From c3f3caf841ac1d96e89f8ccc9d9b301919c2e31d Mon Sep 17 00:00:00 2001 From: Ralph Bean Date: Fri, 10 May 2024 11:50:34 -0400 Subject: [PATCH] Use the referrers API for attaching results This makes them findable with oras discover. Signed-off-by: Ralph Bean --- task/clamav-scan/0.1/clamav-scan.yaml | 19 ++++++++----------- task/sast-snyk-check/0.1/sast-snyk-check.yaml | 19 +++++++------------ 2 files changed, 15 insertions(+), 23 deletions(-) diff --git a/task/clamav-scan/0.1/clamav-scan.yaml b/task/clamav-scan/0.1/clamav-scan.yaml index bde0fd31f9..e050b88f0a 100644 --- a/task/clamav-scan/0.1/clamav-scan.yaml +++ b/task/clamav-scan/0.1/clamav-scan.yaml @@ -15,8 +15,6 @@ spec: description: Tekton task test output. - name: IMAGES_PROCESSED description: Images processed in the task. - - name: RESULT_URI - description: OCI pullspec where the full clamav output can be found. params: - name: image-digest description: Image digest to scan. @@ -145,7 +143,7 @@ spec: - mountPath: /work name: work - name: upload - image: quay.io/konflux-ci/oras:latest@sha256:55cf304549225435958798c3be0377faf0a3ff89f3fbe03e45c3bb656ecaf02f + image: quay.io/konflux-ci/oras:latest@sha256:04cbd5efbcf1a38944b050e3adbc3071218643f6aa92e95d5d25b173574bca5e env: - name: IMAGE_URL value: $(params.image-url) @@ -155,12 +153,6 @@ spec: script: | #!/usr/bin/env bash - IFS=':' read -ra REPO <<< "$IMAGE_URL" - REPO="${REPO[0]}" - DIGEST=$(echo "${IMAGE_DIGEST}" | tr : -) - SUFFIX=clamav - RESULT_URI="${REPO}:${DIGEST}.${SUFFIX}" - cd logs for UPLOAD_FILE in $(find . -name "clamscan-result*.log"); do 
@@ -171,8 +163,13 @@ spec: MEDIA_TYPE=application/vnd.konflux.test_output+json args+=("${UPLOAD_FILE}:${MEDIA_TYPE}") done - retry oras push --no-tty --registry-config "$HOME/.docker/config.json" "${RESULT_URI}" "${args[@]}" - echo "${RESULT_URI}" > $(results.RESULT_URI.path) + + echo "Selecting auth" + select-oci-auth $IMAGE_URL > $HOME/auth.json + echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers API" + oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-api --artifact-type application/vnd.clamav "${IMAGE_URL}" "${args[@]}" + echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers Tag" + oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-tag --artifact-type application/vnd.clamav "${IMAGE_URL}" "${args[@]}" volumeMounts: - mountPath: /work name: work diff --git a/task/sast-snyk-check/0.1/sast-snyk-check.yaml b/task/sast-snyk-check/0.1/sast-snyk-check.yaml index 42a445d026..0c6801fdce 100644 --- a/task/sast-snyk-check/0.1/sast-snyk-check.yaml +++ b/task/sast-snyk-check/0.1/sast-snyk-check.yaml @@ -13,8 +13,6 @@ spec: results: - description: Tekton task test output. name: TEST_OUTPUT - - description: OCI pullspec where the full SARIF result can be found. - name: RESULT_URI params: - name: SNYK_SECRET description: Name of secret which contains Snyk token. @@ -97,7 +95,7 @@ spec: fi echo "${TEST_OUTPUT:-${ERROR_OUTPUT}}" | tee $(results.TEST_OUTPUT.path) - name: upload - image: quay.io/konflux-ci/oras:latest@sha256:55cf304549225435958798c3be0377faf0a3ff89f3fbe03e45c3bb656ecaf02f + image: quay.io/konflux-ci/oras:latest@sha256:04cbd5efbcf1a38944b050e3adbc3071218643f6aa92e95d5d25b173574bca5e workingDir: $(workspaces.workspace.path)/hacbs/$(context.task.name) env: - name: IMAGE_URL 
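Review bot: Both new `oras attach` lines take `"${IMAGE_URL}"` as the subject, so the ClamAV output is no longer tied to `IMAGE_DIGEST` the way the removed `${REPO}:${DIGEST}.${SUFFIX}` tag was. The removed code split `IMAGE_URL` on `:`, which suggests it can carry a tag; if it does, the tag is resolved at attach time and the results are recorded against whatever manifest it points to then, not necessarily the image that was scanned. Pinning the subject by digest keeps the evidence bound to the scanned content, for example keeping the `REPO` derivation and passing `"${REPO}@${IMAGE_DIGEST}"` (assuming `IMAGE_DIGEST` is still exported to this step). The `oras attach` lines in the sast-snyk-check upload hunk have the same issue. The script starts before this hunk and the step continues after it.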
@@ -113,16 +111,13 @@ spec: fi UPLOAD_FILE=sast_snyk_check_out.json - - SUFFIX=sarif MEDIA_TYPE=application/sarif+json - IFS=':' read -ra REPO <<< "$IMAGE_URL" - REPO="${REPO[0]}" - DIGEST=$(echo "${IMAGE_DIGEST}" | tr : -) - RESULT_URI="${REPO}:${DIGEST}.${SUFFIX}" - - retry oras push --no-tty --registry-config "$HOME/.docker/config.json" "${RESULT_URI}" "${UPLOAD_FILE}:${MEDIA_TYPE}" - echo "${RESULT_URI}" > $(results.RESULT_URI.path) + echo "Selecting auth" + select-oci-auth $IMAGE_URL > $HOME/auth.json + echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers API" + oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-api --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" + echo "Attaching to ${IMAGE_URL} via the OCI 1.1 Referrers Tag" + oras attach --no-tty --registry-config "$HOME/auth.json" --distribution-spec v1.1-referrers-tag --artifact-type "${MEDIA_TYPE}" "${IMAGE_URL}" "${UPLOAD_FILE}:${MEDIA_TYPE}" workspaces: - name: workspace
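Review bot: The `retry` wrapper that guarded `oras push` is gone, and nothing in this hunk checks `select-oci-auth` or the first `oras attach`, so unless the script sets `set -e` above the hunk the step's status is just that of the last `oras attach`. A transient registry error or a failed auth selection can then leave the SARIF result unattached without failing the task. I would fail early and keep the retries, e.g. `select-oci-auth "${IMAGE_URL}" > "${HOME}/auth.json" || exit 1` and `retry oras attach …` on both calls (assuming `retry` is still available in the new image); the quoting also stops word splitting on the parameter value. The clamav-scan upload script has the same pattern, and its visible opening lines show a shebang with no `set -e`.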