diff --git a/.tekton/docker-build.yaml b/.tekton/docker-build.yaml
index 2ab4fd84d..b8a290723 100755
--- a/.tekton/docker-build.yaml
+++ b/.tekton/docker-build.yaml
@@ -1,7 +1,6 @@
 apiVersion: tekton.dev/v1
 kind: Pipeline
 metadata:
- creationTimestamp:
 labels:
 pipelines.openshift.io/runtime: generic
 pipelines.openshift.io/strategy: docker
@@ -11,29 +10,16 @@ spec: description: | This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization. - _Uses `buildah` to create a multi-platform container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. This pipeline requires that the [multi platform controller](https://github.com/konflux-ci/multi-platform-controller) is deployed and configured on your Konflux instance. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + _Uses `buildah` to create a multi-platform container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. This pipeline requires that the [multi platform controller](https://github.com/konflux-ci/multi-platform-controller) is deployed and configured on your Konflux instance. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. 
This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta?tab=tags)_ - finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-image-index.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:beb0616db051952b4b861dd8c3e00fa1c0eccbd926feddf71194d3bb3ace9ce7 - - name: kind - value: task - resolver: bundles params: - default: - linux/x86_64 - linux/arm64 - linux/ppc64le - linux/s390x - description: List of platforms to build the container images on. The available set of values is determined by the configuration of the multi-platform-controller. + description: List of platforms to build the container images on. The available + set of values is determined by the configuration of the multi-platform-controller. name: build-platforms type: array - default: --all-projects --org=3e1a4cca-ebfb-495f-b64c-3cc960d566b4 --exclude=test*,vendor,third_party @@ -45,7 +31,8 @@ spec: name: build-source-image type: string - default: "false" - description: 'Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk.' + description: 'Enable in-development package managers. WARNING: the behavior may + change at any time without notice. Use at your own risk.' name: prefetch-input-dev-package-managers - default: [] description: Additional image tags 
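Review bot: The `finally` block with the pinned `show-sbom` task is deleted, so this pipeline no longer prints the SBOM of `build-image-index` at the end of a run, and nothing on the new side of the hunk replaces it; if operators used the run log to audit the SBOM, the `description` should say where it is retrieved now (presumably the SBOM the build tasks attach to the image, but that is outside this hunk). The hunk also ends on the removed `--all-projects --org=… --exclude=test*,vendor,third_party` default, so the parameter it belonged to and whatever the Snyk organisation is now read from are not in view; dropping a hard-coded org id from a pipeline default is reasonable, but confirm the SAST task still receives one. The new Conforma link replaces the enterprisecontract.dev one, yet the same sentence still says `EC will pass`; `Conforma (EC) will pass …` keeps the abbreviation understandable.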
@@ -62,17 +49,15 @@ spec: name: output-image type: string - default: . - description: Path to the source code of an application's component from where to build image. + description: Path to the source code of an application's component from where + to build image. name: path-context type: string - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter path-context + description: Path to the Dockerfile inside the context specified by parameter + path-context name: dockerfile type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - default: "false" description: Skip checks against built image name: skip-checks @@ -82,16 +67,26 @@ spec: name: hermetic type: string - default: "" - description: Build dependencies to be prefetched by Cachi2 + description: Build dependencies to be prefetched name: prefetch-input type: string - default: "" - description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. + description: Image tag expiration time, time values could be something like 1h, + 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after + type: string - default: "true" description: Add built image into an OCI image index name: build-image-index type: string + - default: docker + description: The format for the resulting image's mediaType. Valid values are + oci or docker. + name: buildah-format + type: string + - default: "false" + description: Enable cache proxy configuration + name: enable-cache-proxy - default: [] description: Array of --build-arg values ("arg=value" strings) for buildah name: build-args 
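Review bot: The new `enable-cache-proxy` parameter (hunk `@@ -82,16`) declares no `type`, while every sibling parameter — including `image-expires-after`, which this same hunk fixes by adding `type: string` — declares one; Tekton treats an untyped param as a string, so it works, but for consistency add `type: string` after `name: enable-cache-proxy`. `buildah-format` is documented as accepting `oci` or `docker` but nothing in the pipeline constrains the value, so a typo only surfaces once buildah runs; either an `enum` on the param (if the cluster enables that Tekton feature) or a sentence in the description stating that the build task validates it would help. The `prefetch-input` description drops the Cachi2 mention; if the prefetch task is still Cachi2-based the wording no longer tells the caller which input format is expected.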
@@ -101,7 +96,8 @@ spec: name: build-args-file type: string - default: "false" - description: Whether to enable privileged mode, should be used only with remote VMs + description: Whether to enable privileged mode, should be used only with remote + VMs name: privileged-nested type: string results: @@ -195,12 +191,8 @@ spec: resolver: bundles - name: init params: - - name: image-url - value: $(params.output-image) - - name: rebuild - value: $(params.rebuild) - - name: skip-checks - value: $(params.skip-checks) + - name: enable-cache-proxy + value: $(params.enable-cache-proxy) taskRef: params: - name: name @@ -231,11 +223,6 @@ spec: - name: kind value: task resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" workspaces: - name: basic-auth workspace: git-auth @@ -267,6 +254,14 @@ spec: value: $(params.build-args-file) - name: PRIVILEGED_NESTED value: $(params.privileged-nested) + - name: SOURCE_URL + value: $(tasks.clone-repository.results.url) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: HTTP_PROXY + value: $(tasks.init.results.http-proxy) + - name: NO_PROXY + value: $(tasks.init.results.no-proxy) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT @@ -284,11 +279,6 @@ spec: - name: kind value: task resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - name: build-image-index params: - name: IMAGE @@ -302,6 +292,8 @@ spec: - name: IMAGES value: - $(tasks.build-images.results.IMAGE_REF[*]) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) runAfter: - build-images taskRef: 
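Review bot: `build-images` now reads `$(tasks.init.results.http-proxy)` and `$(tasks.init.results.no-proxy)` (hunk `@@ -267,6`) while `init` is only given `enable-cache-proxy` (hunk `@@ -195,12`); Tekton treats a reference to a result the producing task never emitted as a failure of the consuming task, so the pinned `init` bundle — its `bundle` line is outside both hunks — must emit both results, including empty values, when the proxy is disabled, which is worth confirming since `enable-cache-proxy` defaults to `"false"`. These values reach buildah as `HTTP_PROXY`/`NO_PROXY` from a task result rather than a pipeline param, so the proxy a build egresses through is decided by `init` at run time; a comment above `- name: HTTP_PROXY` such as `# populated by init; empty unless enable-cache-proxy is "true"` would make that visible to readers of this file. The `when: $(tasks.init.results.build)` guards dropped here (`@@ -231,11`, `@@ -284,11`) and on the later tasks are consistent with `init` no longer receiving `image-url`/`rebuild`, so every run now builds and pushes unconditionally, matching the removal of the `rebuild` parameter above.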
@@ -313,21 +305,16 @@ spec: - name: kind value: task resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - name: build-source-image params: - name: BINARY_IMAGE value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - - name: BINARY_IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - build-image-index taskRef: @@ -340,10 +327,6 @@ spec: value: task resolver: bundles when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - input: $(params.build-source-image) operator: in values: @@ -370,7 +353,12 @@ spec: operator: in values: - "false" - - name: clair-scan + - matrix: + params: + - name: image-platform + value: + - $(params.build-platforms) + name: clair-scan params: - name: image-digest value: $(tasks.build-image-index.results.IMAGE_DIGEST) @@ -392,7 +380,12 @@ spec: operator: in values: - "false" - - name: ecosystem-cert-preflight-checks + - matrix: + params: + - name: platform + value: + - $(params.build-platforms) + name: ecosystem-cert-preflight-checks params: - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) @@ -412,12 +405,12 @@ spec: operator: in values: - "false" - matrix: + - matrix: params: - - name: platform + - name: image-arch value: - $(params.build-platforms) - - name: clamav-scan + name: clamav-scan params: - name: image-digest value: $(tasks.build-image-index.results.IMAGE_DIGEST) @@ -439,11 +432,6 @@ spec: operator: in values: - "false" - matrix: - params: - - name: image-arch - value: - - $(params.build-platforms) - name: sast-shell-check params: - name: image-digest 
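Review bot: `clair-scan` gains a `matrix` over `image-platform` (hunk `@@ -370,7`), so it now runs once per entry of `build-platforms`, each instance scanning the `build-image-index` digest for its own platform; the `taskRef` bundle that must declare the `image-platform` parameter is outside the hunk, so confirm the pinned clair-scan version accepts it, otherwise the PipelineRun fails validation before any scan runs. The same check applies to `ecosystem-cert-preflight-checks` (`platform`, `@@ -392,7`) and `clamav-scan` (`image-arch`, `@@ -412,12`), although those hunks only move an existing matrix ahead of `name:`; the three tasks use three different parameter names for the same value, which is each task's own API and should be left as is. The `when` clauses that precede each of these tasks still apply to every matrix instance, so the skip-checks gating is unchanged by the matrix.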
diff --git a/.tekton/kn-plugin-event-sender-115-pull-request.yaml b/.tekton/kn-plugin-event-sender-115-pull-request.yaml
index 130c00a84..1af04f162 100755
--- a/.tekton/kn-plugin-event-sender-115-pull-request.yaml
+++ b/.tekton/kn-plugin-event-sender-115-pull-request.yaml
@@ -25,7 +25,7 @@ spec:
 - GO_RUNTIME=registry.access.redhat.com/ubi8/ubi-minimal
 - JAVA_BUILDER=registry.access.redhat.com/ubi8/openjdk-21
 - JAVA_RUNTIME=registry.access.redhat.com/ubi8/openjdk-21-runtime
- - VERSION=1.35.1
+ - VERSION=1.35.2
 - name: git-url
 value: '{{source_url}}'
 - name: hermetic
diff --git a/.tekton/kn-plugin-event-sender-115-push.yaml b/.tekton/kn-plugin-event-sender-115-push.yaml
index cab89e291..072ebaedf 100755
--- a/.tekton/kn-plugin-event-sender-115-push.yaml
+++ b/.tekton/kn-plugin-event-sender-115-push.yaml
@@ -24,7 +24,7 @@ spec:
 - GO_RUNTIME=registry.access.redhat.com/ubi8/ubi-minimal
 - JAVA_BUILDER=registry.access.redhat.com/ubi8/openjdk-21
 - JAVA_RUNTIME=registry.access.redhat.com/ubi8/openjdk-21-runtime
- - VERSION=1.35.1
+ - VERSION=1.35.2
 - name: git-url
 value: '{{source_url}}'
 - name: hermetic
@@ -36,7 +36,7 @@ spec:
 - name: additional-tags
 value:
 - $(context.pipelineRun.uid)-{{revision}}
- - 1.35.1
+ - 1.35.2
 - latest
 - name: prefetch-input
 value: '[{"path":".","type":"gomod"}]'
diff --git a/.tekton/kn-plugin-event-test-eventshub-115-pull-request.yaml b/.tekton/kn-plugin-event-test-eventshub-115-pull-request.yaml
index 6092fe5e0..489c28919 100755
--- a/.tekton/kn-plugin-event-test-eventshub-115-pull-request.yaml
+++ b/.tekton/kn-plugin-event-test-eventshub-115-pull-request.yaml
@@ -25,7 +25,7 @@ spec:
 - GO_RUNTIME=registry.access.redhat.com/ubi8/ubi-minimal
 - JAVA_BUILDER=registry.access.redhat.com/ubi8/openjdk-21
 - JAVA_RUNTIME=registry.access.redhat.com/ubi8/openjdk-21-runtime
- - VERSION=1.35.1
+ - VERSION=1.35.2
 - name: git-url
 value: '{{source_url}}'
 - name: hermetic
diff --git a/.tekton/kn-plugin-event-test-eventshub-115-push.yaml b/.tekton/kn-plugin-event-test-eventshub-115-push.yaml
index ca6de5832..f42aa225d 100755
--- a/.tekton/kn-plugin-event-test-eventshub-115-push.yaml
+++ b/.tekton/kn-plugin-event-test-eventshub-115-push.yaml
@@ -24,7 +24,7 @@ spec:
 - GO_RUNTIME=registry.access.redhat.com/ubi8/ubi-minimal
 - JAVA_BUILDER=registry.access.redhat.com/ubi8/openjdk-21
 - JAVA_RUNTIME=registry.access.redhat.com/ubi8/openjdk-21-runtime
- - VERSION=1.35.1
+ - VERSION=1.35.2
 - name: git-url
 value: '{{source_url}}'
 - name: hermetic
@@ -36,7 +36,7 @@ spec:
 - name: additional-tags
 value:
 - $(context.pipelineRun.uid)-{{revision}}
- - 1.35.1
+ - 1.35.2
 - latest
 - name: prefetch-input
 value: '[{"path":".","type":"gomod"}]'
diff --git a/.tekton/kn-plugin-event-test-wathola-forwarder-115-pull-request.yaml b/.tekton/kn-plugin-event-test-wathola-forwarder-115-pull-request.yaml
index 5eca905aa..3a8bdff2a 100755
--- a/.tekton/kn-plugin-event-test-wathola-forwarder-115-pull-request.yaml
+++ b/.tekton/kn-plugin-event-test-wathola-forwarder-115-pull-request.yaml
@@ -25,7 +25,7 @@ spec:
 - GO_RUNTIME=registry.access.redhat.com/ubi8/ubi-minimal
 - JAVA_BUILDER=registry.access.redhat.com/ubi8/openjdk-21
 - JAVA_RUNTIME=registry.access.redhat.com/ubi8/openjdk-21-runtime
- - VERSION=1.35.1
+ - VERSION=1.35.2
 - name: git-url
 value: '{{source_url}}'
 - name: hermetic
diff --git a/.tekton/kn-plugin-event-test-wathola-forwarder-115-push.yaml b/.tekton/kn-plugin-event-test-wathola-forwarder-115-push.yaml
index 74466d762..09bc0b5fd 100755
--- a/.tekton/kn-plugin-event-test-wathola-forwarder-115-push.yaml
+++ b/.tekton/kn-plugin-event-test-wathola-forwarder-115-push.yaml
@@ -24,7 +24,7 @@ spec:
 - GO_RUNTIME=registry.access.redhat.com/ubi8/ubi-minimal
 - JAVA_BUILDER=registry.access.redhat.com/ubi8/openjdk-21
 - JAVA_RUNTIME=registry.access.redhat.com/ubi8/openjdk-21-runtime
- - VERSION=1.35.1
+ - VERSION=1.35.2
 - name: git-url
 value: '{{source_url}}'
 - name: hermetic
@@ -36,7 +36,7 @@ spec:
 - name: additional-tags
 value:
 - $(context.pipelineRun.uid)-{{revision}}
- - 1.35.1
+ - 1.35.2
 - latest
 - name: prefetch-input
 value: '[{"path":".","type":"gomod"}]'