Release EC images built together

This commit changes the tenant release pipeline so it understands that
both the CLI and the bundle images are built within the same build
Pipeline. It also removes the need to use different release Pipelines
for each image.

Signed-off-by: Luiz Carvalho <[email protected]>

Makefile

@@ -83,11 +83,6 @@ build-for-test: dist/ec_$(BUILD_IMG_ARCH)
 clean: ## Delete build output
 	@rm -f dist/*
 
-.PHONY: generate-pipelines
-generate-pipelines: ## Generate release pipelines
-	kustomize build ./release/src/cli --output ./release/cli.yaml
-	kustomize build ./release/src/tekton-task --output ./release/tekton-task.yaml
-
 ##@ Testing
 
 # Declutter the output by grepping out the files where there are no

hack/copy-snapshot-image.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+SNAPSHOT_SPEC=$1
+TARGET_REPO=$2
+
+echo "Target repo: ${TARGET_REPO}"
+
+echo "Verifying snapshot contains a single component"
+echo "${SNAPSHOT_SPEC}" | jq -e '.components | length == 1' > /dev/null
+
+GIT_SHA="$(echo "${SNAPSHOT_SPEC}" | jq -r '.components[0].source.git.revision')"
+IMAGE_REF="$(echo "${SNAPSHOT_SPEC}" | jq -r '.components[0].containerImage')"
+
+TAGS=(
+    'latest'
+    "${GIT_SHA}"
+)
+for tag in "${TAGS[@]}"; do
+    echo "Pushing image with tag ${tag}"
+    cosign copy --force "${IMAGE_REF}" "${TARGET_REPO}:${tag}"
+done

hack/expand-snapshot.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+# Copyright The Enterprise Contract Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+# This script is meant to take an existing snapshot reference which includes just
+# the EC CLI image and use that to create a new snapshot which includes the EC Tekton
+# bundle image.
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# Release service includes the namespace with the resource name. Let's clean that up.
+SNAPSHOT_NAME="${1#*/}"
+CLI_SNAPSHOT_PATH=$2
+BUNDLE_SNAPSHOT_PATH=$3
+
+echo "Fetching ${SNAPSHOT_NAME} snapshot"
+SNAPSHOT_SPEC="$(oc get snapshot ${SNAPSHOT_NAME} -o json | jq '.spec')"
+echo "${SNAPSHOT_SPEC}"
+
+echo "Verifying snapshot contains a single component"
+echo "${SNAPSHOT_SPEC}" | jq -e '.components | length == 1' > /dev/null
+
+CLI_IMAGE_REF="$(echo "${SNAPSHOT_SPEC}" | jq -r '.components[0].containerImage')"
+echo "CLI image ref: ${CLI_IMAGE_REF}"
+
+echo "Storing EC CLI snapshot in ${CLI_SNAPSHOT_PATH}"
+echo "${SNAPSHOT_SPEC}" > "${CLI_SNAPSHOT_PATH}"
+
+BUNDLE_IMAGE_REF="$(
+    cosign download attestation "${CLI_IMAGE_REF}" | jq -r '.payload | @base64d | fromjson |
+        .predicate.buildConfig.tasks[] | select(.name == "build-tekton-bundle") |
+        .results[] | select(.name == "IMAGE_REF") | .value'
+)"
+
+echo "Bundle image ref: ${BUNDLE_IMAGE_REF}"
+
+echo "Creating new snapshot spec for bundle and storing in ${BUNDLE_SNAPSHOT_PATH}"
+echo "${SNAPSHOT_SPEC}" | jq  --arg bundle "${BUNDLE_IMAGE_REF}" \
+    '.components[0].name = "tekton-bundle" | .components[0].containerImage = $bundle' | \
+    tee "${BUNDLE_SNAPSHOT_PATH}"

release/README.md

@@ -1,19 +1,17 @@
-# Release Pipelines
+# Release Pipeline
 
-This directory contains the Tekton Pipelines used to release EC from the main branch. These
-Pipelines execute in [Konflux](https://konflux-ci.dev/).
-
-The Pipelines are generated via [kustomize](https://kustomize.io/) from the `src` directory. To
-make changes to the Pipelines, update the corresponding files in that directory and run the
-`make generate-pipelines` command (requires `kustomize`).
+This directory contains the Tekton Pipeline used to release EC from the main branch. The Pipeline
+executes in [Konflux](https://konflux-ci.dev/).
 
 ## Setup
 
-The [setup.yaml](setup.yaml) file should be applied to the namespace where the release Pipeliens
+The [setup.yaml](setup.yaml) file should be applied to the namespace where the release Pipeline
 will run. This creates a ServiceAccount with access to perform the release.
 
-## Why are there two Pipelines?
+## Why are there two verify-enterprise-contract Tasks?
 
-Currently, it is not possible to specify the EC policy in the ReleasePlan, nor any general Pipeline
-parameter. Because the CLI and the Tekton Task require different EC policies, the only way to
-achieve this is by using different Pipelines with different default values for the EC policy.
+The CLI and the bundle images require different EC policies. The bundle image, for example, does not
+include binary content, as such, it makes little sense to run scan it with an anti-virus for example.
+Currently, it is not possible to use a single EC policy for different components, but there are plans
+for doing so. When that becomes a reality, a single snapshot and a single execution of the
+verify-enterprise-contract would be sufficient.