From 16f3f301c5a59f9580b367d5c41a47ae498bd4be Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Wed, 3 Jul 2024 14:46:10 -0400 Subject: [PATCH 01/11] Ignore bundle_values.env This gets generated as a side-effect when you run hack/build-and-push.sh --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 69f039aada..428157c6d0 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ .idea/ pipeline-bundle-list task-bundle-list +bundle_values.env From 212fbf34ad98d843af47dba5eece35848c0e1649 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 3 Jul 2024 19:49:01 +0000 Subject: [PATCH 02/11] chore(deps): update ec --- .tekton/tasks/ec-checks.yaml | 4 ++-- pipelines/enterprise-contract.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml index 6d6ac109af..aae6d165c1 100644 --- a/.tekton/tasks/ec-checks.yaml +++ b/.tekton/tasks/ec-checks.yaml @@ -23,7 +23,7 @@ spec: $(all_tasks_dir all_tasks-ec) - name: validate-all-tasks workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:dc7d404596385e7d3c624ec0492524a1d57efe2b0c10cf0ec2158d49c0290a83 + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:868c24978b21099988c09a7e35136db5219755e13a62c65247642ce13be6ec6b script: | set -euo pipefail @@ -37,7 +37,7 @@ spec: ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]} - name: validate-build-tasks workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:dc7d404596385e7d3c624ec0492524a1d57efe2b0c10cf0ec2158d49c0290a83 + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:868c24978b21099988c09a7e35136db5219755e13a62c65247642ce13be6ec6b script: | set -euo pipefail 
diff --git a/pipelines/enterprise-contract.yaml b/pipelines/enterprise-contract.yaml index 5261a36b63..145595112f 100644 --- a/pipelines/enterprise-contract.yaml +++ b/pipelines/enterprise-contract.yaml @@ -73,7 +73,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:186ed09cdebd169a501ac8a379e7bc1a4f4d50ab5a5ec410a09058991c7f3699 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:41a5947107beba8cab3c3af1e4d9b9556c93b955d1f5c7224fc8ae68b050f1a2 - name: name value: verify-enterprise-contract - name: kind From a625895250e2e55bb37a2bf27fcb9cd7f113f991 Mon Sep 17 00:00:00 2001 From: Chenxiong Qi Date: Tue, 2 Jul 2024 10:46:52 +0800 Subject: [PATCH 03/11] Use quay.io/konflux-ci/source-container-build STONEBLD-2563 Signed-off-by: Chenxiong Qi --- task/source-build-oci-ta/0.1/source-build-oci-ta.yaml | 2 +- task/source-build/0.1/source-build.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml index 6d7ee3fdfa..221919f7f4 100644 --- a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml +++ b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml @@ -53,7 +53,7 @@ spec: - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 - name: build - image: quay.io/redhat-appstudio/build-definitions-source-image-build-utils@sha256:0d199c56ed01b88f8a7d244742989bfc63980e8624cc6cc8f792d79f6ece40be + image: quay.io/konflux-ci/source-container-build:9ad131acf5154d2f280b7b46a1abc543952d325c@sha256:94271c32e4578208ac90308695d2b625d4e932d65f0cdd116b200c39228f5ece workingDir: /var/workdir env: - name: BINARY_IMAGE diff --git a/task/source-build/0.1/source-build.yaml b/task/source-build/0.1/source-build.yaml index cbb54612c2..5c0775e572 100644 --- a/task/source-build/0.1/source-build.yaml +++ b/task/source-build/0.1/source-build.yaml 
@@ -36,7 +36,7 @@ spec: emptyDir: {} steps: - name: build - image: quay.io/redhat-appstudio/build-definitions-source-image-build-utils@sha256:0d199c56ed01b88f8a7d244742989bfc63980e8624cc6cc8f792d79f6ece40be + image: quay.io/konflux-ci/source-container-build:9ad131acf5154d2f280b7b46a1abc543952d325c@sha256:94271c32e4578208ac90308695d2b625d4e932d65f0cdd116b200c39228f5ece # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent computeResources: From 1b59ab81092566622bc451cd2ab4b70891d1d768 Mon Sep 17 00:00:00 2001 From: flacatus Date: Thu, 4 Jul 2024 14:04:46 +0200 Subject: [PATCH 04/11] Change e2e image to konflux workloads --- .tekton/tasks/e2e-test.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/tasks/e2e-test.yaml b/.tekton/tasks/e2e-test.yaml index 80ece4a753..baf1cdf08e 100644 --- a/.tekton/tasks/e2e-test.yaml +++ b/.tekton/tasks/e2e-test.yaml @@ -26,7 +26,7 @@ spec: type: string steps: - name: e2e-test - image: quay.io/konflux-ci/e2e-tests:a1fd47cbb639276f08f9c51769a15a106a9e68ff + image: quay.io/redhat-user-workloads/rhtap-qe-shared-tenant/konflux-e2e/konflux-e2e-tests:7dab163f24f482021262680e7a602d6af84ca84b # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened # against build-definitions to update this tag args: [ From 1fdda42700609363e7ad4e8c70d26b221562acc9 Mon Sep 17 00:00:00 2001 
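Review bot: The new `image:` of the `e2e-test` step in .tekton/tasks/e2e-test.yaml is referenced by tag only, so the registry decides what `7dab163f24f482021262680e7a602d6af84ca84b` resolves to at pull time, and the repository now lives under a shared tenant namespace (`redhat-user-workloads/rhtap-qe-shared-tenant`). The ec-cli and source-container-build images changed earlier in this series are pinned with `@sha256:`; appending the digest here as well, `...konflux-e2e-tests:7dab163f24f482021262680e7a602d6af84ca84b@sha256:<digest of that tag>`, would make the pull immutable. The comment under the image says the tag is updated by automated PRs, so that automation would have to write the digest too; whether it can is not visible in this hunk.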
From: Zoran Regvart Date: Thu, 4 Jul 2024 15:19:22 +0200 Subject: [PATCH 05/11] Combine three bundle build tasks into one Seems that scheduling Task pods often runs into issues, most likely the inability to mount persistent volumes caused by "volume node affinity conflict". To minimize this issue three separate bundle build Tasks are now combined into a single Tasks as three Steps instead. Reference: https://issues.redhat.com/browse/EC-705 Co-authored-by: Adam Cmiel --- .tekton/push.yaml | 193 ++++++++++++++-------------------------------- 1 file changed, 57 insertions(+), 136 deletions(-) diff --git a/.tekton/push.yaml b/.tekton/push.yaml index 6c96ca6568..e90c08c412 100644 --- a/.tekton/push.yaml +++ b/.tekton/push.yaml @@ -42,20 +42,6 @@ spec: - name: output workspace: workspace - - name: clone-repository-to-redhat-appstudio-workspace - params: - - name: url - value: $(params.git-url) - - name: revision - value: "$(params.revision)" - - name: depth - value: "0" - taskRef: - name: git-clone - workspaces: - - name: output - workspace: workspace-redhat-appstudio - - name: ec-task-checks runAfter: - clone-repository @@ -78,28 +64,27 @@ spec: - name: source workspace: workspace - - name: build-bundles-redhat-appstudio + - name: build-bundles params: - name: revision value: "$(params.revision)" runAfter: - - build-container - - clone-repository-to-redhat-appstudio-workspace + - ec-task-checks workspaces: - name: source - workspace: workspace-redhat-appstudio + workspace: workspace taskSpec: params: - name: revision type: string steps: - - name: build-bundles + - name: build-bundles-konflux-ci image: quay.io/konflux-ci/appstudio-utils:{{ revision }} workingDir: $(workspaces.source.path)/source command: ["./hack/build-and-push.sh"] env: - name: QUAY_NAMESPACE - value: redhat-appstudio-tekton-catalog + value: konflux-ci/tekton-catalog - name: BUILD_TAG value: "$(params.revision)" - name: SKIP_BUILD 
@@ -107,41 +92,16 @@ spec: - name: SKIP_INSTALL value: "1" - name: OUTPUT_TASK_BUNDLE_LIST - value: $(workspaces.source.path)/task-bundle-list + value: $(workspaces.source.path)/task-bundle-list-konflux-ci - name: OUTPUT_PIPELINE_BUNDLE_LIST - value: $(workspaces.source.path)/pipeline-bundle-list - volumeMounts: - - mountPath: /root/.docker/config.json - subPath: .dockerconfigjson - name: quay-secret - volumes: - - name: quay-secret - secret: - secretName: redhat-appstudio-tekton-catalog-build-definitions-pull-secret - workspaces: - - name: source - - - name: build-bundles-konflux-ci - params: - - name: revision - value: "$(params.revision)" - runAfter: - - build-container - workspaces: - - name: source - workspace: workspace - taskSpec: - params: - - name: revision - type: string - steps: - - name: build-bundles + value: $(workspaces.source.path)/pipeline-bundle-list-konflux-ci + - name: build-bundles-redhat-appstudio image: quay.io/konflux-ci/appstudio-utils:{{ revision }} workingDir: $(workspaces.source.path)/source command: ["./hack/build-and-push.sh"] env: - name: QUAY_NAMESPACE - value: konflux-ci/tekton-catalog + value: redhat-appstudio-tekton-catalog - name: BUILD_TAG value: "$(params.revision)" - name: SKIP_BUILD 
@@ -149,55 +109,16 @@ spec: - name: SKIP_INSTALL value: "1" - name: OUTPUT_TASK_BUNDLE_LIST - value: $(workspaces.source.path)/task-bundle-list + value: $(workspaces.source.path)/task-bundle-list-appstudio - name: OUTPUT_PIPELINE_BUNDLE_LIST - value: $(workspaces.source.path)/pipeline-bundle-list - workspaces: - - name: source - - - name: update-infra-repo - runAfter: - - build-bundles-redhat-appstudio - - build-bundles-konflux-ci - params: - - name: ORIGIN_REPO - value: $(params.git-url) - - name: REVISION - value: $(params.revision) - - name: SCRIPT - value: | - sed -i -E 's/[0-9a-f]{40}/$(params.revision)/g' components/build-service/base/build-pipeline-config/build-pipeline-config.yaml - taskRef: - name: update-infra-deployments - - # Note: pushes to redhat-appstudio-tekton-catalog, but contains the bundles - # from both redhat-appstudio-tekton-catalog and konflux-ci/tekton-catalog - - name: build-acceptable-bundles-redhat-appstudio - runAfter: - - build-bundles-redhat-appstudio - - build-bundles-konflux-ci - workspaces: - - name: artifacts - workspace: workspace - - name: artifacts-redhat-appstudio - workspace: workspace-redhat-appstudio - taskSpec: - workspaces: - - name: artifacts - description: Workspace containing arbitrary artifacts used during the task run. - - name: artifacts-redhat-appstudio - description: Same as 'artifacts', but for tasks that push to the old redhat-appstudio location. 
- volumes: - - name: quay-secret - secret: - secretName: redhat-appstudio-tekton-catalog-build-definitions-pull-secret - results: - - name: DATA_BUNDLE_REPO - - name: DATA_BUNDLE_TAG - steps: - - name: build-bundles + value: $(workspaces.source.path)/pipeline-bundle-list-appstudio + volumeMounts: + - mountPath: /root/.docker/config.json + subPath: .dockerconfigjson + name: quay-secret + - name: update-acceptable-bundles image: quay.io/konflux-ci/appstudio-utils:{{ revision }} - workingDir: $(workspaces.artifacts.path)/source + workingDir: $(workspaces.source.path)/source env: - name: REVISION value: "$(params.revision)" 
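Review bot: The two `# Note:` comments that said which registry each acceptable-bundles task pushed to are removed in this hunk, and the new `update-acceptable-bundles` step gets no replacement. A reader has to work out from `DATA_BUNDLE_REPO` in its script that the data bundle is now built in konflux-ci/tekton-catalog first and, judging by the step name `copy-acceptable-bundle-to-appstudio`, copied to the old namespace afterwards. I would add `# Note: pushes to konflux-ci/tekton-catalog, but contains the bundles from both konflux-ci/tekton-catalog and redhat-appstudio-tekton-catalog` above the step. Separately, the new `volumeMounts` on `build-bundles-redhat-appstudio` refers to `quay-secret`, while both `volumes:` declarations visible in this patch are on removed lines. The last hunk of the file is cut off on this page, so please confirm the combined taskSpec still declares that volume.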
@@ -207,56 +128,64 @@ spec: #!/bin/bash set -euo pipefail - DATA_BUNDLE_REPO=quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles + DATA_BUNDLE_REPO=quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles DATA_BUNDLE_TAG=$(date '+%s') export DATA_BUNDLE_REPO DATA_BUNDLE_TAG .tekton/scripts/build-acceptable-bundles.sh "$@" - echo -n "$DATA_BUNDLE_REPO" > "$(results.DATA_BUNDLE_REPO.path)" - echo -n "$DATA_BUNDLE_TAG" > "$(results.DATA_BUNDLE_TAG.path)" + echo -n "${DATA_BUNDLE_TAG}" > acceptable_bundle_tag args: - - $(workspaces.artifacts.path)/task-bundle-list - - $(workspaces.artifacts.path)/pipeline-bundle-list - - $(workspaces.artifacts-redhat-appstudio.path)/task-bundle-list - - $(workspaces.artifacts-redhat-appstudio.path)/pipeline-bundle-list - volumeMounts: - - mountPath: /root/.docker/config.json - subPath: .dockerconfigjson - name: quay-secret - - # Note: copies the redhat-appstudio-tekton-catalog data-acceptable-bundles image - - name: build-acceptable-bundles-konflux-ci - runAfter: - - build-acceptable-bundles-redhat-appstudio - taskSpec: - steps: - - name: copy-bundles + - $(workspaces.source.path)/task-bundle-list-konflux-ci + - $(workspaces.source.path)/pipeline-bundle-list-konflux-ci + - $(workspaces.source.path)/task-bundle-list-appstudio + - $(workspaces.source.path)/pipeline-bundle-list-appstudio + - name: copy-acceptable-bundle-to-appstudio image: quay.io/konflux-ci/appstudio-utils:{{ revision }} - env: - - name: DATA_BUNDLE_RH_APPSTUDIO - value: $(tasks.build-acceptable-bundles-redhat-appstudio.results.DATA_BUNDLE_REPO) - - name: DATA_BUNDLE_TAG - value: $(tasks.build-acceptable-bundles-redhat-appstudio.results.DATA_BUNDLE_TAG) + workingDir: $(workspaces.source.path)/source script: | #!/bin/bash set -euo pipefail - set -x - DATA_BUNDLE_KONFLUX_CI=quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles + DATA_BUNDLE_REPO=quay.io/konflux-ci/tekton-catalog/data-acceptable-bundles + DATA_BUNDLE_TAG=$( Date: Mon, 1 Jul 2024 16:33:13 
-0400 Subject: [PATCH 06/11] Incorporate auth param for oci-copy task --- task/oci-copy-oci-ta/0.1/README.md | 1 + task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml | 26 +++++++++++++++++-- task/oci-copy/0.1/README.md | 1 + task/oci-copy/0.1/oci-copy.yaml | 25 ++++++++++++++++-- 4 files changed, 49 insertions(+), 4 deletions(-) diff --git a/task/oci-copy-oci-ta/0.1/README.md b/task/oci-copy-oci-ta/0.1/README.md index 65cd28337b..fb832ae075 100644 --- a/task/oci-copy-oci-ta/0.1/README.md +++ b/task/oci-copy-oci-ta/0.1/README.md @@ -5,6 +5,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in ## Parameters |name|description|default value|required| |---|---|---|---| +|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header|""|false| |IMAGE|Reference of the image we will push||true| |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml index a37030e6ea..ffa5582b1d 100644 --- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml +++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml @@ -13,6 +13,11 @@ spec: description: Given a file in the user's source directory, copy content from arbitrary urls into the OCI registry. params: + - name: BEARER_TOKEN_SECRET_NAME + description: Name of a secret which will be made available to the build + as an Authorization header + type: string + default: "" - name: IMAGE description: Reference of the image we will push type: string 
@@ -85,16 +90,33 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers + env: + - name: BEARER_TOKEN + valueFrom: + secretKeyRef: + key: token + name: $(params.BEARER_TOKEN_SECRET_NAME) + optional: true script: | - set -eu + set -e set -o pipefail + CURL_ARGS=() + if [ -n "${BEARER_TOKEN}" ]; then + echo "Found bearer token. Using it for authentication." + CURL_ARGS+=(-H "Authorization: Bearer ${BEARER_TOKEN}") + else + echo "Proceeding with anonymous requests" + fi + + set -u + for varfile in /var/workdir/vars/*; do echo "Reading $varfile" source $varfile echo "Downloading $OCI_SOURCE to $OCI_FILENAME" - curl --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME + curl "${CURL_ARGS[@]}" --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME echo "Confirming that digest of $OCI_FILENAME matches expected $OCI_ARTIFACT_DIGEST" echo "$OCI_ARTIFACT_DIGEST $OCI_FILENAME" | sha256sum --check diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md index bb2826b124..b52e0a1d51 100644 --- a/task/oci-copy/0.1/README.md +++ b/task/oci-copy/0.1/README.md @@ -11,6 +11,7 @@ It is not to be considered safe for general use as it cannot provide a high degr |---|---|---|---| |IMAGE|Reference of the image buildah will produce.||true| |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| +|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header|""|false| ## Results |name|description| diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml index 189083a80c..cb901ed329 100644 --- a/task/oci-copy/0.1/oci-copy.yaml +++ b/task/oci-copy/0.1/oci-copy.yaml 
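Review bot: The bearer token is put into `CURL_ARGS` for every `$OCI_SOURCE` in the loop and nothing in the step restricts the URL scheme, so an `http://` entry in the oci-copy file would carry the secret in cleartext. Restricting curl to HTTPS whenever the token is set closes that: `CURL_ARGS+=(--proto '=https' --proto-redir '=https' -H "Authorization: Bearer ${BEARER_TOKEN}")`. Because `--location` is used, it is also worth checking that the curl in the step image drops a custom `Authorization` header on a redirect to another host, which older releases did not do. The switch from `set -eu` to `set -e` plus a later `set -u` can be avoided by testing `[ -n "${BEARER_TOKEN:-}" ]`. The same block is added to task/oci-copy/0.1/oci-copy.yaml in this patch; the step begins above the hunk and its loop continues past it.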
@@ -18,6 +18,10 @@ spec: description: Path to the oci copy file. name: OCI_COPY_FILE type: string + - name: BEARER_TOKEN_SECRET_NAME + description: Name of a secret which will be made available to the build as an Authorization header + type: string + default: "" results: - description: Digest of the artifact just pushed name: IMAGE_DIGEST @@ -71,16 +75,33 @@ spec: capabilities: add: - SETFCAP + env: + - name: BEARER_TOKEN + valueFrom: + secretKeyRef: + name: $(params.BEARER_TOKEN_SECRET_NAME) + key: token + optional: true script: | - set -eu + set -e set -o pipefail + CURL_ARGS=() + if [ -n "${BEARER_TOKEN}" ]; then + echo "Found bearer token. Using it for authentication." + CURL_ARGS+=(-H "Authorization: Bearer ${BEARER_TOKEN}") + else + echo "Proceeding with anonymous requests" + fi + + set -u + for varfile in /var/workdir/vars/*; do echo "Reading $varfile" source $varfile echo "Downloading $OCI_SOURCE to $OCI_FILENAME" - curl --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME + curl "${CURL_ARGS[@]}" --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME echo "Confirming that digest of $OCI_FILENAME matches expected $OCI_ARTIFACT_DIGEST" echo "$OCI_ARTIFACT_DIGEST $OCI_FILENAME" | sha256sum --check From 59b7475eebb48fae95f3ae7cafb7afce35d399d9 Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Wed, 3 Jul 2024 14:50:47 -0400 Subject: [PATCH 07/11] Explicitly fail if curl errors Without this, we can end up writing an HTTP error response into the output file and proceeding. Although that would be caught by a (somewhat confusing) checksum mismatch shortly after. --- task/oci-copy/0.1/oci-copy.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml index cb901ed329..bce9d5f7db 100644 --- a/task/oci-copy/0.1/oci-copy.yaml +++ b/task/oci-copy/0.1/oci-copy.yaml 
@@ -101,7 +101,7 @@ spec: source $varfile echo "Downloading $OCI_SOURCE to $OCI_FILENAME" - curl "${CURL_ARGS[@]}" --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME + curl "${CURL_ARGS[@]}" --fail --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME echo "Confirming that digest of $OCI_FILENAME matches expected $OCI_ARTIFACT_DIGEST" echo "$OCI_ARTIFACT_DIGEST $OCI_FILENAME" | sha256sum --check From 4ca2a7027fefdb7678a0f40bb046df3dc6774edd Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Wed, 3 Jul 2024 16:12:45 -0400 Subject: [PATCH 08/11] Document that the same token will be sent to all the servers --- task/oci-copy/0.1/README.md | 5 ++++- task/oci-copy/0.1/oci-copy.yaml | 5 ++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md index b52e0a1d51..704e0a6e5f 100644 --- a/task/oci-copy/0.1/README.md +++ b/task/oci-copy/0.1/README.md 
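Review bot: `$OCI_SOURCE` and `$OCI_FILENAME` are still expanded unquoted on the changed `curl` line, so a value containing whitespace is split into additional curl arguments and glob characters are expanded. Both values come from the sourced `$varfile`, which, per the task description, is derived from a file in the user's source directory. Quoting them keeps each value a single argument: `curl "${CURL_ARGS[@]}" --fail --silent --show-error --location "$OCI_SOURCE" -o "$OCI_FILENAME"`. The same applies to `source $varfile` and the `sha256sum --check` input on the context lines, and to the regenerated copy of this line in task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml in patch 09. The loop body extends beyond this hunk.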
@@ -6,12 +6,15 @@ It generates a limited SBOM and pushes that into the OCI registry alongside the It is not to be considered safe for general use as it cannot provide a high degree of provenance for artficats and reports them only as "general" type artifacts in the purl spec it reports in the SBOM. Use only in limited situations. +Note: the bearer token secret, if specified, will be sent to **all servers listed in the oci-copy.yaml file**. + ## Parameters |name|description|default value|required| |---|---|---|---| |IMAGE|Reference of the image buildah will produce.||true| |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| -|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header|""|false| +|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|""|false| + ## Results |name|description| diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml index bce9d5f7db..ab21991de3 100644 --- a/task/oci-copy/0.1/oci-copy.yaml +++ b/task/oci-copy/0.1/oci-copy.yaml @@ -19,7 +19,10 @@ spec: name: OCI_COPY_FILE type: string - name: BEARER_TOKEN_SECRET_NAME - description: Name of a secret which will be made available to the build as an Authorization header + description: >- + Name of a secret which will be made available to the build as an Authorization header. Note, the token will + be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, + different taskruns and therefore different oci artifacts must be used. type: string default: "" results: From 3b51b71e76a91eda7a8631d3634b5d62dc4f7ee8 Mon Sep 17 00:00:00 2001 
From: Ralph Bean Date: Wed, 3 Jul 2024 16:19:18 -0400 Subject: [PATCH 09/11] chore: run hack/generate-ta-tasks.sh --- task/oci-copy-oci-ta/0.1/README.md | 2 +- task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/task/oci-copy-oci-ta/0.1/README.md b/task/oci-copy-oci-ta/0.1/README.md index fb832ae075..6c7e32c6bd 100644 --- a/task/oci-copy-oci-ta/0.1/README.md +++ b/task/oci-copy-oci-ta/0.1/README.md @@ -5,7 +5,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in ## Parameters |name|description|default value|required| |---|---|---|---| -|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header|""|false| +|BEARER_TOKEN_SECRET_NAME|Name of a secret which will be made available to the build as an Authorization header. Note, the token will be sent to all servers found in the oci-copy.yaml file. If you do not wish to send the token to all servers, different taskruns and therefore different oci artifacts must be used.|""|false| |IMAGE|Reference of the image we will push||true| |OCI_COPY_FILE|Path to the oci copy file.|./oci-copy.yaml|false| |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml index ffa5582b1d..f6b97faf03 100644 --- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml +++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml 
@@ -15,7 +15,10 @@ spec: params: - name: BEARER_TOKEN_SECRET_NAME description: Name of a secret which will be made available to the build - as an Authorization header + as an Authorization header. Note, the token will be sent to all servers + found in the oci-copy.yaml file. If you do not wish to send the token + to all servers, different taskruns and therefore different oci artifacts + must be used. type: string default: "" - name: IMAGE @@ -116,7 +119,7 @@ spec: source $varfile echo "Downloading $OCI_SOURCE to $OCI_FILENAME" - curl "${CURL_ARGS[@]}" --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME + curl "${CURL_ARGS[@]}" --fail --silent --show-error --location $OCI_SOURCE -o $OCI_FILENAME echo "Confirming that digest of $OCI_FILENAME matches expected $OCI_ARTIFACT_DIGEST" echo "$OCI_ARTIFACT_DIGEST $OCI_FILENAME" | sha256sum --check From 582f9449c38d832bdbe5fbf5a25a7c75228a24db Mon Sep 17 00:00:00 2001 From: Chenxiong Qi Date: Thu, 4 Jul 2024 20:34:32 +0800 Subject: [PATCH 10/11] feat: setup renovate to update source-container-build image Signed-off-by: Chenxiong Qi --- renovate.json | 1 + 1 file changed, 1 insertion(+) diff --git a/renovate.json b/renovate.json index bb02d767b1..efeadc3f41 100644 --- a/renovate.json +++ b/renovate.json @@ -19,6 +19,7 @@ "quay.io/konflux-ci/pull-request-builds", "quay.io/redhat-appstudio/github-app-token", "quay.io/konflux-ci/appstudio-utils", + "quay.io/konflux-ci/source-container-build", "quay.io/redhat-appstudio/e2e-tests", "quay.io/redhat-appstudio/buildah", "quay.io/redhat-appstudio/syft", From 12f31d38fcc241598c7abc3e054e0425ee61c0ac Mon Sep 17 00:00:00 2001 From: mkosiarc Date: Tue, 25 Jun 2024 10:29:29 +0200 Subject: [PATCH 11/11] Update build-image-manifest readme The task generates image index, that contains info about individual arch-specific image manifests and not the image manifests themselves. KFLUXBUGS-1145 
Signed-off-by: mkosiarc --- task/build-image-manifest/0.1/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/task/build-image-manifest/0.1/README.md b/task/build-image-manifest/0.1/README.md index de44286711..acb4aa3498 100644 --- a/task/build-image-manifest/0.1/README.md +++ b/task/build-image-manifest/0.1/README.md @@ -1,6 +1,6 @@ # build-image-manifest task -This task generates an image manifest from a collection of existing single platform images to create a multi-platform image. +This task generates an image index from a collection of existing single platform images to create a multi-platform image. ## Parameters | name | description |default value|required|