Merge branch 'main' into allow-passing-api-token-secret-from-namespac…

…e-in-resolver

DEVELOPMENT.md

@@ -164,8 +164,11 @@ The Tekton project requires that you develop (commit) code changes to branches t
 
         ```shell
         git remote add upstream [email protected]:tektoncd/pipeline.git
+        ```
+
+    1. Optional: Prevent accidental pushing of commits by changing the upstream URL to `no_push`
 
-        # Optional: Prevent accidental pushing of commits by changing the upstream URL to `no_push`
+        ```shell
         git remote set-url --push upstream no_push
         ```
 
@@ -271,9 +274,9 @@ The recommended minimum development configuration is:
   - 8 GB of (actual or virtualized) platform memory
 - Node autoscaling, up to 3 nodes
 
-#### Using [KinD](https://kind.sigs.k8s.io/)
+#### Using [Kind](https://kind.sigs.k8s.io/)
 
-[KinD](https://kind.sigs.k8s.io/) is a great tool for working with Kubernetes clusters locally. It is particularly useful to quickly test code against different cluster [configurations](https://kind.sigs.k8s.io/docs/user/quick-start/#advanced).
+[Kind](https://kind.sigs.k8s.io/) is a great tool for working with Kubernetes clusters locally. It is particularly useful to quickly test code against different cluster [configurations](https://kind.sigs.k8s.io/docs/user/quick-start/#advanced).
 
 1. Install [required tools](./DEVELOPMENT.md#install-tools) (note: may require a newer version of Go).
 2. Install [Docker](https://www.docker.com/get-started).
@@ -353,7 +356,7 @@ While iterating on code changes to the project, you may need to:
     - Update your (external) dependencies with: `./hack/update-deps.sh`
     - Update your type definitions with: `./hack/update-codegen.sh`
     -  Update your OpenAPI specs with: `./hack/update-openapigen.sh`
-1. Update or [add new CRD types](#adding-new-types) as needed
+1. Update or [add new CRD types](#adding-new-crd-types) as needed
 1. Update, [add and run tests](./test/README.md#tests)
 
 To make changes to these CRDs, you will probably interact with:

api_compatibility_policy.md

@@ -90,26 +90,25 @@ For more information on support windows, see the [deprecations table](./docs/dep
 
 ## Feature Gates
 
-CRD API versions gate the overall stability of the CRD and its default behaviors. Within a particular CRD version, certain opt-in features may be at a lower stability level as described in [TEP-33](https://github.com/tektoncd/community/blob/main/teps/0033-tekton-feature-gates.md). These fields may be disabled by default and can be enabled by setting the right `enable-api-fields` feature-flag as described in TEP-33:
+Stability levels of feature gates are independent from CRD apiVersions. Features enabled by API fields at different levels of stability can be enabled using the flag `enable-api-fields`:
 
-* `stable` - This value indicates that only fields of the highest stability level are enabled; For `beta` CRDs, this means only beta stability fields are enabled, i.e. `alpha` fields are not enabled. For `GA` CRDs, this means only `GA` fields are enabled, i.e. `beta` and `alpha` fields would not be enabled. TODO(#6592): Decouple feature stability from API stability.
-* `beta` (default) - This value indicates that only fields which are of `beta` (or greater) stability are enabled, i.e. `alpha` fields are not enabled. 
-* `alpha` - This value indicates that fields of all stability levels are enabled, specifically `alpha`, `beta` and `GA`.
+* `stable` - This value indicates that only fields of the highest stability level are enabled; i.e. `alpha` and `beta` fields are not enabled.
 
+* `beta` (default) - This value indicates that only fields which are of `beta` (or greater) stability are enabled, i.e. `alpha` fields are not enabled.
 
-| Feature Versions -> | v1 | beta | alpha |
-|---------------------|----|------|-------|
-| stable              | x  |      |       |
-| beta                | x  | x    |       |
-| alpha               | x  | x    | x     |
-
+* `alpha` - This value indicates that fields of all stability levels are enabled, specifically `alpha`, `beta` and `GA`(`stable`).
 
