Merge branch 'main' into private_repos

.tekton/tasks/e2e-test.yaml

@@ -22,7 +22,7 @@ spec:
       type: string
   steps:
     - name: e2e-test
-      image: quay.io/redhat-appstudio/e2e-tests:aee2181831ab240041e83f1c9036532415f45ccf
+      image: quay.io/redhat-appstudio/e2e-tests:27b9e94fee065d8de74a82f5ca726df6c40fd64a
       # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened
       # against build-definitions to update this tag
       args: [

.tekton/tasks/ec-checks.yaml

@@ -24,7 +24,7 @@ spec:
       $(all_tasks_dir all_tasks-ec)
   - name: validate-all-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:3d9c4a6468a7bff3958c2845f0faca982484c11ba9a335cdae4b1c4f5066da63
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:c9a6554179211cce61405e21903a4e2ee48df33411aa50bf19a495ba2c303c5e
     script: |
       set -euo pipefail
 
@@ -38,7 +38,7 @@ spec:
       ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]}
   - name: validate-build-tasks
     workingDir: "$(workspaces.source.path)/source"
-    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:3d9c4a6468a7bff3958c2845f0faca982484c11ba9a335cdae4b1c4f5066da63
+    image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:c9a6554179211cce61405e21903a4e2ee48df33411aa50bf19a495ba2c303c5e
     script: |
       set -euo pipefail
 

pipelines/docker-build-rhtap/patch.yaml

@@ -28,6 +28,13 @@
     type: string
     default: "push"
     description: "Event that triggered the pipeline run, e.g. push, pull_request"
+- op: add
+  path: /spec/params/-
+  value:
+    name: build-args-file
+    description: Path to a file with build arguments which will be passed to podman during build
+    type: string
+    default: ""
 - op: add
   path: /spec/results/-
   value:
@@ -51,6 +58,8 @@
       value: "$(params.image-expires-after)"
     - name: COMMIT_SHA
       value: "$(tasks.clone-repository.results.commit)"
+    - name: BUILD_ARGS_FILE
+      value: "$(params.build-args-file)"
 # Remove tasks
 # Example - yq .spec.tasks.[].name ../build-definitions/pipelines/template-build/template-build.yaml | nl -v 0
 # to compute offsets

pipelines/docker-build/patch.yaml

@@ -13,6 +13,13 @@
   value:
     name: buildah
     version: "0.1"
+- op: add
+  path: /spec/params/-
+  value:
+    name: build-args-file
+    description: Path to a file with build arguments which will be passed to podman during build
+    type: string
+    default: ""
 - op: add
   path: /spec/tasks/3/params
   value:
@@ -30,6 +37,8 @@
     value: "$(params.image-expires-after)"
   - name: COMMIT_SHA
     value: "$(tasks.clone-repository.results.commit)"
+  - name: BUILD_ARGS_FILE
+    value: "$(params.build-args-file)"
 - op: add
   path: /spec/results/-
   value:

pipelines/enterprise-contract-everything.yaml

@@ -65,7 +65,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8
           - name: name
             value: verify-enterprise-contract
           - name: kind

pipelines/enterprise-contract-redhat-no-hermetic.yaml

@@ -65,7 +65,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8
           - name: name
             value: verify-enterprise-contract
           - name: kind

pipelines/enterprise-contract-redhat.yaml

@@ -65,7 +65,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8
           - name: name
             value: verify-enterprise-contract
           - name: kind

pipelines/enterprise-contract-slsa3.yaml

@@ -65,7 +65,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8
           - name: name
             value: verify-enterprise-contract
           - name: kind

pipelines/enterprise-contract.yaml

@@ -66,7 +66,7 @@ spec:
         resolver: bundles
         params:
           - name: bundle
-            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0
+            value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8
           - name: name
             value: verify-enterprise-contract
           - name: kind

pipelines/template-build/template-build.yaml

@@ -53,10 +53,6 @@ spec:
       description: Build a source image.
       type: string
       default: "false"
-    - name: build-args-file
-      description: Path to a file with build arguments which will be passed to podman during build
-      type: string
-      default: ""
   tasks:
     - name: init
       params:
@@ -105,14 +101,13 @@ spec:
       workspaces:
         - name: source
           workspace: workspace
+        - name: git-basic-auth
+          workspace: git-auth
     - name: build-container
       when:
       - input: $(tasks.init.results.build)
         operator: in
         values: ["true"]
-      params:
-        - name: BUILD_ARGS_FILE
-          value: "$(params.build-args-file)"
       runAfter:
         - prefetch-dependencies
       taskRef:

task/acs-deploy-check/0.1/acs-deploy-check.yaml

@@ -124,7 +124,7 @@ spec:
         fi
 
     - name: report
-      image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7
+      image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2
       volumeMounts:
         - name: repository
           mountPath: /workspace/repository

task/acs-image-check/0.1/acs-image-check.yaml

@@ -53,7 +53,7 @@ spec:
         oc annotate taskrun $(context.taskRun.name) task.output.location=logs
 
