From 05d28f196e62d3b94f709ef11467d3dd759db25e Mon Sep 17 00:00:00 2001 From: Ellen-Yi-Dong Date: Fri, 1 Nov 2024 10:42:53 -0700 Subject: [PATCH] update source image and unit tests --- .tekton/entitlements-api-go-pull-request.yaml | 89 ++++++++++++++++++- .tekton/entitlements-api-go-push.yaml | 21 ++++- 2 files changed, 108 insertions(+), 2 deletions(-) diff --git a/.tekton/entitlements-api-go-pull-request.yaml b/.tekton/entitlements-api-go-pull-request.yaml index 5d7c911..1f72904 100644 --- a/.tekton/entitlements-api-go-pull-request.yaml +++ b/.tekton/entitlements-api-go-pull-request.yaml @@ -93,7 +93,7 @@ spec: description: Build a source image. name: build-source-image type: string - - default: "false" + - default: "true" description: Add built image into an OCI image index name: build-image-index type: string 
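Review bot: The default flipped in this hunk is the first key of the `build-image-index` entry (the list item opened by `- default:` carries `name: build-image-index`), not of `build-source-image`, whose entry ends on the context lines just above it. The commit subject says "update source image", so if the intent was to turn on source-image builds, the line to change is probably the `default` of the preceding `build-source-image` parameter, which lies above this hunk. The same edit appears in the first hunk of `.tekton/entitlements-api-go-push.yaml`. If enabling the image index is what was meant, a line in the commit message saying so would remove the ambiguity.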
@@ -165,6 +165,74 @@ spec: workspaces: - name: basic-auth workspace: git-auth + # run unit tests + - name: clone-repository-oci-ta + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + # needs to be unique storage name + value: $(params.output-image).git + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta@sha256:0f4360ce144d46171ebd2e8f4d4575539a0600e02208ba5fc9beeb2c27ddfd4c + - name: kind + value: task + resolver: bundles + workspaces: + # use the git-auth workspace for credentials + - name: basic-auth + workspace: git-auth + - name: task-running-unit-tasks + # make sure the task runs after the artifact is created + runAfter: + - clone-repository-oci-ta + params: + # store the trusted artifact + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository-oci-ta.results.SOURCE_ARTIFACT) + taskSpec: + params: + - description: The Trusted Artifact URI pointing to the artifact with the application source code. + name: SOURCE_ARTIFACT + type: string + volumes: + # New volume to store a copy of the source code accessible only to this Task. + - name: workdir + emptyDir: {} + stepTemplate: + volumeMounts: + - mountPath: /var/workdir + name: workdir + steps: + # Add the trusted artifact to the task volume + - name: use-trusted-artifact + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:e0e457b6af10e44ff6b90208a9e69adc863a865e1c062c4cb84bf3846037d74d + args: + - use + - $(params.SOURCE_ARTIFACT)=/var/workdir/source + - name: task-run + # set the working directory to value from previous step + workingDir: /var/workdir/source + # Use image that suites your use case + image: registry.access.redhat.com/ubi8/go-toolset:1.21.13 + securityContext: + # If the task step needs write access to the volume, set the runAsUser to 0 (root). 
+ runAsUser: 0 + script: | + #!/bin/bash + set -ex + # Execute the task + echo "Run unit tests" + bash konflux_pr_check.sh + - name: prefetch-dependencies params: - name: input @@ -261,6 +329,25 @@ spec: operator: in values: - "true" + - name: rpms-signature-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + - name: fail-unsigned + value: true + runAfter: + - build-container + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:7aa4d3c95e2b963e82fdda392f7cb3d61e3dab035416cf4a3a34e43cf3c9c9b8 + - name: kind + value: task + resolver: bundles - name: build-source-image params: - name: BINARY_IMAGE diff --git a/.tekton/entitlements-api-go-push.yaml b/.tekton/entitlements-api-go-push.yaml index 3a4d6dc..05418e4 100644 --- a/.tekton/entitlements-api-go-push.yaml +++ b/.tekton/entitlements-api-go-push.yaml @@ -90,7 +90,7 @@ spec: description: Build a source image. name: build-source-image type: string - - default: "false" + - default: "true" description: Add built image into an OCI image index name: build-image-index type: string @@ -258,6 +258,25 @@ spec: operator: in values: - "true" + - name: rpms-signature-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + - name: fail-unsigned + value: true + runAfter: + - build-container + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:7aa4d3c95e2b963e82fdda392f7cb3d61e3dab035416cf4a3a34e43cf3c9c9b8 + - name: kind + value: task + resolver: bundles - name: build-source-image params: - name: BINARY_IMAGE
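Review bot: The `task-run` step pulls `registry.access.redhat.com/ubi8/go-toolset:1.21.13` by tag only, while the other two image references added in this hunk are pinned with `@sha256:`; a re-pushed tag would change what executes here with no change to this file. This matters more than usual because the step runs `konflux_pr_check.sh` from the cloned revision (presumably the pull request's head) with `runAsUser: 0`. I would pin it as `image: registry.access.redhat.com/ubi8/go-toolset:1.21.13@sha256:<digest of the reviewed image>` and check whether root is really required, given that the `emptyDir` is private to this task. The inline task declares no workspaces, so the `git-auth` credentials are not mounted into the script's pod; a comment such as `# runs PR-supplied code: do not add workspaces or secrets to this task` would keep it that way.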
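Review bot: `fail-unsigned` in the new `rpms-signature-scan` task is given as a bare YAML boolean (`value: true`), whereas every other boolean-like value visible in this file is a quoted string (`default: "true"`, `- "true"`); writing `value: "true"` keeps the parameter a string without relying on how the loader coerces it. The same line appears in the `rpms-signature-scan` task added to `.tekton/entitlements-api-go-push.yaml`. The task also has no `when` block, while the task ending just above it appears to have one. If the scan is meant to be skippable together with the other checks, that gate is missing; if it is meant to be mandatory, a one-line comment such as `# always runs: unsigned RPMs must fail the build` would record the decision.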