Merge branch 'main' into SDCICD-1338

.github/workflows/check-buildah-remote.yaml

@@ -9,7 +9,7 @@ jobs:
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
       - name: Install Go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
         with:
           go-version-file: './task-generator/go.mod'
       - name: Check buildah remote

.github/workflows/check-readmes.yaml

@@ -0,0 +1,24 @@
+name: Validate PR - check READMEs
+'on':
+  pull_request:
+    branches: [main]
+jobs:
+  check:
+    name: Check READMEs
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+
+      - name: Check pipeline READMEs
+        run: |
+          #!/bin/bash
+          set -e
+
+          ./hack/generate-pipelines-readme.py
+          if [[ -n $(git status -s) ]]
+          then
+            echo "pipeline READMEs are not up to date, run ./hack/generate-pipelines-readme.py and commit the resulting changes"
+            git status -s
+            exit 1
+          fi

.github/workflows/checkton.yaml

@@ -0,0 +1,33 @@
+name: Checkton
+on:
+  pull_request:
+    branches: [main]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          # Differential Checkton requires full git history
+          fetch-depth: 0
+
+      - name: Run Checkton
+        id: checkton
+        uses: chmeliik/[email protected]
+        with:
+          # Set to false when re-enabling SARIF uploads
+          fail-on-findings: true
+          find-copies-harder: true
+
+      # Currently, code scanning alerts annoyingly stay open even if you fix them.
+      # Don't upload SARIF until https://github.com/orgs/community/discussions/132787 is resolved.
+
+      # - name: Upload SARIF file
+      #   uses: github/codeql-action/upload-sarif@v3
+      #   with:
+      #     sarif_file: ${{ steps.checkton.outputs.sarif }}
+      #     # Avoid clashing with ShellCheck
+      #     category: checkton

.github/workflows/go-ci.yaml

@@ -12,7 +12,7 @@ jobs:
         with:
           go-version-file: './task-generator/go.mod'
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@db819a10bda59ee2a8f342af52c07e329576a0f5
+        uses: golangci/golangci-lint-action@9f3ba2c3a8aadb9f3c42d252c4c227a6b0d98539
         with:
           working-directory: task-generator
           args: "--timeout=10m --build-tags='normal periodic'"
@@ -62,7 +62,7 @@ jobs:
           # we let the report trigger content trigger a failure using the GitHub Security features.
           args: '-tags normal,periodic -no-fail -fmt sarif -out results.sarif ./...'
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@be825d5eefdb0c498fa30c4b57ec0690b4d0cecb
+        uses: github/codeql-action/upload-sarif@1b214db077827f5ba810f244daaecfd95c3bd111
         with:
           # Path to SARIF file relative to the root of the repository
           sarif_file: results.sarif

.tekton/pull-request.yaml

@@ -96,8 +96,9 @@ spec:
                   value: /secrets/deploy-key/private-key
                 - name: GITHUBAPP_APP_ID
                   value: "305606"
+                # https://github.com/apps/rh-tap-build-team in https://github.com/konflux-ci
                 - name: GITHUBAPP_INSTALLATION_ID
-                  value: "35269675"
+                  value: "51073377"
                 - name: GITHUB_API_URL
                   value: https://api.github.com
                 - name: REPO_OWNER

.tekton/tasks/ec-checks.yaml

@@ -23,7 +23,7 @@ spec:
       $(all_tasks_dir all_tasks-ec)
   - name: validate-all-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:eeecd7466f12aa7cd451c980f483470a3b3c26a874f9328b65f916e12d2a86ae
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:46c3fdd61817e35c193dfd0d19e16cc8ec429a1df18da2bc477a4cbd28494ddb
     script: |
       set -euo pipefail
 
@@ -37,7 +37,7 @@ spec:
       ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]}
   - name: validate-build-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:eeecd7466f12aa7cd451c980f483470a3b3c26a874f9328b65f916e12d2a86ae
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:46c3fdd61817e35c193dfd0d19e16cc8ec429a1df18da2bc477a4cbd28494ddb
     script: |
       set -euo pipefail
 

.tekton/tasks/yaml-lint.yaml

@@ -38,7 +38,7 @@ spec:
       script: |
         #!/bin/bash
         for task in $(find task -name '*.yaml'); do
-          if yq '.spec?.steps[] | .script' $task | grep -q 'params\.'; then
+          if yq '.spec?.steps[] | .script' $task | grep -q '\$(params\.'; then
             FAILED_TASKS="$FAILED_TASKS $task"
           fi
         done

