Merge branch 'main' into bazel

konflux-ci · Oct 22, 2024 · 3debedf · 3debedf
2 parents 29d4e95 + 0244d30
commit 3debedf
Show file tree

Hide file tree

Showing 13 changed files with 134 additions and 15 deletions.
diff --git a/.github/workflows/check-ta.yaml b/.github/workflows/check-ta.yaml
@@ -12,6 +12,9 @@ jobs:
       - name: Check Trusted Artifact variants
         id: check
         run: hack/generate-ta-tasks.sh
+      - name: Check missing Trusted Artifact variants
+        id: missing
+        run: hack/missing-ta-tasks.sh
       - name: Attach patch
         if: ${{ always() && steps.check.conclusion == 'failure' }}
         uses: actions/upload-artifact@v4

diff --git a/.tekton/pull-request.yaml b/.tekton/pull-request.yaml
@@ -54,13 +54,13 @@ spec:
             workspace: workspace
       - name: sast-unicode-check
         runAfter:
-          - build-container
+          - build-appstudio-utils
         taskRef:
           name: sast-unicode-check
         workspaces:
           - name: workspace
             workspace: workspace
-      - name: build-container
+      - name: build-appstudio-utils
         runAfter:
           - task-lint-check
         params:
@@ -75,7 +75,7 @@ spec:
             workspace: workspace
       - name: check-partner-tasks
         runAfter:
-          - build-container
+          - build-appstudio-utils
         taskSpec:
           steps:
             - name: check-task-structure
@@ -131,7 +131,7 @@ spec:
           - name: e2e_test_namespace
             value: $(params.e2e_test_namespace)
         runAfter:
-          - build-container
+          - build-appstudio-utils
         workspaces:
           - name: source
             workspace: workspace

diff --git a/.tekton/push.yaml b/.tekton/push.yaml
@@ -62,7 +62,7 @@ spec:
         workspaces:
           - name: source
             workspace: workspace
-      - name: build-container
+      - name: build-appstudio-utils
         params:
           - name: IMAGE
             value: quay.io/konflux-ci/appstudio-utils:{{ revision }}
@@ -79,11 +79,11 @@ spec:
       - name: apply-additional-image-tags
         params:
           - name: IMAGE
-            value: $(tasks.build-container.results.IMAGE_URL)
+            value: $(tasks.build-appstudio-utils.results.IMAGE_URL)
           - name: ADDITIONAL_TAGS
             value: ["latest"]
         runAfter:
-          - build-container
+          - build-appstudio-utils
         taskRef:
           name: apply-tags
 
@@ -92,7 +92,7 @@ spec:
           - name: revision
             value: "$(params.revision)"
         runAfter:
-          - build-container
+          - build-appstudio-utils
           - ec-task-checks
         workspaces:
           - name: source

diff --git a/appstudio-utils/Dockerfile b/appstudio-utils/Dockerfile
@@ -14,6 +14,7 @@ RUN dnf -y --setopt=tsflags=nodocs install \
     skopeo \
     make \
     golang \
+    zip \
     && dnf clean all
 