 See the current list of [alpha features](https://github.com/tektoncd/pipeline/blob/main/docs/additional-configs.md#alpha-features) and [beta features](https://github.com/tektoncd/pipeline/blob/main/docs/additional-configs.md#beta-features).
 
+| `enable-api-fields` value  | stable features enabled | beta features enabled | alpha features enabled |
+|----------------------------|-------------------------|-----------------------|------------------------|
+| stable                     |             x           |                       |                        |
+| beta                       |             x           |          x            |                        |
+| alpha                      |             x           |          x            |           x            |
 
 ### Alpha features
 
-- Alpha feature in beta or GA CRDs are disabled by default and must be enabled by [setting `enable-api-fields` to `alpha`](https://github.com/tektoncd/pipeline/blob/main/docs/additional-configs.md#alpha-features)
+- Alpha features are disabled by default and must be enabled by [setting `enable-api-fields` to `alpha`](https://github.com/tektoncd/pipeline/blob/main/docs/additional-configs.md#alpha-features)
 
 - These features may be dropped or backwards incompatible changes made at any time, though one release worth of warning will be provided.
 
@@ -125,14 +124,13 @@ See the current list of [alpha features](https://github.com/tektoncd/pipeline/bl
   i.e. by providing a 9 month support period.
 
 - Beta features are reviewed for promotion to GA/Stable on a regular basis. However, there is no guarantee that they will be promoted to GA/stable.
-
-- For beta API versions, beta is the highest level of stability possible for any feature.
 
 ### GA/Stable features
 
-- GA/Stable features are present in a [GA CRD](#ga-crds) only.
+- GA/Stable features are enabled by default.
+  - GA/Stable API-driven features are no longer controlled by the `enable-api-fields` flag because they cannot be disabled.
 
-- GA/Stable features are enabled by default
+- GA/Stable features are features that have been promoted from beta to the highest level of stability. They cannot be disabled in any CRD version.
 
 - GA/Stable features will not be removed or changed in a backwards incompatible manner without incrementing the API Version.
 
@@ -145,7 +143,7 @@ Features are first released as experimental in alpha, refined in beta, and final
 
 #### Promoting a feature to `beta`
 - After feedback of the usage of the alpha features, once the needs and motivations are validated, a feature could be promoted to `beta`. This stage is where features are further tested and refined.
-- The dedicated feature flag for this feature will change the stability level for validation to `beta`. It will continue to be disabled by default.
+- The dedicated feature flag for this feature will change its stability level to `beta`. It will continue to be disabled by default.
 
 #### Graduating a feature to `stable`
 - This is the final stage of feature graduation process, where features are considered to be complete and ready to be released for the public.

cmd/entrypoint/main.go

@@ -183,7 +183,7 @@ func main() {
 			log.Print(err.Error())
 			os.Exit(1)
 		case entrypoint.ContextError:
-			if errors.Is(err, entrypoint.ErrContextCanceled) {
+			if entrypoint.IsContextCanceledError(err) {
 				log.Print("Step was cancelled")
 				// use the SIGKILL signal to distinguish normal exit programs, just like kill -9 PID
 				os.Exit(int(syscall.SIGKILL))

cmd/resolvers/main.go

@@ -33,8 +33,8 @@ import (
 
 func main() {
 	ctx := filteredinformerfactory.WithSelectors(signals.NewContext(), v1alpha1.ManagedByLabelKey)
-	tektonHubURL := buildHubURL(os.Getenv("TEKTON_HUB_API"), "", hub.TektonHubYamlEndpoint)
-	artifactHubURL := buildHubURL(os.Getenv("ARTIFACT_HUB_API"), hub.DefaultArtifactHubURL, hub.ArtifactHubYamlEndpoint)
+	tektonHubURL := buildHubURL(os.Getenv("TEKTON_HUB_API"), "")
+	artifactHubURL := buildHubURL(os.Getenv("ARTIFACT_HUB_API"), hub.DefaultArtifactHubURL)
 
 	sharedmain.MainWithContext(ctx, "controller",
 		framework.NewController(ctx, &git.Resolver{}),
@@ -43,16 +43,12 @@ func main() {
 		framework.NewController(ctx, &cluster.Resolver{}))
 }
 
