diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index ce5b227a4a..a0f2cae303 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md @@ -4,13 +4,14 @@ |---|---|---|---| |build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-container:0.2:BUILD_ARGS| |build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-container:0.2:BUILD_ARGS_FILE| +|build-image-index| Add built image into an OCI image index| false| build-image-index:0.1:BUILD_IMAGE_INDEX| |build-source-image| Build a source image.| false| | |dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.2:DOCKERFILE ; push-dockerfile:0.1:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| |hermetic| Execute the build with network isolation| false| build-container:0.2:HERMETIC| -|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | clone-repository:0.1:ociArtifactExpiresAfter ; prefetch-dependencies:0.1:ociArtifactExpiresAfter ; build-container:0.2:IMAGE_EXPIRES_AFTER| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | clone-repository:0.1:ociArtifactExpiresAfter ; prefetch-dependencies:0.1:ociArtifactExpiresAfter ; build-container:0.2:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| |java| Java build| false| | -|output-image| Fully Qualified Output Image| None| init:0.2:image-url ; clone-repository:0.1:ociStorage ; prefetch-dependencies:0.1:ociStorage ; build-container:0.2:IMAGE ; build-source-image:0.1:BINARY_IMAGE| +|output-image| Fully Qualified Output Image| None| init:0.2:image-url ; clone-repository:0.1:ociStorage ; prefetch-dependencies:0.1:ociStorage ; build-container:0.2:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| |path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.2:CONTEXT ; push-dockerfile:0.1:CONTEXT| |prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input ; build-container:0.2:PREFETCH_INPUT| |rebuild| Force rebuild image| false| init:0.2:rebuild| @@ -23,7 +24,17 @@ |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### build-image-index:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|BUILD_IMAGE_INDEX| Create an OCI image index referencing all passed params.IMAGES. This allows us to always include this task for a consistent pipeline even if a user does not want to generate the image index. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*.| false| '$(params.build-image-index)'| +|COMMIT_SHA| The commit the image is built from.| | '$(tasks.clone-repository.results.commit)'| +|IMAGE| The target image and tag where the image will be pushed to.| None| '$(params.output-image)'| +|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-container.results.IMAGE_REF)']'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | ### buildah-oci-ta:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -58,22 +69,22 @@ |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |docker-auth| unused, should be removed in next task version.| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### clamav-scan:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |docker-auth| unused| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### deprecated-image-check:0.4 task parameters |name|description|default value|already set by| |---|---|---|---| |BASE_IMAGES_DIGESTS| Digests of base build images.| | | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | |POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | ### ecosystem-cert-preflight-checks:0.1 task parameters @@ -81,7 +92,7 @@ |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-url| Image url to scan.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### git-clone-oci-ta:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -127,8 +138,8 @@ |ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| |DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| -|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'| -|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| None| '$(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | ### sast-snyk-check-oci-ta:0.1 task parameters @@ -144,14 +155,14 @@ |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | ### source-build-oci-ta:0.1 task parameters |name|description|default value|already set by| @@ -166,16 +177,22 @@ |---|---|---| |CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| |CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| -|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| -|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +|IMAGE_DIGEST| |$(tasks.build-image-index.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-image-index.results.IMAGE_URL)| |JAVA_COMMUNITY_DEPENDENCIES| |$(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES)| ## Available results from tasks -### buildah-oci-ta:0.2 task results +### build-image-index:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| +|IMAGES| List of all referenced image manifests| | |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| -|IMAGE_REF| Image reference of the built image| | |IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +### buildah-oci-ta:0.2 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGE_DIGEST| Digest of the image just built| | +|IMAGE_REF| Image reference of the built image| build-image-index:0.1:IMAGES| +|IMAGE_URL| Image repository where the built image was pushed| | |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | @@ -203,7 +220,7 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |SOURCE_ARTIFACT| The Trusted Artifact URI pointing to the artifact with the application source code.| prefetch-dependencies:0.1:SOURCE_ARTIFACT| -|commit| The precise commit SHA that was fetched by this Task.| build-container:0.2:COMMIT_SHA| +|commit| The precise commit SHA that was fetched by this Task.| build-container:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | |url| The precise URL that was fetched by this Task.| | ### init:0.2 task results diff --git a/pipelines/docker-build-oci-ta/patch.yaml b/pipelines/docker-build-oci-ta/patch.yaml index 2a294b5809..5b186b705f 100644 --- a/pipelines/docker-build-oci-ta/patch.yaml +++ b/pipelines/docker-build-oci-ta/patch.yaml @@ -12,19 +12,20 @@ path: /spec/workspaces/0 # Order of Tasks from the base docker-build Pipeline: # $ kustomize build pipelines/docker-build | yq .spec.tasks.