From 457d3908e9aff25abd87d4d841e1802ff1d7b7da Mon Sep 17 00:00:00 2001 From: Martin Marosi Date: Fri, 3 Jan 2025 09:24:50 +0100 Subject: [PATCH] Use git submodule to build frontend container. --- .gitmodules | 3 + .tekton/api-frontend-pull-request.yaml | 488 +++++++++++++----------- .tekton/api-frontend-push.yaml | 490 ++++++++++++------------- build-tools | 1 + 4 files changed, 519 insertions(+), 463 deletions(-) create mode 100644 .gitmodules create mode 160000 build-tools diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000..435e8f9 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,3 @@ +[submodule "build-tools"] + path = build-tools + url = https://github.com/RedHatInsights/insights-frontend-builder-common.git diff --git a/.tekton/api-frontend-pull-request.yaml b/.tekton/api-frontend-pull-request.yaml index dc0eb89..1d947c6 100644 --- a/.tekton/api-frontend-pull-request.yaml +++ b/.tekton/api-frontend-pull-request.yaml @@ -18,55 +18,38 @@ metadata: namespace: rh-platform-experien-tenant spec: params: - - name: dockerfile - value: ./Dockerfile - name: git-url value: '{{source_url}}' - - name: image-expires-after - value: 5d + - name: revision + value: '{{revision}}' - name: output-image value: quay.io/redhat-user-workloads/rh-platform-experien-tenant/api-frontend/api-frontend:on-pr-{{revision}} + - name: image-expires-after + value: 5d + - name: dockerfile + value: build-tools/Dockerfile - name: path-context value: . - - name: revision - value: '{{revision}}' pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ finally: - name: show-sbom params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) taskRef: params: - name: name value: show-sbom - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1580a8766406207d3a7500cc0c62f8ec4cd935d772008a74dd71ec7e94af2f45 + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0 - name: kind value: task resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:abdf426424f1331c27be80ed98a0fbcefb8422767d1724308b9d57b37f977155 - - name: kind - value: task - resolver: bundles - workspaces: - - name: workspace - workspace: workspace params: - description: Source Repository URL name: git-url @@ -104,10 +87,6 @@ spec: description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - - default: "false" - description: Java build - name: java - type: string - default: "" description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. @@ -116,27 +95,31 @@ spec: description: Build a source image. name: build-source-image type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array - default: "" - description: Path to a file with build arguments which will be passed to podman - during build + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file name: build-args-file type: string results: - description: "" name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - description: "" name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - description: "" name: CHAINS-GIT_URL value: $(tasks.clone-repository.results.url) - description: "" name: CHAINS-GIT_COMMIT value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) tasks: - name: init params: @@ -151,11 +134,11 @@ spec: - name: name value: init - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:596b7c11572bb94eb67d9ffb4375068426e2a8249ff2792ce04ad2a4bc593a63 + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:90dda596d44b3f861889da2fba161dff34c6116fe76c3989e3f84262ea0f29cd - name: kind value: task resolver: bundles - - name: clone-repository-oci-ta + - name: clone-repository params: - name: url value: $(params.git-url) @@ -163,6 +146,8 @@ spec: value: $(params.revision) - name: ociStorage value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - init taskRef: @@ -170,7 +155,7 @@ spec: - name: name value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta@sha256:0f4360ce144d46171ebd2e8f4d4575539a0600e02208ba5fc9beeb2c27ddfd4c + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:0cf39c32d86900dce3f7d53f828826dd96ad917c5f4c0b01fb1865346601447d - name: kind value: task resolver: bundles @@ -182,6 +167,7 @@ spec: workspaces: - name: basic-auth workspace: git-auth + workspace: git-auth - name: clone-repository params: - name: url @@ -209,91 +195,60 @@ spec: workspace: workspace - name: basic-auth workspace: git-auth - - name: prefetch-dependencies + workspace: git-auth + - name: clone-repository params: - - name: input - value: $(params.prefetch-input) + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) runAfter: - - clone-repository + - init taskRef: params: - name: name - value: prefetch-dependencies + value: git-clone - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c848a0e47e93b922f9cc8503946c0a6d3c99b9af3f0e2aef84a00d88df570e45 + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:68a87cafeb43367160497d91a1a66bceef7acc179e809e8eb3996c1deb096042 - name: kind value: task resolver: bundles when: - - input: $(params.prefetch-input) - operator: notin + - input: $(tasks.init.results.build) + operator: in values: - - "" + - "true" workspaces: - - name: source + - name: output workspace: workspace - - name: git-basic-auth + - name: basic-auth workspace: git-auth - - name: parse-build-deploy-script + - name: prefetch-dependencies params: - - name: path-context - value: $(params.path-context) - taskRef: - resolver: git - params: - - name: url - value: https://github.com/RedHatInsights/konflux-consoledot-frontend-build - - name: revision - value: 6ca6bf7cbbe1dd25a5b8e50ebb832041533bf4b3 - - name: pathInRepo - value: tasks/parse-build-deploy-script/parse-build-deploy-script.yaml - workspaces: - - name: source - workspace: workspace + - name: input + value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - clone-repository - - name: create-frontend-dockerfile taskRef: - resolver: git params: - - name: url - value: https://github.com/RedHatInsights/konflux-consoledot-frontend-build - - name: revision - value: 6ca6bf7cbbe1dd25a5b8e50ebb832041533bf4b3 - - name: pathInRepo - value: tasks/create-frontend-dockerfile/create-frontend-dockerfile.yaml + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:2c9d502b106ec88eb9926ccfdb774609d8ae2894d56559b0e75ee9deaaec3646 + - name: kind + value: task + resolver: bundles workspaces: - - name: source - workspace: workspace - params: - - name: path-context - value: $(params.path-context) - - name: component - value: $(tasks.parse-build-deploy-script.results.component) - - name: image - value: $(tasks.parse-build-deploy-script.results.image) - - name: node-build-version - value: $(tasks.parse-build-deploy-script.results.node-build-version) - - name: quay-expire-time - value: $(tasks.parse-build-deploy-script.results.quay-expire-time) - - name: npm-build-script - value: $(tasks.parse-build-deploy-script.results.npm-build-script) - - name: yarn-build-script - value: $(tasks.parse-build-deploy-script.results.yarn-build-script) - - name: route-path - value: $(tasks.parse-build-deploy-script.results.route-path) - - name: beta-route-path - value: $(tasks.parse-build-deploy-script.results.beta-route-path) - - name: preview-route-path - value: $(tasks.parse-build-deploy-script.results.preview-route-path) - - name: ci-root - value: $(tasks.parse-build-deploy-script.results.ci-root) - - name: server-name - value: $(tasks.parse-build-deploy-script.results.server-name) - - name: dist-folder - value: $(tasks.parse-build-deploy-script.results.dist-folder) - runAfter: - - parse-build-deploy-script + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc - name: build-container params: - name: IMAGE @@ -310,17 +265,23 @@ spec: value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) - name: BUILD_ARGS_FILE value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - prefetch-dependencies - - create-frontend-dockerfile taskRef: params: - name: name - value: buildah + value: buildah-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.2@sha256:92b07d9db14c54972b3f93e98d33431cb9d832364acfc36ed8165b3064153bce + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2@sha256:234dc22d721913f08560cb033b384e5d98ff6d2e92713ea69159bd89bc3dec2b - name: kind value: task resolver: bundles @@ -329,21 +290,27 @@ spec: operator: in values: - "true" - workspaces: - - name: source - workspace: workspace - - name: build-source-image + - name: build-image-index params: - - name: BINARY_IMAGE + - name: IMAGE value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) runAfter: - build-container taskRef: params: - name: name - value: source-build + value: build-image-index - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:14b91ad9124b722b44222685013faaf9af8ac5b66030d9abeb1c61da3c118cdd + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:479775c8655d815fb515aeb97efc0e64284a8520c452754981970900b937a393 - name: kind value: task resolver: bundles @@ -352,44 +319,48 @@ spec: operator: in values: - "true" - - input: $(params.build-source-image) - operator: in - values: - - "true" - workspaces: - - name: workspace - workspace: workspace - - name: rpms-signature-scan + - name: build-source-image params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + - name: BINARY_IMAGE + value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - - build-container + - build-image-index taskRef: params: - name: name - value: rpms-signature-scan + value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:7aa4d3c95e2b963e82fdda392f7cb3d61e3dab035416cf4a3a34e43cf3c9c9b8 + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:84f5c0ae4de3f3c0c8e52a0f35fc11d16735c5fb03f7f4ab37e4b011750294a7 - name: kind value: task resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" - name: deprecated-base-image-check params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: deprecated-image-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:b91642a29e3fd204f724ce9e6ab97f3799b1d0102f6458a10e45f840281409ca + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:f8efb0b22692fad908a1a75f8d5c0b6ed3b0bcd2a9853577e7be275e5bac1bb8 - name: kind value: task resolver: bundles @@ -401,17 +372,17 @@ spec: - name: clair-scan params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: clair-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.2@sha256:89ca5c9ddcaf609509aaed9c937c2a72cf400810e3a7892adfb9ac247a13693d + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:e428b37d253621365ffb24d4053e5f3141988ae6a30fce1c8ba73b7211396eb0 - name: kind value: task resolver: bundles @@ -423,15 +394,15 @@ spec: - name: ecosystem-cert-preflight-checks params: - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: ecosystem-cert-preflight-checks - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:fc2cda064580364bb80c3ad6f438002de0033963fc33985d01ad249346b93433 + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:df8a25a3431a70544172ed4844f9d0c6229d39130633960729f825a031a7dea9 - name: kind value: task resolver: bundles @@ -441,14 +412,23 @@ spec: values: - "false" - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - - clone-repository + - build-image-index taskRef: params: - name: name - value: sast-snyk-check + value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.3@sha256:a35e1b1e108fe50737e47d5d71368ec882809fdd854096691d4e6fa7bc67e77b + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:6d232347739a0366dcfc4e40afbcb5d1937dd3fea8952afb1bd6a4b0c5d1c1f5 - name: kind value: task resolver: bundles @@ -457,23 +437,20 @@ spec: operator: in values: - "false" - workspaces: - - name: workspace - workspace: workspace - name: clamav-scan params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: clamav-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:10976247ae6c9ae7b04670e8d52e7b521c4ce98806891ddcd7248d3c10b56980 + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:d78221853f7ff2befc6669dd0eeb91e6611ae84ac7754150ea0f071d92ff41cb - name: kind value: task resolver: bundles @@ -482,20 +459,104 @@ spec: operator: in values: - "false" - - name: sbom-json-check + - name: sast-coverity-check params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - - build-container + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.1@sha256:a2a504ffd550e8029034fd737e237e194c13e1b593c8e37402218408e5d632df + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index taskRef: params: - name: name - value: sbom-json-check + value: coverity-availability-check-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.2@sha256:6c38a42ed80453553b05d157fc85ba4f5bc6b9c04dd75ab3e204219ee7b226ba + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check-oci-ta:0.1@sha256:c6c04c3b7ab71c039fe5958559f3d0bf30cb56239ee3be6a7806a71912660da4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:ac6a35e4143a68f841e363da3f21f2123de9f3acf76596f79ecb60c501eed408 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:ac6a35e4143a68f841e363da3f21f2123de9f3acf76596f79ecb60c501eed408 - name: kind value: task resolver: bundles @@ -507,77 +568,70 @@ spec: - name: apply-tags params: - name: IMAGE - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: apply-tags - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-apply-tags:0.1@sha256:c77f899e166e88d9d7960d2261cbba7d218282346d71accc6c859bdf2ab883fc + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:2c2d88c07623b2d25163994ded6e9f29205ea5bbab090f4c86379739940028b9 - name: kind value: task resolver: bundles - - name: run-unit-tests - description: Validates frontend unit tests + - name: push-dockerfile params: - - name: SOURCE_ARTIFACT - value: $(tasks.clone-repository-oci-ta.results.SOURCE_ARTIFACT) + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) runAfter: - - clone-repository-oci-ta - workspaces: - - name: basic-auth - workspace: git-auth - taskSpec: + - build-image-index + taskRef: params: - - description: The Trusted Artifact URI pointing to the artifact with the application source code. - name: SOURCE_ARTIFACT - type: string - volumes: - # New volume to store a copy of the source code accessible only to this Task. - - name: workdir - emptyDir: {} - stepTemplate: - volumeMounts: - - mountPath: /var/workdir - name: workdir - readOnly: false - sidecars: - steps: - - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac - args: - - use - - $(params.SOURCE_ARTIFACT)=/var/workdir - - image: registry.access.redhat.com/ubi8/nodejs-20 - workingDir: /var/workdir - name: unit-tests - securityContext: - runAsUser: 0 - script: | - #!