ci: modify Konflux pipelines

.tekton/bundle-build-pipeline.yaml

@@ -0,0 +1,397 @@
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+  name: bundle-build-pipeline
+spec:
+  tasks:
+    - name: init
+      taskRef:
+        resolver: bundles
+        params:
+          - name: name
+            value: init
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:f239f38bba3a8351c8cb0980fde8e2ee477ded7200178b0f45175e4006ff1dca
+          - name: kind
+            value: task
+      params:
+        - name: image-url
+          value: "$(params.output-image)"
+        - name: rebuild
+          value: "$(params.rebuild)"
+        - name: skip-checks
+          value: "$(params.skip-checks)"
+    - name: clone-repository
+      taskRef:
+        resolver: bundles
+        params:
+          - name: name
+            value: git-clone-oci-ta
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:d1e63ec00bed1c9f0f571fa76b4da570be49a7c255c610544a461495230ba1b1
+          - name: kind
+            value: task
+      when:
+        - input: "$(tasks.init.results.build)"
+          operator: in
+          values:
+            - 'true'
+      runAfter:
+        - init
+      params:
+        - name: url
+          value: "$(params.git-url)"
+        - name: revision
+          value: "$(params.revision)"
+        - name: ociStorage
+          value: "$(params.output-image).git"
+        - name: ociArtifactExpiresAfter
+          value: "$(params.image-expires-after)"
+      workspaces:
+        - name: basic-auth
+          workspace: git-auth
+    - name: prefetch-dependencies
+      taskRef:
+        resolver: bundles
+        params:
+          - name: name
+            value: prefetch-dependencies-oci-ta
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:3c11f5de6a0281bf93857f0c85bbbdfeda4cc118337da273fef0c138bda5eebb
+          - name: kind
+            value: task
+      params:
+        - name: input
+          value: "$(params.prefetch-input)"
+        - name: hermetic
+          value: "$(params.hermetic)"
+        - name: dev-package-managers
+          value: $(params.prefetch-dev-package-managers-enabled)
+        - name: SOURCE_ARTIFACT
+          value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+        - name: ociStorage
+          value: $(params.output-image).prefetch
+        - name: ociArtifactExpiresAfter
+          value: $(params.image-expires-after)
+    - name: build-container
+      taskRef:
+        resolver: bundles
+        params:
+          - name: name
+            value: buildah-oci-ta
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2@sha256:8e83e9406fb7f9b89b4a425bbecc3022de85b5501fca03c58330a32c9ba36b33
+          - name: kind
+            value: task
+      runAfter:
+        - clone-repository
+      when:
+        - input: "$(tasks.init.results.build)"
+          operator: in
+          values:
+            - 'true'
+      params:
+        - name: IMAGE
+          value: "$(params.output-image)"
+        - name: DOCKERFILE
+          value: "$(params.dockerfile)"
+        - name: CONTEXT
+          value: "$(params.path-context)"
+        - name: HERMETIC
+          value: "$(params.hermetic)"
+        - name: PREFETCH_INPUT
+          value: "$(params.prefetch-input)"
+        - name: IMAGE_EXPIRES_AFTER
+          value: "$(params.image-expires-after)"
+        - name: COMMIT_SHA
+          value: "$(tasks.clone-repository.results.commit)"
+        - name: SOURCE_ARTIFACT
+          value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+        - name: CACHI2_ARTIFACT
+          value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+    - name: build-source-image
+      taskRef:
+        resolver: bundles
+        params:
+          - name: name
+            value: source-build-oci-ta
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:178298b5c8bbc2f8fa91ef94aca57a5a2dcb3834c71c8835bae51a20fe30e4e7
+          - name: kind
+            value: task
+      when:
+        - input: "$(tasks.init.results.build)"
+          operator: in
+          values:
+            - 'true'
+        - input: "$(params.build-source-image)"
+          operator: in
+          values:
+            - 'true'
+      runAfter:
+        - build-container
+      params:
+        - name: BINARY_IMAGE
+          value: "$(params.output-image)"
+        - name: SOURCE_ARTIFACT
+          value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+        - name: CACHI2_ARTIFACT
+          value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+    - name: deprecated-base-image-check
+      taskRef:
+        resolver: bundles
+        params:
+          - name: name
+            value: deprecated-image-check
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:443ffa897ee35e416a0bfd39721c68cbf88cfa5c74c843c5183218d0cd586e82
+          - name: kind
+            value: task
+      when:
+        - input: "$(params.skip-checks)"
+          operator: in
+          values:
+            - 'false'
+      runAfter:
+        - build-container
+      params:
+        - name: IMAGE_URL
+          value: $(tasks.build-container.results.IMAGE_URL)
+        - name: IMAGE_DIGEST
+          value: $(tasks.build-container.results.IMAGE_DIGEST)
+    - name: clair-scan
+      taskRef:
+        resolver: bundles
+        params:
+          - name: name
+            value: clair-scan
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:90e371fe7ec2288259a906bc1fd49c53b8b97a0b0b02da0893fb65e3be2a5801
+          - name: kind
+            value: task
+      when:
+        - input: "$(params.skip-checks)"
+          operator: in
+          values:
+            - 'false'
+      runAfter:
+        - build-container
+      params:
+        - name: image-digest
+          value: "$(tasks.build-container.results.IMAGE_DIGEST)"
+        - name: image-url
+          value: "$(tasks.build-container.results.IMAGE_URL)"
+    - name: ecosystem-cert-preflight-checks
+      taskRef:
+        resolver: bundles
+        params:
+          - name: name
+            value: ecosystem-cert-preflight-checks
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:5131cce0f93d0b728c7bcc0d6cee4c61d4c9f67c6d619c627e41e3c9775b497d
+          - name: kind
+            value: task
+      when:
+        - input: "$(params.skip-checks)"
+          operator: in
+          values:
+            - 'false'
+      runAfter:
+        - build-container
+      params:
+        - name: image-url
+          value: "$(tasks.build-container.results.IMAGE_URL)"
+    - name: sast-snyk-check
+      taskRef:
+        resolver: bundles
+        params:
+          - name: name
+            value: sast-snyk-check-oci-ta
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.2@sha256:dcab261bc2c287ce8b4ef02407afea5a54b79f78590ecda947494c05d39a3c15
+          - name: kind
+            value: task
+      when:
+        - input: "$(params.skip-checks)"
+          operator: in
+          values:
+            - 'false'
+      runAfter:
+        - build-container
+      params:
+        - name: SOURCE_ARTIFACT
+          value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+        - name: image-digest
+          value: "$(tasks.build-container.results.IMAGE_DIGEST)"
+        - name: image-url
+          value: "$(tasks.build-container.results.IMAGE_URL)"
+    - name: clamav-scan
+      taskRef:
+        resolver: bundles
+        params:
+          - name: name
+            value: clamav-scan
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.1@sha256:1981b5aa330a4d59f59d760e54a36ebd596948abf6a36e45e103d4fd82ecbcf3
+          - name: kind
+            value: task
+      when:
+        - input: "$(params.skip-checks)"
+          operator: in
+          values:
+            - 'false'
+      runAfter:
+        - build-container
+      params:
+        - name: image-digest
+          value: "$(tasks.build-container.results.IMAGE_DIGEST)"
+        - name: image-url
+          value: "$(tasks.build-container.results.IMAGE_URL)"
+    - name: sbom-json-check
+      taskRef:
+        resolver: bundles
+        params:
+          - name: name
+            value: sbom-json-check
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-sbom-json-check:0.2@sha256:468b5615993bb6d75df3d66180df5eb8728bbef59efe509eb5ac89b7ac582f16
+          - name: kind
+            value: task
+      when:
+        - input: "$(params.skip-checks)"
+          operator: in
+          values:
+            - 'false'
+      runAfter:
+        - build-container
+      params:
+        - name: IMAGE_URL
+          value: "$(tasks.build-container.results.IMAGE_URL)"
+        - name: IMAGE_DIGEST
+          value: "$(tasks.build-container.results.IMAGE_DIGEST)"
+    - name: rpms-signature-scan
+      params:
+        - name: image-url
+          value: $(tasks.build-container.results.IMAGE_URL)
+        - name: image-digest
+          value: $(tasks.build-container.results.IMAGE_DIGEST)
+      runAfter:
+        - build-container
+      taskRef:
+        params:
+          - name: name
+            value: rpms-signature-scan
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:0c9667fba291af05997397a32e5e938ccaa46e93a2e14bad228e64a6427c5545
+          - name: kind
+            value: task
+        resolver: bundles
+      when:
+        - input: $(params.skip-checks)
+          operator: in
+          values:
+            - "false"
+  params:
+    - name: git-url
+      type: string
+      description: Source Repository URL
+    - name: revision
+      type: string
+      description: Revision of the Source Repository
+      default: ''
+    - name: output-image
+      type: string
+      description: Fully Qualified Output Image
+    - name: path-context
+      type: string
+      description: Path to the source code of an application's component from where to
+        build image.
+      default: "."
+    - name: dockerfile
+      type: string
+      description: Path to the Dockerfile inside the context specified by parameter path-context
+      default: Dockerfile
+    - name: rebuild
+      type: string
+      description: Force rebuild image
+      default: 'false'
+    - default: "false"
+      description: Skip checks against built image
+      name: skip-checks
+      type: string
+    - default: "false"
+      description: Execute the build with network isolation
+      name: hermetic
+      type: string
+    - default: ''
+      description: Build dependencies to be prefetched by Cachi2
+      name: prefetch-input
+      type: string
+    - default: "false"
+      description: Enable dev-package-managers in prefetch task
+      name: prefetch-dev-package-managers-enabled
+      type: string
+    - name: java
+      type: string
+      description: Java build
+      default: 'false'
+    - name: image-expires-after
+      description: Image tag expiration time, time values could be something like 1h,
+        2d, 3w for hours, days, and weeks, respectively.
+      default: ''
+    - name: build-source-image
+      type: string
+      description: Build a source image.
+      default: 'false'
+  workspaces:
+    - name: git-auth
+      optional: true
+  results:
+    - name: IMAGE_URL
+      description: ''
+      value: "$(tasks.build-container.results.IMAGE_URL)"
+    - name: IMAGE_DIGEST
+      description: ''
+      value: "$(tasks.build-container.results.IMAGE_DIGEST)"
+    - name: CHAINS-GIT_URL
+      description: ''
+      value: "$(tasks.clone-repository.results.url)"
+    - name: CHAINS-GIT_COMMIT
+      description: ''
+      value: "$(tasks.clone-repository.results.commit)"
+    - name: JAVA_COMMUNITY_DEPENDENCIES
+      description: ''
+      value: "$(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES)"
+  finally:
+    - name: show-sbom
+      taskRef:
+        resolver: bundles
+        params:
+          - name: name
+            value: show-sbom
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:9bfc6b99ef038800fe131d7b45ff3cd4da3a415dd536f7c657b3527b01c4a13b
+          - name: kind
+            value: task
+      params:
+        - name: IMAGE_URL
+          value: "$(tasks.build-container.results.IMAGE_URL)"
+    - name: show-summary
+      taskRef:
+        resolver: bundles
+        params:
+          - name: name
+            value: summary
+          - name: bundle
+            value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:d97c04ab42f277b1103eb6f3a053b247849f4f5b3237ea302a8ecada3b24e15b
+          - name: kind
+            value: task
+      params:
+        - name: pipelinerun-name
+          value: "$(context.pipelineRun.name)"
+        - name: git-url
+          value: "$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)"
+        - name: image-url
+          value: "$(params.output-image)"
+        - name: build-task-status
+          value: "$(tasks.build-container.status)"