-func buildHubURL(configAPI, defaultURL, yamlEndpoint string) string {
+func buildHubURL(configAPI, defaultURL string) string {
 	var hubURL string
 	if configAPI == "" {
 		hubURL = defaultURL
 	} else {
-		if !strings.HasSuffix(configAPI, "/") {
-			configAPI += "/"
-		}
-		hubURL = configAPI + yamlEndpoint
+		hubURL = configAPI
 	}
-
-	return hubURL
+	return strings.TrimSuffix(hubURL, "/")
 }

cmd/resolvers/main_test.go

@@ -0,0 +1,40 @@
+package main
+
+import "testing"
+
+func TestBuildHubURL(t *testing.T) {
+	testCases := []struct {
+		name       string
+		configAPI  string
+		defaultURL string
+		expected   string
+	}{
+		{
+			name:       "configAPI empty",
+			configAPI:  "",
+			defaultURL: "https://tekton.dev",
+			expected:   "https://tekton.dev",
+		},
+		{
+			name:       "configAPI not empty",
+			configAPI:  "https://myhub.com",
+			defaultURL: "https://foo.com",
+			expected:   "https://myhub.com",
+		},
+		{
+			name:       "defaultURL ends with slash",
+			configAPI:  "",
+			defaultURL: "https://bar.com/",
+			expected:   "https://bar.com",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			actual := buildHubURL(tc.configAPI, tc.defaultURL)
+			if actual != tc.expected {
+				t.Errorf("expected %s, but got %s", tc.expected, actual)
+			}
+		})
+	}
+}

cmd/webhook/main.go

@@ -52,6 +52,7 @@ import (
 var types = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
 	// v1alpha1
 	v1alpha1.SchemeGroupVersion.WithKind("VerificationPolicy"): &v1alpha1.VerificationPolicy{},
+	v1alpha1.SchemeGroupVersion.WithKind("StepAction"):         &v1alpha1.StepAction{},
 	// v1beta1
 	v1beta1.SchemeGroupVersion.WithKind("Pipeline"):    &v1beta1.Pipeline{},
 	v1beta1.SchemeGroupVersion.WithKind("Task"):        &v1beta1.Task{},
@@ -152,6 +153,7 @@ func newConfigValidationController(name string) func(context.Context, configmap.
 
 func newConversionController(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
 	var (
+		v1alpha1GroupVersion           = v1alpha1.SchemeGroupVersion.Version
 		v1beta1GroupVersion            = v1beta1.SchemeGroupVersion.Version
 		v1GroupVersion                 = v1.SchemeGroupVersion.Version
 		resolutionv1alpha1GroupVersion = resolutionv1alpha1.SchemeGroupVersion.Version
@@ -169,6 +171,10 @@ func newConversionController(ctx context.Context, cmw configmap.Watcher) *contro
 		// conversions to and from all types.
 		// "Zygotes" are the supported versions.
 		map[schema.GroupKind]conversion.GroupKindConversion{
+			v1alpha1.Kind("StepAction"): {
+				DefinitionName: pipeline.StepActionResource.String(),
+				HubVersion:     v1alpha1GroupVersion,
+			},
 			v1.Kind("Task"): {
 				DefinitionName: pipeline.TaskResource.String(),
 				HubVersion:     v1beta1GroupVersion,

config/200-clusterrole.yaml

@@ -32,7 +32,7 @@ rules:
     # Controller needs cluster access to all of the CRDs that it is responsible for
     # managing.
   - apiGroups: ["tekton.dev"]
-    resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "customruns"]
+    resources: ["tasks", "clustertasks", "taskruns", "pipelines", "pipelineruns", "customruns", "stepactions"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
   - apiGroups: ["tekton.dev"]
     resources: ["verificationpolicies"]
@@ -41,7 +41,7 @@ rules:
     resources: ["taskruns/finalizers", "pipelineruns/finalizers", "customruns/finalizers"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
   - apiGroups: ["tekton.dev"]
-    resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "customruns/status", "verificationpolicies/status"]
+    resources: ["tasks/status", "clustertasks/status", "taskruns/status", "pipelines/status", "pipelineruns/status", "customruns/status", "verificationpolicies/status", "stepactions/status"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
   # resolution.tekton.dev
   - apiGroups: ["resolution.tekton.dev"]
@@ -98,6 +98,7 @@ rules:
       - resolutionrequests.resolution.tekton.dev
       - customruns.tekton.dev
       - verificationpolicies.tekton.dev
+      - stepactions.tekton.dev
   # knative.dev/pkg needs list/watch permissions to set up informers for the webhook.
   - apiGroups: ["apiextensions.k8s.io"]
     resources: ["customresourcedefinitions"]

config/300-stepaction.yaml

@@ -0,0 +1,53 @@
+# Copyright 2023 The Tekton Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: stepactions.tekton.dev
+  labels:
+    app.kubernetes.io/instance: default
+    app.kubernetes.io/part-of: tekton-pipelines
+    pipeline.tekton.dev/release: "devel"
+    version: "devel"
+spec:
+  group: tekton.dev
+  preserveUnknownFields: false
+  versions:
+  - name: v1alpha1
+    served: true
+    storage: true
+    schema:
+      openAPIV3Schema:
+        type: object
+        # One can use x-kubernetes-preserve-unknown-fields: true
+        # at the root of the schema (and inside any properties, additionalProperties)
+        # to get the traditional CRD behaviour that nothing is pruned, despite
+        # setting spec.preserveUnknownProperties: false.
+        #
+        # See https://kubernetes.io/blog/2019/06/20/crd-structural-schema/
+        # See issue: https://github.com/knative/serving/issues/912
+        x-kubernetes-preserve-unknown-fields: true
+    # Opt into the status subresource so metadata.generation
+    # starts to increment
+    subresources:
+      status: {}
+  names:
+    kind: StepAction
+    plural: stepactions
+    singular: stepaction
+    categories:
+    - tekton
+    - tekton-pipelines
+  scope: Namespaced

config/clusterrole-aggregate-edit.yaml

@@ -31,6 +31,7 @@ rules:
   - pipelineruns
   - runs
   - customruns
+  - stepactions
   verbs:
   - create
   - delete

config/clusterrole-aggregate-view.yaml

@@ -30,6 +30,7 @@ rules:
   - pipelineruns
   - runs
   - customruns
+  - stepactions
   verbs:
   - get
   - list

config/config-feature-flags.yaml

@@ -121,3 +121,8 @@ data:
   # Setting this flag to "true" will keep pod on cancellation
   # allowing examination of the logs on the pods from cancelled taskruns
   keep-pod-on-cancel: "false"
+  # Setting this flag to "true" will enable the CEL evaluation in WhenExpression
+  enable-cel-in-whenexpression: "false"
+  # Setting this flag to "true" will enable the use of StepActions in Steps
+  # This feature is in preview mode and not implemented yet. Please check #7259 for updates.
+  enable-step-actions: "false"

config/resolvers/resolvers-deployment.yaml

@@ -102,6 +102,8 @@ spec:
       # Override this env var to set a private hub api endpoint
         - name: ARTIFACT_HUB_API
           value: "https://artifacthub.io/"
+        - name: TEKTON_HUB_API
+          value: "https://api.hub.tekton.dev/"
         securityContext:
           allowPrivilegeEscalation: false
           readOnlyRootFilesystem: true