feat: add build-maven-zip task

OWNERS_ALIASES

@@ -28,3 +28,6 @@ aliases:
     - joejstuart
     - robnester-rh
     - cuipinghuo
+  spmm-team:
+    - ligangty
+    - yma96

task/build-maven-zip-oci-ta/0.1/README.md

@@ -0,0 +1,24 @@
+# Build-maven-zip-oci-ta task
+
+Build-maven-zip task builds prefetched maven artifacts into a OCI-artifact with zip bundle  and pushes the OCI-artifact into container registry.
+In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.
+Note that this task needs the output of prefetch-dependencies-oci-ta task. If it is not activated, there will not be any output from this task.
+
+## Parameters
+
+| name                 | description                                                            | default value    | required |
+| -------------------- | ---------------------------------------------------------------------- | ---------------- | -------- |
+| IMAGE                | Reference of the OCI-Artifact this build task will produce.            |                  | true     |
+| PREFETCH_INPUT       | The prefetched content which is used in the build.                     | generic          | false    |
+| PREFETCH_ROOT        | The root directory of the artifacts in the prefetched directory.       | maven-repository | false    |
+| BUNDLE_NAME          | The zip bundle name of archived artifacts.                             | maven-repository | false    |
+| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from.                 | trusted-ca       | false    |
+| caTrustConfigMapKey  | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt    | false    |
+
+## Results
+
+| name          | description                                                                       |
+| ------------- | --------------------------------------------------------------------------------- |
+| IMAGE_DIGEST  | Digest of the OCI-Artifact just built                                             |
+| IMAGE_URL     | Image repository and tag where the built OCI-Artifact was pushed                  |
+| SBOM_BLOB_URL | Reference of SBOM blob digest to enable digest-based verification from provenance |