[].name | nl -v 0 -# 0 init -# 1 clone-repository -# 2 prefetch-dependencies -# 3 build-container -# 4 build-source-image -# 5 deprecated-base-image-check -# 6 clair-scan -# 7 ecosystem-cert-preflight-checks -# 8 sast-snyk-check -# 9 clamav-scan -# 10 sbom-json-check -# 11 apply-tags -# 12 push-dockerfile +# 0 init +# 1 clone-repository +# 2 prefetch-dependencies +# 3 build-container +# 4 build-image-index +# 5 build-source-image +# 6 deprecated-base-image-check +# 7 clair-scan +# 8 ecosystem-cert-preflight-checks +# 9 sast-snyk-check +# 10 clamav-scan +# 11 sbom-json-check +# 12 apply-tags +# 13 push-dockerfile # clone-repository Task - op: replace @@ -86,46 +87,46 @@ # build-source-image - op: replace - path: /spec/tasks/4/taskRef/name + path: /spec/tasks/5/taskRef/name value: source-build-oci-ta - op: add - path: /spec/tasks/4/params/- + path: /spec/tasks/5/params/- value: name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - op: add - path: /spec/tasks/4/params/- + path: /spec/tasks/5/params/- value: name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - op: remove - path: /spec/tasks/4/workspaces/0 + path: /spec/tasks/5/workspaces/0 # sast-snyk-check - op: replace - path: /spec/tasks/8/taskRef/name + path: /spec/tasks/9/taskRef/name value: sast-snyk-check-oci-ta - op: add # In the docker-build Pipeline, the snyk Task does not receive any parameters, so we cannot # append to it. - path: /spec/tasks/8/params + path: /spec/tasks/9/params value: - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - op: remove - path: /spec/tasks/8/workspaces/0 + path: /spec/tasks/9/workspaces/0 # push-dockerfile - op: replace - path: /spec/tasks/12/taskRef/name + path: /spec/tasks/13/taskRef/name value: push-dockerfile-oci-ta - op: add - path: /spec/tasks/12/params/- + path: /spec/tasks/13/params/- value: name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - op: remove - path: /spec/tasks/12/workspaces/0 + path: /spec/tasks/13/workspaces/0 # Order of finally Tasks from the base docker-build Pipeline: # $ kustomize build pipelines/docker-build | yq .spec.finally.[].name | nl -v 0 diff --git a/pipelines/docker-build-rhtap/README.md b/pipelines/docker-build-rhtap/README.md index 2ae9ac516a..8a645f2ad6 100644 --- a/pipelines/docker-build-rhtap/README.md +++ b/pipelines/docker-build-rhtap/README.md @@ -4,20 +4,15 @@ |---|---|---|---| |build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-container:0.1:BUILD_ARGS| |build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-container:0.1:BUILD_ARGS_FILE| -|build-source-image| Build a source image.| false| | |dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.1:DOCKERFILE| |event-type| Event that triggered the pipeline run, e.g. push, pull_request| push| | |git-url| Source Repository URL| None| clone-repository:0.1:url ; acs-deploy-check:0.1:gitops-repo-url ; update-deployment:0.1:gitops-repo-url| |gitops-auth-secret-name| Secret name to enable this pipeline to update the gitops repo with the new image. | gitops-auth-secret| update-deployment:0.1:gitops-auth-secret-name| -|hermetic| Execute the build with network isolation| false| | |image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER| -|java| Java build| false| | |output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; acs-image-check:0.1:image ; acs-image-scan:0.1:image| |path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT| -|prefetch-input| Build dependencies to be prefetched by Cachi2| | | |rebuild| Force rebuild image| false| init:0.2:rebuild| |revision| Revision of the Source Repository| | clone-repository:0.1:revision| -|skip-checks| Skip checks against built image| false| init:0.2:skip-checks| |stackrox-secret| | rox-api-token| acs-image-check:0.1:rox-secret-name ; acs-image-scan:0.1:rox-secret-name ; acs-deploy-check:0.1:rox-secret-name| ## Available params from tasks ### acs-deploy-check:0.1 task parameters @@ -78,7 +73,7 @@ |---|---|---|---| |image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| |rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| -|skip-checks| Skip checks against built image| false| '$(params.skip-checks)'| +|skip-checks| Skip checks against built image| false| | ### show-sbom-rhdh:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -86,7 +81,7 @@ ### summary:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.results.status)'| |git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| |image-url| Image URL| None| '$(params.output-image)'| |pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| diff --git a/pipelines/docker-build-rhtap/patch.yaml b/pipelines/docker-build-rhtap/patch.yaml index 55d2981f38..255bee5f99 100644 --- a/pipelines/docker-build-rhtap/patch.yaml +++ b/pipelines/docker-build-rhtap/patch.yaml @@ -8,6 +8,37 @@ "pipelines.openshift.io/used-by": "build-cloud" "pipelines.openshift.io/runtime": "generic" "pipelines.openshift.io/strategy": "docker" +# Remove unused parameters from the template +# yq ".spec.params.[].name" pipelines/template-build/template-build.yaml | nl -v 0 +# 0 git-url +# 1 revision +# 2 output-image +# 3 path-context +# 4 dockerfile +# 5 rebuild +# 6 skip-checks +# 7 hermetic +# 8 prefetch-input +# 9 java +# 10 image-expires-after +# 11 build-source-image +# 12 build-image-index + +- op: remove + path: /spec/params/12 # build-image-index +- op: remove + path: /spec/params/11 # build-source-image +- op: remove + path: /spec/params/9 # java +- op: remove + path: /spec/params/8 # prefetch-input +- op: remove + path: /spec/params/7 # hermetic +- op: remove + path: /spec/params/6 # skip-checks +- op: remove + path: /spec/tasks/0/params/2 # remove the skip-checks param +# Add additional parameters - op: add path: /spec/params/- value: @@ -42,11 +73,13 @@ description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file type: string default: "" +# Add additional results - op: add path: /spec/results/- value: name: ACS_SCAN_OUTPUT value: $(tasks.acs-image-scan.results.SCAN_OUTPUT) +# Configure build-container task - op: replace path: /spec/tasks/3/taskRef value: @@ -70,43 +103,60 @@ - $(params.build-args[*]) - name: BUILD_ARGS_FILE value: "$(params.build-args-file)" -# Remove tasks +# Change references from build-image-index to build-container +- op: replace + path: /spec/finally/0/params/0/value # show-sbom.params.IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) +- op: replace + path: /spec/finally/1/params/3/value # show-summary.params.build-task-status + value: $(tasks.build-container.results.status) +- op: replace + path: /spec/results/0/value # IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) +- op: replace + path: /spec/results/1/value # IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + +# Remove unused tasks # Example - yq .spec.tasks.