From a3255406c7d002d1c1a74493ee7ba23796d96556 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Thu, 16 May 2024 18:46:09 +0200 Subject: [PATCH] Factor a common `collector-component-pipeline` and use it everywhere. --- .tekton/collector-component-pipeline.yaml | 426 ++++++++++++++++++++++ .tekton/collector-pull-request.yaml | 423 +-------------------- .tekton/collector-push.yaml | 423 +-------------------- .tekton/collector-slim-pull-request.yaml | 423 +-------------------- .tekton/collector-slim-push.yaml | 423 +-------------------- 5 files changed, 434 insertions(+), 1684 deletions(-) create mode 100644 .tekton/collector-component-pipeline.yaml diff --git a/.tekton/collector-component-pipeline.yaml b/.tekton/collector-component-pipeline.yaml new file mode 100644 index 00000000000..ab79fc8fbd7 --- /dev/null +++ b/.tekton/collector-component-pipeline.yaml @@ -0,0 +1,426 @@ +apiVersion: tekton.dev/v1 +kind: Pipeline +metadata: + name: collector-component-pipeline + +spec: + + finally: + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca + - name: kind + value: task + resolver: bundles + - name: show-summary + params: + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + - name: build-task-status + value: $(tasks.build-container.status) + workspaces: + - name: workspace + workspace: workspace + taskRef: + params: + - name: name + value: summary + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 + - name: kind + value: task + resolver: bundles + + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Output Image Repository + name: output-image-repo + type: string + - description: Suffix appended to the tag of the output image + name: output-tag-suffix + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched by Cachi2 + name: prefetch-input + type: string + - default: "false" + description: Java build + name: java + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "true" + description: Initialize and fetch git submodules during cloning of repository. + name: clone-submodules + - default: "true" + description: Build a source image. + name: build-source-image + type: string + - default: "" + description: Build stage to target in container build + name: build-target-stage + type: string + + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + - description: "" + name: JAVA_COMMUNITY_DEPENDENCIES + value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) + + workspaces: + - name: workspace + - name: git-auth + - name: subscription-manager-activation-key + + tasks: + + - name: init + params: + - name: image-url + # We can't provide a real tag because it is not known at this time. + # We still provide a fake tag to the task to comply with the expected input. + # Because 'rebuild' is set to true, this has no effect. + # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers + value: $(params.output-image-repo):fake-tag + - name: rebuild + value: $(params.rebuild) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef + - name: kind + value: task + resolver: bundles + + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: submodules + value: $(params.clone-submodules) + - name: depth + value: "$(params.clone-depth)" + - name: fetchTags + value: "$(params.clone-fetch-tags)" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: output + workspace: workspace + - name: basic-auth + workspace: git-auth + + - name: determine-image-tag + runAfter: + # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. + - clone-repository + taskRef: + name: determine-image-tag + workspaces: + - name: source + workspace: workspace + + - name: prepare-rhel-rpm-subscriptions + runAfter: + - determine-image-tag + workspaces: + - name: source + workspace: workspace + - name: subscription-manager-activation-key + workspace: subscription-manager-activation-key + taskSpec: + steps: + # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. + - name: smuggle-activation-key + image: registry.access.redhat.com/ubi8/ubi:latest + script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle + + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + runAfter: + - determine-image-tag + taskRef: + params: + - name: name + value: prefetch-dependencies + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 + - name: kind + value: task + resolver: bundles + workspaces: + - name: source + workspace: workspace + + - name: build-container + params: + - name: IMAGE + value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: TARGET_STAGE + value: $(params.build-target-stage) + runAfter: + - prefetch-dependencies + - prepare-rhel-rpm-subscriptions + taskRef: + params: + - name: name + value: buildah + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: source + workspace: workspace + + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-container.results.IMAGE_URL) + - name: BASE_IMAGES + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + runAfter: + - build-container + taskRef: + params: + - name: name + value: source-build + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + - input: $(params.build-source-image) + operator: in + values: [ "true" ] + workspaces: + - name: workspace + workspace: workspace + + - name: inspect-image + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: inspect-image + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: source + workspace: workspace + + - name: deprecated-base-image-check + params: + - name: BASE_IMAGES_DIGESTS + value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: sast-snyk-check + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: sast-snyk-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + workspaces: + - name: workspace + workspace: workspace + + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + runAfter: + - build-container + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: sbom-json-check + params: + - name: IMAGE_URL + value: $(tasks.build-container.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: sbom-json-check + - name: bundle + value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] diff --git a/.tekton/collector-pull-request.yaml b/.tekton/collector-pull-request.yaml index 18cbc69644b..b70a9d77107 100644 --- a/.tekton/collector-pull-request.yaml +++ b/.tekton/collector-pull-request.yaml @@ -75,424 +75,5 @@ spec: timeouts: pipeline: 1h30m0s - pipelineSpec: - - finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - - name: build-task-status - value: $(tasks.build-container.status) - workspaces: - - name: workspace - workspace: workspace - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 - - name: kind - value: task - resolver: bundles - - params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Output Image Repository - name: output-image-repo - type: string - - description: Suffix appended to the tag of the output image - name: output-tag-suffix - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. - name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - type: string - - default: "true" - description: Initialize and fetch git submodules during cloning of repository. - name: clone-submodules - - default: "true" - description: Build a source image. - name: build-source-image - type: string - - default: "" - description: Build stage to target in container build - name: build-target-stage - type: string - - results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) - - workspaces: - - name: workspace - - name: git-auth - - name: subscription-manager-activation-key - - tasks: - - - name: init - params: - - name: image-url - # We can't provide a real tag because it is not known at this time. - # We still provide a fake tag to the task to comply with the expected input. - # Because 'rebuild' is set to true, this has no effect. - # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers - value: $(params.output-image-repo):fake-tag - - name: rebuild - value: $(params.rebuild) - taskRef: - params: - - name: name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef - - name: kind - value: task - resolver: bundles - - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: submodules - value: $(params.clone-submodules) - - name: depth - value: "$(params.clone-depth)" - - name: fetchTags - value: "$(params.clone-fetch-tags)" - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth - - - name: determine-image-tag - runAfter: - # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. - - clone-repository - taskRef: - name: determine-image-tag - workspaces: - - name: source - workspace: workspace - - - name: prepare-rhel-rpm-subscriptions - runAfter: - - determine-image-tag - workspaces: - - name: source - workspace: workspace - - name: subscription-manager-activation-key - workspace: subscription-manager-activation-key - taskSpec: - steps: - # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. - - name: smuggle-activation-key - image: registry.access.redhat.com/ubi8/ubi:latest - script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle - - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - determine-image-tag - taskRef: - params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 - - name: kind - value: task - resolver: bundles - workspaces: - - name: source - workspace: workspace - - - name: build-container - params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: TARGET_STAGE - value: $(params.build-target-stage) - runAfter: - - prefetch-dependencies - - prepare-rhel-rpm-subscriptions - taskRef: - params: - - name: name - value: buildah - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: source - workspace: workspace - - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(tasks.build-container.results.IMAGE_URL) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: - params: - - name: name - value: source-build - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - input: $(params.build-source-image) - operator: in - values: [ "true" ] - workspaces: - - name: workspace - workspace: workspace - - - name: inspect-image - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: inspect-image - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: source - workspace: workspace - - - name: deprecated-base-image-check - params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clair-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: workspace - workspace: workspace - - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + pipelineRef: + name: collector-component-pipeline diff --git a/.tekton/collector-push.yaml b/.tekton/collector-push.yaml index 2c181e7d71c..4fd01824acf 100644 --- a/.tekton/collector-push.yaml +++ b/.tekton/collector-push.yaml @@ -75,424 +75,5 @@ spec: timeouts: pipeline: 1h30m0s - pipelineSpec: - - finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - - name: build-task-status - value: $(tasks.build-container.status) - workspaces: - - name: workspace - workspace: workspace - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 - - name: kind - value: task - resolver: bundles - - params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Output Image Repository - name: output-image-repo - type: string - - description: Suffix appended to the tag of the output image - name: output-tag-suffix - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. - name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - type: string - - default: "true" - description: Initialize and fetch git submodules during cloning of repository. - name: clone-submodules - - default: "true" - description: Build a source image. - name: build-source-image - type: string - - default: "" - description: Build stage to target in container build - name: build-target-stage - type: string - - results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) - - workspaces: - - name: workspace - - name: git-auth - - name: subscription-manager-activation-key - - tasks: - - - name: init - params: - - name: image-url - # We can't provide a real tag because it is not known at this time. - # We still provide a fake tag to the task to comply with the expected input. - # Because 'rebuild' is set to true, this has no effect. - # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers - value: $(params.output-image-repo):fake-tag - - name: rebuild - value: $(params.rebuild) - taskRef: - params: - - name: name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef - - name: kind - value: task - resolver: bundles - - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: submodules - value: $(params.clone-submodules) - - name: depth - value: "$(params.clone-depth)" - - name: fetchTags - value: "$(params.clone-fetch-tags)" - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth - - - name: determine-image-tag - runAfter: - # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. - - clone-repository - taskRef: - name: determine-image-tag - workspaces: - - name: source - workspace: workspace - - - name: prepare-rhel-rpm-subscriptions - runAfter: - - determine-image-tag - workspaces: - - name: source - workspace: workspace - - name: subscription-manager-activation-key - workspace: subscription-manager-activation-key - taskSpec: - steps: - # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. - - name: smuggle-activation-key - image: registry.access.redhat.com/ubi8/ubi:latest - script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle - - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - determine-image-tag - taskRef: - params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 - - name: kind - value: task - resolver: bundles - workspaces: - - name: source - workspace: workspace - - - name: build-container - params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: TARGET_STAGE - value: $(params.build-target-stage) - runAfter: - - prefetch-dependencies - - prepare-rhel-rpm-subscriptions - taskRef: - params: - - name: name - value: buildah - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: source - workspace: workspace - - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(tasks.build-container.results.IMAGE_URL) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: - params: - - name: name - value: source-build - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - input: $(params.build-source-image) - operator: in - values: [ "true" ] - workspaces: - - name: workspace - workspace: workspace - - - name: inspect-image - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: inspect-image - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: source - workspace: workspace - - - name: deprecated-base-image-check - params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clair-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: workspace - workspace: workspace - - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + pipelineRef: + name: collector-component-pipeline diff --git a/.tekton/collector-slim-pull-request.yaml b/.tekton/collector-slim-pull-request.yaml index fbe69acebee..8810d5ddabc 100644 --- a/.tekton/collector-slim-pull-request.yaml +++ b/.tekton/collector-slim-pull-request.yaml @@ -75,424 +75,5 @@ spec: timeouts: pipeline: 1h30m0s - pipelineSpec: - - finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - - name: build-task-status - value: $(tasks.build-container.status) - workspaces: - - name: workspace - workspace: workspace - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 - - name: kind - value: task - resolver: bundles - - params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Output Image Repository - name: output-image-repo - type: string - - description: Suffix appended to the tag of the output image - name: output-tag-suffix - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. - name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - type: string - - default: "true" - description: Initialize and fetch git submodules during cloning of repository. - name: clone-submodules - - default: "true" - description: Build a source image. - name: build-source-image - type: string - - default: "" - description: Build stage to target in container build - name: build-target-stage - type: string - - results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) - - workspaces: - - name: workspace - - name: git-auth - - name: subscription-manager-activation-key - - tasks: - - - name: init - params: - - name: image-url - # We can't provide a real tag because it is not known at this time. - # We still provide a fake tag to the task to comply with the expected input. - # Because 'rebuild' is set to true, this has no effect. - # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers - value: $(params.output-image-repo):fake-tag - - name: rebuild - value: $(params.rebuild) - taskRef: - params: - - name: name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef - - name: kind - value: task - resolver: bundles - - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: submodules - value: $(params.clone-submodules) - - name: depth - value: "$(params.clone-depth)" - - name: fetchTags - value: "$(params.clone-fetch-tags)" - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth - - - name: determine-image-tag - runAfter: - # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. - - clone-repository - taskRef: - name: determine-image-tag - workspaces: - - name: source - workspace: workspace - - - name: prepare-rhel-rpm-subscriptions - runAfter: - - determine-image-tag - workspaces: - - name: source - workspace: workspace - - name: subscription-manager-activation-key - workspace: subscription-manager-activation-key - taskSpec: - steps: - # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. - - name: smuggle-activation-key - image: registry.access.redhat.com/ubi8/ubi:latest - script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle - - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - determine-image-tag - taskRef: - params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 - - name: kind - value: task - resolver: bundles - workspaces: - - name: source - workspace: workspace - - - name: build-container - params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: TARGET_STAGE - value: $(params.build-target-stage) - runAfter: - - prefetch-dependencies - - prepare-rhel-rpm-subscriptions - taskRef: - params: - - name: name - value: buildah - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: source - workspace: workspace - - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(tasks.build-container.results.IMAGE_URL) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: - params: - - name: name - value: source-build - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - input: $(params.build-source-image) - operator: in - values: [ "true" ] - workspaces: - - name: workspace - workspace: workspace - - - name: inspect-image - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: inspect-image - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: source - workspace: workspace - - - name: deprecated-base-image-check - params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clair-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: workspace - workspace: workspace - - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + pipelineRef: + name: collector-component-pipeline diff --git a/.tekton/collector-slim-push.yaml b/.tekton/collector-slim-push.yaml index 663e8409bc3..4ce8a715ba7 100644 --- a/.tekton/collector-slim-push.yaml +++ b/.tekton/collector-slim-push.yaml @@ -75,424 +75,5 @@ spec: timeouts: pipeline: 1h30m0s - pipelineSpec: - - finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:1f90faefa39c2e4965793c1d8321e7d5d99a6c941276a9094a4e0d483a598fca - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - - name: build-task-status - value: $(tasks.build-container.status) - workspaces: - - name: workspace - workspace: workspace - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:bdf58a8a6bf10482fff841ce6c78c54e87d306bc6aae9515821c436d26daff35 - - name: kind - value: task - resolver: bundles - - params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Output Image Repository - name: output-image-repo - type: string - - description: Suffix appended to the tag of the output image - name: output-tag-suffix - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. - name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched by Cachi2 - name: prefetch-input - type: string - - default: "false" - description: Java build - name: java - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - type: string - - default: "true" - description: Initialize and fetch git submodules during cloning of repository. - name: clone-submodules - - default: "true" - description: Build a source image. - name: build-source-image - type: string - - default: "" - description: Build stage to target in container build - name: build-target-stage - type: string - - results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - - description: "" - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) - - workspaces: - - name: workspace - - name: git-auth - - name: subscription-manager-activation-key - - tasks: - - - name: init - params: - - name: image-url - # We can't provide a real tag because it is not known at this time. - # We still provide a fake tag to the task to comply with the expected input. - # Because 'rebuild' is set to true, this has no effect. - # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers - value: $(params.output-image-repo):fake-tag - - name: rebuild - value: $(params.rebuild) - taskRef: - params: - - name: name - value: init - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:686109bd8088258f73211618824aee5d3cf9e370f65fa3e85d361790a54260ef - - name: kind - value: task - resolver: bundles - - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: submodules - value: $(params.clone-submodules) - - name: depth - value: "$(params.clone-depth)" - - name: fetchTags - value: "$(params.clone-fetch-tags)" - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: output - workspace: workspace - - name: basic-auth - workspace: git-auth - - - name: determine-image-tag - runAfter: - # This task must run on a freshly cloned repository to prevent seeing any changes from other tasks. - - clone-repository - taskRef: - name: determine-image-tag - workspaces: - - name: source - workspace: workspace - - - name: prepare-rhel-rpm-subscriptions - runAfter: - - determine-image-tag - workspaces: - - name: source - workspace: workspace - - name: subscription-manager-activation-key - workspace: subscription-manager-activation-key - taskSpec: - steps: - # TODO(ROX-20651): use content sets instead of subscription manager for access to RHEL RPMs once available. - - name: smuggle-activation-key - image: registry.access.redhat.com/ubi8/ubi:latest - script: exec "$(workspaces.source.path)/source/.konflux/scripts/subscription-manager-bro.sh" smuggle - - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - runAfter: - - determine-image-tag - taskRef: - params: - - name: name - value: prefetch-dependencies - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052 - - name: kind - value: task - resolver: bundles - workspaces: - - name: source - workspace: workspace - - - name: build-container - params: - - name: IMAGE - value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: TARGET_STAGE - value: $(params.build-target-stage) - runAfter: - - prefetch-dependencies - - prepare-rhel-rpm-subscriptions - taskRef: - params: - - name: name - value: buildah - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - workspaces: - - name: source - workspace: workspace - - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(tasks.build-container.results.IMAGE_URL) - - name: BASE_IMAGES - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - runAfter: - - build-container - taskRef: - params: - - name: name - value: source-build - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:2d39df1d3aa17fad022ded5721bd12f4ed78d27040c9cd22395ebd3a2cdaf465 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] - - input: $(params.build-source-image) - operator: in - values: [ "true" ] - workspaces: - - name: workspace - workspace: workspace - - - name: inspect-image - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: inspect-image - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-inspect-image:0.1@sha256:919438843ea5368ec0c41c6b5f92363add4423118f9cd6ccf16bf23160fabc90 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: source - workspace: workspace - - - name: deprecated-base-image-check - params: - - name: BASE_IMAGES_DIGESTS - value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS) - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:6b1b325de0af29b6e9a0696f4d2b669a1e6a046941726cc97c5e42785aad870c - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clair-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.1@sha256:a6107f78e5fa9e087992f11d788701e4241d9875b153def796fb3bf257c3b7fd - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: sast-snyk-check - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: sast-snyk-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - workspaces: - - name: workspace - workspace: workspace - - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) - runAfter: - - build-container - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:6ba32717bd837ca0d5714b518cc4530e1f1d5bef137df54c02b0c2151b9d217e - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] - - - name: sbom-json-check - params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) - runAfter: - - build-container - taskRef: - params: - - name: name - value: sbom-json-check - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:dbd467a0507cff1981d3c98f683339feaab1b387c5b5fbf1ff957e9be2e27027 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: [ "false" ] + pipelineRef: + name: collector-component-pipeline