diff --git a/.tekton/cosign-pull-request.yaml b/.tekton/cosign-pull-request.yaml
index 50a899d8a54..4de0c32c50e 100644
--- a/.tekton/cosign-pull-request.yaml
+++ b/.tekton/cosign-pull-request.yaml
@@ -8,6 +8,7 @@ metadata: build.appstudio.redhat.com/target_branch: '{{target_branch}}' pipelinesascode.tekton.dev/max-keep-runs: "3" pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main" && ( "Dockerfile.cosign.rh".pathChanged() || ".tekton/cosign-pull-request.yaml".pathChanged() || "cmd/***".pathChanged() || "internal/***".pathChanged() || "pkg/***".pathChanged() || "Build.mak".pathChanged() || "Makefile".pathChanged() || "trigger-konflux-builds.txt".pathChanged() ) + pipelinesascode.tekton.dev/task: "[.tekton/cosign-unit-test.yaml]" creationTimestamp: null labels: appstudio.openshift.io/application: cli
@@ -50,25 +51,6 @@ spec: - name: kind value: task resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:abdf426424f1331c27be80ed98a0fbcefb8422767d1724308b9d57b37f977155 - - name: kind - value: task - resolver: bundles params: - description: Source Repository URL name: git-url 
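Review bot: The pipeline now depends on `.tekton/cosign-unit-test.yaml` through the added `pipelinesascode.tekton.dev/task` annotation, but the `on-cel-expression` in the same hunk still only watches `.tekton/cosign-pull-request.yaml`, so a pull request that changes only the unit-test Task never triggers this pipeline and the new definition is first exercised on the push to `main`. Adding `".tekton/cosign-unit-test.yaml".pathChanged() ||` to the path list closes that gap. The same omission is in the cosign-push.yaml annotation hunk (`@@ -7,6 +7,7 @@`). The removal of `show-summary` in the second hunk is a pure deletion and needs nothing further.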
@@ -159,14 +141,18 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - init taskRef: params: - name: name - value: git-clone + value: git-clone-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:9e6c4db5a666ea0e1e747e03d63f46e5617a6b9852c26871f9d50891d778dfa2 + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone-oci-ta:0.1@sha256:1178a65926b449c3603f7c0ecbb2d9311c0d7f1443c5164e952e7634a1d10142 - name: kind value: task resolver: bundles
@@ -176,8 +162,6 @@ spec: values: - "true" workspaces: - - name: output - workspace: workspace - name: basic-auth workspace: git-auth - name: prefetch-dependencies
@@ -189,20 +173,12 @@ spec: taskRef: params: - name: name - value: prefetch-dependencies + value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:1b75828f2b7193ec9c567b907fdc0b2c1bb08cca4ab2dfcecbe9ff84f836cfc8 + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:57979e1c289bfe09acb70401f35558a9032e749b398a43fea049c044f9d96afe - name: kind value: task resolver: bundles - when: - - input: $(params.hermetic) - operator: in - values: - - "true" - workspaces: - - name: source - workspace: workspace - name: build-container params: - name: IMAGE 
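Review bot: In this file the `prefetch-dependencies` task is switched to `prefetch-dependencies-oci-ta` (hunk `@@ -189,20 +173,12 @@`) but receives no new params: the `hermetic`, `SOURCE_ARTIFACT`, `ociStorage` and `ociArtifactExpiresAfter` entries that cosign-push.yaml adds under `prefetch-dependencies` (hunk `@@ -173,33 +159,31 @@`) were instead inserted into `build-container` in the next hunk here, right after its `PREFETCH_INPUT` param. As a result the oci-ta prefetch task presumably lacks its required `SOURCE_ARTIFACT`/`ociStorage` inputs, and `build-container` ends up with `SOURCE_ARTIFACT` declared twice plus three params buildah-oci-ta does not appear to declare. The `params:` block of `prefetch-dependencies` lies between the two hunks, so the move is shown below with the existing `input` param for placement; the `build-container` copies should be deleted.
```yaml
    - name: input
      value: $(params.prefetch-input)
    - name: hermetic
      value: $(params.hermetic)
    - name: SOURCE_ARTIFACT
      value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
    - name: ociStorage
      value: $(params.output-image).prefetch
    - name: ociArtifactExpiresAfter
      value: $(params.image-expires-after)
    # … unchanged: runAfter, taskRef …
```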
@@ -215,18 +191,30 @@ spec: value: $(params.hermetic) - name: PREFETCH_INPUT value: $(params.prefetch-input) + - name: hermetic + value: ${params.hermetic} + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) - name: IMAGE_EXPIRES_AFTER value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - prefetch-dependencies taskRef: params: - name: name - value: buildah + value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:f1aba019735496f9f7a7366b6cef8daa29ac5b36ecfc8a449669d736fb97295a + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-oci-ta:0.1@sha256:4f5c2eb7dfa89ca286b90ed858b9670324d9e025c07fffff57d6de92840f8f1f - name: kind value: task resolver: bundles
@@ -235,21 +223,22 @@ spec: operator: in values: - "true" - workspaces: - - name: source - workspace: workspace - name: build-source-image params: - name: BINARY_IMAGE value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - build-container taskRef: params: - name: name - value: source-build + value: source-build-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:14b91ad9124b722b44222685013faaf9af8ac5b66030d9abeb1c61da3c118cdd + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build-oci-ta:0.1@sha256:9ea6c027a7e025a9a18367b2608f69e824a388807ef8d9f33742a8f9ef387045 - name: kind value: task resolver: bundles 
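Review bot: The added `hermetic` param uses `${params.hermetic}`, which Tekton does not substitute — only `$(params.hermetic)` is a variable reference — so the task receives the literal string `${params.hermetic}` and hermetic mode is effectively never enabled through it; the same typo is in the cosign-push.yaml `prefetch-dependencies` hunk (`@@ -173,33 +159,31 @@`). Change it to `value: $(params.hermetic)`. Separately, `build-container` moves from `quay.io/konflux-ci/tekton-catalog/task-buildah:0.2` to `quay.io/redhat-appstudio-tekton-catalog/task-buildah-oci-ta:0.1`, a step back in task version as well as a change of catalog namespace; the reference stays digest-pinned, but please confirm the older task line is intended rather than the oci-ta variant of the current one. The same 0.2→0.1 movement appears for `sast-snyk-check` in the next hunk group and in cosign-push.yaml.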
@@ -262,9 +251,6 @@ spec: operator: in values: - "true" - workspaces: - - name: workspace - workspace: workspace - name: deprecated-base-image-check params: - name: IMAGE_URL
@@ -315,9 +301,9 @@ spec: taskRef: params: - name: name - value: sast-snyk-check + value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.2@sha256:479bd0d9aaa7b377ff5f8ad93168d44807455646f2161688637cb2e4e0b990d9 + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check-oci-ta:0.1@sha256:0b217311aceb2c379a4327002b18edce086ced3806576420a543f5e03a710077 - name: kind value: task resolver: bundles
@@ -326,14 +312,9 @@ spec: operator: in values: - "false" - workspaces: - - name: workspace - workspace: workspace params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: clamav-scan params: - name: image-digest 
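Review bot: The `sast-snyk-check` task loses its `image-digest` and `image-url` params in hunk `@@ -326,14 +312,9 @@` and is left with only `SOURCE_ARTIFACT`; if `sast-snyk-check-oci-ta:0.1` declares those two params (they are what ties the SAST result to the image that was just built), the findings will no longer be associated with the image under review, so keep them alongside `SOURCE_ARTIFACT` unless the pinned task really has no such inputs. The note on the previous hunk about the 0.2→0.1 task version step-back applies here as well. The identical change is in cosign-push.yaml (`@@ -323,14 +309,9 @@`).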
@@ -378,44 +359,21 @@ spec: operator: in values: - "false" - # - name: run-unit-test - # runAfter: - # - prefetch-dependencies - # taskRef: - # params: - # - name: name - # value: go-unit-test - # - name: bundle - # value: quay.io/securesign/cosign-unit-test@sha256:1831f2702e3f124d988dabcde8fd943f73b3d286e7f0c00b87ebe6b89e929ff1 - # - name: kind - # value: task - # resolver: bundles - # workspaces: - # - name: source - # workspace: workspace + - name: run-unit-test + runAfter: + - prefetch-dependencies + taskRef: + name: go-unit-test + params: + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) workspaces: - - name: workspace - name: git-auth optional: true taskRunTemplate: {} - # taskRunSpecs: - # - pipelineTaskName: run-unit-test - # serviceAccountName: appstudio-pipeline - # podTemplate: - # imagePullSecrets: - # - name: brew-registry-pull-secret workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - name: git-auth secret: secretName: '{{ git_auth_secret }}'
diff --git a/.tekton/cosign-push.yaml b/.tekton/cosign-push.yaml
index 63566d9e212..a70b2cd7cf2 100644
--- a/.tekton/cosign-push.yaml
+++ b/.tekton/cosign-push.yaml 
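Review bot: `run-unit-test` is now a live task, but nothing orders on it: `build-container` still has `runAfter: [prefetch-dependencies]` (visible in the earlier `@@ -215` hunk), so the unit tests and the image build run in parallel and a test failure only fails the PipelineRun after the image has already been built — and in cosign-push.yaml, where the same hunk (`@@ -375,44 +356,21 @@`) appears, after it has been pushed. If the tests are meant to gate the artifact, add `- run-unit-test` to `build-container`'s `runAfter`. Note also that, unlike every other task here, `taskRef: name: go-unit-test` resolves to the in-repo Task from the PaC annotation rather than a digest-pinned bundle, which is inherent to local PaC tasks but means the test definition floats with the branch.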
@@ -7,6 +7,7 @@ metadata: build.appstudio.redhat.com/target_branch: '{{target_branch}}' pipelinesascode.tekton.dev/max-keep-runs: "3" pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main" && ( "Dockerfile.cosign.rh".pathChanged() || ".tekton/cosign-push.yaml".pathChanged() || "cmd/***".pathChanged() || "internal/***".pathChanged() || "pkg/***".pathChanged() || "Build.mak".pathChanged() || "Makefile".pathChanged() || "trigger-konflux-builds.txt".pathChanged() ) + pipelinesascode.tekton.dev/task: "[.tekton/cosign-unit-test.yaml]" creationTimestamp: null labels: appstudio.openshift.io/application: cli
@@ -47,25 +48,6 @@ spec: - name: kind value: task resolver: bundles - - name: show-summary - params: - - name: pipelinerun-name - value: $(context.pipelineRun.name) - - name: git-url - value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - - name: image-url - value: $(params.output-image) - - name: build-task-status - value: $(tasks.build-container.status) - taskRef: - params: - - name: name - value: summary - - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.2@sha256:abdf426424f1331c27be80ed98a0fbcefb8422767d1724308b9d57b37f977155 - - name: kind - value: task - resolver: bundles params: - description: Source Repository URL name: git-url 
@@ -156,14 +138,18 @@ spec: value: $(params.git-url) - name: revision value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - init taskRef: params: - name: name - value: git-clone + value: git-clone-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:9e6c4db5a666ea0e1e747e03d63f46e5617a6b9852c26871f9d50891d778dfa2 + value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone-oci-ta:0.1@sha256:1178a65926b449c3603f7c0ecbb2d9311c0d7f1443c5164e952e7634a1d10142 - name: kind value: task resolver: bundles
@@ -173,33 +159,31 @@ spec: values: - "true" workspaces: - - name: output - workspace: workspace - name: basic-auth workspace: git-auth - name: prefetch-dependencies params: - name: input value: $(params.prefetch-input) + - name: hermetic + value: ${params.hermetic} + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) runAfter: - clone-repository taskRef: params: - name: name - value: prefetch-dependencies + value: prefetch-dependencies-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:1b75828f2b7193ec9c567b907fdc0b2c1bb08cca4ab2dfcecbe9ff84f836cfc8 + value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:57979e1c289bfe09acb70401f35558a9032e749b398a43fea049c044f9d96afe - name: kind value: task resolver: bundles - when: - - input: $(params.hermetic) - operator: in - values: - - "true" - workspaces: - - name: source - workspace: workspace - name: build-container params: - name: IMAGE 
@@ -216,14 +200,18 @@ spec: value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - prefetch-dependencies taskRef: params: - name: name - value: buildah + value: buildah-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:f1aba019735496f9f7a7366b6cef8daa29ac5b36ecfc8a449669d736fb97295a + value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-oci-ta:0.1@sha256:4f5c2eb7dfa89ca286b90ed858b9670324d9e025c07fffff57d6de92840f8f1f - name: kind value: task resolver: bundles
@@ -232,21 +220,22 @@ spec: operator: in values: - "true" - workspaces: - - name: source - workspace: workspace - name: build-source-image params: - name: BINARY_IMAGE value: $(params.output-image) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) runAfter: - build-container taskRef: params: - name: name - value: source-build + value: source-build-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:14b91ad9124b722b44222685013faaf9af8ac5b66030d9abeb1c61da3c118cdd + value: quay.io/redhat-appstudio-tekton-catalog/task-source-build-oci-ta:0.1@sha256:9ea6c027a7e025a9a18367b2608f69e824a388807ef8d9f33742a8f9ef387045 - name: kind value: task resolver: bundles
@@ -259,9 +248,6 @@ spec: operator: in values: - "true" - workspaces: - - name: workspace - workspace: workspace - name: deprecated-base-image-check params: - name: IMAGE_URL 
@@ -312,9 +298,9 @@ spec: taskRef: params: - name: name - value: sast-snyk-check + value: sast-snyk-check-oci-ta - name: bundle - value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.2@sha256:479bd0d9aaa7b377ff5f8ad93168d44807455646f2161688637cb2e4e0b990d9 + value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check-oci-ta:0.1@sha256:0b217311aceb2c379a4327002b18edce086ced3806576420a543f5e03a710077 - name: kind value: task resolver: bundles
@@ -323,14 +309,9 @@ spec: operator: in values: - "false" - workspaces: - - name: workspace - workspace: workspace params: - - name: image-digest - value: $(tasks.build-container.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-container.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: clamav-scan params: - name: image-digest 
@@ -375,44 +356,21 @@ spec: operator: in values: - "false" - # - name: run-unit-test - # runAfter: - # - prefetch-dependencies - # taskRef: - # params: - # - name: name - # value: go-unit-test - # - name: bundle - # value: quay.io/securesign/cosign-unit-test@sha256:1831f2702e3f124d988dabcde8fd943f73b3d286e7f0c00b87ebe6b89e929ff1 - # - name: kind - # value: task - # resolver: bundles - # workspaces: - # - name: source - # workspace: workspace + - name: run-unit-test + runAfter: + - prefetch-dependencies + taskRef: + name: go-unit-test + params: + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) workspaces: - - name: workspace - name: git-auth optional: true taskRunTemplate: {} - # taskRunSpecs: - # - pipelineTaskName: run-unit-test - # serviceAccountName: appstudio-pipeline - # podTemplate: - # imagePullSecrets: - # - name: brew-registry-pull-secret workspaces: - - name: workspace - volumeClaimTemplate: - metadata: - creationTimestamp: null - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - status: {} - name: git-auth secret: secretName: '{{ git_auth_secret }}'
diff --git a/.tekton/cosign-unit-test.yaml b/.tekton/cosign-unit-test.yaml
index 0413eb19097..88c5ba9343d 100644
--- a/.tekton/cosign-unit-test.yaml
+++ b/.tekton/cosign-unit-test.yaml 
@@ -5,16 +5,46 @@ metadata: annotations: tekton.dev/title: "Go Unit Test Task" spec: - workspaces: - - name: source + params: + - description: The trusted artifact URI containing the application source code. + name: SOURCE_ARTIFACT + type: string + - description: The Trusted Artifact URI pointing to the artifact with the prefetched dependencies. + name: CACHI2_ARTIFACT + type: string + default: "" + stepTemplate: + volumeMounts: + - mountPath: /var/workdir + name: workdir + # This path is hard coded in the cachi2.env file. + - mountPath: /cachi2 + name: cachi2 + securityContext: + # This is needed because the different steps in this Task run with different user IDs. + runAsUser: 0 steps: + - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:4e39fb97f4444c2946944482df47b39c5bbc195c54c6560b0647635f553ab23d + name: use-trusted-artifact + args: + - use + - $(params.SOURCE_ARTIFACT)=/var/workdir/source + - $(params.CACHI2_ARTIFACT)=/cachi2 - name: run-tests - image: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_1.21@sha256:98a0ff138c536eee98704d6909699ad5d0725a20573e2c510a60ef462b45cce0 - workingDir: $(workspaces.source.path)/source + image: registry.access.redhat.com/ubi9/go-toolset@sha256:1421b69ee4c6d5631174776dc40654051b5183f149213613d74f61a11afaaa94 + workingDir: /var/workdir/source script: | #!/usr/bin/env sh + if [ -f "/cachi2/cachi2.env" ]; then + source "/cachi2/cachi2.env" + fi go mod vendor go test ./... + volumes: + - name: workdir + emptyDir: {} + - name: cachi2 + emptyDir: {} # This file bundles the unit tests for cosign. # If any changes are made to this file, it must be pushed to Quay using the following command:
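Review bot: The `run-tests` script is declared `#!/usr/bin/env sh` but loads the environment with the bash-only `source`, and it has no `set -e`, so on a strict POSIX `sh` the cachi2 environment is silently skipped and a failing `go mod vendor` still falls through to `go test`; use `set -eu` after the shebang and `. /cachi2/cachi2.env` for the sourcing line. Related: `CACHI2_ARTIFACT` defaults to `""`, and without `/cachi2/cachi2.env` `go mod vendor` fetches modules from the network, so the test step is only hermetic when prefetch produced an artifact — worth stating in the param description, e.g. `Optional; when empty, go mod vendor resolves modules from the network.` The `runAsUser: 0` in `stepTemplate` is explained by its comment and matches the trusted-artifact pattern, but it does mean the unit tests themselves run as root. The trailing comment "it must be pushed to Quay using the following command" is now stale, since both pipelines reference this file through the `pipelinesascode.tekton.dev/task` annotation rather than a bundle.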