[].name ../build-definitions/pipelines/template-build/template-build.yaml | nl -v 0 # to compute offsets -# 0 init -# 1 clone-repository -# 2 prefetch-dependencies -# 3 build-container -# 4 build-source-image -# 5 deprecated-base-image-check -# 6 clair-scan -# 7 ecosystem-cert-preflight-checks -# 8 sast-snyk-check -# 9 clamav-scan -# 10 sbom-json-check -# 11 apply-tags -# 12 push-dockerfile +# 0 init +# 1 clone-repository +# 2 prefetch-dependencies +# 3 build-container +# 4 build-image-index +# 5 build-source-image +# 6 deprecated-base-image-check +# 7 clair-scan +# 8 ecosystem-cert-preflight-checks +# 9 sast-snyk-check +# 10 clamav-scan +# 11 sbom-json-check +# 12 apply-tags +# 13 push-dockerfile - op: replace path: /spec/tasks/3/runAfter/0 value: clone-repository - op: remove - path: /spec/tasks/12 # push-dockerfile + path: /spec/tasks/13 # push-dockerfile +- op: remove + path: /spec/tasks/12 # apply-tags - op: remove - path: /spec/tasks/11 # apply-tags + path: /spec/tasks/11 # sbom-json-check - op: remove - path: /spec/tasks/10 # sbom-json-check + path: /spec/tasks/10 # clamav-scan - op: remove - path: /spec/tasks/9 # clamav-scan + path: /spec/tasks/9 # sast-snyk-check - op: remove - path: /spec/tasks/8 # sast-snyk-check + path: /spec/tasks/8 # ecosystem-cert-preflight-checks - op: remove - path: /spec/tasks/7 # ecosystem-cert-preflight-checks + path: /spec/tasks/7 # clair-scan - op: remove - path: /spec/tasks/6 # clair-scan + path: /spec/tasks/6 # deprecated-base-image-check - op: remove - path: /spec/tasks/5 # deprecated-base-image-check + path: /spec/tasks/5 # build-source-image - op: remove - path: /spec/tasks/4 # build-source-image + path: /spec/tasks/4 # build-image-index - op: remove path: /spec/tasks/2 # prefetch-dependencies - op: remove diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index 2f79684ae5..59c61dbdf4 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md @@ -4,13 +4,14 @@ |---|---|---|---| |build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-container:0.2:BUILD_ARGS| |build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-container:0.2:BUILD_ARGS_FILE| +|build-image-index| Add built image into an OCI image index| false| build-image-index:0.1:BUILD_IMAGE_INDEX| |build-source-image| Build a source image.| false| | |dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.2:DOCKERFILE ; push-dockerfile:0.1:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| |hermetic| Execute the build with network isolation| false| build-container:0.2:HERMETIC| -|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.2:IMAGE_EXPIRES_AFTER| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.2:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| |java| Java build| false| | -|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.2:IMAGE ; build-source-image:0.1:BINARY_IMAGE| +|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.2:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| |path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.2:CONTEXT ; push-dockerfile:0.1:CONTEXT| |prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input ; build-container:0.2:PREFETCH_INPUT| |rebuild| Force rebuild image| false| init:0.2:rebuild| @@ -23,7 +24,17 @@ |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### build-image-index:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|BUILD_IMAGE_INDEX| Create an OCI image index referencing all passed params.IMAGES. This allows us to always include this task for a consistent pipeline even if a user does not want to generate the image index. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*.| false| '$(params.build-image-index)'| +|COMMIT_SHA| The commit the image is built from.| | '$(tasks.clone-repository.results.commit)'| +|IMAGE| The target image and tag where the image will be pushed to.| None| '$(params.output-image)'| +|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-container.results.IMAGE_REF)']'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | ### buildah:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -56,22 +67,22 @@ |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |docker-auth| unused, should be removed in next task version.| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### clamav-scan:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |docker-auth| unused| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### deprecated-image-check:0.4 task parameters |name|description|default value|already set by| |---|---|---|---| |BASE_IMAGES_DIGESTS| Digests of base build images.| | | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | |POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | ### ecosystem-cert-preflight-checks:0.1 task parameters @@ -79,7 +90,7 @@ |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-url| Image url to scan.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### git-clone:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -123,29 +134,29 @@ |ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| |DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| -|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'| -|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | ### sast-snyk-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | |SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | -|image-digest| Image digest to report findings for.| | '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| | '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| | '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| ### sbom-json-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | ### source-build:0.1 task parameters |name|description|default value|already set by| @@ -155,7 +166,7 @@ ### summary:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-image-index.status)'| |git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| |image-url| Image URL| None| '$(params.output-image)'| |pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| @@ -165,16 +176,22 @@ |---|---|---| |CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| |CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| -|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| -|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +|IMAGE_DIGEST| |$(tasks.build-image-index.