hack/checkton-local.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+set -o errexit -o nounset -o pipefail
+
+get_checkton_image_based_on_action_version() {
+    sed -nE \
+        's;^\s*uses: (.*)/checkton.*(v[0-9]\S*);ghcr.io/\1/checkton:\2;p' \
+        .github/workflows/checkton.yaml
+}
+
+mapfile -t checkton_env_vars < <(
+    env CHECKTON_FIND_COPIES_HARDER="${CHECKTON_FIND_COPIES_HARDER:-true}" | grep '^CHECKTON_'
+)
+CHECKTON_IMAGE=${CHECKTON_IMAGE:-$(get_checkton_image_based_on_action_version)}
+
+{
+    echo "Checkton image: $CHECKTON_IMAGE"
+
+    echo "CHECKTON_* variables:"
+    printf "  %s\n" "${checkton_env_vars[@]}"
+} >&2
+
+
+if command -v getenforce >/dev/null && [[ "$(getenforce)" == Enforcing ]]; then
+    z=":z"
+else
+    z=""
+fi
+
+mapfile -t env_flags < <(printf -- "--env=%s\n" "${checkton_env_vars[@]}")
+
+podman run --rm --tty -v "$PWD:/code${z}" -w /code "${env_flags[@]}" "$CHECKTON_IMAGE"

pipelines/docker-build-oci-ta/README.md

@@ -162,8 +162,10 @@
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
 |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST|
+|IMAGE_REF| Image reference of the built image| |
 |IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
 |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
+|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
 |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
 ### clair-scan:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
@@ -218,6 +220,7 @@
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
 |BUILD_RESULT| Build result.| |
+|IMAGE_REF| Image reference of the built image| |
 |SOURCE_IMAGE_DIGEST| The source image digest.| |
 |SOURCE_IMAGE_URL| The source image url.| |
 

pipelines/docker-build-rhtap/README.md

@@ -5,15 +5,15 @@
 |build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-container:0.1:BUILD_ARGS|
 |build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-container:0.1:BUILD_ARGS_FILE|
 |build-source-image| Build a source image.| false| |
-|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.1:DOCKERFILE ; push-dockerfile:0.1:DOCKERFILE|
+|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.1:DOCKERFILE|
 |event-type| Event that triggered the pipeline run, e.g. push, pull_request| push| |
 |git-url| Source Repository URL| None| clone-repository:0.1:url ; acs-deploy-check:0.1:gitops-repo-url ; update-deployment:0.1:gitops-repo-url|
 |gitops-auth-secret-name| Secret name to enable this pipeline to update the gitops repo with the new image. | gitops-auth-secret| update-deployment:0.1:gitops-auth-secret-name|
 |hermetic| Execute the build with network isolation| false| |
 |image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER|
 |java| Java build| false| |
 |output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; acs-image-check:0.1:image ; acs-image-scan:0.1:image|
-|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT ; push-dockerfile:0.1:CONTEXT|
+|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT|
 |prefetch-input| Build dependencies to be prefetched by Cachi2| | |
 |rebuild| Force rebuild image| false| init:0.2:rebuild|
 |revision| Revision of the Source Repository| | clone-repository:0.1:revision|
@@ -41,11 +41,6 @@
 |image-digest| Digest of the image to scan | None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
 |insecure-skip-tls-verify| When set to `"true"`, skip verifying the TLS certs of the Central endpoint.  Defaults to `"false"`. | false| 'true'|
 |rox-secret-name| Secret containing the StackRox server endpoint and API token with CI permissions under rox-api-endpoint and rox-api-token keys. For example: rox-api-endpoint: rox.stackrox.io:443 ; rox-api-token: eyJhbGciOiJS... | None| '$(params.stackrox-secret)'|
-### apply-tags:0.1 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| |
-|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'|
 ### buildah-rhtap:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
@@ -84,15 +79,6 @@
 |image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'|
 |rebuild| Rebuild the image if exists| false| '$(params.rebuild)'|
 |skip-checks| Skip checks against built image| false| '$(params.skip-checks)'|
-### push-dockerfile:0.1 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| |
-|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'|
-|DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'|
-|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'|
-|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
-|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| |
 ### show-sbom-rhdh:0.1 task parameters
 |name|description|default value|already set by|
 |---|---|---|---|
@@ -129,8 +115,8 @@
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
 |BASE_IMAGES_DIGESTS| Digests of the base images used for build| |
-|IMAGE_DIGEST| Digest of the image just built| push-dockerfile:0.1:IMAGE_DIGEST ; acs-image-check:0.1:image-digest ; acs-image-scan:0.1:image-digest|
-|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; update-deployment:0.1:image|
+|IMAGE_DIGEST| Digest of the image just built| acs-image-check:0.1:image-digest ; acs-image-scan:0.1:image-digest|
+|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; update-deployment:0.1:image|
 |SBOM_BLOB_URL| Link to the SBOM layer pushed to the registry as part of an OCI artifact.| |
 ### git-clone:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
@@ -142,10 +128,6 @@
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
 |build| Defines if the image in param image-url should be built| |
-### push-dockerfile:0.1 task results
-|name|description|used in params (taskname:taskrefversion:taskparam)
-|---|---|---|
-|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| |
 ### show-sbom-rhdh:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
@@ -155,8 +137,7 @@
 |name|description|optional|used in tasks
 |---|---|---|---|
 |git-auth| |True| clone-repository:0.1:basic-auth|
-|netrc| |True| |
-|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; build-container:0.1:source ; push-dockerfile:0.1:workspace|
+|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; build-container:0.1:source|
 ## Available workspaces from tasks
 ### buildah-rhtap:0.1 task workspaces
 |name|description|optional|workspace from pipeline
@@ -168,10 +149,6 @@
 |basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth|
 |output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace|
 |ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| |
-### push-dockerfile:0.1 task workspaces
-|name|description|optional|workspace from pipeline
-|---|---|---|---|
-|workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace|
 ### summary:0.2 task workspaces
 |name|description|optional|workspace from pipeline
 |---|---|---|---|