 COPY util-scripts /appstudio-utils/util-scripts
diff --git a/hack/missing-ta-tasks.sh b/hack/missing-ta-tasks.sh
@@ -0,0 +1,115 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+shopt -s globstar
+
+git_root=$(git rev-parse --show-toplevel)
+policy_file="${git_root}/policies/all-tasks.yaml"
+
+tmp_files=()
+trap 'rm "${tmp_files[@]}" > /dev/null 2>&1' EXIT
+
+# Tasks that are currently missing Trusted Artifact variant
+todo=(
+  task/buildah-10gb/0.2/kustomization.yaml
+  task/buildah-20gb/0.2/kustomization.yaml
+  task/buildah-24gb/0.2/kustomization.yaml
+  task/buildah-6gb/0.2/kustomization.yaml
+  task/buildah-8gb/0.2/kustomization.yaml
+  task/buildah-min/0.2/kustomization.yaml
+  task/buildah-rhtap/0.1/buildah-rhtap.yaml
+  task/download-sbom-from-url-in-attestation/0.1/download-sbom-from-url-in-attestation.yaml
+  task/fbc-related-image-check/0.1/fbc-related-image-check.yaml
+  task/fbc-validation/0.1/fbc-validation.yaml
+  task/gather-deploy-images/0.1/gather-deploy-images.yaml
+  task/generate-odcs-compose/0.2/generate-odcs-compose.yaml
+  task/generate-odcs-compose/0.2/kustomization.yaml
+  task/inspect-image/0.1/inspect-image.yaml
+  task/operator-sdk-generate-bundle/0.1/operator-sdk-generate-bundle.yaml
+  task/opm-get-bundle-version/0.1/opm-get-bundle-version.yaml
+  task/opm-render-bundles/0.1/opm-render-bundles.yaml
+  task/sast-unicode-check/0.1/sast-unicode-check.yaml
+  task/slack-webhook-notification/0.1/slack-webhook-notification.yaml
+  task/summary/0.2/summary.yaml
+  task/tkn-bundle/0.1/tkn-bundle.yaml
+  task/update-infra-deployments/0.1/update-infra-deployments.yaml
+  task/upload-sbom-to-trustification/0.1/upload-sbom-to-trustification.yaml
+  task/verify-enterprise-contract/0.1/kustomization.yaml
+  task/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml
+)
+
+emit() {
+  kind="$1"
+  file="$2"
+  msg="$3"
+  if [ "${GITHUB_ACTIONS:-false}" == "true" ]; then
+    printf "::${kind} file=%s,line=1,col=0::%s\n" "${file}" "${msg}"
+  else
+    printf "${kind@U}: \033[1m%s\033[0m %s\n" "${file}" "${msg}"
+  fi
+}
+
+{
+  cd "${git_root}"
+  missing=0
+  for task in task/**/*.yaml; do
+      task_file="${task}"
+      case "${task}" in
+          */kustomization.yaml)
+              tmp=$(mktemp)
+              tmp_files+=("${tmp}")
+              kustomize build "${task%/kustomization.yaml}" > "${tmp}"
+              task_file="${tmp}"
+              ;;
+          */recipe.yaml | */patch.yaml)
+              continue
+              ;;
+      esac
+
+      for t in "${todo[@]}"; do
+        if [[ "${t}" == "${task}" ]]; then
+          emit warning "${task}" 'TODO: Task needs a Trusted Artifacts variant created'
+          continue 2
+        fi
+      done
+
+      # we are looking at a Task
+      yq -e '.kind != "Task"' "${task_file}" > /dev/null 2>&1 && continue
+
+      # path elements of the task file path
+      readarray -d / paths <<< "${task}"
+      # PVC non-optional workspaces used
+      readarray -t workspaces <<< "$(yq ea '[select(fileIndex == 0).spec.workspaces[] | .name] - [select(fileIndex == 1).sources[].ruleData.allowed_trusted_artifacts_workspaces[] | .] | .[] | {"x": .} | "\(.x)"' "${task_file}" "${policy_file}")"
+
+      # is the task using a workspace(s) to share files?
+      [[ "${#workspaces}" -eq 0 ]] && continue
+
+      # is there a newer version of the task
+      base_task_path=("${paths[@]}")
+      unset 'base_task_path[-1]'
+      version="${base_task_path[-1]/\/}"
+      unset 'base_task_path[-1]'
+      for dir in $(IFS=''; echo "${base_task_path[*]}*"); do
+          [[ ! -d "${dir}" ]] && continue
+          [[ "${version}" < "${dir/*\/}" ]] && continue 2
+      done
+
+      # there is no Trusted Artifacts variant of the task
+      unset 'paths[-1]'
+      paths[-2]="${paths[-2]%/}-oci-ta/"
+      ta_dir="$(IFS=''; echo "${paths[*]}")"
+      if [[ ! -d "${ta_dir}" ]]; then
+          emit error "${task}" "Task is using a workspace(s): ${workspaces[*]}, to share data and needs a corresponding Trusted Artifacts Task variant in ${ta_dir}"
+          missing=$((missing + 1))
+      fi
+  done
+
+  if [[ ${missing} -gt 0 ]]; then
+    if [ "${GITHUB_ACTIONS:-false}" == "true" ]; then
+      echo '::notice title=Missing Trusted Artifact Task Variant::Found Tasks that share data via PersistantVolumeClaim volumes without a corresponding Trusted Artifacts Variant. Please create the Trusted Artifacts Variant of the Task as well'
+      exit 1
+    fi
+  fi
+}
diff --git a/pipelines/docker-build-multi-platform-oci-ta/README.md b/pipelines/docker-build-multi-platform-oci-ta/README.md
@@ -10,7 +10,7 @@ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/reposito
 |build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-images:0.2:BUILD_ARGS|
 |build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-images:0.2:BUILD_ARGS_FILE|
 |build-image-index| Add built image into an OCI image index| true| build-image-index:0.1:ALWAYS_BUILD_INDEX|
-|build-platforms| List of platforms to build the container images on. The available set of values is determined by the configuration of the multi-platform-controller.| ['linux/x86_64', 'linux/arm64']| |
+|build-platforms| List of platforms to build the container images on. The available set of values is determined by the configuration of the multi-platform-controller.| ['linux/x86_64']| |
 |build-source-image| Build a source image.| false| |
 |dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-images:0.2:DOCKERFILE ; push-dockerfile:0.1:DOCKERFILE|
 |git-url| Source Repository URL| None| clone-repository:0.1:url|

