Red Hat Konflux update cac-content-fork
Signed-off-by: red-hat-konflux <konflux@no-reply.konflux-ci.dev>
red-hat-konflux
committed
Dec 16, 2024
1 parent
c96fc14
commit 29fb0ec
Showing
2 changed files
with
1,157 additions
and
0 deletions.
@@ -0,0 +1,580 @@ | ||
apiVersion: tekton.dev/v1 | ||
kind: PipelineRun | ||
metadata: | ||
annotations: | ||
build.appstudio.openshift.io/repo: https://github.com/openshift/cac-content-fork?rev={{revision}} | ||
build.appstudio.redhat.com/commit_sha: '{{revision}}' | ||
build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' | ||
build.appstudio.redhat.com/target_branch: '{{target_branch}}' | ||
pipelinesascode.tekton.dev/max-keep-runs: "3" | ||
pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch | ||
== "master" | ||
creationTimestamp: null | ||
labels: | ||
appstudio.openshift.io/application: compliance-operator | ||
appstudio.openshift.io/component: cac-content-fork | ||
pipelines.appstudio.openshift.io/type: build | ||
name: cac-content-fork-on-pull-request | ||
namespace: ocp-isc-tenant | ||
spec: | ||
params: | ||
- name: git-url | ||
value: '{{source_url}}' | ||
- name: revision | ||
value: '{{revision}}' | ||
- name: output-image | ||
value: quay.io/redhat-user-workloads/ocp-isc-tenant/cac-content-fork:on-pr-{{revision}} | ||
- name: image-expires-after | ||
value: 5d | ||
- name: dockerfile | ||
value: Dockerfiles/compliance-operator-content-konflux.Containerfile | ||
pipelineSpec: | ||
description: | | ||
This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. | ||
_Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. | ||
This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ | ||
finally: | ||
- name: show-sbom | ||
params: | ||
- name: IMAGE_URL | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
taskRef: | ||
params: | ||
- name: name | ||
value: show-sbom | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
params: | ||
- description: Source Repository URL | ||
name: git-url | ||
type: string | ||
- default: "" | ||
description: Revision of the Source Repository | ||
name: revision | ||
type: string | ||
- description: Fully Qualified Output Image | ||
name: output-image | ||
type: string | ||
- default: . | ||
description: Path to the source code of an application's component from where | ||
to build image. | ||
name: path-context | ||
type: string | ||
- default: Dockerfile | ||
description: Path to the Dockerfile inside the context specified by parameter | ||
path-context | ||
name: dockerfile | ||
type: string | ||
- default: "false" | ||
description: Force rebuild image | ||
name: rebuild | ||
type: string | ||
- default: "false" | ||
description: Skip checks against built image | ||
name: skip-checks | ||
type: string | ||
- default: "false" | ||
description: Execute the build with network isolation | ||
name: hermetic | ||
type: string | ||
- default: "" | ||
description: Build dependencies to be prefetched by Cachi2 | ||
name: prefetch-input | ||
type: string | ||
- default: "" | ||
description: Image tag expiration time, time values could be something like | ||
1h, 2d, 3w for hours, days, and weeks, respectively. | ||
name: image-expires-after | ||
- default: "false" | ||
description: Build a source image. | ||
name: build-source-image | ||
type: string | ||
- default: "false" | ||
description: Add built image into an OCI image index | ||
name: build-image-index | ||
type: string | ||
- default: [] | ||
description: Array of --build-arg values ("arg=value" strings) for buildah | ||
name: build-args | ||
type: array | ||
- default: "" | ||
description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file | ||
name: build-args-file | ||
type: string | ||
results: | ||
- description: "" | ||
name: IMAGE_URL | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- description: "" | ||
name: IMAGE_DIGEST | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
- description: "" | ||
name: CHAINS-GIT_URL | ||
value: $(tasks.clone-repository.results.url) | ||
- description: "" | ||
name: CHAINS-GIT_COMMIT | ||
value: $(tasks.clone-repository.results.commit) | ||
tasks: | ||
- name: init | ||
params: | ||
- name: image-url | ||
value: $(params.output-image) | ||
- name: rebuild | ||
value: $(params.rebuild) | ||
- name: skip-checks | ||
value: $(params.skip-checks) | ||
taskRef: | ||
params: | ||
- name: name | ||
value: init | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:60063fefe88e111d129cb59caff97c912722927c8a0f750253553d4c527a2396 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
- name: clone-repository | ||
params: | ||
- name: url | ||
value: $(params.git-url) | ||
- name: revision | ||
value: $(params.revision) | ||
- name: ociStorage | ||
value: $(params.output-image).git | ||
- name: ociArtifactExpiresAfter | ||
value: $(params.image-expires-after) | ||
runAfter: | ||
- init | ||
taskRef: | ||
params: | ||
- name: name | ||
value: git-clone-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:8ab0c7a7ac4a4c59740a24304e17cc64fe8745376d19396c4660fc0e1a957a1b | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(tasks.init.results.build) | ||
operator: in | ||
values: | ||
- "true" | ||
workspaces: | ||
- name: basic-auth | ||
workspace: git-auth | ||
- name: prefetch-dependencies | ||
params: | ||
- name: input | ||
value: $(params.prefetch-input) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) | ||
- name: ociStorage | ||
value: $(params.output-image).prefetch | ||
- name: ociArtifactExpiresAfter | ||
value: $(params.image-expires-after) | ||
runAfter: | ||
- clone-repository | ||
taskRef: | ||
params: | ||
- name: name | ||
value: prefetch-dependencies-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:3e51d7c477ba00bd0c7de2d8f89269131646d2582e631b9aee91fb4b022d4555 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
workspaces: | ||
- name: git-basic-auth | ||
workspace: git-auth | ||
- name: netrc | ||
workspace: netrc | ||
- name: build-container | ||
params: | ||
- name: IMAGE | ||
value: $(params.output-image) | ||
- name: DOCKERFILE | ||
value: $(params.dockerfile) | ||
- name: CONTEXT | ||
value: $(params.path-context) | ||
- name: HERMETIC | ||
value: $(params.hermetic) | ||
- name: PREFETCH_INPUT | ||
value: $(params.prefetch-input) | ||
- name: IMAGE_EXPIRES_AFTER | ||
value: $(params.image-expires-after) | ||
- name: COMMIT_SHA | ||
value: $(tasks.clone-repository.results.commit) | ||
- name: BUILD_ARGS | ||
value: | ||
- $(params.build-args[*]) | ||
- name: BUILD_ARGS_FILE | ||
value: $(params.build-args-file) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
- name: CACHI2_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
runAfter: | ||
- prefetch-dependencies | ||
taskRef: | ||
params: | ||
- name: name | ||
value: buildah-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2@sha256:33cc4005cb06a865676d523fa92a0312466c688fc4c98993700e42f2034efc75 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(tasks.init.results.build) | ||
operator: in | ||
values: | ||
- "true" | ||
- name: build-image-index | ||
params: | ||
- name: IMAGE | ||
value: $(params.output-image) | ||
- name: COMMIT_SHA | ||
value: $(tasks.clone-repository.results.commit) | ||
- name: IMAGE_EXPIRES_AFTER | ||
value: $(params.image-expires-after) | ||
- name: ALWAYS_BUILD_INDEX | ||
value: $(params.build-image-index) | ||
- name: IMAGES | ||
value: | ||
- $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) | ||
runAfter: | ||
- build-container | ||
taskRef: | ||
params: | ||
- name: name | ||
value: build-image-index | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:37328a4b2fc686435531ba423c26c2051822a4e70b06088c4d8eaf0e8fa6d65b | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(tasks.init.results.build) | ||
operator: in | ||
values: | ||
- "true" | ||
- name: build-source-image | ||
params: | ||
- name: BINARY_IMAGE | ||
value: $(params.output-image) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
- name: CACHI2_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: source-build-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:26278e5373a726594975a9ec2f177a67e3674bbf905d7d317b9ea60ca7993978 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(tasks.init.results.build) | ||
operator: in | ||
values: | ||
- "true" | ||
- input: $(params.build-source-image) | ||
operator: in | ||
values: | ||
- "true" | ||
- name: deprecated-base-image-check | ||
params: | ||
- name: IMAGE_URL | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- name: IMAGE_DIGEST | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: deprecated-image-check | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:f8efb0b22692fad908a1a75f8d5c0b6ed3b0bcd2a9853577e7be275e5bac1bb8 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- name: clair-scan | ||
params: | ||
- name: image-digest | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: clair-scan | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:e428b37d253621365ffb24d4053e5f3141988ae6a30fce1c8ba73b7211396eb0 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- name: ecosystem-cert-preflight-checks | ||
params: | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: ecosystem-cert-preflight-checks | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:df8a25a3431a70544172ed4844f9d0c6229d39130633960729f825a031a7dea9 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- name: sast-snyk-check | ||
params: | ||
- name: image-digest | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
- name: CACHI2_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: sast-snyk-check-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:6d232347739a0366dcfc4e40afbcb5d1937dd3fea8952afb1bd6a4b0c5d1c1f5 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- name: clamav-scan | ||
params: | ||
- name: image-digest | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: clamav-scan | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:d78221853f7ff2befc6669dd0eeb91e6611ae84ac7754150ea0f071d92ff41cb | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- name: sast-coverity-check | ||
params: | ||
- name: image-digest | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
- name: CACHI2_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
runAfter: | ||
- coverity-availability-check | ||
taskRef: | ||
params: | ||
- name: name | ||
value: sast-coverity-check-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.1@sha256:a2a504ffd550e8029034fd737e237e194c13e1b593c8e37402218408e5d632df | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- input: $(tasks.coverity-availability-check.results.STATUS) | ||
operator: in | ||
values: | ||
- success | ||
- name: coverity-availability-check | ||
params: | ||
- name: image-digest | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
- name: CACHI2_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: coverity-availability-check-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check-oci-ta:0.1@sha256:c6c04c3b7ab71c039fe5958559f3d0bf30cb56239ee3be6a7806a71912660da4 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- name: sast-shell-check | ||
params: | ||
- name: image-digest | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
- name: CACHI2_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: sast-shell-check-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:ac6a35e4143a68f841e363da3f21f2123de9f3acf76596f79ecb60c501eed408 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- name: sast-unicode-check | ||
params: | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
- name: CACHI2_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: sast-shell-check-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:ac6a35e4143a68f841e363da3f21f2123de9f3acf76596f79ecb60c501eed408 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- name: apply-tags | ||
params: | ||
- name: IMAGE | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: apply-tags | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:0767c115d4ba4854d106c9cdfabdc1f1298bc2742a3fea4fefbac4b9c5873d6e | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
- name: push-dockerfile | ||
params: | ||
- name: IMAGE | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- name: IMAGE_DIGEST | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
- name: DOCKERFILE | ||
value: $(params.dockerfile) | ||
- name: CONTEXT | ||
value: $(params.path-context) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: push-dockerfile-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:08ef41d6a98608bd5f1de75d77f015f520911a278d1875e174b88b9d04db2441 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
- name: rpms-signature-scan | ||
params: | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- name: image-digest | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: rpms-signature-scan | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:ec536e55a039052823ba74e07db3175554fb046649671d1fefd776ca064d00ac | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
workspaces: | ||
- name: git-auth | ||
optional: true | ||
- name: netrc | ||
optional: true | ||
taskRunTemplate: {} | ||
workspaces: | ||
- name: git-auth | ||
secret: | ||
secretName: '{{ git_auth_secret }}' | ||
status: {} |
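Review bot: The `sast-unicode-check` task near the end of the first file never runs a unicode check: its taskRef `name` is `sast-shell-check-oci-ta` and its `bundle` is `quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:ac6a35…`, byte-identical to the preceding `sast-shell-check` task, so the pipeline executes the shell check twice and the bidi/homoglyph check that the task name promises (and that reviewers and EC results will assume ran) is silently missing. Change the `name` value to the unicode-check task — following the catalog's naming scheme that would be `value: sast-unicode-check-oci-ta` — and point `bundle` at that task's own catalog image pinned by digest, taking the exact reference from the Konflux catalog rather than copying the shell-check digest. Separately, `hermetic` is left at its `"false"` default and `prefetch-input` is empty, so `build-container` can reach the network during the build; for a compliance-content image it is worth confirming whether `Dockerfiles/compliance-operator-content-konflux.Containerfile` fetches anything at build time and, if so, setting `hermetic: "true"` with a `prefetch-input` so the trusted-artifact claim in the pipeline description actually covers the build inputs. The same task definition presumably appears in the on-push file too, but that section is cut off here.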
@@ -0,0 +1,577 @@ | ||
apiVersion: tekton.dev/v1 | ||
kind: PipelineRun | ||
metadata: | ||
annotations: | ||
build.appstudio.openshift.io/repo: https://github.com/openshift/cac-content-fork?rev={{revision}} | ||
build.appstudio.redhat.com/commit_sha: '{{revision}}' | ||
build.appstudio.redhat.com/target_branch: '{{target_branch}}' | ||
pipelinesascode.tekton.dev/max-keep-runs: "3" | ||
pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch | ||
== "master" | ||
creationTimestamp: null | ||
labels: | ||
appstudio.openshift.io/application: compliance-operator | ||
appstudio.openshift.io/component: cac-content-fork | ||
pipelines.appstudio.openshift.io/type: build | ||
name: cac-content-fork-on-push | ||
namespace: ocp-isc-tenant | ||
spec: | ||
params: | ||
- name: git-url | ||
value: '{{source_url}}' | ||
- name: revision | ||
value: '{{revision}}' | ||
- name: output-image | ||
value: quay.io/redhat-user-workloads/ocp-isc-tenant/cac-content-fork:{{revision}} | ||
- name: dockerfile | ||
value: Dockerfiles/compliance-operator-content-konflux.Containerfile | ||
pipelineSpec: | ||
description: | | ||
This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. | ||
_Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. | ||
This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ | ||
finally: | ||
- name: show-sbom | ||
params: | ||
- name: IMAGE_URL | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
taskRef: | ||
params: | ||
- name: name | ||
value: show-sbom | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
params: | ||
- description: Source Repository URL | ||
name: git-url | ||
type: string | ||
- default: "" | ||
description: Revision of the Source Repository | ||
name: revision | ||
type: string | ||
- description: Fully Qualified Output Image | ||
name: output-image | ||
type: string | ||
- default: . | ||
description: Path to the source code of an application's component from where | ||
to build image. | ||
name: path-context | ||
type: string | ||
- default: Dockerfile | ||
description: Path to the Dockerfile inside the context specified by parameter | ||
path-context | ||
name: dockerfile | ||
type: string | ||
- default: "false" | ||
description: Force rebuild image | ||
name: rebuild | ||
type: string | ||
- default: "false" | ||
description: Skip checks against built image | ||
name: skip-checks | ||
type: string | ||
- default: "false" | ||
description: Execute the build with network isolation | ||
name: hermetic | ||
type: string | ||
- default: "" | ||
description: Build dependencies to be prefetched by Cachi2 | ||
name: prefetch-input | ||
type: string | ||
- default: "" | ||
description: Image tag expiration time, time values could be something like | ||
1h, 2d, 3w for hours, days, and weeks, respectively. | ||
name: image-expires-after | ||
- default: "false" | ||
description: Build a source image. | ||
name: build-source-image | ||
type: string | ||
- default: "false" | ||
description: Add built image into an OCI image index | ||
name: build-image-index | ||
type: string | ||
- default: [] | ||
description: Array of --build-arg values ("arg=value" strings) for buildah | ||
name: build-args | ||
type: array | ||
- default: "" | ||
description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file | ||
name: build-args-file | ||
type: string | ||
results: | ||
- description: "" | ||
name: IMAGE_URL | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- description: "" | ||
name: IMAGE_DIGEST | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
- description: "" | ||
name: CHAINS-GIT_URL | ||
value: $(tasks.clone-repository.results.url) | ||
- description: "" | ||
name: CHAINS-GIT_COMMIT | ||
value: $(tasks.clone-repository.results.commit) | ||
tasks: | ||
- name: init | ||
params: | ||
- name: image-url | ||
value: $(params.output-image) | ||
- name: rebuild | ||
value: $(params.rebuild) | ||
- name: skip-checks | ||
value: $(params.skip-checks) | ||
taskRef: | ||
params: | ||
- name: name | ||
value: init | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:60063fefe88e111d129cb59caff97c912722927c8a0f750253553d4c527a2396 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
- name: clone-repository | ||
params: | ||
- name: url | ||
value: $(params.git-url) | ||
- name: revision | ||
value: $(params.revision) | ||
- name: ociStorage | ||
value: $(params.output-image).git | ||
- name: ociArtifactExpiresAfter | ||
value: $(params.image-expires-after) | ||
runAfter: | ||
- init | ||
taskRef: | ||
params: | ||
- name: name | ||
value: git-clone-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:8ab0c7a7ac4a4c59740a24304e17cc64fe8745376d19396c4660fc0e1a957a1b | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(tasks.init.results.build) | ||
operator: in | ||
values: | ||
- "true" | ||
workspaces: | ||
- name: basic-auth | ||
workspace: git-auth | ||
- name: prefetch-dependencies | ||
params: | ||
- name: input | ||
value: $(params.prefetch-input) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) | ||
- name: ociStorage | ||
value: $(params.output-image).prefetch | ||
- name: ociArtifactExpiresAfter | ||
value: $(params.image-expires-after) | ||
runAfter: | ||
- clone-repository | ||
taskRef: | ||
params: | ||
- name: name | ||
value: prefetch-dependencies-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:3e51d7c477ba00bd0c7de2d8f89269131646d2582e631b9aee91fb4b022d4555 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
workspaces: | ||
- name: git-basic-auth | ||
workspace: git-auth | ||
- name: netrc | ||
workspace: netrc | ||
- name: build-container | ||
params: | ||
- name: IMAGE | ||
value: $(params.output-image) | ||
- name: DOCKERFILE | ||
value: $(params.dockerfile) | ||
- name: CONTEXT | ||
value: $(params.path-context) | ||
- name: HERMETIC | ||
value: $(params.hermetic) | ||
- name: PREFETCH_INPUT | ||
value: $(params.prefetch-input) | ||
- name: IMAGE_EXPIRES_AFTER | ||
value: $(params.image-expires-after) | ||
- name: COMMIT_SHA | ||
value: $(tasks.clone-repository.results.commit) | ||
- name: BUILD_ARGS | ||
value: | ||
- $(params.build-args[*]) | ||
- name: BUILD_ARGS_FILE | ||
value: $(params.build-args-file) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
- name: CACHI2_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
runAfter: | ||
- prefetch-dependencies | ||
taskRef: | ||
params: | ||
- name: name | ||
value: buildah-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.2@sha256:33cc4005cb06a865676d523fa92a0312466c688fc4c98993700e42f2034efc75 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(tasks.init.results.build) | ||
operator: in | ||
values: | ||
- "true" | ||
- name: build-image-index | ||
params: | ||
- name: IMAGE | ||
value: $(params.output-image) | ||
- name: COMMIT_SHA | ||
value: $(tasks.clone-repository.results.commit) | ||
- name: IMAGE_EXPIRES_AFTER | ||
value: $(params.image-expires-after) | ||
- name: ALWAYS_BUILD_INDEX | ||
value: $(params.build-image-index) | ||
- name: IMAGES | ||
value: | ||
- $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) | ||
runAfter: | ||
- build-container | ||
taskRef: | ||
params: | ||
- name: name | ||
value: build-image-index | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:37328a4b2fc686435531ba423c26c2051822a4e70b06088c4d8eaf0e8fa6d65b | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(tasks.init.results.build) | ||
operator: in | ||
values: | ||
- "true" | ||
- name: build-source-image | ||
params: | ||
- name: BINARY_IMAGE | ||
value: $(params.output-image) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
- name: CACHI2_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: source-build-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:26278e5373a726594975a9ec2f177a67e3674bbf905d7d317b9ea60ca7993978 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(tasks.init.results.build) | ||
operator: in | ||
values: | ||
- "true" | ||
- input: $(params.build-source-image) | ||
operator: in | ||
values: | ||
- "true" | ||
- name: deprecated-base-image-check | ||
params: | ||
- name: IMAGE_URL | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- name: IMAGE_DIGEST | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: deprecated-image-check | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:f8efb0b22692fad908a1a75f8d5c0b6ed3b0bcd2a9853577e7be275e5bac1bb8 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- name: clair-scan | ||
params: | ||
- name: image-digest | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: clair-scan | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:e428b37d253621365ffb24d4053e5f3141988ae6a30fce1c8ba73b7211396eb0 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- name: ecosystem-cert-preflight-checks | ||
params: | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: ecosystem-cert-preflight-checks | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:df8a25a3431a70544172ed4844f9d0c6229d39130633960729f825a031a7dea9 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- name: sast-snyk-check | ||
params: | ||
- name: image-digest | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
- name: CACHI2_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: sast-snyk-check-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:6d232347739a0366dcfc4e40afbcb5d1937dd3fea8952afb1bd6a4b0c5d1c1f5 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- name: clamav-scan | ||
params: | ||
- name: image-digest | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: clamav-scan | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:d78221853f7ff2befc6669dd0eeb91e6611ae84ac7754150ea0f071d92ff41cb | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- name: sast-coverity-check | ||
params: | ||
- name: image-digest | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
- name: CACHI2_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
runAfter: | ||
- coverity-availability-check | ||
taskRef: | ||
params: | ||
- name: name | ||
value: sast-coverity-check-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.1@sha256:a2a504ffd550e8029034fd737e237e194c13e1b593c8e37402218408e5d632df | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- input: $(tasks.coverity-availability-check.results.STATUS) | ||
operator: in | ||
values: | ||
- success | ||
- name: coverity-availability-check | ||
params: | ||
- name: image-digest | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
- name: CACHI2_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: coverity-availability-check-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check-oci-ta:0.1@sha256:c6c04c3b7ab71c039fe5958559f3d0bf30cb56239ee3be6a7806a71912660da4 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- name: sast-shell-check | ||
params: | ||
- name: image-digest | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
- name: CACHI2_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: sast-shell-check-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:ac6a35e4143a68f841e363da3f21f2123de9f3acf76596f79ecb60c501eed408 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- name: sast-unicode-check | ||
params: | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
- name: CACHI2_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: sast-shell-check-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:ac6a35e4143a68f841e363da3f21f2123de9f3acf76596f79ecb60c501eed408 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
- name: apply-tags | ||
params: | ||
- name: IMAGE | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: apply-tags | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:0767c115d4ba4854d106c9cdfabdc1f1298bc2742a3fea4fefbac4b9c5873d6e | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
- name: push-dockerfile | ||
params: | ||
- name: IMAGE | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- name: IMAGE_DIGEST | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
- name: DOCKERFILE | ||
value: $(params.dockerfile) | ||
- name: CONTEXT | ||
value: $(params.path-context) | ||
- name: SOURCE_ARTIFACT | ||
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: push-dockerfile-oci-ta | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:08ef41d6a98608bd5f1de75d77f015f520911a278d1875e174b88b9d04db2441 | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
- name: rpms-signature-scan | ||
params: | ||
- name: image-url | ||
value: $(tasks.build-image-index.results.IMAGE_URL) | ||
- name: image-digest | ||
value: $(tasks.build-image-index.results.IMAGE_DIGEST) | ||
runAfter: | ||
- build-image-index | ||
taskRef: | ||
params: | ||
- name: name | ||
value: rpms-signature-scan | ||
- name: bundle | ||
value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:ec536e55a039052823ba74e07db3175554fb046649671d1fefd776ca064d00ac | ||
- name: kind | ||
value: task | ||
resolver: bundles | ||
when: | ||
- input: $(params.skip-checks) | ||
operator: in | ||
values: | ||
- "false" | ||
workspaces: | ||
- name: git-auth | ||
optional: true | ||
- name: netrc | ||
optional: true | ||
taskRunTemplate: {} | ||
workspaces: | ||
- name: git-auth | ||
secret: | ||
secretName: '{{ git_auth_secret }}' | ||
status: {} |