gitops-pull-request: check only changed images

pipelines/gitops-pull-request-rhtap/gitops-pull-request.yaml

@@ -11,6 +11,10 @@ spec:
       name: revision
       type: string
       default: ""
+    - description: The target branch for the pull request
+      name: target-branch
+      type: string
+      default: "main"
     - description: Enterprise Contract policy to validate against
       name: ec-policy-configuration
       type: string
@@ -38,6 +42,10 @@ spec:
           value: $(params.git-url)
         - name: revision
           value: $(params.revision)
+        # We're more interested in remote branches than tags, but this fetches both.
+        # Branch refs are needed for the TARGET_BRANCH feature of gather-deploy-images.
+        - name: fetchTags
+          value: "true"
       taskRef:
         name: git-clone
         version: "0.1"
@@ -47,6 +55,9 @@ spec:
         - name: basic-auth
           workspace: git-auth
     - name: gather-deploy-images
+      params:
+        - name: TARGET_BRANCH
+          value: $(params.target-branch)
       runAfter:
         - clone-repository
       taskRef:
@@ -71,6 +82,10 @@ spec:
           value: $(params.ec-tuf-mirror)
       runAfter:
         - gather-deploy-images
+      when:
+        - input: $(tasks.gather-deploy-images.results.IMAGES_TO_VERIFY)
+          operator: notin
+          values: [""]
       taskRef:
         name: verify-enterprise-contract
         version: "0.1"

task/gather-deploy-images/0.1/README.md

@@ -2,10 +2,15 @@
 
 Extract images from deployment YAML to pass to EC for validation
 
+## Parameters
+|name|description|default value|required|
+|---|---|---|---|
+|TARGET_BRANCH|If specified, will gather only the images that changed between the current revision and the target branch. Useful for pull requests. Note that the repository cloned on the source workspace must already contain the origin/$TARGET_BRANCH reference. |""|false|
+
 ## Results
 |name|description|
 |---|---|
-|IMAGES_TO_VERIFY|The images to be verified, in a format compatible with https://github.com/redhat-appstudio/build-definitions/tree/main/task/verify-enterprise-contract/0.1|
+|IMAGES_TO_VERIFY|The images to be verified, in a format compatible with https://github.com/redhat-appstudio/build-definitions/tree/main/task/verify-enterprise-contract/0.1. When there are no images to verify, this is an empty string. |
 
 ## Workspaces
 |name|description|optional|

task/gather-deploy-images/0.1/gather-deploy-images.yaml

@@ -7,23 +7,56 @@ spec:
   workspaces:
     - description: Should contain a cloned gitops repo at the ./source subpath
       name: source
+  params:
+    - name: TARGET_BRANCH
+      description: >
+        If specified, will gather only the images that changed between
+        the current revision and the target branch. Useful for pull requests.
+        Note that the repository cloned on the source workspace must already
+        contain the origin/$TARGET_BRANCH reference.
+      type: string
+      default: ""
   results:
     - name: IMAGES_TO_VERIFY
-      description: The images to be verified, in a format compatible with https://github.com/redhat-appstudio/build-definitions/tree/main/task/verify-enterprise-contract/0.1
+      description: >
+        The images to be verified, in a format compatible with
+        https://github.com/redhat-appstudio/build-definitions/tree/main/task/verify-enterprise-contract/0.1.
+        When there are no images to verify, this is an empty string.
   steps:
   - name: get-images-per-env
     image: quay.io/redhat-appstudio/appstudio-utils:5bd7d6cb0b17f9f2eab043a8ad16ba3d90551bc2@sha256:8c7fcf86af40c71aeb58e4279625c8308af5144e2f6b8e28b0ec7e795260e5f7
     workingDir: $(workspaces.source.path)/source
+    env:
+      - name: TARGET_BRANCH
+        value: $(params.TARGET_BRANCH)
     script: |
       #!/bin/bash
       set -euo pipefail
 
+      IMAGE_PATH='.spec.template.spec.containers[0].image'
       component_name=$(yq .metadata.name application.yaml)
 
       for env in development stage prod; do
-        yq '.spec.template.spec.containers[0].image' "components/${component_name}/overlays/${env}/deployment-patch.yaml"
+        yaml_path=components/${component_name}/overlays/${env}/deployment-patch.yaml
+        image=$(yq "$IMAGE_PATH" "$yaml_path")
+
+        if [ -n "$TARGET_BRANCH" ]; then
+          prev_image=$(git show "origin/$TARGET_BRANCH:$yaml_path" | yq "$IMAGE_PATH")
+          if [ "$prev_image" = "$image" ]; then
+            # don't check images that didn't change between the current revision and the target branch
+            continue
+          fi
+        fi
+
+        printf "%s\n" "$image"
       done | sort -u > /tmp/all-images.txt
 
+      if [ ! -s /tmp/all-images.txt ]; then
+        echo "No images to verify"
+        touch $(results.IMAGES_TO_VERIFY.path)
+        exit 0
+      fi
+
       # TODO: each component needs a {"source": {"git": {"url": "...", "revision": "..."}}}
       #       will that be too large for Tekton results?