stackrox · msugakov · Nov 18, 2024 · Nov 12, 2024 · Nov 12, 2024 · Nov 12, 2024
@@ -14,9 +14,7 @@ metadata:
       (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
   labels:
     appstudio.openshift.io/application: acs
-    appstudio.openshift.io/component: collector-full-retagged
-    pipelines.appstudio.openshift.io/type: build
-  name: collector-full-retagged-on-push
+  name: retag-collector-full
   namespace: rh-acs-tenant
 
 spec:

@@ -14,9 +14,7 @@ metadata:
       (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
   labels:
     appstudio.openshift.io/application: acs
-    appstudio.openshift.io/component: collector-slim-retagged
-    pipelines.appstudio.openshift.io/type: build
-  name: collector-slim-retagged-on-push
+  name: retag-collector-slim
   namespace: rh-acs-tenant
 
 spec:

@@ -24,11 +24,15 @@ spec:
     description: Tag of the output image.
     type: string
   results:
-  - name: IMAGE_DIGEST
+  # Names *IMAGE_DIGEST, *IMAGE_URL must not be declared here. Otherwise, Tekton Chains will overwrite the original
+  # pipeline information linked to the image with info of the pipeline which executes this task and that pipeline
+  # doesn't pass EC checks. See https://tekton.dev/docs/chains/slsa-provenance/#image_url--image_digest
+  # We could skip providing any results here at all, but it's nice to find them in UI for the task.
+  - name: RESULTING_DIGEST
     description: Digest of the output image (will be the same as of the input one).
-  - name: IMAGE_URL
+  - name: RESULTING_URL
     description: Image repository and tag of the output image.
-  - name: IMAGE_REF
+  - name: RESULTING_REF
     description: Image reference of the output image containing both the repository, the tag and the digest.
   steps:
   - name: retag-image
@@ -109,7 +113,6 @@ spec:
 
       echo ">>> Done"
 
-      echo -n "${OUTPUT_DIGEST}" | tee "$(results.IMAGE_DIGEST.path)"; echo
-      echo -n "${OUTPUT_URL}" | tee "$(results.IMAGE_URL.path)"; echo
-      # build-image-index task provides both tag and the digest in the IMAGE_REF. We follow its example.
-      echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.IMAGE_REF.path)"; echo
+      echo -n "${OUTPUT_DIGEST}" | tee "$(results.RESULTING_DIGEST.path)"; echo
+      echo -n "${OUTPUT_URL}" | tee "$(results.RESULTING_URL.path)"; echo
+      echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.RESULTING_REF.path)"; echo
@@ -26,20 +26,6 @@ spec:
         value: task
       resolver: bundles
 
-  - name: show-sbom
-    params:
-    - name: IMAGE_URL
-      value: $(tasks.retag-image.results.IMAGE_URL)
-    taskRef:
-      params:
-      - name: name
-        value: show-sbom
-      - name: bundle
-        value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:52f8b96b96ce4203d4b74d850a85f963125bf8eef0683ea5acdd80818d335a28
-      - name: kind
-        value: task
-      resolver: bundles
-
   params:
   - description: Source Repository URL.
     name: git-url
@@ -76,27 +62,19 @@ spec:
     type: string
 
   results:
-  - description: ""
-    name: IMAGE_URL
-    value: $(tasks.retag-image.results.IMAGE_URL)
-  - description: ""
-    name: IMAGE_DIGEST
-    value: $(tasks.retag-image.results.IMAGE_DIGEST)
+  # *IMAGE_URL and *IMAGE_DIGEST must not be declared here because Tekton Chains will overwrite the original pipeline
+  # information linked to the image with this pipeline's info, and it will most certainly fail EC checks.
 
-  # CHAINS-GIT_* values will be entered in a Snapshot and into the image attestation data (cosign artifact).
-  # The values passed here will overwrite the values provided at the time when the input containers were built.
-  # E.g. the original git url 'git+https://github.com/stackrox/scanner.git' will be changed to
-  # 'git+https://github.com/stackrox/stackrox.git'.
-  # It is unclear from searches and inquiries, however, how these values are used and whether the overwriting would have
-  # any negative effects. E.g. see https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1729697134648409
-  # Since figuring the original values is somewhat more laborious, the suggestion is to keep doing what we do until that
-  # causes problems.
-  - description: ""
-    name: CHAINS-GIT_URL
-    value: $(tasks.clone-repository.results.url)
-  - description: ""
-    name: CHAINS-GIT_COMMIT
-    value: $(tasks.clone-repository.results.commit)
+  # These result parameters are to make retagged image's info conveniently displayed in Konflux UI.
+  - name: RESULTING_DIGEST
+    description: Digest of the output image (will be the same as of the input one).
+    value: $(tasks.retag-image.results.RESULTING_DIGEST)
+  - name: RESULTING_URL
+    description: Image repository and tag of the output image.
+    value: $(tasks.retag-image.results.RESULTING_URL)
+  - name: RESULTING_REF
+    description: Image reference of the output image containing both the repository, the tag and the digest.
+    value: $(tasks.retag-image.results.RESULTING_REF)
 
   workspaces:
   - name: git-auth

@@ -14,9 +14,7 @@ metadata:
       (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
   labels:
     appstudio.openshift.io/application: acs
-    appstudio.openshift.io/component: scanner-db-slim-retagged
-    pipelines.appstudio.openshift.io/type: build
-  name: scanner-db-slim-retagged-on-push
+  name: retag-scanner-db-slim
   namespace: rh-acs-tenant
 
 spec:

@@ -14,9 +14,7 @@ metadata:
       (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
   labels:
     appstudio.openshift.io/application: acs
-    appstudio.openshift.io/component: scanner-db-retagged
-    pipelines.appstudio.openshift.io/type: build
-  name: scanner-db-retagged-on-push
+  name: retag-scanner-db
   namespace: rh-acs-tenant
 
 spec:

@@ -14,9 +14,7 @@ metadata:
       (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
   labels:
     appstudio.openshift.io/application: acs
-    appstudio.openshift.io/component: scanner-slim-retagged
-    pipelines.appstudio.openshift.io/type: build
-  name: scanner-slim-retagged-on-push
+  name: retag-scanner-slim
   namespace: rh-acs-tenant
 
 spec:

@@ -14,9 +14,7 @@ metadata:
       (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
   labels:
     appstudio.openshift.io/application: acs
-    appstudio.openshift.io/component: scanner-retagged
-    pipelines.appstudio.openshift.io/type: build
-  name: scanner-retagged-on-push
+  name: retag-scanner
   namespace: rh-acs-tenant
 
 spec: