diff --git a/.tekton/tasks/e2e-test.yaml b/.tekton/tasks/e2e-test.yaml index 437632b197..32637d5a67 100644 --- a/.tekton/tasks/e2e-test.yaml +++ b/.tekton/tasks/e2e-test.yaml @@ -22,7 +22,7 @@ spec: type: string steps: - name: e2e-test - image: quay.io/redhat-appstudio/e2e-tests:aee2181831ab240041e83f1c9036532415f45ccf + image: quay.io/redhat-appstudio/e2e-tests:27b9e94fee065d8de74a82f5ca726df6c40fd64a # a la infra-deployment updates, when PRs merge in e2e-tests, PRs will be opened # against build-definitions to update this tag args: [ diff --git a/.tekton/tasks/ec-checks.yaml b/.tekton/tasks/ec-checks.yaml index 04ad50214b..cfc8343df9 100644 --- a/.tekton/tasks/ec-checks.yaml +++ b/.tekton/tasks/ec-checks.yaml @@ -24,7 +24,7 @@ spec: $(all_tasks_dir all_tasks-ec) - name: validate-all-tasks workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:3d9c4a6468a7bff3958c2845f0faca982484c11ba9a335cdae4b1c4f5066da63 + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:c9a6554179211cce61405e21903a4e2ee48df33411aa50bf19a495ba2c303c5e script: | set -euo pipefail @@ -38,7 +38,7 @@ spec: ec validate input --policy "${policy}" --output yaml --strict=true ${args[*]} - name: validate-build-tasks workingDir: "$(workspaces.source.path)/source" - image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:3d9c4a6468a7bff3958c2845f0faca982484c11ba9a335cdae4b1c4f5066da63 + image: quay.io/enterprise-contract/ec-cli:snapshot@sha256:c9a6554179211cce61405e21903a4e2ee48df33411aa50bf19a495ba2c303c5e script: | set -euo pipefail diff --git a/pipelines/docker-build-rhtap/patch.yaml b/pipelines/docker-build-rhtap/patch.yaml index 460d45bc59..4ed6df0ab2 100644 --- a/pipelines/docker-build-rhtap/patch.yaml +++ b/pipelines/docker-build-rhtap/patch.yaml 
@@ -28,6 +28,13 @@ type: string default: "push" description: "Event that triggered the pipeline run, e.g. push, pull_request" +- op: add + path: /spec/params/- + value: + name: build-args-file + description: Path to a file with build arguments which will be passed to podman during build + type: string + default: "" - op: add path: /spec/results/- value: @@ -51,6 +58,8 @@ value: "$(params.image-expires-after)" - name: COMMIT_SHA value: "$(tasks.clone-repository.results.commit)" + - name: BUILD_ARGS_FILE + value: "$(params.build-args-file)" # Remove tasks # Example - yq .spec.tasks.[].name ../build-definitions/pipelines/template-build/template-build.yaml | nl -v 0 # to compute offsets diff --git a/pipelines/docker-build/patch.yaml b/pipelines/docker-build/patch.yaml index f5c1018935..885147cc2d 100644 --- a/pipelines/docker-build/patch.yaml +++ b/pipelines/docker-build/patch.yaml @@ -13,6 +13,13 @@ value: name: buildah version: "0.1" +- op: add + path: /spec/params/- + value: + name: build-args-file + description: Path to a file with build arguments which will be passed to podman during build + type: string + default: "" - op: add path: /spec/tasks/3/params value: @@ -30,6 +37,8 @@ value: "$(params.image-expires-after)" - name: COMMIT_SHA value: "$(tasks.clone-repository.results.commit)" + - name: BUILD_ARGS_FILE + value: "$(params.build-args-file)" - op: add path: /spec/results/- value: diff --git a/pipelines/enterprise-contract-everything.yaml b/pipelines/enterprise-contract-everything.yaml index 31b5ae8d67..9342569128 100644 --- a/pipelines/enterprise-contract-everything.yaml +++ b/pipelines/enterprise-contract-everything.yaml 
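Review bot: The `build-args-file` description added to both pipeline patches says the file "will be passed to podman", but the tasks these params feed invoke `buildah build` with `--build-arg-file` (visible as context in the buildah and buildah-rhtap hunks later in this diff), so `description: Path to a file with build arguments which will be passed to buildah during build` would match what actually consumes it. The same sentence is repeated in pipelines/docker-build/patch.yaml and in task/buildah-rhtap/0.1, so all three copies should be changed together. It would also help callers to state that the path is resolved relative to the cloned source directory, since the task prefixes it with `${SOURCE_CODE_DIR}/` rather than using it as given.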
@@ -65,7 +65,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8 - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/enterprise-contract-redhat-no-hermetic.yaml b/pipelines/enterprise-contract-redhat-no-hermetic.yaml index 0bc7072c57..0816eddf95 100644 --- a/pipelines/enterprise-contract-redhat-no-hermetic.yaml +++ b/pipelines/enterprise-contract-redhat-no-hermetic.yaml @@ -65,7 +65,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8 - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/enterprise-contract-redhat.yaml b/pipelines/enterprise-contract-redhat.yaml index 1812e64499..651d57582a 100644 --- a/pipelines/enterprise-contract-redhat.yaml +++ b/pipelines/enterprise-contract-redhat.yaml @@ -65,7 +65,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8 - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/enterprise-contract-slsa3.yaml b/pipelines/enterprise-contract-slsa3.yaml index 2dde42307c..87a4878597 100644 --- a/pipelines/enterprise-contract-slsa3.yaml +++ b/pipelines/enterprise-contract-slsa3.yaml 
@@ -65,7 +65,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8 - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/enterprise-contract.yaml b/pipelines/enterprise-contract.yaml index 7b8990f688..9408c6bce7 100644 --- a/pipelines/enterprise-contract.yaml +++ b/pipelines/enterprise-contract.yaml @@ -66,7 +66,7 @@ spec: resolver: bundles params: - name: bundle - value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:473dc02c4b35b58c8d45461daa7395a6e7fff913ea3a7dc19db05735a99f87b0 + value: quay.io/enterprise-contract/ec-task-bundle:snapshot@sha256:4eb948b679bf8021e13eae44cd331ce9f98fa81d54a36d043b80452057d2efe8 - name: name value: verify-enterprise-contract - name: kind diff --git a/pipelines/template-build/template-build.yaml b/pipelines/template-build/template-build.yaml index 27b3799b93..05b2779dc0 100644 --- a/pipelines/template-build/template-build.yaml +++ b/pipelines/template-build/template-build.yaml @@ -53,10 +53,6 @@ spec: description: Build a source image. type: string default: "false" - - name: build-args-file - description: Path to a file with build arguments which will be passed to podman during build - type: string - default: "" tasks: - name: init params: @@ -105,14 +101,13 @@ spec: workspaces: - name: source workspace: workspace + - name: git-basic-auth + workspace: git-auth - name: build-container when: - input: $(tasks.init.results.build) operator: in values: ["true"] - params: - - name: BUILD_ARGS_FILE - value: "$(params.build-args-file)" runAfter: - prefetch-dependencies taskRef: diff --git a/task/acs-deploy-check/0.1/acs-deploy-check.yaml b/task/acs-deploy-check/0.1/acs-deploy-check.yaml index 239d1270ae..47879bc4cc 100644 
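Review bot: The new `git-basic-auth` binding to `workspace: git-auth` on the prefetch-dependencies task depends on a `git-auth` workspace being declared in the pipeline's `spec.workspaces`, which lies outside this hunk; if that pipeline workspace is optional, the binding should stay valid when it is unbound only because the task side declares `git-basic-auth` as `optional: true` (see the prefetch-dependencies hunk later in this diff), so the two declarations need to be kept in step. The binding also hands the prefetch step the same git credentials the clone step uses, which is not obvious from the template alone; a comment above it, `# gives cachi2 the same git credentials as git-clone so private dependency repos can be fetched`, would record the intent.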
--- a/task/acs-deploy-check/0.1/acs-deploy-check.yaml +++ b/task/acs-deploy-check/0.1/acs-deploy-check.yaml @@ -124,7 +124,7 @@ spec: fi - name: report - image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7 + image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2 volumeMounts: - name: repository mountPath: /workspace/repository diff --git a/task/acs-image-check/0.1/acs-image-check.yaml b/task/acs-image-check/0.1/acs-image-check.yaml index 6d7a6d87e8..25dfb531fa 100644 --- a/task/acs-image-check/0.1/acs-image-check.yaml +++ b/task/acs-image-check/0.1/acs-image-check.yaml @@ -53,7 +53,7 @@ spec: oc annotate taskrun $(context.taskRun.name) task.output.location=logs - name: rox-image-check - image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7 + image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2 volumeMounts: - name: rox-secret mountPath: /rox-secret @@ -121,7 +121,7 @@ spec: cp roxctl_image_check_output.json /steps-shared-folder/acs-image-check.json - name: report - image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7 + image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2 volumeMounts: - name: shared-folder mountPath: /steps-shared-folder diff --git a/task/acs-image-scan/0.1/acs-image-scan.yaml b/task/acs-image-scan/0.1/acs-image-scan.yaml index 02d3a4d8a3..2062b21088 100644 --- a/task/acs-image-scan/0.1/acs-image-scan.yaml +++ b/task/acs-image-scan/0.1/acs-image-scan.yaml 
@@ -60,7 +60,7 @@ spec: oc annotate taskrun $(context.taskRun.name) task.output.location=logs - name: rox-image-scan - image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7 + image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2 volumeMounts: - name: rox-secret mountPath: /rox-secret @@ -160,7 +160,7 @@ spec: set_test_output_result SUCCESS "$note" - name: report - image: registry.access.redhat.com/ubi8-minimal@sha256:d8b81a38b5ad9694742ea03159d3217cd2dde3997b1ee53bbb53c33dd67be7b7 + image: registry.access.redhat.com/ubi8-minimal@sha256:f30dbf77b075215f6c827c269c073b5e0973e5cea8dacdf7ecb6a19c868f37f2 volumeMounts: - name: shared-folder mountPath: /steps-shared-folder diff --git a/task/buildah-remote/0.1/buildah-remote.yaml b/task/buildah-remote/0.1/buildah-remote.yaml index d2dc52915d..0899981cf8 100644 --- a/task/buildah-remote/0.1/buildah-remote.yaml +++ b/task/buildah-remote/0.1/buildah-remote.yaml @@ -108,8 +108,6 @@ spec: value: vfs - name: HERMETIC value: $(params.HERMETIC) - - name: PREFETCH_INPUT - value: $(params.PREFETCH_INPUT) - name: CONTEXT value: $(params.CONTEXT) - name: DOCKERFILE @@ -245,8 +243,8 @@ spec: BUILDAH_ARGS+=("--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}") fi - if [ -n "${PREFETCH_INPUT}" ]; then - cp -r cachi2 /tmp/ + if [ -d "$(workspaces.source.path)/cachi2" ]; then + cp -r "$(workspaces.source.path)/cachi2" /tmp/ chmod -R go+rwX /tmp/cachi2 VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2" sed -i 's|^\s*run |RUN . /cachi2/cachi2.env \&\& \\\n |i' "$dockerfile_path" @@ -301,7 +299,7 @@ spec: echo $container > /workspace/container_name # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later - if [ -n "${PREFETCH_INPUT}" ]; then + if [ -d "$(workspaces.source.path)/cachi2" ]; then cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json fi 
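Review bot: The new `[ -d "$(workspaces.source.path)/cachi2" ]` test gates the Dockerfile rewrite and the later SBOM copy on a directory existing rather than on the artifacts those branches consume, so a prefetch run that created the directory but left no `cachi2.env` or `output/bom.json` would still inject `RUN . /cachi2/cachi2.env` into the Dockerfile and then fail at the `cp` of bom.json with an unrelated-looking error. Testing for the file that is actually read, e.g. `if [ -f "$(workspaces.source.path)/cachi2/cachi2.env" ]; then`, keeps the build path coupled to the prefetch output explicitly; the same condition appears in the merge-cachi2-sbom step of this file and three more times in task/buildah/0.1/buildah.yaml later in the diff, so any change to the check must be applied in all of them. In buildah-remote the build script is, as far as I can tell from the `-e` block, executed on a remote host, so the substituted workspace path must also exist there — worth confirming. The enclosing script starts and ends outside the hunk.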
@@ -323,7 +321,6 @@ spec: -e BUILDAH_FORMAT="$BUILDAH_FORMAT" \ -e STORAGE_DRIVER="$STORAGE_DRIVER" \ -e HERMETIC="$HERMETIC" \ - -e PREFETCH_INPUT="$PREFETCH_INPUT" \ -e CONTEXT="$CONTEXT" \ -e DOCKERFILE="$DOCKERFILE" \ -e IMAGE="$IMAGE" \ @@ -390,7 +387,7 @@ spec: - mountPath: /var/lib/containers name: varlibcontainers - computeResources: {} - image: registry.access.redhat.com/ubi9/python-39:1-165@sha256:4da8ddb12096a31d8d50e58ea479ba2fe2f252f215fbaf5bf90923a1827463ba + image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a name: merge-syft-sboms script: | #!/bin/python3 @@ -428,7 +425,7 @@ spec: image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8 name: merge-cachi2-sbom script: | - if [ -n "${PREFETCH_INPUT}" ]; then + if [ -d "$(workspaces.source.path)/cachi2" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json mv sbom-temp.json sbom-cyclonedx.json @@ -439,7 +436,7 @@ spec: runAsUser: 0 workingDir: $(workspaces.source.path) - computeResources: {} - image: registry.access.redhat.com/ubi9/python-39:1-165@sha256:4da8ddb12096a31d8d50e58ea479ba2fe2f252f215fbaf5bf90923a1827463ba + image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a name: create-purl-sbom script: | #!/bin/python3 diff --git a/task/buildah-rhtap/0.1/buildah-rhtap.yaml b/task/buildah-rhtap/0.1/buildah-rhtap.yaml index 231cb93462..59489ca788 100644 --- a/task/buildah-rhtap/0.1/buildah-rhtap.yaml +++ b/task/buildah-rhtap/0.1/buildah-rhtap.yaml 
@@ -28,6 +28,10 @@ spec: description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) name: TLSVERIFY type: string + - name: BUILD_ARGS_FILE + description: Path to a file with build arguments which will be passed to podman during build + type: string + default: "" results: - description: Digest of the image just built name: IMAGE_DIGEST @@ -49,9 +53,11 @@ spec: value: $(params.IMAGE) - name: TLSVERIFY value: $(params.TLSVERIFY) + - name: BUILD_ARGS_FILE + value: $(params.BUILD_ARGS_FILE) steps: - name: build - image: registry.access.redhat.com/ubi9/buildah@sha256:d28590e6ff9933a50be664e95a99ed9c85e0d50101ddc7f8f7cfc9ceea57fe30 + image: registry.access.redhat.com/ubi9/buildah@sha256:3b11aae36f6c762e01731952ee6fb8e89c41660ce410e4c30d0bfc6496bca93c script: | # Check if the Dockerfile exists SOURCE_CODE_DIR=source @@ -64,8 +70,14 @@ spec: exit 1 fi + BUILDAH_ARGS=() + if [ -n "${BUILD_ARGS_FILE}" ]; then + BUILDAH_ARGS+=("--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}") + fi + # Build the image buildah build \ + ${BUILDAH_ARGS[@]} \ --tls-verify=$TLSVERIFY \ --ulimit nofile=4096:4096 \ -f "$dockerfile_path" -t $IMAGE $SOURCE_CODE_DIR/$CONTEXT @@ -111,7 +123,7 @@ spec: name: tmpfiles - name: merge-sboms - image: registry.access.redhat.com/ubi8/python-311@sha256:8ded4b6d8087706b6819ddda5d31f22b80e5aa4efa772e94d750699ccfbf98eb + image: registry.access.redhat.com/ubi8/python-311@sha256:634918e88adb803029a99cb1a5a6bb42834c2560ee098e87677efdaf7309380d env: - name: RESULT_PATH value: $(results.SBOM_BLOB_URL.path) diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index 165129fec8..4e0e53b9d5 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml @@ -96,8 +96,6 @@ spec: value: vfs - name: HERMETIC value: $(params.HERMETIC) - - name: PREFETCH_INPUT - value: $(params.PREFETCH_INPUT) - name: CONTEXT value: $(params.CONTEXT) - name: DOCKERFILE 
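Review bot: `${BUILDAH_ARGS[@]}` on the new `buildah build` line is unquoted, so a build-args file path containing whitespace or glob characters is word-split and globbed before buildah sees it; write it as `"${BUILDAH_ARGS[@]}" \` (a quoted empty array expands to nothing, so the no-file case is unchanged, and under `set -u` on older bash the `${BUILDAH_ARGS[@]+"${BUILDAH_ARGS[@]}"}` form avoids an unbound-variable error). The `BUILD_ARGS_FILE` branch never checks that `${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}` exists, leaving a less readable buildah error than a `[ -f "${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}" ] || { echo "build args file not found"; exit 1; }` guard would give. The parameter description added at the top of this file says the file is passed to podman while the step runs `buildah build`. The build script starts and ends outside the hunk.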
@@ -197,8 +195,8 @@ spec: BUILDAH_ARGS+=("--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}") fi - if [ -n "${PREFETCH_INPUT}" ]; then - cp -r cachi2 /tmp/ + if [ -d "$(workspaces.source.path)/cachi2" ]; then + cp -r "$(workspaces.source.path)/cachi2" /tmp/ chmod -R go+rwX /tmp/cachi2 VOLUME_MOUNTS="--volume /tmp/cachi2:/cachi2" sed -i 's|^\s*run |RUN . /cachi2/cachi2.env \&\& \\\n |i' "$dockerfile_path" @@ -253,7 +251,7 @@ spec: echo $container > /workspace/container_name # Save the SBOM produced by Cachi2 so it can be merged into the final SBOM later - if [ -n "${PREFETCH_INPUT}" ]; then + if [ -d "$(workspaces.source.path)/cachi2" ]; then cp /tmp/cachi2/output/bom.json ./sbom-cachi2.json fi @@ -306,7 +304,7 @@ spec: runAsUser: 0 - name: merge-syft-sboms - image: registry.access.redhat.com/ubi9/python-39:1-165@sha256:4da8ddb12096a31d8d50e58ea479ba2fe2f252f215fbaf5bf90923a1827463ba + image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a script: | #!/bin/python3 import json @@ -343,7 +341,7 @@ spec: - name: merge-cachi2-sbom image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8 script: | - if [ -n "${PREFETCH_INPUT}" ]; then + if [ -d "$(workspaces.source.path)/cachi2" ]; then echo "Merging contents of sbom-cachi2.json into sbom-cyclonedx.json" /src/utils/merge_syft_sbom.py sbom-cachi2.json sbom-cyclonedx.json > sbom-temp.json mv sbom-temp.json sbom-cyclonedx.json @@ -355,7 +353,7 @@ spec: runAsUser: 0 - name: create-purl-sbom - image: registry.access.redhat.com/ubi9/python-39:1-165@sha256:4da8ddb12096a31d8d50e58ea479ba2fe2f252f215fbaf5bf90923a1827463ba + image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a script: | #!/bin/python3 import json 
diff --git a/task/deprecated-image-check/0.1/README.md b/task/deprecated-image-check/0.1/README.md index f2e2622707..5af75d6e2b 100644 --- a/task/deprecated-image-check/0.1/README.md +++ b/task/deprecated-image-check/0.1/README.md @@ -3,7 +3,7 @@ ## Deprecation notice This task version is deprecated, please use the latest version. -Deprecation date: 2024-04-30 +Deprecation date: 2024-06-01 ## Description: The deprecated-image-check checks for deprecated images that are no longer maintained and prone to security issues. diff --git a/task/deprecated-image-check/0.1/deprecated-image-check.yaml b/task/deprecated-image-check/0.1/deprecated-image-check.yaml index 3ecdc0d597..f7e271c4c1 100644 --- a/task/deprecated-image-check/0.1/deprecated-image-check.yaml +++ b/task/deprecated-image-check/0.1/deprecated-image-check.yaml @@ -6,6 +6,7 @@ metadata: annotations: tekton.dev/pipelines.minVersion: "0.12.1" tekton.dev/tags: "appstudio, hacbs" + build.appstudio.redhat.com/expires-on: "2024-06-01T00:00:00Z" name: deprecated-image-check spec: description: >- diff --git a/task/deprecated-image-check/0.2/README.md b/task/deprecated-image-check/0.2/README.md index f2e2622707..5af75d6e2b 100644 --- a/task/deprecated-image-check/0.2/README.md +++ b/task/deprecated-image-check/0.2/README.md @@ -3,7 +3,7 @@ ## Deprecation notice This task version is deprecated, please use the latest version. -Deprecation date: 2024-04-30 +Deprecation date: 2024-06-01 ## Description: The deprecated-image-check checks for deprecated images that are no longer maintained and prone to security issues. diff --git a/task/deprecated-image-check/0.2/deprecated-image-check.yaml b/task/deprecated-image-check/0.2/deprecated-image-check.yaml index b9810143bb..caec83c3d6 100644 --- a/task/deprecated-image-check/0.2/deprecated-image-check.yaml +++ b/task/deprecated-image-check/0.2/deprecated-image-check.yaml 
@@ -6,6 +6,7 @@ metadata: annotations: tekton.dev/pipelines.minVersion: "0.12.1" tekton.dev/tags: "appstudio, hacbs" + build.appstudio.redhat.com/expires-on: "2024-06-01T00:00:00Z" name: deprecated-image-check spec: description: >- diff --git a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml index 084eb609c7..cccaa012e3 100644 --- a/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml +++ b/task/generate-odcs-compose/0.1/generate-odcs-compose.yaml @@ -21,7 +21,7 @@ spec: description: Directory to write the result .repo files. steps: - name: generate-odcs-compose - image: quay.io/redhat-user-workloads/rhtap-o11y-tenant/tools/tools:20de0e480e7dd1b734775f33b46170e25ec18197 + image: quay.io/redhat-appstudio/tools:39497ad4e7761c90fdde580cbb5bce9cb9491427 env: - name: CLIENT_ID valueFrom: diff --git a/task/init/0.2/init.yaml b/task/init/0.2/init.yaml index e6dd5c9a10..7d7f18c7f1 100644 --- a/task/init/0.2/init.yaml +++ b/task/init/0.2/init.yaml @@ -39,8 +39,9 @@ spec: echo echo "Determine if Image Already Exists" - # Build the image when image does not exists or rebuild is set to true - if ! oc image info $IMAGE_URL &>/dev/null || [ "$REBUILD" == "true" ] || [ "$SKIP_CHECKS" == "false" ]; then + # Build the image when rebuild is set to true or image does not exist + # The image check comes last to avoid unnecessary, slow API calls + if [ "$REBUILD" == "true" ] || [ "$SKIP_CHECKS" == "false" ] || ! oc image info $IMAGE_URL &>/dev/null; then echo -n "true" > $(results.build.path) else echo -n "false" > $(results.build.path) diff --git a/task/prefetch-dependencies/0.1/README.md b/task/prefetch-dependencies/0.1/README.md index 076b1f338b..6a6914bb3e 100644 --- a/task/prefetch-dependencies/0.1/README.md +++ b/task/prefetch-dependencies/0.1/README.md 
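Review bot: The new `quay.io/redhat-appstudio/tools:39497ad4e7761c90fdde580cbb5bce9cb9491427` reference in generate-odcs-compose is pinned only by a tag, so unlike the `@sha256:` references elsewhere in this diff the content behind it can change with no edit here; the same tag-only reference is introduced in task/verify-signed-rpms/0.1 at the end of the diff. Appending the digest, `image: quay.io/redhat-appstudio/tools:39497ad4e7761c90fdde580cbb5bce9cb9491427@sha256:<DIGEST>` (digest placeholder), puts both tasks on the same reproducibility footing as the rest of the repo and lets the digest-update automation that the other task comments mention track it.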
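Review bot: `$IMAGE_URL` is unquoted on the reordered condition in init.yaml, and `&>/dev/null` discards the reason `oc image info` failed, so a registry auth or network error is indistinguishable from "image does not exist" and silently becomes build=true. `! oc image info "$IMAGE_URL" >/dev/null` keeps the quoting safe and leaves stderr in the step log where the distinction can be seen. The enclosing script starts and ends outside the hunk.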
@@ -8,8 +8,12 @@ See docs at https://github.com/containerbuildsystem/cachi2#basic-usage. |---|---|---|---| |input|Configures project packages that will have their dependencies prefetched.||true| |dev-package-managers|Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. |false|false| +|log-level|Set cachi2 log level (debug, info, warning, error)|info|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| ## Workspaces |name|description|optional| |---|---|---| |source|Workspace with the source code, cachi2 artifacts will be stored on the workspace as well|false| +|git-basic-auth|A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. |true| diff --git a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml index d69f6cdfa5..287fb7aa58 100644 --- a/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml +++ b/task/prefetch-dependencies/0.1/prefetch-dependencies.yaml 
@@ -19,6 +19,17 @@ spec: notice. Use at your own risk. name: dev-package-managers default: "false" + - description: Set cachi2 log level (debug, info, warning, error) + name: log-level + default: "info" + - name: caTrustConfigMapName + type: string + description: The name of the ConfigMap to read CA bundle data from. + default: trusted-ca + - name: caTrustConfigMapKey + type: string + description: The name of the key in the ConfigMap that contains the CA bundle data. + default: ca-bundle.crt steps: - image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting @@ -30,6 +41,16 @@ spec: value: $(params.input) - name: DEV_PACKAGE_MANAGERS value: $(params.dev-package-managers) + - name: LOG_LEVEL + value: $(params.log-level) + - name: WORKSPACE_GIT_AUTH_BOUND + value: $(workspaces.git-basic-auth.bound) + - name: WORKSPACE_GIT_AUTH_PATH + value: $(workspaces.git-basic-auth.path) + volumeMounts: + - name: trusted-ca + mountPath: /mnt/trusted-ca + readOnly: true script: | if [ -z "${INPUT}" ] then 
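Review bot: The new `log-level` param omits `type: string` while the two `caTrust*` params added right after it declare it, and the existing `dev-package-managers` entry above it uses the description-first key order; Tekton defaults the type to string, so this is only a consistency point, but `type: string` on `log-level` and one key order for all three entries keep the param list uniform. The `/mnt/trusted-ca` mount is `readOnly: true` and the backing volume is declared `optional: true` later in the diff, which matches how the script treats the bundle as absent when the file is missing.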
@@ -43,19 +64,59 @@ spec: dev_pacman_flag="" fi - cachi2 fetch-deps \ + # Copied from https://github.com/redhat-appstudio/build-definitions/blob/main/task/git-clone/0.1/git-clone.yaml + if [ "${WORKSPACE_GIT_AUTH_BOUND}" = "true" ] ; then + if [ -f "${WORKSPACE_GIT_AUTH_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_GIT_AUTH_PATH}/.gitconfig" ]; then + cp "${WORKSPACE_GIT_AUTH_PATH}/.git-credentials" "${HOME}/.git-credentials" + cp "${WORKSPACE_GIT_AUTH_PATH}/.gitconfig" "${HOME}/.gitconfig" + # Compatibility with kubernetes.io/basic-auth secrets + elif [ -f "${WORKSPACE_GIT_AUTH_PATH}/username" ] && [ -f "${WORKSPACE_GIT_AUTH_PATH}/password" ]; then + HOSTNAME=$(cd "$(workspaces.source.path)/source" && git remote get-url origin | awk -F/ '{print $3}') + echo "https://$(cat ${WORKSPACE_GIT_AUTH_PATH}/username):$(cat ${WORKSPACE_GIT_AUTH_PATH}/password)@$HOSTNAME" > "${HOME}/.git-credentials" + echo -e "[credential \"https://$HOSTNAME\"]\n helper = store" > "${HOME}/.gitconfig" + else + echo "Unknown git-basic-auth workspace format" + exit 1 + fi + chmod 400 "${HOME}/.git-credentials" + chmod 400 "${HOME}/.gitconfig" + fi + + ca_bundle=/mnt/trusted-ca/ca-bundle.crt + if [ -f "$ca_bundle" ]; then + echo "INFO: Using mounted CA bundle: $ca_bundle" + cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors + update-ca-trust + fi + + cachi2 --log-level="$LOG_LEVEL" fetch-deps \ $dev_pacman_flag \ --source=$(workspaces.source.path)/source \ --output=$(workspaces.source.path)/cachi2/output \ "${INPUT}" - cachi2 generate-env $(workspaces.source.path)/cachi2/output \ + cachi2 --log-level="$LOG_LEVEL" generate-env $(workspaces.source.path)/cachi2/output \ --format env \ --for-output-dir=/cachi2/output \ --output $(workspaces.source.path)/cachi2/cachi2.env - cachi2 inject-files $(workspaces.source.path)/cachi2/output \ + cachi2 --log-level="$LOG_LEVEL" inject-files $(workspaces.source.path)/cachi2/output \ --for-output-dir=/cachi2/output workspaces: - name: source description: 
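Review bot: The basic-auth branch writes `https://$(cat username):$(cat password)@$HOSTNAME` into `.git-credentials` without percent-encoding, so a password containing `@`, `:`, `/` or `#` produces an entry git cannot parse and the fetch fails (or, with `@`, authenticates against the wrong host). The `$HOSTNAME` derived with `awk -F/ '{print $3}'` can also carry `user@` or `:port` from the remote URL, which then lands in the credential line verbatim. Letting `git credential-store` write the file handles the encoding; the rewritten lines are below, and the comment on the copy-from-git-clone block suggests the same fix applies there. The `cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors` line presumably needs write access to that directory in the cachi2 image — confirm the step's user. The script starts outside the hunk.
```yaml
          elif [ -f "${WORKSPACE_GIT_AUTH_PATH}/username" ] && [ -f "${WORKSPACE_GIT_AUTH_PATH}/password" ]; then
            HOSTNAME=$(cd "$(workspaces.source.path)/source" && git remote get-url origin | awk -F/ '{print $3}')
            # credential-store percent-encodes the fields, so reserved characters in the password survive
            printf 'protocol=https\nhost=%s\nusername=%s\npassword=%s\n' \
              "$HOSTNAME" "$(cat "${WORKSPACE_GIT_AUTH_PATH}/username")" "$(cat "${WORKSPACE_GIT_AUTH_PATH}/password")" \
              | git credential-store --file "${HOME}/.git-credentials" store
            echo -e "[credential \"https://$HOSTNAME\"]\n helper = store" > "${HOME}/.gitconfig"
          # … unchanged: else branch, chmod 400 of both files …
```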
Workspace with the source code, cachi2 artifacts will be stored on the workspace as well + - name: git-basic-auth + description: | + A Workspace containing a .gitconfig and .git-credentials file or username and password. + These will be copied to the user's home before any cachi2 commands are run. Any + other files in this Workspace are ignored. It is strongly recommended + to bind a Secret to this Workspace over other volume types. + optional: true + volumes: + - name: trusted-ca + configMap: + name: $(params.caTrustConfigMapName) + items: + - key: $(params.caTrustConfigMapKey) + path: ca-bundle.crt + optional: true diff --git a/task/provision-env-with-ephemeral-namespace/0.1/README.md b/task/provision-env-with-ephemeral-namespace/0.1/README.md index 41610b93e6..9e224c62b9 100644 --- a/task/provision-env-with-ephemeral-namespace/0.1/README.md +++ b/task/provision-env-with-ephemeral-namespace/0.1/README.md @@ -8,17 +8,14 @@ an ephemeral environment that will be completely clean of previous artifacts. ## Params: -| name | description | -|--------------------|-------------------------------------------------------------------| -| KONFLUXNAMESPACE | The namespace to create the spaceRequest from | -| SPACEREQUEST_NAME | The name for the newly created space request | +The task takes no parameters. ## Results: -| name | description | -|-------------------|--------------------------------------------------------------------------------------------------| -| secretRef | The name of the secret with a SA token that had admin permissions in the newly created namespace | +| name | description | +|-------------------|------------------------------------------------------------------| +| secretRef | The name of the secret with a SA token that had admin permissions in the newly created namespace | ## Source repository for task: 
diff --git a/task/provision-env-with-ephemeral-namespace/0.1/provision-env-with-ephemeral-namespace.yaml b/task/provision-env-with-ephemeral-namespace/0.1/provision-env-with-ephemeral-namespace.yaml index ef2d96740b..7781fe3061 100644 --- a/task/provision-env-with-ephemeral-namespace/0.1/provision-env-with-ephemeral-namespace.yaml +++ b/task/provision-env-with-ephemeral-namespace/0.1/provision-env-with-ephemeral-namespace.yaml @@ -44,7 +44,7 @@ spec: if oc wait spacerequests $SPACEREQUEST_NAME --for=condition=Ready --timeout=5m -n $KONFLUXNAMESPACE; then secretRef=$(oc get spacerequests $SPACEREQUEST_NAME -o=jsonpath='{.status.namespaceAccess[0].secretRef}') - echo $secretRef > tee "$(results.secretRef.path)" + echo -n $secretRef | tee $(results.secretRef.path) else exit 1 fi diff --git a/task/s2i-java/0.1/s2i-java.yaml b/task/s2i-java/0.1/s2i-java.yaml index 88c72da706..1bc2bce9b4 100644 --- a/task/s2i-java/0.1/s2i-java.yaml +++ b/task/s2i-java/0.1/s2i-java.yaml @@ -128,7 +128,7 @@ spec: container=$(buildah from --pull-never $IMAGE) buildah mount $container | tee /workspace/container_path echo $container > /workspace/container_name - image: registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af + image: registry.access.redhat.com/ubi9/buildah:9.3-12@sha256:3b11aae36f6c762e01731952ee6fb8e89c41660ce410e4c30d0bfc6496bca93c name: build env: - name: COMMIT_SHA 
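Review bot: The corrected `echo -n $secretRef | tee $(results.secretRef.path)` still writes the result when the jsonpath query returned nothing, so an empty `secretRef` is recorded and the task succeeds; guarding it first, `[ -n "$secretRef" ] || { echo "spacerequest has no namespaceAccess secretRef"; exit 1; }`, keeps the failure where it occurs. Both expansions should be quoted, `printf '%s' "$secretRef" | tee "$(results.secretRef.path)"`, so whitespace or glob characters in the value are not mangled. The enclosing script starts and ends outside the hunk.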
@@ -180,7 +180,7 @@ spec: name: varlibcontainers securityContext: runAsUser: 0 - - image: registry.access.redhat.com/ubi9/python-39:1-165@sha256:4da8ddb12096a31d8d50e58ea479ba2fe2f252f215fbaf5bf90923a1827463ba + - image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. @@ -227,7 +227,7 @@ spec: securityContext: runAsUser: 0 - - image: registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af + - image: registry.access.redhat.com/ubi9/buildah:9.3-12@sha256:3b11aae36f6c762e01731952ee6fb8e89c41660ce410e4c30d0bfc6496bca93c # default above is image digest specific name: inject-sbom-and-push computeResources: {} diff --git a/task/s2i-nodejs/0.1/s2i-nodejs.yaml b/task/s2i-nodejs/0.1/s2i-nodejs.yaml index 74f846331d..ea03d6daca 100644 --- a/task/s2i-nodejs/0.1/s2i-nodejs.yaml +++ b/task/s2i-nodejs/0.1/s2i-nodejs.yaml @@ -113,7 +113,7 @@ spec: container=$(buildah from --pull-never $IMAGE) buildah mount $container | tee /workspace/container_path echo $container > /workspace/container_name - image: registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af + image: registry.access.redhat.com/ubi9/buildah:9.3-12@sha256:3b11aae36f6c762e01731952ee6fb8e89c41660ce410e4c30d0bfc6496bca93c name: build env: - name: COMMIT_SHA 
@@ -150,7 +150,7 @@ spec: volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers - - image: registry.access.redhat.com/ubi9/python-39:1-165@sha256:4da8ddb12096a31d8d50e58ea479ba2fe2f252f215fbaf5bf90923a1827463ba + - image: registry.access.redhat.com/ubi9/python-39:1-172.1712567222@sha256:c96f839e927c52990143df4efb2872946fcd5de9e1ed2014947bb2cf3084c27a # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. @@ -197,7 +197,7 @@ spec: securityContext: runAsUser: 0 - - image: registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af + - image: registry.access.redhat.com/ubi9/buildah:9.3-12@sha256:3b11aae36f6c762e01731952ee6fb8e89c41660ce410e4c30d0bfc6496bca93c name: inject-sbom-and-push computeResources: {} script: | diff --git a/task/slack-webhook-notification/0.1/slack-webhook-notification.yaml b/task/slack-webhook-notification/0.1/slack-webhook-notification.yaml index 7f9bf99cbf..2b4f865345 100644 --- a/task/slack-webhook-notification/0.1/slack-webhook-notification.yaml +++ b/task/slack-webhook-notification/0.1/slack-webhook-notification.yaml 
@@ -27,7 +27,7 @@ spec: optional: true steps: - name: send-message - image: registry.access.redhat.com/ubi9/ubi-minimal:9.3-1552@sha256:06d06f15f7b641a78f2512c8817cbecaa1bf549488e273f5ac27ff1654ed33f0 + image: registry.access.redhat.com/ubi9/ubi-minimal:9.3-1612@sha256:119ac25920c8bb50c8b5fd75dcbca369bf7d1f702b82f3d39663307890f0bf26 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. diff --git a/task/summary/0.1/summary.yaml b/task/summary/0.1/summary.yaml index 7093d1dde3..40b8ab3cd4 100644 --- a/task/summary/0.1/summary.yaml +++ b/task/summary/0.1/summary.yaml @@ -23,7 +23,7 @@ spec: default: Succeeded steps: - name: appstudio-summary - image: registry.access.redhat.com/ubi9/ubi-minimal:9.3-1552@sha256:06d06f15f7b641a78f2512c8817cbecaa1bf549488e273f5ac27ff1654ed33f0 + image: registry.access.redhat.com/ubi9/ubi-minimal:9.3-1612@sha256:119ac25920c8bb50c8b5fd75dcbca369bf7d1f702b82f3d39663307890f0bf26 # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting # the cluster will set imagePullPolicy to IfNotPresent # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released. diff --git a/task/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml b/task/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml index 691dde40c7..e2d2c004f0 100644 --- a/task/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml +++ b/task/verify-enterprise-contract/0.1/verify-enterprise-contract.yaml 
@@ -111,12 +111,12 @@ spec: steps: - name: version - image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:0.2 + image: registry.redhat.io/rhtas/ec-rhel9:0.2 command: [ec] args: - version - name: initialize-tuf - image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:0.2 + image: registry.redhat.io/rhtas/ec-rhel9:0.2 script: |- set -euo pipefail @@ -132,7 +132,7 @@ spec: - name: TUF_MIRROR value: "$(params.TUF_MIRROR)" - name: validate - image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:0.2 + image: registry.redhat.io/rhtas/ec-rhel9:0.2 command: [ec] args: - validate @@ -180,23 +180,23 @@ spec: limits: memory: 2Gi - name: report - image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:0.2 + image: registry.redhat.io/rhtas/ec-rhel9:0.2 command: [cat] args: - "$(params.HOMEDIR)/report.yaml" - name: report-json - image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:0.2 + image: registry.redhat.io/rhtas/ec-rhel9:0.2 command: [cat] args: - "$(params.HOMEDIR)/report-json.json" - name: summary - image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:0.2 + image: registry.redhat.io/rhtas/ec-rhel9:0.2 command: [jq] args: - "." - "$(results.TEST_OUTPUT.path)" - name: assert - image: registry.redhat.io/rhtas-tech-preview/ec-rhel9:0.2 + image: registry.redhat.io/rhtas/ec-rhel9:0.2 command: [jq] args: - "--argjson" diff --git a/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml b/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml index 1f653c7c31..b67c1a51b1 100644 --- a/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml +++ b/task/verify-signed-rpms/0.1/verify-signed-rpms.yaml @@ -26,7 +26,7 @@ spec: emptyDir: {} steps: - name: verify-signed-rpms - image: quay.io/redhat-user-workloads/rhtap-o11y-tenant/tools/tools:20de0e480e7dd1b734775f33b46170e25ec18197 + image: quay.io/redhat-appstudio/tools:39497ad4e7761c90fdde580cbb5bce9cb9491427 volumeMounts: - name: workdir mountPath: "$(params.WORKDIR)"