Merge branch 'main' into skip-sbom

konflux-ci · Dec 28, 2024 · 047ab18 · 047ab18
2 parents d9521cd + 4bdc144
commit 047ab18
Show file tree

Hide file tree

Showing 14 changed files with 167 additions and 150 deletions.
diff --git a/.github/workflows/go-ci.yaml b/.github/workflows/go-ci.yaml
@@ -18,7 +18,7 @@ jobs:
           go-version-file: './${{matrix.path}}/go.mod'
           cache-dependency-path: ./${{matrix.path}}/go.sum
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@774c35bcccffb734694af9e921f12f57d882ef74
+        uses: golangci/golangci-lint-action@9937fdf7189f2958a2dc9f6d585e5d65e3326d20
         with:
           working-directory: ${{matrix.path}}
           args: "--timeout=10m --build-tags='normal periodic'"
@@ -84,7 +84,7 @@ jobs:
           # we let the report trigger content trigger a failure using the GitHub Security features.
           args: '-tags normal,periodic -no-fail -fmt sarif -out results.sarif ${{matrix.path}}/...'
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@dd7559424621a6dd0b32ababe9e4b271a87f78d2
+        uses: github/codeql-action/upload-sarif@78760076e3f08852c2c3aeb5334f70d074e28c59
         with:
           # Path to SARIF file relative to the root of the repository
           sarif_file: results.sarif
diff --git a/.github/workflows/run-task-tests.yaml b/.github/workflows/run-task-tests.yaml
@@ -60,7 +60,7 @@ jobs:
         with:
           repository: 'konflux-ci/konflux-ci'
           path: konflux-ci
-          ref: d19c18bc2ec9c47c02d8bcf30305a3e5e198bc9f
+          ref: 22cee05b0549ba8836cfea49c4c63485eaf27f89
 
       - name: Create k8s Kind Cluster
         if: steps.tasks-to-be-tested.outputs.tasklist != ''

diff --git a/.tekton/push.yaml b/.tekton/push.yaml
@@ -148,6 +148,11 @@ spec:
                 value: "$(params.revision)"
               - name: GIT_URL
                 value: "$(params.git-url)"
+              - name: GITHUB_TOKEN
+                valueFrom:
+                  secretKeyRef:
+                    name: "{{ git_auth_secret }}"
+                    key: "git-provider-token"
               script: |
                 #!/bin/bash
                 set -euo pipefail

diff --git a/.tekton/scripts/build-acceptable-bundles.sh b/.tekton/scripts/build-acceptable-bundles.sh
@@ -7,10 +7,14 @@ set -o pipefail
 DATA_BUNDLE_REPO="${DATA_BUNDLE_REPO:-quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles}"
 mapfile -t BUNDLES < <(cat "$@")
 
+pr_number=$(gh search prs --repo konflux-ci/build-definitions --merged "${REVISION}" --json number --jq '.[].number')
+
+# changed files in a PR
+mapfile -t changed_files < <(gh pr view "https://github.com/konflux-ci/build-definitions/pull/${pr_number}" --json files --jq '.files.[].path')
 # store a list of changed task files
 task_records=()
 # loop over all changed files
-for path in $(git log -m -1 --name-only --pretty="format:" "${REVISION}"); do
+for path in "${changed_files[@]}"; do
     # check that the file modified is the task file
     if [[ "${path}" == task/*/*/*.yaml ]]; then
         IFS='/' read -r -a path_array <<< "${path}"
@@ -30,6 +34,11 @@ printf '%s\n' "${task_records[@]}"
 echo "Bundles to be added:"
 printf '%s\n' "${BUNDLES[@]}"
 
