diff --git a/task/build-image-manifest/0.1/build-image-manifest.yaml b/task/build-image-manifest/0.1/build-image-manifest.yaml
index 2967c78248..fcfb205e75 100644
--- a/task/build-image-manifest/0.1/build-image-manifest.yaml
+++ b/task/build-image-manifest/0.1/build-image-manifest.yaml
@@ -105,3 +105,26 @@ spec:
capabilities:
add:
- SETFCAP
+
+ - name: push-dockerfile
+ image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39
+ env:
+ - name: IMAGE_DIGEST_FILE
+ value: $(results.IMAGE_DIGEST.path)
+ script: |
+ suffix=".dockerfile"
+ image_without_tag=${IMAGE%:*}
+ # remove the potential existing newline
+ manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n')
+ df_image=${image_without_tag}:${manifest_digest/:/-}${suffix}
+ artype=application/vnd.konflux.dockerfile
+
+ dockerfile_path=$(mktemp --suffix="${suffix}")
+
+ arch_image_digest=$(oras manifest fetch "$IMAGE" | yq -P -oy | yq '.manifests[0].digest')
+ oras pull "${image_without_tag}@${arch_image_digest/:/-}${suffix}" >"$dockerfile_path"
+
+ echo "Selecting auth for $IMAGE"
+ select-oci-auth $IMAGE >auth.json
+
+ retry oras push --no-tty --registry-config auth.json --artifact-type "$artype" "$df_image" "$dockerfile_path"
diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
index b1b6308d1d..65fe5cc534 100644
--- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml
@@ -248,6 +248,10 @@ spec:
echo "Cannot find Dockerfile $DOCKERFILE"
exit 1
fi
+
+ # Record the original Dockerfile for pushing later.
+ cp "$dockerfile_path" /shared/Dockerfile
+
if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
touch /var/lib/containers/java
@@ -544,3 +548,24 @@ spec:
- cyclonedx
- $(params.IMAGE)
workingDir: /var/workdir
+ - name: push-dockerfile
+ image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39
+ env:
+ - name: IMAGE_DIGEST_FILE
+ value: $(results.IMAGE_DIGEST.path)
+ - name: DOCKERFILE_PATH
+ value: /shared/Dockerfile
+ script: |
+ suffix=".dockerfile"
+ image_without_tag=${IMAGE%:*}
+ # remove the potential existing newline
+ manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n')
+ df_image=${image_without_tag}:${manifest_digest/:/-}${suffix}
+ artype=application/vnd.konflux.dockerfile
+
+ echo "Selecting auth for $IMAGE"
+ auth_json=$(mktemp)
+ select-oci-auth $IMAGE >"$auth_json"
+
+ cd "$(dirname $DOCKERFILE_PATH)"
+ retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artype" "$df_image" "$(basename $DOCKERFILE_PATH)"
diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
index c5569532c6..00cd3cb9d2 100644
--- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
+++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml
@@ -265,6 +265,10 @@ spec:
echo "Cannot find Dockerfile $DOCKERFILE"
exit 1
fi
+
+ # Record the original Dockerfile for pushing later.
+ cp "$dockerfile_path" /shared/Dockerfile
+
if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
touch /var/lib/containers/java
@@ -619,6 +623,28 @@ spec:
image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5
name: upload-sbom
workingDir: /var/workdir
+ - computeResources: {}
+ env:
+ - name: IMAGE_DIGEST_FILE
+ value: $(results.IMAGE_DIGEST.path)
+ - name: DOCKERFILE_PATH
+ value: /shared/Dockerfile
+ image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39
+ name: push-dockerfile
+ script: |
+ suffix=".dockerfile"
+ image_without_tag=${IMAGE%:*}
+ # remove the potential existing newline
+ manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n')
+ df_image=${image_without_tag}:${manifest_digest/:/-}${suffix}
+ artype=application/vnd.konflux.dockerfile
+
+ echo "Selecting auth for $IMAGE"
+ auth_json=$(mktemp)
+ select-oci-auth $IMAGE >"$auth_json"
+
+ cd "$(dirname $DOCKERFILE_PATH)"
+ retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artype" "$df_image" "$(basename $DOCKERFILE_PATH)"
volumes:
- name: additional-secret
secret:
diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml
index d884cd3d11..80b8069c70 100644
--- a/task/buildah-remote/0.1/buildah-remote.yaml
+++ b/task/buildah-remote/0.1/buildah-remote.yaml
@@ -257,6 +257,10 @@ spec:
echo "Cannot find Dockerfile $DOCKERFILE"
exit 1
fi
+
+ # Record the original Dockerfile for pushing later.