     - name: rox-image-check
-      image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7
+      image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2
       volumeMounts:
         - name: rox-secret
           mountPath: /rox-secret
@@ -121,7 +121,7 @@ spec:
         cp roxctl_image_check_output.json /steps-shared-folder/acs-image-check.json
 
     - name: report
-      image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7
+      image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2
       volumeMounts:
         - name: shared-folder
           mountPath: /steps-shared-folder

task/acs-image-scan/0.1/acs-image-scan.yaml

@@ -60,7 +60,7 @@ spec:
         oc annotate taskrun $(context.taskRun.name) task.output.location=logs
 
     - name: rox-image-scan
-      image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7
+      image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2
       volumeMounts:
         - name: rox-secret
           mountPath: /rox-secret
@@ -160,7 +160,7 @@ spec:
         set_test_output_result SUCCESS "$note"
 
     - name: report
-      image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7
+      image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2
       volumeMounts:
         - name: shared-folder
           mountPath: /steps-shared-folder

task/buildah-remote/0.1/buildah-remote.yaml

@@ -108,8 +108,6 @@ spec:
       value: vfs
     - name: HERMETIC
       value: $(params.HERMETIC)
-    - name: PREFETCH_INPUT
-      value: $(params.PREFETCH_INPUT)
     - name: CONTEXT
       value: $(params.CONTEXT)
     - name: DOCKERFILE
@@ -245,8 +243,8 @@ spec:
         BUILDAH_ARGS+=("--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}")
       fi
 
-      if [ -n "${PREFETCH_INPUT}" ]; then
-        cp -r cachi2 /tmp/
+      if [ -d "$(workspaces.source.path)/cachi2" ]; then
+        cp -r "$(workspaces.source.path)/cachi2" /tmp/
         chmod -R go+rwX /tmp/cachi2
         VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2"
         sed -i 's|^\s*run |RUN . /cachi2/cachi2.env \&\& \\\n    |i' "$dockerfile_path"
@@ -301,7 +299,7 @@ spec:
       echo $container > /workspace/container_name
 
       # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
-      if [ -n "${PREFETCH_INPUT}" ]; then
+      if [ -d "$(workspaces.source.path)/cachi2" ]; then
         cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json
       fi
 
@@ -323,7 +321,6 @@ spec:
        -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \
        -e STORAGE_DRIVER="$STORAGE_DRIVER" \
        -e HERMETIC="$HERMETIC" \
-       -e PREFETCH_INPUT="$PREFETCH_INPUT" \
        -e CONTEXT="$CONTEXT" \
        -e DOCKERFILE="$DOCKERFILE" \
        -e IMAGE="$IMAGE" \
@@ -390,7 +387,7 @@ spec:
     - mountPath: /var/lib/containers
       name: varlibcontainers
   - computeResources: {}
-    image: registry.access.redhat.com/ubi9/python-39:1-165@sha256:4da8ddb12096a31d8d50e58ea479ba2fe2f252f215fbaf5bf90923a1827463ba
+    image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a
     name: merge-syft-sboms
     script: |
       #!/bin/python3
@@ -428,7 +425,7 @@ spec:
     image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8
     name: merge-cachi2-sbom
     script: |
-      if [ -n "${PREFETCH_INPUT}" ]; then
+      if [ -d "$(workspaces.source.path)/cachi2" ]; then
         echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json"
         /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json
         mv sbom-temp.json sbom-cyclonedx.json
@@ -439,7 +436,7 @@ spec:
       runAsUser: 0
     workingDir: $(workspaces.source.path)
   - computeResources: {}
-    image: registry.access.redhat.com/ubi9/python-39:1-165@sha256:4da8ddb12096a31d8d50e58ea479ba2fe2f252f215fbaf5bf90923a1827463ba
+    image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a
     name: create-purl-sbom
     script: |
       #!/bin/python3

task/buildah-rhtap/0.1/buildah-rhtap.yaml

@@ -28,6 +28,10 @@ spec:
     description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)
     name: TLSVERIFY
     type: string
+  - name: BUILD_ARGS_FILE
+    description: Path to a file with build arguments which will be passed to podman during build
+    type: string
+    default: ""
   results:
   - description: Digest of the image just built
     name: IMAGE_DIGEST
@@ -49,9 +53,11 @@ spec:
       value: $(params.IMAGE)
     - name: TLSVERIFY
       value: $(params.TLSVERIFY)
+    - name: BUILD_ARGS_FILE
+      value: $(params.BUILD_ARGS_FILE)
   steps:
   - name: build
-    image: registry.access.redhat.com/ubi9/buildah@sha256:d28590e6ff9933a50be664e95a99ed9c85e0d50101ddc7f8f7cfc9ceea57fe30
+    image: registry.access.redhat.com/ubi9/buildah@sha256:3b11aae36f6c762e01731952ee6fb8e89c41660ce410e4c30d0bfc6496bca93c
     script: |
       # Check if the Dockerfile exists
       SOURCE_CODE_DIR=source
@@ -64,8 +70,14 @@ spec:
         exit 1
       fi
 
+      BUILDAH_ARGS=()
+      if [ -n "${BUILD_ARGS_FILE}" ]; then
+        BUILDAH_ARGS+=("--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}")
+      fi
+
       # Build the image
       buildah build \
+        ${BUILDAH_ARGS[@]} \
         --tls-verify=$TLSVERIFY \
         --ulimit nofile=4096:4096 \
         -f "$dockerfile_path" -t $IMAGE $SOURCE_CODE_DIR/$CONTEXT
@@ -111,7 +123,7 @@ spec:
       name: tmpfiles
 
   - name: merge-sboms
-    image: registry.access.redhat.com/ubi8/python-311@sha256:8ded4b6d8087706b6819ddda5d31f22b80e5aa4efa772e94d750699ccfbf98eb
+    image: registry.access.redhat.com/ubi8/python-311@sha256:634918e88adb803029a99cb1a5a6bb42834c2560ee098e87677efdaf7309380d
     env:
       - name: RESULT_PATH
         value: $(results.SBOM_BLOB_URL.path)

task/buildah/0.1/buildah.yaml

@@ -96,8 +96,6 @@ spec:
       value: vfs
     - name: HERMETIC
       value: $(params.HERMETIC)
-    - name: PREFETCH_INPUT
-      value: $(params.PREFETCH_INPUT)
     - name: CONTEXT
       value: $(params.CONTEXT)
     - name: DOCKERFILE
@@ -197,8 +195,8 @@ spec:
         BUILDAH_ARGS+=("--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}")
       fi
 
-      if [ -n "${PREFETCH_INPUT}" ]; then
-        cp -r cachi2 /tmp/
+      if [ -d "$(workspaces.source.path)/cachi2" ]; then
+        cp -r "$(workspaces.source.path)/cachi2" /tmp/
         chmod -R go+rwX /tmp/cachi2
         VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2"
         sed -i 's|^\s*run |RUN . /cachi2/cachi2.env \&\& \\\n    |i' "$dockerfile_path"
@@ -253,7 +251,7 @@ spec:
       echo $container > /workspace/container_name
 
       # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later
-      if [ -n "${PREFETCH_INPUT}" ]; then
+      if [ -d "$(workspaces.source.path)/cachi2" ]; then
         cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json
       fi
 
@@ -306,7 +304,7 @@ spec:
       runAsUser: 0
 
   - name: merge-syft-sboms
-    image: registry.access.redhat.com/ubi9/python-39:1-165@sha256:4da8ddb12096a31d8d50e58ea479ba2fe2f252f215fbaf5bf90923a1827463ba
+    image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a
     script: |
       #!/bin/python3
       import json
@@ -343,7 +341,7 @@ spec:
   - name: merge-cachi2-sbom
     image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8
     script: |
-      if [ -n "${PREFETCH_INPUT}" ]; then
+      if [ -d "$(workspaces.source.path)/cachi2" ]; then
         echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json"
         /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json
         mv sbom-temp.json sbom-cyclonedx.json
@@ -355,7 +353,7 @@ spec:
       runAsUser: 0
 
   - name: create-purl-sbom
-    image: registry.access.redhat.com/ubi9/python-39:1-165@sha256:4da8ddb12096a31d8d50e58ea479ba2fe2f252f215fbaf5bf90923a1827463ba
+    image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a
     script: |
       #!/bin/python3
       import json

task/deprecated-image-check/0.1/README.md

@@ -3,7 +3,7 @@
 ## Deprecation notice
 
 This task version is deprecated, please use the latest version.
-Deprecation date: 2024-04-30
+Deprecation date: 2024-06-01
 
 ## Description:
 The deprecated-image-check checks for deprecated images that are no longer maintained and prone to security issues.

task/deprecated-image-check/0.1/deprecated-image-check.yaml

@@ -6,6 +6,7 @@ metadata:
   annotations:
     tekton.dev/pipelines.minVersion: "0.12.1"
     tekton.dev/tags: "appstudio, hacbs"
+    build.appstudio.redhat.com/expires-on: "2024-06-01T00:00:00Z"
   name: deprecated-image-check
 spec:
   description: >-

task/deprecated-image-check/0.2/README.md

@@ -3,7 +3,7 @@
 ## Deprecation notice
 
 This task version is deprecated, please use the latest version.
-Deprecation date: 2024-04-30
+Deprecation date: 2024-06-01
 
 ## Description:
 The deprecated-image-check checks for deprecated images that are no longer maintained and prone to security issues.

task/deprecated-image-check/0.2/deprecated-image-check.yaml

@@ -6,6 +6,7 @@ metadata:
   annotations:
     tekton.dev/pipelines.minVersion: "0.12.1"
     tekton.dev/tags: "appstudio, hacbs"
+    build.appstudio.redhat.com/expires-on: "2024-06-01T00:00:00Z"
   name: deprecated-image-check
 spec:
   description: >-