diff --git a/task/buildah-oci-ta/0.1/README.md b/task/buildah-oci-ta/0.1/README.md index 15ec8b62a6..6584e910c4 100644 --- a/task/buildah-oci-ta/0.1/README.md +++ b/task/buildah-oci-ta/0.1/README.md @@ -37,6 +37,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |---|---| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| |IMAGE_DIGEST|Digest of the image just built| +|IMAGE_REF|Image reference of the built image| |IMAGE_URL|Image repository where the built image was pushed| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index b1b6308d1d..416a8b3276 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml @@ -122,6 +122,8 @@ spec: description: Digests of the base images used for build - name: IMAGE_DIGEST description: Digest of the image just built + - name: IMAGE_REF + description: Image reference of the built image - name: IMAGE_URL description: Image repository where the built image was pushed - name: JAVA_COMMUNITY_DEPENDENCIES @@ -528,6 +530,10 @@ spec: cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "/var/workdir/image-digest" + } >"$(results.IMAGE_REF.path)" securityContext: capabilities: add: diff --git a/task/buildah-remote-oci-ta/0.1/README.md b/task/buildah-remote-oci-ta/0.1/README.md new file mode 100644 index 0000000000..6d9cff8956 --- /dev/null +++ b/task/buildah-remote-oci-ta/0.1/README.md 
@@ -0,0 +1,45 @@ +# buildah-remote-oci-ta task + +Buildah task builds source code into a container image and pushes the image into container registry using buildah tool. +In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool. +When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. +When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| +|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false| +|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| +|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| +|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| +|CONTEXT|Path to the directory to use as context.|.|false| +|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| +|DOCKER_AUTH|unused, should be removed in next task version|""|false| +|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false| +|HERMETIC|Determines if build will be executed without network access.|false|false| +|IMAGE|Reference of the image buildah will produce.||true| +|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. 
Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| +|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| +|TARGET_STAGE|Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false| +|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| +|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false| +|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false| +|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| +|PLATFORM|The platform to build on||true| + +## Results +|name|description| +|---|---| +|BASE_IMAGES_DIGESTS|Digests of the base images used for build| +|IMAGE_DIGEST|Digest of the image just built| +|IMAGE_REF|Image reference of the built image| +|IMAGE_URL|Image repository where the built image was pushed| +|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| +|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| + diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index c5569532c6..8f61619061 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml 
+++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -123,6 +123,8 @@ spec: name: BASE_IMAGES_DIGESTS - description: Digest of the image just built name: IMAGE_DIGEST + - description: Image reference of the built image + name: IMAGE_REF - description: Image repository where the built image was pushed name: IMAGE_URL - description: The Java dependencies that came from community sources such as Maven @@ -598,6 +600,10 @@ spec: cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "/var/workdir/image-digest" + } >"$(results.IMAGE_REF.path)" securityContext: capabilities: add: diff --git a/task/buildah-remote/0.1/README.md b/task/buildah-remote/0.1/README.md index 2fe50dd4c1..8f70bea517 100644 --- a/task/buildah-remote/0.1/README.md +++ b/task/buildah-remote/0.1/README.md 
@@ -1,32 +1,43 @@ # buildah-remote task -This task is programmatically generated from the buildah task to keep it in sync, it should not be manually modified. - -Buildah task builds source code into a container image and pushes the image into container registry using buildah tool, however while the standard buildah task is run directly on the cluster, this task is run on a remote host. This must be used in combination with the [Multi Arch Controller](https://github.com/redhat-appstudio/multi-arch-controller) which provides the credentials and host name to use to perform the build. - -This task has an additional `PLATFORM` param that is used by the Multi Arch Controller to decide which host should perform the build. - - +Buildah task builds source code into a container image and pushes the image into container registry using buildah tool. +In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool. +When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. +When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. ## Parameters -| name | description |default value|required| -|---------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|---|---| -| PLATFORM | The target platform. ||true| -| IMAGE | Reference of the image buildah will produce. ||true| -| BUILDER_IMAGE | The location of the buildah builder image. |registry.access.redhat.com/ubi9/buildah:9.0.0-19@sha256:c8b1d312815452964885680fc5bc8d99b3bfe9b6961228c71a09c72ca8e915eb|false| -| DOCKERFILE | Path to the Dockerfile to build. |./Dockerfile|false| -| CONTEXT | Path to the directory to use as context. 
|.|false| -| TLSVERIFY | Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) |true|false| -| DOCKER_AUTH | unused, should be removed in next task version |""|false| -| HERMETIC | Determines if build will be executed without network access. |false|false| -| PREFETCH_INPUT | In case it is not empty, the prefetched content should be made available to the build. |""|false| -| IMAGE_EXPIRES_AFTER | Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. |""|false| +|name|description|default value|required| +|---|---|---|---| +|IMAGE|Reference of the image buildah will produce.||true| +|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false| +|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| +|CONTEXT|Path to the directory to use as context.|.|false| +|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| +|DOCKER_AUTH|unused, should be removed in next task version|""|false| +|HERMETIC|Determines if build will be executed without network access.|false|false| +|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| +|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false| +|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false| +|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false| +|TARGET_STAGE|Target stage in Dockerfile to build. 
If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false| +|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false| +|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| +|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| +|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false| +|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| +|PLATFORM|The platform to build on||true| ## Results |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index d884cd3d11..a92f38a971 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml 
@@ -118,6 +118,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS - description: The counting of Java components by publisher in JSON format @@ -595,6 +597,10 @@ spec: cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" securityContext: capabilities: add: diff --git a/task/buildah/0.1/README.md b/task/buildah/0.1/README.md index def5b2f122..bf41ff7460 100644 --- a/task/buildah/0.1/README.md +++ b/task/buildah/0.1/README.md @@ -26,6 +26,9 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| |BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| |BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false| |SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| ## Results 
@@ -33,6 +36,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |---|---| |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index 54bca444a7..6025f1b3a8 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml @@ -105,6 +105,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS - name: SBOM_JAVA_COMPONENTS_COUNT @@ -497,6 +499,10 @@ spec: cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" securityContext: runAsUser: 0 diff --git a/task/oci-copy-oci-ta/0.1/README.md b/task/oci-copy-oci-ta/0.1/README.md index 0067af0fad..65162767f5 100644 --- a/task/oci-copy-oci-ta/0.1/README.md +++ b/task/oci-copy-oci-ta/0.1/README.md @@ -14,6 +14,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in |name|description| |---|---| |IMAGE_DIGEST|Digest of the artifact just pushed| +|IMAGE_REF|Image reference of the built image| |IMAGE_URL|Repository where the artifact was pushed| |SBOM_BLOB_URL|Link to the SBOM blob pushed to the registry.| 
diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml index 5e8d423e49..132db7a936 100644 --- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml +++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml @@ -35,6 +35,8 @@ spec: results: - name: IMAGE_DIGEST description: Digest of the artifact just pushed + - name: IMAGE_REF + description: Image reference of the built image - name: IMAGE_URL description: Repository where the artifact was pushed - name: SBOM_BLOB_URL @@ -186,6 +188,7 @@ spec: RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}") echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)" echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)" + echo -n "${IMAGE}@${IMAGE_INDEX_DIGEST}" >"$(results.IMAGE_REF.path)" computeResources: limits: memory: 1Gi diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md index 8bec2f57ff..2537498b88 100644 --- a/task/oci-copy/0.1/README.md +++ b/task/oci-copy/0.1/README.md 
@@ -1,70 +1,23 @@ # oci-copy task -Given an `oci-copy.yaml` file in the user's source directory, the `oci-copy` task will copy content from arbitrary urls into the OCI registry. - -It generates a limited SBOM and pushes that into the OCI registry alongside the image. - -It is not to be considered safe for general use as it cannot provide a high degree of provenance for artficats and reports them only as "general" type artifacts in the purl spec it reports in the SBOM. Use only in limited situations. - -Note: the bearer token secret, if specified, will be sent to **all servers listed in the oci-copy.yaml file**. +Given a file in the user's source directory, copy content from arbitrary urls into the OCI registry. ## Parameters |name|description|default value|required| |---|---|---|---| -|IMAGE|Reference of the image buildah will produce.||true| +|IMAGE|Reference of the image we will push||true| |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| -|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|"does-not-exist"|false| - +|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. 
If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false| ## Results |name|description| |---|---| -|IMAGE_DIGEST|Digest of the image just built| -|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_DIGEST|Digest of the artifact just pushed| +|IMAGE_URL|Repository where the artifact was pushed| |SBOM_BLOB_URL|Link to the SBOM blob pushed to the registry.| +|IMAGE_REF|Image reference of the built image| ## Workspaces |name|description|optional| |---|---|---| -|source|Workspace containing the source code to copy.|false| - -## oci-copy.yaml schema -JSON schema for the `oci-copy.yaml` file. - -```json -{ - "type": "object", - "required": ["artifacts", "artifact_type"], - "properties": { - "artifact_type": { - "description": "Artifact type to be applied to the top-level OCI artifact, i.e. `application/x-mlmodel`", - "type": "string" - }, - "artifacts": { - "type": "array", - "items": { - "type": "object", - "required": ["source", "filename", "type", "sha256sum"], - "properties": { - "source": { - "description": "URL of the artifact to copy", - "type": "string" - }, - "filename": { - "description": "Filename that should be applied to the artifact in the OCI registry", - "type": "string" - }, - "type": { - "description": "Media type that should be applied to the artifact in the OCI registry", - "type": "string" - }, - "sha256sum": { - "description": "Digest of the artifact to be checked before copy", - "type": "string" - } - } - } - } - } -} -``` +|source|Workspace containing the source artifacts to copy|false| diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml index 6670dddce4..2b18a91dc4 100644 --- a/task/oci-copy/0.1/oci-copy.yaml +++ b/task/oci-copy/0.1/oci-copy.yaml 
@@ -32,6 +32,8 @@ spec: name: IMAGE_URL - description: Link to the SBOM blob pushed to the registry. name: SBOM_BLOB_URL + - name: IMAGE_REF + description: Image reference of the built image stepTemplate: env: - name: OCI_COPY_FILE @@ -171,6 +173,7 @@ spec: RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}") echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)" echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)" + echo -n "${IMAGE}@${RESULTING_DIGEST}" >"$(results.IMAGE_REF.path)" volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers diff --git a/task/rpm-ostree/0.1/README.md b/task/rpm-ostree/0.1/README.md new file mode 100644 index 0000000000..44b86d3fc0 --- /dev/null +++ b/task/rpm-ostree/0.1/README.md 
@@ -0,0 +1,31 @@ +# rpm-ostree task + +RPM Ostree + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|IMAGE|Reference of the image rpm-ostree will produce.||true| +|BUILDER_IMAGE|The location of the rpm-ostree builder image.|quay.io/redhat-user-workloads/project-sagano-tenant/ostree-builder/ostree-builder-fedora-38:d124414a81d17f31b1d734236f55272a241703d7|false| +|CONTEXT|Path to the directory to use as context.|.|false| +|IMAGE_FILE|The file to use to build the image||true| +|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| +|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| +|PLATFORM|The platform to build on||true| +|CONFIG_FILE|The relative path of the file used to configure the rpm-ostree tool found in source control. See https://github.com/coreos/rpm-ostree/blob/main/docs/container.md#adding-container-image-configuration|""|false| +|HERMETIC|Determines if build will be executed without network access.|false|false| + +## Results +|name|description| +|---|---| +|IMAGE_DIGEST|Digest of the image just built| +|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| +|BASE_IMAGES_DIGESTS|Digests of the base images used for build| +|SBOM_BLOB_URL|Reference, including digest to the SBOM blob| + +## Workspaces +|name|description|optional| +|---|---|---| +|source|Workspace containing the source code to build.|false| diff --git a/task/rpm-ostree/0.1/rpm-ostree.yaml b/task/rpm-ostree/0.1/rpm-ostree.yaml index a2c121496d..c617584bf9 100644 --- a/task/rpm-ostree/0.1/rpm-ostree.yaml +++ b/task/rpm-ostree/0.1/rpm-ostree.yaml 
@@ -60,6 +60,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS - name: SBOM_BLOB_URL @@ -260,6 +262,10 @@ spec: cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } >"$(results.IMAGE_REF.path)" # Remove tag from IMAGE while allowing registry to contain a port number. sbom_repo="${IMAGE%:*}" diff --git a/task/s2i-java/0.1/README.md b/task/s2i-java/0.1/README.md index 0fa13a1e9a..617012f20d 100644 --- a/task/s2i-java/0.1/README.md +++ b/task/s2i-java/0.1/README.md 
@@ -12,15 +12,17 @@ When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup |PATH_CONTEXT|The location of the path to run s2i from|.|false| |TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| |IMAGE|Location of the repo where image has to be pushed||true| -|BUILDER_IMAGE|The location of the buildah builder image.|registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af|false| +|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false| |DOCKER_AUTH|unused, should be removed in next task version|""|false| |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| ## Results |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| diff --git a/task/s2i-java/0.1/s2i-java.yaml b/task/s2i-java/0.1/s2i-java.yaml index a9051abb32..efdea18603 100644 --- a/task/s2i-java/0.1/s2i-java.yaml +++ b/task/s2i-java/0.1/s2i-java.yaml @@ -52,6 +52,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS - name: SBOM_JAVA_COMPONENTS_COUNT 
@@ -249,6 +251,10 @@ spec: docker://$IMAGE cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" securityContext: runAsUser: 0 diff --git a/task/s2i-nodejs/0.1/README.md b/task/s2i-nodejs/0.1/README.md index d06149ce66..dca3d57a4d 100644 --- a/task/s2i-nodejs/0.1/README.md +++ b/task/s2i-nodejs/0.1/README.md 
@@ -7,20 +7,22 @@ In addition it generates a SBOM file, injects the SBOM file into final container ## Parameters |name|description|default value|required| |---|---|---|---| -|BASE_IMAGE|NodeJS builder image|registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583|false| +|BASE_IMAGE|NodeJS builder image|registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583@sha256:c17111ec54c7f57f22d03f2abba206b0bdc54dcdfb02d6a8278ce088231eced1|false| |PATH_CONTEXT|The location of the path to run s2i from.|.|false| |TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| |IMAGE|Location of the repo where image has to be pushed||true| -|BUILDER_IMAGE|The location of the buildah builder image.|registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af|false| +|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false| |DOCKER_AUTH|unused, should be removed in next task version|""|false| |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| |MAVEN_MIRROR_URL|The base URL of a mirror used for retrieving artifacts|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| ## Results |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| ## Workspaces diff --git a/task/s2i-nodejs/0.1/s2i-nodejs.yaml b/task/s2i-nodejs/0.1/s2i-nodejs.yaml index 0f8b1023c7..4075c35b34 100644 --- a/task/s2i-nodejs/0.1/s2i-nodejs.yaml +++ b/task/s2i-nodejs/0.1/s2i-nodejs.yaml 
@@ -70,6 +70,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS steps: @@ -217,6 +219,10 @@ spec: docker://$IMAGE cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" securityContext: runAsUser: 0 diff --git a/task/source-build-oci-ta/0.1/README.md b/task/source-build-oci-ta/0.1/README.md index 43bf1b2d43..b390749a5b 100644 --- a/task/source-build-oci-ta/0.1/README.md +++ b/task/source-build-oci-ta/0.1/README.md @@ -14,6 +14,7 @@ Source image build. |name|description| |---|---| |BUILD_RESULT|Build result.| +|IMAGE_REF|Image reference of the built image| |SOURCE_IMAGE_DIGEST|The source image digest.| |SOURCE_IMAGE_URL|The source image url.| diff --git a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml index 221919f7f4..98cf2b3ff7 100644 --- a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml +++ b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml @@ -34,6 +34,8 @@ spec: results: - name: BUILD_RESULT description: Build result. + - name: IMAGE_REF + description: Image reference of the built image - name: SOURCE_IMAGE_DIGEST description: The source image digest. - name: SOURCE_IMAGE_URL @@ -99,6 +101,7 @@ spec: cat "$RESULT_FILE" | jq -r ".image_url" >"$RESULT_SOURCE_IMAGE_URL" cat "$RESULT_FILE" | jq -r ".image_digest" >"$RESULT_SOURCE_IMAGE_DIGEST" + jq -r '"\(.image_url)@\(.image_digest)"' "${RESULT_FILE}" >"$(results.IMAGE_REF.path)" cp "$RESULT_FILE" "$WS_BUILD_RESULT_FILE" computeResources: diff --git a/task/source-build/0.1/README.md b/task/source-build/0.1/README.md index e1f45d9299..40c8b4305c 100644 
--- a/task/source-build/0.1/README.md +++ b/task/source-build/0.1/README.md @@ -14,6 +14,7 @@ Source image build. |BUILD_RESULT|Build result.| |SOURCE_IMAGE_URL|The source image url.| |SOURCE_IMAGE_DIGEST|The source image digest.| +|IMAGE_REF|Image reference of the built image| ## Workspaces |name|description|optional| diff --git a/task/source-build/0.1/source-build.yaml b/task/source-build/0.1/source-build.yaml index 5c0775e572..9f2a0d8a0c 100644 --- a/task/source-build/0.1/source-build.yaml +++ b/task/source-build/0.1/source-build.yaml @@ -28,6 +28,8 @@ spec: description: The source image url. - name: SOURCE_IMAGE_DIGEST description: The source image digest. + - name: IMAGE_REF + description: Image reference of the built image workspaces: - name: workspace description: The workspace where source code is included. @@ -98,5 +100,6 @@ spec: cat "$RESULT_FILE" | jq -r ".image_url" >"$RESULT_SOURCE_IMAGE_URL" cat "$RESULT_FILE" | jq -r ".image_digest" >"$RESULT_SOURCE_IMAGE_DIGEST" + jq -r '"\(.image_url)@\(.image_digest)"' "${RESULT_FILE}" >"$(results.IMAGE_REF.path)" cp "$RESULT_FILE" "$WS_BUILD_RESULT_FILE" diff --git a/task/tkn-bundle/0.1/README.md b/task/tkn-bundle/0.1/README.md index 09100bea33..eb5a7bf647 100644 --- a/task/tkn-bundle/0.1/README.md +++ b/task/tkn-bundle/0.1/README.md 
@@ -1,51 +1,23 @@ -# tkn-bundle - Tekton Task to push a Tekton Bundle to an image registry +# tkn-bundle task -Tekton Task to build and push Tekton Bundles (OCI images) which contain -definitions of Tekton objects, most commonly Task and Pipeline objects. +Creates and pushes a Tekton bundle containing the specified Tekton YAML files. -Task finds all `*.yaml` or `*.yml` files within `CONTEXT`, packages and pushes -them as a Tekton Bundle to the image repository, name and tag specified by the -`IMAGE` parameter. - -## Input Parameters - -The task supports the following input parameters. - -| Name | Example | Description | -|---------|-------------------------|------------------------------------------| -| IMAGE | registry.io/my-task:tag | Reference of the image task will produce | -| CONTEXT | my-task/0.1 | Paths to include in the bundle image | -| HOME | /tekton/home | Value for the HOME environment variable | - -`CONTEXT` can include multiple directories or files separated by comma or space. -Paths can be negated with exclamation mark to prevent inclusion of certain -directories or files. Negated paths are best placed at the end as they operate -on collected paths preceeding them. For example if `CONTEXT` is set to -`"0.1,!0.1/spec"` for this tree: - - . - ├── 0.1 - │   ├── README.md - │   ├── spec - │   │   ├── spec_helper.sh - │   │   ├── support - │   │   │   ├── jq_matcher.sh - │   │   │   └── task_run_subject.sh - │   │   ├── test1.yaml - │   │   ├── test2.yml - │   │   ├── test3.yaml - │   │   └── tkn-bundle_spec.sh - │   ├── TESTING.md - │   └── tkn-bundle.yaml - └── OWNERS - -Only the `0.1/tkn-bundle.yaml` file will be included in the bundle. 
+## Parameters +|name|description|default value|required| +|---|---|---|---| +|IMAGE|Reference of the image task will produce.||true| +|CONTEXT|Path to the directory to use as context.|.|false| +|HOME|Value for the HOME environment variable.|/tekton/home|false| +|STEPS_IMAGE|An optional image to configure task steps with in the bundle|""|false| ## Results - -The task emits the following results. - -| Name | Example | Description | -|--------------|-------------------------|-----------------------------------------------------------------| -| IMAGE_URL | registry.io/my-task:tag | Image repository where the built image was pushed with tag only | -| IMAGE_DIGEST | abc... | Digest of the image just built | +|name|description| +|---|---| +|IMAGE_DIGEST|Digest of the image just built| +|IMAGE_URL|Image repository where the built image was pushed with tag only| +|IMAGE_REF|Image reference of the built image| + +## Workspaces +|name|description|optional| +|---|---|---| +|source||false| diff --git a/task/tkn-bundle/0.1/tkn-bundle.yaml b/task/tkn-bundle/0.1/tkn-bundle.yaml index 4a52ee15cc..24abb3988c 100644 --- a/task/tkn-bundle/0.1/tkn-bundle.yaml +++ b/task/tkn-bundle/0.1/tkn-bundle.yaml @@ -32,6 +32,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed with tag only name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF stepTemplate: env: - name: HOME @@ -134,7 +136,9 @@ spec: $(printf ' -f %s' "${FILES[@]}") \ |tee /proc/self/fd/3)" echo -n "$IMAGE" > $(results.IMAGE_URL.path) - echo -n "${OUT#*Pushed Tekton Bundle to *@}" > $(results.IMAGE_DIGEST.path) + digest="${OUT#*Pushed Tekton Bundle to *@}"" + echo -n "${digest}" > $(results.IMAGE_DIGEST.path) + echo -n "${IMAGE}@${digest}" > "$(results.IMAGE_REF.path)" # cleanup task file [[ -f "${TASK_FILE}" ]] && rm -f "${TASK_FILE}"
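Review bot: In task/tkn-bundle/0.1/tkn-bundle.yaml (hunk `@@ -134,7 +136,9 @@`), the new line `digest="${OUT#*Pushed Tekton Bundle to *@}""` ends with two double quotes. The second quote opens a new string, so the two `echo -n` lines after it are parsed as part of a quoted word instead of as commands, and neither IMAGE_DIGEST nor IMAGE_REF is written as intended. Drop the trailing quote so the line reads `digest="${OUT#*Pushed Tekton Bundle to *@}"`.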
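Review bot: In task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml (hunk `@@ -186,6 +188,7 @@`), IMAGE_REF is built from `${IMAGE_INDEX_DIGEST}`, but the context lines resolve the digest into `RESULTING_DIGEST` and publish that as IMAGE_DIGEST, and the matching line in task/oci-copy/0.1/oci-copy.yaml uses `${IMAGE}@${RESULTING_DIGEST}`. Nothing visible in this hunk sets IMAGE_INDEX_DIGEST; if it is unset the result is `IMAGE@` with no digest, which a consumer cannot use to pin the artifact. Suggest `${RESULTING_DIGEST}` here so IMAGE_REF and IMAGE_DIGEST always agree.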
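Review bot: The block `{ echo -n "${IMAGE}@"; cat ".../image-digest"; } > "$(results.IMAGE_REF.path)"` added to buildah.yaml, buildah-remote.yaml, buildah-oci-ta.yaml, buildah-remote-oci-ta.yaml, rpm-ostree.yaml, s2i-java.yaml and s2i-nodejs.yaml appends the digest to IMAGE unchanged, and the format of the result is not documented. IMAGE can carry a tag (the rpm-ostree context line right below strips it with `sbom_repo="${IMAGE%:*}"`), so the value is `repo:tag@digest`, while the description only says "Image reference of the built image". Suggest stating the form in the result description so consumers that parse it know what to expect. Because `echo` runs before `cat`, a missing image-digest file also leaves a bare `IMAGE@` in the result; reading the digest into a variable first and checking it is non-empty would avoid that. Minor: the redirect is written `} >"..."` in some files and `} > "..."` in others.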
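Review bot: In task/source-build/0.1/source-build.yaml and task/source-build-oci-ta/0.1/source-build-oci-ta.yaml, the added `jq -r '"\(.image_url)@\(.image_digest)"' "${RESULT_FILE}"` has no check for missing fields. String interpolation renders an absent key as `null` and jq still exits 0, so a RESULT_FILE without `image_url` or `image_digest` produces the literal `null@null` as IMAGE_REF. Suggest verifying both fields are present and non-empty before writing the result. Note also that `jq -r` ends its output with a newline, whereas the other tasks in this patch write IMAGE_REF with `echo -n`; pick one convention so downstream string comparisons behave the same across tasks.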
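Review bot: The task/oci-copy/0.1/README.md hunk (`@@ -1,70 +1,23 @@`) removes security-relevant documentation that has nothing to do with IMAGE_REF: the statement that the task "is not to be considered safe for general use", the top-level note that the bearer token is sent to all servers listed in oci-copy.yaml, and the whole oci-copy.yaml JSON schema including the `sha256sum` field description. The token warning now survives only inside the BEARER_TOKEN_SECRET_NAME table cell. If the README is regenerated from the task YAML, suggest moving these caveats and the schema into the task description so they are not lost. The new IMAGE_REF row also says "built image" while the neighbouring rows in the same hunk were reworded to "artifact just pushed".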
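Review bot: The task/tkn-bundle/0.1/README.md hunk (`@@ -1,51 +1,23 @@`) drops the documentation of CONTEXT semantics: the removed text explained that CONTEXT accepts multiple comma or space separated paths and `!` negation, with a worked example, while the new row says only "Path to the directory to use as context." Unless the behaviour changed, suggest keeping that explanation, since it determines which YAML files end up in the pushed bundle. The new Workspaces table also lists `source` with an empty description.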
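Review bot: In the new task/rpm-ostree/0.1/README.md, the BUILDER_IMAGE default `quay.io/redhat-user-workloads/project-sagano-tenant/ostree-builder/ostree-builder-fedora-38:d124414a81d17f31b1d734236f55272a241703d7` is pinned by tag only, without an `@sha256:` digest. The s2i-nodejs README hunk in this same patch moves BASE_IMAGE to a `tag@sha256:...` form; suggest doing the same for this default in rpm-ostree.yaml so the builder image cannot change under the same tag. The task description "RPM Ostree" is also too short to tell a reader what the task does.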