From 0f839fabb83220129367e69842a1f939b03661bb Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Mon, 22 Jul 2024 17:47:00 +0200 Subject: [PATCH 01/17] Add Checkton workflow Checkton is a GitHub action that runs ShellCheck on scripts embedded in YAML files (https://github.com/chmeliik/checkton) Signed-off-by: Adam Cmiel --- .github/workflows/checkton.yaml | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 .github/workflows/checkton.yaml diff --git a/.github/workflows/checkton.yaml b/.github/workflows/checkton.yaml new file mode 100644 index 0000000000..34fc58a84b --- /dev/null +++ b/.github/workflows/checkton.yaml @@ -0,0 +1,33 @@ +name: Checkton +on: + pull_request: + branches: [main] + +jobs: + lint: + runs-on: ubuntu-latest + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + # Differential Checkton requires full git history + fetch-depth: 0 + + - name: Run Checkton + id: checkton + uses: chmeliik/checkton@v0.2.1 + with: + # Set to false when re-enabling SARIF uploads + fail-on-findings: true + find-copies-harder: true + + # Currently, code scanning alerts annoyingly stay open even if you fix them. + # Don't upload SARIF until https://github.com/orgs/community/discussions/132787 is resolved. + + # - name: Upload SARIF file + # uses: github/codeql-action/upload-sarif@v3 + # with: + # sarif_file: ${{ steps.checkton.outputs.sarif }} + # # Avoid clashing with ShellCheck + # category: checkton From 573b36a88ef80f661d4aa29d5d9bc1e7f178d96b Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Mon, 22 Jul 2024 18:06:23 +0200 Subject: [PATCH 02/17] Add script for running checkton locally If you don't want to push to a PR just to re-run the linter, you can use this script. Won't work on ARM Macs, sorry! Signed-off-by: Adam Cmiel --- hack/checkton-local.sh | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100755 hack/checkton-local.sh diff --git a/hack/checkton-local.sh b/hack/checkton-local.sh new file mode 100755 index 0000000000..e078d94056 --- /dev/null +++ b/hack/checkton-local.sh @@ -0,0 +1,31 @@ +#!/bin/bash +set -o errexit -o nounset -o pipefail + +get_checkton_image_based_on_action_version() { + sed -nE \ + 's;^\s*uses: (.*)/checkton.*(v[0-9]\S*);ghcr.io/\1/checkton:\2;p' \ + .github/workflows/checkton.yaml +} + +mapfile -t checkton_env_vars < <( + env CHECKTON_FIND_COPIES_HARDER="${CHECKTON_FIND_COPIES_HARDER:-true}" | grep '^CHECKTON_' +) +CHECKTON_IMAGE=${CHECKTON_IMAGE:-$(get_checkton_image_based_on_action_version)} + +{ + echo "Checkton image: $CHECKTON_IMAGE" + + echo "CHECKTON_* variables:" + printf " %s\n" "${checkton_env_vars[@]}" +} >&2 + + +if command -v getenforce >/dev/null && [[ "$(getenforce)" == Enforcing ]]; then + z=":z" +else + z="" +fi + +mapfile -t env_flags < <(printf -- "--env=%s\n" "${checkton_env_vars[@]}") + +podman run --rm --tty -v "$PWD:/code${z}" -w /code "${env_flags[@]}" "$CHECKTON_IMAGE" From 1191b15340d9a8262c5821dbbcefe05e30ae84e0 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Wed, 24 Jul 2024 12:52:51 +0200 Subject: [PATCH 03/17] CI: avoid false-positive $(params.*) detection Previously, the yaml-lint task (the custom script that checks for $(params.*) usage) would flag false positives such as echo "set params.SOME_PARAM to do X" Make the regex match actual param usage more closely Signed-off-by: Adam Cmiel --- .tekton/tasks/yaml-lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/tasks/yaml-lint.yaml b/.tekton/tasks/yaml-lint.yaml index 219da926b8..74c6b8c5ab 100644 --- a/.tekton/tasks/yaml-lint.yaml +++ b/.tekton/tasks/yaml-lint.yaml @@ -38,7 +38,7 @@ spec: script: | #!/bin/bash for task in $(find task -name '*.yaml'); do - if yq '.spec?.steps[] | .script' $task | grep -q 'params\.'; then + if yq '.spec?.steps[] | .script' $task | grep -q '\$(params\.'; then FAILED_TASKS="$FAILED_TASKS $task" fi done From 9fda0f7bcf7e1b4f0b11851314c6af07f89a3b8f Mon Sep 17 00:00:00 2001 From: Erik Skultety Date: Tue, 23 Jul 2024 16:44:46 +0200 Subject: [PATCH 04/17] Update to cachi2 0.9.1 This release changed how the container image is built and as a resulte the 'merge_syft_sbom.py' utility script is also installed to a different location, so this patch reflects that too. https://github.com/containerbuildsystem/cachi2/releases/tag/0.9.1 Signed-off-by: Erik Skultety --- task/buildah-oci-ta/0.1/buildah-oci-ta.yaml | 4 ++-- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 4 ++-- task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml | 4 ++-- task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml | 4 ++-- task/buildah-remote/0.1/buildah-remote.yaml | 4 ++-- task/buildah-remote/0.2/buildah-remote.yaml | 4 ++-- task/buildah/0.1/buildah.yaml | 4 ++-- task/buildah/0.2/buildah.yaml | 4 ++-- .../0.1/prefetch-dependencies-oci-ta.yaml | 2 +- task/prefetch-dependencies/0.1/prefetch-dependencies.yaml | 2 +- task/rpm-ostree/0.1/rpm-ostree.yaml | 4 ++-- 11 files changed, 20 insertions(+), 20 deletions(-) diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index 5a702b7dd8..5262a531e8 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml @@ -489,12 +489,12 @@ spec: securityContext: runAsUser: 0 - name: merge-cachi2-sbom - image: quay.io/redhat-appstudio/cachi2:0.8.0@sha256:5cf15d6f3fb151a3e12c8a17024062b7cc62b0c3e1b165e4a9fa5bf7a77bdc30 + image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad workingDir: /var/workdir script: | if [ -f "sbom-cachi2.json" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" - /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json >sbom-temp.json + merge_syft_sbom sbom-cachi2.json sbom-cyclonedx.json >sbom-temp.json mv sbom-temp.json sbom-cyclonedx.json else echo "Skipping step since no Cachi2 SBOM was produced" diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 0215871c7e..fca1d4aea7 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -483,12 +483,12 @@ spec: securityContext: runAsUser: 0 - name: merge-cachi2-sbom - image: quay.io/redhat-appstudio/cachi2:0.8.0@sha256:5cf15d6f3fb151a3e12c8a17024062b7cc62b0c3e1b165e4a9fa5bf7a77bdc30 + image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad workingDir: /var/workdir script: | if [ -f "sbom-cachi2.json" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" - /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json >sbom-temp.json + merge_syft_sbom sbom-cachi2.json sbom-cyclonedx.json >sbom-temp.json mv sbom-temp.json sbom-cyclonedx.json else echo "Skipping step since no Cachi2 SBOM was produced" diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index 22714fb306..9e6b048c9a 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -560,12 +560,12 @@ spec: runAsUser: 0 workingDir: /var/workdir - computeResources: {} - image: quay.io/redhat-appstudio/cachi2:0.8.0@sha256:5cf15d6f3fb151a3e12c8a17024062b7cc62b0c3e1b165e4a9fa5bf7a77bdc30 + image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad name: merge-cachi2-sbom script: | if [ -f "sbom-cachi2.json" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" - /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json >sbom-temp.json + merge_syft_sbom sbom-cachi2.json sbom-cyclonedx.json >sbom-temp.json mv sbom-temp.json sbom-cyclonedx.json else echo "Skipping step since no Cachi2 SBOM was produced" diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 01bd04dce9..ec1f9c77a4 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -554,12 +554,12 @@ spec: runAsUser: 0 workingDir: /var/workdir - computeResources: {} - image: quay.io/redhat-appstudio/cachi2:0.8.0@sha256:5cf15d6f3fb151a3e12c8a17024062b7cc62b0c3e1b165e4a9fa5bf7a77bdc30 + image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad name: merge-cachi2-sbom script: | if [ -f "sbom-cachi2.json" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" - /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json >sbom-temp.json + merge_syft_sbom sbom-cachi2.json sbom-cyclonedx.json >sbom-temp.json mv sbom-temp.json sbom-cyclonedx.json else echo "Skipping step since no Cachi2 SBOM was produced" diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index 674d8e1012..b81d15e982 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml @@ -553,12 +553,12 @@ spec: runAsUser: 0 workingDir: $(workspaces.source.path) - computeResources: {} - image: quay.io/redhat-appstudio/cachi2:0.8.0@sha256:5cf15d6f3fb151a3e12c8a17024062b7cc62b0c3e1b165e4a9fa5bf7a77bdc30 + image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad name: merge-cachi2-sbom script: | if [ -f "sbom-cachi2.json" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" - /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json + merge_syft_sbom sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json mv sbom-temp.json sbom-cyclonedx.json else echo "Skipping step since no Cachi2 SBOM was produced" diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 26b8293c41..ba4f09725e 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -536,12 +536,12 @@ spec: runAsUser: 0 workingDir: $(workspaces.source.path) - computeResources: {} - image: quay.io/redhat-appstudio/cachi2:0.8.0@sha256:5cf15d6f3fb151a3e12c8a17024062b7cc62b0c3e1b165e4a9fa5bf7a77bdc30 + image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad name: merge-cachi2-sbom script: | if [ -f "sbom-cachi2.json" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" - /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json + merge_syft_sbom sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json mv sbom-temp.json sbom-cyclonedx.json else echo "Skipping step since no Cachi2 SBOM was produced" diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index 02f63137d8..1f6ab2c058 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml @@ -449,11 +449,11 @@ spec: runAsUser: 0 - name: merge-cachi2-sbom - image: quay.io/redhat-appstudio/cachi2:0.8.0@sha256:5cf15d6f3fb151a3e12c8a17024062b7cc62b0c3e1b165e4a9fa5bf7a77bdc30 + image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad script: | if [ -f "sbom-cachi2.json" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" - /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json + merge_syft_sbom sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json mv sbom-temp.json sbom-cyclonedx.json else echo "Skipping step since no Cachi2 SBOM was produced" diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 60fb253d6c..e647b36489 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -433,11 +433,11 @@ spec: runAsUser: 0 - name: merge-cachi2-sbom - image: quay.io/redhat-appstudio/cachi2:0.8.0@sha256:5cf15d6f3fb151a3e12c8a17024062b7cc62b0c3e1b165e4a9fa5bf7a77bdc30 + image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad script: | if [ -f "sbom-cachi2.json" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" - /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json + merge_syft_sbom sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json mv sbom-temp.json sbom-cyclonedx.json else echo "Skipping step since no Cachi2 SBOM was produced" diff --git a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml index 0e688aad17..97f921cb3a 100644 --- a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml +++ b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml @@ -126,7 +126,7 @@ spec: yq 'del(.goproxy_url)' <<<"${CONFIG_FILE_CONTENT}" >/mnt/config/config.yaml fi - name: prefetch-dependencies - image: quay.io/redhat-appstudio/cachi2:0.8.0@sha256:5cf15d6f3fb151a3e12c8a17024062b7cc62b0c3e1b165e4a9fa5bf7a77bdc30 + image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad volumeMounts: - mountPath: /mnt/trusted-ca name: trusted-ca diff --git a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml index a78abc4136..d058fe8c96 100644 --- a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml +++ b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml @@ -56,7 +56,7 @@ spec: yq 'del(.goproxy_url)' <<< "${CONFIG_FILE_CONTENT}" > /mnt/config/config.yaml fi - - image: quay.io/redhat-appstudio/cachi2:0.8.0@sha256:5cf15d6f3fb151a3e12c8a17024062b7cc62b0c3e1b165e4a9fa5bf7a77bdc30 + - image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent name: prefetch-dependencies diff --git a/task/rpm-ostree/0.1/rpm-ostree.yaml b/task/rpm-ostree/0.1/rpm-ostree.yaml index 560665af25..b86f48a496 100644 --- a/task/rpm-ostree/0.1/rpm-ostree.yaml +++ b/task/rpm-ostree/0.1/rpm-ostree.yaml @@ -214,12 +214,12 @@ spec: - mountPath: /var/lib/containers name: varlibcontainers - name: merge-cachi2-sbom - image: quay.io/redhat-appstudio/cachi2:0.8.0@sha256:5cf15d6f3fb151a3e12c8a17024062b7cc62b0c3e1b165e4a9fa5bf7a77bdc30 + image: quay.io/redhat-appstudio/cachi2:0.9.1@sha256:df67f9e063b544a8c49a271359377fed560562615e0278f6d0b9a3485f3f8fad script: | cachi2_sbom=./cachi2/output/bom.json if [ -f "$cachi2_sbom" ]; then echo "Merging contents of $cachi2_sbom into sbom-cyclonedx.json" - /src/utils/merge_syft_sbom.py "$cachi2_sbom" sbom-cyclonedx.json > sbom-temp.json + merge_syft_sbom "$cachi2_sbom" sbom-cyclonedx.json > sbom-temp.json mv sbom-temp.json sbom-cyclonedx.json else echo "Skipping step since no Cachi2 SBOM was produced" From ba2b81e7c83a972f6c8493b61070d88920fe0845 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 24 Jul 2024 17:56:29 +0000 Subject: [PATCH 05/17] chore(deps): update github/codeql-action digest to 1b214db --- .github/workflows/go-ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go-ci.yaml b/.github/workflows/go-ci.yaml index facca49177..cf078ea341 100644 --- a/.github/workflows/go-ci.yaml +++ b/.github/workflows/go-ci.yaml @@ -62,7 +62,7 @@ jobs: # we let the report trigger content trigger a failure using the GitHub Security features. args: '-tags normal,periodic -no-fail -fmt sarif -out results.sarif ./...' - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@be825d5eefdb0c498fa30c4b57ec0690b4d0cecb + uses: github/codeql-action/upload-sarif@1b214db077827f5ba810f244daaecfd95c3bd111 with: # Path to SARIF file relative to the root of the repository sarif_file: results.sarif From b9075d38f6bcd7196b23d61eba751685d3fd798b Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 