diff --git a/.github/renovate.json5 b/.github/renovate.json5
new file mode 100644
index 000000000..75c99c04c
--- /dev/null
+++ b/.github/renovate.json5
@@ -0,0 +1,38 @@
+{
+ // This configures Konflux Renovate bot, the thing that keeps our pipelines use up-to-date tasks.
+
+ // After making changes to this file, you can validate it by running something like this in the root of the repo:
+ // $ docker run --rm -it --entrypoint=/usr/local/bin/renovate-config-validator -v "$(pwd)":/mnt -w /mnt renovate/renovate --strict
+ // There are more validation options, see https://docs.renovatebot.com/config-validation/
+
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ // This inherits the base Konflux config.
+ // Clickable link https://github.com/konflux-ci/mintmaker/blob/main/config/renovate/renovate.json
+ // The following was used as example (we may want to check it if the base config gets suddenly moved):
+ // https://github.com/enterprise-contract/ec-cli/blob/407847910ad420850385eea1db78e2a2e49c7e25/renovate.json#L1C1-L7C2
+ "github>konflux-ci/mintmaker//config/renovate/renovate.json"
+ ],
+ "timezone": "Etc/UTC",
+ "schedule": [
+ // Allowed syntax: https://docs.renovatebot.com/configuration-options/#schedule
+ // The time was selected (with the help of https://time.fyi/timezones) so that Renovate isn't active during business
+ // hours from Germany to US West Coast. This way, after we merge a PR, a new one does not pop up immediately after
+ // that.
+ "after 3am and before 7am"
+ ],
+ // Tell Renovate not to update PRs when outside of schedule.
+ "updateNotScheduled": false,
+ "dockerfile": {
+ "includePaths": [
+ // Instruct Renovate not try to update Dockerfiles other than konflux.Dockerfile (or konflux.anything.Dockerfile)
+ // to have less PR noise.
+ "**/*konflux*.Dockerfile",
+ ],
+ },
+ "enabledManagers": [
+ // Restrict Renovate focus on Konflux things since we rely on GitHub's dependabot for everything else.
+ "tekton",
+ "dockerfile",
+ ],
+}
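Review bot: The header comment reads `keeps our pipelines use up-to-date tasks`, which does not parse; suggest `// This configures the Konflux Renovate bot, which keeps the tasks our pipelines use up to date.` and, in the includePaths comment, `// Instruct Renovate not to try to update Dockerfiles other than ...`. The documented validation command runs `renovate/renovate` with no tag or digest, so a `--strict` result can differ from one day to the next depending on which image is current; pinning it (placeholder: `renovate/renovate:<version>`) would make the documented check reproducible. The rest of the file reads consistently with its comments, e.g. `"updateNotScheduled": false` matches the sentence above it.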
diff --git a/.tekton/determine-image-tag-oci-ta.yaml b/.tekton/determine-image-tag-oci-ta.yaml
deleted file mode 100644
index a9799a3b0..000000000
--- a/.tekton/determine-image-tag-oci-ta.yaml
+++ /dev/null
@@ -1,44 +0,0 @@
-apiVersion: tekton.dev/v1
-kind: Task
-metadata:
- name: determine-image-tag-oci-ta
- namespace: rh-acs-tenant
-# TODO(ROX-23812): Refactor to a task bundle
-spec:
- description: Determines the tag for the output image using the StackRox convention from 'make tag' output.
- params:
- - name: TAG_SUFFIX
- description: Suffix to append to generated image tag.
- type: string
- - name: SOURCE_ARTIFACT
- description: The Trusted Artifact URI pointing to the artifact with
- the application source code. This should be the result of the git-clone task,
- results from other tasks might fail as dirty.
- type: string
- results:
- - name: IMAGE_TAG
- description: Image Tag determined by custom logic.
- volumes:
- - name: workdir
- emptyDir: {}
- stepTemplate:
- volumeMounts:
- - mountPath: /var/workdir
- name: workdir
- steps:
- - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d
- args:
- - use
- - $(params.SOURCE_ARTIFACT)=/var/workdir/source
- - name: determine-image-tag
- image: registry.access.redhat.com/ubi8:latest
- workingDir: /var/workdir/source
- script: |
- #!/usr/bin/env bash
- set -euo pipefail
- dnf -y upgrade --nobest
- dnf -y install git make
-
- scripts/konflux/fail-build-if-git-is-dirty.sh
- echo -n "$(make --quiet --no-print-directory tag)$(params.TAG_SUFFIX)" | tee "$(results.IMAGE_TAG.path)"
diff --git a/.tekton/determine-image-tag-task.yaml b/.tekton/determine-image-tag-task.yaml
index 0448a03d8..eed357b5d 100644
--- a/.tekton/determine-image-tag-task.yaml
+++ b/.tekton/determine-image-tag-task.yaml
@@ -7,23 +7,38 @@ metadata: spec: description: Determines the tag for the output image using the StackRox convention from 'make tag' output. params: - - name: tag-suffix + - name: TAG_SUFFIX description: Suffix to append to generated image tag. type: string + - name: SOURCE_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with + the application source code. This should be the result of the git-clone task, + results from other tasks might fail as dirty. + type: string results: - - name: image-tag + - name: IMAGE_TAG description: Image Tag determined by custom logic. + volumes: + - name: workdir + emptyDir: { } + stepTemplate: + volumeMounts: + - mountPath: /var/workdir + name: workdir steps: + - name: use-trusted-artifact + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a + args: + - use + - $(params.SOURCE_ARTIFACT)=/var/workdir/source - name: determine-image-tag image: registry.access.redhat.com/ubi8:latest + workingDir: /var/workdir/source script: | #!/usr/bin/env bash set -euo pipefail dnf -y upgrade --nobest dnf -y install git make - cd "$(workspaces.source.path)/source" + scripts/konflux/fail-build-if-git-is-dirty.sh - echo -n "$(make --quiet --no-print-directory tag)$(params.tag-suffix)" | tee "$(results.image-tag.path)" - workspaces: - - name: source - description: The workspace where source code is included. + echo -n "$(make --quiet --no-print-directory tag)$(params.TAG_SUFFIX)" | tee "$(results.IMAGE_TAG.path)" diff --git a/.tekton/fetch-scanner-data-oci-ta-task.yaml b/.tekton/fetch-scanner-data-oci-ta-task.yaml deleted file mode 100644 index bc4ac602f..000000000 --- a/.tekton/fetch-scanner-data-oci-ta-task.yaml +++ /dev/null 
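Review bot: The added volumes entry writes `emptyDir: { }` as a flow mapping with inner spaces, while the deleted determine-image-tag-oci-ta.yaml it replaces wrote `emptyDir: {}`; prefer `emptyDir: {}` here and in the identical addition to fetch-scanner-data-task.yaml. The new use-trusted-artifact step is pinned by digest, but the determine-image-tag step right below it still runs `registry.access.redhat.com/ubi8:latest` followed by `dnf -y upgrade --nobest`, so the step that produces IMAGE_TAG keeps depending on mutable registry and repository content; that is pre-existing, but pinning the image by digest would make the tag computation reproducible and auditable like its sibling step. The spec mapping this hunk edits starts before the hunk.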
@@ -1,71 +0,0 @@
-apiVersion: tekton.dev/v1
-kind: Task
-metadata:
- name: fetch-scanner-data-oci-ta
- namespace: rh-acs-tenant
-# TODO(ROX-22196): Make the task EC-compliant (e.g. move to a bundle)
-spec:
- description: Downloads blobs from definitions.stackrox.io GCloud bucket to be included in Scanner container builds.
- params:
- - name: blobs-to-fetch
- description: |
- List of scanner-data file names to fetch to include in the container build.
- An empty list is allowed which results in no-op.
- type: array
- - name: target-dir
- description: Target directory relative to workspace where to save downloaded blobs.
- type: string
- default: "."
- - name: SOURCE_ARTIFACT
- description: The Trusted Artifact URI pointing to the artifact with
- the application source code. This should be the result of the git-clone task,
- results from other tasks might fail as dirty.
- type: string
- - name: ociStorage
- description: The OCI repository where the Trusted Artifacts are stored.
- type: string
- - name: ociArtifactExpiresAfter
- description: Expiration date for the trusted artifacts created in the
- OCI repository.
- type: string
- results:
- - name: SOURCE_ARTIFACT
- description: The Trusted Artifact URI pointing to the artifact with the application source code
- and additional smuggled activation key.
- type: string
- volumes:
- - name: workdir
- emptyDir: {}
- stepTemplate:
- volumeMounts:
- - mountPath: /var/workdir
- name: workdir
- steps:
- - name: use-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d
- args:
- - use
- - $(params.SOURCE_ARTIFACT)=/var/workdir/source
- - name: fetch-scanner-data
- image: registry.access.redhat.com/ubi8/ubi-minimal:latest
- # The only functioning way to pass array parameter that I found is through args array.
- # Array params have weird limitations, see https://github.com/tektoncd/pipeline/blob/main/docs/tasks.md#substituting-array-parameters
- # Attempts to pass this in other places result in webhook errors and pipeline not starting.
- args: [ "$(params.blobs-to-fetch[*])" ]
- workingDir: /var/workdir/source
- script: |
- #!/usr/bin/env bash
- set -euo pipefail
- scripts/konflux/fetch-scanner-data.sh "$(params.target-dir)" "$@"
- # It should not take long to download blobs otherwise there's something odd going on.
- timeout: 10m
- - name: create-trusted-artifact
- image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d
- args:
- - create
- - --store
- - $(params.ociStorage)
- - $(results.SOURCE_ARTIFACT.path)=/var/workdir/source
- env:
- - name: IMAGE_EXPIRES_AFTER
- value: $(params.ociArtifactExpiresAfter)
diff --git a/.tekton/fetch-scanner-data-task.yaml b/.tekton/fetch-scanner-data-task.yaml
index ea7bfe6eb..32ee2c415 100644
--- a/.tekton/fetch-scanner-data-task.yaml
+++ b/.tekton/fetch-scanner-data-task.yaml
@@ -15,23 +15,57 @@ spec: - name: target-dir description: Target directory relative to workspace where to save downloaded blobs. type: string - default: "source" + default: "." + - name: SOURCE_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with + the application source code. This should be the result of the git-clone task, + results from other tasks might fail as dirty. + type: string + - name: ociStorage + description: The OCI repository where the Trusted Artifacts are stored. + type: string + - name: ociArtifactExpiresAfter + description: Expiration date for the trusted artifacts created in the + OCI repository. + type: string results: + - name: SOURCE_ARTIFACT + description: The Trusted Artifact URI pointing to the artifact with the application source code + and additional smuggled activation key. + type: string + volumes: + - name: workdir + emptyDir: { } + stepTemplate: + volumeMounts: + - mountPath: /var/workdir + name: workdir steps: + - name: use-trusted-artifact + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a + args: + - use + - $(params.SOURCE_ARTIFACT)=/var/workdir/source - name: fetch-scanner-data image: registry.access.redhat.com/ubi8/ubi-minimal:latest # The only functioning way to pass array parameter that I found is through args array. # Array params have weird limitations, see https://github.com/tektoncd/pipeline/blob/main/docs/tasks.md#substituting-array-parameters # Attempts to pass this in other places result in webhook errors and pipeline not starting. 
args: [ "$(params.blobs-to-fetch[*])" ] + workingDir: /var/workdir/source script: | #!/usr/bin/env bash set -euo pipefail - exec "$(workspaces.source.path)/source/scripts/konflux/fetch-scanner-data.sh" \ - "$(workspaces.source.path)/$(params.target-dir)" \ - "$@" + scripts/konflux/fetch-scanner-data.sh "$(params.target-dir)" "$@" # It should not take long to download blobs otherwise there's something odd going on. timeout: 10m - workspaces: - - name: source - description: Workspace with the source code. + - name: create-trusted-artifact + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:601e0999ae062e5ee666538d651af7893a75e415b7952c85caa8a4452501029a + args: + - create + - --store + - $(params.ociStorage) + - $(results.SOURCE_ARTIFACT.path)=/var/workdir/source + env: + - name: IMAGE_EXPIRES_AFTER + value: $(params.ociArtifactExpiresAfter) diff --git a/.tekton/scanner-build.yaml b/.tekton/scanner-build.yaml index 459a75075..4bb0e7139 100644 --- a/.tekton/scanner-build.yaml +++ b/.tekton/scanner-build.yaml @@ -77,5 +77,9 @@ spec: requests: cpu: 1 + # Multiarch builds sometimes make the pipeline timeout after 1h. + timeouts: + pipeline: 1h30m0s + pipelineRef: name: scanner-component-pipeline diff --git a/.tekton/scanner-component-pipeline.yaml b/.tekton/scanner-component-pipeline.yaml index c012469fa..7669a87a7 100644 --- a/.tekton/scanner-component-pipeline.yaml +++ b/.tekton/scanner-component-pipeline.yaml 
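Review bot: The added SOURCE_ARTIFACT result is documented as carrying the application source code `and additional smuggled activation key`, but nothing in this task touches an activation key: the visible steps download blobs via fetch-scanner-data.sh and then re-create the artifact from /var/workdir/source. The wording appears carried over from the deleted fetch-scanner-data-oci-ta-task.yaml; suggest `description: The Trusted Artifact URI pointing to the artifact with the application source code and the downloaded scanner-data blobs.` Because this recreated artifact is now the input to prefetch-dependencies and, through it, to every build and scan step, it is worth confirming that fetch-scanner-data.sh verifies what it downloads (checksums or pinned blob versions), since nothing in the task itself does. The spec mapping this hunk edits starts before the hunk.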
@@ -176,14 +176,27 @@ spec: - name: SOURCE_ARTIFACT value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) taskRef: - name: determine-image-tag-oci-ta + name: determine-image-tag + + - name: fetch-scanner-data + params: + - name: blobs-to-fetch + value: [ "$(params.blobs-to-fetch[*])" ] + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image-repo):konflux-$(params.revision).prefetch + - name: ociArtifactExpiresAfter + value: $(params.oci-artifact-expires-after) + taskRef: + name: fetch-scanner-data - name: prefetch-dependencies params: - name: input value: $(params.prefetch-input) - name: SOURCE_ARTIFACT - value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + value: $(tasks.fetch-scanner-data.results.SOURCE_ARTIFACT) - name: ociStorage value: $(params.output-image-repo):konflux-$(params.revision).prefetch - name: ociArtifactExpiresAfter @@ -198,19 +211,6 @@ spec: value: task resolver: bundles - - name: fetch-scanner-data - params: - - name: blobs-to-fetch - value: [ "$(params.blobs-to-fetch[*])" ] - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: ociStorage - value: $(params.output-image-repo):konflux-$(params.revision).prefetch - - name: ociArtifactExpiresAfter - value: $(params.oci-artifact-expires-after) - taskRef: - name: fetch-scanner-data-oci-ta - - name: build-container-amd64 params: - name: IMAGE @@ -233,7 +233,7 @@ spec: value: - SCANNER_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG) - name: SOURCE_ARTIFACT - value: $(tasks.fetch-scanner-data.results.SOURCE_ARTIFACT) + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) taskRef: 
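Review bot: The new fetch-scanner-data entry stores its trusted artifact at `$(params.output-image-repo):konflux-$(params.revision).prefetch`, the same store tag that prefetch-dependencies uses a few lines below in this hunk. If the create step returns digest-qualified URIs this is functionally harmless, but the tag then points at whichever artifact was pushed last and the two artifacts become indistinguishable by tag; a dedicated suffix such as `value: $(params.output-image-repo):konflux-$(params.revision).scanner-data` would keep them apart. The reordering also means prefetch-dependencies now receives an artifact that already contains the externally downloaded blobs, so those blobs flow into every later consumer of SOURCE_ARTIFACT; a one-line comment above the entry stating that this ordering is intentional would save the next reader from reconstructing it from the data flow. The tasks list this hunk edits starts before the hunk.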
@@ -272,7 +272,7 @@ spec: value: - SCANNER_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG) - name: SOURCE_ARTIFACT - value: $(tasks.fetch-scanner-data.results.SOURCE_ARTIFACT) + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - name: PLATFORM @@ -313,7 +313,7 @@ spec: value: - SCANNER_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG) - name: SOURCE_ARTIFACT - value: $(tasks.fetch-scanner-data.results.SOURCE_ARTIFACT) + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - name: PLATFORM @@ -354,7 +354,7 @@ spec: value: - SCANNER_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG) - name: SOURCE_ARTIFACT - value: $(tasks.fetch-scanner-data.results.SOURCE_ARTIFACT) + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - name: PLATFORM 
@@ -381,25 +381,25 @@ spec: value: $(tasks.clone-repository.results.commit) - name: IMAGES value: - - $(tasks.build-container-amd64.results.IMAGE_REF) - - $(tasks.build-container-s390x.results.IMAGE_REF) - - $(tasks.build-container-ppc64le.results.IMAGE_REF) - - $(tasks.build-container-arm64.results.IMAGE_REF) + - $(tasks.build-container-amd64.results.IMAGE_REF) + - $(tasks.build-container-s390x.results.IMAGE_REF) + - $(tasks.build-container-ppc64le.results.IMAGE_REF) + - $(tasks.build-container-arm64.results.IMAGE_REF) - name: IMAGE_EXPIRES_AFTER value: $(params.image-expires-after) taskRef: params: - - name: name - value: build-image-manifest - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:fd0a0cf019621d6b577f1b9ab774bb1832f7cba61b4ceee2fd1bffc96895abf9 - - name: kind - value: task + - name: name + value: build-image-manifest + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:fd0a0cf019621d6b577f1b9ab774bb1832f7cba61b4ceee2fd1bffc96895abf9 + - name: kind + value: task resolver: bundles when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] - name: build-image-manifest-konflux params: 
@@ -409,32 +409,32 @@ spec: value: $(tasks.clone-repository.results.commit) - name: IMAGES value: - - $(tasks.build-container-amd64.results.IMAGE_REF) - - $(tasks.build-container-s390x.results.IMAGE_REF) - - $(tasks.build-container-ppc64le.results.IMAGE_REF) - - $(tasks.build-container-arm64.results.IMAGE_REF) + - $(tasks.build-container-amd64.results.IMAGE_REF) + - $(tasks.build-container-s390x.results.IMAGE_REF) + - $(tasks.build-container-ppc64le.results.IMAGE_REF) + - $(tasks.build-container-arm64.results.IMAGE_REF) - name: IMAGE_EXPIRES_AFTER value: $(params.image-expires-after) taskRef: params: - - name: name - value: build-image-manifest - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:fd0a0cf019621d6b577f1b9ab774bb1832f7cba61b4ceee2fd1bffc96895abf9 - - name: kind - value: task + - name: name + value: build-image-manifest + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:fd0a0cf019621d6b577f1b9ab774bb1832f7cba61b4ceee2fd1bffc96895abf9 + - name: kind + value: task resolver: bundles when: - - input: $(tasks.init.results.build) - operator: in - values: [ "true" ] + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] - name: build-source-image params: - name: BINARY_IMAGE value: $(tasks.build-container-amd64.results.IMAGE_URL) - name: SOURCE_ARTIFACT - value: $(tasks.fetch-scanner-data.results.SOURCE_ARTIFACT) + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) taskRef: @@ -556,8 +556,8 @@ spec: - name: sast-snyk-check params: - - name: SOURCE_ARTIFACT - value: $(tasks.fetch-scanner-data.results.SOURCE_ARTIFACT) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) taskRef: params: - name: name diff --git a/.tekton/scanner-slim-build.yaml b/.tekton/scanner-slim-build.yaml index c8b102d05..1c74f08ee 100644 
--- a/.tekton/scanner-slim-build.yaml +++ b/.tekton/scanner-slim-build.yaml @@ -77,5 +77,9 @@ spec: requests: cpu: 1 + # Multiarch builds sometimes make the pipeline timeout after 1h. + timeouts: + pipeline: 1h30m0s + pipelineRef: name: scanner-component-pipeline