forked from konflux-ci/build-definitions
extend the sast-coverity-check CI task to support buildful scanning #1
For parity with BUILD_ARGS, support arguments from BUILD_ARGS_FILE when resolving base images. Signed-off-by: Adam Cmiel <[email protected]>
Signed-off-by: Adam Cmiel <[email protected]>
In order to comply with the required labels check, the generated dockerfile needs to have labels amended to it. By providing an additional file with this data, it can be appended in order to pass the compliance check

```
❯ cat -p config/metadata/additional-labels.txt
LABEL com.redhat.component="" \
      description="" \
      distribution-scope="" \
      io.k8s.description="" \
      name="" \
      release="" \
      url="" \
      vendor="" \
      version=""
```

Signed-off-by: Brady Pratt <[email protected]>
This commit passes new environment variables to the e2e tests containing references to the oci-ta build Pipelines. This allows us to test those Pipelines. Ref: EC-715 Signed-off-by: Luiz Carvalho <[email protected]>
Due to tektoncd/cli#2402, annotation values that contain commas or double-quotes currently break 'tkn bundle push'. Escape such annotation values in a way that's compatible with the pflag.StringSlice [1] parser that 'tkn bundle push' uses to parse CLI arguments. [1]: https://pkg.go.dev/github.com/spf13/pflag#FlagSet.StringSlice Signed-off-by: Adam Cmiel <[email protected]>
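The quoting problem that commit message describes, as an added Go example (not code from this repository or from tkn). It assumes the flag value is parsed with CSV rules, and the standard library `encoding/csv` reader stands in for that parser; the function names and the sample annotation are hypothetical.

```go
package main

import (
	"encoding/csv"
	"fmt"
	"strings"
)

// escapeForStringSlice (hypothetical helper) quotes one flag value so
// that a CSV-based slice parser returns it as a single element.
// Values without commas or double quotes pass through unchanged.
func escapeForStringSlice(v string) string {
	if !strings.ContainsAny(v, ",\"") {
		return v
	}
	// CSV quoting: wrap in double quotes, double every embedded quote.
	return `"` + strings.ReplaceAll(v, `"`, `""`) + `"`
}

// parseLikeStringSlice mimics the parsing step with the standard
// library CSV reader. It is a stand-in for the flag parser, not pflag.
func parseLikeStringSlice(arg string) ([]string, error) {
	if arg == "" {
		return []string{}, nil
	}
	return csv.NewReader(strings.NewReader(arg)).Read()
}

func main() {
	// Constructed annotations: one with quotes and a comma, one with a
	// comma only (which is split silently instead of failing).
	samples := []string{
		`org.example.note=says "hi", then exits`,
		`org.example.list=1,2`,
	}
	for _, raw := range samples {
		for _, arg := range []string{raw, escapeForStringSlice(raw)} {
			parts, err := parseLikeStringSlice(arg)
			fmt.Printf("%q -> %q (err: %v)\n", arg, parts, err)
		}
	}
}
```

The comma-only case is the one to watch in review: it produces no error, just two truncated elements where one annotation was intended.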
There is no volumeMount for workdir in the oci-copy task, and its presence in the volumes causes duplicate volumes in the oci-copy-oci-ta Task. This could also be resolved by making the generator aware of duplicate volumes and volumeMounts. Let's do that if it indeed does become an issue.
The secret in the namespace where this pipeline runs is called 'snyk-secret', not 'snyk-shared-secret'. Remove the param since 'snyk-secret' is the default value. Signed-off-by: Adam Cmiel <[email protected]>
The PR pipeline already runs Snyk, but doesn't upload the results anywhere. Run Snyk in the push pipeline as well and upload the results to snyk.io. Note: we should not upload to Snyk from the PR pipeline. Each PR would overwrite the Snyk results from other PRs. By uploading only in the push pipeline, the results will at least always reflect the state in 'main'. The results can be found in the 'konflux-ci/build-definitions' project in the Snyk organization associated with the Snyk token used by the pipeline (currently the 'developer-red-hat-trusted-application-pipeline' organization). Signed-off-by: Adam Cmiel <[email protected]>
Signed-off-by: Adam Cmiel <[email protected]>
Signed-off-by: Jiri Sztuka <[email protected]>
In order to fix KFLUXBUGS-1616, we need to ensure the digest of the Image Index is also included in the list of PROCESSED_IMAGES. This will allow EC to verify the Image Index directly as well as the Image Manifests. Signed-off-by: Luiz Carvalho <[email protected]>
redhat-appstudio/cosign image is getting deprecated due to migration to konflux-ci, replace with konflux-ci/appstudio-utils image
- Describe steps needed for local testing
- Improve info about test-build.sh and test-builds.sh
- Fix typos and other nitpicks
Task-generator doesn't have a README. Add a README with a description of what the generator does and its usage
Replace the python jwcrypto library with the more readily available openssl tools. This is part of an effort to move away from the quay.io/redhat-appstudio/github-app-token image. Signed-off-by: Adam Cmiel <[email protected]>
Replace the python requests library with the python urllib library, which is part of the stdlib. This is part of an effort to move away from the quay.io/redhat-appstudio/github-app-token image. Signed-off-by: Adam Cmiel <[email protected]>
The quay.io/redhat-appstudio/github-app-token image is highly suspect.

- It is a copy of quay.io/chmouel/github-app-token - an image in a personal namespace with unclear origins and content.
- It has not been updated for 4 years.
- It has 175 critical vulnerabilities according to quay.io.

The update-infra-deployments task no longer depends on anything this image provides - replace it with a generic python image.

Signed-off-by: Adam Cmiel <[email protected]>
Handle the cases of GITHUB_APP_KEY_PATH not set / set to a non-existent file more gracefully. Signed-off-by: Adam Cmiel <[email protected]>
It's enough to have such a PR opened weekly Signed-off-by: Martin Basti <[email protected]>
The rule checks that Task step image is accessible. Reference: https://issues.redhat.com/browse/EC-912
We encountered transient 502 errors from quay today. Add retries here to avoid task failure when we encounter flakiness.
Fixing linting
It turns out that IBM Cloud and AWS s3 bucket urls are constructed differently, and the region is in a different place in the string. Add a conditional here to catch AWS-style urls.
fix: extract region from aws s3 urls
Added in konflux-ci#1529 due to tektoncd/pipeline#8388 as this is not yet deployed in the cluster. This reverts commit 51cb724.
If they increase the file size (tektoncd/pipeline#8388) Signed-off-by: Adam Cmiel <[email protected]>
Signed-off-by: Julen Landa Alustiza <[email protected]>
When getting ephemeral cluster credentials, the kubeconfig file was assigned to the KUBECONFIG env var, which is deleted before the script ends. This change removes that assignment and instead explicitly mentions the kubeconfig path when it's used. Signed-off-by: Yftach Herzog <[email protected]>
... which is not used for anything
... to make the interface compatible with the `build-container` task
... from the build-container task
Related: https://issues.redhat.com/browse/OSH-750