From 6dd763ae8a335560cbfd45f10db3d85d81a85e39 Mon Sep 17 00:00:00 2001 From: Zoran Regvart Date: Mon, 22 Jul 2024 11:52:48 +0200 Subject: [PATCH] `IMAGE_REF` result from image building Tasks This helps in the reuse of the results when using matrix feature of Tekton. Given that the concatenation of two results from matrix-spawned Tasks is not supported, e.g. $(tasks.build-container-multiarch.results.IMAGE_URL[*])@$(tasks.build-container-multiarch.results.IMAGE_DIGEST[*]) will not expand correctly. This produces the image reference in full in the `IMAGE_REF` result, so the result from the matrix-spawned Tasks can be referenced using: $(tasks.build-container-multiarch.results.IMAGE_REF[*]) Reference: https://issues.redhat.com/browse/EC-654 --- task/buildah-oci-ta/0.2/README.md | 1 + task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 6 +++ .../0.2/buildah-remote-oci-ta.yaml | 6 +++ task/buildah-remote/0.2/README.md | 48 +++++++++++++++++++ task/buildah-remote/0.2/buildah-remote.yaml | 6 +++ task/buildah/0.2/README.md | 3 +- task/buildah/0.2/buildah.yaml | 6 +++ task/oci-copy-oci-ta/0.1/README.md | 1 + task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml | 3 ++ task/oci-copy/0.1/README.md | 1 + task/oci-copy/0.1/oci-copy.yaml | 3 ++ task/rpm-ostree/0.1/README.md | 31 ++++++++++++ task/rpm-ostree/0.1/rpm-ostree.yaml | 6 +++ task/s2i-java/0.1/README.md | 4 +- task/s2i-java/0.1/s2i-java.yaml | 6 +++ task/s2i-nodejs/0.1/README.md | 6 ++- task/s2i-nodejs/0.1/s2i-nodejs.yaml | 6 +++ task/source-build-oci-ta/0.1/README.md | 1 + .../0.1/source-build-oci-ta.yaml | 3 ++ task/source-build/0.1/README.md | 1 + task/source-build/0.1/source-build.yaml | 3 ++ task/tkn-bundle/0.1/README.md | 9 ++-- task/tkn-bundle/0.1/tkn-bundle.yaml | 6 ++- 23 files changed, 156 insertions(+), 10 deletions(-) create mode 100644 task/buildah-remote/0.2/README.md create mode 100644 task/rpm-ostree/0.1/README.md 
diff --git a/task/buildah-oci-ta/0.2/README.md b/task/buildah-oci-ta/0.2/README.md index 532e96b0c1..bfa06e6cee 100644 --- a/task/buildah-oci-ta/0.2/README.md +++ b/task/buildah-oci-ta/0.2/README.md @@ -38,6 +38,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| +|IMAGE_REF|Image reference of the built image| |IMAGE_URL|Image repository where the built image was pushed| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 1551ce3577..952535b8e6 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -129,6 +129,8 @@ spec: results: - name: IMAGE_DIGEST description: Digest of the image just built + - name: IMAGE_REF + description: Image reference of the built image - name: IMAGE_URL description: Image repository where the built image was pushed - name: JAVA_COMMUNITY_DEPENDENCIES @@ -559,6 +561,10 @@ spec: cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "/var/workdir/image-digest" + } >"$(results.IMAGE_REF.path)" securityContext: capabilities: add: diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 45baf3dc00..95acc3aa74 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml 
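Review bot: In the `@@ -559` hunk of buildah-oci-ta.yaml, `IMAGE_REF` is assembled by streaming the digest file straight after `${IMAGE}@`, with no check that the file exists, is non-empty, or holds only a digest. An empty file yields `${IMAGE}@`, and any trailing newline ends up in the result. Whether the step aborts on a failed `cat` depends on shell options set outside the hunk. Since consumers of this result presumably pin the image by digest, read the digest once and reject an empty value: `digest="$(cat /var/workdir/image-digest)"`, `[ -n "$digest" ] || { echo "empty image digest" >&2; exit 1; }`, `echo -n "${IMAGE}@${digest}" >"$(results.IMAGE_REF.path)"`. The same construct appears in the script hunks of buildah-remote-oci-ta, buildah-remote, buildah, rpm-ostree, s2i-java and s2i-nodejs, with the workspace path in place of `/var/workdir` where applicable.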
@@ -130,6 +130,8 @@ spec: results: - description: Digest of the image just built name: IMAGE_DIGEST + - description: Image reference of the built image + name: IMAGE_REF - description: Image repository where the built image was pushed name: IMAGE_URL - description: The Java dependencies that came from community sources such as Maven @@ -630,6 +632,10 @@ spec: cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "/var/workdir/image-digest" + } >"$(results.IMAGE_REF.path)" securityContext: capabilities: add: diff --git a/task/buildah-remote/0.2/README.md b/task/buildah-remote/0.2/README.md new file mode 100644 index 0000000000..71b2baa59b --- /dev/null +++ b/task/buildah-remote/0.2/README.md 
@@ -0,0 +1,48 @@ +# buildah-remote task + +Buildah task builds source code into a container image and pushes the image into container registry using buildah tool. +In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool. +When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. +When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|IMAGE|Reference of the image buildah will produce.||true| +|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| +|CONTEXT|Path to the directory to use as context.|.|false| +|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| +|HERMETIC|Determines if build will be executed without network access.|false|false| +|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| +|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false| +|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false| +|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false| +|TARGET_STAGE|Target stage in Dockerfile to build. 
If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false| +|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false| +|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false| +|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| +|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| +|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false| +|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| +|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false| +|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false| +|PLATFORM|The platform to build on||true| + +## Results +|name|description| +|---|---| +|IMAGE_DIGEST|Digest of the image just built| +|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| +|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| +|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| + +## Workspaces +|name|description|optional| +|---|---|---| +|source|Workspace containing the source code to build.|false| diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 1c405b0103..97db9ded53 100644 
--- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -123,6 +123,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: The counting of Java components by publisher in JSON format name: SBOM_JAVA_COMPONENTS_COUNT type: string @@ -612,6 +614,10 @@ spec: cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" securityContext: capabilities: add: diff --git a/task/buildah/0.2/README.md b/task/buildah/0.2/README.md index a9da914b81..5dabbe3e4f 100644 --- a/task/buildah/0.2/README.md +++ b/task/buildah/0.2/README.md @@ -9,11 +9,9 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |name|description|default value|required| |---|---|---|---| |IMAGE|Reference of the image buildah will produce.||true| -|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false| |DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| |CONTEXT|Path to the directory to use as context.|.|false| |TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| -|DOCKER_AUTH|unused, should be removed in next task version|""|false| |HERMETIC|Determines if build will be executed without network access.|false|false| |PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| 
@@ -39,6 +37,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |---|---| |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index fbca62f1d6..aefbf3757e 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -109,6 +109,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - name: SBOM_JAVA_COMPONENTS_COUNT description: The counting of Java components by publisher in JSON format type: string @@ -509,6 +511,10 @@ spec: cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" securityContext: runAsUser: 0 diff --git a/task/oci-copy-oci-ta/0.1/README.md b/task/oci-copy-oci-ta/0.1/README.md index 0067af0fad..65162767f5 100644 --- a/task/oci-copy-oci-ta/0.1/README.md +++ b/task/oci-copy-oci-ta/0.1/README.md @@ -14,6 +14,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in |name|description| |---|---| |IMAGE_DIGEST|Digest of the artifact just pushed| +|IMAGE_REF|Image reference of the built image| |IMAGE_URL|Repository where the artifact was pushed| |SBOM_BLOB_URL|Link to the SBOM blob pushed to the registry.| diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml index 65f3f65d4d..4450b27fdd 100644 --- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml 
+++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml @@ -35,6 +35,8 @@ spec: results: - name: IMAGE_DIGEST description: Digest of the artifact just pushed + - name: IMAGE_REF + description: Image reference of the built image - name: IMAGE_URL description: Repository where the artifact was pushed - name: SBOM_BLOB_URL @@ -193,6 +195,7 @@ spec: RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}") echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)" echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)" + echo -n "${IMAGE}@${RESULTING_DIGEST}" >"$(results.IMAGE_REF.path)" computeResources: limits: memory: 1Gi diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md index 8bec2f57ff..ce8b1cef73 100644 --- a/task/oci-copy/0.1/README.md +++ b/task/oci-copy/0.1/README.md @@ -22,6 +22,7 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| |SBOM_BLOB_URL|Link to the SBOM blob pushed to the registry.| +|IMAGE_REF|Image reference of the built image| ## Workspaces |name|description|optional| diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml index 58407d9c2f..d6e27d5ea5 100644 --- a/task/oci-copy/0.1/oci-copy.yaml +++ b/task/oci-copy/0.1/oci-copy.yaml @@ -32,6 +32,8 @@ spec: name: IMAGE_URL - description: Link to the SBOM blob pushed to the registry. name: SBOM_BLOB_URL + - name: IMAGE_REF + description: Image reference of the built image stepTemplate: env: - name: OCI_COPY_FILE @@ -178,6 +180,7 @@ spec: RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}") echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)" echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)" + echo -n "${IMAGE}@${RESULTING_DIGEST}" >"$(results.IMAGE_REF.path)" volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers 
diff --git a/task/rpm-ostree/0.1/README.md b/task/rpm-ostree/0.1/README.md new file mode 100644 index 0000000000..44b86d3fc0 --- /dev/null +++ b/task/rpm-ostree/0.1/README.md @@ -0,0 +1,31 @@ +# rpm-ostree task + +RPM Ostree + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|IMAGE|Reference of the image rpm-ostree will produce.||true| +|BUILDER_IMAGE|The location of the rpm-ostree builder image.|quay.io/redhat-user-workloads/project-sagano-tenant/ostree-builder/ostree-builder-fedora-38:d124414a81d17f31b1d734236f55272a241703d7|false| +|CONTEXT|Path to the directory to use as context.|.|false| +|IMAGE_FILE|The file to use to build the image||true| +|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| +|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| +|PLATFORM|The platform to build on||true| +|CONFIG_FILE|The relative path of the file used to configure the rpm-ostree tool found in source control. See https://github.com/coreos/rpm-ostree/blob/main/docs/container.md#adding-container-image-configuration|""|false| +|HERMETIC|Determines if build will be executed without network access.|false|false| + +## Results +|name|description| +|---|---| +|IMAGE_DIGEST|Digest of the image just built| +|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| +|BASE_IMAGES_DIGESTS|Digests of the base images used for build| +|SBOM_BLOB_URL|Reference, including digest to the SBOM blob| + +## Workspaces +|name|description|optional| +|---|---|---| +|source|Workspace containing the source code to build.|false| diff --git a/task/rpm-ostree/0.1/rpm-ostree.yaml b/task/rpm-ostree/0.1/rpm-ostree.yaml index b24e79d395..560665af25 100644 
--- a/task/rpm-ostree/0.1/rpm-ostree.yaml +++ b/task/rpm-ostree/0.1/rpm-ostree.yaml @@ -60,6 +60,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS - name: SBOM_BLOB_URL @@ -260,6 +262,10 @@ spec: cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } >"$(results.IMAGE_REF.path)" # Remove tag from IMAGE while allowing registry to contain a port number. sbom_repo="${IMAGE%:*}" diff --git a/task/s2i-java/0.1/README.md b/task/s2i-java/0.1/README.md index 0fa13a1e9a..617012f20d 100644 --- a/task/s2i-java/0.1/README.md +++ b/task/s2i-java/0.1/README.md 
@@ -12,15 +12,17 @@ When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup |PATH_CONTEXT|The location of the path to run s2i from|.|false| |TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| |IMAGE|Location of the repo where image has to be pushed||true| -|BUILDER_IMAGE|The location of the buildah builder image.|registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af|false| +|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false| |DOCKER_AUTH|unused, should be removed in next task version|""|false| |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| ## Results |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| diff --git a/task/s2i-java/0.1/s2i-java.yaml b/task/s2i-java/0.1/s2i-java.yaml index aa131be0c3..b55e26c015 100644 --- a/task/s2i-java/0.1/s2i-java.yaml +++ b/task/s2i-java/0.1/s2i-java.yaml @@ -56,6 +56,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS - name: SBOM_JAVA_COMPONENTS_COUNT 
@@ -253,6 +255,10 @@ spec: docker://$IMAGE cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" securityContext: runAsUser: 0 diff --git a/task/s2i-nodejs/0.1/README.md b/task/s2i-nodejs/0.1/README.md index d06149ce66..dca3d57a4d 100644 --- a/task/s2i-nodejs/0.1/README.md +++ b/task/s2i-nodejs/0.1/README.md 
@@ -7,20 +7,22 @@ In addition it generates a SBOM file, injects the SBOM file into final container ## Parameters |name|description|default value|required| |---|---|---|---| -|BASE_IMAGE|NodeJS builder image|registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583|false| +|BASE_IMAGE|NodeJS builder image|registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583@sha256:c17111ec54c7f57f22d03f2abba206b0bdc54dcdfb02d6a8278ce088231eced1|false| |PATH_CONTEXT|The location of the path to run s2i from.|.|false| |TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| |IMAGE|Location of the repo where image has to be pushed||true| -|BUILDER_IMAGE|The location of the buildah builder image.|registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af|false| +|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false| |DOCKER_AUTH|unused, should be removed in next task version|""|false| |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| |MAVEN_MIRROR_URL|The base URL of a mirror used for retrieving artifacts|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| ## Results |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| ## Workspaces diff --git a/task/s2i-nodejs/0.1/s2i-nodejs.yaml b/task/s2i-nodejs/0.1/s2i-nodejs.yaml index c6028fcadf..227a7798f0 100644 --- a/task/s2i-nodejs/0.1/s2i-nodejs.yaml +++ b/task/s2i-nodejs/0.1/s2i-nodejs.yaml 
@@ -74,6 +74,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS steps: @@ -221,6 +223,10 @@ spec: docker://$IMAGE cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" securityContext: runAsUser: 0 diff --git a/task/source-build-oci-ta/0.1/README.md b/task/source-build-oci-ta/0.1/README.md index 5f00e17afa..714c9a3018 100644 --- a/task/source-build-oci-ta/0.1/README.md +++ b/task/source-build-oci-ta/0.1/README.md @@ -14,6 +14,7 @@ Source image build. |name|description| |---|---| |BUILD_RESULT|Build result.| +|IMAGE_REF|Image reference of the built image| |SOURCE_IMAGE_DIGEST|The source image digest.| |SOURCE_IMAGE_URL|The source image url.| diff --git a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml index dea325777c..5ca7b44264 100644 --- a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml +++ b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml @@ -35,6 +35,8 @@ spec: results: - name: BUILD_RESULT description: Build result. + - name: IMAGE_REF + description: Image reference of the built image - name: SOURCE_IMAGE_DIGEST description: The source image digest. - name: SOURCE_IMAGE_URL @@ -156,6 +158,7 @@ spec: cat "$RESULT_FILE" | jq -j ".image_url" >"$RESULT_SOURCE_IMAGE_URL" cat "$RESULT_FILE" | jq -j ".image_digest" >"$RESULT_SOURCE_IMAGE_DIGEST" + jq -j '"\(.image_url)@\(.image_digest)"' "${RESULT_FILE}" >"$(results.IMAGE_REF.path)" cp "$RESULT_FILE" "$WS_BUILD_RESULT_FILE" computeResources: diff --git a/task/source-build/0.1/README.md b/task/source-build/0.1/README.md index f81fac13aa..148ec06ebe 100644 
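Review bot: In the `@@ -156` hunk of source-build-oci-ta.yaml, the added `jq -j '"\(.image_url)@\(.image_digest)"'` line exits 0 and writes `null@null` (or `<url>@null`) when either field is absent from `$RESULT_FILE`, because jq renders a missing key as the string `null` inside an interpolation. That leaves a syntactically plausible but meaningless `IMAGE_REF` for whatever consumes the result. Make the filter fail instead: `jq -ej 'select(.image_url and .image_digest) | "\(.image_url)@\(.image_digest)"' "${RESULT_FILE}" >"$(results.IMAGE_REF.path)"`. With `-e`, jq returns non-zero when `select` emits nothing. Whether that stops the step depends on errexit, which is set outside the hunk. The identical line in the `@@ -157` hunk of source-build.yaml needs the same guard.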
--- a/task/source-build/0.1/README.md +++ b/task/source-build/0.1/README.md @@ -14,6 +14,7 @@ Source image build. |BUILD_RESULT|Build result.| |SOURCE_IMAGE_URL|The source image url.| |SOURCE_IMAGE_DIGEST|The source image digest.| +|IMAGE_REF|Image reference of the built image| ## Workspaces |name|description|optional| diff --git a/task/source-build/0.1/source-build.yaml b/task/source-build/0.1/source-build.yaml index e24ad9a0ac..15ad65c47f 100644 --- a/task/source-build/0.1/source-build.yaml +++ b/task/source-build/0.1/source-build.yaml @@ -29,6 +29,8 @@ spec: description: The source image url. - name: SOURCE_IMAGE_DIGEST description: The source image digest. + - name: IMAGE_REF + description: Image reference of the built image workspaces: - name: workspace description: The workspace where source code is included. @@ -157,5 +159,6 @@ spec: cat "$RESULT_FILE" | jq -j ".image_url" >"$RESULT_SOURCE_IMAGE_URL" cat "$RESULT_FILE" | jq -j ".image_digest" >"$RESULT_SOURCE_IMAGE_DIGEST" + jq -j '"\(.image_url)@\(.image_digest)"' "${RESULT_FILE}" >"$(results.IMAGE_REF.path)" cp "$RESULT_FILE" "$WS_BUILD_RESULT_FILE" diff --git a/task/tkn-bundle/0.1/README.md b/task/tkn-bundle/0.1/README.md index 09100bea33..2c317a2db5 100644 --- a/task/tkn-bundle/0.1/README.md +++ b/task/tkn-bundle/0.1/README.md 
@@ -45,7 +45,8 @@ Only the `0.1/tkn-bundle.yaml` file will be included in the bundle. The task emits the following results. -| Name | Example | Description | -|--------------|-------------------------|-----------------------------------------------------------------| -| IMAGE_URL | registry.io/my-task:tag | Image repository where the built image was pushed with tag only | -| IMAGE_DIGEST | abc... | Digest of the image just built | +| Name | Example | Description | +|--------------|---------------------------------------|-----------------------------------------------------------------| +| IMAGE_URL | registry.io/my-task:tag | Image repository where the built image was pushed with tag only | +| IMAGE_DIGEST | abc... | Digest of the image just built | +| IMAGE_REF | registry.io/my-task:tag@sha256:abc... | Image reference of the built image | diff --git a/task/tkn-bundle/0.1/tkn-bundle.yaml b/task/tkn-bundle/0.1/tkn-bundle.yaml index d5f25a8656..7d0dbdf909 100644 --- a/task/tkn-bundle/0.1/tkn-bundle.yaml +++ b/task/tkn-bundle/0.1/tkn-bundle.yaml @@ -32,6 +32,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed with tag only name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF stepTemplate: env: - name: HOME @@ -134,7 +136,9 @@ spec: $(printf ' -f %s' "${FILES[@]}") \ |tee /proc/self/fd/3)" echo -n "$IMAGE" > $(results.IMAGE_URL.path) - echo -n "${OUT#*Pushed Tekton Bundle to *@}" > $(results.IMAGE_DIGEST.path) + digest="${OUT#*Pushed Tekton Bundle to *@}" + echo -n "${digest}" > $(results.IMAGE_DIGEST.path) + echo -n "${IMAGE}@${digest}" > "$(results.IMAGE_REF.path)" # cleanup task file [[ -f "${TASK_FILE}" ]] && rm -f "${TASK_FILE}"
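Review bot: In the `@@ -134` hunk of tkn-bundle.yaml, `digest="${OUT#*Pushed Tekton Bundle to *@}"` leaves `OUT` unchanged when the pattern does not match, and keeps any text that follows the digest. `IMAGE_REF` can then become `${IMAGE}@` followed by the whole `tkn bundle push` output. The new `digest` variable is a natural place to validate before either result is written, for example `[[ "${digest}" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "could not parse digest from tkn output" >&2; exit 1; }`. That check assumes sha256 digests, as the README example `registry.io/my-task:tag@sha256:abc...` suggests. A minor style point: the new `IMAGE_DIGEST` write keeps the redirect target unquoted while the `IMAGE_REF` line quotes it, so quoting both would be consistent.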