Skip to content

Commit

Permalink
Script to manually update trusted tasks
Browse files Browse the repository at this point in the history
This script can be run if there is a CI failure and trusted tasks bundle
has not been updated with the newest revisions (digest bumps) or
versions (new versions of Tasks).

By default it will update both git and oci references, resolving the
Tasks from the local git repository and from the remote quay.io
repository (quay.io/redhat-appstudio-tekton-catalog by default).

Since there is no resolver that supports `kustomize`, the Task
definitions that rely on it will not be included.

Fixes: https://issues.redhat.com/browse/EC-545
  • Loading branch information
zregvart committed May 9, 2024
1 parent e9905b1 commit e69acca
Showing 1 changed file with 86 additions and 0 deletions.
86 changes: 86 additions & 0 deletions hack/trusted-tasks-update.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
#!/usr/bin/env bash
# Resolves all tasks from the `/task` directory of this repository and any Task
# bundles in the `$QUAY_NAMESPACE` quay.io namespace (defaults to
# `redhat-appstudio-tekton-catalog`) and runs `ec track bundle` with those git
# and image references in order to catalogue the latest versions in the trusted
# tasks list in `$INPUT_IMAGE` written to `$OUTPUT_IMAGE` (both default to
# `quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest`).
#
# By default both git and image refrences are collected, what is collected can
# be controlled by `$COLLECT` which can be set to `git` or `oci`
#
# Parameters via environment variables:
# COLLECT - can be set to `oci` or `git` (defaults to both), what to
# resolve
# INPUT_IMAGE - Conftest OCI bundle containing the trusted tasks list, defaults
# to:
# `quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest`
# OUTPUT_IMAGE - Conftest OCI bundle to write the trusted task list to, defaults
# to `$INPUT_IMAGE`
# QUAY_NAMESPACE - Quay namespace to query for Task bundles (defaults to
# `redhat-appstudio-tekton-catalog`)

set -o errexit
set -o nounset
set -o pipefail

COLLECT=${COLLECT:-git oci}
mapfile -td ' ' < <(echo "${COLLECT}")
INPUT_IMAGE=${INPUT_IMAGE:-quay.io/redhat-appstudio-tekton-catalog/data-acceptable-bundles:latest}
OUTPUT_IMAGE=${OUTPUT_IMAGE:-$INPUT_IMAGE}
GIT_REPOSITORY=git+https://github.com/redhat-appstudio/build-definitions.git
QUAY_NAMESPACE=${QUAY_NAMESPACE:-redhat-appstudio-tekton-catalog}

HACK_DIR="$(dirname "${BASH_SOURCE[0]}")"

git_params=()
if [[ " ${COLLECT[*]} " =~ " git " ]]; then
echo -n Resolving git Tasks
for task_dir in "${HACK_DIR}"/../task/*/*; do
[ ! -d "${task_dir}" ] && continue
[ -f "${task_dir}/kustomization.yaml" ] && continue
mapfile -td '/' dirparts < <(echo "${task_dir}")
task_file="${task_dir}/${dirparts[-2]}.yaml"
[ ! -f "${task_file}" ] && continue

task_git_url=${GIT_REPOSITORY}//${task_file/#*task/task}
git_params+=("--git=${task_git_url}")
echo -n .
done
echo
fi

oci_params=()
if [[ " ${COLLECT[*]} " =~ " oci " ]]; then
echo -n Resolving OCI Tasks bundles
for repository in $(
curl -sSL "https://quay.io/api/v1/repository?namespace=${QUAY_NAMESPACE}&public=true" -H 'Accept: application/json' |
jq -r '.repositories.[].name | select(startswith("task-")) | "quay.io/'"${QUAY_NAMESPACE}"'/\(.)"'
); do
mapfile -t refs < <(
skopeo list-tags docker://"${repository}" |
jq --arg repository "${repository}" -r '.Tags[] | select(test("^(\\d+)(\\.\\d)*$")) | "\($repository):\(.)"'
)
for ref in "${refs[@]}"; do
oci_params+=("--bundle=${ref}")
done
echo -n .
done
echo
fi

echo Collected git parameters:
printf "%s\n" "${git_params[@]}"

echo Collected OCI parameters:
printf "%s\n" "${oci_params[@]}"

echo Running:
PS4=''
set -x
ec track bundle \
--freshen \
--input "oci:${INPUT_IMAGE}" \
--output "oci:${OUTPUT_IMAGE}" \
"${git_params[@]}" \
"${oci_params[@]}"

0 comments on commit e69acca

Please sign in to comment.