diff --git a/pipelines/docker-build-multi-platform-oci-ta/patch.yaml b/pipelines/docker-build-multi-platform-oci-ta/patch.yaml
@@ -85,4 +85,3 @@
     type: array
     default:
       - "linux/x86_64"
-      - "linux/arm64"
diff --git a/policies/all-tasks.yaml b/policies/all-tasks.yaml
@@ -12,6 +12,7 @@ sources:
         - basic-auth
         - ssh-directory
         - netrc
+        - gitops-auth
       required_task_results:
         # Certain EC rules rely on the presence of these results when validating an image.
         - task: clair-scan

diff --git a/task/clamav-scan/0.1/clamav-scan.yaml b/task/clamav-scan/0.1/clamav-scan.yaml
@@ -96,7 +96,7 @@ spec:
               exit 0
             fi
 
-            timeout=1200  # 20 minutes
+            timeout=2400  # 40 minutes
             interval=20  # interval between checks in seconds
             elapsed=0
 

diff --git a/task/show-sbom-rhdh/0.1/README.md b/task/show-sbom-rhdh/0.1/README.md
@@ -1,6 +1,6 @@
 # show-sbom-rhdh task
 
-Shows the Software Bill of Materials (SBOM) generated for the built image in CyloneDX JSON format.
+Shows the Software Bill of Materials (SBOM) generated for the built image.
 The 'task.*' annotations are processed by Red Hat Developer Hub (RHDH) so that the log content can be rendered in its UI.
 
 ## Parameters

diff --git a/task/show-sbom-rhdh/0.1/show-sbom-rhdh.yaml b/task/show-sbom-rhdh/0.1/show-sbom-rhdh.yaml
@@ -14,7 +14,7 @@ metadata:
     task.output.location: results
 spec:
   description: >-
-    Shows the Software Bill of Materials (SBOM) generated for the built image in CyloneDX JSON format.
+    Shows the Software Bill of Materials (SBOM) generated for the built image.
     The 'task.*' annotations are processed by Red Hat Developer Hub (RHDH) so that the log content can be rendered in its UI.
   params:
     - name: IMAGE_URL

diff --git a/task/show-sbom/0.1/README.md b/task/show-sbom/0.1/README.md
@@ -1,6 +1,6 @@
 # show-sbom task
 
-Shows the Software Bill of Materials (SBOM) generated for the built image in CyloneDX JSON format.
+Shows the Software Bill of Materials (SBOM) generated for the built image.
 
 The parameter named PLATFORM can be used to specify the arch to display the sbom for in the case of a multi-arch image. 
 In the case of a single arch image, the parameter is ignored. 

diff --git a/task/show-sbom/0.1/show-sbom.yaml b/task/show-sbom/0.1/show-sbom.yaml
@@ -10,7 +10,7 @@ metadata:
     tekton.dev/tags: "konflux"
 spec:
   description: >-
-    Shows the Software Bill of Materials (SBOM) generated for the built image in CyloneDX JSON format.
+    Shows the Software Bill of Materials (SBOM) generated for the built image.
   params:
     - name: IMAGE_URL
       description: Fully qualified image name to show SBOM for.