+ cp "$dockerfile_path" /shared/Dockerfile
+
if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
touch /var/lib/containers/java
@@ -616,6 +620,28 @@ spec:
image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5
name: upload-sbom
workingDir: $(workspaces.source.path)
+ - computeResources: {}
+ env:
+ - name: IMAGE_DIGEST_FILE
+ value: $(results.IMAGE_DIGEST.path)
+ - name: DOCKERFILE_PATH
+ value: /shared/Dockerfile
+ image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39
+ name: push-dockerfile
+ script: |
+ suffix=".dockerfile"
+ image_without_tag=${IMAGE%:*}
+ # remove the potential existing newline
+ manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n')
+ df_image=${image_without_tag}:${manifest_digest/:/-}${suffix}
+ artype=application/vnd.konflux.dockerfile
+
+ echo "Selecting auth for $IMAGE"
+ auth_json=$(mktemp)
+ select-oci-auth $IMAGE >"$auth_json"
+
+ cd "$(dirname $DOCKERFILE_PATH)"
+ retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artype" "$df_image" "$(basename $DOCKERFILE_PATH)"
volumes:
- emptyDir: {}
name: varlibcontainers
diff --git a/task/buildah-rhtap/0.1/buildah-rhtap.yaml b/task/buildah-rhtap/0.1/buildah-rhtap.yaml
index fe15071f82..e3e5b6e9e7 100644
--- a/task/buildah-rhtap/0.1/buildah-rhtap.yaml
+++ b/task/buildah-rhtap/0.1/buildah-rhtap.yaml
@@ -76,6 +76,8 @@ spec:
exit 1
fi
+ cp "$dockerfile_path" /tmp/files/Dockerfile
+
BUILDAH_ARGS=()
if [ -n "${BUILD_ARGS_FILE}" ]; then
BUILDAH_ARGS+=("--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}")
@@ -216,6 +218,28 @@ spec:
name: tmpfiles
workingDir: /tmp/files
+ - name: push-dockerfile
+ image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39
+ env:
+ - name: IMAGE_DIGEST_FILE
+ value: $(results.IMAGE_DIGEST.path)
+ - name: DOCKERFILE_PATH
+ value: /tmp/files/Dockerfile
+ script: |
+ suffix=".dockerfile"
+ image_without_tag=${IMAGE%:*}
+ # remove the potential existing newline
+ manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n')
+ df_image=${image_without_tag}:${manifest_digest/:/-}${suffix}
+ artype=application/vnd.konflux.dockerfile
+
+ echo "Selecting auth for $IMAGE"
+ auth_json=$(mktemp)
+ select-oci-auth $IMAGE >"$auth_json"
+
+ cd $(dirname "$DOCKERFILE_PATH")
+ retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artype" "$df_image" "$(basename $DOCKERFILE_PATH)"
+
volumes:
- emptyDir: {}
name: varlibcontainers
diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml
index 54bca444a7..98d5272ca7 100644
--- a/task/buildah/0.1/buildah.yaml
+++ b/task/buildah/0.1/buildah.yaml
@@ -112,6 +112,7 @@ spec:
type: string
- name: JAVA_COMMUNITY_DEPENDENCIES
description: The Java dependencies that came from community sources such as Maven central.
+
stepTemplate:
volumeMounts:
- mountPath: /shared
@@ -202,6 +203,10 @@ spec:
echo "Cannot find Dockerfile $DOCKERFILE"
exit 1
fi
+
+ # Record the original Dockerfile for pushing later.
+ cp "$dockerfile_path" /shared/Dockerfile
+
if [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && grep -q '^\s*RUN \(./\)\?mvn' "$dockerfile_path"; then
sed -i -e "s|^\s*RUN \(\(./\)\?mvn\)\(.*\)|RUN echo \"mirror.defaulthttp://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/*\" > /tmp/settings.yaml; \1 -s /tmp/settings.yaml \3|g" "$dockerfile_path"
touch /var/lib/containers/java
@@ -520,6 +525,28 @@ spec:
- $(params.IMAGE)
workingDir: $(workspaces.source.path)
+ - name: push-dockerfile
+ image: quay.io/konflux-ci/oras@sha256:5d0a8a5535fcc4ba467264cacbdeab2fb8662a538a61cb7fc8b3155e3f20fa39
+ env:
+ - name: IMAGE_DIGEST_FILE
+ value: $(results.IMAGE_DIGEST.path)
+ - name: DOCKERFILE_PATH
+ value: /shared/Dockerfile
+ script: |
+ suffix=".dockerfile"
+ image_without_tag=${IMAGE%:*}
+ # remove the potential existing newline
+ manifest_digest=$(cat "${IMAGE_DIGEST_FILE}" | tr -d '\r\n')
+ df_image=${image_without_tag}:${manifest_digest/:/-}${suffix}
+ artype=application/vnd.konflux.dockerfile
+
+ echo "Selecting auth for $IMAGE"
+ auth_json=$(mktemp)
+ select-oci-auth $IMAGE >"$auth_json"
+
+ cd "$(dirname $DOCKERFILE_PATH)"
+ retry oras push --no-tty --registry-config "$auth_json" --artifact-type "$artype" "$df_image" "$(basename $DOCKERFILE_PATH)"
+
volumes:
- name: varlibcontainers
emptyDir: {}