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-image-index.results.IMAGE_URL)| |JAVA_COMMUNITY_DEPENDENCIES| |$(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES)| ## Available results from tasks -### buildah:0.2 task results +### build-image-index:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| +|IMAGES| List of all referenced image manifests| | |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| -|IMAGE_REF| Image reference of the built image| | |IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +### buildah:0.2 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGE_DIGEST| Digest of the image just built| | +|IMAGE_REF| Image reference of the built image| build-image-index:0.1:IMAGES| +|IMAGE_URL| Image repository where the built image was pushed| | |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | @@ -201,7 +218,7 @@ ### git-clone:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|commit| The precise commit SHA that was fetched by this Task.| build-container:0.2:COMMIT_SHA| +|commit| The precise commit SHA that was fetched by this Task.| build-container:0.2:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | |url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| ### init:0.2 task results diff --git a/pipelines/docker-build/patch.yaml b/pipelines/docker-build/patch.yaml index 560b76342f..7ee5a40c5b 100644 --- a/pipelines/docker-build/patch.yaml +++ b/pipelines/docker-build/patch.yaml @@ -8,6 +8,23 @@ "pipelines.openshift.io/used-by": "build-cloud" "pipelines.openshift.io/runtime": "generic" "pipelines.openshift.io/strategy": "docker" +# yq ".spec.tasks.[].name" pipelines/template-build/template-build.yaml | nl -v 0 +# 0 init +# 1 clone-repository +# 2 prefetch-dependencies +# 3 build-container +# 4 build-image-index +# 5 build-source-image +# 6 deprecated-base-image-check +# 7 clair-scan +# 8 ecosystem-cert-preflight-checks +# 9 sast-snyk-check +# 10 clamav-scan +# 11 sbom-json-check +# 12 apply-tags +# 13 push-dockerfile + +# build-container - op: replace path: /spec/tasks/3/taskRef value: @@ -49,6 +66,7 @@ - $(params.build-args[*]) - name: BUILD_ARGS_FILE value: "$(params.build-args-file)" + - op: add path: /spec/results/- value: diff --git a/pipelines/fbc-builder/README.md b/pipelines/fbc-builder/README.md index 5d8662661d..488aff9cfc 100644 --- a/pipelines/fbc-builder/README.md +++ b/pipelines/fbc-builder/README.md @@ -2,14 +2,15 @@ ## Parameters |name|description|default value|used in (taskname:taskrefversion:taskparam)| |---|---|---|---| +|build-image-index| Add built image into an OCI image index| false| build-image-index:0.1:BUILD_IMAGE_INDEX| |build-source-image| Build a source image.| false| | -|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.1:DOCKERFILE ; push-dockerfile:0.1:DOCKERFILE| +|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.1:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| |hermetic| Execute the build with network isolation| false| | -|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| |java| Java build| false| | -|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE| -|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT ; push-dockerfile:0.1:CONTEXT| +|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; build-image-index:0.1:IMAGE| +|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT| |prefetch-input| Build dependencies to be prefetched by Cachi2| | | |rebuild| Force rebuild image| false| init:0.2:rebuild| |revision| Revision of the Source Repository| | clone-repository:0.1:revision| @@ -21,7 +22,17 @@ |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### build-image-index:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|BUILD_IMAGE_INDEX| Create an OCI image index referencing all passed params.IMAGES. This allows us to always include this task for a consistent pipeline even if a user does not want to generate the image index. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*.| false| '$(params.build-image-index)'| +|COMMIT_SHA| The commit the image is built from.| | '$(tasks.clone-repository.results.commit)'| +|IMAGE| The target image and tag where the image will be pushed to.| None| '$(params.output-image)'| +|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-container.results.IMAGE_REF)']'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | ### buildah:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -56,16 +67,16 @@ |BASE_IMAGES_DIGESTS| Digests of base build images.| | | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | |POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | ### fbc-validation:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |BASE_IMAGE| Fully qualified base image name.| None| '$(tasks.inspect-image.results.BASE_IMAGE)'| -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### git-clone:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -98,35 +109,19 @@ |name|description|default value|already set by| |---|---|---|---| |DOCKER_AUTH| unused, should be removed in next task version| | | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| -### push-dockerfile:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | -|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| -|DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| -|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'| -|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | -### sbom-json-check:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | -|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | ### summary:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-image-index.status)'| |git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| |image-url| Image URL| None| '$(params.output-image)'| |pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| @@ -136,15 +131,21 @@ |---|---|---| |CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| |CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| -|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| -|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +|IMAGE_DIGEST| |$(tasks.build-image-index.