24 Jul 2024 18:12:42 +0000 Subject: [PATCH 06/17] chore(deps): update golangci/golangci-lint-action digest to 9f3ba2c --- .github/workflows/go-ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go-ci.yaml b/.github/workflows/go-ci.yaml index cf078ea341..fb4a1cb6c1 100644 --- a/.github/workflows/go-ci.yaml +++ b/.github/workflows/go-ci.yaml @@ -12,7 +12,7 @@ jobs: with: go-version-file: './task-generator/go.mod' - name: golangci-lint - uses: golangci/golangci-lint-action@db819a10bda59ee2a8f342af52c07e329576a0f5 + uses: golangci/golangci-lint-action@9f3ba2c3a8aadb9f3c42d252c4c227a6b0d98539 with: working-directory: task-generator args: "--timeout=10m --build-tags='normal periodic'" From 1d3490405a0bad0e88beef029f18ab17757d2b12 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 24 Jul 2024 19:27:05 +0000 Subject: [PATCH 07/17] chore(deps): update quay.io/redhat-appstudio/build-trusted-artifacts:latest docker digest --- task/build-vm-image/0.1/build-vm-image.yaml | 2 +- task/buildah-oci-ta/0.1/buildah-oci-ta.yaml | 2 +- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 2 +- task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml | 2 +- task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml | 2 +- task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml | 2 +- task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml | 2 +- .../0.1/prefetch-dependencies-oci-ta.yaml | 4 ++-- task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml | 2 +- task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml | 2 +- task/source-build-oci-ta/0.1/source-build-oci-ta.yaml | 2 +- 11 files changed, 12 insertions(+), 12 deletions(-) diff --git a/task/build-vm-image/0.1/build-vm-image.yaml b/task/build-vm-image/0.1/build-vm-image.yaml index a756ad2a64..bb52a5c924 100644 --- a/task/build-vm-image/0.1/build-vm-image.yaml +++ b/task/build-vm-image/0.1/build-vm-image.yaml @@ -65,7 +65,7 @@ spec: name: varlibcontainers steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:ad38a34d39906a5298583de2dfffe965ccd252da52cb4e6ed0f9d6405d10afe9 args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source diff --git a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml index 5262a531e8..f438ac5abf 100644 --- a/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.1/buildah-oci-ta.yaml @@ -216,7 +216,7 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:bf4bfae950fe31d08f44488bb788bea8800cd6d75f5e09fcc21cf98689c61185 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index fca1d4aea7..8224f5f89b 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -212,7 +212,7 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:bf4bfae950fe31d08f44488bb788bea8800cd6d75f5e09fcc21cf98689c61185 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source diff --git a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml index 9e6b048c9a..fe3f2e4405 100644 --- a/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.1/buildah-remote-oci-ta.yaml @@ -198,7 +198,7 @@ spec: - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 computeResources: {} - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:bf4bfae950fe31d08f44488bb788bea8800cd6d75f5e09fcc21cf98689c61185 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a name: use-trusted-artifact - args: - $(params.BUILD_ARGS[*]) diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index ec1f9c77a4..ea2c2195ca 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -194,7 +194,7 @@ spec: - $(params.SOURCE_ARTIFACT)=/var/workdir/source - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2 computeResources: {} - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:bf4bfae950fe31d08f44488bb788bea8800cd6d75f5e09fcc21cf98689c61185 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a name: use-trusted-artifact - args: - $(params.BUILD_ARGS[*]) diff --git a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml index 5326422218..70f7eddab4 100644 --- a/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml +++ b/task/git-clone-oci-ta/0.1/git-clone-oci-ta.yaml @@ -279,7 +279,7 @@ spec: check_symlinks fi - name: create-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:bf4bfae950fe31d08f44488bb788bea8800cd6d75f5e09fcc21cf98689c61185 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a args: - create - --store diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml index 4450b27fdd..f07ca37760 100644 --- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml +++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml @@ -61,7 +61,7 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:bf4bfae950fe31d08f44488bb788bea8800cd6d75f5e09fcc21cf98689c61185 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source diff --git a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml index 97f921cb3a..b849e81c4c 100644 --- a/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml +++ b/task/prefetch-dependencies-oci-ta/0.1/prefetch-dependencies-oci-ta.yaml @@ -112,7 +112,7 @@ spec: echo -n "" >$(results.CACHI2_ARTIFACT.path) fi - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:bf4bfae950fe31d08f44488bb788bea8800cd6d75f5e09fcc21cf98689c61185 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source @@ -208,7 +208,7 @@ spec: cachi2 --log-level="$LOG_LEVEL" inject-files /var/workdir/cachi2/output \ --for-output-dir=/cachi2/output - name: create-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:bf4bfae950fe31d08f44488bb788bea8800cd6d75f5e09fcc21cf98689c61185 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a args: - create - --store diff --git a/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml b/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml index 918f3c791b..91d3ded56a 100644 --- a/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml +++ b/task/push-dockerfile-oci-ta/0.1/push-dockerfile-oci-ta.yaml @@ -49,7 +49,7 @@ spec: emptyDir: {} steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:0651a06076d809c2daf63a2d54abfef1a1d9b00e39aa6238b47f43c4f152f9b1 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source diff --git a/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml b/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml index 5e45cfc96f..750fe3f55b 100644 --- a/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml +++ b/task/sast-snyk-check-oci-ta/0.1/sast-snyk-check-oci-ta.yaml @@ -53,7 +53,7 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:bf4bfae950fe31d08f44488bb788bea8800cd6d75f5e09fcc21cf98689c61185 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source diff --git a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml index 5ca7b44264..eb636069ca 100644 --- a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml +++ b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml @@ -55,7 +55,7 @@ spec: name: workdir steps: - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:bf4bfae950fe31d08f44488bb788bea8800cd6d75f5e09fcc21cf98689c61185 + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a args: - use - $(params.SOURCE_ARTIFACT)=/var/workdir/source From 1943ce97d5aa51eac46342c12d6475a2f6ca1ea0 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 22 Jul 2024 12:02:54 +0000 Subject: [PATCH 08/17] fix(deps): update module sigs.k8s.io/controller-runtime to v0.18.4 --- task-generator/go.mod | 6 +++--- task-generator/go.sum | 30 ++++++++---------------------- 2 files changed, 11 insertions(+), 25 deletions(-) diff --git a/task-generator/go.mod b/task-generator/go.mod index fb4e5de8cb..bcde9f2310 100644 --- a/task-generator/go.mod +++ b/task-generator/go.mod @@ -10,7 +10,7 @@ require ( k8s.io/apimachinery v0.30.3 k8s.io/cli-runtime v0.30.3 k8s.io/klog/v2 v2.120.1 - sigs.k8s.io/controller-runtime v0.16.3 + sigs.k8s.io/controller-runtime v0.18.4 ) require ( @@ -28,14 +28,14 @@ require ( github.com/go-kit/log v0.2.1 // indirect github.com/go-logfmt/logfmt v0.6.0 // indirect github.com/go-logr/logr v1.4.1 // indirect - github.com/go-logr/zapr v1.2.4 // indirect + github.com/go-logr/zapr v1.3.0 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect github.com/go-openapi/swag v0.22.4 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/protobuf v1.5.4 // indirect - github.com/google/cel-go v0.17.1 // indirect + github.com/google/cel-go v0.17.8 // indirect github.com/google/gnostic-models v0.6.8 // indirect github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect diff --git a/task-generator/go.sum b/task-generator/go.sum index aee057e22f..8373f140c6 100644 --- a/task-generator/go.sum +++ b/task-generator/go.sum @@ -48,7 +48,6 @@ github.com/alecthomas/units v0.0.0-20211218093645-b94a6e3cc137/go.mod h1:OMCwj8V github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kdvxnR2qWY= github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18= github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM= -github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= @@ -82,8 +81,8 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= -github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= -github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84= +github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg= github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= @@ -102,11 +101,10 @@ github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= github.com/go-logfmt/logfmt v0.6.0 h1:wGYYu3uicYdqXVgoYbvnkrPVXkuLM1p1ifugDMEdRi4= github.com/go-logfmt/logfmt v0.6.0/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs= -github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= -github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo= -github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= @@ -156,8 +154,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= -github.com/google/cel-go v0.17.1 h1:s2151PDGy/eqpCI80/8dl4VL3xTkqI/YubXLXCFw0mw= -github.com/google/cel-go v0.17.1/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= +github.com/google/cel-go v0.17.8 h1:j9m730pMZt1Fc4oKhCLUHfjj6527LuhYcYw0Rl8gqto= +github.com/google/cel-go v0.17.8/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY= github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I= github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M= @@ -321,7 +319,6 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= -github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= @@ -334,7 +331,6 @@ github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8= @@ -345,16 +341,12 @@ go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0= go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= -go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= -go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ= go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto= go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE= go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0= -go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q= -go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg= go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8= go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= @@ -396,7 +388,6 @@ golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA= golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= @@ -432,7 +423,6 @@ golang.org/x/net v0.0.0-20200822124328-c89045814202/go.mod h1:/O7V0waA8r7cgGh81R golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= @@ -458,7 +448,6 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M= @@ -497,9 +486,7 @@ golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -571,7 +558,6 @@ golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= golang.org/x/tools v0.20.0 h1:hz/CVckiOxybQvFw6h7b/q80NTr9IUQb4s1IIzW7KNY= golang.org/x/tools v0.20.0/go.mod h1:WvitBU7JJf6A4jOdg4S1tviW9bhUxkgeCui/0JHctQg= @@ -723,8 +709,8 @@ knative.dev/pkg v0.0.0-20240219120257-9227ebb57a4e/go.mod h1:nCYpiIXemsTvpmuVNfJ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= -sigs.k8s.io/controller-runtime v0.16.3 h1:2TuvuokmfXvDUamSx1SuAOO3eTyye+47mJCigwG62c4= -sigs.k8s.io/controller-runtime v0.16.3/go.mod h1:j7bialYoSn142nv9sCOJmQgDXQXxnroFU4VnX/brVJ0= +sigs.k8s.io/controller-runtime v0.18.4 h1:87+guW1zhvuPLh1PHybKdYFLU0YJp4FhJRmiHvm5BZw= +sigs.k8s.io/controller-runtime v0.18.4/go.mod h1:TVoGrfdpbA9VRFaRnKgk9P5/atA0pMwq+f+msb9M8Sg= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= From c0df9eb3b6bbabbb99cb007a31b38f55f08b197a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 24 Jul 2024 20:57:03 +0000 Subject: [PATCH 09/17] chore(deps): update actions/setup-go digest to 0a12ed9 --- .github/workflows/check-buildah-remote.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/check-buildah-remote.yaml b/.github/workflows/check-buildah-remote.yaml index afdc172a44..d2d2f41daa 100644 --- a/.github/workflows/check-buildah-remote.yaml +++ b/.github/workflows/check-buildah-remote.yaml @@ -9,7 +9,7 @@ jobs: steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 - name: Install Go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5 + uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5 with: go-version-file: './task-generator/go.mod' - name: Check buildah remote From 182ba1459dc2b53c823dcf56e720260275889f6c Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Wed, 24 Jul 2024 07:45:40 +0000 Subject: [PATCH 10/17] chore(deps): update ec --- .tekton/tasks/ec-checks.yaml | 4 ++-- pipelines/enterprise-contract.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml index 0ebdf0c89b..bc51eccc66 100644 --- a/.tekton/tasks/ec-checks.yaml +++ b/.tekton/tasks/ec-checks.yaml @@ -23,7 +23,7 @@ spec: $(all_tasks_dir all_tasks-ec) - name: validate-all-tasks workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:eeecd7466f12aa7cd451c980f483470a3b3c26a874f9328b65f916e12d2a86ae + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:46c3fdd61817e35c193dfd0d19e16cc8ec429a1df18da2bc477a4cbd28494ddb script: | set -euo pipefail @@ -37,7 +37,7 @@ spec: ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]} - name: validate-build-tasks workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:eeecd7466f12aa7cd451c980f483470a3b3c26a874f9328b65f916e12d2a86ae + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:46c3fdd61817e35c193dfd0d19e16cc8ec429a1df18da2bc477a4cbd28494ddb script: | set -euo pipefail diff --git a/pipelines/enterprise-contract.yaml b/pipelines/enterprise-contract.yaml index 8143ed300f..aa7af71506 100644 --- a/pipelines/enterprise-contract.yaml +++ b/pipelines/enterprise-contract.yaml @@ -80,7 +80,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:705b40276dfb9f9e9a54fb524dd3aba8588f82152bf56e4cb69d4b5822acfd53 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:53b1c38167d024da257454702122a3c95c3afbcb6b33d6ff5a2936bfbb203fdf - name: name value: verify-enterprise-contract - name: kind From 6302db9e1b3dbe3b77c88824d0e57b5547bba8b3 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Thu, 25 Jul 2024 10:13:48 +0200 Subject: [PATCH 11/17] pipelines: re-generate READMEs Signed-off-by: Adam Cmiel --- pipelines/docker-build-oci-ta/README.md | 2 ++ pipelines/docker-build/README.md | 2 ++ pipelines/java-builder/README.md | 2 ++ pipelines/nodejs-builder/README.md | 2 ++ pipelines/tekton-bundle-builder/README.md | 1 + 5 files changed, 9 insertions(+) diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index fc1a675a98..d7755d3206 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md @@ -162,6 +162,7 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_REF| Image reference of the built image| | |IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | @@ -218,6 +219,7 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |BUILD_RESULT| Build result.| | +|IMAGE_REF| Image reference of the built image| | |SOURCE_IMAGE_DIGEST| The source image digest.| | |SOURCE_IMAGE_URL| The source image url.| | diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index 8485ebf8ee..615f7af08e 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md @@ -161,6 +161,7 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_REF| Image reference of the built image| | |IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | @@ -211,6 +212,7 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |BUILD_RESULT| Build result.| | +|IMAGE_REF| Image reference of the built image| | |SOURCE_IMAGE_DIGEST| The source image digest.| | |SOURCE_IMAGE_URL| The source image url.| | diff --git a/pipelines/java-builder/README.md b/pipelines/java-builder/README.md index 180cb68224..dd98c77eec 100644 --- a/pipelines/java-builder/README.md +++ b/pipelines/java-builder/README.md @@ -180,6 +180,7 @@ |---|---|---| |BASE_IMAGES_DIGESTS| Digests of the base images used for build| | |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_REF| Image reference of the built image| | |IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | @@ -196,6 +197,7 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |BUILD_RESULT| Build result.| | +|IMAGE_REF| Image reference of the built image| | |SOURCE_IMAGE_DIGEST| The source image digest.| | |SOURCE_IMAGE_URL| The source image url.| | diff --git a/pipelines/nodejs-builder/README.md b/pipelines/nodejs-builder/README.md index 212097cc60..8c61c28eee 100644 --- a/pipelines/nodejs-builder/README.md +++ b/pipelines/nodejs-builder/README.md @@ -180,6 +180,7 @@ |---|---|---| |BASE_IMAGES_DIGESTS| Digests of the base images used for build| | |IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; clamav-scan:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_REF| Image reference of the built image| | |IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| ### sast-snyk-check:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -194,6 +195,7 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |BUILD_RESULT| Build result.| | +|IMAGE_REF| Image reference of the built image| | |SOURCE_IMAGE_DIGEST| The source image digest.| | |SOURCE_IMAGE_URL| The source image url.| | diff --git a/pipelines/tekton-bundle-builder/README.md b/pipelines/tekton-bundle-builder/README.md index e3ae7475f2..0f7d36f8b0 100644 --- a/pipelines/tekton-bundle-builder/README.md +++ b/pipelines/tekton-bundle-builder/README.md @@ -148,6 +148,7 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |IMAGE_DIGEST| Digest of the image just built| clair-scan:0.1:image-digest ; sast-snyk-check:0.1:image-digest ; sbom-json-check:0.1:IMAGE_DIGEST ; push-dockerfile:0.1:IMAGE_DIGEST| +|IMAGE_REF| Image reference of the built image| | |IMAGE_URL| Image repository where the built image was pushed with tag only| clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| ## Workspaces From f8ad065abb9ce1694eb06eb9306bfe375db0cec7 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Mon, 22 Jul 2024 16:18:30 +0200 Subject: [PATCH 12/17] CI: check if pipeline READMEs are up to date STONEBLD-2401 Signed-off-by: Adam Cmiel --- .github/workflows/check-readmes.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 .github/workflows/check-readmes.yaml diff --git a/.github/workflows/check-readmes.yaml b/.github/workflows/check-readmes.yaml new file mode 100644 index 0000000000..6a9edf75ed --- /dev/null +++ b/.github/workflows/check-readmes.yaml @@ -0,0 +1,24 @@ +name: Validate PR - check READMEs +'on': + pull_request: + branches: [main] +jobs: + check: + name: Check READMEs + runs-on: ubuntu-latest + steps: + - name: Check out code + uses: actions/checkout@v4 + + - name: Check pipeline READMEs + run: | + #!/bin/bash + set -e + + ./hack/generate-pipelines-readme.py + if [[ -n $(git status -s) ]] + then + echo "pipeline READMEs are not up to date, run ./hack/generate-pipelines-readme.py and commit the resulting changes" + git status -s + exit 1 + fi From ceb8c863012d52266f9f9de798469d12fa21c11e Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Thu, 23 May 2024 12:48:18 +0200 Subject: [PATCH 13/17] Fix GH app installation ID for commenting on PRs STONEBLD-2339 The build-definitions repo has moved to the konflux-ci org. The https://github.com/apps/rh-tap-build-team app had to be reinstalled in the new org, thus changing the installation ID. Update the installation ID for the create-comment task, which may try to comment on build-definitions pull requests. NOTE: do not update the default installation ID in the update-infra-deployments task - infra-deployments is staying in the redhat-appstudio org. Signed-off-by: Adam Cmiel --- .tekton/pull-request.