diff --git a/task/buildah-oci-ta/0.2/README.md b/task/buildah-oci-ta/0.2/README.md index 532e96b0c1..bfa06e6cee 100644 --- a/task/buildah-oci-ta/0.2/README.md +++ b/task/buildah-oci-ta/0.2/README.md @@ -38,6 +38,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| +|IMAGE_REF|Image reference of the built image| |IMAGE_URL|Image repository where the built image was pushed| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 1551ce3577..952535b8e6 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -129,6 +129,8 @@ spec: results: - name: IMAGE_DIGEST description: Digest of the image just built + - name: IMAGE_REF + description: Image reference of the built image - name: IMAGE_URL description: Image repository where the built image was pushed - name: JAVA_COMMUNITY_DEPENDENCIES @@ -559,6 +561,10 @@ spec: cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "/var/workdir/image-digest" + } >"$(results.IMAGE_REF.path)" securityContext: capabilities: add: diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 45baf3dc00..95acc3aa74 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml 
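Review bot: In the `@@ -559,6 +561,10 @@` hunk of buildah-oci-ta.yaml, the redirect on the `{ … } >"$(results.IMAGE_REF.path)"` group creates the result file before `cat` runs, so a missing or empty `/var/workdir/image-digest` leaves IMAGE_REF as `<image>@` with no digest; whether the step aborts in that case depends on shell options set outside the hunk. Anything that treats IMAGE_REF as a digest-pinned reference for signing, attestation or policy checks should get either a well-formed value or a failed step, so I would read and check the digest first: `digest="$(cat /var/workdir/image-digest)"`, `[ -n "$digest" ] || exit 1`, `echo -n "${IMAGE}@${digest}" >"$(results.IMAGE_REF.path)"`. The same group is added in the script hunks of buildah-remote-oci-ta, buildah-remote, buildah, rpm-ostree, s2i-java and s2i-nodejs, reading the digest file from `/var/workdir` or `$(workspaces.source.path)`. `$IMAGE` appears to carry a tag (the rpm-ostree context strips one from it), so the value has the `repo:tag@digest` form, and the result description could say so.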
@@ -130,6 +130,8 @@ spec: results: - description: Digest of the image just built name: IMAGE_DIGEST + - description: Image reference of the built image + name: IMAGE_REF - description: Image repository where the built image was pushed name: IMAGE_URL - description: The Java dependencies that came from community sources such as Maven @@ -630,6 +632,10 @@ spec: cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "/var/workdir/image-digest" + } >"$(results.IMAGE_REF.path)" securityContext: capabilities: add: diff --git a/task/buildah-remote/0.2/README.md b/task/buildah-remote/0.2/README.md new file mode 100644 index 0000000000..71b2baa59b --- /dev/null +++ b/task/buildah-remote/0.2/README.md 
@@ -0,0 +1,48 @@ +# buildah-remote task + +Buildah task builds source code into a container image and pushes the image into container registry using buildah tool. +In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool. +When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. +When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|IMAGE|Reference of the image buildah will produce.||true| +|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| +|CONTEXT|Path to the directory to use as context.|.|false| +|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| +|HERMETIC|Determines if build will be executed without network access.|false|false| +|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| +|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false| +|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false| +|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false| +|TARGET_STAGE|Target stage in Dockerfile to build. 
If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false| +|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false| +|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false| +|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| +|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| +|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false| +|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| +|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false| +|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false| +|PLATFORM|The platform to build on||true| + +## Results +|name|description| +|---|---| +|IMAGE_DIGEST|Digest of the image just built| +|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| +|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| +|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| + +## Workspaces +|name|description|optional| +|---|---|---| +|source|Workspace containing the source code to build.|false| diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 1c405b0103..97db9ded53 100644 
--- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -123,6 +123,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: The counting of Java components by publisher in JSON format name: SBOM_JAVA_COMPONENTS_COUNT type: string @@ -612,6 +614,10 @@ spec: cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" securityContext: capabilities: add: diff --git a/task/buildah/0.2/README.md b/task/buildah/0.2/README.md index a9da914b81..5dabbe3e4f 100644 --- a/task/buildah/0.2/README.md +++ b/task/buildah/0.2/README.md @@ -9,11 +9,9 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |name|description|default value|required| |---|---|---|---| |IMAGE|Reference of the image buildah will produce.||true| -|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false| |DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| |CONTEXT|Path to the directory to use as context.|.|false| |TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| -|DOCKER_AUTH|unused, should be removed in next task version|""|false| |HERMETIC|Determines if build will be executed without network access.|false|false| |PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| 
@@ -39,6 +37,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |---|---| |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index fbca62f1d6..aefbf3757e 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -109,6 +109,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - name: SBOM_JAVA_COMPONENTS_COUNT description: The counting of Java components by publisher in JSON format type: string @@ -509,6 +511,10 @@ spec: cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" securityContext: runAsUser: 0 diff --git a/task/oci-copy-oci-ta/0.1/README.md b/task/oci-copy-oci-ta/0.1/README.md index 0067af0fad..65162767f5 100644 --- a/task/oci-copy-oci-ta/0.1/README.md +++ b/task/oci-copy-oci-ta/0.1/README.md @@ -14,6 +14,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in |name|description| |---|---| |IMAGE_DIGEST|Digest of the artifact just pushed| +|IMAGE_REF|Image reference of the built image| |IMAGE_URL|Repository where the artifact was pushed| |SBOM_BLOB_URL|Link to the SBOM blob pushed to the registry.| diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml index 65f3f65d4d..4450b27fdd 100644 --- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml 
+++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml @@ -35,6 +35,8 @@ spec: results: - name: IMAGE_DIGEST description: Digest of the artifact just pushed + - name: IMAGE_REF + description: Image reference of the built image - name: IMAGE_URL description: Repository where the artifact was pushed - name: SBOM_BLOB_URL @@ -193,6 +195,7 @@ spec: RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}") echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)" echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)" + echo -n "${IMAGE}@${RESULTING_DIGEST}" >"$(results.IMAGE_REF.path)" computeResources: limits: memory: 1Gi diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md index 8bec2f57ff..2537498b88 100644 --- a/task/oci-copy/0.1/README.md +++ b/task/oci-copy/0.1/README.md 
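Review bot: The digest written into IMAGE_REF in the `@@ -193,6 +195,7 @@` hunk is the one `oras resolve` returns for the tag after the push (context line above), not one reported by the push itself, so if the tag is moved between the two calls the result pins a different artifact than the one this step uploaded. The push step is outside the hunk, so I cannot tell whether its digest is available; if it is, using it here would make IMAGE_REF describe exactly what was pushed. An empty `RESULTING_DIGEST` would also produce `<image>@`, so a guard such as `[ -n "$RESULTING_DIGEST" ] || exit 1` before the three result writes is worth adding unless the script already aborts on a failed command substitution. The identical line is added in oci-copy.yaml (`@@ -178,6 +180,7 @@`).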
@@ -1,70 +1,23 @@ # oci-copy task -Given an `oci-copy.yaml` file in the user's source directory, the `oci-copy` task will copy content from arbitrary urls into the OCI registry. - -It generates a limited SBOM and pushes that into the OCI registry alongside the image. - -It is not to be considered safe for general use as it cannot provide a high degree of provenance for artficats and reports them only as "general" type artifacts in the purl spec it reports in the SBOM. Use only in limited situations. - -Note: the bearer token secret, if specified, will be sent to **all servers listed in the oci-copy.yaml file**. +Given a file in the user's source directory, copy content from arbitrary urls into the OCI registry. ## Parameters |name|description|default value|required| |---|---|---|---| -|IMAGE|Reference of the image buildah will produce.||true| +|IMAGE|Reference of the image we will push||true| |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| -|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|"does-not-exist"|false| - +|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. 
If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|does-not-exist|false| ## Results |name|description| |---|---| -|IMAGE_DIGEST|Digest of the image just built| -|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_DIGEST|Digest of the artifact just pushed| +|IMAGE_URL|Repository where the artifact was pushed| |SBOM_BLOB_URL|Link to the SBOM blob pushed to the registry.| +|IMAGE_REF|Image reference of the built image| ## Workspaces |name|description|optional| |---|---|---| -|source|Workspace containing the source code to copy.|false| - -## oci-copy.yaml schema -JSON schema for the `oci-copy.yaml` file. - -```json -{ - "type": "object", - "required": ["artifacts", "artifact_type"], - "properties": { - "artifact_type": { - "description": "Artifact type to be applied to the top-level OCI artifact, i.e. `application/x-mlmodel`", - "type": "string" - }, - "artifacts": { - "type": "array", - "items": { - "type": "object", - "required": ["source", "filename", "type", "sha256sum"], - "properties": { - "source": { - "description": "URL of the artifact to copy", - "type": "string" - }, - "filename": { - "description": "Filename that should be applied to the artifact in the OCI registry", - "type": "string" - }, - "type": { - "description": "Media type that should be applied to the artifact in the OCI registry", - "type": "string" - }, - "sha256sum": { - "description": "Digest of the artifact to be checked before copy", - "type": "string" - } - } - } - } - } -} -``` +|source|Workspace containing the source artifacts to copy|false| diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml index 58407d9c2f..d6e27d5ea5 100644 --- a/task/oci-copy/0.1/oci-copy.yaml +++ b/task/oci-copy/0.1/oci-copy.yaml 
@@ -32,6 +32,8 @@ spec: name: IMAGE_URL - description: Link to the SBOM blob pushed to the registry. name: SBOM_BLOB_URL + - name: IMAGE_REF + description: Image reference of the built image stepTemplate: env: - name: OCI_COPY_FILE @@ -178,6 +180,7 @@ spec: RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}") echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)" echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)" + echo -n "${IMAGE}@${RESULTING_DIGEST}" >"$(results.IMAGE_REF.path)" volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers diff --git a/task/rpm-ostree/0.1/README.md b/task/rpm-ostree/0.1/README.md new file mode 100644 index 0000000000..44b86d3fc0 --- /dev/null +++ b/task/rpm-ostree/0.1/README.md 
@@ -0,0 +1,31 @@ +# rpm-ostree task + +RPM Ostree + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|IMAGE|Reference of the image rpm-ostree will produce.||true| +|BUILDER_IMAGE|The location of the rpm-ostree builder image.|quay.io/redhat-user-workloads/project-sagano-tenant/ostree-builder/ostree-builder-fedora-38:d124414a81d17f31b1d734236f55272a241703d7|false| +|CONTEXT|Path to the directory to use as context.|.|false| +|IMAGE_FILE|The file to use to build the image||true| +|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| +|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| +|PLATFORM|The platform to build on||true| +|CONFIG_FILE|The relative path of the file used to configure the rpm-ostree tool found in source control. See https://github.com/coreos/rpm-ostree/blob/main/docs/container.md#adding-container-image-configuration|""|false| +|HERMETIC|Determines if build will be executed without network access.|false|false| + +## Results +|name|description| +|---|---| +|IMAGE_DIGEST|Digest of the image just built| +|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| +|BASE_IMAGES_DIGESTS|Digests of the base images used for build| +|SBOM_BLOB_URL|Reference, including digest to the SBOM blob| + +## Workspaces +|name|description|optional| +|---|---|---| +|source|Workspace containing the source code to build.|false| diff --git a/task/rpm-ostree/0.1/rpm-ostree.yaml b/task/rpm-ostree/0.1/rpm-ostree.yaml index b24e79d395..560665af25 100644 --- a/task/rpm-ostree/0.1/rpm-ostree.yaml +++ b/task/rpm-ostree/0.1/rpm-ostree.yaml 
@@ -60,6 +60,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS - name: SBOM_BLOB_URL @@ -260,6 +262,10 @@ spec: cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } >"$(results.IMAGE_REF.path)" # Remove tag from IMAGE while allowing registry to contain a port number. sbom_repo="${IMAGE%:*}" diff --git a/task/s2i-java/0.1/README.md b/task/s2i-java/0.1/README.md index 0fa13a1e9a..617012f20d 100644 --- a/task/s2i-java/0.1/README.md +++ b/task/s2i-java/0.1/README.md 
@@ -12,15 +12,17 @@ When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup |PATH_CONTEXT|The location of the path to run s2i from|.|false| |TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| |IMAGE|Location of the repo where image has to be pushed||true| -|BUILDER_IMAGE|The location of the buildah builder image.|registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af|false| +|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false| |DOCKER_AUTH|unused, should be removed in next task version|""|false| |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| ## Results |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| diff --git a/task/s2i-java/0.1/s2i-java.yaml b/task/s2i-java/0.1/s2i-java.yaml index aa131be0c3..b55e26c015 100644 --- a/task/s2i-java/0.1/s2i-java.yaml +++ b/task/s2i-java/0.1/s2i-java.yaml @@ -56,6 +56,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS - name: SBOM_JAVA_COMPONENTS_COUNT 
@@ -253,6 +255,10 @@ spec: docker://$IMAGE cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" securityContext: runAsUser: 0 diff --git a/task/s2i-nodejs/0.1/README.md b/task/s2i-nodejs/0.1/README.md index d06149ce66..dca3d57a4d 100644 --- a/task/s2i-nodejs/0.1/README.md +++ b/task/s2i-nodejs/0.1/README.md 
@@ -7,20 +7,22 @@ In addition it generates a SBOM file, injects the SBOM file into final container ## Parameters |name|description|default value|required| |---|---|---|---| -|BASE_IMAGE|NodeJS builder image|registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583|false| +|BASE_IMAGE|NodeJS builder image|registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583@sha256:c17111ec54c7f57f22d03f2abba206b0bdc54dcdfb02d6a8278ce088231eced1|false| |PATH_CONTEXT|The location of the path to run s2i from.|.|false| |TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| |IMAGE|Location of the repo where image has to be pushed||true| -|BUILDER_IMAGE|The location of the buildah builder image.|registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af|false| +|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false| |DOCKER_AUTH|unused, should be removed in next task version|""|false| |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| |MAVEN_MIRROR_URL|The base URL of a mirror used for retrieving artifacts|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| ## Results |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| ## Workspaces diff --git a/task/s2i-nodejs/0.1/s2i-nodejs.yaml b/task/s2i-nodejs/0.1/s2i-nodejs.yaml index c6028fcadf..227a7798f0 100644 --- a/task/s2i-nodejs/0.1/s2i-nodejs.yaml +++ b/task/s2i-nodejs/0.1/s2i-nodejs.yaml 
@@ -74,6 +74,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS steps: @@ -221,6 +223,10 @@ spec: docker://$IMAGE cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" securityContext: runAsUser: 0 diff --git a/task/source-build-oci-ta/0.1/README.md b/task/source-build-oci-ta/0.1/README.md index 5f00e17afa..714c9a3018 100644 --- a/task/source-build-oci-ta/0.1/README.md +++ b/task/source-build-oci-ta/0.1/README.md @@ -14,6 +14,7 @@ Source image build. |name|description| |---|---| |BUILD_RESULT|Build result.| +|IMAGE_REF|Image reference of the built image| |SOURCE_IMAGE_DIGEST|The source image digest.| |SOURCE_IMAGE_URL|The source image url.| diff --git a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml index dea325777c..66c430fdca 100644 --- a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml +++ b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml @@ -35,6 +35,8 @@ spec: results: - name: BUILD_RESULT description: Build result. + - name: IMAGE_REF + description: Image reference of the built image - name: SOURCE_IMAGE_DIGEST description: The source image digest. - name: SOURCE_IMAGE_URL @@ -156,6 +158,7 @@ spec: cat "$RESULT_FILE" | jq -j ".image_url" >"$RESULT_SOURCE_IMAGE_URL" cat "$RESULT_FILE" | jq -j ".image_digest" >"$RESULT_SOURCE_IMAGE_DIGEST" + jq -r '"\(.image_url)@\(.image_digest)"' "${RESULT_FILE}" >"$(results.IMAGE_REF.path)" cp "$RESULT_FILE" "$WS_BUILD_RESULT_FILE" computeResources: diff --git a/task/source-build/0.1/README.md b/task/source-build/0.1/README.md index f81fac13aa..148ec06ebe 100644 
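Review bot: The added `jq -r` line in source-build-oci-ta.yaml (`@@ -156,6 +158,7 @@`) ends IMAGE_REF with a newline, while the two lines above it use `jq -j` so that SOURCE_IMAGE_URL and SOURCE_IMAGE_DIGEST have none. A consumer that compares or concatenates the result verbatim would see a different string than `url@digest`; I would use `jq -j '"\(.image_url)@\(.image_digest)"' "${RESULT_FILE}" >"$(results.IMAGE_REF.path)"`. If either field is absent from the result file, the interpolation writes the literal `null` into the reference, so a check that both fields are non-empty strings before writing would keep a malformed reference out of the results. The same line is added in source-build.yaml (`@@ -157,5 +159,6 @@`).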
--- a/task/source-build/0.1/README.md +++ b/task/source-build/0.1/README.md @@ -14,6 +14,7 @@ Source image build. |BUILD_RESULT|Build result.| |SOURCE_IMAGE_URL|The source image url.| |SOURCE_IMAGE_DIGEST|The source image digest.| +|IMAGE_REF|Image reference of the built image| ## Workspaces |name|description|optional| diff --git a/task/source-build/0.1/source-build.yaml b/task/source-build/0.1/source-build.yaml index e24ad9a0ac..19a5d77ad4 100644 --- a/task/source-build/0.1/source-build.yaml +++ b/task/source-build/0.1/source-build.yaml @@ -29,6 +29,8 @@ spec: description: The source image url. - name: SOURCE_IMAGE_DIGEST description: The source image digest. + - name: IMAGE_REF + description: Image reference of the built image workspaces: - name: workspace description: The workspace where source code is included. @@ -157,5 +159,6 @@ spec: cat "$RESULT_FILE" | jq -j ".image_url" >"$RESULT_SOURCE_IMAGE_URL" cat "$RESULT_FILE" | jq -j ".image_digest" >"$RESULT_SOURCE_IMAGE_DIGEST" + jq -r '"\(.image_url)@\(.image_digest)"' "${RESULT_FILE}" >"$(results.IMAGE_REF.path)" cp "$RESULT_FILE" "$WS_BUILD_RESULT_FILE" diff --git a/task/tkn-bundle/0.1/README.md b/task/tkn-bundle/0.1/README.md index 09100bea33..eb5a7bf647 100644 --- a/task/tkn-bundle/0.1/README.md +++ b/task/tkn-bundle/0.1/README.md 
@@ -1,51 +1,23 @@ -# tkn-bundle - Tekton Task to push a Tekton Bundle to an image registry +# tkn-bundle task -Tekton Task to build and push Tekton Bundles (OCI images) which contain -definitions of Tekton objects, most commonly Task and Pipeline objects. +Creates and pushes a Tekton bundle containing the specified Tekton YAML files. -Task finds all `*.yaml` or `*.yml` files within `CONTEXT`, packages and pushes -them as a Tekton Bundle to the image repository, name and tag specified by the -`IMAGE` parameter. - -## Input Parameters - -The task supports the following input parameters. - -| Name | Example | Description | -|---------|-------------------------|------------------------------------------| -| IMAGE | registry.io/my-task:tag | Reference of the image task will produce | -| CONTEXT | my-task/0.1 | Paths to include in the bundle image | -| HOME | /tekton/home | Value for the HOME environment variable | - -`CONTEXT` can include multiple directories or files separated by comma or space. -Paths can be negated with exclamation mark to prevent inclusion of certain -directories or files. Negated paths are best placed at the end as they operate -on collected paths preceeding them. For example if `CONTEXT` is set to -`"0.1,!0.1/spec"` for this tree: - - . - ├── 0.1 - │   ├── README.md - │   ├── spec - │   │   ├── spec_helper.sh - │   │   ├── support - │   │   │   ├── jq_matcher.sh - │   │   │   └── task_run_subject.sh - │   │   ├── test1.yaml - │   │   ├── test2.yml - │   │   ├── test3.yaml - │   │   └── tkn-bundle_spec.sh - │   ├── TESTING.md - │   └── tkn-bundle.yaml - └── OWNERS - -Only the `0.1/tkn-bundle.yaml` file will be included in the bundle. 
+## Parameters +|name|description|default value|required| +|---|---|---|---| +|IMAGE|Reference of the image task will produce.||true| +|CONTEXT|Path to the directory to use as context.|.|false| +|HOME|Value for the HOME environment variable.|/tekton/home|false| +|STEPS_IMAGE|An optional image to configure task steps with in the bundle|""|false| ## Results - -The task emits the following results. - -| Name | Example | Description | -|--------------|-------------------------|-----------------------------------------------------------------| -| IMAGE_URL | registry.io/my-task:tag | Image repository where the built image was pushed with tag only | -| IMAGE_DIGEST | abc... | Digest of the image just built | +|name|description| +|---|---| +|IMAGE_DIGEST|Digest of the image just built| +|IMAGE_URL|Image repository where the built image was pushed with tag only| +|IMAGE_REF|Image reference of the built image| + +## Workspaces +|name|description|optional| +|---|---|---| +|source||false| diff --git a/task/tkn-bundle/0.1/tkn-bundle.yaml b/task/tkn-bundle/0.1/tkn-bundle.yaml index d5f25a8656..eff0b9645d 100644 --- a/task/tkn-bundle/0.1/tkn-bundle.yaml +++ b/task/tkn-bundle/0.1/tkn-bundle.yaml @@ -32,6 +32,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed with tag only name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF stepTemplate: env: - name: HOME @@ -134,7 +136,9 @@ spec: $(printf ' -f %s' "${FILES[@]}") \ |tee /proc/self/fd/3)" echo -n "$IMAGE" > $(results.IMAGE_URL.path) - echo -n "${OUT#*Pushed Tekton Bundle to *@}" > $(results.IMAGE_DIGEST.path) + digest="${OUT#*Pushed Tekton Bundle to *@}"" + echo -n "${digest}" > $(results.IMAGE_DIGEST.path) + echo -n "${IMAGE}@${digest}" > "$(results.IMAGE_REF.path)" # cleanup task file [[ -f "${TASK_FILE}" ]] && rm -f "${TASK_FILE}"
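Review bot: The new assignment in tkn-bundle.yaml, `digest="${OUT#*Pushed Tekton Bundle to *@}""`, ends with two double quotes, so the second one opens a string that swallows the following `echo -n` lines; the script then either fails to parse or never writes IMAGE_DIGEST and IMAGE_REF as intended. It should read `digest="${OUT#*Pushed Tekton Bundle to *@}"`. Separately, when the `Pushed Tekton Bundle to` text is not found the expansion returns `$OUT` unchanged, so the whole command output would land in both results; a check like `[[ "${digest}" == sha256:* ]] || exit 1` before the writes (presumably the digest is always sha256 here) would turn that into a failed step. The script continues outside the hunk.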