diff --git a/README.md b/README.md
index 80bc7db9d..5ed966719 100644
--- a/README.md
+++ b/README.md
@@ -30,7 +30,7 @@ There is an option to push all bundles to a single quay.io repository (this meth
 The pipelines can be found in the `pipelines` directory.
 - `core-services`: contains pipelines for the CI of Konflux core services e.g., `application-service` and `build-service`.
-- `template-build`: contains common template used to generate `docker-build`, `fbc-builder`, `java-builder` and `nodejs-builder` pipelines.
+- `template-build`: contains common template used to generate `docker-build`, `fbc-builder` and other pipelines.
 ### Tasks
@@ -67,11 +67,11 @@ Buildah also has a remote version, which can be generated with:
 ### Prerequisites
 - Provisioned cluster with sufficient resources
-- Deployed Konflux on the cluster (see [infra-deployments](https://github.com/redhat-appstudio/infra-deployments))
+- Deployed Konflux on the cluster (see [infra-deployments](https://github.com/redhat-appstudio/infra-deployments))
 1. Set up the image repository
-PipelineRuns attempt to push to cluster-internal registry `image-registry.openshift-image-registry.svc:5000` by default.
-For testing, you will likely want to use your own Quay repository.
+PipelineRuns attempt to push to cluster-internal registry `image-registry.openshift-image-registry.svc:5000` by default.
+For testing, you will likely want to use your own Quay repository.
 Specify the Quay repository using the `QUAY_NAMESPACE` environment variable in the format `OWNER/REPOSITORY_NAME`.
 2. Set up the `redhat-appstudio-staginguser-pull-secret`
 - Log in to `quay.io` using your credentials:
@@ -89,8 +89,8 @@ Specify the Quay repository using the `QUAY_NAMESPACE` environment variable in t
 ```
 3. Run the tests
-- To test a custom Git repository and pipeline, use `./hack/test-build.sh`.
-
+- To test a custom Git repository and pipeline, use `./hack/test-build.sh`.
+
 Usage example:
 ```
 QUAY_NAMESPACE=OWNER/REPOSITORY_NAME ./hack/test-build.sh https://github.com/jduimovich/spring-petclinic java-builder`.
@@ -107,11 +107,11 @@ Specify the Quay repository using the `QUAY_NAMESPACE` environment variable in t
 ### Compliance
 Task definitions must comply with the [Enterprise Contract](https://enterprisecontract.dev/) policies.
-Currently, there are two policy configurations.
+Currently, there are two policy configurations.
 - The [all-tasks](./policies/all-tasks.yaml) policy
-configuration applies to all Task definitions
+configuration applies to all Task definitions
 - The [build-tasks](./policies/build-tasks.yaml)
-policy configuration applies only to build Task definitions.
+policy configuration applies only to build Task definitions.
 A build Task, i.e., one that produces a container image, must abide by both policy configurations.
diff --git a/hack/build-and-push.sh b/hack/build-and-push.sh
index d4c91bf50..09f26575f 100755
--- a/hack/build-and-push.sh
+++ b/hack/build-and-push.sh
@@ -275,8 +275,6 @@ do
 [ "$pipeline_name" == "docker-build-oci-ta" ] && docker_oci_ta_pipeline_bundle=$pipeline_bundle
 [ "$pipeline_name" == "docker-build-multi-platform-oci-ta" ] && docker_multi_platform_oci_ta_pipeline_bundle=$pipeline_bundle
 [ "$pipeline_name" == "fbc-builder" ] && fbc_pipeline_bundle=$pipeline_bundle
- [ "$pipeline_name" == "nodejs-builder" ] && nodejs_pipeline_bundle=$pipeline_bundle
- [ "$pipeline_name" == "java-builder" ] && java_pipeline_bundle=$pipeline_bundle
 if [ "$SKIP_DEVEL_TAG" == "" ] && is_official_repo "$QUAY_NAMESPACE" && [ -z "$TEST_REPO_NAME" ]; then
 NEW_TAG="${pipeline_bundle%:*}:devel"
 skopeo copy "docker://${pipeline_bundle}" "docker://${NEW_TAG}"
diff --git a/hack/generate-pipelines-readme.py b/hack/generate-pipelines-readme.py
index 67b47c62c..92bcdf2f1 100755
--- a/hack/generate-pipelines-readme.py
+++ b/hack/generate-pipelines-readme.py
@@ -24,6 +24,7 @@ def run(cmd):
 failed = 0
 except subprocess.CalledProcessError as e:
 print(f"{cmd[0]} failed:\nSTDOUT:\n{e.stdout.decode()}\nSTDERR:\n{e.stderr.decode()}")
+ return "", "", failed
 except FileNotFoundError:
 print(f"command: {cmd[0]} doesn't exist")
 return "", "", failed
diff --git a/hack/test-builds.sh b/hack/test-builds.sh
index 736d4226f..04cd41c19 100755
--- a/hack/test-builds.sh
+++ b/hack/test-builds.sh
@@ -24,7 +24,5 @@ oc apply -k $SCRIPTDIR/../pipelines/ -o yaml --dry-run=client | \
 bash -c "$(curl -fsSL https://raw.githubusercontent.com/redhat-appstudio/infra-deployments/main/hack/build/setup-namespace.sh)"
 [ "$1" == "skip_checks" ] && export SKIP_CHECKS=1
-$SCRIPTDIR/test-build.sh https://github.com/jduimovich/spring-petclinic java-builder
-$SCRIPTDIR/test-build.sh https://github.com/jduimovich/single-nodejs-app nodejs-builder
 $SCRIPTDIR/test-build.sh https://github.com/jduimovich/single-container-app docker-build
 $SCRIPTDIR/test-build.sh https://github.com/Michkov/simple-fbc fbc-builder
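Review bot: The added `return "", "", failed` in the `CalledProcessError` branch of `run` (hack/generate-pipelines-readme.py) makes the function report failure only through the third tuple element, which callers can easily ignore, and the hunk shows no docstring stating that contract; a one-liner such as `"""Run cmd; return (stdout, stderr, failed) — stdout/stderr are empty and failed is non-zero when the command fails or is not found."""` would make it explicit. The returned `failed` must already hold a non-zero value assigned before the `try`, as the existing `FileNotFoundError` branch relies on the same name; that assignment is outside the hunk, so confirm it is not only set inside the `try`. The `print` on the line above the new return calls `e.stdout.decode()` and `e.stderr.decode()`, which raise `AttributeError` with `None` if the `subprocess.run` call (also outside the hunk) does not capture output — presumably it does. `run` begins before this hunk and the rest of its body continues after it.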
diff --git a/pipelines/java-builder/README.md b/pipelines/java-builder/README.md deleted file mode 100644 index 7828ab375..000000000 --- a/pipelines/java-builder/README.md +++ /dev/null 
@@ -1,280 +0,0 @@ -# "java-builder pipeline" - -## Parameters -|name|description|default value|used in (taskname:taskrefversion:taskparam)| -|---|---|---|---| -|build-image-index| Add built image into an OCI image index| false| build-image-index:0.1:ALWAYS_BUILD_INDEX| -|build-source-image| Build a source image.| false| | -|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| push-dockerfile:0.1:DOCKERFILE| -|git-url| Source Repository URL| None| clone-repository:0.1:url| -|hermetic| Execute the build with network isolation| false| | -|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER| -|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE| -|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:PATH_CONTEXT ; push-dockerfile:0.1:CONTEXT| -|prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input| -|rebuild| Force rebuild image| false| init:0.2:rebuild| -|revision| Revision of the Source Repository| | clone-repository:0.1:revision| -|skip-checks| Skip checks against built image| false| init:0.2:skip-checks| - -## Available params from tasks -### apply-tags:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| | -|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | -|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE| Reference of image that was pushed to registry in 
the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -### build-image-index:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|ALWAYS_BUILD_INDEX| Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.| true| '$(params.build-image-index)'| -|COMMIT_SHA| The commit the image is built from.| | '$(tasks.clone-repository.results.commit)'| -|IMAGE| The target image and tag where the image will be pushed to.| None| '$(params.output-image)'| -|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)']'| -|IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. 
Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| -|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | -|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | -### clair-scan:0.2 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | -|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|docker-auth| unused, should be removed in next task version.| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -### clamav-scan:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | -|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|docker-auth| unused| | | -|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| -|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -### deprecated-image-check:0.4 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|BASE_IMAGES_DIGESTS| Digests of base build images.| | | -|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | -|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| -|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -|POLICY_DIR| Path to directory containing Conftest 
policies.| /project/repository/| | -|POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| | -### ecosystem-cert-preflight-checks:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | -|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-url| Image url to scan.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -### git-clone:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | -|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|deleteExisting| Clean out the contents of the destination directory if it already exists before cloning.| true| | -|depth| Perform a shallow clone, fetching only the most recent N commits.| 1| | -|enableSymlinkCheck| Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true| | -|fetchTags| Fetch all tags for the repo.| false| | -|gitInitImage| Deprecated. Has no effect. Will be removed in the future.| | | -|httpProxy| HTTP proxy server for non-SSL requests.| | | -|httpsProxy| HTTPS proxy server for SSL requests.| | | -|noProxy| Opt out of proxying HTTP/HTTPS requests.| | | -|refspec| Refspec to fetch before checking out revision.| | | -|revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'| -|shortCommitLength| Length of short commit SHA| 7| | -|sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | | -|sslVerify| Set the `http.sslVerify` global git config. 
Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| | -|subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| | -|submodules| Initialize and fetch git submodules.| true| | -|url| Repository URL to clone from.| None| '$(params.git-url)'| -|userHome| Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. | /tekton/home| | -|verbose| Log the commands that are executed during `git-clone`'s operation.| false| | -### init:0.2 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'| -|rebuild| Rebuild the image if exists| false| '$(params.rebuild)'| -|skip-checks| Skip checks against built image| false| '$(params.skip-checks)'| -### prefetch-dependencies:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | -|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|config-file-content| Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | | -|dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. 
| false| | -|input| Configures project packages that will have their dependencies prefetched.| None| '$(params.prefetch-input)'| -|log-level| Set cachi2 log level (debug, info, warning, error)| info| | -### push-dockerfile:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| | -|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'| -|DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'| -|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'| -|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| | -### rpms-signature-scan:0.2 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | -|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'| -|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'| -|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| | -### s2i-java:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|BASE_IMAGE| Java builder image| registry.access.redhat.com/ubi9/openjdk-17:1.13-10.1669632202| | -|BUILDER_IMAGE| Deprecated. Has no effect. 
Will be removed in the future.| | | -|COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'| -|DOCKER_AUTH| unused, should be removed in next task version| | | -|IMAGE| Location of the repo where image has to be pushed| None| '$(params.output-image)'| -|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'| -|PATH_CONTEXT| The location of the path to run s2i from| .| '$(params.path-context)'| -|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| | -|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| | -### sast-snyk-check:0.2 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| | -|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| | -|image-digest| Image digest to report findings for.| | '$(tasks.build-image-index.results.IMAGE_DIGEST)'| -|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'| -### show-sbom:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| | -|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| | -|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-image-index.results.IMAGE_URL)'| -|PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". 
If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| | -### source-build:0.1 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|BASE_IMAGES| By default, the task inspects the SBOM of the binary image to find the base image. With this parameter, you can override that behavior and pass the base image directly. The value should be a newline-separated list of images, in the same order as the FROM instructions specified in a multistage Dockerfile.| | | -|BINARY_IMAGE| Binary image name from which to generate the source image name.| None| '$(params.output-image)'| -### summary:0.2 task parameters -|name|description|default value|already set by| -|---|---|---|---| -|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-image-index.status)'| -|git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'| -|image-url| Image URL| None| '$(params.output-image)'| -|pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'| - -## Results -|name|description|value| -|---|---|---| -|CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)| -|CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)| -|IMAGE_DIGEST| |$(tasks.build-image-index.results.IMAGE_DIGEST)| -|IMAGE_URL| |$(tasks.build-image-index.results.IMAGE_URL)| -|JAVA_COMMUNITY_DEPENDENCIES| |$(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES)| -## Available results from tasks -### build-image-index:0.1 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|IMAGES| List of all referenced image manifests| | -|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST| -|IMAGE_REF| Image reference of 
the built image containing both the repository and the digest| | -|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE| -### clair-scan:0.2 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|IMAGES_PROCESSED| Images processed in the task.| | -|REPORTS| Mapping of image digests to report digests| | -|SCAN_OUTPUT| Clair scan result.| | -|TEST_OUTPUT| Tekton task test output.| | -### clamav-scan:0.1 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|IMAGES_PROCESSED| Images processed in the task.| | -|TEST_OUTPUT| Tekton task test output.| | -### deprecated-image-check:0.4 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|IMAGES_PROCESSED| Images processed in the task.| | -|TEST_OUTPUT| Tekton task test output.| | -### ecosystem-cert-preflight-checks:0.1 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|TEST_OUTPUT| Preflight pass or fail outcome.| | -### git-clone:0.1 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA| -|commit-timestamp| The commit timestamp of the checkout| | -|short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| | -|url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url| -### init:0.2 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|build| Defines if the image in param 
image-url should be built| | -### push-dockerfile:0.1 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| | -### rpms-signature-scan:0.2 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|IMAGES_PROCESSED| Images processed in the task.| | -|RPMS_DATA| Information about signed and unsigned RPMs| | -|TEST_OUTPUT| Tekton task test output.| | -### s2i-java:0.1 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|BASE_IMAGES_DIGESTS| Digests of the base images used for build| | -|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.2:image-digest| -|IMAGE_REF| Image reference of the built image| | -|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.2:image-url| -|JAVA_COMMUNITY_DEPENDENCIES| The Java dependencies that came from community sources such as Maven central.| | -|SBOM_JAVA_COMPONENTS_COUNT| The counting of Java components by publisher in JSON format| | -### sast-snyk-check:0.2 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|TEST_OUTPUT| Tekton task test output.| | -### source-build:0.1 task results -|name|description|used in params (taskname:taskrefversion:taskparam) -|---|---|---| -|BUILD_RESULT| Build result.| | -|IMAGE_REF| Image reference of the built image| | -|SOURCE_IMAGE_DIGEST| The source image digest.| | -|SOURCE_IMAGE_URL| The source image url.| | - -## Workspaces -|name|description|optional|used in tasks -|---|---|---|---| -|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth| -|netrc| |True| prefetch-dependencies:0.1:netrc| -|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source 
; build-source-image:0.1:workspace ; sast-snyk-check:0.2:workspace ; push-dockerfile:0.1:workspace| -## Available workspaces from tasks -### git-clone:0.1 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth| -|output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace| -|ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| | -### prefetch-dependencies:0.1 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True| git-auth| -|netrc| Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. 
| True| netrc| -|source| Workspace with the source code, cachi2 artifacts will be stored on the workspace as well| False| workspace| -### push-dockerfile:0.1 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace| -### s2i-java:0.1 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|source| Workspace containing the source code to build.| False| workspace| -### sast-snyk-check:0.2 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|workspace| | False| workspace| -### source-build:0.1 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|workspace| The workspace where source code is included.| False| workspace| -### summary:0.2 task workspaces -|name|description|optional|workspace from pipeline -|---|---|---|---| -|workspace| The workspace where source code is included.| True| workspace| diff --git a/pipelines/java-builder/kustomization.yaml b/pipelines/java-builder/kustomization.yaml deleted file mode 100644 index 64f7ba8a8..000000000 --- a/pipelines/java-builder/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- ../template-build - -patches: -- path: patch.yaml - target: - kind: Pipeline diff --git a/pipelines/java-builder/patch.yaml b/pipelines/java-builder/patch.yaml deleted file mode 100644 index 3e5e4990e..000000000 --- a/pipelines/java-builder/patch.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -- op: replace - path: /metadata/name - value: java-builder -- op: replace - path: /metadata/labels - value: - "pipelines.openshift.io/used-by": "build-cloud" - "pipelines.openshift.io/runtime": "java" - "pipelines.openshift.io/strategy": "s2i" -- op: replace - path: /spec/tasks/3/taskRef - value: - name: s2i-java - version: "0.1" -- op: add - path: /spec/tasks/3/params - value: - - name: PATH_CONTEXT - value: $(params.path-context) - - name: IMAGE - value: "$(params.output-image)" - - name: IMAGE_EXPIRES_AFTER - value: "$(params.image-expires-after)" - - name: COMMIT_SHA - value: "$(tasks.clone-repository.results.commit)" -- op: add - path: /spec/results/- - value: - name: JAVA_COMMUNITY_DEPENDENCIES - value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES) diff --git a/pipelines/kustomization.yaml b/pipelines/kustomization.yaml index 729930f1e..8474b4138 100644 --- a/pipelines/kustomization.yaml +++ b/pipelines/kustomization.yaml @@ -4,8 +4,6 @@ resources: - docker-build - docker-build-oci-ta - docker-build-multi-platform-oci-ta -- java-builder -- nodejs-builder - enterprise-contract.yaml - fbc-builder - tekton-bundle-builder diff --git a/pipelines/nodejs-builder/README.md b/pipelines/nodejs-builder/README.md deleted file mode 100644 index 51b95fe39..000000000 --- a/pipelines/nodejs-builder/README.md +++ /dev/null 
@@ -1,278 +0,0 @@
-# "nodejs-builder pipeline"
-
-## Parameters
-|name|description|default value|used in (taskname:taskrefversion:taskparam)|
-|---|---|---|---|
-|build-image-index| Add built image into an OCI image index| false| build-image-index:0.1:ALWAYS_BUILD_INDEX|
-|build-source-image| Build a source image.| false| |
-|dockerfile| Path to the Dockerfile inside the context specified by parameter path-context| Dockerfile| push-dockerfile:0.1:DOCKERFILE|
-|git-url| Source Repository URL| None| clone-repository:0.1:url|
-|hermetic| Execute the build with network isolation| false| |
-|image-expires-after| Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | build-container:0.1:IMAGE_EXPIRES_AFTER ; build-image-index:0.1:IMAGE_EXPIRES_AFTER|
-|output-image| Fully Qualified Output Image| None| show-summary:0.2:image-url ; init:0.2:image-url ; build-container:0.1:IMAGE ; build-image-index:0.1:IMAGE ; build-source-image:0.1:BINARY_IMAGE|
-|path-context| Path to the source code of an application's component from where to build image.| .| build-container:0.1:PATH_CONTEXT ; push-dockerfile:0.1:CONTEXT|
-|prefetch-input| Build dependencies to be prefetched by Cachi2| | prefetch-dependencies:0.1:input|
-|rebuild| Force rebuild image| false| init:0.2:rebuild|
-|revision| Revision of the Source Repository| | clone-repository:0.1:revision|
-|skip-checks| Skip checks against built image| false| init:0.2:skip-checks|
-
-## Available params from tasks
-### apply-tags:0.1 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|ADDITIONAL_TAGS| Additional tags that will be applied to the image in the registry.| []| |
-|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
-|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
-|IMAGE| Reference of image that was pushed to registry in the buildah task.| None| '$(tasks.build-image-index.results.IMAGE_URL)'|
-### build-image-index:0.1 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|ALWAYS_BUILD_INDEX| Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.| true| '$(params.build-image-index)'|
-|COMMIT_SHA| The commit the image is built from.| | '$(tasks.clone-repository.results.commit)'|
-|IMAGE| The target image and tag where the image will be pushed to.| None| '$(params.output-image)'|
-|IMAGES| List of Image Manifests to be referenced by the Image Index| None| '['$(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)']'|
-|IMAGE_EXPIRES_AFTER| Delete image tag after specified time resulting in garbage collection of the digest. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'|
-|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| |
-|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| |
-### clair-scan:0.2 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
-|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
-|docker-auth| unused, should be removed in next task version.| | |
-|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'|
-|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'|
-### clamav-scan:0.1 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
-|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
-|docker-auth| unused| | |
-|image-digest| Image digest to scan.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'|
-|image-url| Image URL.| None| '$(tasks.build-image-index.results.IMAGE_URL)'|
-### deprecated-image-check:0.4 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|BASE_IMAGES_DIGESTS| Digests of base build images.| | |
-|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
-|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
-|IMAGE_DIGEST| Image digest.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'|
-|IMAGE_URL| Fully qualified image name.| None| '$(tasks.build-image-index.results.IMAGE_URL)'|
-|POLICY_DIR| Path to directory containing Conftest policies.| /project/repository/| |
-|POLICY_NAMESPACE| Namespace for Conftest policy.| required_checks| |
-### ecosystem-cert-preflight-checks:0.1 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
-|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
-|image-url| Image url to scan.| None| '$(tasks.build-image-index.results.IMAGE_URL)'|
-### git-clone:0.1 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
-|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
-|deleteExisting| Clean out the contents of the destination directory if it already exists before cloning.| true| |
-|depth| Perform a shallow clone, fetching only the most recent N commits.| 1| |
-|enableSymlinkCheck| Check symlinks in the repo. If they're pointing outside of the repo, the build will fail. | true| |
-|fetchTags| Fetch all tags for the repo.| false| |
-|gitInitImage| Deprecated. Has no effect. Will be removed in the future.| | |
-|httpProxy| HTTP proxy server for non-SSL requests.| | |
-|httpsProxy| HTTPS proxy server for SSL requests.| | |
-|noProxy| Opt out of proxying HTTP/HTTPS requests.| | |
-|refspec| Refspec to fetch before checking out revision.| | |
-|revision| Revision to checkout. (branch, tag, sha, ref, etc...)| | '$(params.revision)'|
-|shortCommitLength| Length of short commit SHA| 7| |
-|sparseCheckoutDirectories| Define the directory patterns to match or exclude when performing a sparse checkout.| | |
-|sslVerify| Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.| true| |
-|subdirectory| Subdirectory inside the `output` Workspace to clone the repo into.| source| |
-|submodules| Initialize and fetch git submodules.| true| |
-|url| Repository URL to clone from.| None| '$(params.git-url)'|
-|userHome| Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user. | /tekton/home| |
-|verbose| Log the commands that are executed during `git-clone`'s operation.| false| |
-### init:0.2 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|image-url| Image URL for build by PipelineRun| None| '$(params.output-image)'|
-|rebuild| Rebuild the image if exists| false| '$(params.rebuild)'|
-|skip-checks| Skip checks against built image| false| '$(params.skip-checks)'|
-### prefetch-dependencies:0.1 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|caTrustConfigMapKey| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
-|caTrustConfigMapName| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
-|config-file-content| Pass configuration to cachi2. Note this needs to be passed as a YAML-formatted config dump, not as a file path! | | |
-|dev-package-managers| Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. | false| |
-|input| Configures project packages that will have their dependencies prefetched.| None| '$(params.prefetch-input)'|
-|log-level| Set cachi2 log level (debug, info, warning, error)| info| |
-### push-dockerfile:0.1 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|ARTIFACT_TYPE| Artifact type of the Dockerfile image.| application/vnd.konflux.dockerfile| |
-|CONTEXT| Path to the directory to use as context.| .| '$(params.path-context)'|
-|DOCKERFILE| Path to the Dockerfile.| ./Dockerfile| '$(params.dockerfile)'|
-|IMAGE| The built binary image. The Dockerfile is pushed to the same image repository alongside.| None| '$(tasks.build-image-index.results.IMAGE_URL)'|
-|IMAGE_DIGEST| The built binary image digest, which is used to construct the tag of Dockerfile image.| None| '$(tasks.build-image-index.results.IMAGE_DIGEST)'|
-|TAG_SUFFIX| Suffix of the Dockerfile image tag.| .dockerfile| |
-### rpms-signature-scan:0.2 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|ca-trust-config-map-key| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
-|ca-trust-config-map-name| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
-|image-digest| Image digest to scan| None| '$(tasks.build-container.results.IMAGE_DIGEST)'|
-|image-url| Image URL| None| '$(tasks.build-container.results.IMAGE_URL)'|
-|workdir| Directory that will be used for storing temporary files produced by this task. | /tmp| |
-### s2i-nodejs:0.1 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|BASE_IMAGE| NodeJS builder image| registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583@sha256:c17111ec54c7f57f22d03f2abba206b0bdc54dcdfb02d6a8278ce088231eced1| |
-|BUILDER_IMAGE| Deprecated. Has no effect. Will be removed in the future.| | |
-|COMMIT_SHA| The image is built from this commit.| | '$(tasks.clone-repository.results.commit)'|
-|DOCKER_AUTH| unused, should be removed in next task version| | |
-|IMAGE| Location of the repo where image has to be pushed| None| '$(params.output-image)'|
-|IMAGE_EXPIRES_AFTER| Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.| | '$(params.image-expires-after)'|
-|MAVEN_MIRROR_URL| The base URL of a mirror used for retrieving artifacts| | |
-|PATH_CONTEXT| The location of the path to run s2i from.| .| '$(params.path-context)'|
-|STORAGE_DRIVER| Storage driver to configure for buildah| vfs| |
-|TLSVERIFY| Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)| true| |
-### sast-snyk-check:0.2 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|ARGS| Append arguments.| --all-projects --exclude=test*,vendor,deps| |
-|SNYK_SECRET| Name of secret which contains Snyk token.| snyk-secret| |
-|image-digest| Image digest to report findings for.| | '$(tasks.build-image-index.results.IMAGE_DIGEST)'|
-|image-url| Image URL.| | '$(tasks.build-image-index.results.IMAGE_URL)'|
-### show-sbom:0.1 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|CA_TRUST_CONFIG_MAP_KEY| The name of the key in the ConfigMap that contains the CA bundle data.| ca-bundle.crt| |
-|CA_TRUST_CONFIG_MAP_NAME| The name of the ConfigMap to read CA bundle data from.| trusted-ca| |
-|IMAGE_URL| Fully qualified image name to show SBOM for.| None| '$(tasks.build-image-index.results.IMAGE_URL)'|
-|PLATFORM| Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to use "linux/amd64".| linux/amd64| |
-### source-build:0.1 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|BASE_IMAGES| By default, the task inspects the SBOM of the binary image to find the base image. With this parameter, you can override that behavior and pass the base image directly. The value should be a newline-separated list of images, in the same order as the FROM instructions specified in a multistage Dockerfile.| | |
-|BINARY_IMAGE| Binary image name from which to generate the source image name.| None| '$(params.output-image)'|
-### summary:0.2 task parameters
-|name|description|default value|already set by|
-|---|---|---|---|
-|build-task-status| State of build task in pipelineRun| Succeeded| '$(tasks.build-image-index.status)'|
-|git-url| Git URL| None| '$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)'|
-|image-url| Image URL| None| '$(params.output-image)'|
-|pipelinerun-name| pipeline-run to annotate| None| '$(context.pipelineRun.name)'|
-
-## Results
-|name|description|value|
-|---|---|---|
-|CHAINS-GIT_COMMIT| |$(tasks.clone-repository.results.commit)|
-|CHAINS-GIT_URL| |$(tasks.clone-repository.results.url)|
-|IMAGE_DIGEST| |$(tasks.build-image-index.results.IMAGE_DIGEST)|
-|IMAGE_URL| |$(tasks.build-image-index.results.IMAGE_URL)|
-## Available results from tasks
-### build-image-index:0.1 task results
-|name|description|used in params (taskname:taskrefversion:taskparam)
-|---|---|---|
-|IMAGES| List of all referenced image manifests| |
-|IMAGE_DIGEST| Digest of the image just built| deprecated-base-image-check:0.4:IMAGE_DIGEST ; clair-scan:0.2:image-digest ; sast-snyk-check:0.2:image-digest ; clamav-scan:0.1:image-digest ; push-dockerfile:0.1:IMAGE_DIGEST|
-|IMAGE_REF| Image reference of the built image containing both the repository and the digest| |
-|IMAGE_URL| Image repository and tag where the built image was pushed| show-sbom:0.1:IMAGE_URL ; deprecated-base-image-check:0.4:IMAGE_URL ; clair-scan:0.2:image-url ; ecosystem-cert-preflight-checks:0.1:image-url ; sast-snyk-check:0.2:image-url ; clamav-scan:0.1:image-url ; apply-tags:0.1:IMAGE ; push-dockerfile:0.1:IMAGE|
-### clair-scan:0.2 task results
-|name|description|used in params (taskname:taskrefversion:taskparam)
-|---|---|---|
-|IMAGES_PROCESSED| Images processed in the task.| |
-|REPORTS| Mapping of image digests to report digests| |
-|SCAN_OUTPUT| Clair scan result.| |
-|TEST_OUTPUT| Tekton task test output.| |
-### clamav-scan:0.1 task results
-|name|description|used in params (taskname:taskrefversion:taskparam)
-|---|---|---|
-|IMAGES_PROCESSED| Images processed in the task.| |
-|TEST_OUTPUT| Tekton task test output.| |
-### deprecated-image-check:0.4 task results
-|name|description|used in params (taskname:taskrefversion:taskparam)
-|---|---|---|
-|IMAGES_PROCESSED| Images processed in the task.| |
-|TEST_OUTPUT| Tekton task test output.| |
-### ecosystem-cert-preflight-checks:0.1 task results
-|name|description|used in params (taskname:taskrefversion:taskparam)
-|---|---|---|
-|TEST_OUTPUT| Preflight pass or fail outcome.| |
-### git-clone:0.1 task results
-|name|description|used in params (taskname:taskrefversion:taskparam)
-|---|---|---|
-|commit| The precise commit SHA that was fetched by this Task.| build-container:0.1:COMMIT_SHA ; build-image-index:0.1:COMMIT_SHA|
-|commit-timestamp| The commit timestamp of the checkout| |
-|short-commit| The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters| |
-|url| The precise URL that was fetched by this Task.| show-summary:0.2:git-url|
-### init:0.2 task results
-|name|description|used in params (taskname:taskrefversion:taskparam)
-|---|---|---|
-|build| Defines if the image in param image-url should be built| |
-### push-dockerfile:0.1 task results
-|name|description|used in params (taskname:taskrefversion:taskparam)
-|---|---|---|
-|IMAGE_REF| Digest-pinned image reference to the Dockerfile image.| |
-### rpms-signature-scan:0.2 task results
-|name|description|used in params (taskname:taskrefversion:taskparam)
-|---|---|---|
-|IMAGES_PROCESSED| Images processed in the task.| |
-|RPMS_DATA| Information about signed and unsigned RPMs| |
-|TEST_OUTPUT| Tekton task test output.| |
-### s2i-nodejs:0.1 task results
-|name|description|used in params (taskname:taskrefversion:taskparam)
-|---|---|---|
-|BASE_IMAGES_DIGESTS| Digests of the base images used for build| |
-|IMAGE_DIGEST| Digest of the image just built| rpms-signature-scan:0.2:image-digest|
-|IMAGE_REF| Image reference of the built image| |
-|IMAGE_URL| Image repository and tag where the built image was pushed| build-image-index:0.1:IMAGES ; rpms-signature-scan:0.2:image-url|
-### sast-snyk-check:0.2 task results
-|name|description|used in params (taskname:taskrefversion:taskparam)
-|---|---|---|
-|TEST_OUTPUT| Tekton task test output.| |
-### source-build:0.1 task results
-|name|description|used in params (taskname:taskrefversion:taskparam)
-|---|---|---|
-|BUILD_RESULT| Build result.| |
-|IMAGE_REF| Image reference of the built image| |
-|SOURCE_IMAGE_DIGEST| The source image digest.| |
-|SOURCE_IMAGE_URL| The source image url.| |
-
-## Workspaces
-|name|description|optional|used in tasks
-|---|---|---|---|
-|git-auth| |True| clone-repository:0.1:basic-auth ; prefetch-dependencies:0.1:git-basic-auth|
-|netrc| |True| prefetch-dependencies:0.1:netrc|
-|workspace| |False| show-summary:0.2:workspace ; clone-repository:0.1:output ; prefetch-dependencies:0.1:source ; build-container:0.1:source ; build-source-image:0.1:workspace ; sast-snyk-check:0.2:workspace ; push-dockerfile:0.1:workspace|
-## Available workspaces from tasks
-### git-clone:0.1 task workspaces
-|name|description|optional|workspace from pipeline
-|---|---|---|---|
-|basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any git commands are run. Any other files in this Workspace are ignored. It is strongly recommended to use ssh-directory over basic-auth whenever possible and to bind a Secret to this Workspace over other volume types. | True| git-auth|
-|output| The git repo will be cloned onto the volume backing this Workspace.| False| workspace|
-|ssh-directory| A .ssh directory with private key, known_hosts, config, etc. Copied to the user's home before git commands are executed. Used to authenticate with the git remote when performing the clone. Binding a Secret to this Workspace is strongly recommended over other volume types. | True| |
-### prefetch-dependencies:0.1 task workspaces
-|name|description|optional|workspace from pipeline
-|---|---|---|---|
-|git-basic-auth| A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. | True| git-auth|
-|netrc| Workspace containing a .netrc file. Cachi2 will use the credentials in this file when performing http(s) requests. | True| netrc|
-|source| Workspace with the source code, cachi2 artifacts will be stored on the workspace as well| False| workspace|
-### push-dockerfile:0.1 task workspaces
-|name|description|optional|workspace from pipeline
-|---|---|---|---|
-|workspace| Workspace containing the source code from where the Dockerfile is discovered.| False| workspace|
-### s2i-nodejs:0.1 task workspaces
-|name|description|optional|workspace from pipeline
-|---|---|---|---|
-|source| Workspace containing the source code to build.| False| workspace|
-### sast-snyk-check:0.2 task workspaces
-|name|description|optional|workspace from pipeline
-|---|---|---|---|
-|workspace| | False| workspace|
-### source-build:0.1 task workspaces
-|name|description|optional|workspace from pipeline
-|---|---|---|---|
-|workspace| The workspace where source code is included.| False| workspace|
-### summary:0.2 task workspaces
-|name|description|optional|workspace from pipeline
-|---|---|---|---|
-|workspace| The workspace where source code is included.| True| workspace|
diff --git a/pipelines/nodejs-builder/kustomization.yaml b/pipelines/nodejs-builder/kustomization.yaml
deleted file mode 100644
index 64f7ba8a8..000000000
--- a/pipelines/nodejs-builder/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-- ../template-build
-
-patches:
-- path: patch.yaml
- target:
- kind: Pipeline
diff --git a/pipelines/nodejs-builder/patch.yaml b/pipelines/nodejs-builder/patch.yaml
deleted file mode 100644
index 117cfd39e..000000000
--- a/pipelines/nodejs-builder/patch.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-- op: replace
- path: /metadata/name
- value: nodejs-builder
-- op: replace
- path: /metadata/labels
- value:
- "pipelines.openshift.io/used-by": "build-cloud"
- "pipelines.openshift.io/runtime": "nodejs"
- "pipelines.openshift.io/strategy": "s2i"
-- op: replace
- path: /spec/tasks/3/taskRef
- value:
- name: s2i-nodejs
- version: "0.1"
-- op: add
- path: /spec/tasks/3/params
- value:
- - name: PATH_CONTEXT
- value: $(params.path-context)
- - name: IMAGE
- value: "$(params.output-image)"
- - name: IMAGE_EXPIRES_AFTER
- value: "$(params.image-expires-after)"
- - name: COMMIT_SHA
- value: "$(tasks.clone-repository.results.commit)"
diff --git a/task/s2i-java/0.1/README.md b/task/s2i-java/0.1/README.md
deleted file mode 100644
index 96354f22c..000000000
--- a/task/s2i-java/0.1/README.md
+++ /dev/null
@@ -1,33 +0,0 @@
-# s2i-java task
-
-s2i-java task builds source code into a container image and pushes the image into container registry using S2I and buildah tool.
-In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.
-When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts.
-
-
-## Parameters
-|name|description|default value|required|
-|---|---|---|---|
-|BASE_IMAGE|Java builder image|registry.access.redhat.com/ubi9/openjdk-17:1.13-10.1669632202|false|
-|PATH_CONTEXT|The location of the path to run s2i from|.|false|
-|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false|
-|IMAGE|Location of the repo where image has to be pushed||true|
-|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false|
-|DOCKER_AUTH|unused, should be removed in next task version|""|false|
-|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
-|COMMIT_SHA|The image is built from this commit.|""|false|
-
-## Results
-|name|description|
-|---|---|
-|IMAGE_DIGEST|Digest of the image just built|
-|IMAGE_URL|Image repository and tag where the built image was pushed|
-|IMAGE_REF|Image reference of the built image|
-|BASE_IMAGES_DIGESTS|Digests of the base images used for build|
-|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format|
-|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.|
-
-## Workspaces
-|name|description|optional|
-|---|---|---|
-|source|Workspace containing the source code to build.|false|
diff --git a/task/s2i-java/0.1/s2i-java.yaml b/task/s2i-java/0.1/s2i-java.yaml
deleted file mode 100644
index b8dac4fde..000000000
--- a/task/s2i-java/0.1/s2i-java.yaml
+++ /dev/null
@@ -1,290 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: Task -metadata: - labels: - app.kubernetes.io/version: "0.1" - build-definition.include: add-sbom-and-push - build.appstudio.redhat.com/build_type: "java" - build.appstudio.redhat.com/expires-on: 2024-11-13T00:00:00Z - annotations: - tekton.dev/displayName: s2i java - tekton.dev/pipelines.minVersion: "0.19" - tekton.dev/tags: s2i, java, workspace - name: s2i-java -spec: - description: | - s2i-java task builds source code into a container image and pushes the image into container registry using S2I and buildah tool. - In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool. - When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. - params: - - default: registry.access.redhat.com/ubi9/openjdk-17:1.13-10.1669632202 - description: Java builder image - name: BASE_IMAGE - type: string - - default: . - description: The location of the path to run s2i from - name: PATH_CONTEXT - type: string - - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - name: TLSVERIFY - type: string - - description: Location of the repo where image has to be pushed - name: IMAGE - type: string - - default: "" - description: Deprecated. Has no effect. Will be removed in the future. - name: BUILDER_IMAGE - type: string - - default: "" - description: unused, should be removed in next task version - name: DOCKER_AUTH - type: string - - default: "" - description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. - name: IMAGE_EXPIRES_AFTER - type: string - - name: COMMIT_SHA - description: The image is built from this commit. 
- type: string - default: "" - - name: STORAGE_DRIVER - description: Storage driver to configure for buildah - type: string - default: vfs - results: - - description: Digest of the image just built - name: IMAGE_DIGEST - - description: Image repository and tag where the built image was pushed - name: IMAGE_URL - - description: Image reference of the built image - name: IMAGE_REF - - description: Digests of the base images used for build - name: BASE_IMAGES_DIGESTS - - name: SBOM_JAVA_COMPONENTS_COUNT - description: The counting of Java components by publisher in JSON format - type: string - - name: JAVA_COMMUNITY_DEPENDENCIES - description: The Java dependencies that came from community sources such as Maven central. - stepTemplate: - env: - - name: BUILDAH_FORMAT - value: oci - - name: STORAGE_DRIVER - value: $(params.STORAGE_DRIVER) - - name: PATH_CONTEXT - value: $(params.PATH_CONTEXT) - - name: BASE_IMAGE - value: $(params.BASE_IMAGE) - - name: TLSVERIFY - value: $(params.TLSVERIFY) - - name: IMAGE - value: $(params.IMAGE) - - name: IMAGE_EXPIRES_AFTER - value: $(params.IMAGE_EXPIRES_AFTER) - - name: BUILDER_IMAGE - value: $(params.BUILDER_IMAGE) - steps: - - args: - - |- - echo "MAVEN_CLEAR_REPO=true" > env-file - [ -n "$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR" ] && - echo "MAVEN_MIRROR_URL=http://$JVM_BUILD_WORKSPACE_ARTIFACT_CACHE_PORT_80_TCP_ADDR/v1/cache/default/0/" >> env-file - - echo "Generated Env file" - echo "------------------------------" - cat env-file - echo "------------------------------" - s2i build $PATH_CONTEXT $BASE_IMAGE --image-scripts-url image:///usr/local/s2i --as-dockerfile /gen-source/Dockerfile.gen --environment-file env-file - - command: - - /bin/sh - - -c - env: - - name: HOME - value: /tekton/home - image: registry.redhat.io/ocp-tools-4-tech-preview/source-to-image-rhel8@sha256:637c15600359cb45bc01445b5e811b6240ca239f0ebfe406b50146e34f68f631 - name: s2i-gen - computeResources: {} - workingDir: 
$(workspaces.source.path)/source - securityContext: - runAsUser: 0 - volumeMounts: - - mountPath: /gen-source - name: gen-source - - script: | - if [ -n "${BUILDER_IMAGE}" ]; then - echo "WARNING: provided deprecated BUILDER_IMAGE parameter has no effect." - fi - - # Fixing group permission on /var/lib/containers - chown root:root /var/lib/containers - - LABELS=( - "--label" "build-date=$(date -u +'%Y-%m-%dT%H:%M:%S')" - "--label" "architecture=$(uname -m)" - "--label" "vcs-type=git" - ) - [ -n "$COMMIT_SHA" ] && LABELS+=("--label" "vcs-ref=$COMMIT_SHA") - [ -n "$IMAGE_EXPIRES_AFTER" ] && LABELS+=("--label" "quay.expires-after=$IMAGE_EXPIRES_AFTER") - - touch /var/lib/containers/java - sed -i 's/^short-name-mode = .*/short-name-mode = "disabled"/' /etc/containers/registries.conf - buildah build --tls-verify=$TLSVERIFY ${LABELS[@]} --ulimit nofile=4096:4096 -f /gen-source/Dockerfile.gen -t $IMAGE . - - container=$(buildah from --pull-never $IMAGE) - buildah mount $container | tee /workspace/container_path - # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners - find $(cat /workspace/container_path) -xtype l -delete - echo $container > /workspace/container_name - image: registry.access.redhat.com/ubi9/buildah:9.4-12@sha256:29402688af2b394a8400d946751520dbaea64759bbce2ef6928dc58ede6020e6 - name: build - env: - - name: COMMIT_SHA - value: $(params.COMMIT_SHA) - computeResources: - limits: - memory: 4Gi - requests: - memory: 512Mi - cpu: 10m - securityContext: - runAsUser: 0 - capabilities: - add: - - SETFCAP - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - mountPath: /gen-source - name: gen-source - workingDir: /gen-source - - - image: registry.access.redhat.com/rh-syft-tech-preview/syft-rhel9:1.4.1@sha256:34d7065427085a31dc4949bd283c001b91794d427e1e4cdf1b21ea4faf9fee3f - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy 
to IfNotPresent - name: sbom-syft-generate - # Respect Syft configuration if the user has it in the root of their repository - # (need to set the workdir, see https://github.com/anchore/syft/issues/2465) - workingDir: $(workspaces.source.path)/source - script: | - syft dir:$(workspaces.source.path)/source --output cyclonedx-json=$(workspaces.source.path)/sbom-source.json - syft dir:$(cat /workspace/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - name: analyse-dependencies-java-sbom - image: quay.io/redhat-appstudio/hacbs-jvm-build-request-processor:127ee0c223a2b56a9bd20a6f2eaeed3bd6015f77 - script: | - if [ -f /var/lib/containers/java ]; then - /opt/jboss/container/java/run/run-java.sh analyse-dependencies path $(cat /workspace/container_path) -s $(workspaces.source.path)/sbom-image.json --task-run-name $(context.taskRun.name) --publishers $(results.SBOM_JAVA_COMPONENTS_COUNT.path) - sed -i 's/^/ /' $(results.SBOM_JAVA_COMPONENTS_COUNT.path) # Workaround for SRVKP-2875 - else - touch $(results.JAVA_COMMUNITY_DEPENDENCIES.path) - fi - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - securityContext: - runAsUser: 0 - - image: registry.access.redhat.com/ubi9/python-39:1-192.1722518946@sha256:0176b477075984d5a502253f951d2502f0763c551275f9585ac515b9f241d73d - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - name: merge-sboms - script: | - #!/bin/python3 - import json - import os - - # load SBOMs - with open("./sbom-image.json") as f: - image_sbom = json.load(f) - - with open("./sbom-source.json") as f: - source_sbom = json.load(f) - - # fetch unique components from available SBOMs - def get_identifier(component): - return component["name"] + '@' + component.get("version", "") - - image_sbom_components = image_sbom.get("components", []) 
- existing_components = [get_identifier(component) for component in image_sbom_components] - - source_sbom_components = source_sbom.get("components", []) - for component in source_sbom_components: - if get_identifier(component) not in existing_components: - image_sbom_components.append(component) - existing_components.append(get_identifier(component)) - - image_sbom_components.sort(key=lambda c: get_identifier(c)) - - # write the CycloneDX unified SBOM - with open("./sbom-cyclonedx.json", "w") as f: - json.dump(image_sbom, f, indent=4) - - # create and write the PURL unified SBOM - purls = [{"purl": component["purl"]} for component in image_sbom_components if "purl" in component] - purl_content = {"image_contents": {"dependencies": purls}} - - with open("sbom-purl.json", "w") as output_file: - json.dump(purl_content, output_file, indent=4) - - workingDir: $(workspaces.source.path) - securityContext: - runAsUser: 0 - - - image: registry.access.redhat.com/ubi9/buildah:9.4-12@sha256:29402688af2b394a8400d946751520dbaea64759bbce2ef6928dc58ede6020e6 - # default above is image digest specific - name: inject-sbom-and-push - computeResources: {} - script: | - if [ -n "${BUILDER_IMAGE}" ]; then - echo "WARNING: provided deprecated BUILDER_IMAGE parameter has no effect." 
- fi - - # Expose base image digests - buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) - - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) - container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container - buildah commit $container $IMAGE - buildah push \ - --tls-verify=$TLSVERIFY \ - --digestfile $(workspaces.source.path)/image-digest $IMAGE \ - docker://$IMAGE - cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) - { - echo -n "${IMAGE}@" - cat "$(workspaces.source.path)/image-digest" - } > "$(results.IMAGE_REF.path)" - - securityContext: - runAsUser: 0 - capabilities: - add: - - SETFCAP - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - workingDir: $(workspaces.source.path) - - - name: upload-sbom - image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 - script: | - cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" - workingDir: $(workspaces.source.path) - - volumes: - - emptyDir: {} - name: varlibcontainers - - emptyDir: {} - name: gen-source - workspaces: - - mountPath: /workspace/source - name: source - description: Workspace containing the source code to build. diff --git a/task/s2i-java/OWNERS b/task/s2i-java/OWNERS deleted file mode 100644 index d3f0ff4a7..000000000 
--- a/task/s2i-java/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - build-team
-reviewers:
- - build-team
diff --git a/task/s2i-nodejs/0.1/README.md b/task/s2i-nodejs/0.1/README.md
deleted file mode 100644
index f129dfaf7..000000000
--- a/task/s2i-nodejs/0.1/README.md
+++ /dev/null
@@ -1,31 +0,0 @@
-# s2i-nodejs task
-
-s2i-nodejs task builds source code into a container image and pushes the image into container registry using S2I and buildah tool.
-In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.
-
-
-## Parameters
-|name|description|default value|required|
-|---|---|---|---|
-|BASE_IMAGE|NodeJS builder image|registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583@sha256:c17111ec54c7f57f22d03f2abba206b0bdc54dcdfb02d6a8278ce088231eced1|false|
-|PATH_CONTEXT|The location of the path to run s2i from.|.|false|
-|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false|
-|IMAGE|Location of the repo where image has to be pushed||true|
-|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false|
-|DOCKER_AUTH|unused, should be removed in next task version|""|false|
-|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
-|MAVEN_MIRROR_URL|The base URL of a mirror used for retrieving artifacts|""|false|
-|COMMIT_SHA|The image is built from this commit.|""|false|
-
-## Results
-|name|description|
-|---|---|
-|IMAGE_DIGEST|Digest of the image just built|
-|IMAGE_URL|Image repository and tag where the built image was pushed|
-|IMAGE_REF|Image reference of the built image|
-|BASE_IMAGES_DIGESTS|Digests of the base images used for build|
-
-## Workspaces
-|name|description|optional|
-|---|---|---|
-|source|Workspace containing the source code to build.|false|
diff --git a/task/s2i-nodejs/0.1/s2i-nodejs.yaml b/task/s2i-nodejs/0.1/s2i-nodejs.yaml
deleted file mode 100644
index 60e754622..000000000
--- a/task/s2i-nodejs/0.1/s2i-nodejs.yaml
+++ /dev/null
@@ -1,257 +0,0 @@
-apiVersion: tekton.dev/v1 -kind: Task -metadata: - labels: - app.kubernetes.io/version: "0.1" - build.appstudio.redhat.com/build_type: "nodejs" - annotations: - tekton.dev/displayName: s2i nodejs - tekton.dev/pipelines.minVersion: "0.19" - tekton.dev/tags: s2i, nodejs, workspace - build.appstudio.redhat.com/expires-on: 2024-11-13T00:00:00Z - name: s2i-nodejs -spec: - description: | - s2i-nodejs task builds source code into a container image and pushes the image into container registry using S2I and buildah tool. - In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool. - params: - - default: registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583@sha256:c17111ec54c7f57f22d03f2abba206b0bdc54dcdfb02d6a8278ce088231eced1 - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - description: NodeJS builder image - name: BASE_IMAGE - type: string - - default: . - description: The location of the path to run s2i from. - name: PATH_CONTEXT - type: string - - default: "true" - description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry) - name: TLSVERIFY - type: string - - description: Location of the repo where image has to be pushed - name: IMAGE - type: string - - default: "" - description: Deprecated. Has no effect. Will be removed in the future. - name: BUILDER_IMAGE - type: string - - default: "" - description: unused, should be removed in next task version - name: DOCKER_AUTH - type: string - - default: "" - description: Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. 
- name: IMAGE_EXPIRES_AFTER - type: string - # Unused only as placeholder - - default: "" - description: The base URL of a mirror used for retrieving artifacts - name: MAVEN_MIRROR_URL - - name: COMMIT_SHA - description: The image is built from this commit. - type: string - default: "" - - name: STORAGE_DRIVER - description: Storage driver to configure for buildah - type: string - default: vfs - stepTemplate: - env: - - name: BUILDAH_FORMAT - value: oci - - name: STORAGE_DRIVER - value: $(params.STORAGE_DRIVER) - - name: TLSVERIFY - value: $(params.TLSVERIFY) - - name: IMAGE - value: $(params.IMAGE) - - name: IMAGE_EXPIRES_AFTER - value: $(params.IMAGE_EXPIRES_AFTER) - - name: BUILDER_IMAGE - value: $(params.BUILDER_IMAGE) - results: - - description: Digest of the image just built - name: IMAGE_DIGEST - - description: Image repository and tag where the built image was pushed - name: IMAGE_URL - - description: Image reference of the built image - name: IMAGE_REF - - description: Digests of the base images used for build - name: BASE_IMAGES_DIGESTS - steps: - - name: generate - image: registry.redhat.io/ocp-tools-4-tech-preview/source-to-image-rhel8@sha256:e518e05a730ae066e371a4bd36a5af9cedc8686fd04bd59648d20ea0a486d7e5 - command: - - s2i - - build - - $(params.PATH_CONTEXT) - - $(params.BASE_IMAGE) - - --as-dockerfile - - /gen-source/Dockerfile.gen - env: - - name: HOME - value: /tekton/home - computeResources: {} - volumeMounts: - - mountPath: /gen-source - name: gen-source - workingDir: $(workspaces.source.path)/source - - script: | - if [ -n "${BUILDER_IMAGE}" ]; then - echo "WARNING: provided deprecated BUILDER_IMAGE parameter has no effect." 
- fi - - # Fixing group permission on /var/lib/containers - chown root:root /var/lib/containers - - LABELS=( - "--label" "build-date=$(date -u +'%Y-%m-%dT%H:%M:%S')" - "--label" "architecture=$(uname -m)" - "--label" "vcs-type=git" - ) - [ -n "$COMMIT_SHA" ] && LABELS+=("--label" "vcs-ref=$COMMIT_SHA") - [ -n "$IMAGE_EXPIRES_AFTER" ] && LABELS+=("--label" "quay.expires-after=$IMAGE_EXPIRES_AFTER") - - sed -i 's/^short-name-mode = .*/short-name-mode = "disabled"/' /etc/containers/registries.conf - buildah build --tls-verify=$TLSVERIFY ${LABELS[@]} -f /gen-source/Dockerfile.gen -t $IMAGE . - - container=$(buildah from --pull-never $IMAGE) - buildah mount $container | tee /workspace/container_path - # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners - find $(cat /workspace/container_path) -xtype l -delete - echo $container > /workspace/container_name - image: registry.access.redhat.com/ubi9/buildah:9.4-12@sha256:29402688af2b394a8400d946751520dbaea64759bbce2ef6928dc58ede6020e6 - name: build - env: - - name: COMMIT_SHA - value: $(params.COMMIT_SHA) - computeResources: - limits: - memory: 2Gi - requests: - memory: 512Mi - cpu: 10m - securityContext: - capabilities: - add: - - SETFCAP - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - mountPath: /gen-source - name: gen-source - workingDir: /gen-source - - - image: registry.access.redhat.com/rh-syft-tech-preview/syft-rhel9:1.4.1@sha256:34d7065427085a31dc4949bd283c001b91794d427e1e4cdf1b21ea4faf9fee3f - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - name: sbom-syft-generate - # Respect Syft configuration if the user has it in the root of their repository - # (need to set the workdir, see https://github.com/anchore/syft/issues/2465) - workingDir: $(workspaces.source.path)/source - script: | - syft dir:$(workspaces.source.path)/source --output 
cyclonedx-json=$(workspaces.source.path)/sbom-source.json - syft dir:$(cat /workspace/container_path) --output cyclonedx-json=$(workspaces.source.path)/sbom-image.json - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - - image: registry.access.redhat.com/ubi9/python-39:1-192.1722518946@sha256:0176b477075984d5a502253f951d2502f0763c551275f9585ac515b9f241d73d - # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting - # the cluster will set imagePullPolicy to IfNotPresent - name: merge-sboms - script: | - #!/bin/python3 - import json - import os - - # load SBOMs - with open("./sbom-image.json") as f: - image_sbom = json.load(f) - - with open("./sbom-source.json") as f: - source_sbom = json.load(f) - - # fetch unique components from available SBOMs - def get_identifier(component): - return component["name"] + '@' + component.get("version", "") - - image_sbom_components = image_sbom.get("components", []) - existing_components = [get_identifier(component) for component in image_sbom_components] - - source_sbom_components = source_sbom.get("components", []) - for component in source_sbom_components: - if get_identifier(component) not in existing_components: - image_sbom_components.append(component) - existing_components.append(get_identifier(component)) - - image_sbom_components.sort(key=lambda c: get_identifier(c)) - - # write the CycloneDX unified SBOM - with open("./sbom-cyclonedx.json", "w") as f: - json.dump(image_sbom, f, indent=4) - - # create and write the PURL unified SBOM - purls = [{"purl": component["purl"]} for component in image_sbom_components if "purl" in component] - purl_content = {"image_contents": {"dependencies": purls}} - - with open("sbom-purl.json", "w") as output_file: - json.dump(purl_content, output_file, indent=4) - - workingDir: $(workspaces.source.path) - securityContext: - runAsUser: 0 - - - image: 
registry.access.redhat.com/ubi9/buildah:9.4-12@sha256:29402688af2b394a8400d946751520dbaea64759bbce2ef6928dc58ede6020e6 - name: inject-sbom-and-push - computeResources: {} - script: | - if [ -n "${BUILDER_IMAGE}" ]; then - echo "WARNING: provided deprecated BUILDER_IMAGE parameter has no effect." - fi - - # Expose base image digests - buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path) - - base_image_name=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.name"}}' $IMAGE | cut -f1 -d'@') - base_image_digest=$(buildah inspect --format '{{ index .ImageAnnotations "org.opencontainers.image.base.digest"}}' $IMAGE) - container=$(buildah from --pull-never $IMAGE) - buildah copy $container sbom-cyclonedx.json sbom-purl.json /root/buildinfo/content_manifests/ - buildah config -a org.opencontainers.image.base.name=${base_image_name} -a org.opencontainers.image.base.digest=${base_image_digest} $container - buildah commit $container $IMAGE - buildah push \ - --tls-verify=$TLSVERIFY \ - --digestfile $(workspaces.source.path)/image-digest $IMAGE \ - docker://$IMAGE - cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) - echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) - { - echo -n "${IMAGE}@" - cat "$(workspaces.source.path)/image-digest" - } > "$(results.IMAGE_REF.path)" - - securityContext: - runAsUser: 0 - capabilities: - add: - - SETFCAP - volumeMounts: - - mountPath: /var/lib/containers - name: varlibcontainers - workingDir: $(workspaces.source.path) - - - name: upload-sbom - image: quay.io/konflux-ci/appstudio-utils:ab6b0b8e40e440158e7288c73aff1cf83a2cc8a9@sha256:24179f0efd06c65d16868c2d7eb82573cce8e43533de6cea14fec3b7446e0b14 - workingDir: $(workspaces.source.path) - script: | - cosign attach sbom --sbom sbom-cyclonedx.json --type cyclonedx "$(cat "$(results.IMAGE_REF.path)")" - - volumes: - - emptyDir: {} - name: varlibcontainers - - emptyDir: 
{} - name: gen-source - workspaces: - - mountPath: /workspace/source - name: source - description: Workspace containing the source code to build.
diff --git a/task/s2i-nodejs/OWNERS b/task/s2i-nodejs/OWNERS
deleted file mode 100644
index d3f0ff4a7..000000000
--- a/task/s2i-nodejs/OWNERS
+++ /dev/null
@@ -1,5 +0,0 @@
-# See the OWNERS docs: https://go.k8s.io/owners
-approvers:
- - build-team
-reviewers:
- - build-team