+if [[ -z ${task_records[*]} && -z ${BUNDLES[*]} ]]; then
+    echo Nothing to do...
+    exit 0
+fi
+
 # The OPA data bundle is tagged with the current timestamp. This has two main
 # advantages. First, it prevents the image from accidentally not having any tags,
 # and getting garbage collected. Second, it helps us create a timeline of the

diff --git a/.tekton/scripts/create-task-pipeline-bundle-repos.sh b/.tekton/scripts/create-task-pipeline-bundle-repos.sh
@@ -47,7 +47,7 @@ locate_in_all_namespaces() {
                 --arg description "" \
                 '$ARGS.named'
             )
-            if ! err_msg=$(curl --oauth2-bearer "${QUAY_TOKEN}" "https://quay.io/api/v1/repository" --json "$payload" | jq '.error_message // empty');
+            if ! err_msg=$(curl --oauth2-bearer "${QUAY_TOKEN}" "https://quay.io/api/v1/repository" --data-binary "$payload" -H "Content-Type: application/json" -H "Accept: application/json" | jq '.error_message // empty');
             then
               echo "curl returned an error when creating the repository. See the error above."
               exit 1

diff --git a/task/buildah-min/0.2/patch.yaml b/task/buildah-min/0.2/patch.yaml
@@ -14,68 +14,55 @@
 - op: replace
   path: /spec/steps/0/computeResources/requests/cpu
   value: 100m
-# push step
+# icm, push, and sbom-syft-generate steps
 - op: replace
-  path: /spec/steps/1/computeResources/limits/memory
+  path: /spec/stepTemplate/computeResources/limits/memory
   value: 2Gi
 - op: replace
-  path: /spec/steps/1/computeResources/requests/memory
+  path: /spec/stepTemplate/computeResources/requests/memory
   value: 512Mi
 - op: replace
-  path: /spec/steps/1/computeResources/limits/cpu
+  path: /spec/stepTemplate/computeResources/limits/cpu
   value: 500m
 - op: replace
-  path: /spec/steps/1/computeResources/requests/cpu
+  path: /spec/stepTemplate/computeResources/requests/cpu
   value: 100m
-# sbom-syft-generate step
-- op: replace
-  path: /spec/steps/2/computeResources/limits/memory
-  value: 2Gi
-- op: replace
-  path: /spec/steps/2/computeResources/requests/memory
-  value: 512Mi
-- op: replace
-  path: /spec/steps/2/computeResources/limits/cpu
-  value: 1
-- op: replace
-  path: /spec/steps/2/computeResources/requests/cpu
-  value: 50m
 # analyse-dependencies-java-sbom step
 - op: replace
-  path: /spec/steps/3/computeResources/limits/memory
+  path: /spec/steps/4/computeResources/limits/memory
   value: 256Mi
 - op: replace
-  path: /spec/steps/3/computeResources/requests/memory
+  path: /spec/steps/4/computeResources/requests/memory
   value: 128Mi
 - op: replace
-  path: /spec/steps/3/computeResources/limits/cpu
+  path: /spec/steps/4/computeResources/limits/cpu
   value: 100m
 - op: replace
-  path: /spec/steps/3/computeResources/requests/cpu
+  path: /spec/steps/4/computeResources/requests/cpu
   value: 10m
 # prepare-sboms step
 - op: replace
-  path: /spec/steps/4/computeResources/limits/memory
+  path: /spec/steps/5/computeResources/limits/memory
   value: 256Mi
 - op: replace
-  path: /spec/steps/4/computeResources/requests/memory
+  path: /spec/steps/5/computeResources/requests/memory
   value: 128Mi
 - op: replace
-  path: /spec/steps/4/computeResources/limits/cpu
+  path: /spec/steps/5/computeResources/limits/cpu
   value: 100m
 - op: replace
-  path: /spec/steps/4/computeResources/requests/cpu
+  path: /spec/steps/5/computeResources/requests/cpu
   value: 10m
 # upload-sbom step
 - op: replace
-  path: /spec/steps/5/computeResources/limits/memory
+  path: /spec/steps/6/computeResources/limits/memory
   value: 2Gi
 - op: replace
-  path: /spec/steps/5/computeResources/requests/memory
+  path: /spec/steps/6/computeResources/requests/memory
   value: 512Mi
 - op: replace
-  path: /spec/steps/5/computeResources/limits/cpu
+  path: /spec/steps/6/computeResources/limits/cpu
   value: 2
 - op: replace
-  path: /spec/steps/5/computeResources/requests/cpu
+  path: /spec/steps/6/computeResources/requests/cpu
   value: 100m
diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -180,6 +180,13 @@ spec:
     - name: workdir
       emptyDir: {}
   stepTemplate:
+    computeResources:
+      limits:
+        cpu: "4"
+        memory: 4Gi
+      requests:
+        cpu: "1"
+        memory: 1Gi
     env:
       - name: ACTIVATION_KEY
         value: $(params.ACTIVATION_KEY)
@@ -271,8 +278,7 @@ spec:
         elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then
           dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE"
         elif [ -e "$DOCKERFILE" ]; then
-          # Custom Dockerfile location is mainly used for instrumented builds for SAST scanning and analyzing.
-          # Instrumented builds use this step as their base and also need to provide modified Dockerfile.
+          # Instrumented builds (SAST) use this custom dockerffile step as their base
           dockerfile_path="$DOCKERFILE"
         elif echo "$DOCKERFILE" | grep -q "^https\?://"; then
           echo "Fetch Dockerfile from $DOCKERFILE"
@@ -328,7 +334,7 @@ spec:
             shift
             # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being
             # passed to buildah. In that case, the *last* occurrence takes precedence. This is why
-            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE - they take precedence.
+            # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE
             while [[ $# -gt 0 && $1 != --* ]]; do
               build_args+=("$1")
               shift
@@ -443,9 +449,8 @@ spec:
         # 2. Activation-keys will be used when the key 'org' exists in the activation key secret.
         # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.
         # 3. If the Dockerfile contains the string "subcription-manager register", add the activation-keys volume
-        #    to buildah but don't pre-register for backwards compatibility. In this case mount an empty directory on
-        #    shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced
-        #    container.
+        #    to buildah but don't pre-register for backwards compatibility. Mount an empty directory on
+        #    shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included
 
