From 4cde79ab5eba372f81caee7057c1066d8c38b365 Mon Sep 17 00:00:00 2001 From: JasonPowr Date: Mon, 26 Aug 2024 12:44:49 +0100 Subject: [PATCH] ta_pipelines+adding_unit_tests --- .tekton/fetch-tsa-certs-pull-request.yaml | 119 ++++++++---------- .tekton/fetch-tsa-certs-push.yaml | 119 ++++++++---------- .tekton/timestamp-authority-pull-request.yaml | 110 +++++++--------- .tekton/timestamp-authority-push.yaml | 100 ++++++--------- .tekton/tsa-unit-test.yaml | 48 +++++++ 5 files changed, 238 insertions(+), 258 deletions(-) create mode 100644 .tekton/tsa-unit-test.yaml diff --git a/.tekton/fetch-tsa-certs-pull-request.yaml b/.tekton/fetch-tsa-certs-pull-request.yaml index b8fa95c6..90a4ad8a 100644 --- a/.tekton/fetch-tsa-certs-pull-request.yaml +++ b/.tekton/fetch-tsa-certs-pull-request.yaml @@ -8,6 +8,7 @@ metadata: build.appstudio.redhat.com/target_branch: '{{target_branch}}' pipelinesascode.tekton.dev/max-keep-runs: "3" pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main" && (".tekton/fetch-tsa-certs-pull-request.yaml".pathChanged() || "cmd/fetch-tsa-certs".pathChanged() || "pkg".pathChanged() || "Build.mak".pathChanged() || "Dockerfile.fetch_tsa_certs.rh".pathChanged() || "go.mod".pathChanged() || "go.sum".pathChanged() ) + pipelinesascode.tekton.dev/task: "[.tekton/tsa-unit-test.yaml]" creationTimestamp: null labels: appstudio.openshift.io/application: cli 
@@ -48,28 +49,6 @@ spec: - name: kind value: task resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:d97c04ab42f277b1103eb6f3a053b247849f4f5b3237ea302a8ecada3b24e15b - - name: kind - value: task - resolver: bundles - workspaces: - - name: workspace - workspace: workspace params: - description: Source Repository URL name: git-url @@ -167,14 +146,18 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - init taskRef: params: - name: name - value: git-clone + value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:0bb1be8363557e8e07ec34a3c5daaaaa23c9d533f0bb12f00dc604d00de50814 + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone-oci-ta:0.1@sha256:1178a65926b449c3603f7c0ecbb2d9311c0d7f1443c5164e952e7634a1d10142 - name: kind value: task resolver: bundles 
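Review bot: The `clone-repository` bundle moves from `quay.io/konflux-ci/tekton-catalog/...` to `quay.io/redhat-appstudio-tekton-catalog/task-git-clone-oci-ta`, and the commit message does not say why the catalog organisation changes along with the switch to trusted-artifact tasks. The reference is digest-pinned, so it cannot drift, but it is worth confirming that this organisation is one your release policy accepts as a trusted task source. The same switch is made for the other `-oci-ta` bundles in this file and in the other pipeline files. Separately, `ociStorage: $(params.output-image).git` stores the cloned source as an artifact beside the image, so read access to that image repository presumably exposes the source as well.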
@@ -184,22 +167,28 @@ spec: values: - "true" workspaces: - - name: output - workspace: workspace - name: basic-auth workspace: git-auth - name: prefetch-dependencies params: - name: input value: $(params.prefetch-input) + - name: hermetic + value: ${params.hermetic} + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - clone-repository taskRef: params: - name: name - value: prefetch-dependencies + value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.1@sha256:058a59f72997c9cf1be20978eb6a145d8d4d436c6098f2460bd96766bb363b20 + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:57979e1c289bfe09acb70401f35558a9032e749b398a43fea049c044f9d96afe - name: kind value: task resolver: bundles @@ -209,8 +198,6 @@ spec: values: - "" workspaces: - - name: source - workspace: workspace - name: git-basic-auth workspace: git-auth - name: netrc @@ -236,14 +223,18 @@ spec: - $(params.build-args[*]) - name: BUILD_ARGS_FILE value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - prefetch-dependencies taskRef: params: - name: name - value: buildah + value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:f1aba019735496f9f7a7366b6cef8daa29ac5b36ecfc8a449669d736fb97295a + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-oci-ta:0.1@sha256:4f5c2eb7dfa89ca286b90ed858b9670324d9e025c07fffff57d6de92840f8f1f - name: kind value: task resolver: bundles 
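Review bot: In the `prefetch-dependencies` params the new `hermetic` value is written `${params.hermetic}`, which is not Tekton's variable syntax, so the task would receive that literal string instead of the pipeline parameter. It should read `value: $(params.hermetic)`, matching the `$(params.prefetch-input)` line just above it. How the prefetch task treats an unrecognised value is not visible here, but a hermetic-build setting that silently fails to propagate should be fixed before merge. The same line appears in the matching hunks of `.tekton/fetch-tsa-certs-push.yaml`, `.tekton/timestamp-authority-pull-request.yaml` and `.tekton/timestamp-authority-push.yaml`.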
@@ -252,21 +243,22 @@ spec: operator: in values: - "true" - workspaces: - - name: source - workspace: workspace - name: build-source-image params: - name: BINARY_IMAGE value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - build-container taskRef: params: - name: name - value: source-build + value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build:0.1@sha256:21cb5ebaff7a9216903cf78933dc4ec4dd6283a52636b16590a5f52ceb278269 + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build-oci-ta:0.1@sha256:9ea6c027a7e025a9a18367b2608f69e824a388807ef8d9f33742a8f9ef387045 - name: kind value: task resolver: bundles @@ -279,9 +271,6 @@ spec: operator: in values: - "true" - workspaces: - - name: workspace - workspace: workspace - name: deprecated-base-image-check params: - name: IMAGE_URL @@ -347,19 +336,14 @@ spec: values: - "false" - name: sast-snyk-check - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) runAfter: - build-container taskRef: params: - name: name - value: sast-snyk-check + value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.2@sha256:82c42d27c9c59db6cf6c235e89f7b37f5cdfc75d0d361ca0ee91ae703ba72301 + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check-oci-ta:0.1@sha256:0b217311aceb2c379a4327002b18edce086ced3806576420a543f5e03a710077 - name: kind value: task resolver: bundles 
@@ -368,9 +352,13 @@ spec: operator: in values: - "false" - workspaces: - - name: workspace - workspace: workspace + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: clamav-scan params: - name: image-digest @@ -440,39 +428,36 @@ spec: value: $(params.dockerfile) - name: CONTEXT value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) runAfter: - build-container taskRef: params: - name: name - value: push-dockerfile + value: push-dockerfile-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.1@sha256:92d63edd09636f97961ca18fac14b67935179d2c14b4a4d5f8087c614e8c2bd9 + value: quay.io/redhat-appstudio-tekton-catalog/task-push-dockerfile-oci-ta@sha256:1032dceb2505d0de089ef8185169f6888fb50642ec00933db9f941f41a9f0f43 - name: kind value: task resolver: bundles - workspaces: - - name: workspace - workspace: workspace + - name: run-unit-test + runAfter: + - prefetch-dependencies + taskRef: + name: go-unit-test + params: + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) workspaces: - - name: workspace - name: git-auth optional: true - name: netrc optional: true taskRunTemplate: {} workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - name: git-auth secret: secretName: '{{ git_auth_secret }}' diff --git a/.tekton/fetch-tsa-certs-push.yaml b/.tekton/fetch-tsa-certs-push.yaml index 60764358..9bb208f6 100644 --- a/.tekton/fetch-tsa-certs-push.yaml +++ b/.tekton/fetch-tsa-certs-push.yaml 
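Review bot: The new `run-unit-test` task runs after `prefetch-dependencies`, in parallel with `build-container`, and nothing in the visible hunks makes the build wait for it, so an image can presumably be built and pushed even when the tests fail. If the tests are meant to gate the build, add `- run-unit-test` to the `runAfter` list of `build-container` (that list sits in an earlier hunk). The task is referenced as `taskRef: name: go-unit-test` and resolved from the repository rather than from a digest-pinned bundle like the other tasks shown, which a policy requiring trusted tasks may reject. In the same hunk, the `push-dockerfile-oci-ta` bundle is the only reference written without a version tag before the digest. The `run-unit-test` points also apply to the matching hunks in `.tekton/fetch-tsa-certs-push.yaml` and `.tekton/timestamp-authority-pull-request.yaml`.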
@@ -7,6 +7,7 @@ metadata: build.appstudio.redhat.com/target_branch: '{{target_branch}}' pipelinesascode.tekton.dev/max-keep-runs: "3" pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main" && (".tekton/fetch-tsa-certs-push.yaml".pathChanged() || "cmd/fetch-tsa-certs".pathChanged() || "pkg".pathChanged() || "Build.mak".pathChanged() || "Dockerfile.fetch_tsa_certs.rh".pathChanged() || "go.mod".pathChanged() || "go.sum".pathChanged() ) + pipelinesascode.tekton.dev/task: "[.tekton/tsa-unit-test.yaml]" creationTimestamp: null labels: appstudio.openshift.io/application: cli @@ -45,28 +46,6 @@ spec: - name: kind value: task resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:d97c04ab42f277b1103eb6f3a053b247849f4f5b3237ea302a8ecada3b24e15b - - name: kind - value: task - resolver: bundles - workspaces: - - name: workspace - workspace: workspace params: - description: Source Repository URL name: git-url 
@@ -164,14 +143,18 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - init taskRef: params: - name: name - value: git-clone + value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:0bb1be8363557e8e07ec34a3c5daaaaa23c9d533f0bb12f00dc604d00de50814 + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone-oci-ta:0.1@sha256:1178a65926b449c3603f7c0ecbb2d9311c0d7f1443c5164e952e7634a1d10142 - name: kind value: task resolver: bundles @@ -181,22 +164,28 @@ spec: values: - "true" workspaces: - - name: output - workspace: workspace - name: basic-auth workspace: git-auth - name: prefetch-dependencies params: - name: input value: $(params.prefetch-input) + - name: hermetic + value: ${params.hermetic} + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - clone-repository taskRef: params: - name: name - value: prefetch-dependencies + value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.1@sha256:058a59f72997c9cf1be20978eb6a145d8d4d436c6098f2460bd96766bb363b20 + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:57979e1c289bfe09acb70401f35558a9032e749b398a43fea049c044f9d96afe - name: kind value: task resolver: bundles @@ -206,8 +195,6 @@ spec: values: - "" workspaces: - - name: source - workspace: workspace - name: git-basic-auth workspace: git-auth - name: netrc 
@@ -233,14 +220,18 @@ spec: - $(params.build-args[*]) - name: BUILD_ARGS_FILE value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - prefetch-dependencies taskRef: params: - name: name - value: buildah + value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:f1aba019735496f9f7a7366b6cef8daa29ac5b36ecfc8a449669d736fb97295a + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-oci-ta:0.1@sha256:4f5c2eb7dfa89ca286b90ed858b9670324d9e025c07fffff57d6de92840f8f1f - name: kind value: task resolver: bundles @@ -249,21 +240,22 @@ spec: operator: in values: - "true" - workspaces: - - name: source - workspace: workspace - name: build-source-image params: - name: BINARY_IMAGE value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - build-container taskRef: params: - name: name - value: source-build + value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build:0.1@sha256:21cb5ebaff7a9216903cf78933dc4ec4dd6283a52636b16590a5f52ceb278269 + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build-oci-ta:0.1@sha256:9ea6c027a7e025a9a18367b2608f69e824a388807ef8d9f33742a8f9ef387045 - name: kind value: task resolver: bundles @@ -276,9 +268,6 @@ spec: operator: in values: - "true" - workspaces: - - name: workspace - workspace: workspace - name: deprecated-base-image-check params: - name: IMAGE_URL 
@@ -344,19 +333,14 @@ spec: values: - "false" - name: sast-snyk-check - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) runAfter: - build-container taskRef: params: - name: name - value: sast-snyk-check + value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.2@sha256:82c42d27c9c59db6cf6c235e89f7b37f5cdfc75d0d361ca0ee91ae703ba72301 + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check-oci-ta:0.1@sha256:0b217311aceb2c379a4327002b18edce086ced3806576420a543f5e03a710077 - name: kind value: task resolver: bundles @@ -365,9 +349,13 @@ spec: operator: in values: - "false" - workspaces: - - name: workspace - workspace: workspace + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: clamav-scan params: - name: image-digest 
@@ -437,39 +425,36 @@ spec: value: $(params.dockerfile) - name: CONTEXT value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) runAfter: - build-container taskRef: params: - name: name - value: push-dockerfile + value: push-dockerfile-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.1@sha256:92d63edd09636f97961ca18fac14b67935179d2c14b4a4d5f8087c614e8c2bd9 + value: quay.io/redhat-appstudio-tekton-catalog/task-push-dockerfile-oci-ta@sha256:1032dceb2505d0de089ef8185169f6888fb50642ec00933db9f941f41a9f0f43 - name: kind value: task resolver: bundles - workspaces: - - name: workspace - workspace: workspace + - name: run-unit-test + runAfter: + - prefetch-dependencies + taskRef: + name: go-unit-test + params: + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) workspaces: - - name: workspace - name: git-auth optional: true - name: netrc optional: true taskRunTemplate: {} workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - name: git-auth secret: secretName: '{{ git_auth_secret }}' diff --git a/.tekton/timestamp-authority-pull-request.yaml b/.tekton/timestamp-authority-pull-request.yaml index 4d7ebd30..e18c862e 100644 --- a/.tekton/timestamp-authority-pull-request.yaml +++ b/.tekton/timestamp-authority-pull-request.yaml 
@@ -8,6 +8,7 @@ metadata: build.appstudio.redhat.com/target_branch: '{{target_branch}}' pipelinesascode.tekton.dev/max-keep-runs: "3" pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main" && (".tekton/timestamp-authority-pull-request.yaml".pathChanged() || "cmd/timestamp-server".pathChanged() || "pkg".pathChanged() || "Makefile".pathChanged() || "Dockerfile.tsa.rh".pathChanged() || "go.mod".pathChanged() || "go.sum".pathChanged() ) + pipelinesascode.tekton.dev/task: "[.tekton/tsa-unit-test.yaml]" creationTimestamp: null labels: appstudio.openshift.io/application: timestamp-authority @@ -48,28 +49,6 @@ spec: - name: kind value: task resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:d97c04ab42f277b1103eb6f3a053b247849f4f5b3237ea302a8ecada3b24e15b - - name: kind - value: task - resolver: bundles - workspaces: - - name: workspace - workspace: workspace params: - description: Source Repository URL name: git-url 
@@ -167,14 +146,18 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - init taskRef: params: - name: name - value: git-clone + value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:0bb1be8363557e8e07ec34a3c5daaaaa23c9d533f0bb12f00dc604d00de50814 + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone-oci-ta:0.1@sha256:1178a65926b449c3603f7c0ecbb2d9311c0d7f1443c5164e952e7634a1d10142 - name: kind value: task resolver: bundles @@ -184,22 +167,28 @@ spec: values: - "true" workspaces: - - name: output - workspace: workspace - name: basic-auth workspace: git-auth - name: prefetch-dependencies params: - name: input value: $(params.prefetch-input) + - name: hermetic + value: ${params.hermetic} + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - clone-repository taskRef: params: - name: name - value: prefetch-dependencies + value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.1@sha256:058a59f72997c9cf1be20978eb6a145d8d4d436c6098f2460bd96766bb363b20 + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:57979e1c289bfe09acb70401f35558a9032e749b398a43fea049c044f9d96afe - name: kind value: task resolver: bundles @@ -209,8 +198,6 @@ spec: values: - "" workspaces: - - name: source - workspace: workspace - name: git-basic-auth workspace: git-auth - name: build-container 
@@ -234,14 +221,18 @@ spec: - $(params.build-args[*]) - name: BUILD_ARGS_FILE value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - prefetch-dependencies taskRef: params: - name: name - value: buildah + value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:f1aba019735496f9f7a7366b6cef8daa29ac5b36ecfc8a449669d736fb97295a + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-oci-ta:0.1@sha256:4f5c2eb7dfa89ca286b90ed858b9670324d9e025c07fffff57d6de92840f8f1f - name: kind value: task resolver: bundles @@ -250,21 +241,22 @@ spec: operator: in values: - "true" - workspaces: - - name: source - workspace: workspace - name: build-source-image params: - name: BINARY_IMAGE value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - build-container taskRef: params: - name: name - value: source-build + value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build:0.1@sha256:21cb5ebaff7a9216903cf78933dc4ec4dd6283a52636b16590a5f52ceb278269 + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build-oci-ta:0.1@sha256:9ea6c027a7e025a9a18367b2608f69e824a388807ef8d9f33742a8f9ef387045 - name: kind value: task resolver: bundles @@ -277,9 +269,6 @@ spec: operator: in values: - "true" - workspaces: - - name: workspace - workspace: workspace - name: deprecated-base-image-check params: - name: IMAGE_URL 
@@ -345,19 +334,14 @@ spec: values: - "false" - name: sast-snyk-check - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) runAfter: - build-container taskRef: params: - name: name - value: sast-snyk-check + value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.2@sha256:82c42d27c9c59db6cf6c235e89f7b37f5cdfc75d0d361ca0ee91ae703ba72301 + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check-oci-ta:0.1@sha256:0b217311aceb2c379a4327002b18edce086ced3806576420a543f5e03a710077 - name: kind value: task resolver: bundles @@ -366,9 +350,13 @@ spec: operator: in values: - "false" - workspaces: - - name: workspace - workspace: workspace + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: clamav-scan params: - name: image-digest @@ -428,23 +416,21 @@ spec: - name: kind value: task resolver: bundles + - name: run-unit-test + runAfter: + - prefetch-dependencies + taskRef: + name: go-unit-test + params: + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) workspaces: - - name: workspace - name: git-auth optional: true taskRunTemplate: {} workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - name: git-auth secret: secretName: '{{ git_auth_secret }}' diff --git a/.tekton/timestamp-authority-push.yaml b/.tekton/timestamp-authority-push.yaml index 9f8981b1..6ff84c06 100644 --- a/.tekton/timestamp-authority-push.yaml 
+++ b/.tekton/timestamp-authority-push.yaml @@ -7,6 +7,7 @@ metadata: build.appstudio.redhat.com/target_branch: '{{target_branch}}' pipelinesascode.tekton.dev/max-keep-runs: "3" pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main" && (".tekton/timestamp-authority-push.yaml".pathChanged() || "cmd/timestamp-server".pathChanged() || "pkg".pathChanged() || "Makefile".pathChanged() || "Dockerfile.tsa.rh".pathChanged() || "go.mod".pathChanged() || "go.sum".pathChanged() ) + pipelinesascode.tekton.dev/task: "[.tekton/tsa-unit-test.yaml]" creationTimestamp: null labels: appstudio.openshift.io/application: timestamp-authority @@ -45,28 +46,6 @@ spec: - name: kind value: task resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:d97c04ab42f277b1103eb6f3a053b247849f4f5b3237ea302a8ecada3b24e15b - - name: kind - value: task - resolver: bundles - workspaces: - - name: workspace - workspace: workspace params: - description: Source Repository URL name: git-url 
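Review bot: This file gains the `pipelinesascode.tekton.dev/task: "[.tekton/tsa-unit-test.yaml]"` annotation, but none of its hunks adds a `run-unit-test` task, unlike the other three pipelines. As written, the push pipeline for timestamp-authority would fetch the task definition and never run it, so pushes to `main` are not covered by the unit tests. Either add the same `run-unit-test` entry that `.tekton/timestamp-authority-pull-request.yaml` receives, or drop the annotation here.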
@@ -164,14 +143,18 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - init taskRef: params: - name: name - value: git-clone + value: git-clone-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:0bb1be8363557e8e07ec34a3c5daaaaa23c9d533f0bb12f00dc604d00de50814 + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone-oci-ta:0.1@sha256:1178a65926b449c3603f7c0ecbb2d9311c0d7f1443c5164e952e7634a1d10142 - name: kind value: task resolver: bundles @@ -181,22 +164,28 @@ spec: values: - "true" workspaces: - - name: output - workspace: workspace - name: basic-auth workspace: git-auth - name: prefetch-dependencies params: - name: input value: $(params.prefetch-input) + - name: hermetic + value: ${params.hermetic} + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - clone-repository taskRef: params: - name: name - value: prefetch-dependencies + value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.1@sha256:058a59f72997c9cf1be20978eb6a145d8d4d436c6098f2460bd96766bb363b20 + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:57979e1c289bfe09acb70401f35558a9032e749b398a43fea049c044f9d96afe - name: kind value: task resolver: bundles @@ -206,8 +195,6 @@ spec: values: - "" workspaces: - - name: source - workspace: workspace - name: git-basic-auth workspace: git-auth - name: build-container 
@@ -231,14 +218,18 @@ spec: - $(params.build-args[*]) - name: BUILD_ARGS_FILE value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - prefetch-dependencies taskRef: params: - name: name - value: buildah + value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:f1aba019735496f9f7a7366b6cef8daa29ac5b36ecfc8a449669d736fb97295a + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-oci-ta:0.1@sha256:4f5c2eb7dfa89ca286b90ed858b9670324d9e025c07fffff57d6de92840f8f1f - name: kind value: task resolver: bundles @@ -247,21 +238,22 @@ spec: operator: in values: - "true" - workspaces: - - name: source - workspace: workspace - name: build-source-image params: - name: BINARY_IMAGE value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - build-container taskRef: params: - name: name - value: source-build + value: source-build-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build:0.1@sha256:21cb5ebaff7a9216903cf78933dc4ec4dd6283a52636b16590a5f52ceb278269 + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build-oci-ta:0.1@sha256:9ea6c027a7e025a9a18367b2608f69e824a388807ef8d9f33742a8f9ef387045 - name: kind value: task resolver: bundles @@ -274,9 +266,6 @@ spec: operator: in values: - "true" - workspaces: - - name: workspace - workspace: workspace - name: deprecated-base-image-check params: - name: IMAGE_URL 
@@ -342,19 +331,14 @@ spec: values: - "false" - name: sast-snyk-check - params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) runAfter: - build-container taskRef: params: - name: name - value: sast-snyk-check + value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.2@sha256:82c42d27c9c59db6cf6c235e89f7b37f5cdfc75d0d361ca0ee91ae703ba72301 + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check-oci-ta:0.1@sha256:0b217311aceb2c379a4327002b18edce086ced3806576420a543f5e03a710077 - name: kind value: task resolver: bundles @@ -363,9 +347,13 @@ spec: operator: in values: - "false" - workspaces: - - name: workspace - workspace: workspace + params: + - name: image-digest + value: $(tasks.build-container.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-container.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: clamav-scan params: - name: image-digest @@ -426,22 +414,10 @@ spec: value: task resolver: bundles workspaces: - - name: workspace - name: git-auth optional: true taskRunTemplate: {} workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - name: git-auth secret: secretName: '{{ git_auth_secret }}' diff --git a/.tekton/tsa-unit-test.yaml b/.tekton/tsa-unit-test.yaml new file mode 100644 index 00000000..916f6f09 --- /dev/null +++ b/.tekton/tsa-unit-test.yaml 
@@ -0,0 +1,48 @@ +apiVersion: tekton.dev/v1beta1 +kind: Task +metadata: + name: go-unit-test + annotations: + tekton.dev/title: "Go Unit Test Task" +spec: + params: + - description: The trusted artifact URI containing the application source code. + name: SOURCE_ARTIFACT + type: string + - description: The Trusted Artifact URI pointing to the artifact with the prefetched dependencies. + name: CACHI2_ARTIFACT + type: string + default: "" + stepTemplate: + volumeMounts: + - mountPath: /var/workdir + name: workdir + # This path is hard coded in the cachi2.env file. + - mountPath: /cachi2 + name: cachi2 + securityContext: + # This is needed because the different steps in this Task run with different user IDs. + runAsUser: 0 + steps: + - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d + name: use-trusted-artifact + args: + - use + - $(params.SOURCE_ARTIFACT)=/var/workdir/source + - $(params.CACHI2_ARTIFACT)=/cachi2 + - name: run-tests + image: registry.access.redhat.com/ubi9/go-toolset@sha256:1421b69ee4c6d5631174776dc40654051b5183f149213613d74f61a11afaaa94 + workingDir: /var/workdir/source + script: | + #!/usr/bin/env sh + if [ -f "/cachi2/cachi2.env" ]; then + source "/cachi2/cachi2.env" + fi + CGO_ENABLED=0 go build -trimpath -o bin/timestamp-cli ./cmd/timestamp-cli + CGO_ENABLED=0 go build -trimpath -o bin/timestamp-server ./cmd/timestamp-server + go test ./... + volumes: + - name: workdir + emptyDir: {} + - name: cachi2 + emptyDir: {}
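Review bot: The `run-tests` script has no `set -e`, so a failing `go build` is ignored and the step's result is only that of `go test ./...`; add `set -e` right after the shebang. The shebang asks for `sh` while the script uses `source`, which is not POSIX; `. "/cachi2/cachi2.env"` works in any `sh`. `runAsUser: 0` in `stepTemplate` also applies to `run-tests`, so the repository code under test runs as root. If only `use-trusted-artifact` needs root, consider setting it per step, though whether the go-toolset step could then read the extracted files is not visible here.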