110 changes: 50 additions & 60 deletions .tekton/cli-v06-pull-request.yaml
Expand Up @@ -29,39 +29,12 @@ spec:
value: 5d
- name: dockerfile
value: Dockerfile.dist
- name: path-context
value: .
- name: prefetch-input
value: '[{"type": "gomod"}, {"type": "gomod", "path": "tools/kubectl"}, {"type":
"rpm"}]'
- name: build-source-image
value: "true"
- name: build-args-file
value: quick-build-args.conf
- name: hermetic
value: "true"
- name: enable-cache-proxy
value: "true"
pipelineSpec:
description: |
This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization.

_Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/policy/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks.
_Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks.
This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_
finally:
- name: show-sbom
params:
- name: IMAGE_URL
value: $(tasks.build-image-index.results.IMAGE_URL)
taskRef:
params:
- name: name
value: show-sbom
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:a7346ed61237db4f82ff782e0c9e8b30536e0e67b907ad600341a6d192e80012
- name: kind
value: task
resolver: bundles
params:
- description: Source Repository URL
name: git-url
Expand All @@ -83,10 +56,6 @@ spec:
path-context
name: dockerfile
type: string
- default: "false"
description: Force rebuild image
name: rebuild
type: string
- default: "false"
description: Skip checks against built image
name: skip-checks
Expand All @@ -96,7 +65,7 @@ spec:
name: hermetic
type: string
- default: ""
description: Build dependencies to be prefetched by Cachi2
description: Build dependencies to be prefetched
name: prefetch-input
type: string
- default: ""
Expand All @@ -112,6 +81,22 @@ spec:
description: Add built image into an OCI image index
name: build-image-index
type: string
- default: docker
description: The format for the resulting image's mediaType. Valid values are
oci or docker.
name: buildah-format
type: string
- default: "false"
description: Enable cache proxy configuration
name: enable-cache-proxy
- default: "true"
description: Use the package registry proxy when prefetching dependencies
name: enable-package-registry-proxy
- default: .
description: Target directories in component's source code to scan with SAST
tools. Multiple values should be separated with commas.
name: sast-target-dirs
type: string
- default: []
description: Array of --build-arg values ("arg=value" strings) for buildah
name: build-args
Expand All @@ -125,10 +110,6 @@ spec:
VMs
name: privileged-nested
type: string
- default: "true"
description: Enable cache proxy
name: enable-cache-proxy
type: string
results:
- description: ""
name: IMAGE_URL
Expand All @@ -144,12 +125,15 @@ spec:
value: $(tasks.clone-repository.results.commit)
tasks:
- name: init
params:
- name: enable-cache-proxy
value: $(params.enable-cache-proxy)
taskRef:
params:
- name: name
value: init
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:b797dd453ddad669365de6de4649e3a9e37e77aa26eb9862ca079a36cbfe64a4
value: quay.io/konflux-ci/tekton-catalog/task-init:0.4@sha256:5a423246792ac501ea279229b42ee57da9927da441c04b5c9ff86817b0856b08
- name: kind
value: task
resolver: bundles
Expand All @@ -163,10 +147,6 @@ spec:
value: $(params.output-image).git
- name: ociArtifactExpiresAfter
value: $(params.image-expires-after)
- name: depth
value: "0"
- name: fetchTags
value: "true"
runAfter:
- init
taskRef:
Expand All @@ -185,22 +165,22 @@ spec:
params:
- name: input
value: $(params.prefetch-input)
- name: enable-package-registry-proxy
value: $(params.enable-package-registry-proxy)
- name: SOURCE_ARTIFACT
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: ociStorage
value: $(params.output-image).prefetch
- name: ociArtifactExpiresAfter
value: $(params.image-expires-after)
- name: dev-package-managers
value: "true"
runAfter:
- clone-repository
taskRef:
params:
- name: name
value: prefetch-dependencies-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:4736b695b658a0b304a122dc53836bb22484ff28f7fe112cc44d3c12566b5220
value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.3@sha256:a2efbcdcecfa5293a622eb356a18f5c88e5714046b214fe8730b43b1a7dbb77d
- name: kind
value: task
resolver: bundles
Expand Down Expand Up @@ -232,12 +212,18 @@ spec:
value: $(params.build-args-file)
- name: PRIVILEGED_NESTED
value: $(params.privileged-nested)
- name: SOURCE_URL
value: $(tasks.clone-repository.results.url)
- name: BUILDAH_FORMAT
value: $(params.buildah-format)
- name: HTTP_PROXY
value: $(tasks.init.results.http-proxy)
- name: NO_PROXY
value: $(tasks.init.results.no-proxy)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
- name: ENABLE_CACHE_PROXY
value: $(params.enable-cache-proxy)
runAfter:
- prefetch-dependencies
taskRef:
Expand All @@ -253,32 +239,30 @@ spec:
params:
- name: IMAGE
value: $(params.output-image)
- name: COMMIT_SHA
value: $(tasks.clone-repository.results.commit)
- name: IMAGE_EXPIRES_AFTER
value: $(params.image-expires-after)
- name: ALWAYS_BUILD_INDEX
value: $(params.build-image-index)
- name: IMAGES
value:
- $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST)
- name: BUILDAH_FORMAT
value: $(params.buildah-format)
runAfter:
- build-container
taskRef:
params:
- name: name
value: build-image-index
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.2@sha256:020a1b4126cc6b7c7a919c2b549b94e6b7b826aaaa0d0f2e67d1980df967e498
value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.3@sha256:550afde50349e22ec11191ea0db9a49395ab46fef4e8317d820b6e946677ebeb
- name: kind
value: task
resolver: bundles
- name: build-source-image
params:
- name: BINARY_IMAGE
value: "$(tasks.build-image-index.results.IMAGE_URL)"
value: $(tasks.build-image-index.results.IMAGE_URL)
- name: BINARY_IMAGE_DIGEST
value: "$(tasks.build-image-index.results.IMAGE_DIGEST)"
value: $(tasks.build-image-index.results.IMAGE_DIGEST)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
Expand Down Expand Up @@ -312,7 +296,7 @@ spec:
- name: name
value: deprecated-image-check
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:5ff16b7e6b4a8aa1adb352e74b9f831f77ff97bafd1b89ddb0038d63335f1a67
value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:3457a4ca93f8d55f14ebd407532b1223c689eacc34f0abb3003db4111667bdae
- name: kind
value: task
resolver: bundles
Expand All @@ -334,7 +318,7 @@ spec:
- name: name
value: clair-scan
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:3a39bc7c528ea8c5ec636859bd017de54d29b6ac0b49beaa7410f87e4ef2a1f1
value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609
- name: kind
value: task
resolver: bundles
Expand All @@ -354,7 +338,7 @@ spec:
- name: name
value: ecosystem-cert-preflight-checks
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:2468c01818fbaad2235e4fca438f28e847260e3e354cf5a441bbd671684af2db
value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:01f29882054e5ee2441e6e6852f2fbdb9ebe1fbfdf6701ea147421dfe6b158d7
- name: kind
value: task
resolver: bundles
Expand All @@ -369,6 +353,8 @@ spec:
value: $(tasks.build-image-index.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-image-index.results.IMAGE_URL)
- name: TARGET_DIRS
value: $(params.sast-target-dirs)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
Expand Down Expand Up @@ -402,7 +388,7 @@ spec:
- name: name
value: clamav-scan
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:b318e8721de5e5e64572e09be414c2c951e7cdb4aaf3f0691ab3e02a9f8bfef3
value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a
- name: kind
value: task
resolver: bundles
Expand All @@ -417,6 +403,8 @@ spec:
value: $(tasks.build-image-index.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-image-index.results.IMAGE_URL)
- name: TARGET_DIRS
value: $(params.sast-target-dirs)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
Expand All @@ -443,6 +431,8 @@ spec:
value: $(tasks.build-image-index.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-image-index.results.IMAGE_URL)
- name: TARGET_DIRS
value: $(params.sast-target-dirs)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
Expand All @@ -454,7 +444,7 @@ spec:
- name: name
value: sast-unicode-check-oci-ta
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.2@sha256:5a93fe7f1f3990167d87cb3f30bc13293e02cf5a6da88f46cf0368b3328c2d56
value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:90efa582de7770d55102b74014a765cd16a25a56f2cf644b56a788c70c4dc749
- name: kind
value: task
resolver: bundles
Expand Down Expand Up @@ -516,7 +506,7 @@ spec:
- name: name
value: rpms-signature-scan
- name: bundle
value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:2f3015ac7a642ea7f104d2194a8cb45921570f9539c6604ddcb5f62796f22a53
value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:d4e3499ad4af6869470233bef6faaa1bdd69ef56276841eeec93ce6e62deeb93
- name: kind
value: task
resolver: bundles
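Review bot: The `enable-cache-proxy` pipeline param now defaults to `"false"` (`- default: "false"` above `name: enable-cache-proxy` in the `-112,6 +81,22` hunk) where the definition it replaces in the `-125,10 +110,6` hunk defaulted to `"true"`, and the first hunk also drops the PipelineRun's explicit `enable-cache-proxy: "true"`, so the proxy that `build-container` now reads via `$(tasks.init.results.http-proxy)` and `$(tasks.init.results.no-proxy)` is effectively off for this run unless that flip is intended; a one-line comment above the param such as `# cache proxy is opt-in for pull-request builds; set enable-cache-proxy: "true" on the PipelineRun to enable it` would save the next reader the same trace. That new param and `enable-package-registry-proxy` also omit `type: string` while every sibling param declares it; Tekton treats a missing type as string, but for consistency add `type: string` under each of those two `name:` lines. The first hunk further removes `hermetic: "true"` and `prefetch-input` from the PipelineRun params, so with the spec default `prefetch-input: ""` nothing is prefetched in this pull-request build, and because the `hermetic` default sits outside the visible hunk it cannot be confirmed from here whether the PR build is now non-hermetic — worth stating explicitly in the PR description so the divergence from the push build is deliberate rather than incidental. Lastly, `task-rpms-signature-scan` moves from the `konflux-ci/konflux-vanguard` repository to `konflux-ci/tekton-catalog` with the digest pin retained, which is the right shape; the remaining hunks are digest/version bumps and need no change.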