Merge branch 'main' into ec-pub-key

.tekton/push.yaml

@@ -92,6 +92,10 @@ spec:
                   value: "1"
                 - name: SKIP_INSTALL
                   value: "1"
+                - name: OUTPUT_TASK_BUNDLE_LIST
+                  value: $(workspaces.source.path)/task-bundle-list
+                - name: OUTPUT_PIPELINE_BUNDLE_LIST
+                  value: $(workspaces.source.path)/pipeline-bundle-list
               volumeMounts:
                 - mountPath: /root/.docker/config.json
                   subPath: .dockerconfigjson
@@ -138,19 +142,20 @@ spec:
                 value: "$(params.revision)"
               - name: GIT_URL
                 value: "$(params.git-url)"
+              - name: TASK_BUNDLE_LIST
+                value: $(workspaces.artifacts.path)/task-bundle-list
+              - name: PIPELINE_BUNDLE_LIST
+                value: $(workspaces.artifacts.path)/pipeline-bundle-list
               # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
               # the cluster will set imagePullPolicy to IfNotPresent
               # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.
               script: |-
                 #!/usr/bin/env bash
+                set -o errexit
+                set -o nounset
+                set -o pipefail
 
-                export BUNDLES=(
-                  $(workspaces.artifacts.path)/source/task-bundle-list
-                  $(workspaces.artifacts.path)/source/pipeline-bundle-list
-                )
-
-                .tekton/scripts/build-acceptable-bundles.sh
-
+                .tekton/scripts/build-acceptable-bundles.sh "${TASK_BUNDLE_LIST}"  "${PIPELINE_BUNDLE_LIST}"
               volumeMounts:
                 - mountPath: /root/.docker/config.json
                   subPath: .dockerconfigjson

.tekton/scripts/build-acceptable-bundles.sh

@@ -1,14 +1,16 @@
 #!/usr/bin/env bash
-set -euo pipefail
+set -o errexit
+set -o nounset
+set -o pipefail
 
 # helps with debugging
 DATA_BUNDLE_REPO="${DATA_BUNDLE_REPO:-quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles}"
-BUNDLES=${BUNDLES:-()}
+mapfile -t BUNDLES < <(cat "$@")
 
 # store a list of changed task files
 task_records=()
 # loop over all changed files
-for path in $(git log -m -1 --name-only --pretty="format:" ${REVISION}); do
+for path in $(git log -m -1 --name-only --pretty="format:" "${REVISION}"); do
     # check that the file modified is the task file
     if [[ "${path}" == task/*/*/*.yaml ]]; then
         IFS='/' read -r -a path_array <<< "${path}"
@@ -22,12 +24,11 @@ for path in $(git log -m -1 --name-only --pretty="format:" ${REVISION}); do
     fi
 done
 
-echo "Tasks to be added"
-echo "${task_records[@]}"
+echo "Tasks to be added:"
+printf '%s\n' "${task_records[@]}"
 
-touch ${BUNDLES[@]}
 echo "Bundles to be added:"
-cat ${BUNDLES[@]}
+printf '%s\n' "${BUNDLES[@]}"
 
 # The OPA data bundle is tagged with the current timestamp. This has two main
 # advantages. First, it prevents the image from accidentally not having any tags,
@@ -37,11 +38,10 @@ TAG="$(date '+%s')"
 
 # task_records can be empty if a task wasn't changed
 TASK_PARAM=()
-if [ "${#task_records[@]}" -gt 0 ]; then
-    TASK_PARAM=($(printf "%s\n" "${task_records[@]}" | awk '{ print "--git=" $0 }'))
+if [ ${#task_records[@]} -gt 0 ]; then
+  mapfile -t -d ' ' TASK_PARAM < <(printf -- '--git=%s ' "${task_records[@]}")
 fi
-
-BUNDLES_PARAM=($(cat ${BUNDLES[@]} | awk '{ print "--bundle=" $0 }'))
+mapfile -t -d ' ' BUNDLES_PARAM < <(printf -- '--bundle=%s ' "${BUNDLES[@]}")
 
 PARAMS=("${TASK_PARAM[@]}" "${BUNDLES_PARAM[@]}")
 
@@ -51,7 +51,7 @@ ec track bundle --debug \
     --timeout "15m0s" \
     --freshen \
     --prune \
-    ${PARAMS[@]}
+    "${PARAMS[@]}"
 