/bin/bash - set -ex - - npm install - npm test + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:d3d7bfda98e475476f0665d76c7762236310e299dfaeb96776dc72dc93dbfd94 + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:9e33cbc0128aa1a34d6996c87fceac03a6aa05d1c18564a73abbb9b6a710fd6a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" workspaces: - - name: workspace - name: git-auth optional: true + - name: netrc + optional: true taskRunTemplate: {} workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - name: git-auth secret: secretName: '{{ git_auth_secret }}' diff --git a/.tekton/api-frontend-push.yaml b/.tekton/api-frontend-push.yaml index 447df1d..223380f 100644 --- a/.tekton/api-frontend-push.yaml +++ b/.tekton/api-frontend-push.yaml @@ -17,53 +17,36 @@ metadata: namespace: rh-platform-experien-tenant spec: params: - - name: dockerfile - value: ./Dockerfile - name: git-url value: '{{source_url}}' + - name: revision + value: '{{revision}}' - name: output-image value: quay.io/redhat-user-workloads/rh-platform-experien-tenant/api-frontend/api-frontend:{{revision}} + - name: dockerfile + value: build-tools/Dockerfile - name: path-context value: . - - name: revision - value: '{{revision}}' pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ finally: - name: show-sbom params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) taskRef: params: - name: name value: show-sbom - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1580a8766406207d3a7500cc0c62f8ec4cd935d772008a74dd71ec7e94af2f45 - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:abdf426424f1331c27be80ed98a0fbcefb8422767d1724308b9d57b37f977155 + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0 - name: kind value: task resolver: bundles - workspaces: - - name: workspace - workspace: workspace params: - description: Source Repository URL name: git-url @@ -101,10 +84,6 @@ spec: description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - - default: "false" - description: Java build - name: java - type: string - default: "" description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. @@ -113,27 +92,31 @@ spec: description: Build a source image. name: build-source-image type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array - default: "" - description: Path to a file with build arguments which will be passed to podman - during build + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file name: build-args-file type: string results: - description: "" name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - description: "" name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - description: "" name: CHAINS-GIT_URL value: $(tasks.clone-repository.results.url) - description: "" name: CHAINS-GIT_COMMIT value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) tasks: - name: init params: @@ -148,11 +131,11 @@ spec: - name: name value: init - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:596b7c11572bb94eb67d9ffb4375068426e2a8249ff2792ce04ad2a4bc593a63 + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:90dda596d44b3f861889da2fba161dff34c6116fe76c3989e3f84262ea0f29cd - name: kind value: task resolver: bundles - - name: clone-repository-oci-ta + - name: clone-repository params: - name: url value: $(params.git-url) @@ -160,6 +143,8 @@ spec: value: $(params.revision) - name: ociStorage value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - init taskRef: @@ -167,7 +152,7 @@ spec: - name: name value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta@sha256:0f4360ce144d46171ebd2e8f4d4575539a0600e02208ba5fc9beeb2c27ddfd4c + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:0cf39c32d86900dce3f7d53f828826dd96ad917c5f4c0b01fb1865346601447d - name: kind value: task resolver: bundles @@ -179,118 +164,32 @@ spec: workspaces: - name: basic-auth workspace: git-auth - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:68a87cafeb43367160497d91a1a66bceef7acc179e809e8eb3996c1deb096042 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth - name: prefetch-dependencies params: - name: input value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - clone-repository taskRef: params: - name: name - value: prefetch-dependencies + value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c848a0e47e93b922f9cc8503946c0a6d3c99b9af3f0e2aef84a00d88df570e45 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:2c9d502b106ec88eb9926ccfdb774609d8ae2894d56559b0e75ee9deaaec3646 - name: kind value: task resolver: bundles - when: - - input: $(params.prefetch-input) - operator: notin - values: - - "" workspaces: - - name: source - workspace: workspace - name: git-basic-auth workspace: git-auth - - name: parse-build-deploy-script - params: - - name: path-context - value: $(params.path-context) - taskRef: - resolver: git - params: - - name: url - value: https://github.com/RedHatInsights/konflux-consoledot-frontend-build - - name: revision - value: 6ca6bf7cbbe1dd25a5b8e50ebb832041533bf4b3 - - name: pathInRepo - value: tasks/parse-build-deploy-script/parse-build-deploy-script.yaml - workspaces: - - name: source - workspace: workspace - runAfter: - - clone-repository - - name: create-frontend-dockerfile - taskRef: - resolver: git - params: - - name: url - value: https://github.com/RedHatInsights/konflux-consoledot-frontend-build - - name: revision - value: 6ca6bf7cbbe1dd25a5b8e50ebb832041533bf4b3 - - name: pathInRepo - value: tasks/create-frontend-dockerfile/create-frontend-dockerfile.yaml - workspaces: - - name: source - workspace: workspace - params: - - name: path-context - value: $(params.path-context) - - name: component - value: $(tasks.parse-build-deploy-script.results.component) - - name: image - value: $(tasks.parse-build-deploy-script.results.image) - - name: node-build-version - value: $(tasks.parse-build-deploy-script.results.node-build-version) - - name: quay-expire-time - value: $(tasks.parse-build-deploy-script.results.quay-expire-time) - - name: npm-build-script - value: $(tasks.parse-build-deploy-script.results.npm-build-script) - - name: yarn-build-script - value: $(tasks.parse-build-deploy-script.results.yarn-build-script) - - name: route-path - value: $(tasks.parse-build-deploy-script.results.route-path) - - name: beta-route-path - value: $(tasks.parse-build-deploy-script.results.beta-route-path) - - name: preview-route-path - value: $(tasks.parse-build-deploy-script.results.preview-route-path) - - name: ci-root - value: $(tasks.parse-build-deploy-script.results.ci-root) - - name: server-name - value: $(tasks.parse-build-deploy-script.results.server-name) - - name: dist-folder - value: $(tasks.parse-build-deploy-script.results.dist-folder) - runAfter: - - parse-build-deploy-script + - name: netrc + workspace: netrc - name: build-container params: - name: IMAGE @@ -307,17 +206,23 @@ spec: value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) - name: BUILD_ARGS_FILE value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - prefetch-dependencies - - create-frontend-dockerfile taskRef: params: - name: name - value: buildah + value: buildah-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.2@sha256:92b07d9db14c54972b3f93e98d33431cb9d832364acfc36ed8165b3064153bce + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2@sha256:234dc22d721913f08560cb033b384e5d98ff6d2e92713ea69159bd89bc3dec2b - name: kind value: task resolver: bundles @@ -326,21 +231,27 @@ spec: operator: in values: - "true" - workspaces: - - name: source - workspace: workspace - - name: build-source-image + - name: build-image-index params: - - name: BINARY_IMAGE + - name: IMAGE value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) runAfter: - build-container taskRef: params: - name: name - value: source-build + value: build-image-index - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:14b91ad9124b722b44222685013faaf9af8ac5b66030d9abeb1c61da3c118cdd + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:479775c8655d815fb515aeb97efc0e64284a8520c452754981970900b937a393 - name: kind value: task resolver: bundles @@ -349,44 +260,48 @@ spec: operator: in values: - "true" - - input: $(params.build-source-image) - operator: in - values: - - "true" - workspaces: - - name: workspace - workspace: workspace - - name: rpms-signature-scan + - name: build-source-image params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + - name: BINARY_IMAGE + value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - - build-container + - build-image-index taskRef: params: - name: name - value: rpms-signature-scan + value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:7aa4d3c95e2b963e82fdda392f7cb3d61e3dab035416cf4a3a34e43cf3c9c9b8 + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:84f5c0ae4de3f3c0c8e52a0f35fc11d16735c5fb03f7f4ab37e4b011750294a7 - name: kind value: task resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" - name: deprecated-base-image-check params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: deprecated-image-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:b91642a29e3fd204f724ce9e6ab97f3799b1d0102f6458a10e45f840281409ca + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:f8efb0b22692fad908a1a75f8d5c0b6ed3b0bcd2a9853577e7be275e5bac1bb8 - name: kind value: task resolver: bundles @@ -398,17 +313,17 @@ spec: - name: clair-scan params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: clair-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.2@sha256:89ca5c9ddcaf609509aaed9c937c2a72cf400810e3a7892adfb9ac247a13693d + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:e428b37d253621365ffb24d4053e5f3141988ae6a30fce1c8ba73b7211396eb0 - name: kind value: task