         if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then
           cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key
@@ -479,8 +484,7 @@ spec:
 
         if [ -n "${ADDITIONAL_VOLUME_MOUNTS-}" ]; then
           # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.
-          # This is primarily used in instrumented builds for SAST scanning and analyzing.
-          # Instrumented builds use this step as their base and add some other tools.
+          # Instrumented builds (SAST) use this step as their base and add some other tools.
           while read -r volume_mount; do
             VOLUME_MOUNTS+=("--volume=$volume_mount")
           done <<<"$ADDITIONAL_VOLUME_MOUNTS"
@@ -523,16 +527,18 @@ spec:
         unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command"
 
         container=$(buildah from --pull-never "$IMAGE")
-        buildah mount $container | tee /shared/container_path
-        # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
-        find $(cat /shared/container_path) -xtype l -delete
-        echo $container >/shared/container_name
 
         # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
         if [ -f "/tmp/cachi2/output/bom.json" ]; then
+          echo "Making copy of sbom-cachi2.json"
           cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json
         fi
 
+        buildah mount $container | tee /shared/container_path
+        # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners
+        find $(cat /shared/container_path) -xtype l -delete
+        echo $container >/shared/container_name
+
         touch /shared/base_images_digests
         for image in $BASE_IMAGES; do
           base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image")
@@ -553,6 +559,18 @@ spec:
         capabilities:
           add:
             - SETFCAP
+    - name: icm
+      image: quay.io/konflux-ci/icm-injection-scripts:latest@sha256:462980e94ba689b5f56c3d5dfb3358cd8c685300daf65a71532f11898935e7f1
+      args:
+        - $(params.IMAGE)
+      workingDir: /var/workdir
+      volumeMounts:
+        - mountPath: /var/lib/containers
+          name: varlibcontainers
+      securityContext:
+        capabilities:
+          add:
+            - SETFCAP
     - name: push
       image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c
       workingDir: /var/workdir
@@ -602,13 +620,6 @@ spec:
           echo -n "${IMAGE}@"
           cat "/var/workdir/image-digest"
         } >"$(results.IMAGE_REF.path)"
-      computeResources:
-        limits:
-          cpu: "4"
-          memory: 4Gi
-        requests:
-          cpu: "1"
-          memory: 1Gi
       securityContext:
         capabilities:
           add:
@@ -631,13 +642,6 @@ spec:
         syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json"
         echo "Running syft on the image filesystem"
         syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="/var/workdir/sbom-image.json"
-      computeResources:
-        limits:
-          cpu: "2"
-          memory: 4Gi
-        requests:
-          cpu: 500m
-          memory: 1Gi
     - name: analyse-dependencies-java-sbom
       image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77
       volumeMounts: