From 14d06be545e1067b92e082ed28176ef66e3de050 Mon Sep 17 00:00:00 2001 From: Zoran Regvart Date: Thu, 23 May 2024 15:49:12 +0200 Subject: [PATCH] Regenerate Trusted Artifacts Task Run `hack/build-and-push.sh` to regenerate the Trusted Artifacts Task variants. --- task/buildah-oci-ta/0.1/README.md | 24 +- task/buildah-oci-ta/0.1/buildah-oci-ta.yaml | 239 ++++++++-------- task/buildah-oci-ta/0.1/recipe.yaml | 18 ++ task/git-clone-oci-ta/0.1/README.md | 28 +- .../0.1/git-clone-oci-ta.yaml | 254 +++++++++--------- task/git-clone-oci-ta/0.1/recipe.yaml | 15 ++ .../0.1/README.md | 16 +- .../0.1/prefetch-dependencies-oci-ta.yaml | 163 +++++------ .../0.1/recipe.yaml | 16 ++ task/sast-snyk-check-oci-ta/0.1/README.md | 4 +- task/sast-snyk-check-oci-ta/0.1/recipe.yaml | 28 ++ .../0.1/sast-snyk-check-oci-ta.yaml | 185 +++++++------ task/source-build-oci-ta/0.1/README.md | 6 +- task/source-build-oci-ta/0.1/recipe.yaml | 15 ++ .../0.1/source-build-oci-ta.yaml | 192 ++++++------- 15 files changed, 650 insertions(+), 553 deletions(-) create mode 100644 task/buildah-oci-ta/0.1/recipe.yaml create mode 100644 task/git-clone-oci-ta/0.1/recipe.yaml create mode 100644 task/prefetch-dependencies-oci-ta/0.1/recipe.yaml create mode 100644 task/sast-snyk-check-oci-ta/0.1/recipe.yaml create mode 100644 task/source-build-oci-ta/0.1/recipe.yaml diff --git a/task/buildah-oci-ta/0.1/README.md b/task/buildah-oci-ta/0.1/README.md index 7349528798..e3ce4d049a 100644 --- a/task/buildah-oci-ta/0.1/README.md +++ b/task/buildah-oci-ta/0.1/README.md 
@@ -8,24 +8,24 @@ When prefetch-dependencies task was activated it is using its artifacts to run b ## Parameters |name|description|default value|required| |---|---|---|---| -|IMAGE|Reference of the image buildah will produce.||true| -|SOURCE_ARTIFACT|The trusted artifact URI containing the application source code.||true| -|CACHI2_ARTIFACT|The trusted artifact URI containing the prefetched dependencies.|""|false| -|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| +|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| +|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| +|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| |CONTEXT|Path to the directory to use as context.|.|false| -|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| +|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| |DOCKER_AUTH|unused, should be removed in next task version|""|false| +|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false| |HERMETIC|Determines if build will be executed without network access.|false|false| -|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|IMAGE|Reference of the image buildah will produce.||true| |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. 
Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| -|COMMIT_SHA|The image is built from this commit.|""|false| -|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false| +|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| +|TARGET_STAGE|Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false| +|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| |YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false| +|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false| |YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false| -|TARGET_STAGE|Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false| -|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false| -|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| -|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| ## Results |name|description| diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index 65578381f3..93aefa5f7f 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml 
@@ -1,13 +1,13 @@ ---- apiVersion: tekton.dev/v1 kind: Task metadata: + annotations: + tekton.dev/pipelines.minVersion: 0.12.1 + tekton.dev/tags: image-build, appstudio, hacbs + creationTimestamp: null labels: app.kubernetes.io/version: "0.1" - build.appstudio.redhat.com/build_type: "docker" - annotations: - tekton.dev/pipelines.minVersion: "0.12.1" - tekton.dev/tags: "image-build, appstudio, hacbs" + build.appstudio.redhat.com/build_type: docker name: buildah-oci-ta spec: description: |- 
@@ -16,74 +16,81 @@ spec: When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. params: - - description: Reference of the image buildah will produce. - name: IMAGE - type: string - - description: The Trusted Artifact URI pointing to the artifact with the application source code. - name: SOURCE_ARTIFACT + - default: [] + description: Array of --build-arg values ("arg=value" strings) + name: BUILD_ARGS + type: array + - default: "" + description: Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: BUILD_ARGS_FILE type: string - - description: The Trusted Artifact URI pointing to the artifact with the prefetched dependencies. + - default: "" + description: The Trusted Artifact URI pointing to the artifact with the prefetched + dependencies. name: CACHI2_ARTIFACT type: string - default: "" - - default: ./Dockerfile - description: Path to the Dockerfile to build. - name: DOCKERFILE + - default: "" + description: The image is built from this commit. + name: COMMIT_SHA type: string - default: . description: Path to the directory to use as context. name: CONTEXT type: string - - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - name: TLSVERIFY + - default: ./Dockerfile + description: Path to the Dockerfile to build. 
+ name: DOCKERFILE type: string - - description: unused, should be removed in next task version + - default: "" + description: unused, should be removed in next task version name: DOCKER_AUTH type: string - default: "" + - default: etc-pki-entitlement + description: Name of secret which contains the entitlement certificates + name: ENTITLEMENT_SECRET + type: string - default: "false" description: Determines if build will be executed without network access. name: HERMETIC type: string - - default: "" - description: In case it is not empty, the prefetched content should be made available to the build. - name: PREFETCH_INPUT + - description: Reference of the image buildah will produce. + name: IMAGE type: string - default: "" - description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. + description: Delete image tag after specified time. Empty means to keep the image + tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, + respectively. name: IMAGE_EXPIRES_AFTER type: string - - name: COMMIT_SHA - description: The image is built from this commit. + - default: "" + description: In case it is not empty, the prefetched content should be made available + to the build. + name: PREFETCH_INPUT type: string - default: "" - - name: YUM_REPOS_D_SRC - description: Path in the git repository in which yum repository files are stored - default: repos.d - - name: YUM_REPOS_D_FETCHED - description: Path in source workspace where dynamically-fetched repos are present - default: fetched.repos.d - - name: YUM_REPOS_D_TARGET - description: Target path on the container in which yum repository files should be made available - default: /etc/yum.repos.d - - name: TARGET_STAGE - description: Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage. 
+ - description: The Trusted Artifact URI pointing to the artifact with the application + source code. + name: SOURCE_ARTIFACT type: string - default: "" - - name: ENTITLEMENT_SECRET - description: Name of secret which contains the entitlement certificates + - default: "" + description: Target stage in Dockerfile to build. If not specified, the Dockerfile + is processed entirely to (and including) its last stage. + name: TARGET_STAGE type: string - default: "etc-pki-entitlement" - - name: BUILD_ARGS - description: Array of --build-arg values ("arg=value" strings) - type: array - default: [] - - name: BUILD_ARGS_FILE - description: Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file + - default: "true" + description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS + registry) + name: TLSVERIFY type: string - default: "" - + - default: fetched.repos.d + description: Path in source workspace where dynamically-fetched repos are present + name: YUM_REPOS_D_FETCHED + - default: repos.d + description: Path in the git repository in which yum repository files are stored + name: YUM_REPOS_D_SRC + - default: /etc/yum.repos.d + description: Target path on the container in which yum repository files should + be made available + name: YUM_REPOS_D_TARGET results: - description: Digest of the image just built name: IMAGE_DIGEST 
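Review bot: The three `YUM_REPOS_D_*` entries at the end of the regenerated params list are the only ones emitted without `type: string`, while every other string param carries it; Tekton treats a param with no type as a string, so this works, but the list reads as if those three were different. The omission is presumably inherited from the base buildah task the recipe points at, so adding `type: string` to those three params there would make the regenerated output uniform without touching the generated file by hand. The params list is wholly within this hunk (from `params:` to `results:`).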
@@ -91,12 +98,14 @@ spec: name: IMAGE_URL - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS - - name: SBOM_JAVA_COMPONENTS_COUNT - description: The counting of Java components by publisher in JSON format + - description: The counting of Java components by publisher in JSON format + name: SBOM_JAVA_COMPONENTS_COUNT type: string - - name: JAVA_COMMUNITY_DEPENDENCIES - description: The Java dependencies that came from community sources such as Maven central. + - description: The Java dependencies that came from community sources such as Maven + central. + name: JAVA_COMMUNITY_DEPENDENCIES stepTemplate: + computeResources: {} env: - name: BUILDAH_FORMAT value: oci 
@@ -127,28 +136,29 @@ spec: - name: BUILD_ARGS_FILE value: $(params.BUILD_ARGS_FILE) volumeMounts: - - mountPath: /var/workdir - name: workdir + - mountPath: /var/workdir + name: workdir steps: - - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d + - args: + - use + - $(params.SOURCE_ARTIFACT)=/var/workdir/source + - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 + computeResources: {} + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d name: use-trusted-artifact - args: - - use - - $(params.SOURCE_ARTIFACT)=/var/workdir/source - - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 - - image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb - name: build + - args: + - $(params.BUILD_ARGS[*]) computeResources: limits: memory: 4Gi requests: - memory: 512Mi cpu: 250m + memory: 512Mi env: - name: COMMIT_SHA value: $(params.COMMIT_SHA) - args: - - $(params.BUILD_ARGS[*]) + image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb + name: build script: | SOURCE_CODE_DIR=source if [ -e "$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE" ]; then @@ -183,7 +193,7 @@ spec: sed -i 's/^\s*short-name-mode\s*=\s*.*/short-name-mode = "disabled"/' /etc/containers/registries.conf # Setting new namespace to run buildah - 2^32-2 - echo 'root:1:4294967294' | tee -a /etc/subuid >> /etc/subgid + echo 'root:1:4294967294' | tee -a /etc/subuid >>/etc/subgid BUILDAH_ARGS=() @@ -264,7 +274,7 @@ spec: container=$(buildah from --pull-never $IMAGE) buildah mount $container | tee /var/workdir/container_path - echo $container > /var/workdir/container_name + echo $container >/var/workdir/container_name # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later if [ -d "/var/workdir/cachi2" ]; then 
@@ -274,29 +284,25 @@ spec: # Expose base image digests for image in $BASE_IMAGES; do if [ "${image}" != "scratch" ]; then - buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >> $(results.BASE_IMAGES_DIGESTS.path) + buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >>$( results.BASE_IMAGES_DIGESTS.path) fi done # Needed to generate base images SBOM - echo "$BASE_IMAGES" > /var/workdir/base_images_from_dockerfile - + echo "$BASE_IMAGES" >/var/workdir/base_images_from_dockerfile securityContext: capabilities: add: - - SETFCAP + - SETFCAP volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers - - mountPath: "/entitlement" + - mountPath: /entitlement name: etc-pki-entitlement workingDir: /var/workdir - - - name: sbom-syft-generate + - computeResources: {} image: quay.io/redhat-appstudio/syft:v0.105.1@sha256:1910b829997650c696881e5fc2fc654ddf3184c27edb1b2024e9cb2ba51ac431 - # Respect Syft configuration if the user has it in the root of their repository - # (need to set the workdir, see https://github.com/anchore/syft/issues/2465) - workingDir: /var/workdir/source + name: sbom-syft-generate script: | echo "Running syft on the source directory" syft dir:/var/workdir/source --output cyclonedx-json=/var/workdir/sbom-source.json @@ -306,8 +312,10 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers - - name: analyse-dependencies-java-sbom + workingDir: /var/workdir/source + - computeResources: {} image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 + name: analyse-dependencies-java-sbom script: | if [ -f /var/lib/containers/java ]; then /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /var/workdir/container_path) -s /var/workdir/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) 
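Review bot: `>>$( results.BASE_IMAGES_DIGESTS.path)` in the base-image digest loop now has a space after `$(`, which turns the Tekton result-path placeholder into a shell command substitution of a nonexistent command; Tekton documents and substitutes only the exact form `$(results.BASE_IMAGES_DIGESTS.path)`, so unless the substitution engine tolerates the whitespace the redirect target becomes empty and the build step most likely fails instead of recording the digests. The same mangling appears in the git-clone-oci-ta.yaml hunk `@@ -204,66 +197,81 @@` as `>"$( results.commit.path)"` and `>"$( results.url.path)"`, where the clone script runs under `set -eu` and would abort before the tag fetch. It only shows up after `>` / `>>`, so it looks like an artifact of the shell formatter the generator runs; the lines should read `>>$(results.BASE_IMAGES_DIGESTS.path)` and the formatter step needs to be configured or post-processed so the placeholders survive regeneration. Separately, regeneration dropped the comment that explained why sbom-syft-generate sets `workingDir: /var/workdir/source` (honouring a Syft config at the repository root, with the upstream issue link); keeping it in recipe.yaml or emitting it as `# workdir is the source root so a repository-level Syft config is honoured` would preserve that rationale. The build step's script begins outside this hunk.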
@@ -315,14 +323,14 @@ spec: else touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path) fi + securityContext: + runAsUser: 0 volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers - securityContext: - runAsUser: 0 - - - name: merge-syft-sboms + - computeResources: {} image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a + name: merge-syft-sboms script: | #!/bin/python3 import json @@ -352,26 +360,26 @@ spec: # write the CycloneDX unified SBOM with open("./sbom-cyclonedx.json", "w") as f: json.dump(image_sbom, f, indent=4) - workingDir: /var/workdir securityContext: runAsUser: 0 - - - name: merge-cachi2-sbom + workingDir: /var/workdir + - computeResources: {} image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8 + name: merge-cachi2-sbom script: | if [ -d "/var/workdir/cachi2" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" - /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json + /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json >sbom-temp.json mv sbom-temp.json sbom-cyclonedx.json else echo "Skipping step since no Cachi2 SBOM was produced" fi - workingDir: /var/workdir securityContext: runAsUser: 0 - - - name: create-purl-sbom + workingDir: /var/workdir + - computeResources: {} image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a + name: create-purl-sbom script: | #!/bin/python3 import json 
@@ -384,24 +392,23 @@ spec: with open("sbom-purl.json", "w") as output_file: json.dump(purl_content, output_file, indent=4) - workingDir: /var/workdir securityContext: runAsUser: 0 - - - name: create-base-images-sbom - image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:667669e3def018f9dbb8eaf8868887a40bc07842221e9a98f6787edcff021840 + workingDir: /var/workdir + - computeResources: {} env: - name: BASE_IMAGES_DIGESTS_PATH value: $(results.BASE_IMAGES_DIGESTS.path) + image: quay.io/redhat-appstudio/base-images-sbom-script@sha256:667669e3def018f9dbb8eaf8868887a40bc07842221e9a98f6787edcff021840 + name: create-base-images-sbom script: | python3 /app/base_images_sbom_script.py --sbom=sbom-cyclonedx.json --base-images-from-dockerfile=base_images_from_dockerfile --base-images-digests=$BASE_IMAGES_DIGESTS_PATH - workingDir: /var/workdir securityContext: runAsUser: 0 - - - name: inject-sbom-and-push + workingDir: /var/workdir + - computeResources: {} image: quay.io/redhat-appstudio/buildah:v1.31.0@sha256:34f12c7b72ec2c28f1ded0c494b428df4791c909f1f174dd21b8ed6a57cf5ddb - computeResources: {} + name: inject-sbom-and-push script: | base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) 
@@ -429,35 +436,33 @@ spec: cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) - securityContext: - runAsUser: 0 capabilities: add: - - SETFCAP + - SETFCAP + runAsUser: 0 volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers workingDir: /var/workdir - - - name: upload-sbom + - args: + - attach + - sbom + - --sbom + - sbom-cyclonedx.json + - --type + - cyclonedx + - $(params.IMAGE) + computeResources: {} image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5 - args: - - attach - - sbom - - --sbom - - sbom-cyclonedx.json - - --type - - cyclonedx - - $(params.IMAGE) + name: upload-sbom workingDir: /var/workdir - volumes: - - name: varlibcontainers - emptyDir: {} - - name: workdir - emptyDir: {} - name: etc-pki-entitlement secret: - secretName: $(params.ENTITLEMENT_SECRET) optional: true + secretName: $(params.ENTITLEMENT_SECRET) + - emptyDir: {} + name: varlibcontainers + - emptyDir: {} + name: workdir diff --git a/task/buildah-oci-ta/0.1/recipe.yaml b/task/buildah-oci-ta/0.1/recipe.yaml new file mode 100644 index 0000000000..97d348d20d --- /dev/null +++ b/task/buildah-oci-ta/0.1/recipe.yaml 
@@ -0,0 +1,18 @@
+---
+base: ../../buildah/0.1/buildah.yaml
+removeParams:
+ - BUILDER_IMAGE
+add:
+ - use-source
+ - use-cachi2
+removeWorkspaces:
+ - source
+replacements:
+ workspaces.source.path: /var/workdir
+regexReplacements:
+ "/workspace(/.*)": /var/workdir$1
+description: |-
+ Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.
+ In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.
+ When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts.
+ When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment.
diff --git a/task/git-clone-oci-ta/0.1/README.md b/task/git-clone-oci-ta/0.1/README.md
index fe1cbd9a91..b0317480d3 100644
--- a/task/git-clone-oci-ta/0.1/README.md
+++ b/task/git-clone-oci-ta/0.1/README.md
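Review bot: recipe.yaml carries no comment saying what consumes it or that the sibling buildah-oci-ta.yaml is generated from it, so a reader who edits the generated task by hand will not learn that `hack/build-and-push.sh` (named in the commit message) overwrites the change. A header such as `# Input for hack/build-and-push.sh: buildah-oci-ta.yaml is generated from this file and the base task named below; edit here, then regenerate.` would make that explicit. The same applies to the four other new recipe.yaml files listed in the diffstat.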
@@ -5,31 +5,31 @@ The git-clone-oci-ta Task will clone a repo from the provided url and store it a ## Parameters |name|description|default value|required| |---|---|---|---| -|url|Repository URL to clone from.||true| -|revision|Revision to checkout. (branch, tag, sha, ref, etc...)|""|false| -|refspec|Refspec to fetch before checking out revision.|""|false| -|submodules|Initialize and fetch git submodules.|true|false| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| |depth|Perform a shallow clone, fetching only the most recent N commits.|1|false| -|sslVerify|Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.|true|false| -|sparseCheckoutDirectories|Define the directory patterns to match or exclude when performing a sparse checkout.|""|false| +|enableSymlinkCheck|Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. |true|false| +|fetchTags|Fetch all tags for the repo.|false|false| |httpProxy|HTTP proxy server for non-SSL requests.|""|false| |httpsProxy|HTTPS proxy server for SSL requests.|""|false| |noProxy|Opt out of proxying HTTP/HTTPS requests.|""|false| -|verbose|Log the commands that are executed during `git-clone`'s operation.|false|false| +|ociArtifactExpiresAfter|Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.|""|false| +|ociStorage|The OCI repository where the Trusted Artifacts are stored.||true| +|refspec|Refspec to fetch before checking out revision.|""|false| +|revision|Revision to checkout. 
(branch, tag, sha, ref, etc...)|""|false| +|sparseCheckoutDirectories|Define the directory patterns to match or exclude when performing a sparse checkout.|""|false| +|sslVerify|Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.|true|false| +|submodules|Initialize and fetch git submodules.|true|false| +|url|Repository URL to clone from.||true| |userHome|Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. |/tekton/home|false| -|enableSymlinkCheck|Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. |true|false| -|fetchTags|Fetch all tags for the repo.|false|false| -|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| -|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| -|ociStorage|The OCI repository where the clone repository will be stored.||true| -|ociArtifactExpiresAfter|Expiration date for the artifacts created in the OCI repository.|""|false| +|verbose|Log the commands that are executed during `git-clone`'s operation.|false|false| ## Results |name|description| |---|---| |commit|The precise commit SHA that was fetched by this Task.| |url|The precise URL that was fetched by this Task.| -|sourceArtifact|The OCI reference to the trusted source artifact containing the cloned git repo.| +|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.| ## Workspaces |name|description|optional| diff --git a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml index 0161d2e499..1d19cc1c28 100644 --- a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml +++ b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml 
@@ -1,47 +1,41 @@ ---- apiVersion: tekton.dev/v1 kind: Task metadata: - labels: - app.kubernetes.io/version: "0.1" annotations: tekton.dev/categories: Git tekton.dev/displayName: git clone oci trusted artifacts tekton.dev/pipelines.minVersion: 0.21.0 tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64 tekton.dev/tags: git + creationTimestamp: null + labels: + app.kubernetes.io/version: "0.1" name: git-clone-oci-ta spec: - description: >- - The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted - artifact in the provided OCI repository. + description: The git-clone-oci-ta Task will clone a repo from the provided url and + store it as a trusted artifact in the provided OCI repository. params: - - description: Repository URL to clone from. - name: url + - default: ca-bundle.crt + description: The name of the key in the ConfigMap that contains the CA bundle + data. + name: caTrustConfigMapKey type: string - - default: "" - description: Revision to checkout. (branch, tag, sha, ref, etc...) - name: revision - type: string - - default: "" - description: Refspec to fetch before checking out revision. - name: refspec - type: string - - default: "true" - description: Initialize and fetch git submodules. - name: submodules + - default: trusted-ca + description: The name of the ConfigMap to read CA bundle data from. + name: caTrustConfigMapName type: string - default: "1" description: Perform a shallow clone, fetching only the most recent N commits. name: depth type: string - default: "true" - description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. - name: sslVerify + description: | + Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. + name: enableSymlinkCheck type: string - - default: "" - description: Define the directory patterns to match or exclude when performing a sparse checkout. 
- name: sparseCheckoutDirectories + - default: "false" + description: Fetch all tags for the repo. + name: fetchTags type: string - default: "" description: HTTP proxy server for non-SSL requests. 
@@ -55,118 +49,117 @@ spec: description: Opt out of proxying HTTP/HTTPS requests. name: noProxy type: string - - default: "false" - description: Log the commands that are executed during `git-clone`'s operation. - name: verbose + - default: "" + description: Expiration date for the trusted artifacts created in the OCI repository. + An empty string means the artifacts do not expire. + name: ociArtifactExpiresAfter type: string - - default: /tekton/home - description: | - Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. - name: userHome + - description: The OCI repository where the Trusted Artifacts are stored. + name: ociStorage type: string - - default: "true" - description: | - Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. - name: enableSymlinkCheck + - default: "" + description: Refspec to fetch before checking out revision. + name: refspec type: string - - default: "false" - description: Fetch all tags for the repo. - name: fetchTags + - default: "" + description: Revision to checkout. (branch, tag, sha, ref, etc...) + name: revision type: string - - name: caTrustConfigMapName + - default: "" + description: Define the directory patterns to match or exclude when performing + a sparse checkout. + name: sparseCheckoutDirectories type: string - description: The name of the ConfigMap to read CA bundle data from. - default: trusted-ca - - name: caTrustConfigMapKey + - default: "true" + description: Set the `http.sslVerify` global git config. Setting this to `false` + is not advised unless you are sure that you trust your git remote. + name: sslVerify type: string - description: The name of the key in the ConfigMap that contains the CA bundle data. - default: ca-bundle.crt - - name: ociStorage + - default: "true" + description: Initialize and fetch git submodules. 
+ name: submodules type: string - description: The OCI repository where the Trusted Artifacts are stored. - - name: ociArtifactExpiresAfter + - description: Repository URL to clone from. + name: url + type: string + - default: /tekton/home + description: | + Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. + name: userHome + type: string + - default: "false" + description: Log the commands that are executed during `git-clone`'s operation. + name: verbose type: string - description: >- - Expiration date for the trusted artifacts created in the OCI repository. An empty string means - the artifacts do not expire. - default: "" - results: - description: The precise commit SHA that was fetched by this Task. name: commit - description: The precise URL that was fetched by this Task. name: url - - description: The Trusted Artifact URI pointing to the artifact with the application source code. + - description: The Trusted Artifact URI pointing to the artifact with the application + source code. 
name: SOURCE_ARTIFACT type: string steps: - - name: clone + - computeResources: {} env: + - name: CHECKOUT_DIR + value: /var/workdir/source - name: HOME value: $(params.userHome) - - name: PARAM_URL - value: $(params.url) - - name: PARAM_REVISION - value: $(params.revision) - - name: PARAM_REFSPEC - value: $(params.refspec) - - name: PARAM_SUBMODULES - value: $(params.submodules) - name: PARAM_DEPTH value: $(params.depth) - - name: PARAM_SSL_VERIFY - value: $(params.sslVerify) - - name: PARAM_HTTP_PROXY - value: $(params.httpProxy) + - name: PARAM_FETCH_TAGS + value: $(params.fetchTags) - name: PARAM_HTTPS_PROXY value: $(params.httpsProxy) + - name: PARAM_HTTP_PROXY + value: $(params.httpProxy) - name: PARAM_NO_PROXY value: $(params.noProxy) - - name: PARAM_VERBOSE - value: $(params.verbose) + - name: PARAM_REFSPEC + value: $(params.refspec) + - name: PARAM_REVISION + value: $(params.revision) - name: PARAM_SPARSE_CHECKOUT_DIRECTORIES value: $(params.sparseCheckoutDirectories) + - name: PARAM_SSL_VERIFY + value: $(params.sslVerify) + - name: PARAM_SUBMODULES + value: $(params.submodules) + - name: PARAM_URL + value: $(params.url) - name: PARAM_USER_HOME value: $(params.userHome) - - name: PARAM_FETCH_TAGS - value: $(params.fetchTags) - - name: WORKSPACE_SSH_DIRECTORY_BOUND - value: $(workspaces.ssh-directory.bound) - - name: WORKSPACE_SSH_DIRECTORY_PATH - value: $(workspaces.ssh-directory.path) + - name: PARAM_VERBOSE + value: $(params.verbose) - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND value: $(workspaces.basic-auth.bound) - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH value: $(workspaces.basic-auth.path) - - name: CHECKOUT_DIR - value: /var/workdir/source + - name: WORKSPACE_SSH_DIRECTORY_BOUND + value: $(workspaces.ssh-directory.bound) + - name: WORKSPACE_SSH_DIRECTORY_PATH + value: $(workspaces.ssh-directory.path) image: 
registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8:v1.8.2-8@sha256:a538c423e7a11aae6ae582a411fdb090936458075f99af4ce5add038bb6983e8 - computeResources: {} - securityContext: - runAsUser: 0 - volumeMounts: - - name: trusted-ca - mountPath: /mnt/trusted-ca - readOnly: true - - name: workdir - mountPath: /var/workdir + name: clone script: | #!/usr/bin/env sh set -eu - if [ "${PARAM_VERBOSE}" = "true" ] ; then + if [ "${PARAM_VERBOSE}" = "true" ]; then set -x fi - if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then + if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ]; then if [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" ]; then cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials" cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig" # Compatibility with kubernetes.io/basic-auth secrets elif [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username" ] && [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password" ]; then HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}') - echo "https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME" > "${PARAM_USER_HOME}/.git-credentials" - echo -e "[credential \"https://$HOSTNAME\"]\n helper = store" > "${PARAM_USER_HOME}/.gitconfig" + echo "https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME" >"${PARAM_USER_HOME}/.git-credentials" + echo -e "[credential \"https://$HOSTNAME\"]\n helper = store" >"${PARAM_USER_HOME}/.gitconfig" else echo "Unknown basic-auth workspace format" exit 1 
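Review bot: The basic-auth branch of the clone script builds the credential line with `echo "https://$(cat .../username):$(cat .../password)@$HOSTNAME" >"${PARAM_USER_HOME}/.git-credentials"` after `set -x` has been enabled for `PARAM_VERBOSE=true`, so turning on verbose logging traces the expanded command and writes the password into the TaskRun log; this is carried over unchanged by the regeneration. Wrapping the credential handling in `set +x` and re-enabling tracing afterwards (or writing the file with `printf` from a variable that xtrace does not expand on the command line) keeps verbose mode safe to use. The clone step's script starts in this hunk and continues past it.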
@@ -182,7 +175,7 @@ spec: git config --global http.sslCAInfo "$ca_bundle" fi - if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then + if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ]; then cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh chmod 700 "${PARAM_USER_HOME}"/.ssh chmod -R 400 "${PARAM_USER_HOME}"/.ssh/* 
@@ -204,66 +197,81 @@ spec: cd "${CHECKOUT_DIR}" RESULT_SHA="$(git rev-parse HEAD)" EXIT_CODE="$?" - if [ "${EXIT_CODE}" != 0 ] ; then + if [ "${EXIT_CODE}" != 0 ]; then exit "${EXIT_CODE}" fi - printf "%s" "${RESULT_SHA}" > "$(results.commit.path)" - printf "%s" "${PARAM_URL}" > "$(results.url.path)" + printf "%s" "${RESULT_SHA}" >"$( results.commit.path)" + printf "%s" "${PARAM_URL}" >"$( results.url.path)" - if [ "${PARAM_FETCH_TAGS}" = "true" ] ; then + if [ "${PARAM_FETCH_TAGS}" = "true" ]; then echo "Fetching tags" git fetch --tags fi - - - name: symlink-check - image: registry.redhat.io/ubi9:9.2-696@sha256:089bd3b82a78ac45c0eed231bb58bfb43bfcd0560d9bba240fc6355502c92976 + securityContext: + runAsUser: 0 + volumeMounts: + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + - mountPath: /var/workdir + name: workdir + - computeResources: {} env: - - name: PARAM_ENABLE_SYMLINK_CHECK - value: $(params.enableSymlinkCheck) - name: CHECKOUT_DIR value: /var/workdir/source - volumeMounts: - - name: workdir - mountPath: /var/workdir - computeResources: {} + - name: PARAM_ENABLE_SYMLINK_CHECK + value: $(params.enableSymlinkCheck) + image: registry.redhat.io/ubi9:9.2-696@sha256:089bd3b82a78ac45c0eed231bb58bfb43bfcd0560d9bba240fc6355502c92976 + name: symlink-check script: | #!/usr/bin/env bash set -euo pipefail check_symlinks() { FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false - while read symlink - do + while read symlink; do target=$(readlink -f "$symlink") if ! 
[[ "$target" =~ ^$CHECKOUT_DIR ]]; then echo "The cloned repository contains symlink pointing outside of the cloned repository: $symlink" FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true fi done < <(find $CHECKOUT_DIR -type l -print) - if [ "$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO" = true ] ; then + if [ "$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO" = true ]; then return 1 fi } - if [ "${PARAM_ENABLE_SYMLINK_CHECK}" = "true" ] ; then + if [ "${PARAM_ENABLE_SYMLINK_CHECK}" = "true" ]; then echo "Running symlink check" check_symlinks fi - - - name: create-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d + volumeMounts: + - mountPath: /var/workdir + name: workdir + - args: + - create + - --store + - $(params.ociStorage) + - $(results.SOURCE_ARTIFACT.path)=/var/workdir/source + computeResources: {} env: - name: IMAGE_EXPIRES_AFTER value: $(params.ociArtifactExpiresAfter) + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d + name: create-trusted-artifact volumeMounts: - - name: workdir - mountPath: /var/workdir - args: - - create - - --store - - $(params.ociStorage) - - $(results.SOURCE_ARTIFACT.path)=/var/workdir/source - + - mountPath: /var/workdir + name: workdir + volumes: + - configMap: + items: + - key: $(params.caTrustConfigMapKey) + path: ca-bundle.crt + name: $(params.caTrustConfigMapName) + optional: true + name: trusted-ca + - emptyDir: {} + name: workdir workspaces: - description: | A .ssh directory with private key, known_hosts, config, etc. Copied to @@ -280,13 +288,3 @@ spec: Secret to this Workspace over other volume types. name: basic-auth optional: true - volumes: - - name: workdir - emptyDir: {} - - name: trusted-ca - configMap: - name: $(params.caTrustConfigMapName) - items: - - key: $(params.caTrustConfigMapKey) - path: ca-bundle.crt - optional: true 
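Review bot: The regenerated result writes use `$( results.commit.path)` and `$( results.url.path)` with a space after `$(`, which is no longer the Tekton `$(results.<name>.path)` substitution form; at run time the shell would instead try to execute a command named `results.commit.path`, the `commit`/`url` results would not be written, and under `set -eu` the clone step would most likely fail at that point. If this is how the generator emitted the text rather than a rendering artifact, the two lines should read `printf "%s" "${RESULT_SHA}" >"$(results.commit.path)"` and `printf "%s" "${PARAM_URL}" >"$(results.url.path)"`, and whatever formatter `hack/build-and-push.sh` runs over the scripts should be kept from touching `$(…)` placeholders. Separately, the symlink check's `[[ "$target" =~ ^$CHECKOUT_DIR ]]` is a bare prefix match, so a target such as `/var/workdir/source-other/x` would be accepted; `^$CHECKOUT_DIR(/|$)` pins it to the checkout directory itself.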
diff --git a/task/git-clone-oci-ta/0.1/recipe.yaml b/task/git-clone-oci-ta/0.1/recipe.yaml new file mode 100644 index 0000000000..4b35d69707 --- /dev/null +++ b/task/git-clone-oci-ta/0.1/recipe.yaml @@ -0,0 +1,15 @@ +--- +base: ../../git-clone/0.1/git-clone.yaml +removeParams: + - gitInitImage + - deleteExisting + - subdirectory +addEnvironment: + - name: CHECKOUT_DIR + value: /var/workdir/source +add: + - create-source +removeWorkspaces: + - output +description: The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted + artifact in the provided OCI repository. diff --git a/task/prefetch-dependencies-oci-ta/0.1/README.md b/task/prefetch-dependencies-oci-ta/0.1/README.md index d98fd692ee..51b413c36f 100644 --- a/task/prefetch-dependencies-oci-ta/0.1/README.md +++ b/task/prefetch-dependencies-oci-ta/0.1/README.md 
@@ -8,20 +8,20 @@ https://github.com/containerbuildsystem/cachi2#basic-usage. ## Parameters |name|description|default value|required| |---|---|---|---| -|input|Configures project packages that will have their dependencies prefetched.||true| -|source-artifact|The trusted artifact URI containing the application source code.||true| -|oci-storage|The OCI repository where the trusted artifacts with the modified cloned repository and the prefetched depedencies will be stored.||true| -|oci-artifact-expires-after|Expiration date for the trusted artifacts created in the OCI repository. An empty string means the artifacts do not expire.|""|false| +|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| |dev-package-managers|Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. |false|false| +|input|Configures project packages that will have their dependencies prefetched.||true| |log-level|Set cachi2 log level (debug, info, warning, error)|info|false| -|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| -|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|ociArtifactExpiresAfter|Expiration date for the trusted artifacts created in the OCI repository. 
An empty string means the artifacts do not expire.|""|false| +|ociStorage|The OCI repository where the Trusted Artifacts are stored.||true| ## Results |name|description| |---|---| -|source-artifact|The trusted artifact URI containing the modified application source.| -|cachi2-artifact|The trusted artifact URI containing the fetched dependencies.| +|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.| +|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.| ## Workspaces |name|description|optional| diff --git a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml index 69eed7fdb1..7a7d03d0ae 100644 --- a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml +++ b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml @@ -1,12 +1,12 @@ ---- apiVersion: tekton.dev/v1 kind: Task metadata: + annotations: + tekton.dev/pipelines.minVersion: 0.12.1 + tekton.dev/tags: image-build, hacbs + creationTimestamp: null labels: app.kubernetes.io/version: "0.1" - annotations: - tekton.dev/pipelines.minVersion: "0.12.1" - tekton.dev/tags: "image-build, hacbs" name: prefetch-dependencies-oci-ta spec: description: |- 
@@ -15,73 +15,73 @@ spec: For additional info on Cachi2, see docs at https://github.com/containerbuildsystem/cachi2#basic-usage. params: - - description: Configures project packages that will have their dependencies prefetched. - name: input - - description: The Trusted Artifact URI pointing to the artifact with the application source code. + - description: The Trusted Artifact URI pointing to the artifact with the application + source code. name: SOURCE_ARTIFACT type: string - - description: The OCI repository where the Trusted Artifacts are stored. - name: ociStorage + - default: ca-bundle.crt + description: The name of the key in the ConfigMap that contains the CA bundle + data. + name: caTrustConfigMapKey type: string - - description: >- - Expiration date for the trusted artifacts created in the OCI repository. An empty string means - the artifacts do not expire. - name: ociArtifactExpiresAfter + - default: trusted-ca + description: The name of the ConfigMap to read CA bundle data from. + name: caTrustConfigMapName type: string - default: "" - - description: > - Enable in-development package managers. WARNING: the behavior may change at any time without - notice. Use at your own risk. + - default: "false" + description: | + Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. name: dev-package-managers - default: "false" - - description: Set cachi2 log level (debug, info, warning, error) + - description: Configures project packages that will have their dependencies prefetched. + name: input + - default: info + description: Set cachi2 log level (debug, info, warning, error) name: log-level - default: "info" - - name: caTrustConfigMapName + - default: "" + description: Expiration date for the trusted artifacts created in the OCI repository. + An empty string means the artifacts do not expire. 
+ name: ociArtifactExpiresAfter type: string - description: The name of the ConfigMap to read CA bundle data from. - default: trusted-ca - - name: caTrustConfigMapKey + - description: The OCI repository where the Trusted Artifacts are stored. + name: ociStorage type: string - description: The name of the key in the ConfigMap that contains the CA bundle data. - default: ca-bundle.crt results: - - description: The Trusted Artifact URI pointing to the artifact with the application source code. - name: SOURCE_ARTIFACT - type: string - - description: The Trusted Artifact URI pointing to the artifact with the prefetched dependencies. - name: CACHI2_ARTIFACT - type: string + - description: The Trusted Artifact URI pointing to the artifact with the application + source code. + name: SOURCE_ARTIFACT + type: string + - description: The Trusted Artifact URI pointing to the artifact with the prefetched + dependencies. + name: CACHI2_ARTIFACT + type: string stepTemplate: + computeResources: {} volumeMounts: - - mountPath: /var/workdir - name: workdir + - mountPath: /var/workdir + name: workdir steps: - - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d + - args: + - use + - $(params.SOURCE_ARTIFACT)=/var/workdir/source + computeResources: {} + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d name: use-trusted-artifact - args: - - use - - $(params.SOURCE_ARTIFACT)=/var/workdir/source - - image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8 - name: prefetch-dependencies + - computeResources: {} env: - - name: INPUT - value: $(params.input) - name: DEV_PACKAGE_MANAGERS value: $(params.dev-package-managers) + - name: INPUT + value: $(params.input) - name: LOG_LEVEL value: $(params.log-level) - name: WORKSPACE_GIT_AUTH_BOUND value: 
$(workspaces.git-basic-auth.bound) - name: WORKSPACE_GIT_AUTH_PATH value: $(workspaces.git-basic-auth.path) - volumeMounts: - - name: trusted-ca - mountPath: /mnt/trusted-ca - readOnly: true + image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8 + name: prefetch-dependencies script: | - if [ -z "${INPUT}" ] - then + if [ -z "${INPUT}" ]; then # Confirm input was provided though it's likely the whole task would be skipped if it wasn't echo "No prefetch will be performed because no input was provided for cachi2 fetch-deps" exit 0 @@ -94,15 +94,15 @@ spec: fi # Copied from https://github.com/konflux-ci/build-definitions/blob/main/task/git-clone/0.1/git-clone.yaml - if [ "${WORKSPACE_GIT_AUTH_BOUND}" = "true" ] ; then + if [ "${WORKSPACE_GIT_AUTH_BOUND}" = "true" ]; then if [ -f "${WORKSPACE_GIT_AUTH_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_GIT_AUTH_PATH}/.gitconfig" ]; then cp "${WORKSPACE_GIT_AUTH_PATH}/.git-credentials" "${HOME}/.git-credentials" cp "${WORKSPACE_GIT_AUTH_PATH}/.gitconfig" "${HOME}/.gitconfig" # Compatibility with kubernetes.io/basic-auth secrets elif [ -f "${WORKSPACE_GIT_AUTH_PATH}/username" ] && [ -f "${WORKSPACE_GIT_AUTH_PATH}/password" ]; then HOSTNAME=$(cd "/var/workdir/source" && git remote get-url origin | awk -F/ '{print $3}') - echo "https://$(cat ${WORKSPACE_GIT_AUTH_PATH}/username):$(cat ${WORKSPACE_GIT_AUTH_PATH}/password)@$HOSTNAME" > "${HOME}/.git-credentials" - echo -e "[credential \"https://$HOSTNAME\"]\n helper = store" > "${HOME}/.gitconfig" + echo "https://$(cat ${WORKSPACE_GIT_AUTH_PATH}/username):$(cat ${WORKSPACE_GIT_AUTH_PATH}/password)@$HOSTNAME" >"${HOME}/.git-credentials" + echo -e "[credential \"https://$HOSTNAME\"]\n helper = store" >"${HOME}/.gitconfig" else echo "Unknown git-basic-auth workspace format" exit 1 
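Review bot: The kubernetes.io/basic-auth branch interpolates the raw `username` and `password` files into `https://user:pass@$HOSTNAME` for git's `store` credential helper, which expects percent-encoded URL components; a password containing `@`, `:`, `/`, `#` or `%` produces a line git parses differently than intended (or not at all), and the fetch then fails with an authentication error that is hard to trace back to the secret. `HOSTNAME` is likewise taken verbatim from `git remote get-url origin | awk -F/ '{print $3}'`, so a `user@` prefix or ssh-style remote in the unpacked source would put something other than a host into both the credential line and the `[credential "https://$HOSTNAME"]` section. Encoding both values before writing them (e.g. `jq -rR @uri`, if `jq` is available in the cachi2 image, or a short `python3 -c 'import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read().strip(), safe=""))'`) would make the helper robust. The enclosing `if` block continues past the end of the hunk.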
@@ -119,44 +119,49 @@ spec: fi cachi2 --log-level="$LOG_LEVEL" fetch-deps \ - $dev_pacman_flag \ - --source=/var/workdir/source \ - --output=/var/workdir/cachi2/output \ - "${INPUT}" + $dev_pacman_flag \ + --source=/var/workdir/source \ + --output=/var/workdir/cachi2/output \ + "${INPUT}" cachi2 --log-level="$LOG_LEVEL" generate-env /var/workdir/cachi2/output \ - --format env \ - --for-output-dir=/cachi2/output \ - --output /var/workdir/cachi2/cachi2.env + --format env \ + --for-output-dir=/cachi2/output \ + --output /var/workdir/cachi2/cachi2.env cachi2 --log-level="$LOG_LEVEL" inject-files /var/workdir/cachi2/output \ - --for-output-dir=/cachi2/output - - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d - name: create-trusted-artifact + --for-output-dir=/cachi2/output + volumeMounts: + - mountPath: /mnt/trusted-ca + name: trusted-ca + readOnly: true + - args: + - create + - --store + - $(params.ociStorage) + - $(results.SOURCE_ARTIFACT.path)=/var/workdir/source + - $(results.CACHI2_ARTIFACT.path)=/var/workdir/cachi2 + computeResources: {} env: - name: IMAGE_EXPIRES_AFTER value: $(params.ociArtifactExpiresAfter) - args: - - create - - --store - - $(params.ociStorage) - - $(results.SOURCE_ARTIFACT.path)=/var/workdir/source - - $(results.CACHI2_ARTIFACT.path)=/var/workdir/cachi2 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d + name: create-trusted-artifact + volumes: + - configMap: + items: + - key: $(params.caTrustConfigMapKey) + path: ca-bundle.crt + name: $(params.caTrustConfigMapName) + optional: true + name: trusted-ca + - emptyDir: {} + name: workdir workspaces: - - name: git-basic-auth - description: | + - description: | A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. 
Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. + name: git-basic-auth optional: true - volumes: - - name: workdir - emptyDir: {} - - name: trusted-ca - configMap: - name: $(params.caTrustConfigMapName) - items: - - key: $(params.caTrustConfigMapKey) - path: ca-bundle.crt - optional: true diff --git a/task/prefetch-dependencies-oci-ta/0.1/recipe.yaml b/task/prefetch-dependencies-oci-ta/0.1/recipe.yaml new file mode 100644 index 0000000000..dbed9f6e6f --- /dev/null +++ b/task/prefetch-dependencies-oci-ta/0.1/recipe.yaml @@ -0,0 +1,16 @@ +--- +base: ../../prefetch-dependencies/0.1/prefetch-dependencies.yaml +add: + - use-source + - create-source + - create-cachi2 +description: |- + Task that uses Cachi2 to prefetch build dependencies. The fetched dependencies and the + application source code are stored as a trusted artifact in the provided OCI repository. + For additional info on Cachi2, see docs at + https://github.com/containerbuildsystem/cachi2#basic-usage. +preferStepTemplate: true +removeWorkspaces: + - source +replacements: + workspaces.source.path: /var/workdir diff --git a/task/sast-snyk-check-oci-ta/0.1/README.md b/task/sast-snyk-check-oci-ta/0.1/README.md index 227286f85c..77cdd4e86a 100644 --- a/task/sast-snyk-check-oci-ta/0.1/README.md +++ b/task/sast-snyk-check-oci-ta/0.1/README.md 
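Review bot: The `trusted-ca` ConfigMap is mounted read-only only on the `prefetch-dependencies` step, while `create-trusted-artifact` (in this hunk) and `use-trusted-artifact` (in the earlier hunk) reach `$(params.ociStorage)` with nothing but the `workdir` mount from `stepTemplate`. If that registry sits behind the same private CA the prefetch step needs, the `use`/`create` calls would not see it; whether the build-trusted-artifacts image consults its own trust store is not visible here, so it is worth confirming and, if it does not, giving those two steps the same `- mountPath: /mnt/trusted-ca` / `name: trusted-ca` / `readOnly: true` entry. A one-line comment above the `volumes:` entry stating which steps are expected to consume `trusted-ca` would make the intended scope clear to the next person regenerating the task.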
@@ -11,9 +11,9 @@ See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information ## Parameters |name|description|default value|required| |---|---|---|---| -|SOURCE_ARTIFACT|The trusted artifact URI containing the application source code.||true| -|SNYK_SECRET|Name of secret which contains Snyk token.|snyk-secret|false| |ARGS|Append arguments.|--all-projects --exclude=test*,vendor,deps|false| +|SNYK_SECRET|Name of secret which contains Snyk token.|snyk-secret|false| +|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| ## Results |name|description| diff --git a/task/sast-snyk-check-oci-ta/0.1/recipe.yaml b/task/sast-snyk-check-oci-ta/0.1/recipe.yaml new file mode 100644 index 0000000000..9ab5637245 --- /dev/null +++ b/task/sast-snyk-check-oci-ta/0.1/recipe.yaml @@ -0,0 +1,28 @@ +--- +base: ../../sast-snyk-check/0.1/sast-snyk-check.yaml +add: + - use-source +description: >- + Scans source code for security vulnerabilities, including common issues such as SQL injection, + cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application + Security Testing (SAST) tool. + + + Follow the steps given + [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/) + to obtain a snyk-token and to enable the snyk task in a Pipeline. + + + The snyk binary used in this Task comes from a container image defined in + https://github.com/konflux-ci/konflux-test + + + See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk + tool. +preferStepTemplate: true +removeWorkspaces: + - workspace +replacements: + workspaces.workspace.path: /var/workdir +regexReplacements: + hacbs/\$\(context.task.name\): source 
diff --git a/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml index 7bd2be6403..333df1c87f 100644 --- a/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml +++ b/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml 
@@ -1,114 +1,109 @@ ---- apiVersion: tekton.dev/v1 kind: Task metadata: + annotations: + tekton.dev/pipelines.minVersion: 0.12.1 + tekton.dev/tags: appstudio, hacbs + creationTimestamp: null labels: app.kubernetes.io/version: "0.1" - annotations: - tekton.dev/pipelines.minVersion: "0.12.1" - tekton.dev/tags: "appstudio, hacbs" name: sast-snyk-check-oci-ta spec: - description: >- - Scans source code for security vulnerabilities, including common issues such as SQL injection, - cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application - Security Testing (SAST) tool. - - - Follow the steps given - [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/) - to obtain a snyk-token and to enable the snyk task in a Pipeline. + description: |- + Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool. + Follow the steps given [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/) to obtain a snyk-token and to enable the snyk task in a Pipeline. - The snyk binary used in this Task comes from a container image defined in - https://github.com/konflux-ci/konflux-test + The snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test - - See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk - tool. - results: - - description: Tekton task test output. - name: TEST_OUTPUT + See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool. 
params: - - name: SOURCE_ARTIFACT - type: string - description: The Trusted Artifact URI pointing to the artifact with the application source code. - - name: SNYK_SECRET - description: Name of secret which contains Snyk token. - default: snyk-secret - - name: ARGS - type: string - description: Append arguments. - default: "--all-projects --exclude=test*,vendor,deps" - volumes: - - name: snyk-secret - secret: - secretName: $(params.SNYK_SECRET) - optional: true - - name: workdir - emptyDir: {} + - default: --all-projects --exclude=test*,vendor,deps + description: Append arguments. + name: ARGS + type: string + - default: snyk-secret + description: Name of secret which contains Snyk token. + name: SNYK_SECRET + - description: The Trusted Artifact URI pointing to the artifact with the application + source code. + name: SOURCE_ARTIFACT + type: string + results: + - description: Tekton task test output. + name: TEST_OUTPUT stepTemplate: + computeResources: {} volumeMounts: - - mountPath: /var/workdir - name: workdir + - mountPath: /var/workdir + name: workdir steps: - - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d - args: - - use - - $(params.SOURCE_ARTIFACT)=/var/workdir/source - - name: sast-snyk-check - image: quay.io/redhat-appstudio/konflux-test:v1.4.0@sha256:54d49b37c9a2e280d42961a57e4f7a16c171d6b065559f1329b548db85300bea - workingDir: /var/workdir/source - volumeMounts: - - name: snyk-secret - mountPath: "/etc/secrets" - readOnly: true - env: - - name: SNYK_SECRET - value: $(params.SNYK_SECRET) - - name: ARGS - value: $(params.ARGS) - script: | - #!/usr/bin/env bash - set -euo pipefail - . 
/utils.sh - trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT + - args: + - use + - $(params.SOURCE_ARTIFACT)=/var/workdir/source + computeResources: {} + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d + name: use-trusted-artifact + - computeResources: {} + env: + - name: ARGS + value: $(params.ARGS) + - name: SNYK_SECRET + value: $(params.SNYK_SECRET) + image: quay.io/redhat-appstudio/konflux-test:v1.4.0@sha256:54d49b37c9a2e280d42961a57e4f7a16c171d6b065559f1329b548db85300bea + name: sast-snyk-check + script: | + #!/usr/bin/env bash + set -euo pipefail + . /utils.sh + trap 'handle_error $(results.TEST_OUTPUT.path)' EXIT - SNYK_TOKEN_PATH="/etc/secrets/snyk_token" + SNYK_TOKEN_PATH="/etc/secrets/snyk_token" - if [ -f "${SNYK_TOKEN_PATH}" ] && [ -s "${SNYK_TOKEN_PATH}" ]; then - # SNYK token is provided - SNYK_TOKEN="$(cat ${SNYK_TOKEN_PATH})" - export SNYK_TOKEN - else - to_enable_snyk='[here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)' - note="Task $(context.task.name) skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key "snyk_token" containing the Snyk token by following the steps given ${to_enable_snyk}" - TEST_OUTPUT=$(make_result_json -r SKIPPED -t "$note") - echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" - exit 0 - fi + if [ -f "${SNYK_TOKEN_PATH}" ] && [ -s "${SNYK_TOKEN_PATH}" ]; then + # SNYK token is provided + SNYK_TOKEN="$(cat ${SNYK_TOKEN_PATH})" + export SNYK_TOKEN + else + to_enable_snyk='[here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)' + note="Task $(context.task.name) skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key "snyk_token" containing the 
Snyk token by following the steps given ${to_enable_snyk}" + TEST_OUTPUT=$(make_result_json -r SKIPPED -t "$note") + echo "${TEST_OUTPUT}" | tee "$(results.TEST_OUTPUT.path)" + exit 0 + fi - SNYK_EXIT_CODE=0 - SOURCE_CODE_DIR=/var/workdir/source - snyk code test $ARGS $SOURCE_CODE_DIR --sarif-file-output=sast_snyk_check_out.json 1>&2>> stdout.txt || SNYK_EXIT_CODE=$? - test_not_skipped=0 - SKIP_MSG="We found 0 supported files" - grep -q "$SKIP_MSG" stdout.txt || test_not_skipped=$? + SNYK_EXIT_CODE=0 + SOURCE_CODE_DIR=/var/workdir/source + snyk code test $ARGS $SOURCE_CODE_DIR --sarif-file-output=sast_snyk_check_out.json 1>&2 >>stdout.txt || SNYK_EXIT_CODE=$? + test_not_skipped=0 + SKIP_MSG="We found 0 supported files" + grep -q "$SKIP_MSG" stdout.txt || test_not_skipped=$? - if [[ "$SNYK_EXIT_CODE" -eq 0 ]] || [[ "$SNYK_EXIT_CODE" -eq 1 ]]; then - cat sast_snyk_check_out.json - TEST_OUTPUT= - parse_test_output $(context.task.name) sarif sast_snyk_check_out.json || true + if [[ "$SNYK_EXIT_CODE" -eq 0 ]] || [[ "$SNYK_EXIT_CODE" -eq 1 ]]; then + cat sast_snyk_check_out.json + TEST_OUTPUT= + parse_test_output $(context.task.name) sarif sast_snyk_check_out.json || true - # When the test is skipped, the "SNYK_EXIT_CODE" is 3 and it can also be 3 in some other situation - elif [[ "$test_not_skipped" -eq 0 ]]; then - note="Task $(context.task.name) success: Snyk code test found zero supported files." - ERROR_OUTPUT=$(make_result_json -r SUCCESS -t "$note") - else - echo "sast-snyk-check test failed because of the following issues:" - cat stdout.txt - note="Task $(context.task.name) failed: For details, check Tekton task log." 
- ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") - fi - echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path) + # When the test is skipped, the "SNYK_EXIT_CODE" is 3 and it can also be 3 in some other situation + elif [[ "$test_not_skipped" -eq 0 ]]; then + note="Task $(context.task.name) success: Snyk code test found zero supported files." + ERROR_OUTPUT=$(make_result_json -r SUCCESS -t "$note") + else + echo "sast-snyk-check test failed because of the following issues:" + cat stdout.txt + note="Task $(context.task.name) failed: For details, check Tekton task log." + ERROR_OUTPUT=$(make_result_json -r ERROR -t "$note") + fi + echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path) + volumeMounts: + - mountPath: /etc/secrets + name: snyk-secret + readOnly: true + workingDir: /var/workdir/source + volumes: + - name: snyk-secret + secret: + optional: true + secretName: $(params.SNYK_SECRET) + - emptyDir: {} + name: workdir diff --git a/task/source-build-oci-ta/0.1/README.md b/task/source-build-oci-ta/0.1/README.md index 6f7b3ee2c4..d82e3bc286 100644 --- a/task/source-build-oci-ta/0.1/README.md +++ b/task/source-build-oci-ta/0.1/README.md 
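Review bot: In `snyk code test $ARGS $SOURCE_CODE_DIR --sarif-file-output=sast_snyk_check_out.json 1>&2 >>stdout.txt` the redirections apply left to right, so stdout is first pointed at stderr and then at `stdout.txt`, while stderr keeps going to the step log; only Snyk's stdout ever lands in `stdout.txt`. The later `grep -q "$SKIP_MSG" stdout.txt` and the `cat stdout.txt` in the failure branch therefore see stdout only, and detecting "We found 0 supported files" depends on which stream Snyk prints it to, which is not visible here. If both streams were meant to be captured, `>>stdout.txt 2>&1` does that; if only stdout was meant, the `1>&2` is a no-op and should be dropped so the intent is unambiguous. The embedded `"snyk_token"` quotes in the skip `note=` assignment also close and reopen the double-quoted string, so the emitted message reads `key snyk_token` without quotes; use `\"snyk_token\"` if the quotes were intended.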
@@ -5,10 +5,10 @@ Source image build. ## Parameters |name|description|default value|required| |---|---|---|---| -|BINARY_IMAGE|Binary image name from which to generate the source image name.||true| |BASE_IMAGES|Base images used to build the binary image. Each image per line in the same order of FROM instructions specified in a multistage Dockerfile. Default to an empty string, which means to skip handling a base image.|""|false| -|SOURCE_ARTIFACT|The trusted artifact URI containing the application source code.||true| -|CACHI2_ARTIFACT|The trusted artifact URI containing the prefetched dependencies.|""|false| +|BINARY_IMAGE|Binary image name from which to generate the source image name.||true| +|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false| +|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| ## Results |name|description| diff --git a/task/source-build-oci-ta/0.1/recipe.yaml b/task/source-build-oci-ta/0.1/recipe.yaml new file mode 100644 index 0000000000..1211dc3ee5 --- /dev/null +++ b/task/source-build-oci-ta/0.1/recipe.yaml @@ -0,0 +1,15 @@ +--- +base: ../../source-build/0.1/source-build.yaml +add: + - use-source + - use-cachi2 +removeWorkspaces: + - workspace +removeVolumes: + - source-build-work-place +regexReplacements: + \/var\/source-build: /var/workdir + \/workspace\/workspace: /var/workdir +preferStepTemplate: true +replacements: + workspaces.workspace.path: /var/workdir diff --git a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml index de09be39cc..978d52ef03 100644 --- a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml +++ b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml 
@@ -1,112 +1,114 @@
----
 apiVersion: tekton.dev/v1
 kind: Task
 metadata:
- name: source-build-oci-ta
+ annotations:
+ tekton.dev/pipelines.minVersion: 0.12.1
+ tekton.dev/tags: appstudio
+ creationTimestamp: null
 labels:
 app.kubernetes.io/version: "0.1"
- annotations:
- tekton.dev/pipelines.minVersion: "0.12.1"
- tekton.dev/tags: "appstudio"
+ name: source-build-oci-ta
 spec:
 description: Source image build.
 params:
- - name: BINARY_IMAGE
- description: Binary image name from which to generate the source image name.
- type: string
- - name: BASE_IMAGES
- description: >- Base images used to build the binary image. Each image per line in the same order of FROM
- instructions specified in a multistage Dockerfile. Default to an empty string, which means
- to skip handling a base image.
- type: string
- default: ""
- - name: SOURCE_ARTIFACT
- description: The Trusted Artifact URI pointing to the artifact with the application source code.
- type: string
- - name: CACHI2_ARTIFACT
- description: The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.
- type: string
- default: ""
-
+ - default: ""
+ description: Base images used to build the binary image. Each image per line in
+ the same order of FROM instructions specified in a multistage Dockerfile. Default
+ to an empty string, which means to skip handling a base image.
+ name: BASE_IMAGES
+ type: string
+ - description: Binary image name from which to generate the source image name.
+ name: BINARY_IMAGE
+ type: string
+ - default: ""
+ description: The Trusted Artifact URI pointing to the artifact with the prefetched
+ dependencies.
+ name: CACHI2_ARTIFACT
+ type: string
+ - description: The Trusted Artifact URI pointing to the artifact with the application
+ source code.
+ name: SOURCE_ARTIFACT
+ type: string
 results:
- - name: BUILD_RESULT
- description: Build result.
- - name: SOURCE_IMAGE_URL
- description: The source image url.
- - name: SOURCE_IMAGE_DIGEST
- description: The source image digest.
- volumes:
- - name: workdir
- emptyDir: {}
+ - description: Build result.
+ name: BUILD_RESULT
+ - description: The source image url.
+ name: SOURCE_IMAGE_URL
+ - description: The source image digest.
+ name: SOURCE_IMAGE_DIGEST
 stepTemplate:
+ computeResources: {}
 volumeMounts:
- - name: workdir
- mountPath: /var/workdir
+ - mountPath: /var/workdir
+ name: workdir
 steps:
- - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d
- args:
- - use
- - $(params.SOURCE_ARTIFACT)=/var/workdir/source
- - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
- - name: build
- image: quay.io/redhat-appstudio/build-definitions-source-image-build-utils@sha256:cd87bbe51f1c22ff7578f5c9caf19db4f9ee7aefd0307288383b9bd478cdf856
- computeResources:
- limits:
- memory: 2Gi
- requests:
- memory: 512Mi
- cpu: 250m
- workingDir: "/var/workdir"
- securityContext:
- runAsUser: 0
- capabilities:
- add:
- - SETFCAP
- env:
- - name: BINARY_IMAGE
- value: "$(params.BINARY_IMAGE)"
- - name: SOURCE_DIR
- value: "/var/workdir/source"
- - name: BASE_IMAGES
- value: "$(params.BASE_IMAGES)"
- - name: RESULT_FILE
- value: "$(results.BUILD_RESULT.path)"
- - name: CACHI2_ARTIFACTS_DIR
- value: "/var/workdir/cachi2"
- - name: RESULT_SOURCE_IMAGE_URL
- value: "$(results.SOURCE_IMAGE_URL.path)"
- - name: RESULT_SOURCE_IMAGE_DIGEST
- value: "$(results.SOURCE_IMAGE_DIGEST.path)"
- - name: WS_BUILD_RESULT_FILE
- value: "/var/workdir/source_build_result.json"
- script: |
- #!/usr/bin/env bash
- set -euo pipefail
+ - args:
+ - use
+ - $(params.SOURCE_ARTIFACT)=/var/workdir/source
+ - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+ computeResources: {}
+ image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d
+ name: use-trusted-artifact
+ - computeResources:
+ limits:
+ memory: 2Gi
+ requests:
+ cpu: 250m
+ memory: 512Mi
+ env:
+ - name: BASE_IMAGES
+ value: $(params.BASE_IMAGES)
+ - name: BINARY_IMAGE
+ value: $(params.BINARY_IMAGE)
+ - name: CACHI2_ARTIFACTS_DIR
+ value: /var/workdir/cachi2
+ - name: RESULT_FILE
+ value: $(results.BUILD_RESULT.path)
+ - name: RESULT_SOURCE_IMAGE_DIGEST
+ value: $(results.SOURCE_IMAGE_DIGEST.path)
+ - name: RESULT_SOURCE_IMAGE_URL
+ value: $(results.SOURCE_IMAGE_URL.path)
+ - name: SOURCE_DIR
+ value: /var/workdir/source
+ - name: WS_BUILD_RESULT_FILE
+ value: /var/workdir/source_build_result.json
+ image: quay.io/redhat-appstudio/build-definitions-source-image-build-utils@sha256:cd87bbe51f1c22ff7578f5c9caf19db4f9ee7aefd0307288383b9bd478cdf856
+ name: build
+ script: |
+ #!/usr/bin/env bash
+ set -euo pipefail
- app_dir=/opt/source_build
- registry_allowlist="
- registry.access.redhat.com
- registry.redhat.io
- "
+ app_dir=/opt/source_build
+ registry_allowlist="
+ registry.access.redhat.com
+ registry.redhat.io
+ "
- ## This is needed for the builds performed by the rpm-ostree task
- ## otherwise, we can see this error:
- ## "fatal: detected dubious ownership in repository at '/var/workdir/source'"
- ##
- git config --global --add safe.directory $SOURCE_DIR
+ ## This is needed for the builds performed by the rpm-ostree task
+ ## otherwise, we can see this error:
+ ## "fatal: detected dubious ownership in repository at '/var/workdir/source'"
+ ##
+ git config --global --add safe.directory $SOURCE_DIR
- ${app_dir}/appenv/bin/python3 ${app_dir}/source_build.py \
- --output-binary-image "$BINARY_IMAGE" \
- --workspace /var/workdir \
- --source-dir "$SOURCE_DIR" \
- --base-images "$BASE_IMAGES" \
- --write-result-to "$RESULT_FILE" \
- --cachi2-artifacts-dir "$CACHI2_ARTIFACTS_DIR" \
- --registry-allowlist="$registry_allowlist"
+ ${app_dir}/appenv/bin/python3 ${app_dir}/source_build.py \
+ --output-binary-image "$BINARY_IMAGE" \
+ --workspace /var/workdir \
+ --source-dir "$SOURCE_DIR" \
+ --base-images "$BASE_IMAGES" \
+ --write-result-to "$RESULT_FILE" \
+ --cachi2-artifacts-dir "$CACHI2_ARTIFACTS_DIR" \
+ --registry-allowlist="$registry_allowlist"
- cat "$RESULT_FILE" | jq -r ".image_url" >"$RESULT_SOURCE_IMAGE_URL"
- cat "$RESULT_FILE" | jq -r ".image_digest" >"$RESULT_SOURCE_IMAGE_DIGEST"
+ cat "$RESULT_FILE" | jq -r ".image_url" >"$RESULT_SOURCE_IMAGE_URL"
+ cat "$RESULT_FILE" | jq -r ".image_digest" >"$RESULT_SOURCE_IMAGE_DIGEST"
- cp "$RESULT_FILE" "$WS_BUILD_RESULT_FILE"
+ cp "$RESULT_FILE" "$WS_BUILD_RESULT_FILE"
+ securityContext:
+ capabilities:
+ add:
+ - SETFCAP
+ runAsUser: 0
+ workingDir: /var/workdir
+ volumes:
+ - emptyDir: {}
+ name: workdir