pipelines/docker-build-rhtap/patch.yaml

@@ -90,7 +90,11 @@
   path: /spec/tasks/3/runAfter/0
   value: clone-repository
 - op: remove
-  path: /spec/tasks/10  # sbom-json-check
+  path: /spec/tasks/12 # push-dockerfile
+- op: remove
+  path: /spec/tasks/11 # apply-tags
+- op: remove
+  path: /spec/tasks/10 # sbom-json-check
 - op: remove
   path: /spec/tasks/9  # clamav-scan
 - op: remove
@@ -105,6 +109,8 @@
   path: /spec/tasks/4  # build-source-image
 - op: remove
   path: /spec/tasks/2  # prefetch-dependencies
+- op: remove
+  path: /spec/workspaces/2  # netrc (only used for prefetch-dependencies)
 - op: add
   path: /spec/tasks/-
   value:

pipelines/docker-build/README.md

@@ -161,8 +161,10 @@
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
 |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST|
+|IMAGE_REF| Image reference of the built image| |
 |IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
 |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
+|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| |
 |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
 ### clair-scan:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
@@ -211,6 +213,7 @@
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
 |BUILD_RESULT| Build result.| |
+|IMAGE_REF| Image reference of the built image| |
 |SOURCE_IMAGE_DIGEST| The source image digest.| |
 |SOURCE_IMAGE_URL| The source image url.| |
 

pipelines/enterprise-contract.yaml

@@ -80,7 +80,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:705b40276dfb9f9e9a54fb524dd3aba8588f82152bf56e4cb69d4b5822acfd53
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:53b1c38167d024da257454702122a3c95c3afbcb6b33d6ff5a2936bfbb203fdf
           - name: name
             value: verify-enterprise-contract
           - name: kind

pipelines/gitops-pull-request-rhtap/gitops-pull-request.yaml

@@ -88,6 +88,10 @@ spec:
           value: $(params.ec-tuf-mirror)
       runAfter:
         - get-images-to-verify
+      when:
+        - input: $(tasks.get-images-to-verify.results.IMAGES_TO_VERIFY)
+          operator: notin
+          values: [""]
       taskRef:
         name: verify-enterprise-contract
         version: "0.1"
@@ -110,6 +114,10 @@ spec:
     - name: download-sboms
       runAfter:
         - get-images-to-upload-sbom
+      when:
+        - input: $(tasks.get-images-to-upload-sbom.results.IMAGES_TO_VERIFY)
+          operator: notin
+          values: [""]
       params:
         - name: IMAGES
           value: $(tasks.get-images-to-upload-sbom.results.IMAGES_TO_VERIFY)
@@ -131,6 +139,10 @@ spec:
     - name: upload-sboms-to-trustification
       runAfter:
         - download-sboms
+      when:
+        - input: $(tasks.get-images-to-upload-sbom.results.IMAGES_TO_VERIFY)
+          operator: notin
+          values: [""]
       params:
         - name: SBOMS_DIR
           value: sboms

pipelines/java-builder/README.md

@@ -180,6 +180,7 @@
 |---|---|---|
 |BASE_IMAGES_DIGESTS| Digests of the base images used for build| |
 |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST|
+|IMAGE_REF| Image reference of the built image| |
 |IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
 |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| |
 |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| |
@@ -196,6 +197,7 @@
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
 |BUILD_RESULT| Build result.| |
+|IMAGE_REF| Image reference of the built image| |
 |SOURCE_IMAGE_DIGEST| The source image digest.| |
 |SOURCE_IMAGE_URL| The source image url.| |
 

pipelines/nodejs-builder/README.md

@@ -180,6 +180,7 @@
 |---|---|---|
 |BASE_IMAGES_DIGESTS| Digests of the base images used for build| |
 |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST|
+|IMAGE_REF| Image reference of the built image| |
 |IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
 ### sast-snyk-check:0.1 task results
 |name|description|used in params (taskname:taskrefversion:taskparam)
@@ -194,6 +195,7 @@
 |name|description|used in params (taskname:taskrefversion:taskparam)
 |---|---|---|
 |BUILD_RESULT| Build result.| |
+|IMAGE_REF| Image reference of the built image| |
 |SOURCE_IMAGE_DIGEST| The source image digest.| |
 |SOURCE_IMAGE_URL| The source image url.| |