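--- a/.tekton/scanner-build.yaml
+++ b/.tekton/scanner-build.yaml
@@ -63,20 +63,6 @@ spec:
 secret:
 secretName: '{{ git_auth_secret }}'
 
-taskRunSpecs:
-- pipelineTaskName: build-container-amd64
-stepSpecs:
-# Provision more CPU to speed up build compared to the defaults.
-# https://github.com/redhat-appstudio/build-definitions/blob/main/task/buildah/0.1/buildah.yaml#L126
-#
-# This is not required for multi-arch builds, because they are performed off cluster
-- name: build
-computeResources:
-limits:
-cpu: 2
-requests:
-cpu: 2
-
 taskRunTemplate:
 serviceAccountName: build-pipeline-scanner-4-7
 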
179 changes: 36 additions & 143 deletions .tekton/scanner-component-pipeline.yaml
@@ -120,6 +120,17 @@ spec:
default: docker
type: string
description: The format for the resulting image's mediaType. Valid values are oci or docker.
- default:
- linux/amd64
- linux/arm64
- linux/ppc64le
- linux/s390x
description: >
List of platforms to build the container images for. The available
set of values is determined by the configuration of the multi-platform-controller
on the cluster: https://konflux.pages.redhat.com/docs/users/getting-started/multi-platform-builds.html
name: build-platforms
type: array
- name: extra-labels
type: array
description: Additional labels to put on the built containers.
@@ -269,146 +280,15 @@ spec:
workspaces:
- name: git-basic-auth
workspace: git-auth
- name: build-container-amd64
params:
- name: IMAGE
value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-amd64
- name: DOCKERFILE
value: $(params.dockerfile)
- name: CONTEXT
value: $(params.path-context)
- name: HERMETIC
value: $(params.hermetic)
- name: PREFETCH_INPUT
value: $(params.prefetch-input)
- name: IMAGE_EXPIRES_AFTER
value: $(tasks.determine-image-expiration.results.IMAGE_EXPIRES_AFTER)
- name: COMMIT_SHA
value: $(tasks.clone-repository.results.commit)
- name: TARGET_STAGE
value: $(params.build-target-stage)
- name: BUILD_ARGS
value:
- SCANNER_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
- name: BUILDAH_FORMAT
value: $(params.buildah-format)
- name: LABELS
value: ["$(params.extra-labels[*])"]
- name: BUILD_TIMESTAMP
value: "$(tasks.clone-repository.results.commit-timestamp)"
taskRef:
- name: build-images
matrix:
params:
- name: name
value: buildah-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.6@sha256:7b4c101b71e48b267079a5b6331d22de0b25e008c9e1dcaca1c41c4312391e39
- name: kind
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values: ["true"]
- name: build-container-s390x
- name: PLATFORM
value:
- $(params.build-platforms)
params:
- name: IMAGE
value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-s390x
- name: DOCKERFILE
value: $(params.dockerfile)
- name: CONTEXT
value: $(params.path-context)
- name: HERMETIC
value: $(params.hermetic)
- name: PREFETCH_INPUT
value: $(params.prefetch-input)
- name: IMAGE_EXPIRES_AFTER
value: $(tasks.determine-image-expiration.results.IMAGE_EXPIRES_AFTER)
- name: COMMIT_SHA
value: $(tasks.clone-repository.results.commit)
- name: TARGET_STAGE
value: $(params.build-target-stage)
- name: BUILD_ARGS
value:
- SCANNER_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
- name: PLATFORM
value: linux/s390x
- name: BUILDAH_FORMAT
value: $(params.buildah-format)
- name: LABELS
value: ["$(params.extra-labels[*])"]
- name: BUILD_TIMESTAMP
value: "$(tasks.clone-repository.results.commit-timestamp)"
taskRef:
params:
- name: name
value: buildah-remote-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.6@sha256:ac05dabe8b6b446f974cf2b6ef1079cfaa9443d7078c2ebe3ec79aa650e1b5b2
- name: kind
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values: ["true"]
- name: build-container-ppc64le
params:
- name: IMAGE
value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-ppc64le
- name: DOCKERFILE
value: $(params.dockerfile)
- name: CONTEXT
value: $(params.path-context)
- name: HERMETIC
value: $(params.hermetic)
- name: PREFETCH_INPUT
value: $(params.prefetch-input)
- name: IMAGE_EXPIRES_AFTER
value: $(tasks.determine-image-expiration.results.IMAGE_EXPIRES_AFTER)
- name: COMMIT_SHA
value: $(tasks.clone-repository.results.commit)
- name: TARGET_STAGE
value: $(params.build-target-stage)
- name: BUILD_ARGS
value:
- SCANNER_TAG=$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
- name: PLATFORM
value: linux/ppc64le
- name: BUILDAH_FORMAT
value: $(params.buildah-format)
- name: LABELS
value: ["$(params.extra-labels[*])"]
- name: BUILD_TIMESTAMP
value: "$(tasks.clone-repository.results.commit-timestamp)"
taskRef:
params:
- name: name
value: buildah-remote-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.6@sha256:ac05dabe8b6b446f974cf2b6ef1079cfaa9443d7078c2ebe3ec79aa650e1b5b2
- name: kind
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values: ["true"]
- name: build-container-arm64
params:
- name: IMAGE
value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)-arm64
value: $(params.output-image-repo):$(tasks.determine-image-tag.results.IMAGE_TAG)
- name: DOCKERFILE
value: $(params.dockerfile)
- name: CONTEXT
@@ -430,8 +310,8 @@ spec:
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
- name: PLATFORM
value: linux/arm64
- name: IMAGE_APPEND_PLATFORM
value: "true"
- name: BUILDAH_FORMAT
value: $(params.buildah-format)
- name: LABELS
@@ -459,14 +339,12 @@ spec:
value: $(tasks.clone-repository.results.commit)
- name: IMAGES
value:
- $(tasks.build-container-amd64.results.IMAGE_REF)
- $(tasks.build-container-s390x.results.IMAGE_REF)
- $(tasks.build-container-ppc64le.results.IMAGE_REF)
- $(tasks.build-container-arm64.results.IMAGE_REF)
- $(tasks.build-images.results.IMAGE_REF[*])
- name: IMAGE_EXPIRES_AFTER
value: $(tasks.determine-image-expiration.results.IMAGE_EXPIRES_AFTER)
- name: BUILDAH_FORMAT
value: $(params.buildah-format)
runAfter: [ build-images ]
taskRef:
params:
- name: name
@@ -548,6 +426,11 @@ spec:
operator: in
values: ["false"]
- name: clair-scan
matrix:
params:
- name: image-platform
value:
- $(params.build-platforms)
params:
- name: image-digest
value: $(tasks.build-image-index.results.IMAGE_DIGEST)
@@ -567,6 +450,11 @@ spec:
operator: in
values: ["false"]
- name: ecosystem-cert-preflight-checks
matrix:
params:
- name: platform
value:
- $(params.build-platforms)
params:
- name: image-url
value: $(tasks.build-image-index.results.IMAGE_URL)
@@ -653,6 +541,11 @@ spec:
operator: in
values: ["false"]
- name: clamav-scan
matrix:
params:
- name: image-arch
value:
- $(params.build-platforms)
params:
- name: image-digest
value: $(tasks.build-image-index.results.IMAGE_DIGEST)
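Review bot: The new `build-platforms` parameter (hunk at -120,6) is the single source for the `build-images` matrix and for the `clair-scan` (`image-platform`), `ecosystem-cert-preflight-checks` (`platform`) and `clamav-scan` (`image-arch`) matrices, but its description does not mention that coupling. A PipelineRun that overrides it with a shorter list would therefore produce an image index and a scan set that are silently narrower than the four defaults. I would document this by appending to the description something like `The same list drives the clair-scan, ecosystem-cert-preflight-checks and clamav-scan matrices; a platform removed here is neither built nor scanned.` Whether anything downstream verifies the expected architecture set is not visible in this section. Separately, replacing the `-amd64`/`-s390x`/`-ppc64le`/`-arm64` suffixes on `IMAGE` with `IMAGE_APPEND_PLATFORM: "true"` presumably changes the per-architecture tag names, so any consumer that references those tags by name should be checked.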
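--- a/.tekton/scanner-slim-build.yaml
+++ b/.tekton/scanner-slim-build.yaml
@@ -63,20 +63,6 @@ spec:
 secret:
 secretName: '{{ git_auth_secret }}'
 
-taskRunSpecs:
-- pipelineTaskName: build-container-amd64
-stepSpecs:
-# Provision more CPU to speed up build compared to the defaults.
-# https://github.com/redhat-appstudio/build-definitions/blob/main/task/buildah/0.1/buildah.yaml#L126
-#
-# This is not required for multi-arch builds, because they are performed off cluster
-- name: build
-computeResources:
-limits:
-cpu: 2
-requests:
-cpu: 2
-
 taskRunTemplate:
 serviceAccountName: build-pipeline-scanner-slim-4-7
 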