task/build-maven-zip-oci-ta/0.1/build-maven-zip-oci-ta.yaml

@@ -0,0 +1,220 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  labels:
+    app.kubernetes.io/version: "0.1"
+    build.appstudio.redhat.com/build_type: "maven-zip"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.12.1"
+    tekton.dev/tags: "maven-build, konflux"
+  name: build-maven-zip-oci-ta
+spec:
+  description: |-
+    This takes existing Image Manifests and combines them in an Image Index.
+  params:
+  - description: Reference of the OCI-Artifact this build task will produce.
+    name: IMAGE
+    type: string
+  - default: "generic"
+    description: The prefetched content which is used in the build.
+    name: PREFETCH_INPUT
+    type: string
+  - default: "maven-repository"
+    description: The root of the prefetched artifacts
+    name: PREFETCH_ROOT
+    type: string
+  - default: "maven-repository"
+    description: The zip bundle name of archived artifacts
+    name: BUNDLE_NAME
+    type: string
+  - default: ""
+    description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.
+    name: IMAGE_EXPIRES_AFTER
+    type: string
+  - name: CACHI2_ARTIFACT
+    description: The Trusted Artifact URI pointing to the artifact with
+      the prefetched dependencies.
+    type: string
+    default: ""
+  - name: caTrustConfigMapName
+    type: string
+    description: The name of the ConfigMap to read CA bundle data from.
+    default: trusted-ca
+  - name: caTrustConfigMapKey
+    type: string
+    description: The name of the key in the ConfigMap that contains the CA bundle data.
+    default: ca-bundle.crt
+
+  results:
+  - description: Digest of the image just built
+    name: IMAGE_DIGEST
+  - description: Image repository and tag where the built image was pushed
+    name: IMAGE_URL
+  - name: SBOM_BLOB_URL
+    description: Reference of SBOM blob digest to enable digest-based verification from provenance
+    type: string
+  stepTemplate:
+    volumeMounts:
+      - mountPath: /shared
+        name: shared
+      - mountPath: /var/workdir
+        name: workdir
+    env:
+    - name: IMAGE
+      value: $(params.IMAGE)
+    - name: INPUT
+      value: $(params.PREFETCH_INPUT)
+    - name: PKG_ROOT
+      value: $(params.PREFETCH_ROOT)
+    - name: BUNDLE_NAME
+      value: $(params.BUNDLE_NAME)
+    - name: IMAGE_EXPIRES_AFTER
+      value: $(params.IMAGE_EXPIRES_AFTER)
+
+  steps:
+  - name: use-trusted-artifact
+    image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac
+    args:
+      - use
+      - $(params.CACHI2_ARTIFACT)=/var/workdir/cachi2
+  - image: quay.io/konflux-ci/appstudio-utils@sha256:d0fecb67dd98d874704f2e3d20686363de7cbb42c15ad2b1d8e8c38118c50078
+    name: prepare
+    computeResources:
+      limits:
+        memory: 8Gi
+        cpu: '4'
+      requests:
+        memory: 2Gi
+        cpu: '1'
+    script: |
+      #!/bin/bash
+      set -o pipefail
+      # Generate checksums for all maven artifact files. It will ignore the checksum files
+      # and signature files if they existed there
+      pkgpath="/var/workdir/cachi2/output/deps/$INPUT"
+      if [ -d "$pkgpath/${PKG_ROOT}" ]; then
+        echo "Generating checksums for artifacts"
+        while IFS= read -r -d '' f
+        do
+          md5sum "$f" | awk '{print $1}'> "$f.md5"
+          sha1sum "$f" | awk '{print $1}'> "$f.sha1"
+          sha256sum "$f" | awk '{print $1}'> "$f.sha256"
+        done <   <(find "$pkgpath/${PKG_ROOT}" -type f ! -name "*.md5" \
+        ! -name "*.sha1" ! -name "*.sha128" ! -name "*.sha256" \
+        ! -name "*.sha512" ! -name "*.asc" -print0)
+        # Bundle the artifacts and checksums together into a zip file
+        cd "$pkgpath" || exit
+        echo "create maven zip to /var/workdir/cachi2/output/${BUNDLE_NAME}.zip"
+        zip -rq "${BUNDLE_NAME}.zip" "${PKG_ROOT}"
+        mv "${BUNDLE_NAME}.zip" "/shared/${BUNDLE_NAME}.zip"
+      else
+        echo "No ${PKG_ROOT} dir found, can not generate maven zip!"
+        exit 1
+      fi
+    securityContext:
+      capabilities:
+        add:
+          - SETFCAP
+  - image: quay.io/konflux-ci/oras:latest@sha256:9d6db5840c70e65fefe041201cc7ffe2d1661bd0582b590b54787213ccfd76e9
+    name: build
+    workingDir: /var/workdir
+    computeResources:
+      limits:
+        memory: 8Gi
+        cpu: '4'
+      requests:
+        memory: 2Gi
+        cpu: '1'
+    script: |
+      #!/bin/bash
+      set -o pipefail
+      if [ -f "/shared/${BUNDLE_NAME}.zip" ]; then
+        mv "/shared/${BUNDLE_NAME}.zip" "./${BUNDLE_NAME}.zip"
+        select-oci-auth "$IMAGE" > auth.json
+        [ -n "$IMAGE_EXPIRES_AFTER" ] && EXPIRE_LABEL=("--annotation" "quay.expires-after=$IMAGE_EXPIRES_AFTER")
+        oras push "$IMAGE" \
+          --registry-config auth.json \
+          "${EXPIRE_LABEL[@]}" \
+          --artifact-type application/vnd.maven+zip "${BUNDLE_NAME}.zip"
+        RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}")
+        echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)"
+        echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)"
+      else
+        echo "The maven zip file is not found!"
+        exit 1
+      fi
+
+      # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
+      if [ -f "/var/workdir/cachi2/output/bom.json" ]; then
+        cp -vf "/var/workdir/cachi2/output/bom.json" ./sbom-cachi2.json
+      else
+        echo "The SBOM file for fetched artifacts is not found!"
+        exit 1
+      fi
+    securityContext:
+      capabilities:
+        add:
+          - SETFCAP
+    volumeMounts:
+    - name: trusted-ca
+      mountPath: /mnt/trusted-ca
+      readOnly: true
+  - name: prepare-sboms
+    image: quay.io/redhat-appstudio/sbom-utility-scripts-image@sha256:53a3041dff341b7fd1765b9cc2c324625d19e804b2eaff10a6e6d9dcdbde3a91
+    workingDir: /var/workdir
+    computeResources:
+      limits:
+        memory: 512Mi
+        cpu: 200m
+      requests:
+        memory: 256Mi
+        cpu: 100m
+    script: |
+      mv sbom-cachi2.json sbom-cyclonedx.json
+      echo "Creating sbom-purl.json"
+      python3 /scripts/create_purl_sbom.py
+    securityContext:
+      runAsUser: 0
+  - name: upload-sbom
+    image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14
+    workingDir: /var/workdir
+    script: |
+      #!/bin/bash
+      ca_bundle=/mnt/trusted-ca/ca-bundle.crt
+      if [ -f "$ca_bundle" ]; then
+        echo "INFO: Using mounted CA bundle: $ca_bundle"
+        cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
+        update-ca-trust
+      fi
+
+      cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$IMAGE"
+
+      # Remove tag from IMAGE while allowing registry to contain a port number.
+      sbom_repo="${IMAGE%:*}"
+      sbom_tag="sha256-$(< "$(results.IMAGE_DIGEST.path)" cut -d: -f2).sbom"
+      # The SBOM_BLOB_URL is created by `cosign attach sbom`.
+      echo -n "${sbom_repo}:${sbom_tag}" | tee "$(results.SBOM_BLOB_URL.path)"
+    computeResources:
+      limits:
+        memory: 512Mi
+        cpu: 200m
+      requests:
+        memory: 256Mi
+        cpu: 100m
+    volumeMounts:
+    - name: trusted-ca
+      mountPath: /mnt/trusted-ca
+      readOnly: true
+
+  volumes:
+  - name: shared
+    emptyDir: {}
+  - name: workdir
+    emptyDir: {}
+  - name: trusted-ca
+    configMap:
+      name: $(params.caTrustConfigMapName)
+      items:
+        - key: $(params.caTrustConfigMapKey)
+          path: ca-bundle.crt
+      optional: true