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-image-index.results.IMAGE_URL)| ## Available results from tasks +### build-image-index:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES| List of all referenced image manifests| | +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; inspect-image:0.1:IMAGE_DIGEST ; fbc-validate:0.1:IMAGE_DIGEST| +|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; apply-tags:0.1:IMAGE ; inspect-image:0.1:IMAGE_URL ; fbc-validate:0.1:IMAGE_URL| ### buildah:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |BASE_IMAGES_DIGESTS| Digests of the base images used for build| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST ; inspect-image:0.1:IMAGE_DIGEST ; fbc-validate:0.1:IMAGE_DIGEST| -|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; inspect-image:0.1:IMAGE_URL ; fbc-validate:0.1:IMAGE_URL| +|IMAGE_DIGEST| Digest of the image just built| | +|IMAGE_URL| Image repository where the built image was pushed| | |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | ### deprecated-image-check:0.4 task results @@ -163,7 +164,7 @@ ### git-clone:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA| +|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | |url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| ### init:0.2 task results @@ -176,22 +177,13 @@ |BASE_IMAGE| Base image source image is built from.| fbc-validate:0.1:BASE_IMAGE| |BASE_IMAGE_REPOSITORY| Base image repository URL.| | |TEST_OUTPUT| Tekton task test output.| | -### push-dockerfile:0.1 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | -### sbom-json-check:0.1 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|IMAGES_PROCESSED| Images processed in the task.| | -|TEST_OUTPUT| Tekton task test output.| | ## Workspaces |name|description|optional|used in tasks |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth| |netrc| |True| | -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; build-container:0.1:source ; push-dockerfile:0.1:workspace ; inspect-image:0.1:source ; fbc-validate:0.1:workspace ; fbc-related-image-check:0.1:workspace| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; build-container:0.1:source ; inspect-image:0.1:source ; fbc-validate:0.1:workspace ; fbc-related-image-check:0.1:workspace| ## Available workspaces from tasks ### buildah:0.1 task workspaces |name|description|optional|workspace from pipeline @@ -215,10 +207,6 @@ |name|description|optional|workspace from pipeline |---|---|---|---| |source| | False| workspace| -### push-dockerfile:0.1 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace| ### summary:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| diff --git a/pipelines/fbc-builder/patch.yaml b/pipelines/fbc-builder/patch.yaml index 9f139a8ce4..ad3a90042b 100644 --- a/pipelines/fbc-builder/patch.yaml +++ b/pipelines/fbc-builder/patch.yaml @@ -31,30 +31,37 @@ # Remove tasks # Example - yq .spec.tasks.[].name ../build-definitions/pipelines/template-build/template-build.yaml | nl -v 0 # to compute offsets -# 0 init -# 1 clone-repository -# 2 prefetch-dependencies -# 3 build-container -# 4 build-source-image -# 5 deprecated-base-image-check -# 6 clair-scan -# 7 ecosystem-cert-preflight-checks -# 8 sast-snyk-check -# 9 clamav-scan -# 10 sbom-json-check +# 0 init +# 1 clone-repository +# 2 prefetch-dependencies +# 3 build-container +# 4 build-image-index +# 5 build-source-image +# 6 deprecated-base-image-check +# 7 clair-scan +# 8 ecosystem-cert-preflight-checks +# 9 sast-snyk-check +# 10 clamav-scan +# 11 sbom-json-check +# 12 apply-tags +# 13 push-dockerfile - op: replace path: /spec/tasks/3/runAfter/0 value: clone-repository - op: remove - path: /spec/tasks/9 # clamav-scan + path: /spec/tasks/13 # push-dockerfile - op: remove - path: /spec/tasks/8 # sast-snyk-check + path: /spec/tasks/11 # sbom-json-check - op: remove - path: /spec/tasks/7 # ecosystem-cert-preflight-checks + path: /spec/tasks/10 # clamav-scan - op: remove - path: /spec/tasks/6 # clair-scan + path: /spec/tasks/9 # sast-snyk-check - op: remove - path: /spec/tasks/4 # build-source-image + path: /spec/tasks/8 # ecosystem-cert-preflight-checks +- op: remove + path: /spec/tasks/7 # clair-scan +- op: remove + path: /spec/tasks/5 # build-source-image - op: remove path: /spec/tasks/2 # prefetch-dependencies - op: add @@ -66,15 +73,15 @@ operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: inspect-image version: "0.1" params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) workspaces: - name: source workspace: workspace @@ -93,9 +100,9 @@ version: "0.1" params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: BASE_IMAGE value: $(tasks.inspect-image.results.BASE_IMAGE) workspaces: diff --git a/pipelines/java-builder/README.md b/pipelines/java-builder/README.md index 9ad536a989..7fe62f201e 100644 --- a/pipelines/java-builder/README.md +++ b/pipelines/java-builder/README.md @@ -2,13 +2,14 @@ ## Parameters |name|description|default value|used in (taskname:taskrefversion:taskparam)| |---|---|---|---| +|build-image-index| Add built image into an OCI image index| false| build-image-index:0.1:BUILD_IMAGE_INDEX| |build-source-image| Build a source image.| false| | |dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| push-dockerfile:0.1:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| |hermetic| Execute the build with network isolation| false| | -|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| |java| Java build| false| | -|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| +|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| |path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:PATH_CONTEXT ; push-dockerfile:0.1:CONTEXT| |prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input| |rebuild| Force rebuild image| false| init:0.2:rebuild| @@ -21,29 +22,39 @@ |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### build-image-index:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|BUILD_IMAGE_INDEX| Create an OCI image index referencing all passed params.IMAGES. This allows us to always include this task for a consistent pipeline even if a user does not want to generate the image index. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*.