From 887ad1cb6f744a7c211215392e809f83818f9182 Mon Sep 17 00:00:00 2001
From: Zoran Regvart
Date: Tue, 26 Nov 2024 16:43:23 +0100
Subject: [PATCH 01/13] Improve listing changed files in a commit
We ended up with revision 3b215506e4ecc70c287785eeda9dbf8a4350b2fe for several Tasks in the acceptable bundles, seems that the `git log` method was also listing the files that were brought in by merging the main branch onto the pull request branch. This switches to using GitHub CLI to search for a merged pull request that contains the top commit (`$REVISION`), and then lists the changed files in that pull request. This version uses the GitHub Token from the `{{git_auth_secret}}` secret created by Pipelines as code. This should contain only the list of files that were changed in the pull request and not any changed files in a merge commit. Reference: https://issues.redhat.com/browse/EC-1015
---
 .tekton/push.yaml | 5 +++++
 .tekton/scripts/build-acceptable-bundles.sh | 11 ++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/.tekton/push.yaml b/.tekton/push.yaml
index e8cca52499..5c70e22641 100644
--- a/.tekton/push.yaml
+++ b/.tekton/push.yaml
@@ -148,6 +148,11 @@ spec:
 value: "$(params.revision)"
 - name: GIT_URL
 value: "$(params.git-url)"
+ - name: GITHUB_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: "{{ git_auth_secret }}"
+ key: "git-provider-token"
 script: |
 #!/bin/bash
 set -euo pipefail
diff --git a/.tekton/scripts/build-acceptable-bundles.sh b/.tekton/scripts/build-acceptable-bundles.sh
index 6a2b9599a3..3034baa96f 100755
--- a/.tekton/scripts/build-acceptable-bundles.sh
+++ b/.tekton/scripts/build-acceptable-bundles.sh
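Review bot: The `GITHUB_TOKEN` entry exposes the Pipelines-as-Code `git-provider-token` to the whole push step, while the only consumer this series shows is two read-only `gh` lookups (`gh search prs`, `gh pr view`) in build-acceptable-bundles.sh. If that secret is the same token PaC uses to report status it presumably carries write scopes, so a token limited to pull-request read access would be the least-privilege choice — worth confirming what scopes it actually has before depending on it here. A short comment on the entry would also stop a later maintainer from assuming it is needed for pushes, e.g. `# read-only: consumed by gh in build-acceptable-bundles.sh to find the merged PR for $REVISION`. The step's `script` continues past the end of the hunk.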
@@ -7,10 +7,14 @@ set -o pipefail DATA_BUNDLE_REPO="${DATA_BUNDLE_REPO:-quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles}" mapfile -t BUNDLES < <(cat "$@") +pr_number=$(gh search prs --repo konflux-ci/build-definitions --merged "${REVISION}" --json number --jq '.[].number') + +# changed files in a PR +mapfile -t changed_files < <(gh pr view "https://github.com/konflux-ci/build-definitions/pull/${pr_number}" --json files --jq '.files.[].path') # store a list of changed task files task_records=() # loop over all changed files -for path in $(git log -m -1 --name-only --pretty="format:" "${REVISION}"); do +for path in "${changed_files[@]}"; do # check that the file modified is the task file if [[ "${path}" == task/*/*/*.yaml ]]; then IFS='/' read -r -a path_array <<< "${path}" @@ -30,6 +34,11 @@ printf '%s\n' "${task_records[@]}" echo "Bundles to be added:" printf '%s\n' "${BUNDLES[@]}" +if [[ -z ${task_records[*]} && -z ${BUNDLES[*]} ]]; then + echo Nothing to do... + exit 0 +fi + # The OPA data bundle is tagged with the current timestamp. This has two main # advantages. First, it prevents the image from accidentally not having any tags, # and getting garbage collected. Second, it helps us create a timeline of the From 8ea9ee795e3b895b5bf57ad091f7108fdd9f0322 Mon Sep 17 00:00:00 2001 From: Zoran Regvart Date: Fri, 20 Dec 2024 15:37:38 +0100 Subject: [PATCH 02/13] `--json` not supported in version of curl in use The version of `curl` (7.76.1) we currently use in quay.io/konflux-ci/appstudio-utils does not support the `--json` parameter, so this reverts to using lengthier `--data-binary` and setting the Content-Type and Accept headers. --- .tekton/scripts/create-task-pipeline-bundle-repos.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/scripts/create-task-pipeline-bundle-repos.sh b/.tekton/scripts/create-task-pipeline-bundle-repos.sh index 8e7fd590d0..7242a7cd74 100755 --- a/.tekton/scripts/create-task-pipeline-bundle-repos.sh 
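Review bot: `gh search prs --merged "${REVISION}"` is a full-text search, not a commit lookup, so it can return zero PRs (a direct push to main) or several (any PR whose title or body mentions the SHA), and nothing validates the result: an empty or multi-line `pr_number` produces a bad `pull/${pr_number}` URL, `gh pr view` then fails inside the process substitution where `mapfile` returns success regardless, and the script carries on with an empty `changed_files`, publishing an acceptable-bundles data image with no task records. Because this list decides which task bundles become acceptable, the lookup should be exact and the script should abort when the answer is not unambiguous; the commits API returns the PRs actually associated with a commit, including the merged one for a merge/squash SHA. The repository is also hard-coded even though `GIT_URL` is handed to the step, which is fine for now but worth a comment. The second hunk's early `exit 0` would then only trigger for genuinely empty inputs.

```shell
# PRs associated with this commit (an exact lookup, not a text search); keep merged ones only
mapfile -t pr_numbers < <(gh api "repos/konflux-ci/build-definitions/commits/${REVISION}/pulls" \
  --jq '.[] | select(.merged_at != null) | .number')
if [[ ${#pr_numbers[@]} -ne 1 ]]; then
  echo "Expected exactly one merged PR for ${REVISION}, found ${#pr_numbers[@]}" >&2
  exit 1
fi
pr_number=${pr_numbers[0]}

# … unchanged: changed files in a PR via gh pr view, task file loop …
```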
+++ b/.tekton/scripts/create-task-pipeline-bundle-repos.sh
@@ -47,7 +47,7 @@ locate_in_all_namespaces() {
 --arg description "" \
 '$ARGS.named'
 )
- if ! err_msg=$(curl --oauth2-bearer "${QUAY_TOKEN}" "https://quay.io/api/v1/repository" --json "$payload" | jq '.error_message // empty');
+ if ! err_msg=$(curl --oauth2-bearer "${QUAY_TOKEN}" "https://quay.io/api/v1/repository" --data-binary "$payload" -H "Content-Type: application/json" -H "Accept: application/json" | jq '.error_message // empty');
 then
 echo "curl returned an error when creating the repository. See the error above."
 exit 1
From a7ed9f9fa94a11ffbef3dd25259b21105f64ac05 Mon Sep 17 00:00:00 2001
From: Ralph Bean
Date: Thu, 19 Dec 2024 16:43:32 -0500
Subject: [PATCH 03/13] feat: (re)introduce content manifest with content sets
For backwards compatibility with image scanners that still expect https://raw.githubusercontent.com/containerbuildsystem/atomic-reactor/master/atomic_reactor/schemas/content_manifest.json
---
 task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 44 ++++++++++++++++--
 .../0.2/buildah-remote-oci-ta.yaml | 44 ++++++++++++++++--
 task/buildah-remote/0.2/buildah-remote.yaml | 45 +++++++++++++++++--
 task/buildah/0.2/buildah.yaml | 45 +++++++++++++++++--
 4 files changed, 162 insertions(+), 16 deletions(-)
diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
index a061774229..2e594addd2 100644
--- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
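Review bot: The `if !` around the rewritten `curl | jq` pipeline still only fires when the pipeline itself fails, and `curl` without `--fail`/`--fail-with-body` exits 0 on a 4xx/5xx from Quay, so an HTTP error is not what the "curl returned an error" branch catches — in practice it catches `jq` choking on a non-JSON body (an HTML 502, say), while a JSON error response depends entirely on whatever inspects `err_msg` after the hunk. `--fail-with-body` has existed since curl 7.76.0, so the 7.76.1 image the commit message cites supports `curl -sS --fail-with-body --oauth2-bearer "${QUAY_TOKEN}" "https://quay.io/api/v1/repository" --data-binary "$payload" -H "Content-Type: application/json" -H "Accept: application/json"`, which keeps the error body for `jq` while making the status visible; confirm the `err_msg` handling below still tolerates the already-exists case before adding it. `-sS` additionally keeps curl's progress meter out of the task log. The enclosing function (git labels it `locate_in_all_namespaces`) starts and ends outside the hunk.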
@@ -518,16 +518,52 @@ spec: unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command" container=$(buildah from --pull-never "$IMAGE") - buildah mount $container | tee /shared/container_path - # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners - find $(cat /shared/container_path) -xtype l -delete - echo $container >/shared/container_name # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later if [ -f "/tmp/cachi2/output/bom.json" ]; then + echo "Making copy of sbom-cachi2.json" cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json + + # Inject a content sets file for backwards compatibility + # This is only possible for images built hermetically with prefetch + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@') + base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE") + cat >content-sets.json <content-sets.json.tmp + mv content-sets.json.tmp content-sets.json + done <<<"$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)" + + echo "Writing to /root/buildinfo/content_manifests/content-sets.json" + buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/ + buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container" + + BUILDAH_ARGS=() + if [ "${SQUASH}" == "true" ]; then + BUILDAH_ARGS+=("--squash") + fi + + buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE" + # End content sets backwards compatibility fi + buildah mount $container | tee /shared/container_path + # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners + find $(cat /shared/container_path) -xtype l 
-delete + echo $container >/shared/container_name + touch /shared/base_images_digests for image in $BASE_IMAGES; do base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image") diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 0ba2f96c86..265cc2b981 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml 
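Review bot: The extraction `grep -o -P '(?<=repository_id=).*(?=(&|$))'` is greedy: `.*` runs to the end of the line and the `$` alternative then satisfies the lookahead, so if any qualifier follows `repository_id` in a Cachi2 purl (for example `...&repository_id=rhel-9-baseos&upstream=foo.src.rpm`) the recorded content set becomes `rhel-9-baseos&upstream=foo.src.rpm`. Whether Cachi2 ever emits a later qualifier I cannot tell from here, but `grep -o -P '(?<=repository_id=)[^&]*'` is correct either way and costs nothing. The heredoc that seeds content-sets.json and the loop header are not visible in this rendering, so the per-id jq edit could not be checked. Separately, `index` on a missing annotation yields an empty string, so `buildah config -a "org.opencontainers.image.base.name=${base_image_name}"` writes empty annotations for an image that carried none; guarding that call with `[ -n "$base_image_digest" ]` avoids writing empty values.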
@@ -552,16 +552,52 @@ spec: unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command" container=$(buildah from --pull-never "$IMAGE") - buildah mount $container | tee /shared/container_path - # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners - find $(cat /shared/container_path) -xtype l -delete - echo $container >/shared/container_name # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later if [ -f "/tmp/cachi2/output/bom.json" ]; then + echo "Making copy of sbom-cachi2.json" cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json + + # Inject a content sets file for backwards compatibility + # This is only possible for images built hermetically with prefetch + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@') + base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE") + cat >content-sets.json <content-sets.json.tmp + mv content-sets.json.tmp content-sets.json + done <<<"$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)" + + echo "Writing to /root/buildinfo/content_manifests/content-sets.json" + buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/ + buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container" + + BUILDAH_ARGS=() + if [ "${SQUASH}" == "true" ]; then + BUILDAH_ARGS+=("--squash") + fi + + buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE" + # End content sets backwards compatibility fi + buildah mount $container | tee /shared/container_path + # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners + find $(cat /shared/container_path) -xtype l 
-delete + echo $container >/shared/container_name + touch /shared/base_images_digests for image in $BASE_IMAGES; do base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image") diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 0a439f0638..7e155e4770 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml 
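Review bot: If the loop whose header is lost in this rendering is a `while read -r id` over the here-string, an empty match set still yields one iteration: `<<<"$(...)"` always supplies a trailing newline, so `read` returns one empty line and an empty content set is appended to content-sets.json before the file is copied into the image. A one-line guard at the top of the loop body, `[ -z "$id" ] && continue`, prevents that; the `grep` exit status of 1 on no match is discarded inside the substitution, so nothing else catches the case. The step's `script` starts and ends outside the hunk.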
@@ -529,16 +529,53 @@ spec: unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command" container=$(buildah from --pull-never "$IMAGE") - buildah mount $container | tee /shared/container_path - # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners - find $(cat /shared/container_path) -xtype l -delete - echo $container > /shared/container_name # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later if [ -f "/tmp/cachi2/output/bom.json" ]; then + echo "Making copy of sbom-cachi2.json" cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json + + # Inject a content sets file for backwards compatibility + # This is only possible for images built hermetically with prefetch + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@') + base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE") + cat >content-sets.json < content-sets.json.tmp + mv content-sets.json.tmp content-sets.json + done <<< "$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)" + + echo "Writing to /root/buildinfo/content_manifests/content-sets.json" + buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/ + buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container" + + BUILDAH_ARGS=() + if [ "${SQUASH}" == "true" ]; then + BUILDAH_ARGS+=("--squash") + fi + + buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE" + # End content sets backwards compatibility fi + buildah mount $container | tee /shared/container_path + # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners + find $(cat /shared/container_path) -xtype l 
-delete + echo $container > /shared/container_name + touch /shared/base_images_digests for image in $BASE_IMAGES; do base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image") diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 8a08f85f9e..fc1a25e5f0 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml 
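Review bot: The new code assigns `base_image_digest` (and `base_image_name`) for the built image's own annotations, and the unchanged `for image in $BASE_IMAGES` loop at the bottom of the hunk immediately reuses `base_image_digest` for a different meaning — the digest of each base image pulled during the build; it works only because the first value has already been consumed by `buildah config`, and a reader checking the loop will assume the two are related. Renaming the new pair to something like `built_base_name`/`built_base_digest` keeps the two concepts apart. The same applies to `BUILDAH_ARGS=()` if that array is the one the build command earlier in this script populates; `COMMIT_ARGS=()` would be clearer. The step's `script` continues beyond both ends of the hunk.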
@@ -450,16 +450,53 @@ spec: unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command" container=$(buildah from --pull-never "$IMAGE") - buildah mount $container | tee /shared/container_path - # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners - find $(cat /shared/container_path) -xtype l -delete - echo $container > /shared/container_name # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later if [ -f "/tmp/cachi2/output/bom.json" ]; then + echo "Making copy of sbom-cachi2.json" cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json + + # Inject a content sets file for backwards compatibility + # This is only possible for images built hermetically with prefetch + base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@') + base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE") + cat >content-sets.json < content-sets.json.tmp + mv content-sets.json.tmp content-sets.json + done <<< "$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)" + + echo "Writing to /root/buildinfo/content_manifests/content-sets.json" + buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/ + buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container" + + BUILDAH_ARGS=() + if [ "${SQUASH}" == "true" ]; then + BUILDAH_ARGS+=("--squash") + fi + + buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE" + # End content sets backwards compatibility fi + buildah mount $container | tee /shared/container_path + # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners + find $(cat /shared/container_path) -xtype l 
-delete + echo $container > /shared/container_name + touch /shared/base_images_digests for image in $BASE_IMAGES; do base_image_digest=$(buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image") From cb6145f0a9f46e2dca544ace5a7f59b2af668fc2 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 20 Dec 2024 09:25:14 -0500 Subject: [PATCH 04/13] Move this to its own step --- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 53 +++++++----------- .../0.2/buildah-remote-oci-ta.yaml | 53 +++++++----------- task/buildah-remote/0.2/buildah-remote.yaml | 54 +++++++------------ task/buildah/0.2/buildah.yaml | 54 +++++++------------ 4 files changed, 75 insertions(+), 139 deletions(-) diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 2e594addd2..31b022c853 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml 
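Review bot: The block writes a file whose schema is named only in the commit message (the atomic-reactor `content_manifest.json` schema); the in-code comment `# Inject a content sets file for backwards compatibility` says neither which consumers nor which schema, so whoever maintains the jq edits later has nothing to check the field names against. Suggest expanding it to `# Backwards-compatible content manifest (atomic-reactor content_manifest.json schema) for scanners that do not read the SBOM; content sets are the repository_id qualifiers of the Cachi2 purls`, and noting on the `buildah commit` line that it rewrites `$IMAGE` with an extra layer holding `/root/buildinfo/content_manifests/content-sets.json`. The step's `script` continues beyond both ends of the hunk.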
@@ -523,40 +523,6 @@ spec: if [ -f "/tmp/cachi2/output/bom.json" ]; then echo "Making copy of sbom-cachi2.json" cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json - - # Inject a content sets file for backwards compatibility - # This is only possible for images built hermetically with prefetch - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE") - cat >content-sets.json <content-sets.json.tmp - mv content-sets.json.tmp content-sets.json - done <<<"$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)" - - echo "Writing to /root/buildinfo/content_manifests/content-sets.json" - buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/ - buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container" - - BUILDAH_ARGS=() - if [ "${SQUASH}" == "true" ]; then - BUILDAH_ARGS+=("--squash") - fi - - buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE" - # End content sets backwards compatibility fi buildah mount $container | tee /shared/container_path @@ -584,6 +550,25 @@ spec: capabilities: add: - SETFCAP + - name: icm + image: quay.io/rbean/testing:icm-injection-scripts + args: + - $(params.IMAGE) + workingDir: /var/workdir + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi + securityContext: + capabilities: + add: + - SETFCAP - name: push image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c workingDir: /var/workdir 
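Review bot: The new `icm` step runs `quay.io/rbean/testing:icm-injection-scripts`, a mutable tag in a personal namespace with no digest, and it is given `/var/lib/containers` plus `SETFCAP` so it can rewrite `$(params.IMAGE)` before the push step — whoever can push to that tag controls what lands in every image built by this task, and since the step has no `script`, its behaviour is entirely the image's entrypoint. Every other step in this file pins by digest (the push step's `quay.io/konflux-ci/buildah-task:latest@sha256:b2d6…` is right below); this one should be pinned the same way and moved under an org-controlled namespace, `image: quay.io/konflux-ci/<name>@sha256:<digest>`. If the reference is a placeholder for the series, a `# TODO: replace with digest-pinned konflux-ci image before release` comment on the line makes that explicit rather than implicit.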
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 265cc2b981..2969e43d47 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -557,40 +557,6 @@ spec: if [ -f "/tmp/cachi2/output/bom.json" ]; then echo "Making copy of sbom-cachi2.json" cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json - - # Inject a content sets file for backwards compatibility - # This is only possible for images built hermetically with prefetch - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE") - cat >content-sets.json <content-sets.json.tmp - mv content-sets.json.tmp content-sets.json - done <<<"$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)" - - echo "Writing to /root/buildinfo/content_manifests/content-sets.json" - buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/ - buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container" - - BUILDAH_ARGS=() - if [ "${SQUASH}" == "true" ]; then - BUILDAH_ARGS+=("--squash") - fi - - buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE" - # End content sets backwards compatibility fi buildah mount $container | tee /shared/container_path 
@@ -680,6 +646,25 @@ spec: name: ssh readOnly: true workingDir: /var/workdir + - args: + - $(params.IMAGE) + computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi + image: quay.io/rbean/testing:icm-injection-scripts + name: icm + securityContext: + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + workingDir: /var/workdir - computeResources: limits: cpu: "4" diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 7e155e4770..c48b4f7f84 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml 
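Review bot: The inline version was gated on `/tmp/cachi2/output/bom.json`, a path in the build step's own filesystem; the new `icm` step mounts only `/var/lib/containers` and works from `/var/workdir`, so whatever gate it applies now has to come from the `sbom-cachi2.json` the build step copies into the workdir — or from nothing, in which case every build gets an extra layer. That contract is invisible in the task (the step has no `script`, only `args: [$(params.IMAGE)]`), so it deserves a comment on the step, e.g. `# Rewrites $(params.IMAGE) in local storage with a content manifest; expects sbom-cachi2.json in workingDir (written by build when prefetch ran) and should be a no-op otherwise`. The image reference is also a mutable tag in a personal namespace, unlike the digest-pinned images the other steps use; pin it by digest.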
@@ -534,41 +534,6 @@ spec: if [ -f "/tmp/cachi2/output/bom.json" ]; then echo "Making copy of sbom-cachi2.json" cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json - - # Inject a content sets file for backwards compatibility - # This is only possible for images built hermetically with prefetch - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE") - cat >content-sets.json < content-sets.json.tmp - mv content-sets.json.tmp content-sets.json - done <<< "$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)" - - echo "Writing to /root/buildinfo/content_manifests/content-sets.json" - buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/ - buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container" - - BUILDAH_ARGS=() - if [ "${SQUASH}" == "true" ]; then - BUILDAH_ARGS+=("--squash") - fi - - buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE" - # End content sets backwards compatibility fi buildah mount $container | tee /shared/container_path @@ -658,6 +623,25 @@ spec: name: ssh readOnly: true workingDir: $(workspaces.source.path) + - args: + - $(params.IMAGE) + computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi + image: quay.io/rbean/testing:icm-injection-scripts + name: icm + securityContext: + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + workingDir: $(workspaces.source.path) - computeResources: limits: cpu: "4" diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index fc1a25e5f0..871d8037be 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml 
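Review bot: In this task the `icm` step runs the mutable `quay.io/rbean/testing:icm-injection-scripts` tag with `workingDir: $(workspaces.source.path)`, so a change to that tag could alter not only the image in `/var/lib/containers` but the user's source workspace that the later SBOM steps read from. The other step images in this series are pinned `@sha256:`; pin this one as `image: quay.io/konflux-ci/<name>@sha256:<digest>` under an org-owned namespace, or mark it `# TODO: replace with digest-pinned konflux-ci image` if it is a placeholder. The preceding hunk in this file is a pure removal of the inline script and needs no change.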
@@ -455,41 +455,6 @@ spec: if [ -f "/tmp/cachi2/output/bom.json" ]; then echo "Making copy of sbom-cachi2.json" cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json - - # Inject a content sets file for backwards compatibility - # This is only possible for images built hermetically with prefetch - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' "$IMAGE" | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' "$IMAGE") - cat >content-sets.json < content-sets.json.tmp - mv content-sets.json.tmp content-sets.json - done <<< "$(jq -r '.components[].purl' sbom-cachi2.json | grep -o -P '(?<=repository_id=).*(?=(&|$))' | sort -u)" - - echo "Writing to /root/buildinfo/content_manifests/content-sets.json" - buildah copy "$container" content-sets.json /root/buildinfo/content_manifests/ - buildah config -a "org.opencontainers.image.base.name=${base_image_name}" -a "org.opencontainers.image.base.digest=${base_image_digest}" "$container" - - BUILDAH_ARGS=() - if [ "${SQUASH}" == "true" ]; then - BUILDAH_ARGS+=("--squash") - fi - - buildah commit "${BUILDAH_ARGS[@]}" "$container" "$IMAGE" - # End content sets backwards compatibility fi buildah mount $container | tee /shared/container_path @@ -524,7 +489,24 @@ spec: mountPath: /mnt/trusted-ca readOnly: true workingDir: $(workspaces.source.path) - + - name: icm + image: quay.io/rbean/testing:icm-injection-scripts + computeResources: + limits: + memory: 4Gi + cpu: '4' + requests: + memory: 1Gi + cpu: '1' + securityContext: + capabilities: + add: + - SETFCAP + volumeMounts: + - mountPath: /var/lib/containers + name: varlibcontainers + workingDir: $(workspaces.source.path) + args: [$(params.IMAGE)] - name: push image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c computeResources: 
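Review bot: The `icm` step in this file writes its keys in a different order from its neighbours and from the same step in the other three tasks — `args: [$(params.IMAGE)]` in flow style at the very end, after `workingDir`, while the push step directly below starts with `name`, `image`, `computeResources` — which makes the four copies needlessly hard to diff against each other. Suggest `name`, `image`, `args` (block style, `- $(params.IMAGE)`), `computeResources`, `securityContext`, `volumeMounts`, `workingDir`. The image line here is also a mutable `quay.io/rbean/testing:icm-injection-scripts` tag next to a digest-pinned `quay.io/konflux-ci/buildah-task:latest@sha256:b2d6…` push image; it should be pinned the same way.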
From 8a6e1cede0c76ba830f0520524747902366c2c03 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 20 Dec 2024 10:35:48 -0500 Subject: [PATCH 05/13] Add new task to buildah-min --- task/buildah-min/0.2/patch.yaml | 41 ++++++++++++++++++++++----------- 1 file changed, 27 insertions(+), 14 deletions(-) diff --git a/task/buildah-min/0.2/patch.yaml b/task/buildah-min/0.2/patch.yaml index b37fcc2707..e97ac9aef5 100644 --- a/task/buildah-min/0.2/patch.yaml +++ b/task/buildah-min/0.2/patch.yaml @@ -14,7 +14,7 @@ - op: replace path: /spec/steps/0/computeResources/requests/cpu value: 100m -# push step +# icm step - op: replace path: /spec/steps/1/computeResources/limits/memory value: 2Gi @@ -27,7 +27,7 @@ - op: replace path: /spec/steps/1/computeResources/requests/cpu value: 100m -# sbom-syft-generate step +# push step - op: replace path: /spec/steps/2/computeResources/limits/memory value: 2Gi @@ -36,24 +36,24 @@ value: 512Mi - op: replace path: /spec/steps/2/computeResources/limits/cpu - value: 1 + value: 500m - op: replace path: /spec/steps/2/computeResources/requests/cpu - value: 50m -# analyse-dependencies-java-sbom step + value: 100m +# sbom-syft-generate step - op: replace path: /spec/steps/3/computeResources/limits/memory - value: 256Mi + value: 2Gi - op: replace path: /spec/steps/3/computeResources/requests/memory - value: 128Mi + value: 512Mi - op: replace path: /spec/steps/3/computeResources/limits/cpu - value: 100m + value: 1 - op: replace path: /spec/steps/3/computeResources/requests/cpu - value: 10m -# prepare-sboms step + value: 50m +# analyse-dependencies-java-sbom step - op: replace path: /spec/steps/4/computeResources/limits/memory value: 256Mi 
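Review bot: These replaces address steps by position (`/spec/steps/1/...`), and the only thing tying index 1 to the icm step is the `# icm step` comment; inserting one step shifted every index, which is exactly what this commit repairs by hand, and a future mismatch would silently cap the wrong step's resources. A JSON Patch `test` op in front of each group makes the overlay fail loudly instead, e.g. `- op: test`, `  path: /spec/steps/1/name`, `  value: icm` — three lines per step, honoured by kustomize's JSON 6902 patch support if that is how this file is applied. The comments would then document intent and the `test` ops enforce it.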
@@ -66,16 +66,29 @@ - op: replace path: /spec/steps/4/computeResources/requests/cpu value: 10m -# upload-sbom step +# prepare-sboms step - op: replace path: /spec/steps/5/computeResources/limits/memory - value: 2Gi + value: 256Mi - op: replace path: /spec/steps/5/computeResources/requests/memory - value: 512Mi + value: 128Mi - op: replace path: /spec/steps/5/computeResources/limits/cpu - value: 2 + value: 100m - op: replace path: /spec/steps/5/computeResources/requests/cpu + value: 10m +# upload-sbom step +- op: replace + path: /spec/steps/6/computeResources/limits/memory + value: 2Gi +- op: replace + path: /spec/steps/6/computeResources/requests/memory + value: 512Mi +- op: replace + path: /spec/steps/6/computeResources/limits/cpu + value: 2 +- op: replace + path: /spec/steps/6/computeResources/requests/cpu value: 100m From 0b17655494de8002767aa641c146d3238155cde0 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 20 Dec 2024 10:16:38 -0500 Subject: [PATCH 06/13] Squeeze under the size limit --- task/buildah-min/0.2/patch.yaml | 36 +++--------------- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 33 +++++----------- .../0.2/buildah-remote-oci-ta.yaml | 37 ++++++------------ task/buildah-remote/0.2/buildah-remote.yaml | 38 ++++++------------- task/buildah/0.2/buildah.yaml | 34 +++++------------ 5 files changed, 47 insertions(+), 131 deletions(-) diff --git a/task/buildah-min/0.2/patch.yaml b/task/buildah-min/0.2/patch.yaml index e97ac9aef5..488f0b7942 100644 --- a/task/buildah-min/0.2/patch.yaml +++ b/task/buildah-min/0.2/patch.yaml 
@@ -14,45 +14,19 @@ - op: replace path: /spec/steps/0/computeResources/requests/cpu value: 100m -# icm step +# icm, push, and sbom-syft-generate steps - op: replace - path: /spec/steps/1/computeResources/limits/memory + path: /spec/stepTemplate/computeResources/limits/memory value: 2Gi - op: replace - path: /spec/steps/1/computeResources/requests/memory + path: /spec/stepTemplate/computeResources/requests/memory value: 512Mi - op: replace - path: /spec/steps/1/computeResources/limits/cpu + path: /spec/stepTemplate/computeResources/limits/cpu value: 500m - op: replace - path: /spec/steps/1/computeResources/requests/cpu + path: /spec/stepTemplate/computeResources/requests/cpu value: 100m -# push step -- op: replace - path: /spec/steps/2/computeResources/limits/memory - value: 2Gi -- op: replace - path: /spec/steps/2/computeResources/requests/memory - value: 512Mi -- op: replace - path: /spec/steps/2/computeResources/limits/cpu - value: 500m -- op: replace - path: /spec/steps/2/computeResources/requests/cpu - value: 100m -# sbom-syft-generate step -- op: replace - path: /spec/steps/3/computeResources/limits/memory - value: 2Gi -- op: replace - path: /spec/steps/3/computeResources/requests/memory - value: 512Mi -- op: replace - path: /spec/steps/3/computeResources/limits/cpu - value: 1 -- op: replace - path: /spec/steps/3/computeResources/requests/cpu - value: 50m # analyse-dependencies-java-sbom step - op: replace path: /spec/steps/4/computeResources/limits/memory diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 31b022c853..fddb15e677 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -175,6 +175,13 @@ spec: - name: workdir emptyDir: {} stepTemplate: + computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi env: - name: ACTIVATION_KEY value: $(params.ACTIVATION_KEY) 
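Review bot: Moving the three steps' resources to `/spec/stepTemplate/...` quietly changes what buildah-min gives `sbom-syft-generate`: its own entries were `limits/cpu: 1` and `requests/cpu: 50m`, and it now receives the template's `500m` limit and `100m` request — a halving of syft's CPU ceiling that the "icm, push, and sbom-syft-generate steps" comment does not mention. The comment also understates the scope: a `stepTemplate` is the default for every step, including any step of the base task with no explicit resources, so `# stepTemplate: default for every step without its own computeResources (build and steps 4-6 are overridden)` would be accurate. These `op: replace` entries additionally require the base task to already define `stepTemplate.computeResources`, which couples this overlay to the buildah.yaml change in the same commit and is worth a line in the comment.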
@@ -438,9 +445,8 @@ spec: # 2. Activation-keys will be used when the key 'org' exists in the activation key secret. # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles. # 3. If the Dockerfile contains the string "subcription-manager register", add the activation-keys volume - # to buildah but don't pre-register for backwards compatibility. In this case mount an empty directory on - # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced - # container. + # to buildah but don't pre-register for backwards compatibility. Mount an empty directory on + # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key @@ -558,13 +564,6 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers - computeResources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: "1" - memory: 1Gi securityContext: capabilities: add: @@ -618,13 +617,6 @@ spec: echo -n "${IMAGE}@" cat "/var/workdir/image-digest" } >"$(results.IMAGE_REF.path)" - computeResources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: "1" - memory: 1Gi securityContext: capabilities: add: @@ -643,13 +635,6 @@ spec: syft dir:"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="/var/workdir/sbom-source.json" echo "Running syft on the image filesystem" syft dir:"$(cat /shared/container_path)" --output cyclonedx-json="/var/workdir/sbom-image.json" - computeResources: - limits: - cpu: "2" - memory: 4Gi - requests: - cpu: 500m - memory: 1Gi - name: analyse-dependencies-java-sbom image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 volumeMounts: 
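Review bot: Dropping `sbom-syft-generate`'s explicit `cpu: "2"` limit and `500m` request makes it inherit the new template's `cpu: "4"` limit and `"1"` request, so both its request and its ceiling double — the opposite of "squeeze" and presumably unintended for a scanner step; likewise any later step that had no `computeResources` at all (the `analyse-dependencies-java-sbom` step follows this hunk; I cannot see whether it had any) now requests 1 CPU and 1Gi. If the size limit forces template inheritance, a short per-step override such as `computeResources: {requests: {cpu: 500m}}` on syft should be cheaper than the doubled request, assuming Tekton's step/template merge fills in the rest. Separately, the shortened activation-key comment in the `-438` hunk now ends mid-thought at "to prevent certificates from being included"; `...from being included in the image.` restores the meaning without restoring the line.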
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 2969e43d47..f24498d47a 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -154,7 +154,13 @@ spec: name: SBOM_JAVA_COMPONENTS_COUNT type: string stepTemplate: - computeResources: {} + computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi env: - name: ACTIVATION_KEY value: $(params.ACTIVATION_KEY) @@ -472,9 +478,8 @@ spec: # 2. Activation-keys will be used when the key 'org' exists in the activation key secret. # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles. # 3. If the Dockerfile contains the string "subcription-manager register", add the activation-keys volume - # to buildah but don't pre-register for backwards compatibility. In this case mount an empty directory on - # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced - # container. + # to buildah but don't pre-register for backwards compatibility. Mount an empty directory on + # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key @@ -648,13 +653,7 @@ spec: workingDir: /var/workdir - args: - $(params.IMAGE) - computeResources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: "1" - memory: 1Gi + computeResources: {} image: quay.io/rbean/testing:icm-injection-scripts name: icm securityContext: 
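Review bot: After the values are removed, the `icm` step keeps an explicit `computeResources: {}`; whether an empty object on the step overrides the `stepTemplate` defaults or merges with them depends on Tekton's step-template merge, and the buildah-oci-ta variant in this same commit simply omits the key, so the two generated tasks now differ in a way that may or may not matter. Dropping the `computeResources: {}` line here makes the intent unambiguous and keeps the files consistent. If the generator for the remote variants emits the empty object on purpose, a `# empty: inherits stepTemplate` comment would save the next reader the same question.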
@@ -665,13 +664,7 @@ spec: - mountPath: /var/lib/containers name: varlibcontainers workingDir: /var/workdir - - computeResources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: "1" - memory: 1Gi + - computeResources: {} image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c name: push script: | @@ -730,13 +723,7 @@ spec: name: trusted-ca readOnly: true workingDir: /var/workdir - - computeResources: - limits: - cpu: "2" - memory: 4Gi - requests: - cpu: 500m - memory: 1Gi + - computeResources: {} image: registry.access.redhat.com/rh-syft-tech-preview/syft-rhel9:1.4.1@sha256:34d7065427085a31dc4949bd283c001b91794d427e1e4cdf1b21ea4faf9fee3f name: sbom-syft-generate script: | diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index c48b4f7f84..47555be75a 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -145,7 +145,13 @@ spec: central. name: JAVA_COMMUNITY_DEPENDENCIES stepTemplate: - computeResources: {} + computeResources: + limits: + cpu: "4" + memory: 4Gi + requests: + cpu: "1" + memory: 1Gi env: - name: BUILDAH_FORMAT value: oci @@ -358,7 +364,6 @@ spec: BUILD_ARG_FLAGS+=("--build-arg=$build_arg") done - dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_copy" > /shared/parsed_dockerfile.json BASE_IMAGES=$( jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)' /shared/parsed_dockerfile.json 
@@ -449,9 +454,8 @@ spec: # 2. Activation-keys will be used when the key 'org' exists in the activation key secret. # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles. # 3. If the Dockerfile contains the string "subcription-manager register", add the activation-keys volume - # to buildah but don't pre-register for backwards compatibility. In this case mount an empty directory on - # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced - # container. + # to buildah but don't pre-register for backwards compatibility. Mount an empty directory on + # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key @@ -625,13 +629,7 @@ spec: workingDir: $(workspaces.source.path) - args: - $(params.IMAGE) - computeResources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: "1" - memory: 1Gi + computeResources: {} image: quay.io/rbean/testing:icm-injection-scripts name: icm securityContext: @@ -642,13 +640,7 @@ spec: - mountPath: /var/lib/containers name: varlibcontainers workingDir: $(workspaces.source.path) - - computeResources: - limits: - cpu: "4" - memory: 4Gi - requests: - cpu: "1" - memory: 1Gi + - computeResources: {} image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c name: push script: | @@ -709,13 +701,7 @@ spec: name: trusted-ca readOnly: true workingDir: $(workspaces.source.path) - - computeResources: - limits: - cpu: "2" - memory: 4Gi - requests: - cpu: 500m - memory: 1Gi + - computeResources: {} image: registry.access.redhat.com/rh-syft-tech-preview/syft-rhel9:1.4.1@sha256:34d7065427085a31dc4949bd283c001b91794d427e1e4cdf1b21ea4faf9fee3f name: sbom-syft-generate script: | 
diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 871d8037be..81cb4a6c4a 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -124,6 +124,13 @@ spec: - name: JAVA_COMMUNITY_DEPENDENCIES description: The Java dependencies that came from community sources such as Maven central. stepTemplate: + computeResources: + limits: + memory: 4Gi + cpu: '4' + requests: + memory: 1Gi + cpu: '1' volumeMounts: - mountPath: /shared name: shared @@ -279,7 +286,6 @@ spec: BUILD_ARG_FLAGS+=("--build-arg=$build_arg") done - dockerfile-json "${BUILD_ARG_FLAGS[@]}" "$dockerfile_copy" > /shared/parsed_dockerfile.json BASE_IMAGES=$( jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test("^oci-archive:") | not)' /shared/parsed_dockerfile.json @@ -370,9 +376,8 @@ spec: # 2. Activation-keys will be used when the key 'org' exists in the activation key secret. # 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles. # 3. If the Dockerfile contains the string "subcription-manager register", add the activation-keys volume - # to buildah but don't pre-register for backwards compatibility. In this case mount an empty directory on - # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included in the produced - # container. + # to buildah but don't pre-register for backwards compatibility. Mount an empty directory on + # shared emptydir volume to "/etc/pki/entitlement" to prevent certificates from being included if [ "${HERMETIC}" != "true" ] && [ -e /activation-key/org ]; then cp -r --preserve=mode "$ACTIVATION_KEY_PATH" /tmp/activation-key @@ -491,13 +496,6 @@ spec: workingDir: $(workspaces.source.path) - name: icm image: quay.io/rbean/testing:icm-injection-scripts - computeResources: - limits: - memory: 4Gi - cpu: '4' - requests: - memory: 1Gi - cpu: '1' securityContext: capabilities: add: 
@@ -509,13 +507,6 @@ spec: args: [$(params.IMAGE)] - name: push image: quay.io/konflux-ci/buildah-task:latest@sha256:b2d6c32d1e05e91920cd4475b2761d58bb7ee11ad5dff3ecb59831c7572b4d0c - computeResources: - limits: - memory: 4Gi - cpu: '4' - requests: - memory: 1Gi - cpu: '1' script: | #!/bin/bash set -e @@ -577,13 +568,6 @@ spec: # Respect Syft configuration if the user has it in the root of their repository # (need to set the workdir, see https://github.com/anchore/syft/issues/2465) workingDir: $(workspaces.source.path)/source - computeResources: - limits: - memory: 4Gi - cpu: '2' - requests: - memory: 1Gi - cpu: 500m script: | echo "Running syft on the source directory" syft dir:"$(workspaces.source.path)/$SOURCE_CODE_DIR/$CONTEXT" --output cyclonedx-json="$(workspaces.source.path)/sbom-source.json" From 5b221977184fb32d3775a1045f6bdf3b6d896cee Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 20 Dec 2024 13:13:19 -0500 Subject: [PATCH 07/13] Use real step image --- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 2 +- task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml | 2 +- task/buildah-remote/0.2/buildah-remote.yaml | 2 +- task/buildah/0.2/buildah.yaml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index fddb15e677..c5989b1003 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -557,7 +557,7 @@ spec: add: - SETFCAP - name: icm - image: quay.io/rbean/testing:icm-injection-scripts + image: quay.io/konflux-ci/icm-injection-scripts:latest@sha256:462980e94ba689b5f56c3d5dfb3358cd8c685300daf65a71532f11898935e7f1 args: - $(params.IMAGE) workingDir: /var/workdir diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index f24498d47a..d043e0546c 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml 
+++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -654,7 +654,7 @@ spec: - args: - $(params.IMAGE) computeResources: {} - image: quay.io/rbean/testing:icm-injection-scripts + image: quay.io/konflux-ci/icm-injection-scripts:latest@sha256:462980e94ba689b5f56c3d5dfb3358cd8c685300daf65a71532f11898935e7f1 name: icm securityContext: capabilities: diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 47555be75a..d3b5aceb56 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -630,7 +630,7 @@ spec: - args: - $(params.IMAGE) computeResources: {} - image: quay.io/rbean/testing:icm-injection-scripts + image: quay.io/konflux-ci/icm-injection-scripts:latest@sha256:462980e94ba689b5f56c3d5dfb3358cd8c685300daf65a71532f11898935e7f1 name: icm securityContext: capabilities: diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 81cb4a6c4a..d91e557617 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -495,7 +495,7 @@ spec: readOnly: true workingDir: $(workspaces.source.path) - name: icm - image: quay.io/rbean/testing:icm-injection-scripts + image: quay.io/konflux-ci/icm-injection-scripts:latest@sha256:462980e94ba689b5f56c3d5dfb3358cd8c685300daf65a71532f11898935e7f1 securityContext: capabilities: add: From ba97465539540af674eb02c2958ce30fecc4a86c Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 20 Dec 2024 14:39:19 -0500 Subject: [PATCH 08/13] Shrink the buildah task some more --- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 8 +++----- task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml | 8 +++----- task/buildah-remote/0.2/buildah-remote.yaml | 8 +++----- task/buildah/0.2/buildah.yaml | 8 +++----- 4 files changed, 12 insertions(+), 20 deletions(-) diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index c5989b1003..6b22caff88 100644 
--- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -273,8 +273,7 @@ spec: elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE" elif [ -e "$DOCKERFILE" ]; then - # Custom Dockerfile location is mainly used for instrumented builds for SAST scanning and analyzing. - # Instrumented builds use this step as their base and also need to provide modified Dockerfile. + # Instrumented builds (SAST) use this custom dockerffile step as their base dockerfile_path="$DOCKERFILE" elif echo "$DOCKERFILE" | grep -q "^https\?://"; then echo "Fetch Dockerfile from $DOCKERFILE" @@ -330,7 +329,7 @@ spec: shift # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being # passed to buildah. In that case, the *last* occurrence takes precedence. This is why - # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE - they take precedence. + # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE while [[ $# -gt 0 && $1 != --* ]]; do build_args+=("$1") shift @@ -480,8 +479,7 @@ spec: if [ -n "${ADDITIONAL_VOLUME_MOUNTS-}" ]; then # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build. - # This is primarily used in instrumented builds for SAST scanning and analyzing. - # Instrumented builds use this step as their base and add some other tools. + # Instrumented builds (SAST) use this step as their base and add some other tools. while read -r volume_mount; do VOLUME_MOUNTS+=("--volume=$volume_mount") done <<<"$ADDITIONAL_VOLUME_MOUNTS" diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index d043e0546c..7e6b603a0f 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml 
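Review bot: The replacement comment in the first hunk, `# Instrumented builds (SAST) use this custom dockerffile step as their base`, has a typo ("dockerffile") and no longer says what this branch does, which is to accept a Dockerfile path outside the source tree. A one-liner that keeps the size saving would be `# Dockerfile outside the source tree; used by instrumented (SAST) builds based on this step`. The same line is rewritten in the matching hunks for buildah-remote-oci-ta, buildah-remote and buildah that follow. The enclosing script block starts and ends outside the hunk.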
@@ -306,8 +306,7 @@ spec: elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE" elif [ -e "$DOCKERFILE" ]; then - # Custom Dockerfile location is mainly used for instrumented builds for SAST scanning and analyzing. - # Instrumented builds use this step as their base and also need to provide modified Dockerfile. + # Instrumented builds (SAST) use this custom dockerffile step as their base dockerfile_path="$DOCKERFILE" elif echo "$DOCKERFILE" | grep -q "^https\?://"; then echo "Fetch Dockerfile from $DOCKERFILE" @@ -363,7 +362,7 @@ spec: shift # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being # passed to buildah. In that case, the *last* occurrence takes precedence. This is why - # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE - they take precedence. + # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE while [[ $# -gt 0 && $1 != --* ]]; do build_args+=("$1") shift @@ -513,8 +512,7 @@ spec: if [ -n "${ADDITIONAL_VOLUME_MOUNTS-}" ]; then # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build. - # This is primarily used in instrumented builds for SAST scanning and analyzing. - # Instrumented builds use this step as their base and add some other tools. + # Instrumented builds (SAST) use this step as their base and add some other tools. while read -r volume_mount; do VOLUME_MOUNTS+=("--volume=$volume_mount") done <<<"$ADDITIONAL_VOLUME_MOUNTS" diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index d3b5aceb56..6cfeb8597c 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml 
@@ -288,8 +288,7 @@ spec: elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE" elif [ -e "$DOCKERFILE" ]; then - # Custom Dockerfile location is mainly used for instrumented builds for SAST scanning and analyzing. - # Instrumented builds use this step as their base and also need to provide modified Dockerfile. + # Instrumented builds (SAST) use this custom dockerffile step as their base dockerfile_path="$DOCKERFILE" elif echo "$DOCKERFILE" | grep -q "^https\?://"; then echo "Fetch Dockerfile from $DOCKERFILE" @@ -345,7 +344,7 @@ spec: shift # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being # passed to buildah. In that case, the *last* occurrence takes precedence. This is why - # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE - they take precedence. + # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE while [[ $# -gt 0 && $1 != --* ]]; do build_args+=("$1"); shift; done ;; --labels) @@ -489,8 +488,7 @@ spec: if [ -n "${ADDITIONAL_VOLUME_MOUNTS-}" ]; then # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build. - # This is primarily used in instrumented builds for SAST scanning and analyzing. - # Instrumented builds use this step as their base and add some other tools. + # Instrumented builds (SAST) use this step as their base and add some other tools. while read -r volume_mount; do VOLUME_MOUNTS+=("--volume=$volume_mount") done <<< "$ADDITIONAL_VOLUME_MOUNTS" diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index d91e557617..266c92c319 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml 
@@ -210,8 +210,7 @@ spec: elif [ -e "$SOURCE_CODE_DIR/$DOCKERFILE" ]; then dockerfile_path="$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE" elif [ -e "$DOCKERFILE" ]; then - # Custom Dockerfile location is mainly used for instrumented builds for SAST scanning and analyzing. - # Instrumented builds use this step as their base and also need to provide modified Dockerfile. + # Instrumented builds (SAST) use this custom dockerffile step as their base dockerfile_path="$DOCKERFILE" elif echo "$DOCKERFILE" | grep -q "^https\?://"; then echo "Fetch Dockerfile from $DOCKERFILE" @@ -267,7 +266,7 @@ spec: shift # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being # passed to buildah. In that case, the *last* occurrence takes precedence. This is why - # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE - they take precedence. + # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE while [[ $# -gt 0 && $1 != --* ]]; do build_args+=("$1"); shift; done ;; --labels) @@ -411,8 +410,7 @@ spec: if [ -n "${ADDITIONAL_VOLUME_MOUNTS-}" ]; then # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build. - # This is primarily used in instrumented builds for SAST scanning and analyzing. - # Instrumented builds use this step as their base and add some other tools. + # Instrumented builds (SAST) use this step as their base and add some other tools. while read -r volume_mount; do VOLUME_MOUNTS+=("--volume=$volume_mount") done <<< "$ADDITIONAL_VOLUME_MOUNTS" From 35e1223ea526151855832fc8954998648a5a826a Mon Sep 17 00:00:00 2001 From: "rh-tap-build-team[bot]" <127938674+rh-tap-build-team[bot]@users.noreply.github.com> Date: Sun, 22 Dec 2024 13:32:49 +0000 Subject: [PATCH 09/13] update task/generate-odcs-compose/0.1/generate-odcs-compose.yaml --- task/generate-odcs-compose/0.1/generate-odcs-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml index f9f33ff6a3..82051783d4 100644 --- a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml +++ b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml @@ -21,7 +21,7 @@ spec: description: Directory to write the result .repo files. steps: - name: generate-odcs-compose - image: quay.io/redhat-appstudio/tools@sha256:a66737d174ecf43a95e29670bbc6a5598d2279a087eb3624e32bf0b0b62011d7 + image: quay.io/redhat-appstudio/tools@sha256:7f0769feed049589b55c654e69a6acf8de6e507725c304eba7ca7712177feb7f env: - name: CLIENT_ID valueFrom: From 0ad563f9725656f20a2b7b26239afad7937c2de0 Mon Sep 17 00:00:00 2001 From: "rh-tap-build-team[bot]" <127938674+rh-tap-build-team[bot]@users.noreply.github.com> Date: Sun, 22 Dec 2024 13:32:50 +0000 Subject: [PATCH 10/13] update task/generate-odcs-compose/0.2/generate-odcs-compose.yaml --- task/generate-odcs-compose/0.2/generate-odcs-compose.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml index 63a7140304..20d533f783 100644 --- a/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml +++ b/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml @@ -21,7 +21,7 @@ spec: description: Directory to write the result .repo files. steps: - name: generate-odcs-compose - image: quay.io/redhat-appstudio/tools@sha256:a66737d174ecf43a95e29670bbc6a5598d2279a087eb3624e32bf0b0b62011d7 + image: quay.io/redhat-appstudio/tools@sha256:7f0769feed049589b55c654e69a6acf8de6e507725c304eba7ca7712177feb7f env: - name: CLIENT_ID valueFrom: From 716f7521beba8e1d9dcb2648aa6a29a59f16d8f1 Mon Sep 17 00:00:00 2001 
From: "rh-tap-build-team[bot]" <127938674+rh-tap-build-team[bot]@users.noreply.github.com> Date: Sun, 22 Dec 2024 13:32:50 +0000 Subject: [PATCH 11/13] update task/rpms-signature-scan/0.1/rpms-signature-scan.yaml --- task/rpms-signature-scan/0.1/rpms-signature-scan.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml b/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml index 161997edc3..42c688a144 100644 --- a/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml +++ b/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml @@ -48,7 +48,7 @@ spec: optional: true steps: - name: rpms-signature-scan - image: quay.io/redhat-appstudio/tools@sha256:a66737d174ecf43a95e29670bbc6a5598d2279a087eb3624e32bf0b0b62011d7 + image: quay.io/redhat-appstudio/tools@sha256:7f0769feed049589b55c654e69a6acf8de6e507725c304eba7ca7712177feb7f volumeMounts: - name: workdir mountPath: "$(params.workdir)" @@ -76,7 +76,7 @@ spec: --fail-unsigned "${FAIL_UNSIGNED}" \ --workdir "${WORKDIR}" \ - name: output-results - image: quay.io/konflux-ci/konflux-test:v1.4.9@sha256:eee855e60b437d9a55a30e63f2eb7f95d9fd6d3b111c32cac8730c9b7a071394 + image: quay.io/konflux-ci/konflux-test:v1.4.10@sha256:a9c8deb7582ac15ce0f0df0c7c7f017c33d8f12113c7efa3ed6811fd65e4706f volumeMounts: - name: workdir mountPath: "$(params.workdir)" From 867f4a4c74483e4262e842a963aa6b7d6e09b917 Mon Sep 17 00:00:00 2001 From: "rh-tap-build-team[bot]" <127938674+rh-tap-build-team[bot]@users.noreply.github.com> Date: Sun, 22 Dec 2024 13:32:51 +0000 Subject: [PATCH 12/13] update task/rpms-signature-scan/0.2/rpms-signature-scan.yaml --- task/rpms-signature-scan/0.2/rpms-signature-scan.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml b/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml index ba99ad91bb..f3d08e361a 100644 --- a/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml 
+++ b/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml @@ -44,7 +44,7 @@ spec: optional: true steps: - name: rpms-signature-scan - image: quay.io/redhat-appstudio/tools@sha256:a66737d174ecf43a95e29670bbc6a5598d2279a087eb3624e32bf0b0b62011d7 + image: quay.io/redhat-appstudio/tools@sha256:7f0769feed049589b55c654e69a6acf8de6e507725c304eba7ca7712177feb7f volumeMounts: - name: workdir mountPath: "$(params.workdir)" @@ -69,7 +69,7 @@ spec: --image-digest "${IMAGE_DIGEST}" \ --workdir "${WORKDIR}" \ - name: output-results - image: quay.io/konflux-ci/konflux-test:v1.4.9@sha256:eee855e60b437d9a55a30e63f2eb7f95d9fd6d3b111c32cac8730c9b7a071394 + image: quay.io/konflux-ci/konflux-test:v1.4.10@sha256:a9c8deb7582ac15ce0f0df0c7c7f017c33d8f12113c7efa3ed6811fd65e4706f volumeMounts: - name: workdir mountPath: "$(params.workdir)" From 4bdc1443811d2052a1c7ff54fe00db0bfb6729e9 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 22 Dec 2024 18:20:34 +0000 Subject: [PATCH 13/13] chore(deps): update github-actions --- .github/workflows/go-ci.yaml | 4 ++-- .github/workflows/run-task-tests.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/go-ci.yaml b/.github/workflows/go-ci.yaml index 9c3fa115d7..5d4689a14c 100644 --- a/.github/workflows/go-ci.yaml +++ b/.github/workflows/go-ci.yaml @@ -18,7 +18,7 @@ jobs: go-version-file: './${{matrix.path}}/go.mod' cache-dependency-path: ./${{matrix.path}}/go.sum - name: golangci-lint - uses: golangci/golangci-lint-action@774c35bcccffb734694af9e921f12f57d882ef74 + uses: golangci/golangci-lint-action@9937fdf7189f2958a2dc9f6d585e5d65e3326d20 with: working-directory: ${{matrix.path}} args: "--timeout=10m --build-tags='normal periodic'" 
@@ -84,7 +84,7 @@ jobs: # we let the report trigger content trigger a failure using the GitHub Security features. args: '-tags normal,periodic -no-fail -fmt sarif -out results.sarif ${{matrix.path}}/...' - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@dd7559424621a6dd0b32ababe9e4b271a87f78d2 + uses: github/codeql-action/upload-sarif@78760076e3f08852c2c3aeb5334f70d074e28c59 with: # Path to SARIF file relative to the root of the repository sarif_file: results.sarif diff --git a/.github/workflows/run-task-tests.yaml b/.github/workflows/run-task-tests.yaml index 7cb3a6d026..f68bffbeee 100644 --- a/.github/workflows/run-task-tests.yaml +++ b/.github/workflows/run-task-tests.yaml @@ -60,7 +60,7 @@ jobs: with: repository: 'konflux-ci/konflux-ci' path: konflux-ci - ref: d19c18bc2ec9c47c02d8bcf30305a3e5e198bc9f + ref: 22cee05b0549ba8836cfea49c4c63485eaf27f89 - name: Create k8s Kind Cluster if: steps.tasks-to-be-tested.outputs.tasklist != ''