task/build-maven-zip-oci-ta/0.1/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- build-maven-zip-oci-ta.yaml

task/build-maven-zip-oci-ta/OWNERS

@@ -0,0 +1,5 @@
+# See the OWNERS docs: https://go.k8s.io/owners
+approvers:
+  - spmm-team
+reviewers:
+  - spmm-team

task/build-maven-zip/0.1/README.md

@@ -0,0 +1,30 @@
+# Build-maven-zip task
+
+Build-maven-zip task builds prefetched maven artifacts into a OCI-artifact with zip bundle  and pushes the OCI-artifact into container registry.
+In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.
+Note that this task needs the output of prefetch-dependencies task. If it is not activated, there will not be any output from this task.
+
+## Parameters
+
+| name                 | description                                                            | default value    | required |
+| -------------------- | ---------------------------------------------------------------------- | ---------------- | -------- |
+| IMAGE                | Reference of the OCI-Artifact this build task will produce.            |                  | true     |
+| PREFETCH_INPUT       | The prefetched content which is used in the build.                     | generic          | false    |
+| PREFETCH_ROOT        | The root directory of the artifacts in the prefetched directory.       | maven-repository | false    |
+| BUNDLE_NAME          | The zip bundle name of archived artifacts.                             | maven-repository | false    |
+| caTrustConfigMapName | The name of the ConfigMap to read CA bundle data from.                 | trusted-ca       | false    |
+| caTrustConfigMapKey  | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt    | false    |
+
+## Results
+
+| name          | description                                                                       |
+| ------------- | --------------------------------------------------------------------------------- |
+| IMAGE_DIGEST  | Digest of the OCI-Artifact just built                                             |
+| IMAGE_URL     | Image repository and tag where the built OCI-Artifact was pushed                  |
+| SBOM_BLOB_URL | Reference of SBOM blob digest to enable digest-based verification from provenance |
+
+## Workspaces
+
+| name   | description                                    | optional |
+| ------ | ---------------------------------------------- | -------- |
+| source | Workspace containing the source code to build. | false    |