 # To facilitate usage in some contexts, tag the image with the floating "latest" tag.
 skopeo copy "docker://${DATA_BUNDLE_REPO}:${TAG}" "docker://${DATA_BUNDLE_REPO}:latest"

.tekton/tasks/e2e-test.yaml

@@ -22,7 +22,7 @@ spec:
       type: string
   steps:
     - name: e2e-test
-      image: quay.io/redhat-appstudio/e2e-tests:aee2181831ab240041e83f1c9036532415f45ccf
+      image: quay.io/redhat-appstudio/e2e-tests:27b9e94fee065d8de74a82f5ca726df6c40fd64a
       # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened
       # against build-definitions to update this tag
       args: [
@@ -38,7 +38,8 @@ spec:
       - name: APP_SUFFIX
         value: "$(params.app_suffix)"
       - name: COMPONENT_REPO_URLS
-        value: "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic,https://github.com/redhat-appstudio-qe/retrodep,https://github.com/cachito-testing/pip-e2e-test,https://github.com/redhat-appstudio-qe/fbc-sample-repo,https://github.com/redhat-appstudio-qe/nodejs-no-dockerfile,https://github.com/redhat-appstudio-qe/maven-hello-world,https://github.com/redhat-appstudio-qe/source-build-parent-image-with-digest-only,https://github.com/redhat-appstudio-qe/source-build-parent-image-with-both-tag-digest,https://github.com/redhat-appstudio-qe/source-build-use-latest-parent-image,https://github.com/redhat-appstudio-qe/source-build-parent-image-from-registry-rh-io"
+        # TODO: https://issues.redhat.com/browse/STONEBLD-2419
+        value: "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic,https://github.com/redhat-appstudio-qe/retrodep,https://github.com/cachito-testing/pip-e2e-test,https://github.com/redhat-appstudio-qe/fbc-sample-repo,https://github.com/redhat-appstudio-qe/nodejs-no-dockerfile,https://github.com/redhat-appstudio-qe/maven-hello-world,https://github.com/redhat-appstudio-qe/source-build-parent-image-with-digest-only,https://github.com/redhat-appstudio-qe/source-build-parent-image-with-both-tag-digest,https://github.com/redhat-appstudio-qe/source-build-parent-image-from-registry-rh-io"
       - name: QUAY_E2E_ORGANIZATION
         value: redhat-appstudio
       - name: E2E_APPLICATIONS_NAMESPACE

.tekton/tasks/ec-checks.yaml

@@ -24,7 +24,7 @@ spec:
       $(all_tasks_dir all_tasks-ec)
   - name: validate-all-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:3d9c4a6468a7bff3958c2845f0faca982484c11ba9a335cdae4b1c4f5066da63
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:c9a6554179211cce61405e21903a4e2ee48df33411aa50bf19a495ba2c303c5e
     script: |
       set -euo pipefail
 
@@ -38,7 +38,7 @@ spec:
       ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]}
   - name: validate-build-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:3d9c4a6468a7bff3958c2845f0faca982484c11ba9a335cdae4b1c4f5066da63
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:c9a6554179211cce61405e21903a4e2ee48df33411aa50bf19a495ba2c303c5e
     script: |
       set -euo pipefail
 

pipelines/docker-build-rhtap/patch.yaml

@@ -28,6 +28,13 @@
     type: string
     default: "push"
     description: "Event that triggered the pipeline run, e.g. push, pull_request"
+- op: add
+  path: /spec/params/-
+  value:
+    name: build-args-file
+    description: Path to a file with build arguments which will be passed to podman during build
+    type: string
+    default: ""
 - op: add
   path: /spec/results/-
   value:
@@ -51,6 +58,8 @@
       value: "$(params.image-expires-after)"
     - name: COMMIT_SHA
       value: "$(tasks.clone-repository.results.commit)"
+    - name: BUILD_ARGS_FILE
+      value: "$(params.build-args-file)"
 # Remove tasks
 # Example - yq .spec.tasks.[].name ../build-definitions/pipelines/template-build/template-build.yaml | nl -v 0
 # to compute offsets

pipelines/docker-build/patch.yaml

@@ -13,6 +13,13 @@
   value:
     name: buildah
     version: "0.1"
+- op: add
+  path: /spec/params/-
+  value:
+    name: build-args-file
+    description: Path to a file with build arguments which will be passed to podman during build
+    type: string
+    default: ""
 - op: add
   path: /spec/tasks/3/params
   value:
@@ -30,6 +37,8 @@
     value: "$(params.image-expires-after)"
   - name: COMMIT_SHA
     value: "$(tasks.clone-repository.results.commit)"
+  - name: BUILD_ARGS_FILE
+    value: "$(params.build-args-file)"
 - op: add
   path: /spec/results/-
   value:

pipelines/enterprise-contract-everything.yaml

@@ -72,7 +72,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8
           - name: name
             value: verify-enterprise-contract
           - name: kind

pipelines/enterprise-contract-redhat-no-hermetic.yaml

@@ -72,7 +72,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8
           - name: name
             value: verify-enterprise-contract
           - name: kind

pipelines/enterprise-contract-redhat.yaml

@@ -72,7 +72,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8
           - name: name
             value: verify-enterprise-contract
           - name: kind

pipelines/enterprise-contract-slsa3.yaml

@@ -72,7 +72,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8
           - name: name
             value: verify-enterprise-contract
           - name: kind

pipelines/enterprise-contract.yaml

@@ -73,7 +73,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8
           - name: name
             value: verify-enterprise-contract
           - name: kind

pipelines/template-build/template-build.yaml

@@ -53,10 +53,6 @@ spec:
       description: Build a source image.
       type: string
       default: "false"
-    - name: build-args-file
-      description: Path to a file with build arguments which will be passed to podman during build
-      type: string
-      default: ""
   tasks:
     - name: init
       params:
@@ -91,9 +87,9 @@ spec:
           workspace: git-auth
     - name: prefetch-dependencies
       when:
-      - input: $(params.hermetic)
-        operator: in
-        values: ["true"]
+      - input: $(params.prefetch-input)
+        operator: notin
+        values: [""]
       params:
         - name: input
           value: $(params.prefetch-input)
@@ -105,14 +101,13 @@ spec:
       workspaces:
         - name: source
           workspace: workspace
+        - name: git-basic-auth
+          workspace: git-auth
     - name: build-container
       when:
       - input: $(tasks.init.results.build)
         operator: in
         values: ["true"]
-      params:
-        - name: BUILD_ARGS_FILE
-          value: "$(params.build-args-file)"
       runAfter:
         - prefetch-dependencies
       taskRef:
@@ -148,10 +143,14 @@ spec:
         values: ["false"]
       taskRef:
         name: deprecated-image-check
-        version: "0.3"
+        version: "0.4"
       params:
       - name: BASE_IMAGES_DIGESTS
         value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS)
+      - name: IMAGE_URL
+        value: $(tasks.build-container.results.IMAGE_URL)
+      - name: IMAGE_DIGEST
+        value: $(tasks.build-container.results.IMAGE_DIGEST)
       runAfter:
         - build-container
     - name: clair-scan

renovate.json

@@ -37,7 +37,7 @@
     },
     {
       "matchPackageNames": [
-        "quay.io/redhat-appstudio/hacbs-test",
+        "quay.io/redhat-appstudio/konflux-test",
         "quay.io/redhat-appstudio/clair-in-ci",
         "quay.io/redhat-appstudio/clamav-db"
       ],

task/acs-deploy-check/0.1/acs-deploy-check.yaml

@@ -124,7 +124,7 @@ spec:
         fi
 
     - name: report
-      image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7
+      image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2
       volumeMounts:
         - name: repository
           mountPath: /workspace/repository

task/acs-image-check/0.1/acs-image-check.yaml

@@ -53,7 +53,7 @@ spec:
         oc annotate taskrun $(context.taskRun.name) task.output.location=logs
 
     - name: rox-image-check
-      image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7
+      image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2
       volumeMounts:
         - name: rox-secret
           mountPath: /rox-secret
@@ -121,7 +121,7 @@ spec:
         cp roxctl_image_check_output.json /steps-shared-folder/acs-image-check.json
 
     - name: report
-      image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7
+      image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2
       volumeMounts:
         - name: shared-folder
           mountPath: /steps-shared-folder

task/acs-image-scan/0.1/acs-image-scan.yaml

@@ -60,7 +60,7 @@ spec:
         oc annotate taskrun $(context.taskRun.name) task.output.location=logs
 
     - name: rox-image-scan
-      image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7
+      image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2
       volumeMounts:
         - name: rox-secret
           mountPath: /rox-secret
@@ -160,7 +160,7 @@ spec:
         set_test_output_result SUCCESS "$note"
 
     - name: report
-      image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7
+      image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2
       volumeMounts:
         - name: shared-folder
           mountPath: /steps-shared-folder