From 2271190da88531b1f7258c0ef5d13f7f0c6b3f64 Mon Sep 17 00:00:00 2001 From: Robert Cerven Date: Fri, 19 Apr 2024 21:46:14 +0200 Subject: [PATCH 01/15] script for generating pipelines README.md STONEBLD-2330 Signed-off-by: Robert Cerven --- hack/generate-pipelines-readme.py | 280 ++++++++++++++++++ pipelines/docker-build-rhtap/README.md | 151 ++++++++++ pipelines/docker-build/README.md | 219 ++++++++++++++ pipelines/fbc-builder/README.md | 183 ++++++++++++ pipelines/gitops-pull-request-rhtap/README.md | 90 ++++++ pipelines/java-builder/README.md | 210 +++++++++++++ pipelines/nodejs-builder/README.md | 208 +++++++++++++ pipelines/tekton-bundle-builder/README.md | 159 ++++++++++ 8 files changed, 1500 insertions(+) create mode 100755 hack/generate-pipelines-readme.py create mode 100644 pipelines/docker-build-rhtap/README.md create mode 100644 pipelines/docker-build/README.md create mode 100644 pipelines/fbc-builder/README.md create mode 100644 pipelines/gitops-pull-request-rhtap/README.md create mode 100644 pipelines/java-builder/README.md create mode 100644 pipelines/nodejs-builder/README.md create mode 100644 pipelines/tekton-bundle-builder/README.md diff --git a/hack/generate-pipelines-readme.py b/hack/generate-pipelines-readme.py new file mode 100755 index 0000000000..9f3dcdfc6e --- /dev/null +++ b/hack/generate-pipelines-readme.py 
@@ -0,0 +1,280 @@
+#!/usr/bin/env python
+import json
+import subprocess
+import os
+import re
+import yaml
+import shutil
+from pathlib import Path
+from tempfile import mkdtemp
+
+PIPELINE_GENERATE_INPUT_DIRS = ('./pipelines/', './pipelines/rhtap/')
+PIPELINES_DIR = './pipelines/'
+TASKS_DIR = './task/'
+# mapping pipeline_name to directory name, in case it isn't the same
+PIPELINE_TO_DIRECTORY_MAPPING = {'gitops-pull-request': 'gitops-pull-request-rhtap'}
+
+
+def run(cmd):
+ print("Subprocess: %s" % ' '.join(cmd))
+ failed = 1
+
+ try:
+ process = subprocess.run(cmd, check=True, capture_output=True)
+ failed = 0
+ except subprocess.CalledProcessError as e:
+ print(f"{cmd[0]} failed:\nSTDOUT:\n{e.stdout.decode()}\nSTDERR:\n{e.stderr.decode()}")
+ except FileNotFoundError:
+ print(f"command: {cmd[0]} doesn't exist")
+ return "", "", failed
+
+ if process.stderr:
+ print(f"{cmd[0]} STDERR:\n{process.stderr.decode()}")
+
+ return process.stdout, process.stderr, failed
+
+
+def main():
+ temp_dir = mkdtemp()
+
+ for input_pipeline_dir in PIPELINE_GENERATE_INPUT_DIRS:
+ generate_pipelines_cmd = ["oc", "kustomize", "--output", temp_dir, input_pipeline_dir]
+ _, _, failed = run(generate_pipelines_cmd)
+ if failed:
+ shutil.rmtree(temp_dir)
+ exit(1)
+
+ for f in os.listdir(temp_dir):
+ pipeline_dir = f.replace("tekton.dev_v1_pipeline_", "").replace(".yaml", "")
+ if pipeline_dir.startswith("enterprise"):
+ continue
+
+ pipeline_dir = PIPELINE_TO_DIRECTORY_MAPPING.get(pipeline_dir, pipeline_dir)
+
+ full_path = Path(PIPELINES_DIR).joinpath(pipeline_dir)
+ if not full_path.exists():
+ print(f"pipeline directory: {full_path}, for pipeline: {pipeline_dir} doesn't exist")
+ shutil.rmtree(temp_dir)
+ exit(1)
+
+ pipelines_info = {}
+ with open(Path(temp_dir).joinpath(f), 'r') as f:
+ pipeline_data = yaml.safe_load(f)
+
+ if pipeline_data.get('kind') != 'Pipeline':
+ print(f"generated yaml file isn't pipeline: {f} will skip it")
+ continue
+
+ pipeline_name = 
pipeline_data['metadata']['name']
+ pipelines_info[pipeline_name] = {'params': [], 'results': [], 'workspaces': [], 'tasks': []}
+
+ for param in pipeline_data['spec'].get('params', []):
+ param_dict = {'used': []}
+ param_dict['name'] = param.get('name')
+ param_dict['description'] = param.get('description', "")
+ param_dict['default'] = param.get('default', None)
+ pipelines_info[pipeline_name]['params'].append(param_dict)
+
+ for result in pipeline_data['spec'].get('results', []):
+ result_dict = {}
+ result_dict['name'] = result.get('name')
+ result_dict['description'] = result.get('description', "")
+ result_dict['value'] = result.get('value')
+ pipelines_info[pipeline_name]['results'].append(result_dict)
+
+ for workspace in pipeline_data['spec'].get('workspaces', []):
+ workspace_dict = {}
+ workspace_dict['name'] = workspace.get('name')
+ workspace_dict['description'] = workspace.get('description', "")
+ workspace_dict['optional'] = workspace.get('optional', False)
+ pipelines_info[pipeline_name]['workspaces'].append(workspace_dict)
+
+ param_regex = re.compile(r'^\s*\$\(params\.(\S*)\)\s*$')
+
+ for task_object in ('finally', 'tasks'):
+ for task in pipeline_data['spec'].get(task_object, []):
+ task_dict = {}
+ task_dict['name'] = task['name']
+ task_dict['refname'] = task['taskRef']['name']
+ task_dict['refversion'] = task['taskRef'].get('version', '0.1')
+ task_dict['params'] = task.get('params', [])
+ task_dict['workspaces'] = task.get('workspaces', [])
+ pipelines_info[pipeline_name]['tasks'].append(task_dict)
+
+ for param in task_dict['params']:
+ match = param_regex.match(param['value'])
+ if match:
+ uses_param = match.group(1)
+ task_param_name = f"{task_dict['name']}:{task_dict['refversion']}:{param['name']}"
+
+ for pipeline_param in pipelines_info[pipeline_name]['params']:
+ if uses_param == pipeline_param['name']:
+ pipeline_param['used'].append(task_param_name)
+
+ wrong_path = 0
+ for task in pipelines_info[pipeline_name]['tasks']:
+ 
task_path = Path(TASKS_DIR).joinpath(task['refname']).joinpath(task['refversion']).joinpath(f"{task['refname']}.yaml")
+ if not task_path.exists():
+ wrong_path = 1
+ print(f"task definition doesn't exist: {task_path}")
+
+ if wrong_path:
+ shutil.rmtree(temp_dir)
+ exit(1)
+
+ all_tasks = []
+ for task in pipelines_info[pipeline_name]['tasks']:
+ task_path = Path(TASKS_DIR).joinpath(task['refname']).joinpath(task['refversion']).joinpath(f"{task['refname']}.yaml")
+ with open(task_path, 'r') as f:
+ task_data = yaml.safe_load(f)
+
+ task_info = {}
+ task_info['name'] = task_data['metadata']['name']
+ task_info['pname'] = task['name']
+ task_info['version'] = task['refversion']
+ task_info['description'] = task_data['spec'].get('description', "")
+
+ all_params = []
+ for param in task_data['spec'].get('params', []):
+ param_info = {}
+ param_info['name'] = param['name']
+ param_info['description'] = param.get('description', "")
+ param_info['default'] = param.get('default', None)
+ all_params.append(param_info)
+ task_info['params'] = all_params
+
+ all_results = []
+ for result in task_data['spec'].get('results', []):
+ result_info = {}
+ result_info['name'] = result.get('name')
+ result_info['description'] = result.get('description', "")
+ result_info['value'] = result.get('value', None)
+ all_results.append(result_info)
+ task_info['results'] = all_results
+
+ all_workspaces = []
+ for workspace in task_data['spec'].get('workspaces', []):
+ workspace_info = {}
+ workspace_info['name'] = workspace.get('name')
+ workspace_info['description'] = workspace.get('description', "")
+ workspace_info['optional'] = workspace.get('optional', False)
+ all_workspaces.append(workspace_info)
+ task_info['workspaces'] = all_workspaces
+
+ all_tasks.append(task_info)
+
+ # write README.md files
+ with open(Path(full_path).joinpath('README.md'), 'wt') as f:
+ for name, items in pipelines_info.items():
+ # print pipeline params
+ f.write(f"# \"{name} pipeline\"\n")
+ f.write(f"## 
Parameters\n")
+ f.write("|name|description|default value|used in (taskname:taskrefversion:taskparam)|\n")
+ f.write("|---|---|---|---|\n")
+ for param in sorted(items['params'], key=lambda x: x['name']):
+ used = " ; ".join(param['used'])
+ desc = param['description'].replace("\n", " ")
+ f.write(f"|{param['name']}| {desc}| {param['default']}| {used}|\n")
+
+ # print task params
+ f.write(f"## Available params from tasks\n")
+ for task in sorted(all_tasks, key=lambda x: x['name']):
+ if not task['params']:
+ continue
+
+ f.write(f"### {task['name']}:{task['version']} task parameters\n")
+ f.write("|name|description|default value|already set by|\n")
+ f.write("|---|---|---|---|\n")
+
+ for param in sorted(task['params'], key=lambda x: x['name']):
+ set_by = ""
+ for ptask in items['tasks']:
+ if ptask['refname'] == task['name'] and ptask['refversion'] == task['version']:
+ for pparam in ptask['params']:
+ if pparam['name'] == param['name']:
+ set_by = pparam['value']
+ break
+ if set_by:
+ break
+ if set_by:
+ set_by = f"'{set_by}'"
+
+ desc = param['description'].replace("\n", " ")
+ f.write(f"|{param['name']}| {desc}| {param['default']}| {set_by}|\n")
+
+ # print pipeline results
+ f.write("\n## Results\n")
+ f.write("|name|description|value|\n")
+ f.write("|---|---|---|\n")
+ for result in sorted(items['results'], key=lambda x: x['name']):
+ desc = result['description'].replace("\n", " ")
+ f.write(f"|{result['name']}| {desc}|{result['value']}|\n")
+
+ # print task results
+ f.write(f"## Available results from tasks\n")
+ for task in sorted(all_tasks, key=lambda x: x['name']):
+ if not task['results']:
+ continue
+
+ f.write(f"### {task['name']}:{task['version']} task results\n")
+ f.write("|name|description|used in params (taskname:taskrefversion:taskparam)\n")
+ f.write("|---|---|---|\n")
+
+ for result in sorted(task['results'], key=lambda x: x['name']):
+ used_in_params = []
+ result_regex = re.compile(r'\s*\$\(tasks\.' + task['pname'] + '\.results\.' 
+ result['name'] + '\)\s*')
+
+ for task_info in items['tasks']:
+
+ for task_param in task_info['params']:
+ match = result_regex.match(task_param['value'])
+
+ if match:
+ task_param_name = f"{task_info['name']}:{task_info['refversion']}:{task_param['name']}"
+ used_in_params.append(task_param_name)
+
+ used = " ; ".join(used_in_params)
+ desc = result['description'].replace("\n", " ")
+ f.write(f"|{result['name']}| {desc}| {used}|\n")
+
+ # print pipeline workspaces
+ f.write("\n## Workspaces\n")
+ f.write("|name|description|optional|used in tasks\n")
+ f.write("|---|---|---|---|\n")
+ for workspace in sorted(items['workspaces'], key=lambda x: x['name']):
+ used_in_tasks = []
+ for task in items['tasks']:
+ for workspace_in_task in task['workspaces']:
+ if workspace_in_task['workspace'] == workspace['name']:
+ task_workspace_name = f"{task['name']}:{task['refversion']}:{workspace_in_task['name']}"
+ used_in_tasks.append(task_workspace_name)
+
+ used = " ; ".join(used_in_tasks)
+ desc = workspace['description'].replace("\n", " ")
+ f.write(f"|{workspace['name']}| {desc}|{workspace['optional']}| {used}|\n")
+
+ # print task workspaces
+ f.write(f"## Available workspaces from tasks\n")
+ for task in sorted(all_tasks, key=lambda x: x['name']):
+ if not task['workspaces']:
+ continue
+
+ f.write(f"### {task['name']}:{task['version']} task workspaces\n")
+ f.write("|name|description|optional|workspace from pipeline\n")
+ f.write("|---|---|---|---|\n")
+
+ for workspace in sorted(task['workspaces'], key=lambda x: x['name']):
+ set_by = ""
+ for task in items['tasks']:
+ for workspace_in_pipeline in task['workspaces']:
+ if workspace['name'] == workspace_in_pipeline['name']:
+ set_by = workspace_in_pipeline['workspace']
+
+ desc = workspace['description'].replace("\n", " ")
+ f.write(f"|{workspace['name']}| {desc}| {workspace['optional']}| {set_by}|\n")
+
+ shutil.rmtree(temp_dir)
+
+
+if __name__ == '__main__':
+ main() 
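Review bot: In `run()`, the `except subprocess.CalledProcessError as e:` branch only prints and then falls through to `if process.stderr:`, where `process` was never bound, so a failing `oc kustomize` ends in `UnboundLocalError` instead of the intended `failed=1` return; add `return e.stdout, e.stderr, failed` after the print in that branch. In `main()`, `shutil.rmtree(temp_dir)` runs only on the hand-written `exit(1)` paths and at the end of the function, so any `KeyError`, `yaml.YAMLError` or `OSError` raised in between leaks the `mkdtemp()` directory — wrapping the body in `with tempfile.TemporaryDirectory() as temp_dir:` removes all four `rmtree` calls, and `sys.exit(1)` is preferable to the site-module `exit()` in a script. Several loop variables are rebound: `for f in os.listdir(temp_dir)` is shadowed by `with open(...) as f`, so the skip message `generated yaml file isn't pipeline: {f}` prints a closed file object rather than the file name, and in the "print task workspaces" block the inner `for task in items['tasks']:` shadows the outer `task` and matches workspace names across every pipeline task, whereas the params block restricts `set_by` to tasks with the same `refname`/`refversion`. The result regex is built by concatenation, `re.compile(r'\s*\$\(tasks\.' + task['pname'] + '\.results\.' + result['name'] + '\)\s*')`, so a regex metacharacter in a task or result name silently changes the pattern and the non-raw `'\.results\.'` / `'\)\s*'` literals are invalid escape sequences that current Pythons warn about; use `re.escape(task['pname'])`, `re.escape(result['name'])` and raw strings, and consider anchoring with `^`/`$` as `param_regex` does. Both `param_regex.match(param['value'])` and `result_regex.match(task_param['value'])` assume a string value, so an array- or object-typed task param would raise `TypeError` here, and `task['taskRef']['name']` raises `KeyError` for a resolver-style `taskRef` without `name` — worth a guard if either shape can appear in these pipelines.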
diff --git a/pipelines/docker-build-rhtap/README.md b/pipelines/docker-build-rhtap/README.md new file mode 100644 index 0000000000..a119022805 --- /dev/null +++ b/pipelines/docker-build-rhtap/README.md 
@@ -0,0 +1,151 @@ +# "docker-build-rhtap pipeline" +## Parameters +|name|description|default value|used in (taskname:taskrefversion:taskparam)| +|---|---|---|---| +|build-args-file| Path to a file with build arguments which will be passed to podman during build| | build-container:0.1:BUILD_ARGS_FILE| +|build-source-image| Build a source image.| false| | +|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.1:DOCKERFILE| +|event-type| Event that triggered the pipeline run, e.g. push, pull_request| push| | +|git-url| Source Repository URL| None| clone-repository:0.1:url| +|gitops-auth-secret-name| Secret name to enable this pipeline to update the gitops repo with the new image. | gitops-auth-secret| update-deployment:0.1:gitops-auth-secret-name| +|hermetic| Execute the build with network isolation| false| | +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER| +|java| Java build| false| | +|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; acs-image-check:0.1:image ; acs-image-scan:0.1:image| +|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT| +|prefetch-input| Build dependencies to be prefetched by Cachi2| | | +|rebuild| Force rebuild image| false| init:0.2:rebuild| +|revision| Revision of the Source Repository| | clone-repository:0.1:revision| +|skip-checks| Skip checks against built image| false| init:0.2:skip-checks| +|stackrox-secret| | rox-api-token| acs-image-check:0.1:rox-secret-name ; acs-image-scan:0.1:rox-secret-name ; acs-deploy-check:0.1:rox-secret-name| +## Available params from tasks +### acs-deploy-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| 
+|gitops-repo-url| URL of gitops repository to check.| None| '$(params.git-url)-gitops'| +|insecure-skip-tls-verify| When set to `"true"`, skip verifying the TLS certs of the Central endpoint. Defaults to `"false"`. | false| 'true'| +|rox-secret-name| Secret containing the StackRox server endpoint and API token with CI permissions under rox-api-endpoint and rox-api-token keys. For example: rox-api-endpoint: rox.stackrox.io:443 ; rox-api-token: eyJhbGciOiJS... | None| '$(params.stackrox-secret)'| +|verbose| | true| | +### acs-image-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|image| Full name of image to scan (example -- gcr.io/rox/sample:5.0-rc1) | None| '$(params.output-image)'| +|image-digest| Digest of the image | None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|insecure-skip-tls-verify| When set to `"true"`, skip verifying the TLS certs of the Central endpoint. Defaults to `"false"`. | false| 'true'| +|rox-secret-name| Secret containing the StackRox server endpoint and API token with CI permissions under rox-api-endpoint and rox-api-token keys. For example: rox-api-endpoint: rox.stackrox.io:443 ; rox-api-token: eyJhbGciOiJS... | None| '$(params.stackrox-secret)'| +### acs-image-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|image| Full name of image to scan (example -- gcr.io/rox/sample:5.0-rc1) | None| '$(params.output-image)'| +|image-digest| Digest of the image to scan | None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|insecure-skip-tls-verify| When set to `"true"`, skip verifying the TLS certs of the Central endpoint. Defaults to `"false"`. | false| 'true'| +|rox-secret-name| Secret containing the StackRox server endpoint and API token with CI permissions under rox-api-endpoint and rox-api-token keys. For example: rox-api-endpoint: rox.stackrox.io:443 ; rox-api-token: eyJhbGciOiJS... 
| None| '$(params.stackrox-secret)'| +### buildah-rhtap:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|BUILD_ARGS_FILE| Path to a file with build arguments which will be passed to podman during build| | '$(params.build-args-file)'| +|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| +|DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'| +|IMAGE| Reference of the image buildah will produce.| None| '$(params.output-image)'| +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | +### git-clone:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|deleteExisting| Clean out the contents of the destination directory if it already exists before cloning.| true| | +|depth| Perform a shallow clone, fetching only the most recent N commits.| 1| | +|enableSymlinkCheck| Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true| | +|fetchTags| Fetch all tags for the repo.| false| | +|gitInitImage| Deprecated. Has no effect. Will be removed in the future.| | | +|httpProxy| HTTP proxy server for non-SSL requests.| | | +|httpsProxy| HTTPS proxy server for SSL requests.| | | +|noProxy| Opt out of proxying HTTP/HTTPS requests.| | | +|refspec| Refspec to fetch before checking out revision.| | | +|revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | +|sslVerify| Set the `http.sslVerify` global git config. 
Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | +|subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| | +|submodules| Initialize and fetch git submodules.| true| | +|url| Repository URL to clone from.| None| '$(params.git-url)'| +|userHome| Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. | /tekton/home| | +|verbose| Log the commands that are executed during `git-clone`'s operation.| false| | +### init:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| +|rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| +|skip-checks| Skip checks against built image| false| '$(params.skip-checks)'| +### show-sbom-rhdh:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-container.results.IMAGE_URL)'| +### summary:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| +|image-url| Image URL| None| '$(params.output-image)'| +|pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| +### update-deployment:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|gitops-auth-secret-name| Secret of basic-auth type containing credentials to commit into gitops repository. 
| gitops-auth-secret| '$(params.gitops-auth-secret-name)'| +|gitops-repo-url| URL of gitops repository to update with the newly built image.| None| '$(params.git-url)-gitops'| +|image| Reference of the newly built image to use.| None| '$(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)'| + +## Results +|name|description|value| +|---|---|---| +|ACS_SCAN_OUTPUT| |$(tasks.acs-image-scan.results.SCAN_OUTPUT)| +|CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| +|CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| +|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +## Available results from tasks +### acs-image-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|SCAN_OUTPUT| Summary of the roxctl scan| | +|TEST_OUTPUT| Result of the `roxctl image scan` check| | +### buildah-rhtap:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|BASE_IMAGES_DIGESTS| Digests of the base images used for build| | +|IMAGE_DIGEST| Digest of the image just built| acs-image-check:0.1:image-digest ; acs-image-scan:0.1:image-digest| +|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; update-deployment:0.1:image| +|SBOM_BLOB_URL| Link to the SBOM layer pushed to the registry as part of an OCI artifact.| | +### git-clone:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA| +|url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| +### init:0.2 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|build| Defines if the image in param image-url should be built| | +### show-sbom-rhdh:0.1 task results 
+|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|LINK_TO_SBOM| Placeholder result meant to make RHDH identify this task as the producer of the SBOM logs.| | + +## Workspaces +|name|description|optional|used in tasks +|---|---|---|---| +|git-auth| |True| clone-repository:0.1:basic-auth| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; build-container:0.1:source| +## Available workspaces from tasks +### buildah-rhtap:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|source| Workspace containing the source code to build.| False| workspace| +### git-clone:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth| +|output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace| +|ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| | +### summary:0.2 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| The workspace where source code is included.| True| workspace| diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md new file mode 100644 index 0000000000..13cdd59906 --- /dev/null +++ b/pipelines/docker-build/README.md 
@@ -0,0 +1,219 @@ +# "docker-build pipeline" +## Parameters +|name|description|default value|used in (taskname:taskrefversion:taskparam)| +|---|---|---|---| +|build-args-file| Path to a file with build arguments which will be passed to podman during build| | build-container:0.1:BUILD_ARGS_FILE| +|build-source-image| Build a source image.| false| | +|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.1:DOCKERFILE| +|git-url| Source Repository URL| None| clone-repository:0.1:url| +|hermetic| Execute the build with network isolation| false| build-container:0.1:HERMETIC| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER| +|java| Java build| false| | +|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| +|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT| +|prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input ; build-container:0.1:PREFETCH_INPUT| +|rebuild| Force rebuild image| false| init:0.2:rebuild| +|revision| Revision of the Source Repository| | clone-repository:0.1:revision| +|skip-checks| Skip checks against built image| false| init:0.2:skip-checks| +## Available params from tasks +### buildah:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|BUILDER_IMAGE| Deprecated. Has no effect. 
Will be removed in the future.| | | +|BUILD_ARGS_FILE| Path to a file with build arguments which will be passed to podman during build| | '$(params.build-args-file)'| +|COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'| +|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| +|DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'| +|DOCKER_AUTH| unused, should be removed in next task version| | | +|ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| | +|HERMETIC| Determines if build will be executed without network access.| false| '$(params.hermetic)'| +|IMAGE| Reference of the image buildah will produce.| None| '$(params.output-image)'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | '$(params.prefetch-input)'| +|TARGET_STAGE| Target stage in Dockerfile to build. 
If not specified, the Dockerfile is processed entirely to (and including) its last stage.| | | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | +|YUM_REPOS_D_FETCHED| Path in source workspace where dynamically-fetched repos are present| fetched.repos.d| | +|YUM_REPOS_D_SRC| Path in the git repository in which yum repository files are stored| repos.d| | +|YUM_REPOS_D_TARGET| Target path on the container in which yum repository files should be made available| /etc/yum.repos.d| | +### clair-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|docker-auth| unused, should be removed in next task version.| | | +|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +### clamav-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|docker-auth| unused| | | +|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +### deprecated-image-check:0.4 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|BASE_IMAGES_DIGESTS| Digests of base build images.| | '$(tasks.build-container.results.BASE_IMAGES_DIGESTS)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | +|POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | +### ecosystem-cert-preflight-checks:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'| +### git-clone:0.1 task parameters 
+|name|description|default value|already set by| +|---|---|---|---| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|deleteExisting| Clean out the contents of the destination directory if it already exists before cloning.| true| | +|depth| Perform a shallow clone, fetching only the most recent N commits.| 1| | +|enableSymlinkCheck| Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true| | +|fetchTags| Fetch all tags for the repo.| false| | +|gitInitImage| Deprecated. Has no effect. Will be removed in the future.| | | +|httpProxy| HTTP proxy server for non-SSL requests.| | | +|httpsProxy| HTTPS proxy server for SSL requests.| | | +|noProxy| Opt out of proxying HTTP/HTTPS requests.| | | +|refspec| Refspec to fetch before checking out revision.| | | +|revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | +|sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | +|subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| | +|submodules| Initialize and fetch git submodules.| true| | +|url| Repository URL to clone from.| None| '$(params.git-url)'| +|userHome| Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. 
| /tekton/home| | +|verbose| Log the commands that are executed during `git-clone`'s operation.| false| | +### init:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| +|rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| +|skip-checks| Skip checks against built image| false| '$(params.skip-checks)'| +### prefetch-dependencies:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false| | +|input| Configures project packages that will have their dependencies prefetched.| None| '$(params.prefetch-input)'| +|log-level| Set cachi2 log level (debug, info, warning, error)| info| | +### sast-snyk-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | +|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | +### sbom-json-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| +### show-sbom:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". 
If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | +### source-build:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|BASE_IMAGES| Base images used to build the binary image. Each image per line in the same order of FROM instructions specified in a multistage Dockerfile. Default to an empty string, which means to skip handling a base image.| | '$(tasks.build-container.results.BASE_IMAGES_DIGESTS)'| +|BINARY_IMAGE| Binary image name from which to generate the source image name.| None| '$(params.output-image)'| +### summary:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| +|image-url| Image URL| None| '$(params.output-image)'| +|pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| + +## Results +|name|description|value| +|---|---|---| +|CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| +|CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| +|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +|JAVA_COMMUNITY_DEPENDENCIES| |$(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES)| +## Available results from tasks +### buildah:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|BASE_IMAGES_DIGESTS| Digests of the base images used for build| build-source-image:0.1:BASE_IMAGES ; deprecated-base-image-check:0.4:BASE_IMAGES_DIGESTS| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST| +|IMAGE_URL| Image 
repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL|
+|JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
+|SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
+### clair-scan:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|CLAIR_SCAN_RESULT| Clair scan result.| |
+|IMAGES_PROCESSED| Images processed in the task.| |
+|TEST_OUTPUT| Tekton task test output.| |
+### clamav-scan:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|IMAGES_PROCESSED| Images processed in the task.| |
+|TEST_OUTPUT| Tekton task test output.| |
+### deprecated-image-check:0.4 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|TEST_OUTPUT| Tekton task test output.| |
+### ecosystem-cert-preflight-checks:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|TEST_OUTPUT| Preflight pass or fail outcome.| |
+### git-clone:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA|
+|url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url|
+### init:0.2 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|build| Defines if the image in param image-url should be built| |
+### sast-snyk-check:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|TEST_OUTPUT| Tekton task test output.| |
+### sbom-json-check:0.1 task results
+|name|description|used in 
params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|IMAGES_PROCESSED| Images processed in the task.| |
+|TEST_OUTPUT| Tekton task test output.| |
+### source-build:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|BUILD_RESULT| Build result.| |
+|SOURCE_IMAGE_DIGEST| The source image digest.| |
+|SOURCE_IMAGE_URL| The source image url.| |
+
+## Workspaces
+|name|description|optional|used in tasks
+|---|---|---|---|
+|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth|
+|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.1:workspace|
+## Available workspaces from tasks
+### buildah:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|source| Workspace containing the source code to build.| False| workspace|
+### git-clone:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth|
+|output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace|
+|ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. 
| True| |
+### prefetch-dependencies:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True| git-auth|
+|source| Workspace with the source code, cachi2 artifacts will be stored on the workspace as well| False| workspace|
+### sast-snyk-check:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|workspace| | False| workspace|
+### source-build:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|workspace| The workspace where source code is included.| False| workspace|
+### summary:0.2 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|workspace| The workspace where source code is included.| True| workspace|
diff --git a/pipelines/fbc-builder/README.md b/pipelines/fbc-builder/README.md
new file mode 100644
index 0000000000..1c276df6c7
--- /dev/null
+++ b/pipelines/fbc-builder/README.md
@@ -0,0 +1,183 @@
+# "fbc-builder pipeline"
+## Parameters
+|name|description|default value|used in (taskname:taskrefversion:taskparam)|
+|---|---|---|---|
+|build-source-image| Build a source image.| false| |
+|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.1:DOCKERFILE|
+|git-url| Source Repository URL| None| clone-repository:0.1:url|
+|hermetic| Execute the build with network isolation| false| |
+|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER|
+|java| Java build| false| |
+|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE|
+|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT|
+|prefetch-input| Build dependencies to be prefetched by Cachi2| | |
+|rebuild| Force rebuild image| false| init:0.2:rebuild|
+|revision| Revision of the Source Repository| | clone-repository:0.1:revision|
+|skip-checks| Skip checks against built image| false| init:0.2:skip-checks|
+## Available params from tasks
+### buildah:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|BUILDER_IMAGE| Deprecated. Has no effect. 
Will be removed in the future.| | |
+|BUILD_ARGS_FILE| Path to a file with build arguments which will be passed to podman during build| | |
+|COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'|
+|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'|
+|DOCKERFILE| Path to the Dockerfile to build.| ./Dockerfile| '$(params.dockerfile)'|
+|DOCKER_AUTH| unused, should be removed in next task version| | |
+|ENTITLEMENT_SECRET| Name of secret which contains the entitlement certificates| etc-pki-entitlement| |
+|HERMETIC| Determines if build will be executed without network access.| false| 'true'|
+|IMAGE| Reference of the image buildah will produce.| None| '$(params.output-image)'|
+|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'|
+|PREFETCH_INPUT| In case it is not empty, the prefetched content should be made available to the build.| | |
+|TARGET_STAGE| Target stage in Dockerfile to build. 
If not specified, the Dockerfile is processed entirely to (and including) its last stage.| | |
+|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| |
+|YUM_REPOS_D_FETCHED| Path in source workspace where dynamically-fetched repos are present| fetched.repos.d| |
+|YUM_REPOS_D_SRC| Path in the git repository in which yum repository files are stored| repos.d| |
+|YUM_REPOS_D_TARGET| Target path on the container in which yum repository files should be made available| /etc/yum.repos.d| |
+### deprecated-image-check:0.4 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|BASE_IMAGES_DIGESTS| Digests of base build images.| | '$(tasks.build-container.results.BASE_IMAGES_DIGESTS)'|
+|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
+|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'|
+|POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| |
+|POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| |
+### fbc-validation:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|BASE_IMAGE| Fully qualified base image name.| None| '$(tasks.inspect-image.results.BASE_IMAGE)'|
+|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
+|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'|
+### git-clone:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
+|deleteExisting| Clean out the contents of the destination directory if it already exists before cloning.| true| |
+|depth| Perform a shallow clone, fetching only the most recent N commits.| 1| |
+|enableSymlinkCheck| Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true| |
+|fetchTags| Fetch all tags for the repo.| false| |
+|gitInitImage| Deprecated. Has no effect. Will be removed in the future.| | |
+|httpProxy| HTTP proxy server for non-SSL requests.| | |
+|httpsProxy| HTTPS proxy server for SSL requests.| | |
+|noProxy| Opt out of proxying HTTP/HTTPS requests.| | |
+|refspec| Refspec to fetch before checking out revision.| | |
+|revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'|
+|sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | |
+|sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| |
+|subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| |
+|submodules| Initialize and fetch git submodules.| true| |
+|url| Repository URL to clone from.| None| '$(params.git-url)'|
+|userHome| Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. 
| /tekton/home| |
+|verbose| Log the commands that are executed during `git-clone`'s operation.| false| |
+### init:0.2 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'|
+|rebuild| Rebuild the image if exists| false| '$(params.rebuild)'|
+|skip-checks| Skip checks against built image| false| '$(params.skip-checks)'|
+### inspect-image:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|DOCKER_AUTH| unused, should be removed in next task version| | |
+|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
+|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'|
+### sbom-json-check:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
+|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'|
+### show-sbom:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-container.results.IMAGE_URL)'|
+|PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". 
If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| |
+### summary:0.2 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'|
+|git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'|
+|image-url| Image URL| None| '$(params.output-image)'|
+|pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'|
+
+## Results
+|name|description|value|
+|---|---|---|
+|CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)|
+|CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)|
+|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)|
+|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)|
+## Available results from tasks
+### buildah:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|BASE_IMAGES_DIGESTS| Digests of the base images used for build| deprecated-base-image-check:0.4:BASE_IMAGES_DIGESTS|
+|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; sbom-json-check:0.1:IMAGE_DIGEST ; inspect-image:0.1:IMAGE_DIGEST ; fbc-validate:0.1:IMAGE_DIGEST|
+|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; sbom-json-check:0.1:IMAGE_URL ; inspect-image:0.1:IMAGE_URL ; fbc-validate:0.1:IMAGE_URL|
+|JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
+|SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
+### deprecated-image-check:0.4 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|TEST_OUTPUT| Tekton task test output.| |
+### fbc-related-image-check:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|TEST_OUTPUT| Tekton task test output.| |
+### fbc-validation:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|TEST_OUTPUT| Tekton task test output.| |
+### git-clone:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA|
+|url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url|
+### init:0.2 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|build| Defines if the image in param image-url should be built| |
+### inspect-image:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|BASE_IMAGE| Base image source image is built from.| fbc-validate:0.1:BASE_IMAGE|
+|BASE_IMAGE_REPOSITORY| Base image repository URL.| |
+|TEST_OUTPUT| Tekton task test output.| |
+### sbom-json-check:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|IMAGES_PROCESSED| Images processed in the task.| |
+|TEST_OUTPUT| Tekton task test output.| |
+
+## Workspaces
+|name|description|optional|used in tasks
+|---|---|---|---|
+|git-auth| |True| clone-repository:0.1:basic-auth|
+|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; build-container:0.1:source ; inspect-image:0.1:source ; fbc-validate:0.1:workspace ; fbc-related-image-check:0.1:workspace|
+## Available workspaces from tasks
+### buildah:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|source| Workspace containing the source code to build.| False| workspace|
+### fbc-related-image-check:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|workspace| | False| workspace|
+### 
fbc-validation:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|workspace| | False| workspace|
+### git-clone:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth|
+|output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace|
+|ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| |
+### inspect-image:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|source| | False| workspace|
+### summary:0.2 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|workspace| The workspace where source code is included.| True| workspace|
diff --git a/pipelines/gitops-pull-request-rhtap/README.md b/pipelines/gitops-pull-request-rhtap/README.md
new file mode 100644
index 0000000000..490aa44b72
--- /dev/null
+++ b/pipelines/gitops-pull-request-rhtap/README.md
@@ -0,0 +1,90 @@
+# "gitops-pull-request pipeline"
+## Parameters
+|name|description|default value|used in (taskname:taskrefversion:taskparam)|
+|---|---|---|---|
+|ec-policy-configuration| Enterprise Contract policy to validate against| github.com/enterprise-contract/config//default| verify-enteprise-contract:0.1:POLICY_CONFIGURATION|
+|ec-public-key| The public key that EC should use to verify signatures| k8s://$(context.pipelineRun.namespace)/cosign-pub| verify-enteprise-contract:0.1:PUBLIC_KEY|
+|ec-rekor-host| The Rekor host that EC should use to look up transparency logs| http://rekor-server.rhtap.svc| verify-enteprise-contract:0.1:REKOR_HOST|
+|ec-strict| Should EC violations cause the pipeline to fail?| true| verify-enteprise-contract:0.1:STRICT|
+|ec-tuf-mirror| The TUF mirror that EC should use| http://tuf.rhtap.svc| verify-enteprise-contract:0.1:TUF_MIRROR|
+|git-url| Gitops repo url| None| clone-repository:0.1:url|
+|revision| Gitops repo revision| | clone-repository:0.1:revision|
+|target-branch| The target branch for the pull request| main| gather-deploy-images:0.1:TARGET_BRANCH|
+## Available params from tasks
+### gather-deploy-images:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|TARGET_BRANCH| If specified, will gather only the images that changed between the current revision and the target branch. Useful for pull requests. Note that the repository cloned on the source workspace must already contain the origin/$TARGET_BRANCH reference. 
| | '$(params.target-branch)'|
+### git-clone:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
+|deleteExisting| Clean out the contents of the destination directory if it already exists before cloning.| true| |
+|depth| Perform a shallow clone, fetching only the most recent N commits.| 1| |
+|enableSymlinkCheck| Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true| |
+|fetchTags| Fetch all tags for the repo.| false| 'true'|
+|gitInitImage| Deprecated. Has no effect. Will be removed in the future.| | |
+|httpProxy| HTTP proxy server for non-SSL requests.| | |
+|httpsProxy| HTTPS proxy server for SSL requests.| | |
+|noProxy| Opt out of proxying HTTP/HTTPS requests.| | |
+|refspec| Refspec to fetch before checking out revision.| | |
+|revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'|
+|sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | |
+|sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| |
+|subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| |
+|submodules| Initialize and fetch git submodules.| true| |
+|url| Repository URL to clone from.| None| '$(params.git-url)'|
+|userHome| Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. 
| /tekton/home| |
+|verbose| Log the commands that are executed during `git-clone`'s operation.| false| |
+### verify-enterprise-contract:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|EFFECTIVE_TIME| Run policy checks with the provided time.| now| |
+|HOMEDIR| Value for the HOME environment variable.| /tekton/home| |
+|IGNORE_REKOR| Skip Rekor transparency log checks during validation.| false| |
+|IMAGES| Spec section of an ApplicationSnapshot resource. Not all fields of the resource are required. A minimal example: { "components": [ { "containerImage": "quay.io/example/repo:latest" } ] } Each "containerImage" in the "components" array is validated. | None| '$(tasks.gather-deploy-images.results.IMAGES_TO_VERIFY)'|
+|INFO| Include rule titles and descriptions in the output. Set to "false" to disable it.| true| |
+|POLICY_CONFIGURATION| Name of the policy configuration (EnterpriseContractPolicy resource) to use. `namespace/name` or `name` syntax supported. If namespace is omitted the namespace where the task runs is used. | enterprise-contract-service/default| '$(params.ec-policy-configuration)'|
+|PUBLIC_KEY| Public key used to verify signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute.| | '$(params.ec-public-key)'|
+|REKOR_HOST| Rekor host for transparency log lookups| | '$(params.ec-rekor-host)'|
+|SSL_CERT_DIR| Path to a directory containing SSL certs to be used when communicating with external services. This is useful when using the integrated registry and a local instance of Rekor on a development cluster which may use certificates issued by a not-commonly trusted root CA. In such cases, "/var/run/secrets/kubernetes.io/serviceaccount" is a good value. Multiple paths can be provided by using the ":" separator. | | |
+|STRICT| Fail the task if policy fails. 
Set to "false" to disable it.| true| '$(params.ec-strict)'|
+|TUF_MIRROR| TUF mirror URL. Provide a value when NOT using public sigstore deployment.| | '$(params.ec-tuf-mirror)'|
+
+## Results
+|name|description|value|
+|---|---|---|
+## Available results from tasks
+### gather-deploy-images:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|IMAGES_TO_VERIFY| The images to be verified, in a format compatible with https://github.com/redhat-appstudio/build-definitions/tree/main/task/verify-enterprise-contract/0.1. When there are no images to verify, this is an empty string. | verify-enteprise-contract:0.1:IMAGES|
+### git-clone:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|commit| The precise commit SHA that was fetched by this Task.| |
+|url| The precise URL that was fetched by this Task.| |
+### verify-enterprise-contract:0.1 task results
+|name|description|used in params (taskname:taskrefversion:taskparam)
+|---|---|---|
+|TEST_OUTPUT| Short summary of the policy evaluation for each image| |
+
+## Workspaces
+|name|description|optional|used in tasks
+|---|---|---|---|
+## Available workspaces from tasks
+### gather-deploy-images:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|source| Should contain a cloned gitops repo at the ./source subpath| False| workspace|
+### git-clone:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. 
| True| git-auth|
+|output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace|
+|ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| |
+### verify-enterprise-contract:0.1 task workspaces
+|name|description|optional|workspace from pipeline
+|---|---|---|---|
+|data| The workspace where the snapshot spec json file resides| True| |
diff --git a/pipelines/java-builder/README.md b/pipelines/java-builder/README.md
new file mode 100644
index 0000000000..37333a95e3
--- /dev/null
+++ b/pipelines/java-builder/README.md
@@ -0,0 +1,210 @@
+# "java-builder pipeline"
+## Parameters
+|name|description|default value|used in (taskname:taskrefversion:taskparam)|
+|---|---|---|---|
+|build-source-image| Build a source image.| false| |
+|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| |
+|git-url| Source Repository URL| None| clone-repository:0.1:url|
+|hermetic| Execute the build with network isolation| false| |
+|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER|
+|java| Java build| false| |
+|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE|
+|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:PATH_CONTEXT|
+|prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input|
+|rebuild| Force rebuild image| false| init:0.2:rebuild|
+|revision| Revision of the Source Repository| | clone-repository:0.1:revision|
+|skip-checks| Skip checks against built image| false| init:0.2:skip-checks|
+## Available params from tasks
+### clair-scan:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|docker-auth| unused, should be removed in next task version.| | |
+|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
+|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'|
+### clamav-scan:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|docker-auth| unused| | |
+|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
+|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'|
+### deprecated-image-check:0.4 task 
parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|BASE_IMAGES_DIGESTS| Digests of base build images.| | '$(tasks.build-container.results.BASE_IMAGES_DIGESTS)'|
+|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
+|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'|
+|POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| |
+|POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| |
+### ecosystem-cert-preflight-checks:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'|
+### git-clone:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
+|deleteExisting| Clean out the contents of the destination directory if it already exists before cloning.| true| |
+|depth| Perform a shallow clone, fetching only the most recent N commits.| 1| |
+|enableSymlinkCheck| Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true| |
+|fetchTags| Fetch all tags for the repo.| false| |
+|gitInitImage| Deprecated. Has no effect. Will be removed in the future.| | |
+|httpProxy| HTTP proxy server for non-SSL requests.| | |
+|httpsProxy| HTTPS proxy server for SSL requests.| | |
+|noProxy| Opt out of proxying HTTP/HTTPS requests.| | |
+|refspec| Refspec to fetch before checking out revision.| | |
+|revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'|
+|sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | |
+|sslVerify| Set the `http.sslVerify` global git config. 
Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| |
+|subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| |
+|submodules| Initialize and fetch git submodules.| true| |
+|url| Repository URL to clone from.| None| '$(params.git-url)'|
+|userHome| Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. | /tekton/home| |
+|verbose| Log the commands that are executed during `git-clone`'s operation.| false| |
+### init:0.2 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'|
+|rebuild| Rebuild the image if exists| false| '$(params.rebuild)'|
+|skip-checks| Skip checks against built image| false| '$(params.skip-checks)'|
+### prefetch-dependencies:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
+|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
+|dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false| |
+|input| Configures project packages that will have their dependencies prefetched.| None| '$(params.prefetch-input)'|
+|log-level| Set cachi2 log level (debug, info, warning, error)| info| |
+### s2i-java:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|BASE_IMAGE| Java builder image| registry.access.redhat.com/ubi9/openjdk-17:1.13-10.1669632202| |
+|BUILDER_IMAGE| Deprecated. Has no effect. 
Will be removed in the future.| | |
+|COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'|
+|DOCKER_AUTH| unused, should be removed in next task version| | |
+|IMAGE| Location of the repo where image has to be pushed| None| '$(params.output-image)'|
+|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'|
+|PATH_CONTEXT| The location of the path to run s2i from| .| '$(params.path-context)'|
+|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| |
+### sast-snyk-check:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| |
+|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| |
+### sbom-json-check:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
+|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'|
+### show-sbom:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-container.results.IMAGE_URL)'|
+|PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| |
+### source-build:0.1 task parameters
+|name|description|default value|already set by|
+|---|---|---|---|
+|BASE_IMAGES| Base images used to build the binary image. Each image per line in the same order of FROM instructions specified in a multistage Dockerfile. 
Default to an empty string, which means to skip handling a base image.| | '$(tasks.build-container.results.BASE_IMAGES_DIGESTS)'| +|BINARY_IMAGE| Binary image name from which to generate the source image name.| None| '$(params.output-image)'| +### summary:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| +|image-url| Image URL| None| '$(params.output-image)'| +|pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| + +## Results +|name|description|value| +|---|---|---| +|CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| +|CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| +|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +|JAVA_COMMUNITY_DEPENDENCIES| |$(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES)| +## Available results from tasks +### clair-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|CLAIR_SCAN_RESULT| Clair scan result.| | +|IMAGES_PROCESSED| Images processed in the task.| | +|TEST_OUTPUT| Tekton task test output.| | +### clamav-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|TEST_OUTPUT| Tekton task test output.| | +### deprecated-image-check:0.4 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### ecosystem-cert-preflight-checks:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Preflight pass or fail outcome.| | +### git-clone:0.1 task results 
+|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA| +|url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| +### init:0.2 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|build| Defines if the image in param image-url should be built| | +### s2i-java:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|BASE_IMAGES_DIGESTS| Digests of the base images used for build| build-source-image:0.1:BASE_IMAGES ; deprecated-base-image-check:0.4:BASE_IMAGES_DIGESTS| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST| +|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL| +|JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | +|SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | +### sast-snyk-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sbom-json-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|TEST_OUTPUT| Tekton task test output.| | +### source-build:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|BUILD_RESULT| Build result.| | +|SOURCE_IMAGE_DIGEST| The source image digest.| | +|SOURCE_IMAGE_URL| The source 
image url.| | + +## Workspaces +|name|description|optional|used in tasks +|---|---|---|---| +|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.1:workspace| +## Available workspaces from tasks +### git-clone:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth| +|output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace| +|ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| | +### prefetch-dependencies:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. 
| True| git-auth| +|source| Workspace with the source code, cachi2 artifacts will be stored on the workspace as well| False| workspace| +### s2i-java:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|source| Workspace containing the source code to build.| False| workspace| +### sast-snyk-check:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| | False| workspace| +### source-build:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| The workspace where source code is included.| False| workspace| +### summary:0.2 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| The workspace where source code is included.| True| workspace| diff --git a/pipelines/nodejs-builder/README.md b/pipelines/nodejs-builder/README.md new file mode 100644 index 0000000000..16e79a6e49 --- /dev/null +++ b/pipelines/nodejs-builder/README.md 
@@ -0,0 +1,208 @@ +# "nodejs-builder pipeline" +## Parameters +|name|description|default value|used in (taskname:taskrefversion:taskparam)| +|---|---|---|---| +|build-source-image| Build a source image.| false| | +|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| | +|git-url| Source Repository URL| None| clone-repository:0.1:url| +|hermetic| Execute the build with network isolation| false| | +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER| +|java| Java build| false| | +|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| +|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:PATH_CONTEXT| +|prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input| +|rebuild| Force rebuild image| false| init:0.2:rebuild| +|revision| Revision of the Source Repository| | clone-repository:0.1:revision| +|skip-checks| Skip checks against built image| false| init:0.2:skip-checks| +## Available params from tasks +### clair-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|docker-auth| unused, should be removed in next task version.| | | +|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +### clamav-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|docker-auth| unused| | | +|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +### deprecated-image-check:0.4 task 
parameters +|name|description|default value|already set by| +|---|---|---|---| +|BASE_IMAGES_DIGESTS| Digests of base build images.| | '$(tasks.build-container.results.BASE_IMAGES_DIGESTS)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | +|POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | +### ecosystem-cert-preflight-checks:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'| +### git-clone:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|deleteExisting| Clean out the contents of the destination directory if it already exists before cloning.| true| | +|depth| Perform a shallow clone, fetching only the most recent N commits.| 1| | +|enableSymlinkCheck| Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true| | +|fetchTags| Fetch all tags for the repo.| false| | +|gitInitImage| Deprecated. Has no effect. Will be removed in the future.| | | +|httpProxy| HTTP proxy server for non-SSL requests.| | | +|httpsProxy| HTTPS proxy server for SSL requests.| | | +|noProxy| Opt out of proxying HTTP/HTTPS requests.| | | +|refspec| Refspec to fetch before checking out revision.| | | +|revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | +|sslVerify| Set the `http.sslVerify` global git config. 
Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | +|subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| | +|submodules| Initialize and fetch git submodules.| true| | +|url| Repository URL to clone from.| None| '$(params.git-url)'| +|userHome| Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. | /tekton/home| | +|verbose| Log the commands that are executed during `git-clone`'s operation.| false| | +### init:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| +|rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| +|skip-checks| Skip checks against built image| false| '$(params.skip-checks)'| +### prefetch-dependencies:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false| | +|input| Configures project packages that will have their dependencies prefetched.| None| '$(params.prefetch-input)'| +|log-level| Set cachi2 log level (debug, info, warning, error)| info| | +### s2i-nodejs:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|BASE_IMAGE| NodeJS builder image| registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583@sha256:c17111ec54c7f57f22d03f2abba206b0bdc54dcdfb02d6a8278ce088231eced1| | +|BUILDER_IMAGE| Deprecated. Has no effect. 
Will be removed in the future.| | | +|COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'| +|DOCKER_AUTH| unused, should be removed in next task version| | | +|IMAGE| Location of the repo where image has to be pushed| None| '$(params.output-image)'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|MAVEN_MIRROR_URL| The base URL of a mirror used for retrieving artifacts| | | +|PATH_CONTEXT| The location of the path to run s2i from.| .| '$(params.path-context)'| +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | +### sast-snyk-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | +|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | +### sbom-json-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| +### show-sbom:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | +### source-build:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|BASE_IMAGES| Base images used to build the binary image. 
Each image per line in the same order of FROM instructions specified in a multistage Dockerfile. Default to an empty string, which means to skip handling a base image.| | '$(tasks.build-container.results.BASE_IMAGES_DIGESTS)'| +|BINARY_IMAGE| Binary image name from which to generate the source image name.| None| '$(params.output-image)'| +### summary:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| +|image-url| Image URL| None| '$(params.output-image)'| +|pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| + +## Results +|name|description|value| +|---|---|---| +|CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| +|CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| +|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +## Available results from tasks +### clair-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|CLAIR_SCAN_RESULT| Clair scan result.| | +|IMAGES_PROCESSED| Images processed in the task.| | +|TEST_OUTPUT| Tekton task test output.| | +### clamav-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|TEST_OUTPUT| Tekton task test output.| | +### deprecated-image-check:0.4 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### ecosystem-cert-preflight-checks:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Preflight pass or fail outcome.| | +### git-clone:0.1 task results 
+|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA| +|url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| +### init:0.2 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|build| Defines if the image in param image-url should be built| | +### s2i-nodejs:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|BASE_IMAGES_DIGESTS| Digests of the base images used for build| build-source-image:0.1:BASE_IMAGES ; deprecated-base-image-check:0.4:BASE_IMAGES_DIGESTS| +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST| +|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL| +### sast-snyk-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sbom-json-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|TEST_OUTPUT| Tekton task test output.| | +### source-build:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|BUILD_RESULT| Build result.| | +|SOURCE_IMAGE_DIGEST| The source image digest.| | +|SOURCE_IMAGE_URL| The source image url.| | + +## Workspaces +|name|description|optional|used in tasks +|---|---|---|---| +|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| +|workspace| 
|False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.1:workspace| +## Available workspaces from tasks +### git-clone:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth| +|output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace| +|ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| | +### prefetch-dependencies:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. 
| True| git-auth| +|source| Workspace with the source code, cachi2 artifacts will be stored on the workspace as well| False| workspace| +### s2i-nodejs:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|source| Workspace containing the source code to build.| False| workspace| +### sast-snyk-check:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| | False| workspace| +### source-build:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| The workspace where source code is included.| False| workspace| +### summary:0.2 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| The workspace where source code is included.| True| workspace| diff --git a/pipelines/tekton-bundle-builder/README.md b/pipelines/tekton-bundle-builder/README.md new file mode 100644 index 0000000000..fc38210c82 --- /dev/null +++ b/pipelines/tekton-bundle-builder/README.md 
@@ -0,0 +1,159 @@ +# "tekton-bundle-builder pipeline" +## Parameters +|name|description|default value|used in (taskname:taskrefversion:taskparam)| +|---|---|---|---| +|build-source-image| Build a source image.| false| | +|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| | +|git-url| Source Repository URL| None| clone-repository:0.1:url| +|hermetic| Execute the build with network isolation| false| | +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | | +|java| Java build| false| | +|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE| +|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT| +|prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input| +|rebuild| Force rebuild image| false| init:0.2:rebuild| +|revision| Revision of the Source Repository| | clone-repository:0.1:revision| +|skip-checks| Skip checks against built image| false| init:0.2:skip-checks| +## Available params from tasks +### clair-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|docker-auth| unused, should be removed in next task version.| | | +|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +### ecosystem-cert-preflight-checks:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'| +### git-clone:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| 
| +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|deleteExisting| Clean out the contents of the destination directory if it already exists before cloning.| true| | +|depth| Perform a shallow clone, fetching only the most recent N commits.| 1| | +|enableSymlinkCheck| Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true| | +|fetchTags| Fetch all tags for the repo.| false| | +|gitInitImage| Deprecated. Has no effect. Will be removed in the future.| | | +|httpProxy| HTTP proxy server for non-SSL requests.| | | +|httpsProxy| HTTPS proxy server for SSL requests.| | | +|noProxy| Opt out of proxying HTTP/HTTPS requests.| | | +|refspec| Refspec to fetch before checking out revision.| | | +|revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| +|sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | +|sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | +|subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| | +|submodules| Initialize and fetch git submodules.| true| | +|url| Repository URL to clone from.| None| '$(params.git-url)'| +|userHome| Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. 
| /tekton/home| | +|verbose| Log the commands that are executed during `git-clone`'s operation.| false| | +### init:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| +|rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| +|skip-checks| Skip checks against built image| false| '$(params.skip-checks)'| +### prefetch-dependencies:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false| | +|input| Configures project packages that will have their dependencies prefetched.| None| '$(params.prefetch-input)'| +|log-level| Set cachi2 log level (debug, info, warning, error)| info| | +### sast-snyk-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | +|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | +### sbom-json-check:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| +### summary:0.2 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| +|image-url| Image URL| 
None| '$(params.output-image)'| +|pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| +### tkn-bundle:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| +|HOME| Value for the HOME environment variable.| /tekton/home| | +|IMAGE| Reference of the image task will produce.| None| '$(params.output-image)'| +|STEPS_IMAGE| An optional image to configure task steps with in the bundle| | | + +## Results +|name|description|value| +|---|---|---| +|CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| +|CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| +|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +## Available results from tasks +### clair-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|CLAIR_SCAN_RESULT| Clair scan result.| | +|IMAGES_PROCESSED| Images processed in the task.| | +|TEST_OUTPUT| Tekton task test output.| | +### ecosystem-cert-preflight-checks:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Preflight pass or fail outcome.| | +### git-clone:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|commit| The precise commit SHA that was fetched by this Task.| | +|url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| +### init:0.2 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|build| Defines if the image in param image-url should be built| | +### sast-snyk-check:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|TEST_OUTPUT| Tekton task test output.| | +### sbom-json-check:0.1 task results +|name|description|used in params 
(taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|TEST_OUTPUT| Tekton task test output.| | +### tkn-bundle:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGE_DIGEST| Digest of the image just built| clair-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST| +|IMAGE_URL| Image repository where the built image was pushed with tag only| clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL| + +## Workspaces +|name|description|optional|used in tasks +|---|---|---|---| +|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; sast-snyk-check:0.1:workspace| +## Available workspaces from tasks +### git-clone:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth| +|output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace| +|ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. 
| True| | +### prefetch-dependencies:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True| git-auth| +|source| Workspace with the source code, cachi2 artifacts will be stored on the workspace as well| False| workspace| +### sast-snyk-check:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| | False| workspace| +### summary:0.2 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|workspace| The workspace where source code is included.| True| workspace| +### tkn-bundle:0.1 task workspaces +|name|description|optional|workspace from pipeline +|---|---|---|---| +|source| | False| workspace| From e9905b11a21e9ef6099e24537fd40b2b424d927f Mon Sep 17 00:00:00 2001 From: Sushanta Das Date: Wed, 8 May 2024 14:45:41 +0530 Subject: [PATCH 02/15] STONEBLD-2419: reneable tests for source build image parent using latest --- .tekton/tasks/e2e-test.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.tekton/tasks/e2e-test.yaml b/.tekton/tasks/e2e-test.yaml index 9c30ce6a9d..32637d5a67 100644 --- a/.tekton/tasks/e2e-test.yaml +++ b/.tekton/tasks/e2e-test.yaml 
@@ -38,8 +38,7 @@ spec: - name: APP_SUFFIX value: "$(params.app_suffix)" - name: COMPONENT_REPO_URLS - # TODO: https://issues.redhat.com/browse/STONEBLD-2419 - value: "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic,https://github.com/redhat-appstudio-qe/retrodep,https://github.com/cachito-testing/pip-e2e-test,https://github.com/redhat-appstudio-qe/fbc-sample-repo,https://github.com/redhat-appstudio-qe/nodejs-no-dockerfile,https://github.com/redhat-appstudio-qe/maven-hello-world,https://github.com/redhat-appstudio-qe/source-build-parent-image-with-digest-only,https://github.com/redhat-appstudio-qe/source-build-parent-image-with-both-tag-digest,https://github.com/redhat-appstudio-qe/source-build-parent-image-from-registry-rh-io" + value: "https://github.com/redhat-appstudio-qe/devfile-sample-python-basic,https://github.com/redhat-appstudio-qe/retrodep,https://github.com/cachito-testing/pip-e2e-test,https://github.com/redhat-appstudio-qe/fbc-sample-repo,https://github.com/redhat-appstudio-qe/nodejs-no-dockerfile,https://github.com/redhat-appstudio-qe/maven-hello-world,https://github.com/redhat-appstudio-qe/source-build-parent-image-with-digest-only,https://github.com/redhat-appstudio-qe/source-build-parent-image-with-both-tag-digest,https://github.com/redhat-appstudio-qe/source-build-use-latest-parent-image,https://github.com/redhat-appstudio-qe/source-build-parent-image-from-registry-rh-io" - name: QUAY_E2E_ORGANIZATION value: redhat-appstudio - name: E2E_APPLICATIONS_NAMESPACE From 431d60852bdb86757ab224b669622c98781ccb6d Mon Sep 17 00:00:00 2001 From: "rh-tap-build-team[bot]" <127938674+rh-tap-build-team[bot]@users.noreply.github.com> Date: Fri, 10 May 2024 13:46:09 +0000 Subject: [PATCH 03/15] update .tekton/tasks/e2e-test.yaml --- .tekton/tasks/e2e-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/tasks/e2e-test.yaml b/.tekton/tasks/e2e-test.yaml index 32637d5a67..ab7f08671a 100644 
--- a/.tekton/tasks/e2e-test.yaml +++ b/.tekton/tasks/e2e-test.yaml @@ -22,7 +22,7 @@ spec: type: string steps: - name: e2e-test - image: quay.io/redhat-appstudio/e2e-tests:27b9e94fee065d8de74a82f5ca726df6c40fd64a + image: quay.io/redhat-appstudio/e2e-tests:b9e71fe4fa3f7cad84b8d71cde1f5501b7deb8f4 # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened # against build-definitions to update this tag args: [ From 24a79ede0a2200999ba8a8376e1151ffa31699de Mon Sep 17 00:00:00 2001 From: Zoran Regvart Date: Thu, 2 May 2024 12:21:04 +0200 Subject: [PATCH 04/15] Remove unused `CSPLIT_CMD` variable --- hack/build-and-push.sh | 6 ------ 1 file changed, 6 deletions(-) diff --git a/hack/build-and-push.sh b/hack/build-and-push.sh index 6215c99d9c..e26c680616 100755 --- a/hack/build-and-push.sh +++ b/hack/build-and-push.sh @@ -50,12 +50,6 @@ function save_ref() { echo "${tagRef}@${digest}" } -if [[ $(uname) = Darwin ]]; then - CSPLIT_CMD="gcsplit" -else - CSPLIT_CMD="csplit" -fi - if [ -z "$MY_QUAY_USER" ]; then echo "MY_QUAY_USER is not set, skip this build." exit 0 From ae2266500d496faba421dc32ffa7ba6e6a862deb Mon Sep 17 00:00:00 2001 From: Zoran Regvart Date: Thu, 2 May 2024 12:43:47 +0200 Subject: [PATCH 05/15] Fix error handling in `tkn_bundle_push` When `tkn bundle push` exits with code not equal to 0, due to `errexit` being turned on (`set -e`) the script is terminated immediately without retrying. This changes the logic so if the `tkn bundle push` succeeds the retying while loop is stopped, i.e. the `&& break` branch is executed. In case of errors the `&& break` branch is not executed and the status of `tkn bundle push` is captured in the `status` variable, the retrying `while` loop continues until `max_retries` is reached. --- hack/build-and-push.sh | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/hack/build-and-push.sh b/hack/build-and-push.sh index e26c680616..44579f6e18 100755 --- a/hack/build-and-push.sh 
+++ b/hack/build-and-push.sh @@ -13,11 +13,8 @@ tkn_bundle_push() { local -r interval=${RETRY_INTERVAL:-5} local -r max_retries=5 while true; do - tkn bundle push "$@" + tkn bundle push "$@" && break status=$? - if [ $status == 0 ]; then - break - fi ((retry+=1)) if [ $retry -gt $max_retries ]; then return $status From a490569ede625922aa9882128611a82a19b93eb6 Mon Sep 17 00:00:00 2001 From: Zoran Regvart Date: Thu, 2 May 2024 12:45:53 +0200 Subject: [PATCH 06/15] Double quote variables This is to to prevent globs and multiple shell words being interpreted where one is expected. --- hack/build-and-push.sh | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/hack/build-and-push.sh b/hack/build-and-push.sh index 44579f6e18..4f9e75bd39 100755 --- a/hack/build-and-push.sh +++ b/hack/build-and-push.sh @@ -94,14 +94,14 @@ find task/*/*/ -maxdepth 0 -type d | awk -F '/' '{ print $0, $2, $3 }' | \ while read -r task_dir task_name task_version do prepared_task_file="${WORKDIR}/$task_name-${task_version}.yaml" - if [ -f $task_dir/$task_name.yaml ]; then - cp $task_dir/$task_name.yaml $prepared_task_file - task_file_sha=$(git log -n 1 --pretty=format:%H -- $task_dir/$task_name.yaml) - elif [ -f $task_dir/kustomization.yaml ]; then - oc kustomize $task_dir > $prepared_task_file - task_file_sha=$(sha256sum $prepared_task_file | awk '{print $1}') + if [ -f "$task_dir/$task_name.yaml" ]; then + cp "$task_dir/$task_name.yaml" "$prepared_task_file" + task_file_sha=$(git log -n 1 --pretty=format:%H -- "$task_dir/$task_name.yaml") + elif [ -f "$task_dir/kustomization.yaml" ]; then + oc kustomize "$task_dir" > "$prepared_task_file" + task_file_sha=$(sha256sum "$prepared_task_file" | awk '{print $1}') else - echo Unknown task in $task_dir + echo Unknown task in "$task_dir" continue fi repository=${TEST_REPO_NAME:-task-${task_name}} From 46f55f823eb83924f18d711151a652c757c2a2ee Mon Sep 17 00:00:00 2001 
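Review bot: The fix works because the left side of an `&&` list is exempt from `set -e` and because `status=$?` on the next line then sees the exit status of that list, which on failure is tkn's own status; neither fact is visible in the code, so the next reader may well "simplify" it back to the broken form. Suggest a comment above the push: `# left side of '&&' is exempt from 'set -e'; when the push fails, $? below is tkn's exit status`. Unlike `interval` and `max_retries`, `status` is not declared `local` in the visible lines, so it leaks into the caller's scope; a `local status` next to the other declarations would be consistent. tkn_bundle_push's body continues outside the hunk (the wait between retries is not visible here).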
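Review bot: The `else` branch still writes its diagnostic to stdout, `echo Unknown task in "$task_dir"`, while this is an error path inside a loop whose stdout is the build log; `echo "Unknown task in $task_dir" >&2` keeps it on stderr and quotes the whole message consistently with the other lines this hunk quotes. The enclosing `while read -r task_dir task_name task_version` loop starts before the hunk and continues past it.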
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Fri, 10 May 2024 07:39:16 +0000 Subject: [PATCH 07/15] chore(deps): update quay.io/redhat-appstudio/build-definitions-source-image-build-utils docker digest to 35938b9 --- task/source-build/0.1/source-build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/task/source-build/0.1/source-build.yaml b/task/source-build/0.1/source-build.yaml index 8ed934268d..3f2cab8051 100644 --- a/task/source-build/0.1/source-build.yaml +++ b/task/source-build/0.1/source-build.yaml @@ -36,7 +36,7 @@ spec: emptyDir: {} steps: - name: build - image: quay.io/redhat-appstudio/build-definitions-source-image-build-utils@sha256:9060c5b97428682ea8a775914fda8268f76b7b60d6c46a0b110e5ff37daff97f + image: quay.io/redhat-appstudio/build-definitions-source-image-build-utils@sha256:35938b954ccc2d8638a47af2db739965a343b7e2fa2652e111b1d57d236b3481 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. From 5569c84c0f5398682fa48724a220288ed53d5625 Mon Sep 17 00:00:00 2001 From: Pavel Sturc Date: Fri, 19 Apr 2024 13:53:52 +0200 Subject: [PATCH 08/15] feat: skip CI when the PR is in draft --- .tekton/pull-request.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/pull-request.yaml b/.tekton/pull-request.yaml index 478773e2e0..e76a7f5b47 100644 --- a/.tekton/pull-request.yaml +++ b/.tekton/pull-request.yaml 
@@ -4,7 +4,7 @@ kind: PipelineRun metadata: name: build-definitions-pull-request annotations: - pipelinesascode.tekton.dev/on-cel-expression: (event == "pull_request" && target_branch == "main") || (event == "push" && target_branch.startsWith("gh-readonly-queue/main/")) + pipelinesascode.tekton.dev/on-cel-expression: (event == "pull_request" && target_branch == "main" && body.pull_request.draft == false) || (event == "push" && target_branch.startsWith("gh-readonly-queue/main/")) pipelinesascode.tekton.dev/task: "[task/git-clone/0.1/git-clone.yaml, .tekton/tasks/buildah.yaml, .tekton/tasks/yaml-lint.yaml, .tekton/tasks/e2e-test.yaml, task/sast-snyk-check/0.1/sast-snyk-check.yaml]" pipelinesascode.tekton.dev/task-2: "yaml-lint" pipelinesascode.tekton.dev/max-keep-runs: "5" From 75ffd823b140fc5bdec601c5b9ad0af9dc5dd759 Mon Sep 17 00:00:00 2001 From: Pavel Sturc Date: Fri, 19 Apr 2024 14:50:42 +0200 Subject: [PATCH 09/15] feat: skip CI when the PR is in draft --- .tekton/pull-request.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/pull-request.yaml b/.tekton/pull-request.yaml index e76a7f5b47..626e783a1e 100644 --- a/.tekton/pull-request.yaml +++ b/.tekton/pull-request.yaml 
@@ -4,7 +4,7 @@ kind: PipelineRun metadata: name: build-definitions-pull-request annotations: - pipelinesascode.tekton.dev/on-cel-expression: (event == "pull_request" && target_branch == "main" && body.pull_request.draft == false) || (event == "push" && target_branch.startsWith("gh-readonly-queue/main/")) + pipelinesascode.tekton.dev/on-cel-expression: (event == "pull_request" && target_branch == "main" && ( !has(body.pull_request) || body.pull_request.draft == false) ) || (event == "push" && target_branch.startsWith("gh-readonly-queue/main/")) pipelinesascode.tekton.dev/task: "[task/git-clone/0.1/git-clone.yaml, .tekton/tasks/buildah.yaml, .tekton/tasks/yaml-lint.yaml, .tekton/tasks/e2e-test.yaml, task/sast-snyk-check/0.1/sast-snyk-check.yaml]" pipelinesascode.tekton.dev/task-2: "yaml-lint" pipelinesascode.tekton.dev/max-keep-runs: "5" From 0557cb712398572e16bae5f2137aaf733ac61e0d Mon Sep 17 00:00:00 2001 From: Pavel Sturc Date: Fri, 19 Apr 2024 17:13:45 +0200 Subject: [PATCH 10/15] Update .tekton/pull-request.yaml Co-authored-by: Adam Cmiel --- .tekton/pull-request.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/pull-request.yaml b/.tekton/pull-request.yaml index 626e783a1e..3d3ba76048 100644 --- a/.tekton/pull-request.yaml +++ b/.tekton/pull-request.yaml 
@@ -4,7 +4,7 @@ kind: PipelineRun metadata: name: build-definitions-pull-request annotations: - pipelinesascode.tekton.dev/on-cel-expression: (event == "pull_request" && target_branch == "main" && ( !has(body.pull_request) || body.pull_request.draft == false) ) || (event == "push" && target_branch.startsWith("gh-readonly-queue/main/")) + pipelinesascode.tekton.dev/on-cel-expression: (event == "pull_request" && target_branch == "main" && ( !has(body.pull_request) || !body.pull_request.draft) ) || (event == "push" && target_branch.startsWith("gh-readonly-queue/main/")) pipelinesascode.tekton.dev/task: "[task/git-clone/0.1/git-clone.yaml, .tekton/tasks/buildah.yaml, .tekton/tasks/yaml-lint.yaml, .tekton/tasks/e2e-test.yaml, task/sast-snyk-check/0.1/sast-snyk-check.yaml]" pipelinesascode.tekton.dev/task-2: "yaml-lint" pipelinesascode.tekton.dev/max-keep-runs: "5" From 861b0b8581e43b1da3b3ad81290feb3c4d60484e Mon Sep 17 00:00:00 2001 From: mkosiarc Date: Fri, 10 May 2024 15:44:58 +0200 Subject: [PATCH 11/15] Add new task for tagging images This new task "apply-tags" allows specifying additional-tags that will be added to the specified image. STONEBLD-2418 Signed-off-by: mkosiarc --- pipelines/template-build/template-build.yaml | 9 +++ task/apply-tags/0.1/README.md | 16 +++++ task/apply-tags/0.1/apply-tags.yaml | 63 ++++++++++++++++++++ task/apply-tags/OWNERS | 1 + 4 files changed, 89 insertions(+) create mode 100644 task/apply-tags/0.1/README.md create mode 100644 task/apply-tags/0.1/apply-tags.yaml create mode 100644 task/apply-tags/OWNERS diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml index 47aa9aa864..31cc368994 100644 --- a/pipelines/template-build/template-build.yaml +++ b/pipelines/template-build/template-build.yaml 
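Review bot: The guard `( !has(body.pull_request) || !body.pull_request.draft)` encodes two facts that the annotation alone does not convey — push events (the `gh-readonly-queue` branch) carry no `pull_request` object, and draft pull requests must not trigger CI — and it took this commit and the two preceding ones on the same line to get there. A YAML comment above the annotation would preserve that reasoning: `# Skip CI for draft PRs; body.pull_request is absent on push events, hence the has() guard`. Worth confirming that marking a draft as ready for review yields a `pull_request` event that Pipelines-as-Code evaluates against this expression; if it does not, a PR marked ready gets no run until its next push.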
@@ -224,6 +224,15 @@ spec: value: $(tasks.build-container.results.IMAGE_URL) - name: IMAGE_DIGEST value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: apply-tags + runAfter: + - build-container + taskRef: + name: apply-tags + version: "0.1" + params: + - name: IMAGE + value: $(tasks.build-container.results.IMAGE_URL) finally: - name: show-sbom diff --git a/task/apply-tags/0.1/README.md b/task/apply-tags/0.1/README.md new file mode 100644 index 0000000000..b3bf6e3f5c --- /dev/null +++ b/task/apply-tags/0.1/README.md @@ -0,0 +1,16 @@ +# apply-tags task + +Apply-tags task will apply additional tags to the specified IMAGE. These additional tags can be provided via the ADDITIONAL_TAGS array parameter or they can also be provided in the image label "konflux.additional-tags". If you specify more than one additional tag in the label, they must be separated by a comma or a blank space, e.g: + +``` +LABEL konflux.additional-tags="tag1, tag2" +``` +``` +LABEL konflux.additional-tags="tag tag2" +``` + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|IMAGE|Reference of image that was pushed to registry in the buildah task.||true| +|ADDITIONAL_TAGS|Additional tags that will be applied to the image in the registry.|[]|false| diff --git a/task/apply-tags/0.1/apply-tags.yaml b/task/apply-tags/0.1/apply-tags.yaml new file mode 100644 index 0000000000..95e7c04ddd --- /dev/null +++ b/task/apply-tags/0.1/apply-tags.yaml 
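Review bot: Only `IMAGE` is wired into the new `apply-tags` pipeline task; the task's `ADDITIONAL_TAGS` array parameter (declared in the task definition added by this commit) is not exposed, so pipelines generated from this template can add tags only through the `konflux.additional-tags` image label. If that is intentional, a comment on the task entry saying so would avoid the question; otherwise a pipeline-level array parameter passed as `- name: ADDITIONAL_TAGS` / `value: $(params.<pipeline-param>[*])` (placeholder name) is the missing piece. The pipeline's `params` block lies outside the hunk, so I cannot tell whether a suitable parameter already exists.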
@@ -0,0 +1,63 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/pipelines.minVersion: "0.12.1" + tekton.dev/tags: "appstudio, hacbs" + name: apply-tags +spec: + description: >- + Applies additional tags to the built image. + params: + - name: IMAGE + description: Reference of image that was pushed to registry in the buildah task. + type: string + - name: ADDITIONAL_TAGS + description: Additional tags that will be applied to the image in the registry. + type: array + default: [] + steps: + - name: apply-additional-tags-from-parameter + image: registry.access.redhat.com/ubi9/skopeo:9.4-6@sha256:c4d70dec3eb0a0c831490192145ea25431fe04d1cf307f8d61e2d87adb41e7e3 + args: + - $(params.ADDITIONAL_TAGS[*]) + env: + - name: IMAGE + value: $(params.IMAGE) + script: | + #!/bin/bash + + if [ "$#" -ne 0 ]; then + IMAGE_WITHOUT_TAG=$(echo "$IMAGE" | sed 's/:[^:]*$//') + for tag in "$@"; do + echo "Applying tag $tag" + skopeo copy docker://$IMAGE docker://$IMAGE_WITHOUT_TAG:$tag + done + else + echo "No additional tags parameter specified" + fi + + - name: apply-additional-tags-from-image-label + image: registry.access.redhat.com/ubi9/skopeo:9.4-6@sha256:c4d70dec3eb0a0c831490192145ea25431fe04d1cf307f8d61e2d87adb41e7e3 + env: + - name: IMAGE + value: $(params.IMAGE) + script: | + #!/bin/bash + + ADDITIONAL_TAGS_FROM_IMAGE_LABEL=$(skopeo inspect --format '{{ index .Labels "konflux.additional-tags" }}' docker://$IMAGE) + + if [ -n "${ADDITIONAL_TAGS_FROM_IMAGE_LABEL}" ]; then + IFS=', ' read -r -a tags_array <<< "$ADDITIONAL_TAGS_FROM_IMAGE_LABEL" + + IMAGE_WITHOUT_TAG=$(echo "$IMAGE" | sed 's/:[^:]*$//') + for tag in "${tags_array[@]}" + do + echo "Applying tag $tag" + skopeo copy docker://$IMAGE docker://$IMAGE_WITHOUT_TAG:$tag + done + else + echo "No additional tags specified in the image labels" + fi 
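Review bot: In both steps the `skopeo copy docker://$IMAGE docker://$IMAGE_WITHOUT_TAG:$tag` call expands `$IMAGE` and `$tag` unquoted, and in the second step `$tag` comes straight from the built image's `konflux.additional-tags` label, i.e. from whoever authors the Dockerfile; a value that is not a valid OCI tag currently surfaces only as a skopeo reference-parse error, and an empty field (e.g. from `tag1,,tag2`) produces `docker://repo:`. Quoting both references and validating each tag against the OCI tag grammar before copying fails fast with a clear message. Separately, `sed 's/:[^:]*$//'` strips the last `:`-suffix of the whole reference, which is wrong for `repo@sha256:<digest>` inputs and for an untagged reference whose registry has a port (`registry:5000/repo` becomes `registry`); the pipeline in this series passes a tagged `IMAGE_URL`, so the task is fine there, but as a reusable task it should drop any `@digest` first and only strip a `:suffix` containing no `/`. The rewritten label step follows; the parameter step's loop takes the same quoting and validation.

```yaml
      script: |
        #!/bin/bash

        ADDITIONAL_TAGS_FROM_IMAGE_LABEL=$(skopeo inspect --format '{{ index .Labels "konflux.additional-tags" }}' "docker://$IMAGE")

        if [ -n "${ADDITIONAL_TAGS_FROM_IMAGE_LABEL}" ]; then
          IFS=', ' read -r -a tags_array <<< "$ADDITIONAL_TAGS_FROM_IMAGE_LABEL"

          # Drop any @digest first, then a trailing :tag; a ':port' before the path contains '/' and is kept.
          IMAGE_WITHOUT_TAG=$(echo "$IMAGE" | sed -E 's/@.*$//; s/:[^:/]*$//')
          for tag in "${tags_array[@]}"; do
            # OCI tag grammar; rejects empty fields and anything with a path separator.
            if ! [[ "$tag" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
              echo "Invalid tag in konflux.additional-tags label: '$tag'" >&2
              exit 1
            fi
            echo "Applying tag $tag"
            skopeo copy "docker://$IMAGE" "docker://$IMAGE_WITHOUT_TAG:$tag"
          done
        # … unchanged: else branch reporting that the label set no tags …
```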
diff --git a/task/apply-tags/OWNERS b/task/apply-tags/OWNERS new file mode 100644 index 0000000000..e3038ade09 --- /dev/null +++ b/task/apply-tags/OWNERS @@ -0,0 +1 @@ +Konflux Build team From 1cb5e744780c391e490b9cc70dd35ce251a82ca1 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 13 May 2024 09:33:32 +0000 Subject: [PATCH 12/15] chore(deps): update quay.io/redhat-appstudio/build-definitions-source-image-build-utils docker digest to cd87bbe --- task/source-build/0.1/source-build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/task/source-build/0.1/source-build.yaml b/task/source-build/0.1/source-build.yaml index 3f2cab8051..7784d707bd 100644 --- a/task/source-build/0.1/source-build.yaml +++ b/task/source-build/0.1/source-build.yaml @@ -36,7 +36,7 @@ spec: emptyDir: {} steps: - name: build - image: quay.io/redhat-appstudio/build-definitions-source-image-build-utils@sha256:35938b954ccc2d8638a47af2db739965a343b7e2fa2652e111b1d57d236b3481 + image: quay.io/redhat-appstudio/build-definitions-source-image-build-utils@sha256:cd87bbe51f1c22ff7578f5c9caf19db4f9ee7aefd0307288383b9bd478cdf856 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. From df9fbc636a4d66b447e3f10db01d8c8d9e2b2538 Mon Sep 17 00:00:00 2001 From: Luiz Carvalho Date: Fri, 10 May 2024 16:25:31 -0400 Subject: [PATCH 13/15] Seed git-clone-oci-ta task from git-clone Task This commit creates a copy of the git-clone directory in the git-clone-oci-ta directory. This is done to make it easier to review the corresponding changes to support Trusted Artifacts. 
Signed-off-by: Luiz Carvalho --- task/git-clone-oci-ta/0.1/README.md | 37 +++ task/git-clone-oci-ta/0.1/git-clone.yaml | 306 +++++++++++++++++++++++ task/git-clone-oci-ta/OWNERS | 1 + 3 files changed, 344 insertions(+) create mode 100644 task/git-clone-oci-ta/0.1/README.md create mode 100644 task/git-clone-oci-ta/0.1/git-clone.yaml create mode 100644 task/git-clone-oci-ta/OWNERS diff --git a/task/git-clone-oci-ta/0.1/README.md b/task/git-clone-oci-ta/0.1/README.md new file mode 100644 index 0000000000..050112e9d9 --- /dev/null +++ b/task/git-clone-oci-ta/0.1/README.md 
@@ -0,0 +1,37 @@ +# git-clone task + +The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace. + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|url|Repository URL to clone from.||true| +|revision|Revision to checkout. (branch, tag, sha, ref, etc...)|""|false| +|refspec|Refspec to fetch before checking out revision.|""|false| +|submodules|Initialize and fetch git submodules.|true|false| +|depth|Perform a shallow clone, fetching only the most recent N commits.|1|false| +|sslVerify|Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.|true|false| +|subdirectory|Subdirectory inside the `output` Workspace to clone the repo into.|""|false| +|sparseCheckoutDirectories|Define the directory patterns to match or exclude when performing a sparse checkout.|""|false| +|deleteExisting|Clean out the contents of the destination directory if it already exists before cloning.|true|false| +|httpProxy|HTTP proxy server for non-SSL requests.|""|false| +|httpsProxy|HTTPS proxy server for SSL requests.|""|false| +|noProxy|Opt out of proxying HTTP/HTTPS requests.|""|false| +|verbose|Log the commands that are executed during `git-clone`'s operation.|true|false| +|gitInitImage|Deprecated. Has no effect. Will be removed in the future.|""|false| +|userHome|Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user or have overridden the gitInitImage param with an image containing custom user configuration. |/tekton/home|false| +|enableSymlinkCheck|Check symlinks in the repo. 
If they're pointing outside of the repo, the build will fail.|true|false| +|fetchTags|Fetch all tags for the repo.|false|false| + +## Results +|name|description| +|---|---| +|commit|The precise commit SHA that was fetched by this Task.| +|url|The precise URL that was fetched by this Task.| + +## Workspaces +|name|description|optional| +|---|---|---| +|output|The git repo will be cloned onto the volume backing this Workspace.|false| +|ssh-directory|A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. |true| +|basic-auth|A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. |true| diff --git a/task/git-clone-oci-ta/0.1/git-clone.yaml b/task/git-clone-oci-ta/0.1/git-clone.yaml new file mode 100644 index 0000000000..fa3247646e --- /dev/null +++ b/task/git-clone-oci-ta/0.1/git-clone.yaml 
@@ -0,0 +1,306 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + labels: + app.kubernetes.io/version: "0.1" + annotations: + tekton.dev/categories: Git + tekton.dev/displayName: git clone + tekton.dev/pipelines.minVersion: 0.21.0 + tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64 + tekton.dev/tags: git + name: git-clone +spec: + description: |- + The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace. + params: + - description: Repository URL to clone from. + name: url + type: string + - default: "" + description: Revision to checkout. (branch, tag, sha, ref, etc...) + name: revision + type: string + - default: "" + description: Refspec to fetch before checking out revision. + name: refspec + type: string + - default: "true" + description: Initialize and fetch git submodules. + name: submodules + type: string + - default: "1" + description: Perform a shallow clone, fetching only the most recent N commits. + name: depth + type: string + - default: "true" + description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. + name: sslVerify + type: string + - default: "source" + description: Subdirectory inside the `output` Workspace to clone the repo into. + name: subdirectory + type: string + - default: "" + description: Define the directory patterns to match or exclude when performing a sparse checkout. + name: sparseCheckoutDirectories + type: string + - default: "true" + description: Clean out the contents of the destination directory if it already exists before cloning. + name: deleteExisting + type: string + - default: "" + description: HTTP proxy server for non-SSL requests. + name: httpProxy + type: string + - default: "" + description: HTTPS proxy server for SSL requests. 
+ name: httpsProxy + type: string + - default: "" + description: Opt out of proxying HTTP/HTTPS requests. + name: noProxy + type: string + - default: "false" + description: Log the commands that are executed during `git-clone`'s operation. + name: verbose + type: string + - default: "" + description: Deprecated. Has no effect. Will be removed in the future. + name: gitInitImage + type: string + - default: /tekton/home + description: | + Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. + name: userHome + type: string + - default: "true" + description: | + Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. + name: enableSymlinkCheck + type: string + - default: "false" + description: Fetch all tags for the repo. + name: fetchTags + type: string + - name: caTrustConfigMapName + type: string + description: The name of the ConfigMap to read CA bundle data from. + default: trusted-ca + - name: caTrustConfigMapKey + type: string + description: The name of the key in the ConfigMap that contains the CA bundle data. + default: ca-bundle.crt + results: + - description: The precise commit SHA that was fetched by this Task. + name: commit + - description: The precise URL that was fetched by this Task. 
+ name: url + steps: + - name: clone + env: + - name: HOME + value: $(params.userHome) + - name: PARAM_URL + value: $(params.url) + - name: PARAM_REVISION + value: $(params.revision) + - name: PARAM_REFSPEC + value: $(params.refspec) + - name: PARAM_SUBMODULES + value: $(params.submodules) + - name: PARAM_DEPTH + value: $(params.depth) + - name: PARAM_SSL_VERIFY + value: $(params.sslVerify) + - name: PARAM_SUBDIRECTORY + value: $(params.subdirectory) + - name: PARAM_DELETE_EXISTING + value: $(params.deleteExisting) + - name: PARAM_HTTP_PROXY + value: $(params.httpProxy) + - name: PARAM_HTTPS_PROXY + value: $(params.httpsProxy) + - name: PARAM_NO_PROXY + value: $(params.noProxy) + - name: PARAM_VERBOSE + value: $(params.verbose) + - name: PARAM_SPARSE_CHECKOUT_DIRECTORIES + value: $(params.sparseCheckoutDirectories) + - name: PARAM_USER_HOME + value: $(params.userHome) + - name: PARAM_FETCH_TAGS + value: $(params.fetchTags) + - name: PARAM_GIT_INIT_IMAGE + value: $(params.gitInitImage) + - name: WORKSPACE_OUTPUT_PATH + value: $(workspaces.output.path) + - name: WORKSPACE_SSH_DIRECTORY_BOUND + value: $(workspaces.ssh-directory.bound) + - name: WORKSPACE_SSH_DIRECTORY_PATH + value: $(workspaces.ssh-directory.path) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND + value: $(workspaces.basic-auth.bound) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH + value: $(workspaces.basic-auth.path) + image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8:v1.8.2-8@sha256:a538c423e7a11aae6ae582a411fdb090936458075f99af4ce5add038bb6983e8 + computeResources: {} + securityContext: + runAsUser: 0 + volumeMounts: + - name: trusted-ca + mountPath: /mnt/trusted-ca + readOnly: true + script: | + #!/usr/bin/env sh + set -eu + + if [ "${PARAM_VERBOSE}" = "true" ] ; then + set -x + fi + + if [ -n "${PARAM_GIT_INIT_IMAGE}" ]; then + echo "WARNING: provided deprecated gitInitImage parameter has no effect." 
+ fi + + if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then + if [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" ]; then + cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials" + cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig" + # Compatibility with kubernetes.io/basic-auth secrets + elif [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username" ] && [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password" ]; then + HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}') + echo "https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME" > "${PARAM_USER_HOME}/.git-credentials" + echo -e "[credential \"https://$HOSTNAME\"]\n helper = store" > "${PARAM_USER_HOME}/.gitconfig" + else + echo "Unknown basic-auth workspace format" + exit 1 + fi + chmod 400 "${PARAM_USER_HOME}/.git-credentials" + chmod 400 "${PARAM_USER_HOME}/.gitconfig" + fi + + # Should be called after the gitconfig is copied from the repository secret + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + git config --global http.sslCAInfo "$ca_bundle" + fi + + if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then + cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh + chmod 700 "${PARAM_USER_HOME}"/.ssh + chmod -R 400 "${PARAM_USER_HOME}"/.ssh/* + fi + + CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}" + + cleandir() { + # Delete any existing contents of the repo directory if it exists. + # + # We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/" + # or the root of a mounted volume. + if [ -d "${CHECKOUT_DIR}" ] ; then + # Delete non-hidden files and directories + rm -rf "${CHECKOUT_DIR:?}"/* + # Delete files and directories starting with . 
but excluding .. + rm -rf "${CHECKOUT_DIR}"/.[!.]* + # Delete files and directories starting with .. plus any other character + rm -rf "${CHECKOUT_DIR}"/..?* + fi + } + + if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then + cleandir + fi + + test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}" + test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}" + test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}" + + /ko-app/git-init \ + -url="${PARAM_URL}" \ + -revision="${PARAM_REVISION}" \ + -refspec="${PARAM_REFSPEC}" \ + -path="${CHECKOUT_DIR}" \ + -sslVerify="${PARAM_SSL_VERIFY}" \ + -submodules="${PARAM_SUBMODULES}" \ + -depth="${PARAM_DEPTH}" \ + -sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}" + cd "${CHECKOUT_DIR}" + RESULT_SHA="$(git rev-parse HEAD)" + EXIT_CODE="$?" + if [ "${EXIT_CODE}" != 0 ] ; then + exit "${EXIT_CODE}" + fi + printf "%s" "${RESULT_SHA}" > "$(results.commit.path)" + printf "%s" "${PARAM_URL}" > "$(results.url.path)" + + if [ "${PARAM_FETCH_TAGS}" = "true" ] ; then + echo "Fetching tags" + git fetch --tags + fi + + - name: symlink-check + image: registry.redhat.io/ubi9:9.2-696@sha256:089bd3b82a78ac45c0eed231bb58bfb43bfcd0560d9bba240fc6355502c92976 + # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting + # the cluster will set imagePullPolicy to IfNotPresent + # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. 
+ env: + - name: PARAM_ENABLE_SYMLINK_CHECK + value: $(params.enableSymlinkCheck) + - name: PARAM_SUBDIRECTORY + value: $(params.subdirectory) + - name: WORKSPACE_OUTPUT_PATH + value: $(workspaces.output.path) + computeResources: {} + script: | + #!/usr/bin/env bash + set -euo pipefail + + CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}" + check_symlinks() { + FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false + while read symlink + do + target=$(readlink -f "$symlink") + if ! [[ "$target" =~ ^$CHECKOUT_DIR ]]; then + echo "The cloned repository contains symlink pointing outside of the cloned repository: $symlink" + FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true + fi + done < <(find $CHECKOUT_DIR -type l -print) + if [ "$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO" = true ] ; then + return 1 + fi + } + + if [ "${PARAM_ENABLE_SYMLINK_CHECK}" = "true" ] ; then + echo "Running symlink check" + check_symlinks + fi + workspaces: + - description: The git repo will be cloned onto the volume backing this Workspace. + name: output + - description: | + A .ssh directory with private key, known_hosts, config, etc. Copied to + the user's home before git commands are executed. Used to authenticate + with the git remote when performing the clone. Binding a Secret to this + Workspace is strongly recommended over other volume types. + name: ssh-directory + optional: true + - description: | + A Workspace containing a .gitconfig and .git-credentials file or username and password. + These will be copied to the user's home before any git commands are run. Any + other files in this Workspace are ignored. It is strongly recommended + to use ssh-directory over basic-auth whenever possible and to bind a + Secret to this Workspace over other volume types. + name: basic-auth + optional: true + volumes: + - name: trusted-ca + configMap: + name: $(params.caTrustConfigMapName) + items: + - key: $(params.caTrustConfigMapKey) + path: ca-bundle.crt + optional: true 
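Review bot: The `symlink-check` step decides "inside the repo" with `[[ "$target" =~ ^$CHECKOUT_DIR ]]`, an unquoted regex prefix test: a target under a sibling directory sharing the prefix (`${CHECKOUT_DIR}-other/...`) passes, and any regex metacharacter in the path is interpreted rather than matched literally. A literal pattern test is both safer and simpler, `if [[ "$target" != "$CHECKOUT_DIR" && "$target" != "$CHECKOUT_DIR"/* ]]; then`, and `find "$CHECKOUT_DIR" -type l -print` should be quoted for the same reason. The commit declares this file a verbatim seed copy of the `git-clone` task, so the same fix belongs at the source task rather than only here. In the `clone` step, `EXIT_CODE="$?"` after `RESULT_SHA="$(git rev-parse HEAD)"` is dead code under `set -eu`, since a failing command substitution already aborts the script before the check.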
diff --git a/task/git-clone-oci-ta/OWNERS b/task/git-clone-oci-ta/OWNERS new file mode 100644 index 0000000000..aa72b50760 --- /dev/null +++ b/task/git-clone-oci-ta/OWNERS @@ -0,0 +1 @@ +Stonesoup Build Team From 67b5cd1ef6bc9946b646b42b285ef39938a76e0f Mon Sep 17 00:00:00 2001 From: Luiz Carvalho Date: Fri, 10 May 2024 16:29:29 -0400 Subject: [PATCH 14/15] Rename git-clone.yaml to git-clone-oci-ta.yaml Signed-off-by: Luiz Carvalho --- .../0.1/{git-clone.yaml => git-clone-oci-ta.yaml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename task/git-clone-oci-ta/0.1/{git-clone.yaml => git-clone-oci-ta.yaml} (100%) diff --git a/task/git-clone-oci-ta/0.1/git-clone.yaml b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml similarity index 100% rename from task/git-clone-oci-ta/0.1/git-clone.yaml rename to task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml From 09d6e65894f8cd1a13ba4019d5c0342e19ec773d Mon Sep 17 00:00:00 2001 From: Luiz Carvalho Date: Fri, 10 May 2024 16:53:55 -0400 Subject: [PATCH 15/15] Implement git-clone-oci-ta Task Ref: EC-550 Co-authored-by: Zoran Regvart Signed-off-by: Luiz Carvalho --- task/git-clone-oci-ta/0.1/README.md | 19 ++-- .../0.1/git-clone-oci-ta.yaml | 102 ++++++++---------- 2 files changed, 53 insertions(+), 68 deletions(-) diff --git a/task/git-clone-oci-ta/0.1/README.md b/task/git-clone-oci-ta/0.1/README.md index 050112e9d9..fe1cbd9a91 100644 --- a/task/git-clone-oci-ta/0.1/README.md +++ b/task/git-clone-oci-ta/0.1/README.md @@ -1,6 +1,6 @@ -# git-clone task +# git-clone-oci-ta task -The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace. +The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted artifact in the provided OCI repository. ## Parameters |name|description|default value|required| 
@@ -11,27 +11,28 @@ The git-clone Task will clone a repo from the provided url into the output Works |submodules|Initialize and fetch git submodules.|true|false| |depth|Perform a shallow clone, fetching only the most recent N commits.|1|false| |sslVerify|Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.|true|false| -|subdirectory|Subdirectory inside the `output` Workspace to clone the repo into.|""|false| |sparseCheckoutDirectories|Define the directory patterns to match or exclude when performing a sparse checkout.|""|false| -|deleteExisting|Clean out the contents of the destination directory if it already exists before cloning.|true|false| |httpProxy|HTTP proxy server for non-SSL requests.|""|false| |httpsProxy|HTTPS proxy server for SSL requests.|""|false| |noProxy|Opt out of proxying HTTP/HTTPS requests.|""|false| -|verbose|Log the commands that are executed during `git-clone`'s operation.|true|false| -|gitInitImage|Deprecated. Has no effect. Will be removed in the future.|""|false| -|userHome|Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user or have overridden the gitInitImage param with an image containing custom user configuration. |/tekton/home|false| -|enableSymlinkCheck|Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.|true|false| +|verbose|Log the commands that are executed during `git-clone`'s operation.|false|false| +|userHome|Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. |/tekton/home|false| +|enableSymlinkCheck|Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. 
|true|false| |fetchTags|Fetch all tags for the repo.|false|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|ociStorage|The OCI repository where the clone repository will be stored.||true| +|ociArtifactExpiresAfter|Expiration date for the artifacts created in the OCI repository.|""|false| ## Results |name|description| |---|---| |commit|The precise commit SHA that was fetched by this Task.| |url|The precise URL that was fetched by this Task.| +|sourceArtifact|The OCI reference to the trusted source artifact containing the cloned git repo.| ## Workspaces |name|description|optional| |---|---|---| -|output|The git repo will be cloned onto the volume backing this Workspace.|false| |ssh-directory|A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. |true| |basic-auth|A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. |true| diff --git a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml index fa3247646e..fdd96a9c9e 100644 --- a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml +++ b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml @@ -1,3 +1,4 @@ +--- apiVersion: tekton.dev/v1 kind: Task metadata: 
@@ -5,14 +6,15 @@ metadata: app.kubernetes.io/version: "0.1" annotations: tekton.dev/categories: Git - tekton.dev/displayName: git clone + tekton.dev/displayName: git clone oci trusted artifacts tekton.dev/pipelines.minVersion: 0.21.0 tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64 tekton.dev/tags: git - name: git-clone + name: git-clone-oci-ta spec: - description: |- - The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace. + description: >- + The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted + artifact in the provided OCI repository. params: - description: Repository URL to clone from. name: url @@ -37,18 +39,10 @@ spec: description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote. name: sslVerify type: string - - default: "source" - description: Subdirectory inside the `output` Workspace to clone the repo into. - name: subdirectory - type: string - default: "" description: Define the directory patterns to match or exclude when performing a sparse checkout. name: sparseCheckoutDirectories type: string - - default: "true" - description: Clean out the contents of the destination directory if it already exists before cloning. - name: deleteExisting - type: string - default: "" description: HTTP proxy server for non-SSL requests. name: httpProxy @@ -65,10 +59,6 @@ spec: description: Log the commands that are executed during `git-clone`'s operation. name: verbose type: string - - default: "" - description: Deprecated. Has no effect. Will be removed in the future. - name: gitInitImage - type: string - default: /tekton/home description: | Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. 
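Review bot: The `default:` line for the `verbose` param sits immediately above the `@@ -65,10 +59,6 @@` hunk and is not touched here, yet the README hunk in this same commit changes the documented default of `verbose` from `true` to `false`; please confirm the YAML default and the README agree. It matters more than a cosmetic mismatch because `verbose` appears to gate `set -x` tracing of the clone script (the `set -x` / `fi` context in the later script hunk), so the two files should not disagree on whether command tracing is on by default. If the YAML still says `default: "true"`, either change it in one place or regenerate the README from the YAML.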
@@ -91,11 +81,22 @@ spec: type: string description: The name of the key in the ConfigMap that contains the CA bundle data. default: ca-bundle.crt + - name: ociStorage + type: string + description: The OCI repository where the clone repository will be stored. + - name: ociArtifactExpiresAfter + type: string + description: Expiration date for the artifacts created in the OCI repository. + default: "" + results: - description: The precise commit SHA that was fetched by this Task. name: commit - description: The precise URL that was fetched by this Task. name: url + - description: The OCI reference to the trusted source artifact containing the cloned git repo. + name: sourceArtifact + type: string steps: - name: clone env: @@ -113,10 +114,6 @@ spec: value: $(params.depth) - name: PARAM_SSL_VERIFY value: $(params.sslVerify) - - name: PARAM_SUBDIRECTORY - value: $(params.subdirectory) - - name: PARAM_DELETE_EXISTING - value: $(params.deleteExisting) - name: PARAM_HTTP_PROXY value: $(params.httpProxy) - name: PARAM_HTTPS_PROXY @@ -131,10 +128,6 @@ spec: value: $(params.userHome) - name: PARAM_FETCH_TAGS value: $(params.fetchTags) - - name: PARAM_GIT_INIT_IMAGE - value: $(params.gitInitImage) - - name: WORKSPACE_OUTPUT_PATH - value: $(workspaces.output.path) - name: WORKSPACE_SSH_DIRECTORY_BOUND value: $(workspaces.ssh-directory.bound) - name: WORKSPACE_SSH_DIRECTORY_PATH @@ -143,6 +136,8 @@ spec: value: $(workspaces.basic-auth.bound) - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH value: $(workspaces.basic-auth.path) + - name: CHECKOUT_DIR + value: /var/source image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8:v1.8.2-8@sha256:a538c423e7a11aae6ae582a411fdb090936458075f99af4ce5add038bb6983e8 computeResources: {} securityContext: @@ -151,6 +146,8 @@ spec: - name: trusted-ca mountPath: /mnt/trusted-ca readOnly: true + - name: source + mountPath: /var/source script: | #!/usr/bin/env sh set -eu 
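Review bot: `ociArtifactExpiresAfter` is described as an "Expiration date" but is passed to the create step as `IMAGE_EXPIRES_AFTER` without saying what form the value takes (an absolute date, a duration, or empty to never expire), so callers have to read the build-trusted-artifacts tool to find out; extend the description to name the accepted format and to state what the empty default means. `ociStorage` deliberately has no `default:` so the task cannot publish to a guessed registry; if that is the intent, a one-line comment above it, `# no default on purpose: the caller must name the store the source is published to`, makes the omission look intentional rather than accidental. The same description has a small wording slip: "where the clone repository will be stored" should read "where the cloned repository will be stored".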
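Review bot: The literal `/var/source` is now repeated as the `CHECKOUT_DIR` value here, as the `source` mountPath in the `@@ -151,6 +146,8 @@` hunk, and again in the symlink-check and create-trusted-artifact steps in the later hunks, with nothing tying the copies together; a drift in any one of them would make the checkout, the check and the publish step silently look at different directories. A comment on this env entry, `# must equal the mountPath of the "source" volume in every step below`, and the same note on the volume declaration, is the minimum; a task param with this default would remove the duplication entirely.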
@@ -159,10 +156,6 @@ spec: set -x fi - if [ -n "${PARAM_GIT_INIT_IMAGE}" ]; then - echo "WARNING: provided deprecated gitInitImage parameter has no effect." - fi - if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then if [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" ]; then cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials" @@ -193,27 +186,6 @@ spec: chmod -R 400 "${PARAM_USER_HOME}"/.ssh/* fi - CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}" - - cleandir() { - # Delete any existing contents of the repo directory if it exists. - # - # We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/" - # or the root of a mounted volume. - if [ -d "${CHECKOUT_DIR}" ] ; then - # Delete non-hidden files and directories - rm -rf "${CHECKOUT_DIR:?}"/* - # Delete files and directories starting with . but excluding .. - rm -rf "${CHECKOUT_DIR}"/.[!.]* - # Delete files and directories starting with .. plus any other character - rm -rf "${CHECKOUT_DIR}"/..?* - fi - } - - if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then - cleandir - fi - test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}" test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}" test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}" 
@@ -243,22 +215,19 @@ spec: - name: symlink-check image: registry.redhat.io/ubi9:9.2-696@sha256:089bd3b82a78ac45c0eed231bb58bfb43bfcd0560d9bba240fc6355502c92976 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. env: - name: PARAM_ENABLE_SYMLINK_CHECK value: $(params.enableSymlinkCheck) - - name: PARAM_SUBDIRECTORY - value: $(params.subdirectory) - - name: WORKSPACE_OUTPUT_PATH - value: $(workspaces.output.path) + - name: CHECKOUT_DIR + value: /var/source + volumeMounts: + - name: source + mountPath: /var/source computeResources: {} script: | #!/usr/bin/env bash set -euo pipefail - CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}" check_symlinks() { FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false while read symlink @@ -278,9 +247,22 @@ spec: echo "Running symlink check" check_symlinks fi + + - name: create-trusted-artifact + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d + env: + - name: IMAGE_EXPIRES_AFTER + value: $(params.ociArtifactExpiresAfter) + volumeMounts: + - name: source + mountPath: /var/source + args: + - create + - --store + - $(params.ociStorage) + - $(results.sourceArtifact.path)=/var/source + workspaces: - - description: The git repo will be cloned onto the volume backing this Workspace. - name: output - description: | A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate @@ -297,6 +279,8 @@ spec: name: basic-auth optional: true volumes: + - name: source + emptyDir: {} - name: trusted-ca configMap: name: $(params.caTrustConfigMapName)
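Review bot: The symlink-check step mounts the `source` volume read-write although it only runs `find` and `readlink` over it; mirror the `trusted-ca` mount and add `readOnly: true` under `mountPath: /var/source` so the check cannot modify what the next step publishes. `check_symlinks` continues outside this hunk; in the earlier version of the same script on this page the test is `[[ "$target" =~ ^$CHECKOUT_DIR ]]`, which with `CHECKOUT_DIR` now fixed to `/var/source` would also accept a target such as `/var/source-other`, so if that line is unchanged anchor it as `if ! [[ "$target" =~ ^$CHECKOUT_DIR(/|$) ]]; then`. The deleted comment explaining why images are referenced by digest still applies to both `image:` lines in this file, including the new create-trusted-artifact image, and is worth keeping next to one of them.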
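Review bot: The create-trusted-artifact step also mounts `source` read-write while it only archives the directory into the OCI store via `create`; add `readOnly: true` to that mount as well. The ordering of the steps is doing security work that nothing in the file states: the artifact is only produced because symlink-check ran and passed first, so a comment above `- name: create-trusted-artifact` such as `# must stay after symlink-check: a checkout that fails the check is never published as a trusted artifact` keeps a later reorder from quietly dropping that guarantee. For consistency with the other two steps the new step is also missing `computeResources: {}`.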