diff --git a/.github/workflows/go-ci.yaml b/.github/workflows/go-ci.yaml
index 14a31b5a7a..ee6265d915 100644
--- a/.github/workflows/go-ci.yaml
+++ b/.github/workflows/go-ci.yaml
@@ -13,12 +13,12 @@ jobs:
 - task-generator/trusted-artifacts
 steps:
 - uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb
- - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
+ - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a
 with:
 go-version-file: './${{matrix.path}}/go.mod'
 cache-dependency-path: ./${{matrix.path}}/go.sum
 - name: golangci-lint
- uses: golangci/golangci-lint-action@160a1d779cee256901ff3d68ef8ccc63ac8a04f8
+ uses: golangci/golangci-lint-action@eab1d2f3d76f26c09e2ab8c957fe5bb64bf46b89
 with:
 working-directory: ${{matrix.path}}
 args: "--timeout=10m --build-tags='normal periodic'"
@@ -33,7 +33,7 @@ jobs:
 steps:
 - uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb
 - name: Install Go
- uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
+ uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a
 with:
 go-version-file: './${{matrix.path}}/go.mod'
 cache-dependency-path: ./${{matrix.path}}/go.sum
@@ -73,7 +73,7 @@ jobs:
 - task-generator/trusted-artifacts
 steps:
 - uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb
- - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
+ - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a
 with:
 go-version-file: './${{matrix.path}}/go.mod'
 cache-dependency-path: ./${{matrix.path}}/go.sum
diff --git a/.github/workflows/temp-block-buildah.yaml b/.github/workflows/temp-block-buildah.yaml
index b6504b1a1f..108a9339a4 100644
--- a/.github/workflows/temp-block-buildah.yaml
+++ b/.github/workflows/temp-block-buildah.yaml
@@ -10,23 +10,25 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
- with:
- fetch-depth: 0
 - name: Check that the size of buildah-remote-oci-ta doesn't increase
- env:
- BASE: ${{ github.event.pull_request.base.sha }}
 run: |
 #!/bin/bash
 set -euo pipefail
 buildah_remote_oci_ta=task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
- prev_size=$(git show "$BASE:$buildah_remote_oci_ta" | wc -c)
+ # 34172 is the largest that the file has ever been *and worked*.
+ # 34200 is known to be too large (see b2f800cc603ec0907ad2b3962d46919a535e158e,
+ # which had to be reverted). The actual limit is somewhere in between.
+ safe_size=34172
 current_size=$(wc -c < "$buildah_remote_oci_ta")
- if [[ "$current_size" -gt "$prev_size" ]]; then
+ if [[ "$current_size" -gt "$safe_size" ]]; then
 cat << EOF >&2
- This PR increases the size of $buildah_remote_oci_ta.
+ This PR increases the size of $buildah_remote_oci_ta beyond the known safe limit.
+
+ safe_size=$safe_size
+ current_size=$current_size
 Due to https://github.com/tektoncd/pipeline/issues/8388, this is risky; the resulting bundle may not be resolvable by Tekton.
diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml
index 65bcb8a4cb..b818a7868a 100644
--- a/.tekton/tasks/ec-checks.yaml
+++ b/.tekton/tasks/ec-checks.yaml
@@ -23,7 +23,7 @@ spec:
 $(all_tasks_dir all_tasks-ec)
 - name: validate-all-tasks
 workingDir: "$(workspaces.source.path)/source"
- image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:46fae4d356d678383a926de8a68f79177d7e685d5497675acf41c9d3425aaacc
+ image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:ccbf00aee7d4af1f78ba66aa04b0899b7e770dea44f6df0a1aa0a9a12529e9fe
 script: |
 set -euo pipefail
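Review bot: In .github/workflows/temp-block-buildah.yaml, the checkout step this hunk edits still reads `uses: actions/checkout@v4`, a mutable tag, while go-ci.yaml in the same commit references checkout by full commit SHA. If that tag is moved, the code this job runs changes without any diff in the repository. Pinning it the same way, `uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb`, would keep the two workflows consistent, assuming that commit is also the one intended here. The `if` block and its heredoc continue past the end of the hunk, so the rest of the step was not reviewed.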
@@ -37,7 +37,7 @@ spec:
 ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]}
 - name: validate-build-tasks
 workingDir: "$(workspaces.source.path)/source"
- image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:46fae4d356d678383a926de8a68f79177d7e685d5497675acf41c9d3425aaacc
+ image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:ccbf00aee7d4af1f78ba66aa04b0899b7e770dea44f6df0a1aa0a9a12529e9fe
 script: |
 set -euo pipefail
diff --git a/pipelines/enterprise-contract.yaml b/pipelines/enterprise-contract.yaml
index 57f2ad95c0..c3b235ae87 100644
--- a/pipelines/enterprise-contract.yaml
+++ b/pipelines/enterprise-contract.yaml
@@ -114,7 +114,7 @@ spec:
 resolver: bundles
 params:
 - name: bundle
- value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4f21e71a63ead03ab856631a43e12e62ed261934bd8a686f0ab75e8ec7a2037f
+ value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:f6fb0800d707b7eb6f3ccfc0026c39bb3a5b944aa1ecacc7d8de6cb2fa1a67a6
 - name: name
 value: verify-enterprise-contract
 - name: kind
diff --git a/stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml b/stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml
index a5e0dee2a0..f9c8c1e04b 100644
--- a/stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml
+++ b/stepactions/eaas-get-ephemeral-cluster-credentials/0.1/eaas-get-ephemeral-cluster-credentials.yaml
@@ -78,7 +78,6 @@ spec:
 API_SERVER_URL=$("${OC[@]}" get cti "$CLUSTER_NAME" -o=jsonpath='{.status.apiServerURL}')
 echo "API Server URL: $API_SERVER_URL"
 echo -n "$API_SERVER_URL" > "$(step.results.apiServerURL.path)"
- export KUBECONFIG=$CLUSTER_KUBECONFIG
- CONSOLE_URL=https://$(oc get route console -n openshift-console -o go-template --template="{{.spec.host}}")
+ CONSOLE_URL=https://$(oc --kubeconfig "$CLUSTER_KUBECONFIG" get route console -n openshift-console -o go-template --template="{{.spec.host}}")
 echo "Console URL: $CONSOLE_URL"
 echo -n "$CONSOLE_URL" > "$(step.results.consoleURL.path)"
diff --git a/task/build-image-index/0.1/build-image-index.yaml b/task/build-image-index/0.1/build-image-index.yaml
index f01197779e..2c185bdde9 100644
--- a/task/build-image-index/0.1/build-image-index.yaml
+++ b/task/build-image-index/0.1/build-image-index.yaml
@@ -163,7 +163,7 @@ spec:
 add:
 - SETFCAP
- - image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:ff25ba051a6d583e5b85e635d39f0e804e2ac65def51ba17b0d487a1c00ce9cd
+ - image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af
 name: create-sbom
 computeResources:
 limits:
diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
index a9dc0ed2b6..7a0ecf4764 100644
--- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
+++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml
@@ -590,7 +590,7 @@ spec:
 securityContext:
 runAsUser: 0
 - name: prepare-sboms
- image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:ff25ba051a6d583e5b85e635d39f0e804e2ac65def51ba17b0d487a1c00ce9cd
+ image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af
 workingDir: /var/workdir
 script: |
 echo "Merging contents of sbom-source.json and sbom-image.json into sbom-cyclonedx.json"
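Review bot: In the eaas-get-ephemeral-cluster-credentials hunk, the new `CONSOLE_URL=https://$(oc --kubeconfig "$CLUSTER_KUBECONFIG" get route console ...)` line feeds the `consoleURL` result without checking that the route lookup returned a host. Whether a failed `oc` call aborts the step depends on shell options set outside this hunk; if it does not, or the host comes back empty, the result is the bare string `https://`. Capturing the host separately and guarding it with `[[ -n "$CONSOLE_HOST" ]] || { echo "console route has no host" >&2; exit 1; }` before building the URL would make that failure explicit. The script starts before and continues after the hunk, so any later command that relied on the removed `export KUBECONFIG` should be checked as well.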
diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
index 9b4b7d8021..954bb01d48 100644
--- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
+++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml
@@ -704,7 +704,7 @@ spec:
 requests:
 cpu: 100m
 memory: 256Mi
- image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:ff25ba051a6d583e5b85e635d39f0e804e2ac65def51ba17b0d487a1c00ce9cd
+ image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af
 name: prepare-sboms
 script: |
 #!/bin/bash
diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml
index 9d97c15269..371fac0c1e 100644
--- a/task/buildah-remote/0.2/buildah-remote.yaml
+++ b/task/buildah-remote/0.2/buildah-remote.yaml
@@ -682,7 +682,7 @@ spec:
 requests:
 cpu: 100m
 memory: 256Mi
- image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:ff25ba051a6d583e5b85e635d39f0e804e2ac65def51ba17b0d487a1c00ce9cd
+ image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af
 name: prepare-sboms
 script: |
 #!/bin/bash
diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml
index 3ca3167367..9da3a89fc8 100644
--- a/task/buildah/0.2/buildah.yaml
+++ b/task/buildah/0.2/buildah.yaml
@@ -534,7 +534,7 @@ spec:
 runAsUser: 0
 - name: prepare-sboms
- image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:ff25ba051a6d583e5b85e635d39f0e804e2ac65def51ba17b0d487a1c00ce9cd
+ image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af
 computeResources:
 limits:
 memory: 512Mi
diff --git a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml
index f8bd50a4a9..6022da7ed3 100644
--- a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml
+++ b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml
@@ -21,7 +21,7 @@ spec:
 description: Directory to write the result .repo files.
 steps:
 - name: generate-odcs-compose
- image: quay.io/redhat-appstudio/tools@sha256:10b96ff065c51dec133d9b23d277fd8260d15f38c39b94ae9735f34fec8429af
+ image: quay.io/redhat-appstudio/tools@sha256:87c71bdc6f1925de3566fe9ff7237ce122063f5972f533722868b84fb5616b61
 env:
 - name: CLIENT_ID
 valueFrom:
diff --git a/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml
index b092a9f2cf..c2f4ca4f3f 100644
--- a/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml
+++ b/task/generate-odcs-compose/0.2/generate-odcs-compose.yaml
@@ -21,7 +21,7 @@ spec:
 description: Directory to write the result .repo files.
 steps:
 - name: generate-odcs-compose
- image: quay.io/redhat-appstudio/tools@sha256:10b96ff065c51dec133d9b23d277fd8260d15f38c39b94ae9735f34fec8429af
+ image: quay.io/redhat-appstudio/tools@sha256:87c71bdc6f1925de3566fe9ff7237ce122063f5972f533722868b84fb5616b61
 env:
 - name: CLIENT_ID
 valueFrom:
diff --git a/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml b/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml
index 33f679b617..a72cff9bdb 100644
--- a/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml
+++ b/task/rpm-ostree-oci-ta/0.2/rpm-ostree-oci-ta.yaml
@@ -241,7 +241,7 @@ spec:
 requests:
 memory: 6Gi
 - name: merge-cachi2-sbom
- image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:ff25ba051a6d583e5b85e635d39f0e804e2ac65def51ba17b0d487a1c00ce9cd
+ image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af
 workingDir: /var/workdir
 script: |
 cachi2_sbom=./cachi2/output/bom.json
diff --git a/task/rpm-ostree/0.2/rpm-ostree.yaml b/task/rpm-ostree/0.2/rpm-ostree.yaml
index 9d0a128d7b..164a8afc8a 100644
--- a/task/rpm-ostree/0.2/rpm-ostree.yaml
+++ b/task/rpm-ostree/0.2/rpm-ostree.yaml
@@ -222,7 +222,7 @@ spec:
 - mountPath: /var/lib/containers
 name: varlibcontainers
 - name: merge-cachi2-sbom
- image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:ff25ba051a6d583e5b85e635d39f0e804e2ac65def51ba17b0d487a1c00ce9cd
+ image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:11851ba63f63dfdcf722e47993f41a1f5f31a7a0dc8aa85b810ce2466daf23af
 script: |
 cachi2_sbom=./cachi2/output/bom.json
 if [ -f "$cachi2_sbom" ]; then
diff --git a/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml b/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml
index ae222f5088..b38f3a9104 100644
--- a/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml
+++ b/task/rpms-signature-scan/0.1/rpms-signature-scan.yaml
@@ -48,7 +48,7 @@ spec:
 optional: true
 steps:
 - name: rpms-signature-scan
- image: quay.io/redhat-appstudio/tools@sha256:10b96ff065c51dec133d9b23d277fd8260d15f38c39b94ae9735f34fec8429af
+ image: quay.io/redhat-appstudio/tools@sha256:87c71bdc6f1925de3566fe9ff7237ce122063f5972f533722868b84fb5616b61
 volumeMounts:
 - name: workdir
 mountPath: "$(params.workdir)"
diff --git a/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml b/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml
index e481849048..92b17d565f 100644
--- a/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml
+++ b/task/rpms-signature-scan/0.2/rpms-signature-scan.yaml
@@ -44,7 +44,7 @@ spec:
 optional: true
 steps:
 - name: rpms-signature-scan
- image: quay.io/redhat-appstudio/tools@sha256:10b96ff065c51dec133d9b23d277fd8260d15f38c39b94ae9735f34fec8429af
+ image: quay.io/redhat-appstudio/tools@sha256:87c71bdc6f1925de3566fe9ff7237ce122063f5972f533722868b84fb5616b61
 volumeMounts:
 - name: workdir
 mountPath: "$(params.workdir)"
diff --git a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml
index fdaf345f70..307fe59fa6 100644
--- a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml
+++ b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml
@@ -114,7 +114,7 @@ spec:
 | .name + "@" + $matched.digest
 ' <<<"$sbom" | tee "$BASE_IMAGES_FILE"
 - name: build
- image: quay.io/konflux-ci/source-container-build:latest@sha256:d564bce07b9d9fee8fcd781cd60f47f29d86d0bd7c6586a2cde2b845493ad881
+ image: quay.io/konflux-ci/source-container-build:latest@sha256:2b945fc0f4ff54b711f4d4d2c99476c7dab073d885f615c9414ea134652557df
 workingDir: /var/workdir
 env:
 - name: SOURCE_DIR
diff --git a/task/source-build/0.1/source-build.yaml b/task/source-build/0.1/source-build.yaml
index fd9219c4c3..8cd8bfbd03 100644
--- a/task/source-build/0.1/source-build.yaml
+++ b/task/source-build/0.1/source-build.yaml
@@ -102,7 +102,7 @@ spec:
 ' <<< "$sbom" | tee "$BASE_IMAGES_FILE"
 - name: build
- image: quay.io/konflux-ci/source-container-build:latest@sha256:d564bce07b9d9fee8fcd781cd60f47f29d86d0bd7c6586a2cde2b845493ad881
+ image: quay.io/konflux-ci/source-container-build:latest@sha256:2b945fc0f4ff54b711f4d4d2c99476c7dab073d885f615c9414ea134652557df
 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
 # the cluster will set imagePullPolicy to IfNotPresent
 computeResources: