diff --git a/.tekton/central-db-build.yaml b/.tekton/central-db-build.yaml index 4059ebf4a1c6f..f166d43e9a300 100644 --- a/.tekton/central-db-build.yaml +++ b/.tekton/central-db-build.yaml @@ -10,8 +10,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "500" # TODO(ROX-21073): re-enable for all PR branches pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + (event == "push" && target_branch.matches("^(master|release-.*)$")) labels: appstudio.openshift.io/application: acs appstudio.openshift.io/component: central-db diff --git a/.tekton/collector-full-retag.yaml b/.tekton/collector-full-retag.yaml new file mode 100644 index 0000000000000..e901edf13d0bf --- /dev/null +++ b/.tekton/collector-full-retag.yaml 
@@ -0,0 +1,59 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun + +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "500" + # TODO(ROX-21073): re-enable for all PR branches + pipelinesascode.tekton.dev/on-cel-expression: | + (event == "push" && target_branch.matches("^(master|release-.*)$")) || + (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + labels: + appstudio.openshift.io/application: acs + appstudio.openshift.io/component: collector + pipelines.appstudio.openshift.io/type: build + name: collector-full-retag + namespace: rh-acs-tenant + +spec: + + params: + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + value: '13w' + - name: output-image-repo + value: quay.io/rhacs-eng/collector + - name: base-image-repo + value: quay.io/rhacs-eng/collector + - name: base-image-tag-makefile-target + value: collector-tag + - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + - name: clone-depth + value: '0' + - name: clone-fetch-tags + value: 'true' + + workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + + pipelineRef: + name: retag-pipeline + + taskRunSpecs: + + timeouts: + # Retagging pipeline should be quick-ish. + tasks: 30m + # Reserve time for final tasks to run. + finally: 10m + pipeline: 40m diff --git a/.tekton/collector-slim-retag.yaml b/.tekton/collector-slim-retag.yaml new file mode 100644 index 0000000000000..ed4b5f5658369 --- /dev/null +++ b/.tekton/collector-slim-retag.yaml 
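Review bot: The `on-cel-expression` of this new PipelineRun keeps the `pull_request` clause (an unanchored `source_branch.matches("(konflux|appstudio|rhtap)")` or the `konflux-build` label) that every existing build pipeline touched by this same commit removes, so a PR whose branch name merely contains one of those substrings runs `retag-pipeline` with the tenant's `git_auth_secret` and push rights to `quay.io/rhacs-eng/collector`. Pipelines-as-Code executes the `.tekton` definitions from the PR head, so such a PR can also change what that run does; whether fork PRs are additionally gated (for example by `/ok-to-test` via the Repository policy) is not visible in this diff. Unless PR-triggered retags are deliberately wanted, drop the clause to match the other pipelines, `(event == "push" && target_branch.matches("^(master|release-.*)$"))`, or at least anchor the branch regex, e.g. `source_branch.matches("^(konflux|appstudio|rhtap)")`, and say in the `TODO(ROX-21073)` comment why this pipeline differs.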
@@ -0,0 +1,59 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun + +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/max-keep-runs: "500" + # TODO(ROX-21073): re-enable for all PR branches + pipelinesascode.tekton.dev/on-cel-expression: | + (event == "push" && target_branch.matches("^(master|release-.*)$")) || + (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + labels: + appstudio.openshift.io/application: acs + appstudio.openshift.io/component: collector + pipelines.appstudio.openshift.io/type: build + name: collector-slim-retag + namespace: rh-acs-tenant + +spec: + + params: + - name: git-url + value: '{{repo_url}}' + - name: image-expires-after + value: '13w' + - name: output-image-repo + value: quay.io/rhacs-eng/collector-slim + - name: base-image-repo + value: quay.io/rhacs-eng/collector + - name: base-image-tag-makefile-target + value: collector-tag + - name: revision + value: '{{revision}}' + - name: rebuild + value: 'true' + - name: clone-depth + value: '0' + - name: clone-fetch-tags + value: 'true' + + workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' + + pipelineRef: + name: retag-pipeline + + taskRunSpecs: + + timeouts: + # Retagging pipeline should be quick-ish. + tasks: 30m + # Reserve time for final tasks to run. + finally: 10m + pipeline: 40m diff --git a/.tekton/determine-image-tag-task.yaml b/.tekton/determine-image-tag-task.yaml index 69d52c384c910..e22f7fb646507 100644 --- a/.tekton/determine-image-tag-task.yaml +++ b/.tekton/determine-image-tag-task.yaml 
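Review bot: `base-image-repo` (`quay.io/rhacs-eng/collector`) and `base-image-tag-makefile-target` (`collector-tag`) are the same values as in collector-full-retag.yaml, so this run assembles the identical four per-arch images and `collector-slim:<tag>` is published with the same content as `collector:<tag>`; only `output-image-repo` differs. If that is intentional (the slim and full collector images having converged), a comment above `base-image-repo` such as `# Slim and full collector are built from the same per-arch images; only the output repo differs.` would stop the next reader from treating it as a copy-paste error; if not, this should point at the slim per-arch tags. The `pull_request` clause in `on-cel-expression` is also retained here while the build pipelines in this commit drop it, so label- or branch-name-triggered PR runs can push to `quay.io/rhacs-eng/collector-slim` with the tenant's credentials.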
@@ -19,6 +19,10 @@ spec: description: Directory in which to run 'make' command. type: string default: "." + - name: MAKEFILE_TARGET + description: Makefile target to run. + type: string + default: "tag" results: - name: IMAGE_TAG description: Image Tag determined by custom logic. @@ -45,5 +49,5 @@ spec: dnf -y install git make .konflux/scripts/fail-build-if-git-is-dirty.sh - image_tag="$(make -C "$(params.MAKEFILE_DIRECTORY)" --quiet --no-print-directory tag)$(params.TAG_SUFFIX)" + image_tag="$(make -C "$(params.MAKEFILE_DIRECTORY)" --quiet --no-print-directory "$(params.MAKEFILE_TARGET)")$(params.TAG_SUFFIX)" echo -n "$image_tag" | tee "$(results.IMAGE_TAG.path)" diff --git a/.tekton/main-build.yaml b/.tekton/main-build.yaml index c9144bdf1d845..db29d3799c43f 100644 --- a/.tekton/main-build.yaml +++ b/.tekton/main-build.yaml @@ -10,8 +10,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "500" # TODO(ROX-21073): re-enable for all PR branches pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + (event == "push" && target_branch.matches("^(master|release-.*)$")) labels: appstudio.openshift.io/application: acs appstudio.openshift.io/component: main diff --git a/.tekton/operator-build.yaml b/.tekton/operator-build.yaml index 94e6d52b359f7..1130d1c3dcf9c 100644 --- a/.tekton/operator-build.yaml +++ b/.tekton/operator-build.yaml 
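Review bot: The new `MAKEFILE_TARGET` parameter is interpolated textually into the `script:` body as `"$(params.MAKEFILE_TARGET)"`; Tekton performs that substitution before the shell starts, so the surrounding double quotes do not contain a value holding `"`, `;` or `$(...)`, which is the standard Tekton parameter-injection shape (the pre-existing `MAKEFILE_DIRECTORY` use has the same property). Today the only callers visible in this commit pass fixed values (`tag` by default, `collector-tag` from the retag runs), so exposure is limited to whoever can change `.tekton/`, but the Task is generic and will be reused. Prefer passing it through the step's `env:` — `- name: MAKEFILE_TARGET` / `value: $(params.MAKEFILE_TARGET)` — and referencing `"$MAKEFILE_TARGET"` in the script, or validate it against an allowlist of known targets before invoking `make`. The `script:` block this line belongs to starts outside the hunk.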
@@ -10,8 +10,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "500" # TODO(ROX-21073): re-enable for all PR branches pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + (event == "push" && target_branch.matches("^(master|release-.*)$")) labels: appstudio.openshift.io/application: acs appstudio.openshift.io/component: operator diff --git a/.tekton/operator-bundle-build.yaml b/.tekton/operator-bundle-build.yaml index 3d86396acbe77..4157ee9878be5 100644 --- a/.tekton/operator-bundle-build.yaml +++ b/.tekton/operator-bundle-build.yaml @@ -10,8 +10,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "500" # TODO(ROX-21073): re-enable for all PR branches pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + (event == "push" && target_branch.matches("^(master|release-.*)$")) labels: appstudio.openshift.io/application: acs appstudio.openshift.io/component: operator-bundle diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml new file mode 100644 index 0000000000000..34e0891bd15cc --- /dev/null +++ b/.tekton/retag-pipeline.yaml 
@@ -0,0 +1,313 @@ +apiVersion: tekton.dev/v1 +kind: Pipeline +metadata: + name: retag-pipeline +spec: + + finally: + - name: slack-notification + params: + - name: message + value: ':x: `{{event_type}}` pipeline for (`$(params.output-image-repo)`, revision <$(params.git-url)/commit/$(params.revision)|$(params.revision)>) has failed.' + - name: key-name + value: 'acs-konflux-notifications' + when: + # Run when any task has Failed + - input: $(tasks.status) + operator: in + values: [ "Failed" ] + taskRef: + params: + - name: name + value: slack-webhook-notification + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-slack-webhook-notification:0.1@sha256:0dfdfd87a8716ff9c20ae3325eff9a5d52ee9c708959c1e93eaedc852621a4d5 + - name: kind + value: task + resolver: bundles + + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.build-image-manifest.results.IMAGE_URL) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:9bfc6b99ef038800fe131d7b45ff3cd4da3a415dd536f7c657b3527b01c4a13b + - name: kind + value: task + resolver: bundles + + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Output Image Repository + name: output-image-repo + type: string + - default: "-fast" + description: Suffix that will be appended to the output image tag. + name: output-tag-suffix + type: string + - description: Base (input) Image Repository + name: base-image-repo + type: string + - description: Makefile target to execute in order to determine base (input) image tag. 
+ name: base-image-tag-makefile-target + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "0" + description: Depth of the git clone in number of commits. Use "1" for shallow clone. Use "0" for deep clone, i.e. to fetch all commits. + name: clone-depth + type: string + - default: "true" + description: Fetch tags with git clone + name: clone-fetch-tags + type: string + - default: "1d" + description: This sets the expiration time for intermediate OCI artifacts produced and used during builds after which they can be garbage collected. + name: oci-artifact-expires-after + type: string + + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-manifest.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-manifest.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + + workspaces: + - name: git-auth + + tasks: + + - name: init + params: + - name: image-url + # We can't provide a StackRox-style tag because it is not known at this time (requires cloning source, etc.) + # As a workaround, we still provide a unique tag that's based on a revision to this task to comply with its + # expected input. We later actually add this tag on a built image with build-image-manifest-konflux task. 
+ value: $(params.output-image-repo):konflux-$(params.revision) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:092c113b614f6551113f17605ae9cb7e822aa704d07f0e37ed209da23ce392cc + - name: kind + value: task + resolver: bundles + + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: depth + value: $(params.clone-depth) + - name: fetchTags + value: $(params.clone-fetch-tags) + - name: ociStorage + value: $(params.output-image-repo):konflux-$(params.revision).git + - name: ociArtifactExpiresAfter + value: $(params.oci-artifact-expires-after) + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:b03bb5e21665b17ae2f645496013a072b00f1a174024dc1ff41dc626f364c66b + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + workspaces: + - name: basic-auth + workspace: git-auth + + - name: determine-output-image-tag + params: + - name: TAG_SUFFIX + value: $(params.output-tag-suffix) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + taskRef: + name: determine-image-tag + + - name: determine-base-image-tag + params: + - name: MAKEFILE_TARGET + value: $(params.base-image-tag-makefile-target) + - name: TAG_SUFFIX + value: $(params.output-tag-suffix) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + taskRef: + name: determine-image-tag + + - name: build-image-manifest + params: + - name: IMAGE + value: $(params.output-image-repo):$(tasks.determine-output-image-tag.results.IMAGE_TAG) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGES + value: + 
- $(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-amd64 + - $(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-s390x + - $(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-ppc64le + - $(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-arm64 + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + taskRef: + params: + - name: name + value: build-image-manifest + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:ff7779cea8cd99c211e690f218fc367fe30374e528bb53507a73c7214be8ce9d + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + + - name: build-image-manifest-konflux + params: + - name: IMAGE + value: $(params.output-image-repo):konflux-$(params.revision) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGES + value: + - $(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-amd64 + - $(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-s390x + - $(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-ppc64le + - $(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-arm64 + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + taskRef: + params: + - name: name + value: build-image-manifest + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:ff7779cea8cd99c211e690f218fc367fe30374e528bb53507a73c7214be8ce9d + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: [ "true" ] + + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-manifest.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: 
$(tasks.build-image-manifest.results.IMAGE_DIGEST) + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:d98fa9daf5ee12dfbf00880b83d092d01ce9994d79836548d2f82748bb0c64a2 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-manifest.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-manifest.results.IMAGE_URL) + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.1@sha256:baea4be429cf8d91f7c758378cea42819fe324f25a7f957bf9805409cab6d123 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-manifest.results.IMAGE_URL) + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:5131cce0f93d0b728c7bcc0d6cee4c61d4c9f67c6d619c627e41e3c9775b497d + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] + + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-manifest.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-manifest.results.IMAGE_URL) + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.1@sha256:7bb17b937c9342f305468e8a6d0a22493e3ecde58977bd2ffc8b50e2fa234d58 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: [ "false" ] 
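Review bot: `build-image-manifest` and `build-image-manifest-konflux` assemble the output index from four per-arch references selected by mutable tag (`$(params.base-image-repo):$(tasks.determine-base-image-tag.results.IMAGE_TAG)-amd64` and siblings) with no step verifying where those images came from, while the pipeline exports `CHAINS-GIT_URL`/`CHAINS-GIT_COMMIT`, so Tekton Chains, if enabled for this tenant, will attest the result as built from this repo at `$(params.revision)`. In effect, whatever sits behind those tags in `quay.io/rhacs-eng/collector` at run time is re-published under a new tag with fresh provenance, and `base-image-repo` is a free-form string param that a PipelineRun could point anywhere. Consider a task ahead of `build-image-manifest` that verifies the four inputs (e.g. `cosign verify`/`cosign verify-attestation` against the expected build identity, or an Enterprise Contract check), records their resolved digests as a result, and a comment on `IMAGES` stating that this pipeline trusts the source tags as-is. The `clair-scan`, `clamav-scan`, `deprecated-base-image-check` and `ecosystem-cert-preflight-checks` tasks run only when the caller-controlled `skip-checks` is `"false"`, so they are not a substitute for that verification.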
diff --git a/.tekton/roxctl-build.yaml b/.tekton/roxctl-build.yaml index 122a0175e5b59..543685f5136a1 100644 --- a/.tekton/roxctl-build.yaml +++ b/.tekton/roxctl-build.yaml @@ -10,8 +10,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "500" # TODO(ROX-21073): re-enable for all PR branches pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + (event == "push" && target_branch.matches("^(master|release-.*)$")) labels: appstudio.openshift.io/application: acs appstudio.openshift.io/component: roxctl diff --git a/.tekton/scanner-v4-build.yaml b/.tekton/scanner-v4-build.yaml index 3055d56f39aec..e51b548e02379 100644 --- a/.tekton/scanner-v4-build.yaml +++ b/.tekton/scanner-v4-build.yaml @@ -10,8 +10,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "500" # TODO(ROX-21073): re-enable for all PR branches pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + (event == "push" && target_branch.matches("^(master|release-.*)$")) labels: appstudio.openshift.io/application: acs appstudio.openshift.io/component: scanner-v4 diff --git a/.tekton/scanner-v4-db-build.yaml b/.tekton/scanner-v4-db-build.yaml index a5fb7db18ebbe..a1b0e0db13d50 100644 --- a/.tekton/scanner-v4-db-build.yaml +++ b/.tekton/scanner-v4-db-build.yaml 
@@ -10,8 +10,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "500" # TODO(ROX-21073): re-enable for all PR branches pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) + (event == "push" && target_branch.matches("^(master|release-.*)$")) labels: appstudio.openshift.io/application: acs appstudio.openshift.io/component: scanner-v4-db