From 129c53508f087c4373fc2f4f4ffc9aa5033fc4b8 Mon Sep 17 00:00:00 2001 From: red-hat-konflux Date: Tue, 14 Jan 2025 11:40:04 +0000 Subject: [PATCH 1/2] Red Hat Konflux update rh-syft Signed-off-by: red-hat-konflux --- .tekton/rh-syft-pull-request.yaml | 422 +++++++++++++++++++++--------- .tekton/rh-syft-push.yaml | 418 ++++++++++++++++++++--------- 2 files changed, 592 insertions(+), 248 deletions(-) diff --git a/.tekton/rh-syft-pull-request.yaml b/.tekton/rh-syft-pull-request.yaml index a5991f9e7..9c3a96123 100644 --- a/.tekton/rh-syft-pull-request.yaml +++ b/.tekton/rh-syft-pull-request.yaml @@ -7,7 +7,8 @@ metadata: build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' build.appstudio.redhat.com/target_branch: '{{target_branch}}' pipelinesascode.tekton.dev/max-keep-runs: "3" - pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "redhat-latest" + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "redhat-latest" creationTimestamp: null labels: appstudio.openshift.io/application: rh-syft 
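Review bot: The `on-cel-expression` annotation is now written as a plain multi-line scalar (`event == "pull_request" && target_branch` continued by `== "redhat-latest"` on the next line); YAML folds this back into a single line with one space, so it is semantically equivalent, but a CEL expression wrapped between an operand and its operator is easy to misread and no longer greps as one string. If line length is the concern, prefer an explicit folded scalar, `pipelinesascode.tekton.dev/on-cel-expression: >-` with the expression on the indented line below, or keep it on one line as before. The same wrapping is applied to the push pipeline's annotation in the first hunk of .tekton/rh-syft-push.yaml.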
@@ -17,60 +18,35 @@ metadata: namespace: rhtap-build-tenant spec: params: - - name: dockerfile - value: Dockerfile - name: git-url - value: '{{repo_url}}' - - name: image-expires-after - value: 5d + value: '{{source_url}}' + - name: revision + value: '{{revision}}' - name: output-image value: quay.io/redhat-user-workloads/rhtap-build-tenant/rh-syft/rh-syft:on-pr-{{revision}} + - name: image-expires-after + value: 5d + - name: dockerfile + value: Dockerfile - name: path-context value: . - - name: revision - value: '{{revision}}' - # enable hermetic mode with Go module prefetching - - name: hermetic - value: 'true' - - name: prefetch-input - value: '[{"type": "gomod", "path": "."}]' - # enable source container build - - name: build-source-image - value: 'true' pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. 
+ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ finally: - name: show-sbom params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) taskRef: params: - name: name value: show-sbom - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:8062d5b13b5236030407cbd620a75cb7c091f43be178eeefea58d2e3dddcaa74 - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - workspaces: - - name: workspace - workspace: workspace - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:716d50d6f79c119e729a41ddf4eca7ddc521dbfb32cc10c7e1ef1942da887e26 + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0 - name: kind value: task resolver: bundles @@ -86,11 +62,13 @@ spec: name: output-image type: string - default: . - description: Path to the source code of an application's component from where to build image. + description: Path to the source code of an application's component from where + to build image. name: path-context type: string - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter path-context + description: Path to the Dockerfile inside the context specified by parameter + path-context name: dockerfile type: string - default: "false" 
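Review bot: The PipelineRun no longer overrides `hermetic`, `prefetch-input` and `build-source-image` under `spec.params`, so the pipeline-level defaults apply (`build-source-image` is declared with `default: "false"` in the params hunk that follows, and the other two presumably default off as well): the Go module prefetch, the hermetic build and the source-container image this repository previously asked for are silently lost. Unless the remaining patch of this series restores them, the three entries should be re-added; the same removal appears in .tekton/rh-syft-push.yaml in the hunk covering its `spec: params:`. Note also that a later hunk drops the `when` guard on `$(params.hermetic)` from `prefetch-dependencies`, so that task now always runs — confirm that an empty `prefetch-input` is a harmless no-op for `prefetch-dependencies-oci-ta`.
```yaml
spec:
  params:
    # … unchanged: git-url, revision, output-image, image-expires-after, dockerfile, path-context …
    # enable hermetic mode with Go module prefetching
    - name: hermetic
      value: 'true'
    - name: prefetch-input
      value: '[{"type": "gomod", "path": "."}]'
    # enable source container build
    - name: build-source-image
      value: 'true'
```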
@@ -109,24 +87,33 @@ spec: description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - - default: "false" - description: Java build - name: java - type: string - default: "" - description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after - default: "false" description: Build a source image. name: build-source-image type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string results: - description: "" name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - description: "" name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - description: "" name: CHAINS-GIT_URL value: $(tasks.clone-repository.results.url) @@ -147,7 +134,7 @@ spec: - name: name value: init - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:ad2c6461433b867a5b8c5243048014f71295f4f7b0b684e6289246e37f698204 + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:90dda596d44b3f861889da2fba161dff34c6116fe76c3989e3f84262ea0f29cd - name: kind value: task resolver: bundles 
@@ -157,23 +144,18 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) - # test fixtures include symlinks that point outside the repo - - name: enableSymlinkCheck - value: 'false' - # tags are crucial for determining versions - - name: fetchTags - value: 'true' - # tags don't work with a shallow clone, do a full clone - - name: depth - value: '0' + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - init taskRef: params: - name: name - value: git-clone + value: git-clone-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:a3e22f57fbf8398fbe93fbeeb38e03756cd073182d6d109fe8e8cde57b561603 + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:f72fcca6732516339d55ac5f01660e287968e64e857a40a8608db27e298b5126 - name: kind value: task resolver: bundles 
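Review bot: The `clone-repository` call drops `fetchTags: 'true'`, `depth: '0'` and `enableSymlinkCheck: 'false'` without carrying them over to `git-clone-oci-ta`; the removed comments state that tags are how the build determines versions and that test fixtures contain symlinks pointing outside the repo, so a shallow, tag-less clone will likely change the produced version string and the default symlink check may fail the clone. The same three parameters are removed from the push pipeline in the matching hunk of .tekton/rh-syft-push.yaml. If the `-oci-ta` variant accepts these parameters — the name suggests the same task backed by OCI trusted artifacts, but confirm against the referenced bundle — re-add them alongside `ociStorage`.
```yaml
    - name: revision
      value: $(params.revision)
    # test fixtures include symlinks that point outside the repo
    - name: enableSymlinkCheck
      value: 'false'
    # tags are crucial for determining versions
    - name: fetchTags
      value: 'true'
    # tags don't work with a shallow clone, do a full clone
    - name: depth
      value: '0'
    # … unchanged: ociStorage, ociArtifactExpiresAfter, runAfter, taskRef …
```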
@@ -183,33 +165,34 @@ spec: values: - "true" workspaces: - - name: output - workspace: workspace - name: basic-auth workspace: git-auth - name: prefetch-dependencies params: - name: input value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - clone-repository taskRef: params: - name: name - value: prefetch-dependencies + value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:d1a7af2e0696f1d36dc722d770ca7c29c075c8a03a1fbc8f687447816042abd6 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:994f816e36ac832f4020647afd69223a015c84c503f925013c573fed52f05420 - name: kind value: task resolver: bundles - when: - - input: $(params.hermetic) - operator: in - values: - - "true" workspaces: - - name: source - workspace: workspace + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc - name: build-container params: - name: IMAGE 
@@ -226,14 +209,52 @@ spec: value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - prefetch-dependencies taskRef: params: - name: name - value: buildah + value: buildah-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.3@sha256:260c7ab23046b57cc88e40900403aa5e5cf0eaec69e445bc1b09f8016b6c925e + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.3@sha256:11b9ce26fd2933ccc81ca3f983e094ec54326a2e0aaf8bdcc4c0b8fea1a42c53 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:479775c8655d815fb515aeb97efc0e64284a8520c452754981970900b937a393 - name: kind value: task resolver: bundles 
@@ -242,21 +263,22 @@ spec: operator: in values: - "true" - workspaces: - - name: source - workspace: workspace - name: build-source-image params: - name: BINARY_IMAGE value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - - build-container + - build-image-index taskRef: params: - name: name - value: source-build + value: source-build-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:67554fe0d804396b373ed0be25ea432f8de02b2af6100e39d998783ac0bebe5c + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:75e882bf1619dd45a4043060ce42a6ad3ce781264ade5b7f66a1d994ee159126 - name: kind value: task resolver: bundles @@ -269,23 +291,20 @@ spec: operator: in values: - "true" - workspaces: - - name: workspace - workspace: workspace - name: deprecated-base-image-check params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: deprecated-image-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:785041d12054bd66ef0e2d5f30f18520246a463b3dde51612eff4758eb2dfa66 + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:650330fde0773f73f6bac77ae573031c44c79165d9503b0d5ec1db3e6ef981d7 - name: kind value: task resolver: bundles 
@@ -297,17 +316,17 @@ spec: - name: clair-scan params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: clair-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.2@sha256:c2c88e251702dcf0db4a0ce0a8053c51aa1a2f7329defa9bb6ce4121c506dd55 + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:907f11c67b0330480cbf85c23b1085acc5a049ab90af980169251860a3d97ef7 - name: kind value: task resolver: bundles 
@@ -316,22 +335,44 @@ spec: operator: in values: - "false" - - name: sast-snyk-check + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:df8a25a3431a70544172ed4844f9d0c6229d39130633960729f825a031a7dea9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check params: - - name: ARGS - value: --report --project-name=redhat-appstudio/rh-syft - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index taskRef: params: - name: name - value: sast-snyk-check + value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.3@sha256:dc6c765e0012a049e568319c8f2a7ba2fc98068fcde3ef4b7e3036d41c69fc89 + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:af93b35e6e71a6ff7f3785ad8d8497b11204a5c0c33ab1a78b44f9d43f49c7a5 - name: kind value: task resolver: bundles 
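Review bot: The `sast-snyk-check` task loses its `ARGS` parameter (`--report --project-name=redhat-appstudio/rh-syft`) in this hunk while the rest of the call is carried over to `sast-snyk-check-oci-ta`; if the new task still accepts `ARGS`, Snyk results will no longer be reported under the project name the team tracks. Either restore `- name: ARGS` / `value: --report --project-name=redhat-appstudio/rh-syft` under its `params`, or state in the commit description that reporting is intentionally dropped. The push pipeline's matching hunk in .tekton/rh-syft-push.yaml has the same removal.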
@@ -340,23 +381,20 @@ spec: operator: in values: - "false" - workspaces: - - name: workspace - workspace: workspace - name: clamav-scan params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: clamav-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.2@sha256:070615d706ffde2722c94de3c4e4c1b39a8d36aaef0e933b2b7ce9f1754789bf + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:c12e7a774bb07ad2796c01071b0dc0f199111b0ee99c45b55fa599e23b200bae - name: kind value: task resolver: bundles 
@@ -365,20 +403,164 @@ spec: operator: in values: - "false" - - name: sbom-json-check + - name: sast-coverity-check params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.1@sha256:fde1e556e69b8293a38d815473040f0d1ee3567c520c52cb1bd4ea712c715b4f + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check-oci-ta:0.1@sha256:18c1c2665cdb10ca589f69f75f2bb49758f9ed75b69a9171d562856dec3cfd76 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: 
$(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:7553ec6925d0586b286502669b8e31a39dc73501f657426bac99019ac598d6ab + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:7553ec6925d0586b286502669b8e31a39dc73501f657426bac99019ac598d6ab + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:2c2d88c07623b2d25163994ded6e9f29205ea5bbab090f4c86379739940028b9 + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: 
CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) runAfter: - - build-container + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:98ccae6ac132ab837fc51a70514be5fca656e09d6d4ad93230bd10f0119258aa + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index taskRef: params: - name: name - value: sbom-json-check + value: rpms-signature-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.2@sha256:41b312164e423767b5b0bf2bdbaa81f564356a7f8499f5ef0a809c0da0798ca8 + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:39cd56ffa26ff5edfd5bf9b61e902cae35a345c078cd9dcbc0737d30f3ce5ef1 - name: kind value: task resolver: bundles @@ -388,22 +570,12 @@ spec: values: - "false" workspaces: - - name: workspace - name: git-auth optional: true + - name: netrc + optional: true taskRunTemplate: {} workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - name: git-auth secret: secretName: '{{ git_auth_secret }}' diff --git a/.tekton/rh-syft-push.yaml b/.tekton/rh-syft-push.yaml index 8fa767057..889c2891a 100644 --- a/.tekton/rh-syft-push.yaml +++ b/.tekton/rh-syft-push.yaml 
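Review bot: The new `sast-unicode-check` task points its `taskRef` at `sast-shell-check-oci-ta` with the very same bundle digest as the `sast-shell-check` task defined just above it, so the unicode check never runs and the shell check runs twice under a different name. It should reference the unicode-check task's own bundle, e.g. `value: sast-unicode-check-oci-ta` and `value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:<VERSION>@sha256:<DIGEST-FROM-CATALOG>` (placeholders — take the pinned version and digest from the Konflux task catalog). The push pipeline's version of this task lies outside this excerpt and should be checked for the same copy-paste slip.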
@@ -6,7 +6,8 @@ metadata: build.appstudio.redhat.com/commit_sha: '{{revision}}' build.appstudio.redhat.com/target_branch: '{{target_branch}}' pipelinesascode.tekton.dev/max-keep-runs: "3" - pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "redhat-latest" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch + == "redhat-latest" creationTimestamp: null labels: appstudio.openshift.io/application: rh-syft 
@@ -16,58 +17,33 @@ metadata: namespace: rhtap-build-tenant spec: params: - - name: dockerfile - value: Dockerfile - name: git-url - value: '{{repo_url}}' + value: '{{source_url}}' + - name: revision + value: '{{revision}}' - name: output-image value: quay.io/redhat-user-workloads/rhtap-build-tenant/rh-syft/rh-syft:{{revision}} + - name: dockerfile + value: Dockerfile - name: path-context value: . - - name: revision - value: '{{revision}}' - # enable hermetic mode with Go module prefetching - - name: hermetic - value: 'true' - - name: prefetch-input - value: '[{"type": "gomod", "path": "."}]' - # enable source container build - - name: build-source-image - value: 'true' pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. 
+ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ finally: - name: show-sbom params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) taskRef: params: - name: name value: show-sbom - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-show-sbom:0.1@sha256:8062d5b13b5236030407cbd620a75cb7c091f43be178eeefea58d2e3dddcaa74 - - name: kind - value: task - resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - workspaces: - - name: workspace - workspace: workspace - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:716d50d6f79c119e729a41ddf4eca7ddc521dbfb32cc10c7e1ef1942da887e26 + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0 - name: kind value: task resolver: bundles @@ -83,11 +59,13 @@ spec: name: output-image type: string - default: . - description: Path to the source code of an application's component from where to build image. + description: Path to the source code of an application's component from where + to build image. name: path-context type: string - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter path-context + description: Path to the Dockerfile inside the context specified by parameter + path-context name: dockerfile type: string - default: "false" 
@@ -106,24 +84,33 @@ spec: description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - - default: "false" - description: Java build - name: java - type: string - default: "" - description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after - default: "false" description: Build a source image. name: build-source-image type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string results: - description: "" name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - description: "" name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - description: "" name: CHAINS-GIT_URL value: $(tasks.clone-repository.results.url) @@ -144,7 +131,7 @@ spec: - name: name value: init - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-init:0.2@sha256:ad2c6461433b867a5b8c5243048014f71295f4f7b0b684e6289246e37f698204 + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:90dda596d44b3f861889da2fba161dff34c6116fe76c3989e3f84262ea0f29cd - name: kind value: task resolver: bundles 
@@ -154,23 +141,18 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) - # test fixtures include symlinks that point outside the repo - - name: enableSymlinkCheck - value: 'false' - # tags are crucial for determining versions - - name: fetchTags - value: 'true' - # tags don't work with a shallow clone, do a full clone - - name: depth - value: '0' + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - init taskRef: params: - name: name - value: git-clone + value: git-clone-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:a3e22f57fbf8398fbe93fbeeb38e03756cd073182d6d109fe8e8cde57b561603 + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:f72fcca6732516339d55ac5f01660e287968e64e857a40a8608db27e298b5126 - name: kind value: task resolver: bundles 
@@ -180,33 +162,34 @@ spec: values: - "true" workspaces: - - name: output - workspace: workspace - name: basic-auth workspace: git-auth - name: prefetch-dependencies params: - name: input value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - clone-repository taskRef: params: - name: name - value: prefetch-dependencies + value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:d1a7af2e0696f1d36dc722d770ca7c29c075c8a03a1fbc8f687447816042abd6 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:994f816e36ac832f4020647afd69223a015c84c503f925013c573fed52f05420 - name: kind value: task resolver: bundles - when: - - input: $(params.hermetic) - operator: in - values: - - "true" workspaces: - - name: source - workspace: workspace + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc - name: build-container params: - name: IMAGE 
@@ -223,14 +206,52 @@ spec: value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - prefetch-dependencies taskRef: params: - name: name - value: buildah + value: buildah-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.3@sha256:260c7ab23046b57cc88e40900403aa5e5cf0eaec69e445bc1b09f8016b6c925e + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.3@sha256:11b9ce26fd2933ccc81ca3f983e094ec54326a2e0aaf8bdcc4c0b8fea1a42c53 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:479775c8655d815fb515aeb97efc0e64284a8520c452754981970900b937a393 - name: kind value: task resolver: bundles 
@@ -239,21 +260,22 @@ spec: operator: in values: - "true" - workspaces: - - name: source - workspace: workspace - name: build-source-image params: - name: BINARY_IMAGE value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - - build-container + - build-image-index taskRef: params: - name: name - value: source-build + value: source-build-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:67554fe0d804396b373ed0be25ea432f8de02b2af6100e39d998783ac0bebe5c + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:75e882bf1619dd45a4043060ce42a6ad3ce781264ade5b7f66a1d994ee159126 - name: kind value: task resolver: bundles @@ -266,23 +288,20 @@ spec: operator: in values: - "true" - workspaces: - - name: workspace - workspace: workspace - name: deprecated-base-image-check params: - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: deprecated-image-check - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.4@sha256:785041d12054bd66ef0e2d5f30f18520246a463b3dde51612eff4758eb2dfa66 + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:650330fde0773f73f6bac77ae573031c44c79165d9503b0d5ec1db3e6ef981d7 - name: kind value: task resolver: bundles 
@@ -294,17 +313,17 @@ spec: - name: clair-scan params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: clair-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clair-scan:0.2@sha256:c2c88e251702dcf0db4a0ce0a8053c51aa1a2f7329defa9bb6ce4121c506dd55 + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:907f11c67b0330480cbf85c23b1085acc5a049ab90af980169251860a3d97ef7 - name: kind value: task resolver: bundles 
@@ -313,22 +332,44 @@ spec: operator: in values: - "false" - - name: sast-snyk-check + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:df8a25a3431a70544172ed4844f9d0c6229d39130633960729f825a031a7dea9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check params: - - name: ARGS - value: --report --project-name=redhat-appstudio/rh-syft - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index taskRef: params: - name: name - value: sast-snyk-check + value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.3@sha256:dc6c765e0012a049e568319c8f2a7ba2fc98068fcde3ef4b7e3036d41c69fc89 + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:af93b35e6e71a6ff7f3785ad8d8497b11204a5c0c33ab1a78b44f9d43f49c7a5 - name: kind value: task resolver: bundles 
@@ -337,23 +378,20 @@ spec: operator: in values: - "false" - workspaces: - - name: workspace - workspace: workspace - name: clamav-scan params: - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - - build-container + - build-image-index taskRef: params: - name: name value: clamav-scan - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.2@sha256:070615d706ffde2722c94de3c4e4c1b39a8d36aaef0e933b2b7ce9f1754789bf + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:c12e7a774bb07ad2796c01071b0dc0f199111b0ee99c45b55fa599e23b200bae - name: kind value: task resolver: bundles 
@@ -362,20 +400,164 @@ spec: operator: in values: - "false" - - name: sbom-json-check + - name: sast-coverity-check params: - - name: IMAGE_URL - value: $(tasks.build-container.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.1@sha256:fde1e556e69b8293a38d815473040f0d1ee3567c520c52cb1bd4ea712c715b4f + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check-oci-ta:0.1@sha256:18c1c2665cdb10ca589f69f75f2bb49758f9ed75b69a9171d562856dec3cfd76 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: 
$(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:7553ec6925d0586b286502669b8e31a39dc73501f657426bac99019ac598d6ab + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:7553ec6925d0586b286502669b8e31a39dc73501f657426bac99019ac598d6ab + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:2c2d88c07623b2d25163994ded6e9f29205ea5bbab090f4c86379739940028b9 + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST - value: $(tasks.build-container.results.IMAGE_DIGEST) + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: 
CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) runAfter: - - build-container + - build-image-index taskRef: params: - name: name - value: sbom-json-check + value: push-dockerfile-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.2@sha256:41b312164e423767b5b0bf2bdbaa81f564356a7f8499f5ef0a809c0da0798ca8 + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:98ccae6ac132ab837fc51a70514be5fca656e09d6d4ad93230bd10f0119258aa + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:39cd56ffa26ff5edfd5bf9b61e902cae35a345c078cd9dcbc0737d30f3ce5ef1 - name: kind value: task resolver: bundles @@ -385,22 +567,12 @@ spec: values: - "false" workspaces: - - name: workspace - name: git-auth optional: true + - name: netrc + optional: true taskRunTemplate: {} workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - name: git-auth secret: secretName: '{{ git_auth_secret }}' From 3575f86dfd2a1c84875a282f39a09b1403469201 Mon Sep 17 00:00:00 2001 From: Mykola Morhun Date: Tue, 14 Jan 2025 13:59:11 +0200 Subject: [PATCH 2/2] Customize build pipelines --- .tekton/rh-syft-pull-request.yaml | 19 +++++++++++++++++++ .tekton/rh-syft-push.yaml | 19 +++++++++++++++++++ 2 files changed, 38 insertions(+) diff --git a/.tekton/rh-syft-pull-request.yaml b/.tekton/rh-syft-pull-request.yaml index 9c3a96123..60a274090 100644 
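Review bot: The new `sast-unicode-check` task in this hunk points its taskRef at the shell-check bundle (`value: sast-shell-check-oci-ta` and `task-sast-shell-check-oci-ta:0.1@sha256:7553ec…`), so the pipeline runs the shell check twice and never runs a unicode (bidi/homoglyph) scan at all; the ref should read `value: sast-unicode-check-oci-ta` with the bundle `quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.1@sha256:<digest of the published bundle>`, pinned by digest like every other task here. Its param list (image-url only, no image-digest) also differs from its SAST siblings, which is worth checking against that task's declared params once the ref is corrected. The hunk also drops `sbom-json-check` without a visible replacement; if SBOM validation now happens inside the buildah task or in EC policy, a one-line comment saying so would spare the next reader the search. The `rpms-signature-scan` entry at the end of the hunk continues (its `when` clause) outside it.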
--- a/.tekton/rh-syft-pull-request.yaml +++ b/.tekton/rh-syft-pull-request.yaml @@ -22,6 +22,14 @@ spec: value: '{{source_url}}' - name: revision value: '{{revision}}' + # enable hermetic mode with Go module prefetching + - name: hermetic + value: 'true' + - name: prefetch-input + value: '[{"type": "gomod", "path": "."}]' + # enable source container build + - name: build-source-image + value: 'true' - name: output-image value: quay.io/redhat-user-workloads/rhtap-build-tenant/rh-syft/rh-syft:on-pr-{{revision}} - name: image-expires-after @@ -144,6 +152,15 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) + # test fixtures include symlinks that point outside the repo + - name: enableSymlinkCheck + value: 'false' + # tags are crucial for determining versions + - name: fetchTags + value: 'true' + # tags don't work with a shallow clone, do a full clone + - name: depth + value: '0' - name: ociStorage value: $(params.output-image).git - name: ociArtifactExpiresAfter @@ -365,6 +382,8 @@ spec: value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + - name: ARGS + value: --report --project-name=redhat-appstudio/rh-syft runAfter: - build-image-index taskRef: diff --git a/.tekton/rh-syft-push.yaml b/.tekton/rh-syft-push.yaml index 889c2891a..734392822 100644 --- a/.tekton/rh-syft-push.yaml +++ b/.tekton/rh-syft-push.yaml @@ -21,6 +21,14 @@ spec: value: '{{source_url}}' - name: revision value: '{{revision}}' + # enable hermetic mode with Go module prefetching + - name: hermetic + value: 'true' + - name: prefetch-input + value: '[{"type": "gomod", "path": "."}]' + # enable source container build + - name: build-source-image + value: 'true' - name: output-image value: quay.io/redhat-user-workloads/rhtap-build-tenant/rh-syft/rh-syft:{{revision}} - name: dockerfile 
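Review bot: `enableSymlinkCheck: 'false'` on the clone task switches off the only guard against checked-out symlinks that resolve outside the workspace, and it does so for the whole clone rather than for the test fixtures the comment cites, so every downstream consumer of SOURCE_ARTIFACT (prefetch, source-build, the SAST tasks, buildah's build context) may follow those links into whatever the task's filesystem exposes. If the fixtures live under a known directory, name it and confirm it is kept out of the image build context, e.g. `# symlink check disabled because test fixtures under <dir> link outside the repo; that dir is excluded from the build context via .containerignore` — such an exclusion is not visible in this diff, so treat it as something to verify rather than assume. The clone task this hunk edits begins before the hunk, and the same relaxation is applied unchanged to rh-syft-push.yaml below, where it affects the release build and deserves the same scoping.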
@@ -141,6 +149,15 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) + # test fixtures include symlinks that point outside the repo + - name: enableSymlinkCheck + value: 'false' + # tags are crucial for determining versions + - name: fetchTags + value: 'true' + # tags don't work with a shallow clone, do a full clone + - name: depth + value: '0' - name: ociStorage value: $(params.output-image).git - name: ociArtifactExpiresAfter @@ -362,6 +379,8 @@ spec: value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + - name: ARGS + value: --report --project-name=redhat-appstudio/rh-syft runAfter: - build-image-index taskRef: