feat: add task for updating and pushing image to quay.io with new tag (…

…#14)

.tekton/ansible-ee-pipeline.yaml

@@ -12,9 +12,10 @@ metadata:
     pipelinesascode.tekton.dev/task-4: "[.tekton/tasks/buildah.yaml]"
     pipelinesascode.tekton.dev/task-5: "[.tekton/tasks/ansible-ee-sanity-test.yaml]"
     pipelinesascode.tekton.dev/task-6: "[.tekton/tasks/semantic-release.yaml]"
-    pipelinesascode.tekton.dev/task-7: "[.tekton/tasks/delete-image-stream.yaml]"
+    pipelinesascode.tekton.dev/task-7: "[.tekton/tasks/skopeo-copy.yaml]"
+    pipelinesascode.tekton.dev/task-8: "[.tekton/tasks/delete-image-stream.yaml]"
     pipelinesascode.tekton.dev/on-cel-expression: |
-      event == "pull_request" || event == "push" && target_branch == "main" && "examples/ansible-ee/***".pathChanged() || ".tekton/ansible-ee-pipeline.yaml".pathChanged()
+      (event == "push" || event == "pull_request") && target_branch == "main" && ("ansible-ee/***".pathChanged() || ".tekton/ansible-ee-pipeline.yaml".pathChanged())
 spec:
   params:
     - name: repo_url
@@ -27,7 +28,6 @@ spec:
       - name: revision
     workspaces:
       - name: source
-      - name: quay-credentials
       - name: registry-credentials
     tasks:
       - name: fetch-repository
@@ -80,7 +80,7 @@ spec:
           - name: OUTPUT_FILENAME
             value: Dockerfile
           - name: PATH
-            value: "examples/ansible-ee"
+            value: "ansible-ee"
 
       - name: build-image-tag
         taskRef:
@@ -97,8 +97,10 @@ spec:
             value: "false"
           - name: IMAGE
             value: image-registry.openshift-image-registry.svc:5000/ansible-tekton-demo/custom-ansible-ee
+          - name: TAG
+            value: "{{ pull_request_number }}"
           - name: CONTEXT
-            value: "examples/ansible-ee"
+            value: "ansible-ee"
 
       - name: ee-sanity-test
         taskRef:
@@ -111,6 +113,8 @@ spec:
         params:
           - name: IMAGE
             value: image-registry.openshift-image-registry.svc:5000/ansible-tekton-demo/custom-ansible-ee
+          - name: TAG
+            value: "{{ pull_request_number }}"
 
       - name: image-scan
         taskRef:
@@ -145,8 +149,48 @@ spec:
           - name: source-branch
             value: "{{ source_branch }}"
 
+      - name: push-image-tag
+        when:
+          - input: "{{ source_branch }}"
+            operator: in
+            values: ["main"]
+        runAfter:
+          - semantic-release
+        taskRef:
+          name: skopeo-copy
+        workspaces:
+          - name: source
+            workspace: source
+        params:
+          - name: srcImageURL
+            value: "docker://$(tasks.build-image-tag.results.IMAGE_URL)"
+          - name: destImageURL
+            value: "docker://quay.io/stbenji/ansible-tekton-demo:$(tasks.semantic-release.results.version)"
+
+      - name: update-image-latest
+        when:
+          - input: "{{ source_branch }}"
+            operator: in
+            values: ["main"]
+        runAfter:
+          - semantic-release
+        taskRef:
+          name: skopeo-copy
+        workspaces:
+          - name: source
+            workspace: source
+        params:
+          - name: srcImageURL
+            value: "docker://$(tasks.build-image-tag.results.IMAGE_URL)"
+          - name: destImageURL
+            value: "docker://quay.io/stbenji/ansible-tekton-demo:latest"
+
     finally:
       - name: clean-up
+        when:
+          - input: "{{ source_branch }}"
+            operator: in
+            values: ["main"]
         taskRef:
           name: delete-image-stream
         workspaces:
@@ -165,9 +209,6 @@ spec:
           resources:
             requests:
               storage: 5Gi
-    - name: quay-credentials
-      secret:
-        secretName: quay-credentials
     - name: registry-credentials
       secret:
         secretName: registry-credentials

.tekton/chains/tekton-chains-config.yaml

@@ -8,7 +8,7 @@ metadata:
     app.kubernetes.io/part-of: tekton-chains
     operator.tekton.dev/operand-name: tektoncd-chains
 data:
-  artifacts.oci.repository: "image-registry.openshift-image-registry.svc:5000"
+  artifacts.oci.repository: "image-registry.openshift-image-registry.svc:5000,quay.io"
   artifacts.oci.storage: "tekton,oci"
   artifacts.pipelinerun.format: slsa/v1
   artifacts.pipelinerun.storage: "tekton,oci"

.tekton/credentials/registry-credentials.example.yaml

@@ -6,6 +6,6 @@ metadata:
     tekton.dev/docker-0: quay.io
     tekton.dev/docker-1: registry.redhat.io
 stringData:
-  config.json: |
+  .dockerconfigjson: |
     {your-auth}
 type: kubernetes.io/dockerconfigjson

.tekton/tasks/ansible-ee-sanity-test.yaml

@@ -12,6 +12,9 @@ metadata:
 spec:
   description: A task for testing the built ansible execution environment.
   params:
+    - name: TAG
+      type: string
+      description: Tag of the image tp be tested.
     - name: IMAGE
       type: string
       description: The name of the image to be tested.
@@ -26,7 +29,13 @@ spec:
     - name: source
   steps:
     - name: test-image
-      image: $(params.IMAGE)
+      image: $(params.IMAGE):$(params.TAG)
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65532
+      env:
+        - name: HOME
+          value: /tekton/home
       workingDir: $(workspaces.source.path)
       script: |
         #!/usr/bin/env sh

.tekton/tasks/buildah.yaml

@@ -20,6 +20,9 @@ spec:
     Dockerfile to assemble a container image, then pushes that image to a
     container registry.
   params:
+    - description: Tag of the image buildah will produce.
+      name: TAG
+      type: string
     - description: Name of the image buildah will produce.
       name: IMAGE
       type: string
@@ -99,16 +102,16 @@ spec:
         buildah --storage-driver=$(params.STORAGE_DRIVER) bud \
           $(params.BUILD_EXTRA_ARGS) --format=$(params.FORMAT) \
           --tls-verify=$(params.TLSVERIFY) --no-cache \
-          -f $(params.DOCKERFILE) -t "$(params.IMAGE)" $(params.CONTEXT)
+          -f $(params.DOCKERFILE) -t "$(params.IMAGE):$(params.TAG)" $(params.CONTEXT)
 
         [[ "$(params.SKIP_PUSH)" == "true" ]] && echo "Push skipped" && exit 0
 
         buildah --storage-driver=$(params.STORAGE_DRIVER) push \
           $(params.PUSH_EXTRA_ARGS) --tls-verify=$(params.TLSVERIFY) \
-          --digestfile /tmp/image-digest "$(params.IMAGE)" \
-          docker://"$(params.IMAGE)"
+          --digestfile /tmp/image-digest "$(params.IMAGE):$(params.TAG)" \
+          docker://"$(params.IMAGE):$(params.TAG)"
         cat /tmp/image-digest | tee $(results.IMAGE_DIGEST.path)
-        echo "$(params.IMAGE)" | tee $(results.IMAGE_URL.path)
+        echo "$(params.IMAGE):$(params.TAG)" | tee $(results.IMAGE_URL.path)
       securityContext:
         capabilities:
           add:

.tekton/tasks/delete-image-stream.yaml

@@ -24,6 +24,9 @@ spec:
     - name: cleanup-image-stream
       image: $(params.RUNNER_IMAGE)
       workingDir: $(workspaces.source.path)
+      env:
+        - name: HOME
+          value: /tekton/home
       script: |
         #!/usr/bin/env sh
         echo "Deleting the image stream:"

.tekton/tasks/semantic-release.yaml

@@ -23,6 +23,10 @@ spec:
     - name: source-branch
       type: string
       description: the source-branch that semantic-release will run on
+  results:
+    - description: The version to be released
+      name: version
+      type: string
   workspaces:
     - name: source
   steps:
@@ -56,3 +60,4 @@ spec:
         git checkout $(params.source-branch)
         # run the semantic-release
         npx semantic-release --no-ci --branches $(params.source-branch)
+        cat .VERSION | tee $(results.version.path)

