stackrox
diff --git a/‎.github/renovate.json5‎
Lines changed: 38 additions & 0 deletions b/‎.github/renovate.json5‎
Lines changed: 38 additions & 0 deletions
diff --git a/‎.tekton/determine-image-tag-oci-ta.yaml‎
Lines changed: 0 additions & 44 deletions b/‎.tekton/determine-image-tag-oci-ta.yaml‎
Lines changed: 0 additions & 44 deletions
diff --git a/‎.tekton/determine-image-tag-task.yaml‎
Lines changed: 22 additions & 7 deletions b/‎.tekton/determine-image-tag-task.yaml‎
Lines changed: 22 additions & 7 deletions
diff --git a/‎.tekton/fetch-scanner-data-oci-ta-task.yaml‎
Lines changed: 0 additions & 71 deletions b/‎.tekton/fetch-scanner-data-oci-ta-task.yaml‎
Lines changed: 0 additions & 71 deletions
diff --git a/‎.tekton/fetch-scanner-data-task.yaml‎
Lines changed: 41 additions & 7 deletions b/‎.tekton/fetch-scanner-data-task.yaml‎
Lines changed: 41 additions & 7 deletions
diff --git a/‎.tekton/scanner-build.yaml‎
Lines changed: 4 additions & 0 deletions b/‎.tekton/scanner-build.yaml‎
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,38 @@
+{
+  // This configures Konflux Renovate bot, the thing that keeps our pipelines use up-to-date tasks.
+
+  // After making changes to this file, you can validate it by running something like this in the root of the repo:
+  // $ docker run --rm -it --entrypoint=/usr/local/bin/renovate-config-validator -v "$(pwd)":/mnt -w /mnt renovate/renovate --strict
+  // There are more validation options, see https://docs.renovatebot.com/config-validation/
+
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    // This inherits the base Konflux config.
+    // Clickable link https://github.com/konflux-ci/mintmaker/blob/main/config/renovate/renovate.json
+    // The following was used as example (we may want to check it if the base config gets suddenly moved):
+    // https://github.com/enterprise-contract/ec-cli/blob/407847910ad420850385eea1db78e2a2e49c7e25/renovate.json#L1C1-L7C2
+    "github>konflux-ci/mintmaker//config/renovate/renovate.json"
+  ],
+  "timezone": "Etc/UTC",
+  "schedule": [
+    // Allowed syntax: https://docs.renovatebot.com/configuration-options/#schedule
+    // The time was selected (with the help of https://time.fyi/timezones) so that Renovate isn't active during business
+    // hours from Germany to US West Coast. This way, after we merge a PR, a new one does not pop up immediately after
+    // that.
+    "after 3am and before 7am"
+  ],
+  // Tell Renovate not to update PRs when outside of schedule.
+  "updateNotScheduled": false,
+  "dockerfile": {
+    "includePaths": [
+      // Instruct Renovate not try to update Dockerfiles other than konflux.Dockerfile (or konflux.anything.Dockerfile)
+      // to have less PR noise.
+      "**/*konflux*.Dockerfile",
+    ],
+  },
+  "enabledManagers": [
+    // Restrict Renovate focus on Konflux things since we rely on GitHub's dependabot for everything else.
+    "tekton",
+    "dockerfile",
+  ],
+}
@@ -7,23 +7,38 @@ metadata:
 spec:
   description: Determines the tag for the output image using the StackRox convention from 'make tag' output.
   params:
-  - name: tag-suffix
+  - name: TAG_SUFFIX
     description: Suffix to append to generated image tag.
     type: string
+  - name: SOURCE_ARTIFACT
+    description: The Trusted Artifact URI pointing to the artifact with
+      the application source code. This should be the result of the git-clone task,
+      results from other tasks might fail as dirty.
+    type: string
   results:
-  - name: image-tag
+  - name: IMAGE_TAG
     description: Image Tag determined by custom logic.
+  volumes:
+  - name: workdir
+    emptyDir: { }
+  stepTemplate:
+    volumeMounts:
+    - mountPath: /var/workdir
+      name: workdir
   steps:
+  - name: use-trusted-artifact
+    image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a
+    args:
+    - use
+    - $(params.SOURCE_ARTIFACT)=/var/workdir/source
   - name: determine-image-tag
     image: registry.access.redhat.com/ubi8:latest
+    workingDir: /var/workdir/source
     script: |
       #!/usr/bin/env bash
       set -euo pipefail
       dnf -y upgrade --nobest
       dnf -y install git make
-      cd "$(workspaces.source.path)/source"
+
       scripts/konflux/fail-build-if-git-is-dirty.sh
-      echo -n "$(make --quiet --no-print-directory tag)$(params.tag-suffix)" | tee "$(results.image-tag.path)"
-  workspaces:
-  - name: source
-    description: The workspace where source code is included.
+      echo -n "$(make --quiet --no-print-directory tag)$(params.TAG_SUFFIX)" | tee "$(results.IMAGE_TAG.path)"
@@ -15,23 +15,57 @@ spec:
   - name: target-dir
     description: Target directory relative to workspace where to save downloaded blobs.
     type: string
-    default: "source"
+    default: "."
+  - name: SOURCE_ARTIFACT
+    description: The Trusted Artifact URI pointing to the artifact with
+      the application source code. This should be the result of the git-clone task,
+      results from other tasks might fail as dirty.
+    type: string
+  - name: ociStorage
+    description: The OCI repository where the Trusted Artifacts are stored.
+    type: string
+  - name: ociArtifactExpiresAfter
+    description: Expiration date for the trusted artifacts created in the
+      OCI repository.
+    type: string
   results:
+  - name: SOURCE_ARTIFACT
+    description: The Trusted Artifact URI pointing to the artifact with the application source code
+      and additional smuggled activation key.
+    type: string
+  volumes:
+  - name: workdir
+    emptyDir: { }
+  stepTemplate:
+    volumeMounts:
+    - mountPath: /var/workdir
+      name: workdir
   steps:
+  - name: use-trusted-artifact
+    image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a
+    args:
+    - use
+    - $(params.SOURCE_ARTIFACT)=/var/workdir/source
   - name: fetch-scanner-data
     image: registry.access.redhat.com/ubi8/ubi-minimal:latest
     # The only functioning way to pass array parameter that I found is through args array.
     # Array params have weird limitations, see https://github.com/tektoncd/pipeline/blob/main/docs/tasks.md#substituting-array-parameters
     # Attempts to pass this in other places result in webhook errors and pipeline not starting.
     args: [ "$(params.blobs-to-fetch[*])" ]
+    workingDir: /var/workdir/source
     script: |
       #!/usr/bin/env bash
       set -euo pipefail
-      exec "$(workspaces.source.path)/source/scripts/konflux/fetch-scanner-data.sh" \
-                  "$(workspaces.source.path)/$(params.target-dir)" \
-                  "$@"
+      scripts/konflux/fetch-scanner-data.sh "$(params.target-dir)" "$@"
     # It should not take long to download blobs otherwise there's something odd going on.
     timeout: 10m
-  workspaces:
-  - name: source
-    description: Workspace with the source code.
+  - name: create-trusted-artifact
+    image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a
+    args:
+    - create
+    - --store
+    - $(params.ociStorage)
+    - $(results.SOURCE_ARTIFACT.path)=/var/workdir/source
+    env:
+    - name: IMAGE_EXPIRES_AFTER
+      value: $(params.ociArtifactExpiresAfter)
@@ -77,5 +77,9 @@ spec:
         requests:
           cpu: 1
 
+  # Multiarch builds sometimes make the pipeline timeout after 1h.
+  timeouts:
+    pipeline: 1h30m0s
+
   pipelineRef:
     name: scanner-component-pipeline