chore: Update determine-image-tag and add Renovate config (#1772)

stackrox · Aug 6, 2024 · 60dacd1 · 60dacd1
1 parent adcbbe6
commit 60dacd1
Show file tree

Hide file tree

Showing 4 changed files with 105 additions and 96 deletions.
diff --git a/.github/renovate.json5 b/.github/renovate.json5
@@ -0,0 +1,38 @@
+{
+  // This configures Konflux Renovate bot, the thing that keeps our pipelines use up-to-date tasks.
+
+  // After making changes to this file, you can validate it by running something like this in the root of the repo:
+  // $ docker run --rm -it --entrypoint=/usr/local/bin/renovate-config-validator -v "$(pwd)":/mnt -w /mnt renovate/renovate --strict
+  // There are more validation options, see https://docs.renovatebot.com/config-validation/
+
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    // This inherits the base Konflux config.
+    // Clickable link https://github.com/konflux-ci/mintmaker/blob/main/config/renovate/renovate.json
+    // The following was used as example (we may want to check it if the base config gets suddenly moved):
+    // https://github.com/enterprise-contract/ec-cli/blob/407847910ad420850385eea1db78e2a2e49c7e25/renovate.json#L1C1-L7C2
+    "github>konflux-ci/mintmaker//config/renovate/renovate.json"
+  ],
+  "timezone": "Etc/UTC",
+  "schedule": [
+    // Allowed syntax: https://docs.renovatebot.com/configuration-options/#schedule
+    // The time was selected (with the help of https://time.fyi/timezones) so that Renovate isn't active during business
+    // hours from Germany to US West Coast. This way, after we merge a PR, a new one does not pop up immediately after
+    // that.
+    "after 3am and before 7am"
+  ],
+  // Tell Renovate not to update PRs when outside of schedule.
+  "updateNotScheduled": false,
+  "dockerfile": {
+    "includePaths": [
+      // Instruct Renovate not try to update Dockerfiles other than konflux.Dockerfile (or konflux.anything.Dockerfile)
+      // to have less PR noise.
+      "**/*konflux*.Dockerfile",
+    ],
+  },
+  "enabledManagers": [
+    // Restrict Renovate focus on Konflux things since we rely on GitHub's dependabot for everything else.
+    "tekton",
+    "dockerfile",
+  ],
+}
diff --git a/.tekton/collector-component-pipeline.yaml b/.tekton/collector-component-pipeline.yaml
@@ -167,7 +167,7 @@ spec:
     - name: SOURCE_ARTIFACT
       value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
     taskRef:
-      name: determine-image-tag-oci-ta
+      name: determine-image-tag
 
   - name: prefetch-dependencies
     params:
@@ -209,7 +209,7 @@ spec:
       value: $(params.build-target-stage)
     - name: BUILD_ARGS
       value:
-        - COLLECTOR_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
+      - COLLECTOR_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
     - name: SOURCE_ARTIFACT
       value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
     - name: CACHI2_ARTIFACT
@@ -364,60 +364,60 @@ spec:
 
   - name: build-image-manifest
     params:
-      - name: IMAGE
-        value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)
-      - name: COMMIT_SHA
-        value: $(tasks.clone-repository.results.commit)
-      - name: IMAGES
-        value:
-          - $(tasks.build-container-amd64.results.IMAGE_REF)
-          - $(tasks.build-container-s390x.results.IMAGE_REF)
-          - $(tasks.build-container-ppc64le.results.IMAGE_REF)
-          - $(tasks.build-container-arm64.results.IMAGE_REF)
+    - name: IMAGE
+      value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)
+    - name: COMMIT_SHA
+      value: $(tasks.clone-repository.results.commit)
+    - name: IMAGES
+      value:
+      - $(tasks.build-container-amd64.results.IMAGE_REF)
+      - $(tasks.build-container-s390x.results.IMAGE_REF)
+      - $(tasks.build-container-ppc64le.results.IMAGE_REF)
+      - $(tasks.build-container-arm64.results.IMAGE_REF)
     taskRef:
       params:
-        - name: name
-          value: build-image-manifest
-        - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:71cdb1cedcfe5ea97c51d3b2a4e6bef4e04bd035efd90c9bb5a28ef5e48640ea
-        - name: kind
-          value: task
+      - name: name
+        value: build-image-manifest
+      - name: bundle
+        value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:71cdb1cedcfe5ea97c51d3b2a4e6bef4e04bd035efd90c9bb5a28ef5e48640ea
+      - name: kind
+        value: task
       resolver: bundles
     when:
-      - input: $(tasks.init.results.build)
-        operator: in
-        values: [ "true" ]
+    - input: $(tasks.init.results.build)
+      operator: in
+      values: [ "true" ]
 
   - name: build-image-manifest-extra
     matrix:
       params:
-        - name: IMAGE
-          value:
-            - $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-latest
-            - $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-slim
-            - $(params.output-image-repo):konflux-$(params.revision)
-    params:
-      - name: COMMIT_SHA
-        value: $(tasks.clone-repository.results.commit)
-      - name: IMAGES
+      - name: IMAGE
         value:
-          - $(tasks.build-container-amd64.results.IMAGE_REF)
-          - $(tasks.build-container-s390x.results.IMAGE_REF)
-          - $(tasks.build-container-ppc64le.results.IMAGE_REF)
-          - $(tasks.build-container-arm64.results.IMAGE_REF)
+        - $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-latest
+        - $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-slim
+        - $(params.output-image-repo):konflux-$(params.revision)
+    params:
+    - name: COMMIT_SHA
+      value: $(tasks.clone-repository.results.commit)
+    - name: IMAGES
+      value:
+      - $(tasks.build-container-amd64.results.IMAGE_REF)
+      - $(tasks.build-container-s390x.results.IMAGE_REF)
+      - $(tasks.build-container-ppc64le.results.IMAGE_REF)
+      - $(tasks.build-container-arm64.results.IMAGE_REF)
     taskRef:
       params:
-        - name: name
-          value: build-image-manifest
-        - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:71cdb1cedcfe5ea97c51d3b2a4e6bef4e04bd035efd90c9bb5a28ef5e48640ea
-        - name: kind
-          value: task
+      - name: name
+        value: build-image-manifest
+      - name: bundle
+        value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:71cdb1cedcfe5ea97c51d3b2a4e6bef4e04bd035efd90c9bb5a28ef5e48640ea
+      - name: kind
+        value: task
       resolver: bundles
     when:
-      - input: $(tasks.init.results.build)
-        operator: in
-        values: [ "true" ]
+    - input: $(tasks.init.results.build)
+      operator: in
+      values: [ "true" ]
 
   - name: build-source-image
     params:
@@ -546,8 +546,8 @@ spec:
 
   - name: sast-snyk-check
     params:
-      - name: SOURCE_ARTIFACT
-        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+    - name: SOURCE_ARTIFACT
+      value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
     taskRef:
       params:
       - name: name

diff --git a/.tekton/determine-image-tag-oci-ta.yaml b/.tekton/determine-image-tag-oci-ta.yaml
diff --git a/.tekton/determine-image-tag-task.yaml b/.tekton/determine-image-tag-task.yaml
@@ -7,23 +7,38 @@ metadata:
 spec:
   description: Determines the tag for the output image using the StackRox convention from 'make tag' output.
   params:
-  - name: tag-suffix
+  - name: TAG_SUFFIX
     description: Suffix to append to generated image tag.
     type: string
+  - name: SOURCE_ARTIFACT
+    description: The Trusted Artifact URI pointing to the artifact with
+      the application source code. This should be the result of the git-clone task,
+      results from other tasks might fail as dirty.
+    type: string
   results:
-  - name: image-tag
+  - name: IMAGE_TAG
     description: Image Tag determined by custom logic.
+  volumes:
+  - name: workdir
+    emptyDir: { }
+  stepTemplate:
+    volumeMounts:
+    - mountPath: /var/workdir
+      name: workdir
   steps:
+  - name: use-trusted-artifact
+    image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a
+    args:
+    - use
+    - $(params.SOURCE_ARTIFACT)=/var/workdir/source
   - name: determine-image-tag
     image: registry.access.redhat.com/ubi8:latest
+    workingDir: /var/workdir/source
     script: |
       #!/usr/bin/env bash
       set -euo pipefail
       dnf -y upgrade --nobest
       dnf -y install git make
-      cd "$(workspaces.source.path)/source"
+
       .konflux/scripts/fail-build-if-git-is-dirty.sh
-      echo -n "$(make --quiet --no-print-directory tag)$(params.tag-suffix)" | tee "$(results.image-tag.path)"
-  workspaces:
-  - name: source
-    description: The workspace where source code is included.
+      echo -n "$(make --quiet --no-print-directory tag)$(params.TAG_SUFFIX)" | tee "$(results.IMAGE_TAG.path)"