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.tekton/pull-request.yaml b/.tekton/pull-request.yaml index 1feb1d8b5f..55279e1dd4 100644 --- a/.tekton/pull-request.yaml +++ b/.tekton/pull-request.yaml @@ -96,8 +96,9 @@ spec: value: /secrets/deploy-key/private-key - name: GITHUBAPP_APP_ID value: "305606" + # https://github.com/apps/rh-tap-build-team in https://github.com/konflux-ci - name: GITHUBAPP_INSTALLATION_ID - value: "35269675" + value: "51073377" - name: GITHUB_API_URL value: https://api.github.com - name: REPO_OWNER From 5004c6a7402b8242688e052cfba58da832f83678 Mon Sep 17 00:00:00 2001 From: arewm Date: Wed, 24 Jul 2024 15:08:27 -0400 Subject: [PATCH 14/17] Create the SBOM_BLOB_URL for v0.2 buildah tasks Now that the BASE_IMAGE_DIGESTS result has been removed, there should now be enough room for us to re-add the SBOM_BLOB_URL. This will enable EC verification of the SBOM based on the digest which is recorded in the provenenance. It will prevent supply-chain attacks which are driven by modifying the floating tag of the uploaded SBOM. Even with the referrer's API, the digest can be used to identify which SBOM should be the one built from Konflux. This was added in #645 and then removed in #654 due to the limitation of Tekton results' size. Signed-off-by: arewm --- pipelines/docker-build-oci-ta/README.md | 1 + pipelines/docker-build/README.md | 1 + task/buildah-oci-ta/0.2/README.md | 1 + task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 12 +++++ task/buildah-remote-oci-ta/0.2/README.md | 47 +++++++++++++++++++ .../0.2/buildah-remote-oci-ta.yaml | 12 +++++ task/buildah-remote/0.2/README.md | 1 + task/buildah-remote/0.2/buildah-remote.yaml | 12 +++++ task/buildah/0.2/README.md | 1 + task/buildah/0.2/buildah.yaml | 10 ++++ 10 files changed, 98 insertions(+) create mode 100644 task/buildah-remote-oci-ta/0.2/README.md diff --git a/pipelines/docker-build-oci-ta/README.md b/pipelines/docker-build-oci-ta/README.md index d7755d3206..0f0bd61160 100644 --- a/pipelines/docker-build-oci-ta/README.md +++ b/pipelines/docker-build-oci-ta/README.md @@ -165,6 +165,7 @@ |IMAGE_REF| Image reference of the built image| | |IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | +|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | ### clair-scan:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) diff --git a/pipelines/docker-build/README.md b/pipelines/docker-build/README.md index 615f7af08e..f80c902460 100644 --- a/pipelines/docker-build/README.md +++ b/pipelines/docker-build/README.md @@ -164,6 +164,7 @@ |IMAGE_REF| Image reference of the built image| | |IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.1:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.1:image-url ; clamav-scan:0.1:image-url ; sbom-json-check:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| |JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | +|SBOM_BLOB_URL| Reference of SBOM blob digest to enable digest-based verification from provenance| | |SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | ### clair-scan:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) diff --git a/task/buildah-oci-ta/0.2/README.md b/task/buildah-oci-ta/0.2/README.md index bfa06e6cee..5f3a1fe947 100644 --- a/task/buildah-oci-ta/0.2/README.md +++ b/task/buildah-oci-ta/0.2/README.md @@ -41,5 +41,6 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |IMAGE_REF|Image reference of the built image| |IMAGE_URL|Image repository where the built image was pushed| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| +|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 8224f5f89b..96d8c3ed91 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -136,6 +136,10 @@ spec: - name: JAVA_COMMUNITY_DEPENDENCIES description: The Java dependencies that came from community sources such as Maven central. + - name: SBOM_BLOB_URL + description: Reference of SBOM blob digest to enable digest-based verification + from provenance + type: string - name: SBOM_JAVA_COMPONENTS_COUNT description: The counting of Java components by publisher in JSON format type: string @@ -529,6 +533,8 @@ spec: - mountPath: /var/lib/containers name: varlibcontainers script: | + #!/bin/bash + set -e base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) @@ -565,6 +571,12 @@ spec: echo -n "${IMAGE}@" cat "/var/workdir/image-digest" } >"$(results.IMAGE_REF.path)" + + # Remove tag from IMAGE while allowing registry to contain a port number. + sbom_repo="${IMAGE%:*}" + sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + # The SBOM_BLOB_URL is created by `cosign attach sbom`. + echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" securityContext: capabilities: add: diff --git a/task/buildah-remote-oci-ta/0.2/README.md b/task/buildah-remote-oci-ta/0.2/README.md new file mode 100644 index 0000000000..31a521038a --- /dev/null +++ b/task/buildah-remote-oci-ta/0.2/README.md @@ -0,0 +1,47 @@ +# buildah-remote-oci-ta task + +Buildah task builds source code into a container image and pushes the image into container registry using buildah tool. +In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool. +When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. +When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false| +|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| +|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false| +|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| +|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| +|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| +|CONTEXT|Path to the directory to use as context.|.|false| +|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| +|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false| +|HERMETIC|Determines if build will be executed without network access.|false|false| +|IMAGE|Reference of the image buildah will produce.||true| +|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false| +|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| +|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| +|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false| +|TARGET_STAGE|Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false| +|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| +|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false| +|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false| +|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| +|PLATFORM|The platform to build on||true| + +## Results +|name|description| +|---|---| +|IMAGE_DIGEST|Digest of the image just built| +|IMAGE_REF|Image reference of the built image| +|IMAGE_URL|Image repository where the built image was pushed| +|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| +|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance| +|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| + diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index ea2c2195ca..0388b5245c 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -137,6 +137,10 @@ spec: - description: The Java dependencies that came from community sources such as Maven central. name: JAVA_COMMUNITY_DEPENDENCIES + - description: Reference of SBOM blob digest to enable digest-based verification + from provenance + name: SBOM_BLOB_URL + type: string - description: The counting of Java components by publisher in JSON format name: SBOM_JAVA_COMPONENTS_COUNT type: string @@ -600,6 +604,8 @@ spec: image: quay.io/konflux-ci/buildah:latest@sha256:9ef792d74bcc1d330de6be58b61f2cdbfa1c23b74a291eb2136ffd452d373050 name: inject-sbom-and-push script: | + #!