resolver: bundles @@ -420,15 +335,15 @@ spec: - name: ecosystem-cert-preflight-checks params: - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: ecosystem-cert-preflight-checks - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:fc2cda064580364bb80c3ad6f438002de0033963fc33985d01ad249346b93433 + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:df8a25a3431a70544172ed4844f9d0c6229d39130633960729f825a031a7dea9 - name: kind value: task resolver: bundles @@ -438,14 +353,23 @@ spec: values: - "false" - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - - clone-repository + - build-image-index taskRef: params: - name: name - value: sast-snyk-check + value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.3@sha256:a35e1b1e108fe50737e47d5d71368ec882809fdd854096691d4e6fa7bc67e77b + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:6d232347739a0366dcfc4e40afbcb5d1937dd3fea8952afb1bd6a4b0c5d1c1f5 - name: kind value: task resolver: bundles @@ -454,23 +378,20 @@ spec: operator: in values: - "false" - workspaces: - - name: workspace - workspace: workspace - name: clamav-scan params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: clamav-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:10976247ae6c9ae7b04670e8d52e7b521c4ce98806891ddcd7248d3c10b56980 + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:d78221853f7ff2befc6669dd0eeb91e6611ae84ac7754150ea0f071d92ff41cb - name: kind value: task resolver: bundles @@ -479,20 +400,104 @@ spec: operator: in values: - "false" - - name: sbom-json-check + - name: sast-coverity-check params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - - build-container + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.1@sha256:a2a504ffd550e8029034fd737e237e194c13e1b593c8e37402218408e5d632df + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check-oci-ta:0.1@sha256:c6c04c3b7ab71c039fe5958559f3d0bf30cb56239ee3be6a7806a71912660da4 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index taskRef: params: - name: name - value: sbom-json-check + value: sast-shell-check-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.2@sha256:6c38a42ed80453553b05d157fc85ba4f5bc6b9c04dd75ab3e204219ee7b226ba + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:ac6a35e4143a68f841e363da3f21f2123de9f3acf76596f79ecb60c501eed408 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:ac6a35e4143a68f841e363da3f21f2123de9f3acf76596f79ecb60c501eed408 - name: kind value: task resolver: bundles @@ -504,77 +509,70 @@ spec: - name: apply-tags params: - name: IMAGE - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: apply-tags - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-apply-tags:0.1@sha256:c77f899e166e88d9d7960d2261cbba7d218282346d71accc6c859bdf2ab883fc + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:2c2d88c07623b2d25163994ded6e9f29205ea5bbab090f4c86379739940028b9 - name: kind value: task resolver: bundles - - name: run-unit-tests - description: Validates frontend unit tests + - name: push-dockerfile params: - - name: SOURCE_ARTIFACT - value: $(tasks.clone-repository-oci-ta.results.SOURCE_ARTIFACT) + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) runAfter: - - clone-repository-oci-ta - workspaces: - - name: basic-auth - workspace: git-auth - taskSpec: + - build-image-index + taskRef: params: - - description: The Trusted Artifact URI pointing to the artifact with the application source code. - name: SOURCE_ARTIFACT - type: string - volumes: - # New volume to store a copy of the source code accessible only to this Task. - - name: workdir - emptyDir: {} - stepTemplate: - volumeMounts: - - mountPath: /var/workdir - name: workdir - readOnly: false - sidecars: - steps: - - name: use-trusted-artifact - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:81c4864dae6bb11595f657be887e205262e70086a05ed16ada827fd6391926ac - args: - - use - - $(params.SOURCE_ARTIFACT)=/var/workdir - - image: registry.access.redhat.com/ubi8/nodejs-20 - workingDir: /var/workdir - name: unit-tests - securityContext: - runAsUser: 0 - script: | - #!/bin/bash - set -ex - - npm install - npm test + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:d3d7bfda98e475476f0665d76c7762236310e299dfaeb96776dc72dc93dbfd94 + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:9e33cbc0128aa1a34d6996c87fceac03a6aa05d1c18564a73abbb9b6a710fd6a + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" workspaces: - - name: workspace - name: git-auth optional: true + - name: netrc + optional: true taskRunTemplate: {} workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - name: git-auth secret: secretName: '{{ git_auth_secret }}' diff --git a/build-tools b/build-tools new file mode 160000 index 0000000..d00ba15 --- /dev/null +++ b/build-tools @@ -0,0 +1 @@ +Subproject commit d00ba15e41d3c1362cd6408eefaeb7b5a1eadece