diff --git a/.tekton/ansible-ee-pipeline.yaml b/.tekton/ansible-ee-pipeline.yaml
index a08a249..080ec77 100644
--- a/.tekton/ansible-ee-pipeline.yaml
+++ b/.tekton/ansible-ee-pipeline.yaml
@@ -5,13 +5,14 @@ metadata:
   name: ansible-ee-pipeline
   annotations:
     pipelinesascode.tekton.dev/max-keep-runs: "5"
-    pipelinesascode.tekton.dev/task: "[.tekton/tasks/git-clone.yaml]"
+    pipelinesascode.tekton.dev/task: "[git-clone, trivy-scanner]"
     pipelinesascode.tekton.dev/task-1: "[.tekton/tasks/gitleaks.yaml]"
     pipelinesascode.tekton.dev/task-2: "[.tekton/tasks/ansible-lint.yaml]"
     pipelinesascode.tekton.dev/task-3: "[.tekton/tasks/ansible-builder-create.yaml]"
     pipelinesascode.tekton.dev/task-4: "[.tekton/tasks/buildah.yaml]"
     pipelinesascode.tekton.dev/task-5: "[.tekton/tasks/ansible-ee-sanity-test.yaml]"
     pipelinesascode.tekton.dev/task-6: "[.tekton/tasks/semantic-release.yaml]"
+    pipelinesascode.tekton.dev/task-7: "[.tekton/tasks/delete-image-stream.yaml]"
     pipelinesascode.tekton.dev/on-cel-expression: |
       event == "pull_request" || event == "push" && target_branch == "main" && "examples/ansible-ee/***".pathChanged() || ".tekton/ansible-ee-pipeline.yaml".pathChanged()
 spec:
@@ -96,8 +97,6 @@ spec:
       value: "false"
     - name: IMAGE
       value: image-registry.openshift-image-registry.svc:5000/ansible-tekton-demo/custom-ansible-ee
-    - name: TAG
-      value: v0.1.0
     - name: CONTEXT
       value: "examples/ansible-ee"
 
@@ -112,8 +111,23 @@ spec:
     params:
     - name: IMAGE
       value: image-registry.openshift-image-registry.svc:5000/ansible-tekton-demo/custom-ansible-ee
-    - name: TAG
-      value: v0.1.0
+
+  - name: image-scan
+    taskRef:
+      name: trivy-scanner
+    workspaces:
+    - name: manifest-dir
+      workspace: source
+    runAfter:
+    - build-image-tag
+    params:
+    - name: IMAGE_PATH
+      value: $(tasks.build-image-tag.results.IMAGE_URL)
+    - name: ARGS
+      value:
+      - "image"
+      - "--severity HIGH,CRITICAL"
+      - "--ignore-unfixed"
 
   - name: semantic-release
     when:
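Review bot: `pipelinesascode.tekton.dev/task: "[git-clone, trivy-scanner]"` references both tasks by bare name, so each run resolves them from the Tekton Hub at whatever version is current there, and the pipeline definition no longer identifies the code that clones the source and scans the image (the old value pointed at a copy under .tekton/tasks). Pipelines-as-Code accepts a version suffix in these references; `pipelinesascode.tekton.dev/task: "[git-clone:<version>, trivy-scanner:<version>]"` pins them so an upstream change shows up as a diff in this file instead of silently entering the build. A one-line comment above the annotation stating why git-clone moved from the bundled file to the Hub would also help, since task-1 through task-7 still point at local files.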
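Review bot: The image-scan task reports HIGH and CRITICAL findings but cannot fail the run on them: trivy exits 0 on findings unless `--exit-code` is given, so the ARGS list needs an entry such as `- "--exit-code 1"` before the scan can block anything. Its IMAGE_PATH, `$(tasks.build-image-tag.results.IMAGE_URL)`, is after this change an untagged reference (the buildah.yaml hunk now tags and echoes `$(params.IMAGE)` alone), which resolves to a mutable latest tag, so the scanner — like the `image: $(params.IMAGE)` step in the ansible-ee-sanity-test.yaml hunk — may pull a different image than the one just built when runs overlap; `value: $(tasks.build-image-tag.results.IMAGE_URL)@$(tasks.build-image-tag.results.IMAGE_DIGEST)` pins the scan to the digest buildah recorded. Whether a failing scan gates the release depends on semantic-release's runAfter, which lies outside this hunk; if it does not list image-scan, the release proceeds regardless of the scan result.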
@@ -131,6 +145,17 @@ spec:
     - name: source-branch
       value: "{{ source_branch }}"
 
+  finally:
+  - name: clean-up
+    taskRef:
+      name: delete-image-stream
+    workspaces:
+    - name: source
+      workspace: source
+    params:
+    - name: IMAGE_STREAM
+      value: custom-ansible-ee
+
   workspaces:
   - name: source
     volumeClaimTemplate:
diff --git a/.tekton/tasks/ansible-ee-sanity-test.yaml b/.tekton/tasks/ansible-ee-sanity-test.yaml
index 4464b05..86ed076 100644
--- a/.tekton/tasks/ansible-ee-sanity-test.yaml
+++ b/.tekton/tasks/ansible-ee-sanity-test.yaml
@@ -15,9 +15,6 @@ spec:
   - name: IMAGE
     type: string
     description: The name of the image to be tested.
-  - name: TAG
-    type: string
-    description: Tag of the image tp be tested.
   - name: CONTEXT
     type: string
     description: Path to the directory to use as context.
@@ -27,10 +24,9 @@ spec:
     default: ""
   workspaces:
   - name: source
-
   steps:
   - name: test-image
-    image: $(params.IMAGE):$(params.TAG)
+    image: $(params.IMAGE)
     workingDir: $(workspaces.source.path)
     script: |
       #!/usr/bin/env sh
diff --git a/.tekton/tasks/buildah.yaml b/.tekton/tasks/buildah.yaml
index 84c564a..49509fe 100644
--- a/.tekton/tasks/buildah.yaml
+++ b/.tekton/tasks/buildah.yaml
@@ -20,9 +20,6 @@ spec:
     Dockerfile to assemble a container image, then pushes that image to a
     container registry.
   params:
-  - description: Tag of the image buildah will produce.
-    name: TAG
-    type: string
   - description: Name of the image buildah will produce.
     name: IMAGE
     type: string
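Review bot: The clean-up task in `finally` deletes the image stream named by the fixed value `custom-ansible-ee` after every run, and that name is shared by all runs of this pipeline: when two runs overlap, the first run's clean-up can remove the stream while the second run's image-scan or sanity test is still pulling from it, and a failed run deletes an image a parallel successful run has just produced. If the stream is meant as per-run scratch storage, derive the name from the run, e.g. `value: custom-ansible-ee-$(context.pipelineRun.name)`, with the IMAGE value used by the build changed to match; if it is meant to persist, the deletion belongs behind a `when` on the event rather than in an unconditional finally. The service account running this pipeline now needs delete on imagestreams; grant that through a namespace Role restricted to that resource rather than a broader edit binding. The spec this finally block is appended to begins outside the hunk.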
@@ -102,16 +99,16 @@ spec:
       buildah --storage-driver=$(params.STORAGE_DRIVER) bud \
         $(params.BUILD_EXTRA_ARGS) --format=$(params.FORMAT) \
         --tls-verify=$(params.TLSVERIFY) --no-cache \
-        -f $(params.DOCKERFILE) -t "$(params.IMAGE):$(params.TAG)" $(params.CONTEXT)
+        -f $(params.DOCKERFILE) -t "$(params.IMAGE)" $(params.CONTEXT)
 
       [[ "$(params.SKIP_PUSH)" == "true" ]] && echo "Push skipped" && exit 0
 
       buildah --storage-driver=$(params.STORAGE_DRIVER) push \
         $(params.PUSH_EXTRA_ARGS) --tls-verify=$(params.TLSVERIFY) \
-        --digestfile /tmp/image-digest "$(params.IMAGE):$(params.TAG)" \
-        docker://"$(params.IMAGE):$(params.TAG)"
+        --digestfile /tmp/image-digest "$(params.IMAGE)" \
+        docker://"$(params.IMAGE)"
       cat /tmp/image-digest | tee $(results.IMAGE_DIGEST.path)
-      echo "$(params.IMAGE):$(params.TAG)" | tee $(results.IMAGE_URL.path)
+      echo "$(params.IMAGE)" | tee $(results.IMAGE_URL.path)
     securityContext:
       capabilities:
         add:
diff --git a/.tekton/tasks/delete-image-stream.yaml b/.tekton/tasks/delete-image-stream.yaml
new file mode 100644
index 0000000..5ace12e
--- /dev/null
+++ b/.tekton/tasks/delete-image-stream.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: delete-image-stream
+  labels:
+    app.kubernetes.io/version: "0.1"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.37.4"
+    tekton.dev/categories: delete image stream
+spec:
+  description: A task for deleting image stream in OpenShift
+  params:
+  - name: IMAGE_STREAM
+    type: string
+    description: The name of the image stream to be deleted from OpenShift
+  - name: RUNNER_IMAGE
+    type: string
+    description: the OpenShift CLI image used to run the task
+    default: "registry.redhat.io/openshift4/ose-cli@sha256:92d5e1b7dc2ef38e1c98084d25fb9d65dafa426d476702aed4448f6db752e8bb"
+  workspaces:
+  - name: source
+  steps:
+  - name: cleanup-image-stream
+    image: $(params.RUNNER_IMAGE)
+    workingDir: $(workspaces.source.path)
+    script: |
+      #!/usr/bin/env sh
+      echo "Deleting the image stream:"
+      oc delete is $(params.IMAGE_STREAM)
diff --git a/release.config.js b/release.config.js
index dd02d61..a18afe2 100644
--- a/release.config.js
+++ b/release.config.js
@@ -25,12 +25,5 @@ module.exports = {
     ],
     "@semantic-release/git",
     "@semantic-release/github",
-    // [
-    //   "@codedependant/semantic-release-docker", {
-    //     dockerContext: "examples/ansible-ee",
-    //     dockerRegistry: "quay.io",
-    //     dockerImage: "custom-ansible-ee",
-    //   }
-    // ]
   ],
 };
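Review bot: `oc delete is $(params.IMAGE_STREAM)` splices the parameter straight into the shell script, so anything other than a plain name in IMAGE_STREAM changes the command itself; for a reusable task the Tekton-recommended form is to surface the parameter through `env` and reference the quoted variable in the script, which keeps word splitting and shell metacharacters out of the command line. The deletion also fails when the stream is absent (for instance when the build stopped before any push), and because the pipeline calls this task from `finally` that marks the whole PipelineRun failed over a missing cleanup target; `--ignore-not-found` makes the step idempotent. The echo prints nothing after the colon, and the `source` workspace is only used as workingDir, so it appears not to be needed by the command at all.
```yaml
  - name: cleanup-image-stream
    # … unchanged: image, workingDir …
    env:
    - name: IMAGE_STREAM
      value: $(params.IMAGE_STREAM)
    script: |
      #!/usr/bin/env sh
      set -eu
      echo "Deleting the image stream: ${IMAGE_STREAM}"
      oc delete is "${IMAGE_STREAM}" --ignore-not-found
```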