMAGE - value: $(params.BUILDER_IMAGE) - - name: CONFIG_FILE - value: $(params.CONFIG_FILE) + - name: CONTEXT + value: $(params.CONTEXT) + - name: IMAGE_FILE + value: $(params.IMAGE_FILE) + - name: IMAGE + value: $(params.IMAGE) + - name: TLSVERIFY + value: $(params.TLSVERIFY) + - name: IMAGE_EXPIRES_AFTER + value: $(params.IMAGE_EXPIRES_AFTER) + - name: BUILDER_IMAGE + value: $(params.BUILDER_IMAGE) + - name: CONFIG_FILE + value: $(params.CONFIG_FILE) computeResources: {} steps: - - env: - - name: COMMIT_SHA - value: $(params.COMMIT_SHA) - image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as 
new images are released. - name: build - computeResources: - limits: - memory: 512Mi - requests: - cpu: 250m - memory: 128Mi - script: |- - set -o verbose - set -eu - set -o pipefail - mkdir -p ~/.ssh - if [ -e "/ssh/error" ]; then - #no server could be provisioned - cat /ssh/error - exit 1 - elif [ -e "/ssh/otp" ]; then - curl --cacert /ssh/otp-ca -XPOST -d @/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa - echo "" >> ~/.ssh/id_rsa - else - cp /ssh/id_rsa ~/.ssh - fi - chmod 0400 ~/.ssh/id_rsa - export SSH_HOST=$(cat /ssh/host) - export BUILD_DIR=$(cat /ssh/user-dir) - export SSH_ARGS="-o StrictHostKeyChecking=no" - mkdir -p scripts - echo "$BUILD_DIR" - ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/tmp" + - env: + - name: COMMIT_SHA + value: $(params.COMMIT_SHA) + image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f@sha256:246adeaaba600e207131d63a7f706cffdcdc37d8f600c56187123ec62823ff44 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
+ name: build + computeResources: + limits: + memory: 512Mi + requests: + cpu: 250m + memory: 128Mi + script: |- + set -o verbose + set -eu + set -o pipefail + mkdir -p ~/.ssh + if [ -e "/ssh/error" ]; then + #no server could be provisioned + cat /ssh/error + exit 1 + elif [ -e "/ssh/otp" ]; then + curl --cacert /ssh/otp-ca -XPOST -d @/ssh/otp $(cat /ssh/otp-server) >~/.ssh/id_rsa + echo "" >> ~/.ssh/id_rsa + else + cp /ssh/id_rsa ~/.ssh + fi + chmod 0400 ~/.ssh/id_rsa + export SSH_HOST=$(cat /ssh/host) + export BUILD_DIR=$(cat /ssh/user-dir) + export SSH_ARGS="-o StrictHostKeyChecking=no" + mkdir -p scripts + echo "$BUILD_DIR" + ssh $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/tmp" - rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/" - cat >scripts/script-build.sh <<'REMOTESSHEOF' - #!/bin/sh - set -o verbose - cd $(workspaces.source.path) - if [ -z "$CONFIG_FILE" ] ; then - CONFIG_FILE_ARG="" - else - CONFIG_FILE_ARG=" --image-config=source/$CONFIG_FILE " - fi - rpm-ostree compose image --initialize --format oci $CONFIG_FILE_ARG "source/$IMAGE_FILE" rhtap-final-image + rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/" + cat >scripts/script-build.sh <<'REMOTESSHEOF' + #!/bin/sh + set -o verbose + cd $(workspaces.source.path) + if [ -z "$CONFIG_FILE" ] ; then + CONFIG_FILE_ARG="" + else + CONFIG_FILE_ARG=" --image-config=source/$CONFIG_FILE " + fi + rpm-ostree compose image --initialize --format oci $CONFIG_FILE_ARG "source/$IMAGE_FILE" rhtap-final-image - REMOTESSHEOF - chmod +x scripts/script-build.sh - rsync -ra scripts "$SSH_HOST:$BUILD_DIR" - ssh $SSH_ARGS "$SSH_HOST" podman run --mount type=bind,source=$BUILD_DIR/tmp,target=/var/tmp,relabel=shared --privileged -e CONTEXT="$CONTEXT" -e IMAGE_FILE="$IMAGE_FILE" -e CONFIG_FILE="$CONFIG_FILE" -e IMAGE="$IMAGE" -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" -e COMMIT_SHA="$COMMIT_SHA" --rm -v 
"$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" -v $BUILD_DIR/scripts:/script:Z --user=0 "$BUILDER_IMAGE" /script/script-build.sh - rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/source/" "$(workspaces.source.path)/" - cp -r rhtap-final-image /var/lib/containers/rhtap-final-image - buildah pull oci:rhtap-final-image - buildah images - buildah tag localhost/rhtap-final-image "$IMAGE" - securityContext: - capabilities: - add: - - SETFCAP - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - mountPath: /ssh - name: ssh - readOnly: true - workingDir: $(workspaces.source.path) - - image: quay.io/redhat-appstudio/syft:v0.98.0@sha256:4d3856e6a2622700b9a9d5d74d9aaf5d8a55671653f80bf6c636677658680ede - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - name: sbom-syft-generate - computeResources: - limits: - memory: 6Gi - requests: - memory: 6Gi - script: | - syft oci-dir:/var/lib/containers/rhtap-final-image --output cyclonedx-json=$(workspaces.source.path)/sbom-cyclonedx.json - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
- name: create-purl-sbom - computeResources: {} - script: | - #!/bin/python3 - import json + REMOTESSHEOF + chmod +x scripts/script-build.sh + rsync -ra scripts "$SSH_HOST:$BUILD_DIR" + ssh $SSH_ARGS "$SSH_HOST" podman run --mount type=bind,source=$BUILD_DIR/tmp,target=/var/tmp,relabel=shared --privileged -e CONTEXT="$CONTEXT" -e IMAGE_FILE="$IMAGE_FILE" -e CONFIG_FILE="$CONFIG_FILE" -e IMAGE="$IMAGE" -e IMAGE_EXPIRES_AFTER="$IMAGE_EXPIRES_AFTER" -e COMMIT_SHA="$COMMIT_SHA" --rm -v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" -v $BUILD_DIR/scripts:/script:Z --user=0 "$BUILDER_IMAGE" /script/script-build.sh + rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/source/" "$(workspaces.source.path)/" + cp -r rhtap-final-image /var/lib/containers/rhtap-final-image + buildah pull oci:rhtap-final-image + buildah images + buildah tag localhost/rhtap-final-image "$IMAGE" + securityContext: + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - mountPath: /ssh + name: ssh + readOnly: true + workingDir: $(workspaces.source.path) + - image: quay.io/redhat-appstudio/syft:v0.98.0@sha256:4d3856e6a2622700b9a9d5d74d9aaf5d8a55671653f80bf6c636677658680ede + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
+ name: sbom-syft-generate + computeResources: + limits: + memory: 6Gi + requests: + memory: 6Gi + script: | + syft oci-dir:/var/lib/containers/rhtap-final-image --output cyclonedx-json=$(workspaces.source.path)/sbom-cyclonedx.json + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + name: create-purl-sbom + computeResources: {} + script: | + #!/bin/python3 + import json - with open("./sbom-cyclonedx.json") as f: - cyclonedx_sbom = json.load(f) + with open("./sbom-cyclonedx.json") as f: + cyclonedx_sbom = json.load(f) - purls = [{"purl": component["purl"]} for component in cyclonedx_sbom.get("components", []) if "purl" in component] - purl_content = {"image_contents": {"dependencies": purls}} + purls = [{"purl": component["purl"]} for component in cyclonedx_sbom.get("components", []) if "purl" in component] + purl_content = {"image_contents": {"dependencies": purls}} - with open("sbom-purl.json", "w") as output_file: - json.dump(purl_content, output_file, indent=4) - securityContext: - runAsUser: 0 - workingDir: $(workspaces.source.path) - - image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests 
that update the digest as new images are released. - name: inject-sbom-and-push - computeResources: {} - script: | - #!/bin/bash - # Expose base image digests - buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) + with open("sbom-purl.json", "w") as output_file: + json.dump(purl_content, output_file, indent=4) + securityContext: + runAsUser: 0 + workingDir: $(workspaces.source.path) + - image: quay.io/redhat-appstudio/multi-platform-runner:01c7670e81d5120347cf0ad13372742489985e5f + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + name: inject-sbom-and-push + computeResources: {} + script: | + #!/bin/bash + # Expose base image digests + buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) - container=$(buildah from --pull-never $IMAGE) - buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container - buildah commit $container $IMAGE + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') + base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) + container=$(buildah from --pull-never $IMAGE) + buildah config -a 
org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container + buildah commit $container $IMAGE - status=-1 - max_run=5 - sleep_sec=10 - for run in $(seq 1 $max_run); do - status=0 - [ "$run" -gt 1 ] && sleep $sleep_sec - echo "Pushing sbom image to registry" - buildah push \ - --tls-verify=$TLSVERIFY \ - --digestfile $(workspaces.source.path)/image-digest $IMAGE \ - docker://$IMAGE && break || status=$? - done - if [ "$status" -ne 0 ]; then - echo "Failed to push sbom image to registry after ${max_run} tries" - exit 1 - fi + status=-1 + max_run=5 + sleep_sec=10 + for run in $(seq 1 $max_run); do + status=0 + [ "$run" -gt 1 ] && sleep $sleep_sec + echo "Pushing sbom image to registry" + buildah push \ + --tls-verify=$TLSVERIFY \ + --digestfile $(workspaces.source.path)/image-digest $IMAGE \ + docker://$IMAGE && break || status=$? + done + if [ "$status" -ne 0 ]; then + echo "Failed to push sbom image to registry after ${max_run} tries" + exit 1 + fi - cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) - securityContext: - capabilities: - add: - - SETFCAP - runAsUser: 0 - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - workingDir: $(workspaces.source.path) - - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
- name: upload-sbom - computeResources: {} - workingDir: $(workspaces.source.path) + cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) + echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + securityContext: + capabilities: + add: + - SETFCAP + runAsUser: 0 + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + workingDir: $(workspaces.source.path) + - args: + - attach + - sbom + - --sbom + - sbom-cyclonedx.json + - --type + - cyclonedx + - $(params.IMAGE) + image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + name: upload-sbom + computeResources: {} + workingDir: $(workspaces.source.path) volumes: - - emptyDir: {} - name: varlibcontainers - - name: ssh - secret: - optional: false - secretName: multi-platform-ssh-$(context.taskRun.name) + - emptyDir: {} + name: varlibcontainers + - name: ssh + secret: + optional: false + secretName: multi-platform-ssh-$(context.taskRun.name) workspaces: - - description: Workspace containing the source code to build. - name: source + - description: Workspace containing the source code to build. + name: source diff --git a/task/s2i-java/0.1/s2i-java.yaml b/task/s2i-java/0.1/s2i-java.yaml index fba697c9c..6698c904c 100644 --- a/task/s2i-java/0.1/s2i-java.yaml +++ b/task/s2i-java/0.1/s2i-java.yaml 
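Review bot: The build step of rpm-ostree on the new side still sets `export SSH_ARGS="-o StrictHostKeyChecking=no"` and then rsyncs the source tree to `$SSH_HOST`, runs `podman run --privileged` there, and rsyncs the result back to be tagged as `$IMAGE` and pushed, so the remote host's identity is never verified even though the `/ssh` secret already delivers `host`, `id_rsa` and `user-dir`; if the provisioner can also supply a pinned host key, switching to `-o StrictHostKeyChecking=yes -o UserKnownHostsFile=/ssh/<known-hosts-key-from-secret>` would keep the built image bound to the provisioned host. Whether the provisioner side can supply that key is not visible in this hunk. Separately, the inject-sbom-and-push script is `#!/bin/bash` without `set -e`, so a failed `buildah config` or `buildah commit` does not stop the subsequent push; adding `set -euo pipefail` after the shebang and quoting `$IMAGE` in `grep -v "$IMAGE"` and the `buildah inspect`/`buildah from` calls would make the step fail closed.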
@@ -16,264 +16,256 @@ spec: In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool. When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. params: - - default: registry.access.redhat.com/ubi9/openjdk-17:1.13-10.1669632202 - description: Java builder image - name: BASE_IMAGE - type: string - - default: . - description: The location of the path to run s2i from - name: PATH_CONTEXT - type: string - - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - name: TLSVERIFY - type: string - - description: Location of the repo where image has to be pushed - name: IMAGE - type: string - - default: registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - description: The location of the buildah builder image. - name: BUILDER_IMAGE - type: string - - default: "" - description: unused, should be removed in next task version - name: DOCKER_AUTH - type: string - - default: "" - description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. - name: IMAGE_EXPIRES_AFTER - type: string - - name: COMMIT_SHA - description: The image is built from this commit. 
- type: string - default: "" + - default: registry.access.redhat.com/ubi9/openjdk-17:1.13-10.1669632202 + description: Java builder image + name: BASE_IMAGE + type: string + - default: . + description: The location of the path to run s2i from + name: PATH_CONTEXT + type: string + - default: "true" + description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) + name: TLSVERIFY + type: string + - description: Location of the repo where image has to be pushed + name: IMAGE + type: string + - default: registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + description: The location of the buildah builder image. + name: BUILDER_IMAGE + type: string + - default: "" + description: unused, should be removed in next task version + name: DOCKER_AUTH + type: string + - default: "" + description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. + name: IMAGE_EXPIRES_AFTER + type: string + - name: COMMIT_SHA + description: The image is built from this commit. 
+ type: string + default: "" results: - - description: Digest of the image just built - name: IMAGE_DIGEST - - description: Image repository where the built image was pushed - name: IMAGE_URL - - description: Digests of the base images used for build - name: BASE_IMAGES_DIGESTS - - name: SBOM_JAVA_COMPONENTS_COUNT - description: The counting of Java components by publisher in JSON format - type: string - - name: JAVA_COMMUNITY_DEPENDENCIES - description: The Java dependencies that came from community sources such as Maven central. + - description: Digest of the image just built + name: IMAGE_DIGEST + - description: Image repository where the built image was pushed + name: IMAGE_URL + - description: Digests of the base images used for build + name: BASE_IMAGES_DIGESTS + - name: SBOM_JAVA_COMPONENTS_COUNT + description: The counting of Java components by publisher in JSON format + type: string + - name: JAVA_COMMUNITY_DEPENDENCIES + description: The Java dependencies that came from community sources such as Maven central. 
stepTemplate: env: - - name: BUILDAH_FORMAT - value: oci - - name: STORAGE_DRIVER - value: vfs - - name: PATH_CONTEXT - value: $(params.PATH_CONTEXT) - - name: BASE_IMAGE - value: $(params.BASE_IMAGE) - - name: TLSVERIFY - value: $(params.TLSVERIFY) - - name: IMAGE - value: $(params.IMAGE) - - name: IMAGE_EXPIRES_AFTER - value: $(params.IMAGE_EXPIRES_AFTER) + - name: BUILDAH_FORMAT + value: oci + - name: STORAGE_DRIVER + value: vfs + - name: PATH_CONTEXT + value: $(params.PATH_CONTEXT) + - name: BASE_IMAGE + value: $(params.BASE_IMAGE) + - name: TLSVERIFY + value: $(params.TLSVERIFY) + - name: IMAGE + value: $(params.IMAGE) + - name: IMAGE_EXPIRES_AFTER + value: $(params.IMAGE_EXPIRES_AFTER) steps: - - args: - - |- - echo "MAVEN_CLEAR_REPO=true" > env-file - [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && - echo "MAVEN_MIRROR_URL=http://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/" >> env-file - - echo "Generated Env file" - echo "------------------------------" - cat env-file - echo "------------------------------" - s2i build $PATH_CONTEXT $BASE_IMAGE --image-scripts-url image:///usr/local/s2i --as-dockerfile /gen-source/Dockerfile.gen --environment-file env-file - - command: - - /bin/sh - - -c - env: - - name: HOME - value: /tekton/home - image: registry.redhat.io/ocp-tools-4-tech-preview/source-to-image-rhel8@sha256:637c15600359cb45bc01445b5e811b6240ca239f0ebfe406b50146e34f68f631 - name: s2i-gen - computeResources: {} - workingDir: $(workspaces.source.path)/source - securityContext: - runAsUser: 0 - volumeMounts: - - mountPath: /gen-source - name: gen-source - - script: | - # Fixing group permission on /var/lib/containers - chown root:root /var/lib/containers - - LABELS=( - "--label" "build-date=$(date -u +'%Y-%m-%dT%H:%M:%S')" - "--label" "architecture=$(uname -m)" - "--label" "vcs-type=git" - ) - [ -n "$COMMIT_SHA" ] && LABELS+=("--label" "vcs-ref=$COMMIT_SHA") - [ -n "$IMAGE_EXPIRES_AFTER" ] && LABELS+=("--label" 
"quay.expires-after=$IMAGE_EXPIRES_AFTER") - - touch /var/lib/containers/java - sed -i 's/^short-name-mode = .*/short-name-mode = "disabled"/' /etc/containers/registries.conf - buildah build --tls-verify=$TLSVERIFY ${LABELS[@]} --ulimit nofile=4096:4096 -f /gen-source/Dockerfile.gen -t $IMAGE . - - container=$(buildah from --pull-never $IMAGE) - buildah mount $container | tee /workspace/container_path - echo $container > /workspace/container_name - image: $(params.BUILDER_IMAGE) - name: build - env: - - name: COMMIT_SHA - value: $(params.COMMIT_SHA) - computeResources: - limits: - memory: 4Gi - requests: - memory: 512Mi - cpu: 10m - securityContext: - runAsUser: 0 - capabilities: - add: - - SETFCAP - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - mountPath: /gen-source - name: gen-source - workingDir: /gen-source - - - image: quay.io/redhat-appstudio/syft:v0.98.0@sha256:4d3856e6a2622700b9a9d5d74d9aaf5d8a55671653f80bf6c636677658680ede - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
- name: sbom-syft-generate - script: | - syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json - find $(cat /workspace/container_path) -xtype l -delete - syft dir:$(cat /workspace/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - name: analyse-dependencies-java-sbom - image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 - script: | - if [ -f /var/lib/containers/java ]; then - /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /workspace/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) - sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875 - else - touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path) - fi - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - securityContext: - runAsUser: 0 - - image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
- name: merge-sboms - script: | - #!/bin/python3 - import json - import os + - args: + - |- + echo "MAVEN_CLEAR_REPO=true" > env-file + [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && + echo "MAVEN_MIRROR_URL=http://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/" >> env-file - # load SBOMs - with open("./sbom-image.json") as f: - image_sbom = json.load(f) + echo "Generated Env file" + echo "------------------------------" + cat env-file + echo "------------------------------" + s2i build $PATH_CONTEXT $BASE_IMAGE --image-scripts-url image:///usr/local/s2i --as-dockerfile /gen-source/Dockerfile.gen --environment-file env-file + command: + - /bin/sh + - -c + env: + - name: HOME + value: /tekton/home + image: registry.redhat.io/ocp-tools-4-tech-preview/source-to-image-rhel8@sha256:637c15600359cb45bc01445b5e811b6240ca239f0ebfe406b50146e34f68f631 + name: s2i-gen + computeResources: {} + workingDir: $(workspaces.source.path)/source + securityContext: + runAsUser: 0 + volumeMounts: + - mountPath: /gen-source + name: gen-source + - script: | + # Fixing group permission on /var/lib/containers + chown root:root /var/lib/containers - with open("./sbom-source.json") as f: - source_sbom = json.load(f) + LABELS=( + "--label" "build-date=$(date -u +'%Y-%m-%dT%H:%M:%S')" + "--label" "architecture=$(uname -m)" + "--label" "vcs-type=git" + ) + [ -n "$COMMIT_SHA" ] && LABELS+=("--label" "vcs-ref=$COMMIT_SHA") + [ -n "$IMAGE_EXPIRES_AFTER" ] && LABELS+=("--label" "quay.expires-after=$IMAGE_EXPIRES_AFTER") - # fetch unique components from available SBOMs - def get_identifier(component): - return component["name"] + '@' + component.get("version", "") + touch /var/lib/containers/java + sed -i 's/^short-name-mode = .*/short-name-mode = "disabled"/' /etc/containers/registries.conf + buildah build --tls-verify=$TLSVERIFY ${LABELS[@]} --ulimit nofile=4096:4096 -f /gen-source/Dockerfile.gen -t $IMAGE . 
- image_sbom_components = image_sbom.get("components", []) - existing_components = [get_identifier(component) for component in image_sbom_components] + container=$(buildah from --pull-never $IMAGE) + buildah mount $container | tee /workspace/container_path + echo $container > /workspace/container_name + image: $(params.BUILDER_IMAGE) + name: build + env: + - name: COMMIT_SHA + value: $(params.COMMIT_SHA) + computeResources: + limits: + memory: 4Gi + requests: + memory: 512Mi + cpu: 10m + securityContext: + runAsUser: 0 + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - mountPath: /gen-source + name: gen-source + workingDir: /gen-source + - image: quay.io/redhat-appstudio/syft:v0.98.0@sha256:4d3856e6a2622700b9a9d5d74d9aaf5d8a55671653f80bf6c636677658680ede + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
+ name: sbom-syft-generate + script: | + syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json + find $(cat /workspace/container_path) -xtype l -delete + syft dir:$(cat /workspace/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - name: analyse-dependencies-java-sbom + image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 + script: | + if [ -f /var/lib/containers/java ]; then + /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /workspace/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) + sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875 + else + touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path) + fi + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + securityContext: + runAsUser: 0 + - image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
+ name: merge-sboms + script: | + #!/bin/python3 + import json + import os - source_sbom_components = source_sbom.get("components", []) - for component in source_sbom_components: - if get_identifier(component) not in existing_components: - image_sbom_components.append(component) - existing_components.append(get_identifier(component)) + # load SBOMs + with open("./sbom-image.json") as f: + image_sbom = json.load(f) - image_sbom_components.sort(key=lambda c: get_identifier(c)) + with open("./sbom-source.json") as f: + source_sbom = json.load(f) - # write the CycloneDX unified SBOM - with open("./sbom-cyclonedx.json", "w") as f: - json.dump(image_sbom, f, indent=4) + # fetch unique components from available SBOMs + def get_identifier(component): + return component["name"] + '@' + component.get("version", "") - # create and write the PURL unified SBOM - purls = [{"purl": component["purl"]} for component in image_sbom_components if "purl" in component] - purl_content = {"image_contents": {"dependencies": purls}} + image_sbom_components = image_sbom.get("components", []) + existing_components = [get_identifier(component) for component in image_sbom_components] - with open("sbom-purl.json", "w") as output_file: - json.dump(purl_content, output_file, indent=4) + source_sbom_components = source_sbom.get("components", []) + for component in source_sbom_components: + if get_identifier(component) not in existing_components: + image_sbom_components.append(component) + existing_components.append(get_identifier(component)) - workingDir: $(workspaces.source.path) - securityContext: - runAsUser: 0 + image_sbom_components.sort(key=lambda c: get_identifier(c)) - - image: $(params.BUILDER_IMAGE) - # default above is image digest specific - name: inject-sbom-and-push - computeResources: {} - script: | - # Expose base image digests - buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) + # write the CycloneDX unified SBOM 
+ with open("./sbom-cyclonedx.json", "w") as f: + json.dump(image_sbom, f, indent=4) - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) - container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container - buildah commit $container $IMAGE - buildah push \ - --tls-verify=$TLSVERIFY \ - --digestfile $(workspaces.source.path)/image-digest $IMAGE \ - docker://$IMAGE - cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + # create and write the PURL unified SBOM + purls = [{"purl": component["purl"]} for component in image_sbom_components if "purl" in component] + purl_content = {"image_contents": {"dependencies": purls}} - securityContext: - runAsUser: 0 - capabilities: - add: - - SETFCAP - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - workingDir: $(workspaces.source.path) - - - name: upload-sbom - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
- args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) - workingDir: $(workspaces.source.path) + with open("sbom-purl.json", "w") as output_file: + json.dump(purl_content, output_file, indent=4) + workingDir: $(workspaces.source.path) + securityContext: + runAsUser: 0 + - image: $(params.BUILDER_IMAGE) + # default above is image digest specific + name: inject-sbom-and-push + computeResources: {} + script: | + # Expose base image digests + buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') + base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) + container=$(buildah from --pull-never $IMAGE) + buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ + buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container + buildah commit $container $IMAGE + buildah push \ + --tls-verify=$TLSVERIFY \ + --digestfile $(workspaces.source.path)/image-digest $IMAGE \ + docker://$IMAGE + cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) + echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + securityContext: + runAsUser: 0 + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + workingDir: $(workspaces.source.path) + - name: upload-sbom + image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image 
digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + args: + - attach + - sbom + - --sbom + - sbom-cyclonedx.json + - --type + - cyclonedx + - $(params.IMAGE) + workingDir: $(workspaces.source.path) volumes: - - emptyDir: {} - name: varlibcontainers - - emptyDir: {} - name: gen-source + - emptyDir: {} + name: varlibcontainers + - emptyDir: {} + name: gen-source workspaces: - - mountPath: /workspace/source - name: source - description: Workspace containing the source code to build. + - mountPath: /workspace/source + name: source + description: Workspace containing the source code to build. diff --git a/task/s2i-nodejs/0.1/s2i-nodejs.yaml b/task/s2i-nodejs/0.1/s2i-nodejs.yaml index 1bd389e08..754782732 100644 --- a/task/s2i-nodejs/0.1/s2i-nodejs.yaml +++ b/task/s2i-nodejs/0.1/s2i-nodejs.yaml 
@@ -14,231 +14,225 @@ spec: s2i-nodejs task builds source code into a container image and pushes the image into container registry using S2I and buildah tool. In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool. params: - - default: registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583@sha256:c17111ec54c7f57f22d03f2abba206b0bdc54dcdfb02d6a8278ce088231eced1 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - description: NodeJS builder image - name: BASE_IMAGE - type: string - - default: . - description: The location of the path to run s2i from. - name: PATH_CONTEXT - type: string - - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - name: TLSVERIFY - type: string - - description: Location of the repo where image has to be pushed - name: IMAGE - type: string - - default: registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af - description: The location of the buildah builder image. - name: BUILDER_IMAGE - type: string - - default: "" - description: unused, should be removed in next task version - name: DOCKER_AUTH - type: string - - default: "" - description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. 
- name: IMAGE_EXPIRES_AFTER - type: string - # Unused only as placeholder - - default: "" - description: The base URL of a mirror used for retrieving artifacts - name: MAVEN_MIRROR_URL - - name: COMMIT_SHA - description: The image is built from this commit. - type: string - default: "" + - default: registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583@sha256:c17111ec54c7f57f22d03f2abba206b0bdc54dcdfb02d6a8278ce088231eced1 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + description: NodeJS builder image + name: BASE_IMAGE + type: string + - default: . + description: The location of the path to run s2i from. + name: PATH_CONTEXT + type: string + - default: "true" + description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) + name: TLSVERIFY + type: string + - description: Location of the repo where image has to be pushed + name: IMAGE + type: string + - default: registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af + description: The location of the buildah builder image. + name: BUILDER_IMAGE + type: string + - default: "" + description: unused, should be removed in next task version + name: DOCKER_AUTH + type: string + - default: "" + description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. 
+ name: IMAGE_EXPIRES_AFTER + type: string + # Unused only as placeholder + - default: "" + description: The base URL of a mirror used for retrieving artifacts + name: MAVEN_MIRROR_URL + - name: COMMIT_SHA + description: The image is built from this commit. + type: string + default: "" stepTemplate: env: - - name: BUILDAH_FORMAT - value: oci - - name: STORAGE_DRIVER - value: vfs - - name: TLSVERIFY - value: $(params.TLSVERIFY) - - name: IMAGE - value: $(params.IMAGE) - - name: IMAGE_EXPIRES_AFTER - value: $(params.IMAGE_EXPIRES_AFTER) + - name: BUILDAH_FORMAT + value: oci + - name: STORAGE_DRIVER + value: vfs + - name: TLSVERIFY + value: $(params.TLSVERIFY) + - name: IMAGE + value: $(params.IMAGE) + - name: IMAGE_EXPIRES_AFTER + value: $(params.IMAGE_EXPIRES_AFTER) results: - - description: Digest of the image just built - name: IMAGE_DIGEST - - description: Image repository where the built image was pushed - name: IMAGE_URL - - description: Digests of the base images used for build - name: BASE_IMAGES_DIGESTS + - description: Digest of the image just built + name: IMAGE_DIGEST + - description: Image repository where the built image was pushed + name: IMAGE_URL + - description: Digests of the base images used for build + name: BASE_IMAGES_DIGESTS steps: - - name: generate - image: registry.redhat.io/ocp-tools-4-tech-preview/source-to-image-rhel8@sha256:e518e05a730ae066e371a4bd36a5af9cedc8686fd04bd59648d20ea0a486d7e5 - command: - - s2i - - build - - $(params.PATH_CONTEXT) - - $(params.BASE_IMAGE) - - --as-dockerfile - - /gen-source/Dockerfile.gen - env: - - name: HOME - value: /tekton/home - computeResources: {} - volumeMounts: - - mountPath: /gen-source - name: gen-source - workingDir: $(workspaces.source.path)/source - - script: | - # Fixing group permission on /var/lib/containers - chown root:root /var/lib/containers - - LABELS=( - "--label" "build-date=$(date -u +'%Y-%m-%dT%H:%M:%S')" - "--label" "architecture=$(uname -m)" - "--label" "vcs-type=git" - ) - [ -n 
"$COMMIT_SHA" ] && LABELS+=("--label" "vcs-ref=$COMMIT_SHA") - [ -n "$IMAGE_EXPIRES_AFTER" ] && LABELS+=("--label" "quay.expires-after=$IMAGE_EXPIRES_AFTER") - - sed -i 's/^short-name-mode = .*/short-name-mode = "disabled"/' /etc/containers/registries.conf - buildah build --tls-verify=$TLSVERIFY ${LABELS[@]} -f /gen-source/Dockerfile.gen -t $IMAGE . - - container=$(buildah from --pull-never $IMAGE) - buildah mount $container | tee /workspace/container_path - echo $container > /workspace/container_name - image: $(params.BUILDER_IMAGE) - name: build - env: - - name: COMMIT_SHA - value: $(params.COMMIT_SHA) - computeResources: - limits: - memory: 2Gi - requests: - memory: 512Mi - cpu: 10m - securityContext: - capabilities: - add: - - SETFCAP - volumeMounts: - - mountPath: /var/lib/containers + - name: generate + image: registry.redhat.io/ocp-tools-4-tech-preview/source-to-image-rhel8@sha256:e518e05a730ae066e371a4bd36a5af9cedc8686fd04bd59648d20ea0a486d7e5 + command: + - s2i + - build + - $(params.PATH_CONTEXT) + - $(params.BASE_IMAGE) + - --as-dockerfile + - /gen-source/Dockerfile.gen + env: + - name: HOME + value: /tekton/home + computeResources: {} + volumeMounts: + - mountPath: /gen-source + name: gen-source + workingDir: $(workspaces.source.path)/source + - script: | + # Fixing group permission on /var/lib/containers + chown root:root /var/lib/containers + + LABELS=( + "--label" "build-date=$(date -u +'%Y-%m-%dT%H:%M:%S')" + "--label" "architecture=$(uname -m)" + "--label" "vcs-type=git" + ) + [ -n "$COMMIT_SHA" ] && LABELS+=("--label" "vcs-ref=$COMMIT_SHA") + [ -n "$IMAGE_EXPIRES_AFTER" ] && LABELS+=("--label" "quay.expires-after=$IMAGE_EXPIRES_AFTER") + + sed -i 's/^short-name-mode = .*/short-name-mode = "disabled"/' /etc/containers/registries.conf + buildah build --tls-verify=$TLSVERIFY ${LABELS[@]} -f /gen-source/Dockerfile.gen -t $IMAGE . 
+ + container=$(buildah from --pull-never $IMAGE) + buildah mount $container | tee /workspace/container_path + echo $container > /workspace/container_name + image: $(params.BUILDER_IMAGE) + name: build + env: + - name: COMMIT_SHA + value: $(params.COMMIT_SHA) + computeResources: + limits: + memory: 2Gi + requests: + memory: 512Mi + cpu: 10m + securityContext: + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - mountPath: /gen-source + name: gen-source + workingDir: /gen-source + - image: quay.io/redhat-appstudio/syft:v0.98.0@sha256:4d3856e6a2622700b9a9d5d74d9aaf5d8a55671653f80bf6c636677658680ede + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + name: sbom-syft-generate + script: | + syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json + find $(cat /workspace/container_path) -xtype l -delete + syft dir:$(cat /workspace/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + - image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
+ name: merge-sboms + script: | + #!/bin/python3 + import json + import os + + # load SBOMs + with open("./sbom-image.json") as f: + image_sbom = json.load(f) + + with open("./sbom-source.json") as f: + source_sbom = json.load(f) + + # fetch unique components from available SBOMs + def get_identifier(component): + return component["name"] + '@' + component.get("version", "") + + image_sbom_components = image_sbom.get("components", []) + existing_components = [get_identifier(component) for component in image_sbom_components] + + source_sbom_components = source_sbom.get("components", []) + for component in source_sbom_components: + if get_identifier(component) not in existing_components: + image_sbom_components.append(component) + existing_components.append(get_identifier(component)) + + image_sbom_components.sort(key=lambda c: get_identifier(c)) + + # write the CycloneDX unified SBOM + with open("./sbom-cyclonedx.json", "w") as f: + json.dump(image_sbom, f, indent=4) + + # create and write the PURL unified SBOM + purls = [{"purl": component["purl"]} for component in image_sbom_components if "purl" in component] + purl_content = {"image_contents": {"dependencies": purls}} + + with open("sbom-purl.json", "w") as output_file: + json.dump(purl_content, output_file, indent=4) + workingDir: $(workspaces.source.path) + securityContext: + runAsUser: 0 + - image: $(params.BUILDER_IMAGE) + name: inject-sbom-and-push + computeResources: {} + script: | + # Expose base image digests + buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) + + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') + base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) + container=$(buildah from --pull-never $IMAGE) + buildah copy $container sbom-cyclonedx.json sbom-purl.json 
/root/buildinfo/content_manifests/ + buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container + buildah commit $container $IMAGE + buildah push \ + --tls-verify=$TLSVERIFY \ + --digestfile $(workspaces.source.path)/image-digest $IMAGE \ + docker://$IMAGE + cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) + echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + securityContext: + runAsUser: 0 + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + workingDir: $(workspaces.source.path) + - name: upload-sbom + image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + args: + - attach + - sbom + - --sbom + - sbom-cyclonedx.json + - --type + - cyclonedx + - $(params.IMAGE) + workingDir: $(workspaces.source.path) + volumes: + - emptyDir: {} name: varlibcontainers - - mountPath: /gen-source + - emptyDir: {} name: gen-source - workingDir: /gen-source - - - image: quay.io/redhat-appstudio/syft:v0.98.0@sha256:4d3856e6a2622700b9a9d5d74d9aaf5d8a55671653f80bf6c636677658680ede - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
- name: sbom-syft-generate - script: | - syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json - find $(cat /workspace/container_path) -xtype l -delete - syft dir:$(cat /workspace/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - image: registry.access.redhat.com/ubi9/python-39:1-158@sha256:967000729b17efdea309e297f4b1961c38b902a1ef18f6d886b8086c2a12f01f - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - name: merge-sboms - script: | - #!/bin/python3 - import json - import os - - # load SBOMs - with open("./sbom-image.json") as f: - image_sbom = json.load(f) - - with open("./sbom-source.json") as f: - source_sbom = json.load(f) - - # fetch unique components from available SBOMs - def get_identifier(component): - return component["name"] + '@' + component.get("version", "") - - image_sbom_components = image_sbom.get("components", []) - existing_components = [get_identifier(component) for component in image_sbom_components] - - source_sbom_components = source_sbom.get("components", []) - for component in source_sbom_components: - if get_identifier(component) not in existing_components: - image_sbom_components.append(component) - existing_components.append(get_identifier(component)) - - image_sbom_components.sort(key=lambda c: get_identifier(c)) - - # write the CycloneDX unified SBOM - with open("./sbom-cyclonedx.json", "w") as f: - json.dump(image_sbom, f, indent=4) - - # create and write the PURL unified SBOM - purls = [{"purl": component["purl"]} for component in image_sbom_components 
if "purl" in component] - purl_content = {"image_contents": {"dependencies": purls}} - - with open("sbom-purl.json", "w") as output_file: - json.dump(purl_content, output_file, indent=4) - - workingDir: $(workspaces.source.path) - securityContext: - runAsUser: 0 - - - image: $(params.BUILDER_IMAGE) - name: inject-sbom-and-push - computeResources: {} - script: | - # Expose base image digests - buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) - - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) - container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container - buildah commit $container $IMAGE - buildah push \ - --tls-verify=$TLSVERIFY \ - --digestfile $(workspaces.source.path)/image-digest $IMAGE \ - docker://$IMAGE - cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) - - securityContext: - runAsUser: 0 - capabilities: - add: - - SETFCAP - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - workingDir: $(workspaces.source.path) - - - name: upload-sbom - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit 
pull requests that update the digest as new images are released. - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) - workingDir: $(workspaces.source.path) - - volumes: - - emptyDir: {} - name: varlibcontainers - - emptyDir: {} - name: gen-source workspaces: - - mountPath: /workspace/source - name: source - description: Workspace containing the source code to build. + - mountPath: /workspace/source + name: source + description: Workspace containing the source code to build. diff --git a/task/sast-snyk-check/0.1/sast-snyk-check.yaml b/task/sast-snyk-check/0.1/sast-snyk-check.yaml index 828f93347..3a78acb9d 100644 --- a/task/sast-snyk-check/0.1/sast-snyk-check.yaml +++ b/task/sast-snyk-check/0.1/sast-snyk-check.yaml @@ -85,4 +85,4 @@ spec: fi echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path) workspaces: - - name: workspace + - name: workspace diff --git a/task/sbom-json-check/0.1/sbom-json-check.yaml b/task/sbom-json-check/0.1/sbom-json-check.yaml index 190d0c211..37cecdabd 100644 --- a/task/sbom-json-check/0.1/sbom-json-check.yaml +++ b/task/sbom-json-check/0.1/sbom-json-check.yaml @@ -1,4 +1,3 @@ ---- apiVersion: tekton.dev/v1 kind: Task metadata: 
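Review bot: Dropping the `---` document-start marker (the `-1,4 +1,3` hunk of sbom-json-check.yaml here, and the same hunk in the show-sbom, source-build and verify-signed-rpms files further down) switches these manifests from an explicit to an implicit document start, which yamllint's `document-start` rule reports by default. If the repository's yamllint configuration keeps that rule enabled, the linter and yamlfmt will now disagree and one of the two checks will keep failing on every formatted file. Either keep the marker (yamlfmt's basic formatter has an `include_document_start` option for this, if I recall correctly), or set `document-start: disable` in the yamllint config, so both tools enforce the same shape.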
@@ -17,64 +16,64 @@ spec: - description: Tekton task test output. name: TEST_OUTPUT steps: - - name: sbom-json-check - image: quay.io/redhat-appstudio/hacbs-test:v1.1.9@sha256:866675ee3064cf4768691ecca478063ce12f0556fb9d4f24ca95c98664ffbd43 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - securityContext: - runAsUser: 0 - capabilities: - add: - - SETFCAP - volumeMounts: - - mountPath: /shared - name: shared - env: - - name: IMAGE_URL - value: $(params.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(params.IMAGE_DIGEST) - script: | - #!/usr/bin/env bash - set -euo pipefail - source /utils.sh - trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + - name: sbom-json-check + image: quay.io/redhat-appstudio/hacbs-test:v1.1.9@sha256:866675ee3064cf4768691ecca478063ce12f0556fb9d4f24ca95c98664ffbd43 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
+ securityContext: + runAsUser: 0 + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /shared + name: shared + env: + - name: IMAGE_URL + value: $(params.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(params.IMAGE_DIGEST) + script: | + #!/usr/bin/env bash + set -euo pipefail + source /utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT - mkdir /manifests/ && cd /manifests/ + mkdir /manifests/ && cd /manifests/ - image_with_digest="${IMAGE_URL}@${IMAGE_DIGEST}" + image_with_digest="${IMAGE_URL}@${IMAGE_DIGEST}" - if ! oc image extract --registry-config ~/.docker/config.json "${image_with_digest}" --path '/root/buildinfo/content_manifests/*:/manifests/'; then - echo "Failed to extract manifests from image ${image_with_digest}." - note="Task $(context.task.name) failed: Failed to extract manifests from image ${image_with_digest} with oc extract. For details, check Tekton task log." - ERROR_OUTPUT=$(make_result_json -r "ERROR" -t "$note") - fi + if ! oc image extract --registry-config ~/.docker/config.json "${image_with_digest}" --path '/root/buildinfo/content_manifests/*:/manifests/'; then + echo "Failed to extract manifests from image ${image_with_digest}." + note="Task $(context.task.name) failed: Failed to extract manifests from image ${image_with_digest} with oc extract. For details, check Tekton task log." + ERROR_OUTPUT=$(make_result_json -r "ERROR" -t "$note") + fi - touch fail_result.txt - if [ -f "sbom-cyclonedx.json" ] - then - result=$(echo -n $(sbom-utility validate --input-file sbom-cyclonedx.json)) - if [[ ! $result =~ "SBOM valid against JSON schema: `true`" ]] + touch fail_result.txt + if [ -f "sbom-cyclonedx.json" ] then - echo "sbom-cyclonedx.json: $result" > fail_result.txt + result=$(echo -n $(sbom-utility validate --input-file sbom-cyclonedx.json)) + if [[ ! 
$result =~ "SBOM valid against JSON schema: `true`" ]] + then + echo "sbom-cyclonedx.json: $result" > fail_result.txt + fi + else + echo "Cannot access sbom-cyclonedx.json: No such file or directory exists." > fail_result.txt fi - else - echo "Cannot access sbom-cyclonedx.json: No such file or directory exists." > fail_result.txt - fi - FAIL_RESULTS="$(cat fail_result.txt)" - if [[ -z $FAIL_RESULTS ]] - then - note="Task $(context.task.name) completed: Check result for JSON check result." - TEST_OUTPUT=$(make_result_json -r "SUCCESS" -s 1 -t "$note") - else - echo "Failed to verify sbom-cyclonedx.json for image $IMAGE_URL with reason: $FAIL_RESULTS." - note="Task $(context.task.name) failed: Failed to verify SBOM for image $IMAGE_URL." - ERROR_OUTPUT=$(make_result_json -r "FAILURE" -f 1 -t "$note") - fi + FAIL_RESULTS="$(cat fail_result.txt)" + if [[ -z $FAIL_RESULTS ]] + then + note="Task $(context.task.name) completed: Check result for JSON check result." + TEST_OUTPUT=$(make_result_json -r "SUCCESS" -s 1 -t "$note") + else + echo "Failed to verify sbom-cyclonedx.json for image $IMAGE_URL with reason: $FAIL_RESULTS." + note="Task $(context.task.name) failed: Failed to verify SBOM for image $IMAGE_URL." + ERROR_OUTPUT=$(make_result_json -r "FAILURE" -f 1 -t "$note") + fi - echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path) + echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path) volumes: - - name: shared - emptyDir: {} + - name: shared + emptyDir: {} diff --git a/task/show-sbom/0.1/show-sbom.yaml b/task/show-sbom/0.1/show-sbom.yaml index a4fc6b2f3..9e9e405ef 100644 --- a/task/show-sbom/0.1/show-sbom.yaml +++ b/task/show-sbom/0.1/show-sbom.yaml @@ -1,4 +1,3 @@ ---- apiVersion: tekton.dev/v1 kind: Task metadata: 
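Review bot: The validation test on the new side of this hunk, `if [[ ! $result =~ "SBOM valid against JSON schema: `true`" ]]`, is double-quoted, so bash treats the backticks as command substitution, runs `true`, and substitutes an empty string; the pattern actually compared is `SBOM valid against JSON schema: ` with no verdict after it. Any sbom-utility output containing that prefix then satisfies the check — presumably including a `false` verdict, if the tool phrases it the same way — so the task can report SUCCESS for an SBOM that failed schema validation. Put the pattern in single quotes, ``'SBOM valid against JSON schema: `true`'``, or escape both backticks, so the literal text is matched. This is pre-existing and only re-indented by the commit, but it is the gate the task exists to enforce.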
@@ -16,29 +15,29 @@ spec: description: Fully qualified image name to show SBOM for. type: string steps: - - name: show-sbom - image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. - env: - - name: IMAGE_URL - value: $(params.IMAGE_URL) - script: | - #!/busybox/sh - status=-1 - max_try=5 - wait_sec=2 - for run in $(seq 1 $max_try); do - status=0 - cosign download sbom $IMAGE_URL 2>>err - status=$? - if [ "$status" -eq 0 ]; then - break + - name: show-sbom + image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. + env: + - name: IMAGE_URL + value: $(params.IMAGE_URL) + script: | + #!/busybox/sh + status=-1 + max_try=5 + wait_sec=2 + for run in $(seq 1 $max_try); do + status=0 + cosign download sbom $IMAGE_URL 2>>err + status=$? + if [ "$status" -eq 0 ]; then + break + fi + sleep $wait_sec + done + if [ "$status" -ne 0 ]; then + echo "Failed to get SBOM after ${max_try} tries" >&2 + cat err >&2 fi - sleep $wait_sec - done - if [ "$status" -ne 0 ]; then - echo "Failed to get SBOM after ${max_try} tries" >&2 - cat err >&2 - fi 
diff --git a/task/source-build/0.1/source-build.yaml b/task/source-build/0.1/source-build.yaml index 31de95a70..60e4885e5 100644 --- a/task/source-build/0.1/source-build.yaml +++ b/task/source-build/0.1/source-build.yaml @@ -1,4 +1,3 @@ ---- apiVersion: tekton.dev/v1 kind: Task metadata: @@ -16,9 +15,7 @@ spec: type: string - name: BASE_IMAGES description: >- - Base images used to build the binary image. Each image per line in the same order of FROM - instructions specified in a multistage Dockerfile. Default to an empty string, which means - to skip handling a base image. + Base images used to build the binary image. Each image per line in the same order of FROM instructions specified in a multistage Dockerfile. Default to an empty string, which means to skip handling a base image. type: string default: "" results: diff --git a/task/tkn-bundle/0.1/tkn-bundle.yaml b/task/tkn-bundle/0.1/tkn-bundle.yaml index f438390b3..646958a64 100644 --- a/task/tkn-bundle/0.1/tkn-bundle.yaml +++ b/task/tkn-bundle/0.1/tkn-bundle.yaml 
@@ -12,132 +12,132 @@ spec: description: |- Creates and pushes a Tekton bundle containing the specified Tekton YAML files. params: - - description: Reference of the image task will produce. - name: IMAGE - type: string - - default: . - description: Path to the directory to use as context. - name: CONTEXT - type: string - - name: HOME - type: string - description: Value for the HOME environment variable. - default: /tekton/home - - name: STEPS_IMAGE - type: string - description: An optional image to configure task steps with in the bundle - default: "" + - description: Reference of the image task will produce. + name: IMAGE + type: string + - default: . + description: Path to the directory to use as context. + name: CONTEXT + type: string + - name: HOME + type: string + description: Value for the HOME environment variable. + default: /tekton/home + - name: STEPS_IMAGE + type: string + description: An optional image to configure task steps with in the bundle + default: "" results: - - description: Digest of the image just built - name: IMAGE_DIGEST - - description: Image repository where the built image was pushed with tag only - name: IMAGE_URL + - description: Digest of the image just built + name: IMAGE_DIGEST + - description: Image repository where the built image was pushed with tag only + name: IMAGE_URL stepTemplate: env: - - name: HOME - value: "$(params.HOME)" - - name: TASK_FILE - value: tekton_task_files + - name: HOME + value: "$(params.HOME)" + - name: TASK_FILE + value: tekton_task_files steps: - - image: registry.access.redhat.com/ubi9/toolbox@sha256:7391628396216c011ed3a310f1fa54c6a9221e36f7fa59c94ae7796de51e7a25 - name: modify-task-files - env: - - name: CONTEXT - value: $(params.CONTEXT) - - name: STEPS_IMAGE - value: $(params.STEPS_IMAGE) - script: | - #!/bin/env bash - set -o errexit - set -o pipefail - set -o nounset + - image: registry.access.redhat.com/ubi9/toolbox@sha256:7391628396216c011ed3a310f1fa54c6a9221e36f7fa59c94ae7796de51e7a25 + name: 
modify-task-files + env: + - name: CONTEXT + value: $(params.CONTEXT) + - name: STEPS_IMAGE + value: $(params.STEPS_IMAGE) + script: | + #!/bin/env bash + set -o errexit + set -o pipefail + set -o nounset - # expand '**', and don't return glob expression when no matches found - shopt -s globstar nullglob + # expand '**', and don't return glob expression when no matches found + shopt -s globstar nullglob - # read \$CONTEXT as an array split by comma or space into PATHS - IFS=', ' read -r -a PATHS <<< "$CONTEXT" - FILES=() - for path in "${PATHS[@]}"; do - # keeps current path expanded - paths=() - # are we negating the current path - neg=0 - if [[ "${path}" == \!* ]]; then - neg=1 - path="${path#\!}" - fi - if [[ -d "$(workspaces.source.path)/${path}" ]]; then - # for directories look for any .yaml or .yml files - paths+=( - $(workspaces.source.path)/${path}/**/*.yaml - $(workspaces.source.path)/${path}/**/*.yml - ) - else - # for files add the file to the collected paths - paths+=("${path}") - fi - if [[ $neg == 0 ]]; then - # collect curent paths to FILES - FILES+=("${paths[@]}") - else - if [[ ${#PATHS[@]} -eq 1 ]]; then - # single negative path provided, first include everything then - # subtract the negative elements - FILES=( - $(workspaces.source.path)/**/*.yaml - $(workspaces.source.path)/**/*.yml + # read \$CONTEXT as an array split by comma or space into PATHS + IFS=', ' read -r -a PATHS <<< "$CONTEXT" + FILES=() + for path in "${PATHS[@]}"; do + # keeps current path expanded + paths=() + # are we negating the current path + neg=0 + if [[ "${path}" == \!* ]]; then + neg=1 + path="${path#\!}" + fi + if [[ -d "$(workspaces.source.path)/${path}" ]]; then + # for directories look for any .yaml or .yml files + paths+=( + $(workspaces.source.path)/${path}/**/*.yaml + $(workspaces.source.path)/${path}/**/*.yml ) + else + # for files add the file to the collected paths + paths+=("${path}") fi - for p in "${paths[@]}"; do - # remove any collected paths from FILES, 
leaves blank elements in place - FILES=("${FILES[@]/$p/}") - done - # remove blank elements - TMP=("${FILES[@]}") - FILES=() - for p in "${TMP[@]}"; do - [[ -n "${p}" ]] && FILES+=("${p}") + if [[ $neg == 0 ]]; then + # collect curent paths to FILES + FILES+=("${paths[@]}") + else + if [[ ${#PATHS[@]} -eq 1 ]]; then + # single negative path provided, first include everything then + # subtract the negative elements + FILES=( + $(workspaces.source.path)/**/*.yaml + $(workspaces.source.path)/**/*.yml + ) + fi + for p in "${paths[@]}"; do + # remove any collected paths from FILES, leaves blank elements in place + FILES=("${FILES[@]/$p/}") + done + # remove blank elements + TMP=("${FILES[@]}") + FILES=() + for p in "${TMP[@]}"; do + [[ -n "${p}" ]] && FILES+=("${p}") + done + fi + done + + if [[ -n "${STEPS_IMAGE}" ]]; then + for f in "${FILES[@]}"; do + yq e '(.spec.steps[] | select(has("image")).image) = "env(STEPS_IMAGE)"' -i $f done fi - done - if [[ -n "${STEPS_IMAGE}" ]]; then - for f in "${FILES[@]}"; do - yq e '(.spec.steps[] | select(has("image")).image) = "env(STEPS_IMAGE)"' -i $f - done - fi - - printf "%s\n" "${FILES[@]}" > "${TASK_FILE}" - workingDir: $(workspaces.source.path) - - image: quay.io/openshift-pipeline/openshift-pipelines-cli-tkn:5.0 - name: build - env: - - name: CONTEXT - value: $(params.CONTEXT) - - name: IMAGE - value: $(params.IMAGE) - script: | - #!/bin/env bash + printf "%s\n" "${FILES[@]}" > "${TASK_FILE}" + workingDir: $(workspaces.source.path) + - image: quay.io/openshift-pipeline/openshift-pipelines-cli-tkn:5.0 + name: build + env: + - name: CONTEXT + value: $(params.CONTEXT) + - name: IMAGE + value: $(params.IMAGE) + script: | + #!/bin/env bash - set -o errexit - set -o pipefail - set -o nounset + set -o errexit + set -o pipefail + set -o nounset - mapfile -t FILES < "${TASK_FILE}" - [[ ${#FILES[@]} -eq 0 ]] \ - && echo "No YAML files matched by \"$CONTEXT\" in \"$(workspaces.source.path)\", aborting the build" \ - && exit 1 - exec 
3>&1; + mapfile -t FILES < "${TASK_FILE}" + [[ ${#FILES[@]} -eq 0 ]] \ + && echo "No YAML files matched by \"$CONTEXT\" in \"$(workspaces.source.path)\", aborting the build" \ + && exit 1 + exec 3>&1; - OUT="$(tkn bundle push "$IMAGE" \ - $(printf ' -f %s' "${FILES[@]}") \ - |tee /proc/self/fd/3)" - echo -n "$IMAGE" > $(results.IMAGE_URL.path) - echo -n "${OUT#*Pushed Tekton Bundle to *@}" > $(results.IMAGE_DIGEST.path) + OUT="$(tkn bundle push "$IMAGE" \ + $(printf ' -f %s' "${FILES[@]}") \ + |tee /proc/self/fd/3)" + echo -n "$IMAGE" > $(results.IMAGE_URL.path) + echo -n "${OUT#*Pushed Tekton Bundle to *@}" > $(results.IMAGE_DIGEST.path) - # cleanup task file - [[ -f "${TASK_FILE}" ]] && rm -f "${TASK_FILE}" - workingDir: $(workspaces.source.path) + # cleanup task file + [[ -f "${TASK_FILE}" ]] && rm -f "${TASK_FILE}" + workingDir: $(workspaces.source.path) workspaces: - - name: source + - name: source diff --git a/task/update-infra-deployments/0.1/update-infra-deployments.yaml b/task/update-infra-deployments/0.1/update-infra-deployments.yaml index 03da24f01..92f8faa46 100644 --- a/task/update-infra-deployments/0.1/update-infra-deployments.yaml +++ b/task/update-infra-deployments/0.1/update-infra-deployments.yaml @@ -49,7 +49,6 @@ spec: secretName: $(params.shared-secret) - name: shared-dir emptyDir: {} - steps: - name: git-clone-infra-deployments image: $(params.GIT_IMAGE) @@ -94,7 +93,6 @@ spec: echo "No modified files after running the script, exiting..." exit 1 fi - # Based on https://github.com/tektoncd/catalog/tree/main/task/github-app-token/0.2/ - name: create-mr image: quay.io/redhat-appstudio/github-app-token@sha256:b4f2af12e9beea68055995ccdbdb86cfe1be97688c618117e5da2243dc1da18e @@ -325,7 +323,6 @@ spec: if __name__ == '__main__': main() - workspaces: - name: artifacts description: Workspace containing arbitrary artifacts used during the task run. 
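Review bot: In the modify-task-files script of this hunk, `yq e '(.spec.steps[] | select(has("image")).image) = "env(STEPS_IMAGE)"' -i $f` wraps `env(STEPS_IMAGE)` in double quotes, which in yq's expression language is a string literal; unless the yq build in this toolbox image interpolates inside strings, every step image is rewritten to the literal text `env(STEPS_IMAGE)` instead of the parameter value, and the bundle would then reference a non-existent image. The operator form is unquoted, `= env(STEPS_IMAGE)` or `= strenv(STEPS_IMAGE)`, and `$f` on the same line should be quoted as `-i "$f"` so paths with spaces are not split. Both points are pre-existing and only re-indented here; the `#!/bin/env bash` script has `nounset` set, so an unset STEPS_IMAGE would at least fail loudly rather than silently.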
diff --git a/task/verify-signed-rpms/0.1/kustomization.yaml b/task/verify-signed-rpms/0.1/kustomization.yaml index 5d0669b41..cbe690b2c 100644 --- a/task/verify-signed-rpms/0.1/kustomization.yaml +++ b/task/verify-signed-rpms/0.1/kustomization.yaml @@ -1,5 +1,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization - resources: -- verify-signed-rpms.yaml + - verify-signed-rpms.yaml diff --git a/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml b/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml index 13192b1e7..953416910 100644 --- a/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml +++ b/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml @@ -1,4 +1,3 @@ ---- apiVersion: tekton.dev/v1 kind: Task metadata: