redhat-appstudio · github-actions · Feb 1, 2025
diff --git a/pac/docker-build-rhtap/docker-pull-request.yaml b/pac/docker-build-rhtap/docker-pull-request.yaml
@@ -10,12 +10,16 @@ metadata:
     pipelinesascode.tekton.dev/task-0: "{{values.rawUrl}}/pac/tasks/init.yaml"
     pipelinesascode.tekton.dev/task-1: "{{values.rawUrl}}/pac/tasks/git-clone.yaml"
     pipelinesascode.tekton.dev/task-2: "{{values.rawUrl}}/pac/tasks/buildah-rhtap.yaml"
-    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
-    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
-    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
-    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
-    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
-    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/summary.yaml"
+    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/sast-unicode-check.yaml"
+    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/apply-tags.yaml"
+    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/push-dockerfile.yaml"
+    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/rpms-signature-scan.yaml"
+    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
+    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
+    pipelinesascode.tekton.dev/task-9: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
+    pipelinesascode.tekton.dev/task-10: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
+    pipelinesascode.tekton.dev/task-11: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
+    pipelinesascode.tekton.dev/task-12: "{{values.rawUrl}}/pac/tasks/summary.yaml"
 spec:
   params:
     - name: dockerfile

diff --git a/pac/docker-build-rhtap/docker-push.yaml b/pac/docker-build-rhtap/docker-push.yaml
@@ -10,12 +10,16 @@ metadata:
     pipelinesascode.tekton.dev/task-0: "{{values.rawUrl}}/pac/tasks/init.yaml"
     pipelinesascode.tekton.dev/task-1: "{{values.rawUrl}}/pac/tasks/git-clone.yaml"
     pipelinesascode.tekton.dev/task-2: "{{values.rawUrl}}/pac/tasks/buildah-rhtap.yaml"
-    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
-    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
-    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
-    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
-    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
-    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/summary.yaml"
+    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/sast-unicode-check.yaml"
+    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/apply-tags.yaml"
+    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/push-dockerfile.yaml"
+    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/rpms-signature-scan.yaml"
+    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
+    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
+    pipelinesascode.tekton.dev/task-9: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
+    pipelinesascode.tekton.dev/task-10: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
+    pipelinesascode.tekton.dev/task-11: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
+    pipelinesascode.tekton.dev/task-12: "{{values.rawUrl}}/pac/tasks/summary.yaml"
 spec:
   params:
     - name: dockerfile

diff --git a/pac/pipelines/docker-build-rhtap.yaml b/pac/pipelines/docker-build-rhtap.yaml
@@ -143,6 +143,62 @@ spec:
       workspaces:
         - name: source
           workspace: workspace
+    - name: sast-unicode-check
+      params:
+        - name: image-url
+          value: $(tasks.build-image-index.results.IMAGE_URL)
+      runAfter:
+        - build-image-index
+      taskRef:
+        name: sast-unicode-check
+      when:
+        - input: $(params.skip-checks)
+          operator: in
+          values:
+            - "false"
+      workspaces:
+        - name: workspace
+          workspace: workspace
+    - name: apply-tags
+      params:
+        - name: IMAGE
+          value: $(tasks.build-image-index.results.IMAGE_URL)
+      runAfter:
+        - build-image-index
+      taskRef:
+        name: apply-tags
+    - name: push-dockerfile
+      params:
+        - name: IMAGE
+          value: $(tasks.build-image-index.results.IMAGE_URL)
+        - name: IMAGE_DIGEST
+          value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+        - name: DOCKERFILE
+          value: $(params.dockerfile)
+        - name: CONTEXT
+          value: $(params.path-context)
+      runAfter:
+        - build-image-index
+      taskRef:
+        name: push-dockerfile
+      workspaces:
+        - name: workspace
+          workspace: workspace
+    - name: rpms-signature-scan
+      params:
+        - name: image-url
+          value: $(tasks.build-image-index.results.IMAGE_URL)
+        - name: image-digest
+          value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+      runAfter:
+        - build-image-index
+      taskRef:
+        name: rpms-signature-scan
+      when:
+        - input: $(params.skip-checks)
+          operator: in
+          values:
+            - "false"
     - name: acs-image-check
       params:
         - name: rox-secret-name

diff --git a/pac/source-repo/docker-pull-request.yaml b/pac/source-repo/docker-pull-request.yaml
@@ -10,12 +10,16 @@ metadata:
     pipelinesascode.tekton.dev/task-0: "{{values.rawUrl}}/pac/tasks/init.yaml"
     pipelinesascode.tekton.dev/task-1: "{{values.rawUrl}}/pac/tasks/git-clone.yaml"
     pipelinesascode.tekton.dev/task-2: "{{values.rawUrl}}/pac/tasks/buildah-rhtap.yaml"
-    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
-    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
-    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
-    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
-    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
-    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/summary.yaml"
+    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/sast-unicode-check.yaml"
+    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/apply-tags.yaml"
+    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/push-dockerfile.yaml"
+    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/rpms-signature-scan.yaml"
+    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
+    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
+    pipelinesascode.tekton.dev/task-9: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
+    pipelinesascode.tekton.dev/task-10: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
+    pipelinesascode.tekton.dev/task-11: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
+    pipelinesascode.tekton.dev/task-12: "{{values.rawUrl}}/pac/tasks/summary.yaml"
 spec:
   params:
     - name: dockerfile

diff --git a/pac/source-repo/docker-push.yaml b/pac/source-repo/docker-push.yaml
@@ -10,12 +10,16 @@ metadata:
     pipelinesascode.tekton.dev/task-0: "{{values.rawUrl}}/pac/tasks/init.yaml"
     pipelinesascode.tekton.dev/task-1: "{{values.rawUrl}}/pac/tasks/git-clone.yaml"
     pipelinesascode.tekton.dev/task-2: "{{values.rawUrl}}/pac/tasks/buildah-rhtap.yaml"
-    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
-    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
-    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
-    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
-    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
-    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/summary.yaml"
+    pipelinesascode.tekton.dev/task-3: "{{values.rawUrl}}/pac/tasks/sast-unicode-check.yaml"
+    pipelinesascode.tekton.dev/task-4: "{{values.rawUrl}}/pac/tasks/apply-tags.yaml"
+    pipelinesascode.tekton.dev/task-5: "{{values.rawUrl}}/pac/tasks/push-dockerfile.yaml"
+    pipelinesascode.tekton.dev/task-6: "{{values.rawUrl}}/pac/tasks/rpms-signature-scan.yaml"
+    pipelinesascode.tekton.dev/task-7: "{{values.rawUrl}}/pac/tasks/acs-image-check.yaml"
+    pipelinesascode.tekton.dev/task-8: "{{values.rawUrl}}/pac/tasks/acs-image-scan.yaml"
+    pipelinesascode.tekton.dev/task-9: "{{values.rawUrl}}/pac/tasks/acs-deploy-check.yaml"
+    pipelinesascode.tekton.dev/task-10: "{{values.rawUrl}}/pac/tasks/update-deployment.yaml"
+    pipelinesascode.tekton.dev/task-11: "{{values.rawUrl}}/pac/tasks/show-sbom-rhdh.yaml"
+    pipelinesascode.tekton.dev/task-12: "{{values.rawUrl}}/pac/tasks/summary.yaml"
 spec:
   params:
     - name: dockerfile

diff --git a/pac/tasks/acs-deploy-check.yaml b/pac/tasks/acs-deploy-check.yaml
@@ -154,7 +154,7 @@ spec:
         fi
 
     - name: report
-      image: registry.access.redhat.com/ubi8-minimal@sha256:7583ca0ea52001562bd81a961da3f75222209e6192e4e413ee226cff97dbd48c
+      image: registry.access.redhat.com/ubi8-minimal@sha256:d16d4445b1567f29449fba3b6d2bc37db467dc3067d33e940477e55aecdf6e8e
       volumeMounts:
         - name: repository
           mountPath: /workspace/repository

diff --git a/pac/tasks/acs-image-check.yaml b/pac/tasks/acs-image-check.yaml
@@ -53,7 +53,7 @@ spec:
         oc annotate taskrun $(context.taskRun.name) task.output.location=logs
 
     - name: rox-image-check
-      image: registry.access.redhat.com/ubi8-minimal@sha256:7583ca0ea52001562bd81a961da3f75222209e6192e4e413ee226cff97dbd48c
+      image: registry.access.redhat.com/ubi8-minimal@sha256:d16d4445b1567f29449fba3b6d2bc37db467dc3067d33e940477e55aecdf6e8e
       volumeMounts:
         - name: rox-secret
           mountPath: /rox-secret
@@ -121,7 +121,7 @@ spec:
         cp roxctl_image_check_output.json /steps-shared-folder/acs-image-check.json
 
