feat: add image scan and final cleanup task (#13)

.tekton/ansible-ee-pipeline.yaml

@@ -5,13 +5,14 @@ metadata:
   name: ansible-ee-pipeline
   annotations:
     pipelinesascode.tekton.dev/max-keep-runs: "5"
-    pipelinesascode.tekton.dev/task: "[.tekton/tasks/git-clone.yaml]"
+    pipelinesascode.tekton.dev/task: "[git-clone, trivy-scanner]"
     pipelinesascode.tekton.dev/task-1: "[.tekton/tasks/gitleaks.yaml]"
     pipelinesascode.tekton.dev/task-2: "[.tekton/tasks/ansible-lint.yaml]"
     pipelinesascode.tekton.dev/task-3: "[.tekton/tasks/ansible-builder-create.yaml]"
     pipelinesascode.tekton.dev/task-4: "[.tekton/tasks/buildah.yaml]"
     pipelinesascode.tekton.dev/task-5: "[.tekton/tasks/ansible-ee-sanity-test.yaml]"
     pipelinesascode.tekton.dev/task-6: "[.tekton/tasks/semantic-release.yaml]"
+    pipelinesascode.tekton.dev/task-7: "[.tekton/tasks/delete-image-stream.yaml]"
     pipelinesascode.tekton.dev/on-cel-expression: |
       event == "pull_request" || event == "push" && target_branch == "main" && "examples/ansible-ee/***".pathChanged() || ".tekton/ansible-ee-pipeline.yaml".pathChanged()
 spec:
@@ -96,8 +97,6 @@ spec:
             value: "false"
           - name: IMAGE
             value: image-registry.openshift-image-registry.svc:5000/ansible-tekton-demo/custom-ansible-ee
-          - name: TAG
-            value: v0.1.0
           - name: CONTEXT
             value: "examples/ansible-ee"
 
@@ -112,8 +111,23 @@ spec:
         params:
           - name: IMAGE
             value: image-registry.openshift-image-registry.svc:5000/ansible-tekton-demo/custom-ansible-ee
-          - name: TAG
-            value: v0.1.0
+
+      - name: image-scan
+        taskRef:
+          name: trivy-scanner
+        workspaces:
+          - name: manifest-dir
+            workspace: source
+        runAfter:
+          - build-image-tag
+        params:
+          - name: IMAGE_PATH
+            value: $(tasks.build-image-tag.results.IMAGE_URL)
+          - name: ARGS
+            value:
+              - "image"
+              - "--severity HIGH,CRITICAL"
+              - "--ignore-unfixed"
 
       - name: semantic-release
         when:
@@ -131,6 +145,17 @@ spec:
           - name: source-branch
             value: "{{ source_branch }}"
 
+    finally:
+      - name: clean-up
+        taskRef:
+          name: delete-image-stream
+        workspaces:
+          - name: source
+            workspace: source
+        params:
+          - name: IMAGE_STREAM
+            value: custom-ansible-ee
+
   workspaces:
     - name: source
       volumeClaimTemplate:

.tekton/tasks/ansible-ee-sanity-test.yaml

@@ -15,9 +15,6 @@ spec:
     - name: IMAGE
       type: string
       description: The name of the image to be tested.
-    - name: TAG
-      type: string
-      description: Tag of the image tp be tested.
     - name: CONTEXT
       type: string
       description: Path to the directory to use as context.
@@ -27,10 +24,9 @@ spec:
       default: ""
   workspaces:
     - name: source
-
   steps:
     - name: test-image
-      image: $(params.IMAGE):$(params.TAG)
+      image: $(params.IMAGE)
       workingDir: $(workspaces.source.path)
       script: |
         #!/usr/bin/env sh

.tekton/tasks/buildah.yaml

@@ -20,9 +20,6 @@ spec:
     Dockerfile to assemble a container image, then pushes that image to a
     container registry.
   params:
-    - description: Tag of the image buildah will produce.
-      name: TAG
-      type: string
     - description: Name of the image buildah will produce.
       name: IMAGE
       type: string
@@ -102,16 +99,16 @@ spec:
         buildah --storage-driver=$(params.STORAGE_DRIVER) bud \
           $(params.BUILD_EXTRA_ARGS) --format=$(params.FORMAT) \
           --tls-verify=$(params.TLSVERIFY) --no-cache \
-          -f $(params.DOCKERFILE) -t "$(params.IMAGE):$(params.TAG)" $(params.CONTEXT)
+          -f $(params.DOCKERFILE) -t "$(params.IMAGE)" $(params.CONTEXT)
 
         [[ "$(params.SKIP_PUSH)" == "true" ]] && echo "Push skipped" && exit 0
 
         buildah --storage-driver=$(params.STORAGE_DRIVER) push \
           $(params.PUSH_EXTRA_ARGS) --tls-verify=$(params.TLSVERIFY) \
-          --digestfile /tmp/image-digest "$(params.IMAGE):$(params.TAG)" \
-          docker://"$(params.IMAGE):$(params.TAG)"
+          --digestfile /tmp/image-digest "$(params.IMAGE)" \
+          docker://"$(params.IMAGE)"
         cat /tmp/image-digest | tee $(results.IMAGE_DIGEST.path)
-        echo "$(params.IMAGE):$(params.TAG)" | tee $(results.IMAGE_URL.path)
+        echo "$(params.IMAGE)" | tee $(results.IMAGE_URL.path)
       securityContext:
         capabilities:
           add:

.tekton/tasks/delete-image-stream.yaml

@@ -0,0 +1,30 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: delete-image-stream
+  labels:
+    app.kubernetes.io/version: "0.1"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.37.4"
+    tekton.dev/categories: delete image stream
+spec:
+  description: A task for deleting image stream in OpenShift
+  params:
+    - name: IMAGE_STREAM
+      type: string
+      description: The name of the image stream to be deleted from OpenShift
+    - name: RUNNER_IMAGE
+      type: string
+      description: the OpenShift CLI image used to run the task
+      default: "registry.redhat.io/openshift4/ose-cli@sha256:92d5e1b7dc2ef38e1c98084d25fb9d65dafa426d476702aed4448f6db752e8bb"
+  workspaces:
+    - name: source
+  steps:
+    - name: cleanup-image-stream
+      image: $(params.RUNNER_IMAGE)
+      workingDir: $(workspaces.source.path)
+      script: |
+        #!/usr/bin/env sh
+        echo "Deleting the image stream:"
+        oc delete is $(params.IMAGE_STREAM)

release.config.js

@@ -25,12 +25,5 @@ module.exports = {
     ],
     "@semantic-release/git",
     "@semantic-release/github",
-    // [
-    //   "@codedependant/semantic-release-docker", {
-    //     dockerContext: "examples/ansible-ee",
-    //     dockerRegistry: "quay.io",
-    //     dockerImage: "custom-ansible-ee",
-    //   }
-    // ]
   ],
 };