.tekton/tasks/skopeo-copy.yaml

@@ -0,0 +1,51 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: skopeo-copy
+  labels:
+    app.kubernetes.io/version: "0.1"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.37.4"
+    tekton.dev/categories: Push image tag
+    tekton.dev/tags: image push
+spec:
+  description: A task for pushing the built ansible execution environment image.
+  params:
+    - name: srcImageURL
+      type: string
+      description: the source image to be copied to the destination registry
+    - name: destImageURL
+      type: string
+      description: the image where the image from source should be copied to
+    - name: srcTLSverify
+      description: Verify the TLS on the src registry endpoint
+      type: string
+      default: "true"
+    - name: destTLSverify
+      description: Verify the TLS on the dest registry endpoint
+      type: string
+      default: "true"
+    - name: skopeoImage
+      description: the skopeo image to be used for the task
+      type: string
+      default: "quay.io/skopeo/stable:v1"
+
+  workspaces:
+    - name: source
+  steps:
+    - name: skopeo-copy
+      env:
+        - name: HOME
+          value: /tekton/home
+        - name: REGISTRY_AUTH_FILE
+          value: $HOME/.docker/config.json
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65532
+      image: $(params.skopeoImage)
+      workingDir: $(workspaces.source.path)
+      script: |
+        #!/bin/sh
+        set -x
+        skopeo copy --src-tls-verify="$(params.srcTLSverify)" --dest-tls-verify="$(params.destTLSverify)" $(params.srcImageURL) $(params.destImageURL)

README.md

@@ -10,6 +10,7 @@ or automation hub, semantic release and SBOM generator.
 - OpenShift 4.13.12
 - Ansible
 - OpenShift Pipelines 1.12.0
+- Semantic Release v22.0.6
 
 ## Setup pre-commit
 
@@ -36,16 +37,15 @@ in `.tekton/pac/` in the corresponding namespace with the correct values.
 
 ## Tekton Pipelines Architecture
 
-There are two `PipelineRun` in `.tekton/`:
+There is one `PipelineRun` in `.tekton/`:
 
 - `ansible-ee-pipeline`
-- `ansible-collection-pipeline`
 
 ### Ansible Execusion Environment Pipeline
 
 There is a basic example for a basic [Ansible execution
 environment](https://docs.ansible.com/automation-controller/latest/html/userguide/execution_environments.html)
-in the `examples/ansible-ee`.
+in the `ansible-ee`.
 The pipeline consists of the tasks showed below:
 
 ![figure](./assets/ansible-ee-pipeline.png)
@@ -64,32 +64,18 @@ updated, as well as the git release. A final cleanup will be executed.
 ### Tekton Chains
 
 In addition, [Tekton Chains](https://tekton.dev/docs/chains/) is used for signing artifacts.
-We used cosign
-`cosign generate-key-pair k8s://ansible-tekton-demo/signing-secrets`
-create a secret where stores registry credentials
-`oc create secret registry-credentials --from-file=.dockerconfigjson --type=kubernetes.io/dockerconfigjson -n $NAMESPACE`
-`oc patch sa pipeline -p "{\"imagePullSecrets\": [{\"name\": \"registry-credentials\"}]}" -n ansible-tekton-demo`
-
-### Ansible Collection Pipeline
 
-There is a basic ansible collection example in the `examples/collections`
+We used cosign
 
-The pipeline consists of the tasks showed below:
+`cosign generate-key-pair k8s://ansible-tekton-demo/signing-secrets`
 
-![figure](./assets/ansible-collection-pipeline.png)
+create a secret where stores registry credentials
 
-Similar to `ansible-ee-pipeline`, after cloning the Git repo, secret scanning,
-and ansible linting on the ansible manifests, a set of tests for the collection
-will be executed. The SBOM and corresponding release version and changelog will
-be generated.
+`oc create secret registry-credentials --from-file=.dockerconfigjson --type=kubernetes.io/dockerconfigjson -n $NAMESPACE`
 
-After the collection passed the test, it will be uploaded to automation
-hub or any other desired artifactory registry. It will be published after human approval
-Finally, a cleanup will be executed.
+`oc patch sa pipeline -p "{\"imagePullSecrets\": [{\"name\": \"registry-credentials\"}]}" -n ansible-tekton-demo`
 
 ## Set up semantic-release
 
 [semantic-release](https://github.com/semantic-release/semantic-release) is used for automating
 the whole package release workflow
-
-[semantic-release-docker](https://github.com/esatterwhite/semantic-release-docker)