From e9e4eedd4319097f4bd09ca1f37a821b8b2db730 Mon Sep 17 00:00:00 2001
From: konflux-internal-p02
Date: Thu, 12 Dec 2024 09:59:15 +0000
Subject: [PATCH] Konflux Internal p02 update odh-modelmesh-v2-17
Signed-off-by: konflux-internal-p02
---
.tekton/odh-modelmesh-v2-17-pull-request.yaml | 609 ++++++++++++++++++
.tekton/odh-modelmesh-v2-17-push.yaml | 295 +++++----
2 files changed, 781 insertions(+), 123 deletions(-)
create mode 100644 .tekton/odh-modelmesh-v2-17-pull-request.yaml
diff --git a/.tekton/odh-modelmesh-v2-17-pull-request.yaml b/.tekton/odh-modelmesh-v2-17-pull-request.yaml
new file mode 100644
index 00000000..554db526
--- /dev/null
+++ b/.tekton/odh-modelmesh-v2-17-pull-request.yaml
@@ -0,0 +1,609 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/red-hat-data-services/modelmesh?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
+ == "rhoai-2.17"
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: rhoai-v2-17
+ appstudio.openshift.io/component: odh-modelmesh-v2-17
+ pipelines.appstudio.openshift.io/type: build
+ name: odh-modelmesh-v2-17-on-pull-request
+ namespace: rhoai-tenant
+spec:
+ params:
+ - name: git-url
+ value: '{{source_url}}'
+ - name: revision
+ value: '{{revision}}'
+ - name: output-image
+ value: quay.io/redhat-user-workloads/rhoai-tenant/odh-modelmesh-v2-17:on-pr-{{revision}}
+ - name: image-expires-after
+ value: 5d
+ - name: dockerfile
+ value: Dockerfile.konflux
+ - name: path-context
+ value: .
+ pipelineSpec:
+ description: |
+ This pipeline is ideal for building container images from a Containerfile while reducing network traffic.
+
+ _Uses `buildah` to create a container image. It also optionally creates a source image and runs some build-time tests. EC will flag a violation for [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) if any tasks are added to the pipeline.
+ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build?tab=tags)_
+ finally:
+ - name: show-sbom
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ taskRef:
+ params:
+ - name: name
+ value: show-sbom
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0
+ - name: kind
+ value: task
+ resolver: bundles
+ - name: show-summary
+ params:
+ - name: pipelinerun-name
+ value: $(context.pipelineRun.name)
+ - name: git-url
+ value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)
+ - name: image-url
+ value: $(params.output-image)
+ - name: build-task-status
+ value: $(tasks.build-image-index.status)
+ taskRef:
+ params:
+ - name: name
+ value: summary
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:870d9a04d9784840a90b7bf6817cd0d0c4edfcda04b1ba1868cae625a3c3bfcc
+ - name: kind
+ value: task
+ resolver: bundles
+ workspaces:
+ - name: workspace
+ workspace: workspace
+ params:
+ - description: Source Repository URL
+ name: git-url
+ type: string
+ - default: ""
+ description: Revision of the Source Repository
+ name: revision
+ type: string
+ - description: Fully Qualified Output Image
+ name: output-image
+ type: string
+ - default: .
+ description: Path to the source code of an application's component from where
+ to build image.
+ name: path-context
+ type: string
+ - default: Dockerfile
+ description: Path to the Dockerfile inside the context specified by parameter
+ path-context
+ name: dockerfile
+ type: string
+ - default: "false"
+ description: Force rebuild image
+ name: rebuild
+ type: string
+ - default: "false"
+ description: Skip checks against built image
+ name: skip-checks
+ type: string
+ - default: "false"
+ description: Execute the build with network isolation
+ name: hermetic
+ type: string
+ - default: ""
+ description: Build dependencies to be prefetched by Cachi2
+ name: prefetch-input
+ type: string
+ - default: ""
+ description: Image tag expiration time, time values could be something like
+ 1h, 2d, 3w for hours, days, and weeks, respectively.
+ name: image-expires-after
+ - default: "false"
+ description: Build a source image.
+ name: build-source-image
+ type: string
+ - default: "false"
+ description: Add built image into an OCI image index
+ name: build-image-index
+ type: string
+ - default: []
+ description: Array of --build-arg values ("arg=value" strings) for buildah
+ name: build-args
+ type: array
+ - default: ""
+ description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file
+ name: build-args-file
+ type: string
+ results:
+ - description: ""
+ name: IMAGE_URL
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ - description: ""
+ name: IMAGE_DIGEST
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+ - description: ""
+ name: CHAINS-GIT_URL
+ value: $(tasks.clone-repository.results.url)
+ - description: ""
+ name: CHAINS-GIT_COMMIT
+ value: $(tasks.clone-repository.results.commit)
+ tasks:
+ - name: init
+ params:
+ - name: image-url
+ value: $(params.output-image)
+ - name: rebuild
+ value: $(params.rebuild)
+ - name: skip-checks
+ value: $(params.skip-checks)
+ taskRef:
+ params:
+ - name: name
+ value: init
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:60063fefe88e111d129cb59caff97c912722927c8a0f750253553d4c527a2396
+ - name: kind
+ value: task
+ resolver: bundles
+ - name: clone-repository
+ params:
+ - name: url
+ value: $(params.git-url)
+ - name: revision
+ value: $(params.revision)
+ runAfter:
+ - init
+ taskRef:
+ params:
+ - name: name
+ value: git-clone
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:d091a9e19567a4cbdc5acd57903c71ba71dc51d749a4ba7477e689608851e981
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values:
+ - "true"
+ workspaces:
+ - name: output
+ workspace: workspace
+ - name: basic-auth
+ workspace: git-auth
+ - name: prefetch-dependencies
+ params:
+ - name: input
+ value: $(params.prefetch-input)
+ runAfter:
+ - clone-repository
+ taskRef:
+ params:
+ - name: name
+ value: prefetch-dependencies
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.1@sha256:53fc6d82b06534878e509f3e37f05b818f38fba01729dd1fbee6f97a9562c1ed
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.prefetch-input)
+ operator: notin
+ values:
+ - ""
+ workspaces:
+ - name: source
+ workspace: workspace
+ - name: git-basic-auth
+ workspace: git-auth
+ - name: netrc
+ workspace: netrc
+ - name: build-container
+ params:
+ - name: IMAGE
+ value: $(params.output-image)
+ - name: DOCKERFILE
+ value: $(params.dockerfile)
+ - name: CONTEXT
+ value: $(params.path-context)
+ - name: HERMETIC
+ value: $(params.hermetic)
+ - name: PREFETCH_INPUT
+ value: $(params.prefetch-input)
+ - name: IMAGE_EXPIRES_AFTER
+ value: $(params.image-expires-after)
+ - name: COMMIT_SHA
+ value: $(tasks.clone-repository.results.commit)
+ - name: BUILD_ARGS
+ value:
+ - $(params.build-args[*])
+ - name: BUILD_ARGS_FILE
+ value: $(params.build-args-file)
+ runAfter:
+ - prefetch-dependencies
+ taskRef:
+ params:
+ - name: name
+ value: buildah
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:ae8dcd146ac80f5b3f9fece916b5125417fc7db1b37ec176068f9cd0801cebfb
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values:
+ - "true"
+ workspaces:
+ - name: source
+ workspace: workspace
+ - name: build-image-index
+ params:
+ - name: IMAGE
+ value: $(params.output-image)
+ - name: COMMIT_SHA
+ value: $(tasks.clone-repository.results.commit)
+ - name: IMAGE_EXPIRES_AFTER
+ value: $(params.image-expires-after)
+ - name: ALWAYS_BUILD_INDEX
+ value: $(params.build-image-index)
+ - name: IMAGES
+ value:
+ - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: build-image-index
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:37328a4b2fc686435531ba423c26c2051822a4e70b06088c4d8eaf0e8fa6d65b
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values:
+ - "true"
+ - name: build-source-image
+ params:
+ - name: BINARY_IMAGE
+ value: $(params.output-image)
+ runAfter:
+ - build-image-index
+ taskRef:
+ params:
+ - name: name
+ value: source-build
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-source-build:0.1@sha256:bacd55a3caa34a30bcf51c00f3f719cb3f783e325257f04c27a91f688cbe9644
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values:
+ - "true"
+ - input: $(params.build-source-image)
+ operator: in
+ values:
+ - "true"
+ workspaces:
+ - name: workspace
+ workspace: workspace
+ - name: deprecated-base-image-check
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+ runAfter:
+ - build-image-index
+ taskRef:
+ params:
+ - name: name
+ value: deprecated-image-check
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:5a1a165fa02270f0a947d8a2131ee9d8be0b8e9d34123828c2bef589e504ee84
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: clair-scan
+ params:
+ - name: image-digest
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ runAfter:
+ - build-image-index
+ taskRef:
+ params:
+ - name: name
+ value: clair-scan
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:0a5421111e7092740398691d5bd7c125cc0896f29531d19414bb5724ae41692a
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: ecosystem-cert-preflight-checks
+ params:
+ - name: image-url
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ runAfter:
+ - build-image-index
+ taskRef:
+ params:
+ - name: name
+ value: ecosystem-cert-preflight-checks
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:df8a25a3431a70544172ed4844f9d0c6229d39130633960729f825a031a7dea9
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: sast-snyk-check
+ params:
+ - name: image-digest
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ runAfter:
+ - build-image-index
+ taskRef:
+ params:
+ - name: name
+ value: sast-snyk-check
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.3@sha256:0d2db16b8f8eabdfedbaa6ecaffd93aa6fd5ad4e8c7c1c1aa5d49cf010c7a87f
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ workspaces:
+ - name: workspace
+ workspace: workspace
+ - name: clamav-scan
+ params:
+ - name: image-digest
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ runAfter:
+ - build-image-index
+ taskRef:
+ params:
+ - name: name
+ value: clamav-scan
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:6e08cf608240f57442ca5458f3c0dade3558f4f2953be8ea939232f5d5378d58
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - name: sast-coverity-check
+ params:
+ - name: image-digest
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ runAfter:
+ - coverity-availability-check
+ taskRef:
+ params:
+ - name: name
+ value: sast-coverity-check
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check:0.1@sha256:6d0bead975a9e9ce9dac98edb0a3c3908dbae3882df2775fc8760c6bb4f41f8c
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ - input: $(tasks.coverity-availability-check.results.STATUS)
+ operator: in
+ values:
+ - success
+ workspaces:
+ - name: workspace
+ workspace: workspace
+ - name: coverity-availability-check
+ params:
+ - name: image-digest
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ runAfter:
+ - build-image-index
+ taskRef:
+ params:
+ - name: name
+ value: coverity-availability-check
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.1@sha256:c24a1c5c2e1e9e13027d9f35c27c4757fb317877a0b86e9d23928dc4ec49921d
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ workspaces:
+ - name: workspace
+ workspace: workspace
+ - name: sast-shell-check
+ params:
+ - name: image-digest
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ runAfter:
+ - build-image-index
+ taskRef:
+ params:
+ - name: name
+ value: sast-shell-check
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:2de060c734b4a0c804525f6ff57d4a5e4a380b7e1475676582282563202f8014
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ workspaces:
+ - name: workspace
+ workspace: workspace
+ - name: sast-unicode-check
+ params:
+ - name: image-url
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ runAfter:
+ - build-image-index
+ taskRef:
+ params:
+ - name: name
+ value: sast-unicode-check
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.1@sha256:f2fb1a902f1a33119e89333fd326d406ba595f384a80987ca51ad46777e22b25
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ workspaces:
+ - name: workspace
+ workspace: workspace
+ - name: apply-tags
+ params:
+ - name: IMAGE
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ runAfter:
+ - build-image-index
+ taskRef:
+ params:
+ - name: name
+ value: apply-tags
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:0767c115d4ba4854d106c9cdfabdc1f1298bc2742a3fea4fefbac4b9c5873d6e
+ - name: kind
+ value: task
+ resolver: bundles
+ - name: push-dockerfile
+ params:
+ - name: IMAGE
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+ - name: DOCKERFILE
+ value: $(params.dockerfile)
+ - name: CONTEXT
+ value: $(params.path-context)
+ runAfter:
+ - build-image-index
+ taskRef:
+ params:
+ - name: name
+ value: push-dockerfile
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.1@sha256:48bb2ee92ea528b28c0814c9cc126021e499a081b69431987a774561e9ac8047
+ - name: kind
+ value: task
+ resolver: bundles
+ workspaces:
+ - name: workspace
+ workspace: workspace
+ - name: rpms-signature-scan
+ params:
+ - name: image-url
+ value: $(tasks.build-image-index.results.IMAGE_URL)
+ - name: image-digest
+ value: $(tasks.build-image-index.results.IMAGE_DIGEST)
+ runAfter:
+ - build-image-index
+ taskRef:
+ params:
+ - name: name
+ value: rpms-signature-scan
+ - name: bundle
+ value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:71c220bdc11e6308c79693d134f8799de02929549fec523ccc4f0cff1e314e14
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - "false"
+ workspaces:
+ - name: workspace
+ - name: git-auth
+ optional: true
+ - name: netrc
+ optional: true
+ taskRunTemplate: {}
+ workspaces:
+ - name: workspace
+ volumeClaimTemplate:
+ metadata:
+ creationTimestamp: null
+ spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ status: {}
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+status: {}
diff --git a/.tekton/odh-modelmesh-v2-17-push.yaml b/.tekton/odh-modelmesh-v2-17-push.yaml
index 8cc546f0..7ba1b82f 100644
--- a/.tekton/odh-modelmesh-v2-17-push.yaml
+++ b/.tekton/odh-modelmesh-v2-17-push.yaml
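Review bot: Neither pipeline in this commit builds hermetically: in `.tekton/odh-modelmesh-v2-17-pull-request.yaml`, `spec.params` passes no `hermetic` or `prefetch-input`, so the declared defaults (`"false"` and `""`) apply and the `when` guard (`notin ""`) skips `prefetch-dependencies`. The push pipeline ends up in the same state through hunks `@@ -23,13 +22,11 @@` (the rpm/generic `prefetch-input` entry is removed) and `@@ -101,7 +98,7 @@` (the `hermetic` default flips from `"true"` to `"false"`), so release-branch images are built with network access instead of from prefetched inputs. If that is not intended, keep the removed `prefetch-input` entry and set `- name: hermetic` with `value: "true"` in `spec.params` of both files. The `dev-package-managers` parameter dropped from `prefetch-dependencies` in `@@ -231,33 +180,33 @@` may also be needed for the generic type; that cannot be confirmed from this diff.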
@@ -1,15 +1,14 @@ apiVersion: tekton.dev/v1 kind: PipelineRun -#test2 metadata: annotations: build.appstudio.openshift.io/repo: https://github.com/red-hat-data-services/modelmesh?rev={{revision}} build.appstudio.redhat.com/commit_sha: '{{revision}}' build.appstudio.redhat.com/target_branch: '{{target_branch}}' pipelinesascode.tekton.dev/max-keep-runs: "3" - build.appstudio.openshift.io/build-nudge-files: "build/operator-nudging.yaml" - pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "rhoai-2.17" && "artifacts.lock.yaml".pathChanged() - creationTimestamp: + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch + == "rhoai-2.17" + creationTimestamp: null labels: appstudio.openshift.io/application: rhoai-v2-17 appstudio.openshift.io/component: odh-modelmesh-v2-17 @@ -23,13 +22,11 @@ spec: - name: revision value: '{{revision}}' - name: output-image - value: quay.io/rhoai/odh-modelmesh-rhel8:{{target_branch}} + value: quay.io/redhat-user-workloads/rhoai-tenant/odh-modelmesh-v2-17:{{revision}} - name: dockerfile value: Dockerfile.konflux - name: path-context value: . - - name: prefetch-input - value: [{"path": ".", "type": "rpm"}, {"path": ".", "type": "generic"}] pipelineSpec: description: | This pipeline is ideal for building container images from a Containerfile while reducing network traffic. 
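Review bot: The new `on-cel-expression` in `.tekton/odh-modelmesh-v2-17-push.yaml` drops the `"artifacts.lock.yaml".pathChanged()` condition, so every push to `rhoai-2.17` starts a build rather than only pushes that change the lock file. The same hunk also removes the `build.appstudio.openshift.io/build-nudge-files: "build/operator-nudging.yaml"` annotation. Both read like local customizations overwritten by the generated template rather than deliberate changes, though the diff alone cannot confirm that. If they are still wanted, keep the previous expression `event == "push" && target_branch == "rhoai-2.17" && "artifacts.lock.yaml".pathChanged()` and the annotation line.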
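Review bot: `output-image` now points at `quay.io/redhat-user-workloads/rhoai-tenant/odh-modelmesh-v2-17:{{revision}}` instead of `quay.io/rhoai/odh-modelmesh-rhel8:{{target_branch}}`, so push builds stop updating the branch tag in the `quay.io/rhoai` repository. Anything that pulls that branch tag would keep running the last image built before this commit and would not receive later fixes. Whether such consumers exist is not visible in this diff, so that should be confirmed before merging. A short comment above the parameter, for example `# tenant workload repo; release images are promoted from here`, would record the intent if the move is deliberate.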
@@ -50,28 +47,28 @@ spec: - name: kind value: task resolver: bundles - - name: send-slack-notification + - name: show-summary params: - - name: message - value: "$(tasks.rhoai-init.results.slack-message-failure-text)" - - name: secret-name - value: rhoai-konflux-secret - - name: key-name - value: slack-webhook + - name: pipelinerun-name + value: $(context.pipelineRun.name) + - name: git-url + value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) + - name: image-url + value: $(params.output-image) + - name: build-task-status + value: $(tasks.build-image-index.status) taskRef: params: - name: name - value: slack-webhook-notification + value: summary - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-slack-webhook-notification:0.1@sha256:dc17b70633363d78414b8c06dc1660d25742935f106a6116995638e1210c2730 + value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:870d9a04d9784840a90b7bf6817cd0d0c4edfcda04b1ba1868cae625a3c3bfcc - name: kind value: task resolver: bundles - when: - - input: $(tasks.status) - operator: in - values: - - "Failed" + workspaces: + - name: workspace + workspace: workspace params: - description: Source Repository URL name: git-url @@ -101,7 +98,7 @@ spec: description: Skip checks against built image name: skip-checks type: string - - default: "true" + - default: "false" description: Execute the build with network isolation name: hermetic type: string @@ -113,7 +110,7 @@ spec: description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after - - default: "true" + - default: "false" description: Build a source image. name: build-source-image type: string 
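Review bot: The `finally` block loses `send-slack-notification`, and its replacement `show-summary` takes only the run name, git URL, image URL and build status as inputs, so it presumably reports inside the PipelineRun only. Together with the deletion of `rhoai-init` in hunk `@@ -146,45 +140,6 @@`, a failed push build on `rhoai-2.17` then no longer raises an alert outside the pipeline. If failure alerts are still required for this branch, keep the `send-slack-notification` entry next to `show-summary` and keep the `rhoai-init` task that produces its message.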
@@ -129,9 +126,6 @@ spec: description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file name: build-args-file type: string - - default: "v2.16.1" - name: version - type: string results: - description: "" name: IMAGE_URL @@ -146,45 +140,6 @@ spec: name: CHAINS-GIT_COMMIT value: $(tasks.clone-repository.results.commit) tasks: - - name: rhoai-init - params: - - name: pipelinerun-name - value: "$(context.pipelineRun.name)" - taskSpec: - results: - - description: Notification text to be posted to slack - name: slack-message-failure-text - steps: - - image: quay.io/rhoai-konflux/alpine:latest - name: rhoai-init - env: - - name: slack_message - valueFrom: - secretKeyRef: - name: rhoai-konflux-secret - key: slack-component-failure-notification - script: | - pipelinerun_name=$(params.pipelinerun-name) - target_branch={{target_branch}} - echo "pipelinerun-name = $pipelinerun_name" - - application_name=${target_branch/rhoai-/} - application_name=rhoai-v${application_name/./-} - echo "application-name = $application_name" - - component_name=${pipelinerun_name/-on-*/} - echo "component-name = $component_name" - - KONFLUX_SERVER="https://konflux.apps.stone-prod-p02.hjvn.p1.openshiftapps.com" - build_url="${KONFLUX_SERVER}/application-pipeline/workspaces/rhoai/applications/${application_name}/pipelineruns/${pipelinerun_name}/logs" - - build_time="$(date +%Y-%m-%dT%H:%M:%S)" - - slack_message=${slack_message/__BUILD__URL__/$build_url} - slack_message=${slack_message/__PIPELINERUN__NAME__/$pipelinerun_name} - slack_message=${slack_message/__BUILD__TIME__/$build_time} - - echo -en "${slack_message}" > "$(results.slack-message-failure-text.path)" - name: init params: - name: image-url 
@@ -198,30 +153,24 @@ spec: - name: name value: init - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:0523b51c28375a3f222da91690e22eff11888ebc98a0c73c468af44762265c69 + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:60063fefe88e111d129cb59caff97c912722927c8a0f750253553d4c527a2396 - name: kind value: task resolver: bundles - runAfter: - - rhoai-init - name: clone-repository params: - name: url value: $(params.git-url) - name: revision value: $(params.revision) - - name: ociStorage - value: $(params.output-image).git - - name: ociArtifactExpiresAfter - value: $(params.image-expires-after) runAfter: - init taskRef: params: - name: name - value: git-clone-oci-ta + value: git-clone - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:8ab0c7a7ac4a4c59740a24304e17cc64fe8745376d19396c4660fc0e1a957a1b + value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:d091a9e19567a4cbdc5acd57903c71ba71dc51d749a4ba7477e689608851e981 - name: kind value: task resolver: bundles 
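Review bot: `clone-repository` switches from `git-clone-oci-ta` to `git-clone`, and hunks `@@ -231,33 +180,33 @@`, `@@ -281,29 +230,16 @@`, `@@ -345,18 +284,14 @@`, `@@ -439,18 +377,14 @@` and `@@ -509,19 +545,20 @@` make the same swap for prefetch-dependencies, buildah, source-build, sast-snyk-check and push-dockerfile. Source and prefetched dependencies are then handed between tasks through the shared `workspace` volume added in `@@ -545,12 +582,24 @@` instead of the `SOURCE_ARTIFACT` and `CACHI2_ARTIFACT` results, so later tasks no longer consume an artifact named by the producing task's result. If the release policy for this component expects the trusted-artifact tasks, keep the `-oci-ta` variants and refresh only their `sha256` digests.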
@@ -231,33 +180,33 @@ spec: values: - "true" workspaces: + - name: output + workspace: workspace - name: basic-auth workspace: git-auth - - name: prefetch-dependencies params: - name: input value: $(params.prefetch-input) - - name: dev-package-managers - value: "true" - - name: SOURCE_ARTIFACT - value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) - - name: ociStorage - value: $(params.output-image).prefetch - - name: ociArtifactExpiresAfter - value: $(params.image-expires-after) runAfter: - clone-repository taskRef: params: - name: name - value: prefetch-dependencies-oci-ta + value: prefetch-dependencies - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:3e51d7c477ba00bd0c7de2d8f89269131646d2582e631b9aee91fb4b022d4555 + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.1@sha256:53fc6d82b06534878e509f3e37f05b818f38fba01729dd1fbee6f97a9562c1ed - name: kind value: task resolver: bundles + when: + - input: $(params.prefetch-input) + operator: notin + values: + - "" workspaces: + - name: source + workspace: workspace - name: git-basic-auth workspace: git-auth - name: netrc 
@@ -281,29 +230,16 @@ spec: - name: BUILD_ARGS value: - $(params.build-args[*]) - - VERSION=$(params.version) - name: BUILD_ARGS_FILE value: $(params.build-args-file) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - - name: LABELS - value: - - version=$(params.version) - - url=$(params.git-url) - - release=$(tasks.clone-repository.results.commit-timestamp) - - git.url=$(params.git-url) - - git.commit=$(params.revision) - - io.openshift.tags=odh-modelmesh runAfter: - prefetch-dependencies taskRef: params: - name: name - value: buildah-oci-ta + value: buildah - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2@sha256:decef0e000a05daad9dd43b707c8b3a96b6125ff5a4ee096fd3e8c23a2881b9e + value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:ae8dcd146ac80f5b3f9fece916b5125417fc7db1b37ec176068f9cd0801cebfb - name: kind value: task resolver: bundles @@ -312,6 +248,9 @@ spec: operator: in values: - "true" + workspaces: + - name: source + workspace: workspace - name: build-image-index params: - name: IMAGE @@ -332,7 +271,7 @@ spec: - name: name value: build-image-index - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:a89c141c8d35b2e9d9904c92c9b128f7ccf36681adac7f7422b4537b8bb077e7 + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:37328a4b2fc686435531ba423c26c2051822a4e70b06088c4d8eaf0e8fa6d65b - name: kind value: task resolver: bundles 
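Review bot: `build-container` no longer passes `LABELS` or the `VERSION=$(params.version)` build argument, so the image is built without the `version`, `release`, `git.url` and `git.commit` labels that tied it to a source revision. If Dockerfile.konflux reads `VERSION` (not visible in this diff), the build may also fail or produce an unversioned image. Unless the labels are now set elsewhere, keep the `LABELS` list, the `- VERSION=$(params.version)` entry and the `version` parameter removed in `@@ -129,9 +126,6 @@`. The hunk shows only part of the task's parameter list; the task definition starts above it.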
@@ -345,18 +284,14 @@ spec: params: - name: BINARY_IMAGE value: $(params.output-image) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - build-image-index taskRef: params: - name: name - value: source-build-oci-ta + value: source-build - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:26278e5373a726594975a9ec2f177a67e3674bbf905d7d317b9ea60ca7993978 + value: quay.io/konflux-ci/tekton-catalog/task-source-build:0.1@sha256:bacd55a3caa34a30bcf51c00f3f719cb3f783e325257f04c27a91f688cbe9644 - name: kind value: task resolver: bundles @@ -369,6 +304,9 @@ spec: operator: in values: - "true" + workspaces: + - name: workspace + workspace: workspace - name: deprecated-base-image-check params: - name: IMAGE_URL @@ -439,18 +377,14 @@ spec: value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - build-image-index taskRef: params: - name: name - value: sast-snyk-check-oci-ta + value: sast-snyk-check - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:1119722a2d31b831d1aa336fd8cced0a5016c95466b6b59a58bbf3585735850f + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.3@sha256:0d2db16b8f8eabdfedbaa6ecaffd93aa6fd5ad4e8c7c1c1aa5d49cf010c7a87f - name: kind value: task resolver: bundles @@ -459,6 +393,9 @@ spec: operator: in values: - "false" + workspaces: + - name: workspace + workspace: workspace - name: clamav-scan params: - name: image-digest 
@@ -472,7 +409,7 @@ spec: - name: name value: clamav-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.1@sha256:b4f450f1447b166da671f1d5819ab5a1485083e5c27ab91f7d8b7a2ff994c8c2 + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:6e08cf608240f57442ca5458f3c0dade3558f4f2953be8ea939232f5d5378d58 - name: kind value: task resolver: bundles 
@@ -481,13 +418,112 @@ spec: operator: in values: - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check:0.1@sha256:6d0bead975a9e9ce9dac98edb0a3c3908dbae3882df2775fc8760c6bb4f41f8c + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + workspaces: + - name: workspace + workspace: workspace + - name: coverity-availability-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.1@sha256:c24a1c5c2e1e9e13027d9f35c27c4757fb317877a0b86e9d23928dc4ec49921d + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:2de060c734b4a0c804525f6ff57d4a5e4a380b7e1475676582282563202f8014 + - name: kind + value: task + resolver: bundles + when: + - input: 
$(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace + - name: sast-unicode-check + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.1@sha256:f2fb1a902f1a33119e89333fd326d406ba595f384a80987ca51ad46777e22b25 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: workspace + workspace: workspace - name: apply-tags params: - name: IMAGE value: $(tasks.build-image-index.results.IMAGE_URL) - - name: ADDITIONAL_TAGS - value: - - '{{target_branch}}-{{revision}}' runAfter: - build-image-index taskRef: @@ -495,7 +531,7 @@ spec: - name: name value: apply-tags - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:87fd7fc0e937aad1a8db9b6e377d7e444f53394dafde512d68adbea6966a4702 + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:0767c115d4ba4854d106c9cdfabdc1f1298bc2742a3fea4fefbac4b9c5873d6e - name: kind value: task resolver: bundles 
@@ -509,19 +545,20 @@ spec: value: $(params.dockerfile) - name: CONTEXT value: $(params.path-context) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) runAfter: - build-image-index taskRef: params: - name: name - value: push-dockerfile-oci-ta + value: push-dockerfile - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:08ef41d6a98608bd5f1de75d77f015f520911a278d1875e174b88b9d04db2441 + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.1@sha256:48bb2ee92ea528b28c0814c9cc126021e499a081b69431987a774561e9ac8047 - name: kind value: task resolver: bundles + workspaces: + - name: workspace + workspace: workspace - name: rpms-signature-scan params: - name: image-url @@ -535,7 +572,7 @@ spec: - name: name value: rpms-signature-scan - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:8f3b23bf1b0ef55cc79d28604d2397a0101ac9c0c42ae26e26532eb2778c801b + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:71c220bdc11e6308c79693d134f8799de02929549fec523ccc4f0cff1e314e14 - name: kind value: task resolver: bundles @@ -545,12 +582,24 @@ spec: values: - "false" workspaces: + - name: workspace - name: git-auth optional: true - name: netrc optional: true taskRunTemplate: {} workspaces: + - name: workspace + volumeClaimTemplate: + metadata: + creationTimestamp: null + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + status: {} - name: git-auth secret: secretName: '{{ git_auth_secret }}'