| false| '$(params.build-image-index)'| +|COMMIT_SHA| The commit the image is built from.| | '$(tasks.clone-repository.results.commit)'| +|IMAGE| The target image and tag where the image will be pushed to.| None| '$(params.output-image)'| +|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-container.results.IMAGE_REF)']'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | ### clair-scan:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |docker-auth| unused, should be removed in next task version.| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### clamav-scan:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |docker-auth| unused| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### deprecated-image-check:0.4 task parameters |name|description|default value|already set by| |---|---|---|---| |BASE_IMAGES_DIGESTS| Digests of base build images.| | | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | |POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | ### ecosystem-cert-preflight-checks:0.1 task parameters @@ -51,7 +62,7 @@ |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-url| Image url to scan.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### git-clone:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -95,8 +106,8 @@ |ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| |DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| -|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'| -|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | ### s2i-java:0.1 task parameters |name|description|default value|already set by| @@ -115,21 +126,21 @@ |---|---|---|---| |ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | |SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | -|image-digest| Image digest to report findings for.| | '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| | '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| | '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| ### sbom-json-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | ### source-build:0.1 task parameters |name|description|default value|already set by| @@ -139,7 +150,7 @@ ### summary:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-image-index.status)'| |git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| |image-url| Image URL| None| '$(params.output-image)'| |pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| @@ -149,10 +160,16 @@ |---|---|---| |CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| |CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| -|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| -|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +|IMAGE_DIGEST| |$(tasks.build-image-index.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-image-index.results.IMAGE_URL)| |JAVA_COMMUNITY_DEPENDENCIES| |$(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES)| ## Available results from tasks +### build-image-index:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES| List of all referenced image manifests| | +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| ### clair-scan:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| @@ -176,7 +193,7 @@ ### git-clone:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA| +|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | |url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| ### init:0.2 task results @@ -191,9 +208,9 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |BASE_IMAGES_DIGESTS| Digests of the base images used for build| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| -|IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +|IMAGE_DIGEST| Digest of the image just built| | +|IMAGE_REF| Image reference of the built image| build-image-index:0.1:IMAGES| +|IMAGE_URL| Image repository where the built image was pushed| | |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | ### sast-snyk-check:0.1 task results diff --git a/pipelines/nodejs-builder/README.md b/pipelines/nodejs-builder/README.md index a843dd426f..dc6dae53c9 100644 --- a/pipelines/nodejs-builder/README.md +++ b/pipelines/nodejs-builder/README.md @@ -2,13 +2,14 @@ ## Parameters |name|description|default value|used in (taskname:taskrefversion:taskparam)| |---|---|---|---| +|build-image-index| Add built image into an OCI image index| false| build-image-index:0.1:BUILD_IMAGE_INDEX| |build-source-image| Build a source image.| false| | |dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| push-dockerfile:0.1:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| |hermetic| Execute the build with network isolation| false| | -|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER| +|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| |java| Java build| false| | -|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| +|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| |path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:PATH_CONTEXT ; push-dockerfile:0.1:CONTEXT| |prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input| |rebuild| Force rebuild image| false| init:0.2:rebuild| @@ -21,29 +22,39 @@ |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### build-image-index:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|BUILD_IMAGE_INDEX| Create an OCI image index referencing all passed params.IMAGES. This allows us to always include this task for a consistent pipeline even if a user does not want to generate the image index. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*.| false| '$(params.build-image-index)'| +|COMMIT_SHA| The commit the image is built from.| | '$(tasks.clone-repository.results.commit)'| +|IMAGE| The target image and tag where the image will be pushed to.| None| '$(params.output-image)'| +|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-container.results.IMAGE_REF)']'| +|IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| +|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | +|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | ### clair-scan:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |docker-auth| unused, should be removed in next task version.| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### clamav-scan:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |docker-auth| unused| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### deprecated-image-check:0.4 task parameters |name|description|default value|already set by| |---|---|---|---| |BASE_IMAGES_DIGESTS| Digests of base build images.| | | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | |POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | ### ecosystem-cert-preflight-checks:0.1 task parameters @@ -51,7 +62,7 @@ |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-url| Image url to scan.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### git-clone:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -95,8 +106,8 @@ |ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| |DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| -|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'| -|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | ### s2i-nodejs:0.1 task parameters |name|description|default value|already set by| @@ -116,21 +127,21 @@ |---|---|---|---| |ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | |SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | -|image-digest| Image digest to report findings for.| | '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| | '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to report findings for.| | '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| ### sbom-json-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### show-sbom:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| |PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | ### source-build:0.1 task parameters |name|description|default value|already set by| @@ -140,7 +151,7 @@ ### summary:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-image-index.status)'| |git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| |image-url| Image URL| None| '$(params.output-image)'| |pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| @@ -150,9 +161,15 @@ |---|---|---| |CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| |CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| -|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| -|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +|IMAGE_DIGEST| |$(tasks.build-image-index.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-image-index.results.IMAGE_URL)| ## Available results from tasks +### build-image-index:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES| List of all referenced image manifests| | +|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| ### clair-scan:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| @@ -176,7 +193,7 @@ ### git-clone:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA| +|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| |commit-timestamp| The commit timestamp of the checkout| | |url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| ### init:0.2 task results @@ -191,9 +208,9 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |BASE_IMAGES_DIGESTS| Digests of the base images used for build| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| -|IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +|IMAGE_DIGEST| Digest of the image just built| | +|IMAGE_REF| Image reference of the built image| build-image-index:0.1:IMAGES| +|IMAGE_URL| Image repository where the built image was pushed| | ### sast-snyk-check:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| diff --git a/pipelines/tekton-bundle-builder/README.md b/pipelines/tekton-bundle-builder/README.md index bb66ed2f18..ea9308b240 100644 --- a/pipelines/tekton-bundle-builder/README.md +++ b/pipelines/tekton-bundle-builder/README.md @@ -2,6 +2,7 @@ ## Parameters |name|description|default value|used in (taskname:taskrefversion:taskparam)| |---|---|---|---| +|build-image-index| Add built image into an OCI image index| false| | |build-source-image| Build a source image.| false| | |dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| push-dockerfile:0.1:DOCKERFILE| |git-url| Source Repository URL| None| clone-repository:0.1:url| @@ -21,21 +22,37 @@ |ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### clair-scan:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | |docker-auth| unused, should be removed in next task version.| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### clamav-scan:0.1 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|docker-auth| unused| | | +|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +### deprecated-image-check:0.4 task parameters +|name|description|default value|already set by| +|---|---|---|---| +|BASE_IMAGES_DIGESTS| Digests of base build images.| | | +|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | +|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| | +|POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | ### ecosystem-cert-preflight-checks:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-url| Image url to scan.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|image-url| Image url to scan.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### git-clone:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -79,27 +96,20 @@ |ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | |CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| |DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| -|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'| -|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| +|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| +|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| |TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | -### sast-snyk-check:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | -|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | -|image-digest| Image digest to report findings for.| | '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL.| | '$(tasks.build-container.results.IMAGE_URL)'| ### sbom-json-check:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| |CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | |CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-container.results.IMAGE_URL)'| +|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| +|IMAGE_URL| Fully qualified image name to verify.