     - name: report
-      image: registry.access.redhat.com/ubi8-minimal@sha256:7583ca0ea52001562bd81a961da3f75222209e6192e4e413ee226cff97dbd48c
+      image: registry.access.redhat.com/ubi8-minimal@sha256:d16d4445b1567f29449fba3b6d2bc37db467dc3067d33e940477e55aecdf6e8e
       volumeMounts:
         - name: shared-folder
           mountPath: /steps-shared-folder

diff --git a/pac/tasks/acs-image-scan.yaml b/pac/tasks/acs-image-scan.yaml
@@ -60,7 +60,7 @@ spec:
         oc annotate taskrun $(context.taskRun.name) task.output.location=logs
 
     - name: rox-image-scan
-      image: registry.access.redhat.com/ubi8-minimal@sha256:7583ca0ea52001562bd81a961da3f75222209e6192e4e413ee226cff97dbd48c
+      image: registry.access.redhat.com/ubi8-minimal@sha256:d16d4445b1567f29449fba3b6d2bc37db467dc3067d33e940477e55aecdf6e8e
       volumeMounts:
         - name: rox-secret
           mountPath: /rox-secret
@@ -171,7 +171,7 @@ spec:
         set_test_output_result SUCCESS "$note"
 
     - name: report
-      image: registry.access.redhat.com/ubi8-minimal@sha256:7583ca0ea52001562bd81a961da3f75222209e6192e4e413ee226cff97dbd48c
+      image: registry.access.redhat.com/ubi8-minimal@sha256:d16d4445b1567f29449fba3b6d2bc37db467dc3067d33e940477e55aecdf6e8e
       volumeMounts:
         - name: shared-folder
           mountPath: /steps-shared-folder

diff --git a/pac/tasks/apply-tags.yaml b/pac/tasks/apply-tags.yaml
@@ -0,0 +1,85 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  labels:
+    app.kubernetes.io/version: "0.1"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.12.1"
+    tekton.dev/tags: "konflux"
+  name: apply-tags
+spec:
+  description: >-
+    Applies additional tags to the built image.
+  params:
+  - name: IMAGE
+    description: Reference of image that was pushed to registry in the buildah task.
+    type: string
+  - name: ADDITIONAL_TAGS
+    description: Additional tags that will be applied to the image in the registry.
+    type: array
+    default: []
+  - name: CA_TRUST_CONFIG_MAP_NAME
+    type: string
+    description: The name of the ConfigMap to read CA bundle data from.
+    default: trusted-ca
+  - name: CA_TRUST_CONFIG_MAP_KEY
+    type: string
+    description: The name of the key in the ConfigMap that contains the CA bundle data.
+    default: ca-bundle.crt
+  stepTemplate:
+    volumeMounts:
+      - name: trusted-ca
+        mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
+        subPath: ca-bundle.crt
+        readOnly: true
+  steps:
+    - name: apply-additional-tags-from-parameter
+      image: registry.access.redhat.com/ubi9/skopeo:9.5-1737537999@sha256:b28469b997a6f7ef996859e8d4f4bd25b964084fc2caac23a9c01b8a53adb1d7
+      args:
+        - $(params.ADDITIONAL_TAGS[*])
+      env:
+      - name: IMAGE
+        value: $(params.IMAGE)
+      script: |
+        #!/bin/bash
+
+        if [ "$#" -ne 0 ]; then
+          IMAGE_WITHOUT_TAG=$(echo "$IMAGE" | sed 's/:[^:]*$//')
+          for tag in "$@"; do
+            echo "Applying tag $tag"
+            skopeo copy --multi-arch index-only docker://"$IMAGE" docker://"$IMAGE_WITHOUT_TAG:$tag"
+          done
+        else
+          echo "No additional tags parameter specified"
+        fi
+
+    - name: apply-additional-tags-from-image-label
+      image: registry.access.redhat.com/ubi9/skopeo:9.5-1737537999@sha256:b28469b997a6f7ef996859e8d4f4bd25b964084fc2caac23a9c01b8a53adb1d7
+      env:
+      - name: IMAGE
+        value: $(params.IMAGE)
+      script: |
+        #!/bin/bash
+
+        ADDITIONAL_TAGS_FROM_IMAGE_LABEL=$(skopeo inspect --no-tags --format '{{ index .Labels "konflux.additional-tags" }}' "docker://$IMAGE")
+
+        if [ -n "${ADDITIONAL_TAGS_FROM_IMAGE_LABEL}" ]; then
+          IFS=', ' read -r -a tags_array <<< "$ADDITIONAL_TAGS_FROM_IMAGE_LABEL"
+
+          IMAGE_WITHOUT_TAG=$(echo "$IMAGE" | sed 's/:[^:]*$//')
+          for tag in "${tags_array[@]}"
+          do
+              echo "Applying tag $tag"
+              skopeo copy --multi-arch index-only docker://"$IMAGE" docker://"$IMAGE_WITHOUT_TAG:$tag"
+          done
+        else
+          echo "No additional tags specified in the image labels"
+        fi
+  volumes:
+  - name: trusted-ca
+    configMap:
+      name: $(params.CA_TRUST_CONFIG_MAP_NAME)
+      items:
+        - key: $(params.CA_TRUST_CONFIG_MAP_KEY)
+          path: ca-bundle.crt
+      optional: true
diff --git a/pac/tasks/buildah-rhtap.yaml b/pac/tasks/buildah-rhtap.yaml
@@ -65,7 +65,7 @@ spec:
       value: $(params.BUILD_ARGS_FILE)
   steps:
   - name: build
-    image: registry.access.redhat.com/ubi9/buildah@sha256:c62b2318eb4709c216ad25969abae5ff6b56e9879d266b539a46fdfc99e8361e
+    image: registry.access.redhat.com/ubi9/buildah@sha256:27d837f9bc69ad3c3651cf3315e2501b137c11baa553d9d46140e5cf7fa7873a
     args:
       - $(params.BUILD_ARGS[*])
     script: |
@@ -103,6 +103,13 @@ spec:
         --digestfile /tmp/files/image-digest $IMAGE \
         docker://$IMAGE
 
+      # Push the image to a unique tag to avoid race conditions
+      buildah push \
+        --tls-verify="$TLSVERIFY" \
+        --retry=5 \
+        --digestfile /tmp/files/image-digest "$IMAGE" \
+        "docker://${IMAGE%:*}:$(context.taskRun.name)"
+
       # Set task results
       buildah images --format '{{ .Name }}:{{ .Tag }}@{{ .Digest }}' | grep -v $IMAGE > $(results.BASE_IMAGES_DIGESTS.path)
       cat /tmp/files/image-digest | tee $(results.IMAGE_DIGEST.path)
@@ -137,7 +144,7 @@ spec:
       name: tmpfiles
 
   - name: merge-sboms
-    image: registry.access.redhat.com/ubi8/python-311@sha256:ec2f4c89e18373c75a72f5b47da4d3ee826e8961a9c6a26ba2fd3112f5a41e4a
+    image: registry.access.redhat.com/ubi8/python-311@sha256:552046341bbe2e4a0e89be4401403ccd39293ea53a736db2e5ec695bc6d906aa
     env:
       - name: RESULT_PATH
         value: $(results.SBOM_BLOB_URL.path)

diff --git a/pac/tasks/init.yaml b/pac/tasks/init.yaml
@@ -25,7 +25,7 @@ spec:
 
   steps:
     - name: init
-      image: registry.access.redhat.com/ubi9/skopeo:9.4-14.1728984400@sha256:891ee232a9319ed0f675c318f9605422bde7436328e7faec7dc896a206a78e54
+      image: registry.access.redhat.com/ubi9/skopeo:9.5-1737537999@sha256:b28469b997a6f7ef996859e8d4f4bd25b964084fc2caac23a9c01b8a53adb1d7
       env:
         - name: IMAGE_URL
           value: $(params.image-url)
@@ -41,7 +41,7 @@ spec:
         echo "Determine if Image Already Exists"
         # Build the image when rebuild is set to true or image does not exist
         # The image check comes last to avoid unnecessary, slow API calls
-        if [ "$REBUILD" == "true" ] || [ "$SKIP_CHECKS" == "false" ] || ! skopeo inspect --raw docker://$IMAGE_URL &>/dev/null; then
+        if [ "$REBUILD" == "true" ] || [ "$SKIP_CHECKS" == "false" ] || ! skopeo inspect --no-tags --raw "docker://$IMAGE_URL" &>/dev/null; then
           echo -n "true" > $(results.build.path)
         else
           echo -n "false" > $(results.build.path)