/bin/bash + set -e base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) @@ -636,6 +642,12 @@ spec: echo -n "${IMAGE}@" cat "/var/workdir/image-digest" } >"$(results.IMAGE_REF.path)" + + # Remove tag from IMAGE while allowing registry to contain a port number. + sbom_repo="${IMAGE%:*}" + sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + # The SBOM_BLOB_URL is created by `cosign attach sbom`. + echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" securityContext: capabilities: add: diff --git a/task/buildah-remote/0.2/README.md b/task/buildah-remote/0.2/README.md index 71b2baa59b..f9ffb1e873 100644 --- a/task/buildah-remote/0.2/README.md +++ b/task/buildah-remote/0.2/README.md @@ -39,6 +39,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| |IMAGE_REF|Image reference of the built image| +|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index ba4f09725e..81038369fa 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -125,6 +125,10 @@ spec: name: IMAGE_URL - description: Image reference of the built image name: IMAGE_REF + - description: Reference of SBOM blob digest to enable digest-based verification + from provenance + name: SBOM_BLOB_URL + type: string - description: The counting of Java components by publisher in JSON format name: SBOM_JAVA_COMPONENTS_COUNT type: string @@ -582,6 +586,8 @@ spec: image: quay.io/konflux-ci/buildah:latest@sha256:9ef792d74bcc1d330de6be58b61f2cdbfa1c23b74a291eb2136ffd452d373050 name: inject-sbom-and-push script: | + #!/bin/bash + set -e base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) @@ -618,6 +624,12 @@ spec: echo -n "${IMAGE}@" cat "$(workspaces.source.path)/image-digest" } > "$(results.IMAGE_REF.path)" + + # Remove tag from IMAGE while allowing registry to contain a port number. + sbom_repo="${IMAGE%:*}" + sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + # The SBOM_BLOB_URL is created by `cosign attach sbom`. + echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" securityContext: capabilities: add: diff --git a/task/buildah/0.2/README.md b/task/buildah/0.2/README.md index 5dabbe3e4f..510a1a7664 100644 --- a/task/buildah/0.2/README.md +++ b/task/buildah/0.2/README.md @@ -38,6 +38,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| |IMAGE_REF|Image reference of the built image| +|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index e647b36489..c731057375 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -111,6 +111,9 @@ spec: name: IMAGE_URL - description: Image reference of the built image name: IMAGE_REF + - name: SBOM_BLOB_URL + description: Reference of SBOM blob digest to enable digest-based verification from provenance + type: string - name: SBOM_JAVA_COMPONENTS_COUNT description: The counting of Java components by publisher in JSON format type: string @@ -479,6 +482,8 @@ spec: image: quay.io/konflux-ci/buildah:latest@sha256:9ef792d74bcc1d330de6be58b61f2cdbfa1c23b74a291eb2136ffd452d373050 computeResources: {} script: | + #!/bin/bash + set -e base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) container=$(buildah from --pull-never $IMAGE) @@ -516,6 +521,11 @@ spec: cat "$(workspaces.source.path)/image-digest" } > "$(results.IMAGE_REF.path)" + # Remove tag from IMAGE while allowing registry to contain a port number. + sbom_repo="${IMAGE%:*}" + sbom_digest="$(sha256sum sbom-cyclonedx.json | cut -d' ' -f1)" + # The SBOM_BLOB_URL is created by `cosign attach sbom`. + echo -n "${sbom_repo}@sha256:${sbom_digest}" | tee "$(results.SBOM_BLOB_URL.path)" securityContext: runAsUser: 0 capabilities: From f1af7703e51d771445c99f9ddb4ad8c3e0bb4e90 Mon Sep 17 00:00:00 2001 From: arewm Date: Thu, 25 Jul 2024 15:43:17 -0400 Subject: [PATCH 15/17] Ensure that /shared/base_images_digests exists When there are no base images (i.e. it is FROM scratch), we need to make sure that the base_images_digests file exists. Signed-off-by: arewm --- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 1 + task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml | 1 + task/buildah-remote/0.2/buildah-remote.yaml | 1 + task/buildah/0.2/buildah.yaml | 1 + 4 files changed, 4 insertions(+) diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 96d8c3ed91..92f9c295e7 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -404,6 +404,7 @@ spec: cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json fi + touch /shared/base_images_digests for image in $BASE_IMAGES; do if [ "${image}" != "scratch" ]; then buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >>/shared/base_images_digests diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 0388b5245c..6db39a03ca 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml @@ -416,6 +416,7 @@ spec: cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json fi + touch /shared/base_images_digests for image in $BASE_IMAGES; do if [ "${image}" != "scratch" ]; then buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >>/shared/base_images_digests diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 81038369fa..f23ebb69c9 100644 --- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -398,6 +398,7 @@ spec: cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json fi + touch /shared/base_images_digests for image in $BASE_IMAGES; do if [ "${image}" != "scratch" ]; then buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >> /shared/base_images_digests diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index c731057375..425ec93ae7 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -340,6 +340,7 @@ spec: cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json fi + touch /shared/base_images_digests for image in $BASE_IMAGES; do if [ "${image}" != "scratch" ]; then buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' --filter reference="$image" >> /shared/base_images_digests From c22a0bb0d4bcbaebb27fd4ceb317ae71b3ddae85 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Thu, 25 Jul 2024 14:02:07 +0200 Subject: [PATCH 16/17] docker-build-rhtap: drop unnecessary things As usual, the docker-build-rhtap pipeline has inherited unnecessary things from template-build.yaml because the approach of using kustomization to strip out tasks is fragile. * Remove unnecessary tasks: apply-tags, push-dockerfile * Remove unused workspace: netrc Signed-off-by: Adam Cmiel --- pipelines/docker-build-rhtap/README.md | 33 ++++--------------------- pipelines/docker-build-rhtap/patch.yaml | 8 +++++- 2 files changed, 12 insertions(+), 29 deletions(-) diff --git a/pipelines/docker-build-rhtap/README.md b/pipelines/docker-build-rhtap/README.md index e14d37536b..2ae9ac516a 100644 --- a/pipelines/docker-build-rhtap/README.md +++ b/pipelines/docker-build-rhtap/README.md @@ -5,7 +5,7 @@ |build-args| Array of --build-arg values ("arg=value" strings) for buildah| []| build-container:0.1:BUILD_ARGS| |build-args-file| Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file| | build-container:0.1:BUILD_ARGS_FILE| |build-source-image| Build a source image.| false| | -|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.1:DOCKERFILE ; push-dockerfile:0.1:DOCKERFILE| +|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| build-container:0.1:DOCKERFILE| |event-type| Event that triggered the pipeline run, e.g. push, pull_request| push| | |git-url| Source Repository URL| None| clone-repository:0.1:url ; acs-deploy-check:0.1:gitops-repo-url ; update-deployment:0.1:gitops-repo-url| |gitops-auth-secret-name| Secret name to enable this pipeline to update the gitops repo with the new image. | gitops-auth-secret| update-deployment:0.1:gitops-auth-secret-name| @@ -13,7 +13,7 @@ |image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER| |java| Java build| false| | |output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; acs-image-check:0.1:image ; acs-image-scan:0.1:image| -|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT ; push-dockerfile:0.1:CONTEXT| +|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:CONTEXT| |prefetch-input| Build dependencies to be prefetched by Cachi2| | | |rebuild| Force rebuild image| false| init:0.2:rebuild| |revision| Revision of the Source Repository| | clone-repository:0.1:revision| @@ -41,11 +41,6 @@ |image-digest| Digest of the image to scan | None| '$(tasks.build-container.results.IMAGE_DIGEST)'| |insecure-skip-tls-verify| When set to `"true"`, skip verifying the TLS certs of the Central endpoint. Defaults to `"false"`. | false| 'true'| |rox-secret-name| Secret containing the StackRox server endpoint and API token with CI permissions under rox-api-endpoint and rox-api-token keys. For example: rox-api-endpoint: rox.stackrox.io:443 ; rox-api-token: eyJhbGciOiJS... | None| '$(params.stackrox-secret)'| -### apply-tags:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | -|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-container.results.IMAGE_URL)'| ### buildah-rhtap:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -84,15 +79,6 @@ |image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| |rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| |skip-checks| Skip checks against built image| false| '$(params.skip-checks)'| -### push-dockerfile:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | -|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| -|DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| -|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-container.results.IMAGE_URL)'| -|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | ### show-sbom-rhdh:0.1 task parameters |name|description|default value|already set by| |---|---|---|---| @@ -129,8 +115,8 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |BASE_IMAGES_DIGESTS| Digests of the base images used for build| | -|IMAGE_DIGEST| Digest of the image just built| push-dockerfile:0.1:IMAGE_DIGEST ; acs-image-check:0.1:image-digest ; acs-image-scan:0.1:image-digest| -|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE ; update-deployment:0.1:image| +|IMAGE_DIGEST| Digest of the image just built| acs-image-check:0.1:image-digest ; acs-image-scan:0.1:image-digest| +|IMAGE_URL| Image repository where the built image was pushed| show-sbom:0.1:IMAGE_URL ; update-deployment:0.1:image| |SBOM_BLOB_URL| Link to the SBOM layer pushed to the registry as part of an OCI artifact.| | ### git-clone:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) @@ -142,10 +128,6 @@ |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| |build| Defines if the image in param image-url should be built| | -### push-dockerfile:0.1 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | ### show-sbom-rhdh:0.1 task results |name|description|used in params (taskname:taskrefversion:taskparam) |---|---|---| @@ -155,8 +137,7 @@ |name|description|optional|used in tasks |---|---|---|---| |git-auth| |True| clone-repository:0.1:basic-auth| -|netrc| |True| | -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; build-container:0.1:source ; push-dockerfile:0.1:workspace| +|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; build-container:0.1:source| ## Available workspaces from tasks ### buildah-rhtap:0.1 task workspaces |name|description|optional|workspace from pipeline @@ -168,10 +149,6 @@ |basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth| |output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace| |ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| | -### push-dockerfile:0.1 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace| ### summary:0.2 task workspaces |name|description|optional|workspace from pipeline |---|---|---|---| diff --git a/pipelines/docker-build-rhtap/patch.yaml b/pipelines/docker-build-rhtap/patch.yaml index 7a4f13b1fd..55d2981f38 100644 --- a/pipelines/docker-build-rhtap/patch.yaml +++ b/pipelines/docker-build-rhtap/patch.yaml @@ -90,7 +90,11 @@ path: /spec/tasks/3/runAfter/0 value: clone-repository - op: remove - path: /spec/tasks/10 # sbom-json-check + path: /spec/tasks/12 # push-dockerfile +- op: remove + path: /spec/tasks/11 # apply-tags +- op: remove + path: /spec/tasks/10 # sbom-json-check - op: remove path: /spec/tasks/9 # clamav-scan - op: remove @@ -105,6 +109,8 @@ path: /spec/tasks/4 # build-source-image - op: remove path: /spec/tasks/2 # prefetch-dependencies +- op: remove + path: /spec/workspaces/2 # netrc (only used for prefetch-dependencies) - op: add path: /spec/tasks/- value: From d455bce6ffa3e029786f5f631115e76789c156df Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Fri, 26 Jul 2024 11:00:22 +0200 Subject: [PATCH 17/17] gitops-pull-request: add missing when conditions When the 'gather-deploy-images' task doesn't find any images that changed between the current ref and the base branch, it returns an empty string. Skip the verify-ec and download-sbom -> upload-sbom tasks when this happens. Otherwise, those tasks would run unnecessarily and/or fail. Signed-off-by: Adam Cmiel --- .../gitops-pull-request.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/pipelines/gitops-pull-request-rhtap/gitops-pull-request.yaml b/pipelines/gitops-pull-request-rhtap/gitops-pull-request.yaml index 0eed8bb390..8f35e27b57 100644 --- a/pipelines/gitops-pull-request-rhtap/gitops-pull-request.yaml +++ b/pipelines/gitops-pull-request-rhtap/gitops-pull-request.yaml @@ -88,6 +88,10 @@ spec: value: $(params.ec-tuf-mirror) runAfter: - get-images-to-verify + when: + - input: $(tasks.get-images-to-verify.results.IMAGES_TO_VERIFY) + operator: notin + values: [""] taskRef: name: verify-enterprise-contract version: "0.1" @@ -110,6 +114,10 @@ spec: - name: download-sboms runAfter: - get-images-to-upload-sbom + when: + - input: $(tasks.get-images-to-upload-sbom.results.IMAGES_TO_VERIFY) + operator: notin + values: [""] params: - name: IMAGES value: $(tasks.get-images-to-upload-sbom.results.IMAGES_TO_VERIFY) @@ -131,6 +139,10 @@ spec: - name: upload-sboms-to-trustification runAfter: - download-sboms + when: + - input: $(tasks.get-images-to-upload-sbom.results.IMAGES_TO_VERIFY) + operator: notin + values: [""] params: - name: SBOMS_DIR value: sboms