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| ### summary:0.2 task parameters |name|description|default value|already set by| |---|---|---|---| -|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-container.status)'| +|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-image-index.status)'| |git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| |image-url| Image URL| None| '$(params.output-image)'| |pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| @@ -116,8 +126,8 @@ |---|---|---| |CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| |CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| -|IMAGE_DIGEST| |$(tasks.build-container.results.IMAGE_DIGEST)| -|IMAGE_URL| |$(tasks.build-container.results.IMAGE_URL)| +|IMAGE_DIGEST| |$(tasks.build-image-index.results.IMAGE_DIGEST)| +|IMAGE_URL| |$(tasks.build-image-index.results.IMAGE_URL)| ## Available results from tasks ### clair-scan:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -125,6 +135,16 @@ |CLAIR_SCAN_RESULT| Clair scan result.| | |IMAGES_PROCESSED| Images processed in the task.| | |TEST_OUTPUT| Tekton task test output.| | +### clamav-scan:0.1 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|TEST_OUTPUT| Tekton task test output.| | +### deprecated-image-check:0.4 task results +|name|description|used in params (taskname:taskrefversion:taskparam) +|---|---|---| +|IMAGES_PROCESSED| Images processed in the task.| | +|TEST_OUTPUT| Tekton task test output.| | ### ecosystem-cert-preflight-checks:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| @@ -143,10 +163,6 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | -### sast-snyk-check:0.1 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|TEST_OUTPUT| Tekton task test output.| | ### sbom-json-check:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| @@ -155,16 +171,16 @@ ### tkn-bundle:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| -|IMAGE_DIGEST| Digest of the image just built| clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_DIGEST| Digest of the image just built| | |IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository where the built image was pushed with tag only| clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| +|IMAGE_URL| Image repository where the built image was pushed with tag only| | ## Workspaces |name|description|optional|used in tasks |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| |netrc| |True| prefetch-dependencies:0.1:netrc| -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; sast-snyk-check:0.1:workspace ; push-dockerfile:0.1:workspace| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; push-dockerfile:0.1:workspace| ## Available workspaces from tasks ### git-clone:0.1 task workspaces |name|description|optional|workspace from pipeline @@ -182,10 +198,6 @@ |name|description|optional|workspace from pipeline |---|---|---|---| |workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace| -### sast-snyk-check:0.1 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|workspace| | False| workspace| ### summary:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml index c852f64ef1..83730fc0fb 100644 --- a/pipelines/template-build/template-build.yaml +++ b/pipelines/template-build/template-build.yaml @@ -56,6 +56,10 @@ spec: description: Build a source image. type: string default: "false" + - name: build-image-index + description: Add built image into an OCI image index + type: string + default: "false" tasks: - name: init params: @@ -121,6 +125,28 @@ spec: workspaces: - name: source workspace: workspace + - name: build-image-index + when: + - input: $(tasks.init.results.build) + operator: in + values: ["true"] + runAfter: + - build-container + taskRef: + name: build-image-index + version: "0.1" + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: "$(params.image-expires-after)" + - name: BUILD_IMAGE_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_REF) - name: build-source-image when: - input: $(tasks.init.results.build) @@ -130,7 +156,7 @@ spec: operator: in values: ["true"] runAfter: - - build-container + - build-image-index taskRef: name: source-build version: "0.1" @@ -150,46 +176,46 @@ spec: version: "0.4" params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - - build-container + - build-image-index - name: clair-scan when: - input: $(params.skip-checks) operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: clair-scan version: "0.1" params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: ecosystem-cert-preflight-checks when: - input: $(params.skip-checks) operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: ecosystem-cert-preflight-checks version: "0.1" params: - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: sast-snyk-check when: - input: $(params.skip-checks) operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: sast-snyk-check version: "0.1" @@ -198,59 +224,59 @@ spec: workspace: workspace params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: clamav-scan when: - input: $(params.skip-checks) operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: clamav-scan version: "0.1" params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: sbom-json-check when: - input: $(params.skip-checks) operator: in values: ["false"] runAfter: - - build-container + - build-image-index taskRef: name: sbom-json-check version: "0.1" params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: apply-tags runAfter: - - build-container + - build-image-index taskRef: name: apply-tags version: "0.1" params: - name: IMAGE - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: push-dockerfile runAfter: - - build-container + - build-image-index taskRef: name: push-dockerfile version: "0.1" params: - name: IMAGE - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: DOCKERFILE value: $(params.dockerfile) - name: CONTEXT @@ -266,7 +292,7 @@ spec: version: "0.1" params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: show-summary taskRef: name: summary @@ -279,15 +305,15 @@ spec: - name: image-url value: $(params.output-image) - name: build-task-status - value: $(tasks.build-container.status) + value: $(tasks.build-image-index.status) workspaces: - name: workspace workspace: workspace results: - name: IMAGE_URL - value: "$(tasks.build-container.results.IMAGE_URL)" + value: "$(tasks.build-image-index.results.IMAGE_URL)" - name: IMAGE_DIGEST - value: "$(tasks.build-container.results.IMAGE_DIGEST)" + value: "$(tasks.build-image-index.results.IMAGE_DIGEST)" - name: CHAINS-GIT_URL value: "$(tasks.clone-repository.results.url)" - name: CHAINS-GIT_COMMIT