From 45783a5b7d14b1287b1679da99245d6753faf0b0 Mon Sep 17 00:00:00 2001 From: Luiz Carvalho Date: Wed, 15 May 2024 10:24:46 -0400 Subject: [PATCH] Implement the source-build-oci-ta Task Ref: EC-554 Co-authored-by: Zoran Regvart Signed-off-by: Luiz Carvalho --- task/source-build-oci-ta/0.1/README.md | 8 ++-- .../0.1/source-build-oci-ta.yaml | 37 ++++++++++++------- 2 files changed, 26 insertions(+), 19 deletions(-) diff --git a/task/source-build-oci-ta/0.1/README.md b/task/source-build-oci-ta/0.1/README.md index e1f45d9299..6f7b3ee2c4 100644 --- a/task/source-build-oci-ta/0.1/README.md +++ b/task/source-build-oci-ta/0.1/README.md @@ -1,4 +1,4 @@ -# source-build task +# source-build-oci-ta task Source image build. @@ -7,6 +7,8 @@ Source image build. |---|---|---|---| |BINARY_IMAGE|Binary image name from which to generate the source image name.||true| |BASE_IMAGES|Base images used to build the binary image. Each image per line in the same order of FROM instructions specified in a multistage Dockerfile. Default to an empty string, which means to skip handling a base image.|""|false| +|SOURCE_ARTIFACT|The trusted artifact URI containing the application source code.||true| +|CACHI2_ARTIFACT|The trusted artifact URI containing the prefetched dependencies.|""|false| ## Results |name|description| @@ -15,7 +17,3 @@ Source image build. |SOURCE_IMAGE_URL|The source image url.| |SOURCE_IMAGE_DIGEST|The source image digest.| -## Workspaces -|name|description|optional| -|---|---|---| -|workspace|The workspace where source code is included.|false| diff --git a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml index 7784d707bd..ec6ab640c0 100644 --- a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml +++ b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml 
@@ -2,7 +2,7 @@ apiVersion: tekton.dev/v1 kind: Task metadata: - name: source-build + name: source-build-oci-ta labels: app.kubernetes.io/version: "0.1" annotations: @@ -21,6 +21,14 @@ spec: to skip handling a base image. type: string default: "" + - name: SOURCE_ARTIFACT + description: The trusted artifact URI containing the application source code. + type: string + - name: CACHI2_ARTIFACT + description: The trusted artifact URI containing the prefetched dependencies. + type: string + default: "" + results: - name: BUILD_RESULT description: Build result. @@ -28,18 +36,22 @@ spec: description: The source image url. - name: SOURCE_IMAGE_DIGEST description: The source image digest. - workspaces: - - name: workspace - description: The workspace where source code is included. volumes: - name: source-build-work-place emptyDir: {} + stepTemplate: + volumeMounts: + - name: source-build-work-place + mountPath: /var/source-build steps: + - name: use-trusted-artifact + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d + args: + - use + - $(params.SOURCE_ARTIFACT)=/var/source-build/source + - $(params.CACHI2_ARTIFACT)=/var/source-build/cachi2 - name: build image: quay.io/redhat-appstudio/build-definitions-source-image-build-utils@sha256:cd87bbe51f1c22ff7578f5c9caf19db4f9ee7aefd0307288383b9bd478cdf856 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. computeResources: limits: memory: 2Gi 
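Review bot: The descriptions added for `SOURCE_ARTIFACT` and `CACHI2_ARTIFACT` do not say what form the URI must take, yet the integrity of this task depends on it. If the `use` helper verifies the content against a digest carried in the URI (not visible in this patch), state that, e.g. `description: The trusted artifact URI (must include the content digest) containing the application source code.` Presumably the value is meant to come from an earlier task's result rather than from a free-form pipeline parameter, and that is also worth one sentence in the description or the README table.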
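Review bot: In the new `use-trusted-artifact` step, `CACHI2_ARTIFACT` defaults to `""`, so the second argument renders as `=/var/source-build/cachi2`. The patch does not show whether `use` skips an empty URI or fails on it, so the default case needs a test or an explicit guard. The same hunk removes the comment that explained why images are referenced by digest, while the new reference carries both `:latest` and a digest. The digest is what gets pulled and the tag is ignored for resolution, so a short comment would help: `# pinned by digest; the :latest tag is not used for resolution (presumably kept as a cue for update automation)`. The new step also sets no `computeResources` or `securityContext` of its own in the visible lines, unlike `build`.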
@@ -52,26 +64,23 @@ spec: capabilities: add: - SETFCAP - volumeMounts: - - name: source-build-work-place - mountPath: /var/source-build env: - name: BINARY_IMAGE value: "$(params.BINARY_IMAGE)" - name: SOURCE_DIR - value: "$(workspaces.workspace.path)/source" + value: "/var/source-build/source" - name: BASE_IMAGES value: "$(params.BASE_IMAGES)" - name: RESULT_FILE value: "$(results.BUILD_RESULT.path)" - name: CACHI2_ARTIFACTS_DIR - value: "$(workspaces.workspace.path)/cachi2" + value: "/var/source-build/cachi2" - name: RESULT_SOURCE_IMAGE_URL value: "$(results.SOURCE_IMAGE_URL.path)" - name: RESULT_SOURCE_IMAGE_DIGEST value: "$(results.SOURCE_IMAGE_DIGEST.path)" - name: WS_BUILD_RESULT_FILE - value: "$(workspaces.workspace.path)/source_build_result.json" + value: "/var/source-build/source_build_result.json" script: | #!/usr/bin/env bash set -euo pipefail @@ -84,7 +93,7 @@ spec: ## This is needed for the builds performed by the rpm-ostree task ## otherwise, we can see this error: - ## "fatal: detected dubious ownership in repository at '/workspace/workspace/source'" + ## "fatal: detected dubious ownership in repository at '/var/source-build/source'" ## git config --global --add safe.directory $SOURCE_DIR
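Review bot: `WS_BUILD_RESULT_FILE` now points into `/var/source-build`, which is the `emptyDir` volume, so `source_build_result.json` no longer outlives the task; before this change it was written to the shared workspace. Anything downstream that read the file from the workspace will now find nothing, and the `WS_` prefix no longer describes where it lives. Either drop the variable if the script only uses it as scratch, or add a comment such as `# scratch copy on the emptyDir; consumers must read the BUILD_RESULT result instead`. The script body that uses these variables lies outside this hunk.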