From d3a7a316ae77a53b12db89a6c4366213d798466d Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 10:33:53 +0100 Subject: [PATCH 01/43] Try whiteout component and app info for collector-slim retag --- .tekton/collector-slim-retag.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.tekton/collector-slim-retag.yaml b/.tekton/collector-slim-retag.yaml index d1fd0469ca0f3..287f4b3ee62a0 100644 --- a/.tekton/collector-slim-retag.yaml +++ b/.tekton/collector-slim-retag.yaml @@ -13,9 +13,9 @@ metadata: (event == "push" && target_branch.matches("^(master|release-.*)$")) || (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) labels: - appstudio.openshift.io/application: acs - appstudio.openshift.io/component: collector-slim-retagged - pipelines.appstudio.openshift.io/type: build +# appstudio.openshift.io/application: acs +# appstudio.openshift.io/component: collector-slim-retagged +# pipelines.appstudio.openshift.io/type: build name: collector-slim-retagged-on-push namespace: rh-acs-tenant From ea5a4e6c3ea3fcb71183f9bc29c9f74cb55b8e28 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 12:46:53 +0100 Subject: [PATCH 02/43] Try not mess with integration service --- .tekton/retag-pipeline.yaml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index 49f51740c4cd7..49dc81f26dc2e 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml 
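Review bot: Commenting out every entry under `labels:` in .tekton/collector-slim-retag.yaml leaves the key with no value, which a YAML parser reads as `labels: null` rather than an empty map; either remove the `labels:` line together with its entries or write `labels: {}` so the intent is explicit. The same pattern appears in the collector-full-retag hunk of patch 04, in the pipeline `results:` block of patch 09 and in the task `results:` block of patch 11. If, as the patch titles suggest, the goal is to detach this PipelineRun from the Konflux component so that the Integration Service ignores it, a one-line comment such as `# Intentionally not labelled with an application/component: this run must not feed a Snapshot.` would keep the next reader from restoring the labels; three `#`-prefixed lines record nothing about why they are disabled.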
@@ -77,26 +77,26 @@ spec: results: - description: "" - name: IMAGE_URL + name: OUR_IMAGE_URL value: $(tasks.retag-image.results.IMAGE_URL) - description: "" - name: IMAGE_DIGEST + name: OUR_IMAGE_DIGEST value: $(tasks.retag-image.results.IMAGE_DIGEST) - # CHAINS-GIT_* values will be entered in a Snapshot and into the image attestation data (cosign artifact). - # The values passed here will overwrite the values provided at the time when the input containers were built. - # E.g. the original git url 'git+https://github.com/stackrox/scanner.git' will be changed to - # 'git+https://github.com/stackrox/stackrox.git'. - # It is unclear from searches and inquiries, however, how these values are used and whether the overwriting would have - # any negative effects. E.g. see https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1729697134648409 - # Since figuring the original values is somewhat more laborious, the suggestion is to keep doing what we do until that - # causes problems. - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) +# # CHAINS-GIT_* values will be entered in a Snapshot and into the image attestation data (cosign artifact). +# # The values passed here will overwrite the values provided at the time when the input containers were built. +# # E.g. the original git url 'git+https://github.com/stackrox/scanner.git' will be changed to +# # 'git+https://github.com/stackrox/stackrox.git'. +# # It is unclear from searches and inquiries, however, how these values are used and whether the overwriting would have +# # any negative effects. E.g. see https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1729697134648409 +# # Since figuring the original values is somewhat more laborious, the suggestion is to keep doing what we do until that +# # causes problems. 
+# - description: "" +# name: CHAINS-GIT_URL +# value: $(tasks.clone-repository.results.url) +# - description: "" +# name: CHAINS-GIT_COMMIT +# value: $(tasks.clone-repository.results.commit) workspaces: - name: git-auth From 833b20d5a91f6e95f2b5928a4de995e32af92a0f Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 14:29:31 +0100 Subject: [PATCH 03/43] *DO NOT MERGE*: use a clean version to simulate slim-retagging --- COLLECTOR_VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/COLLECTOR_VERSION b/COLLECTOR_VERSION index 134822d3eb008..dc747ec988275 100644 --- a/COLLECTOR_VERSION +++ b/COLLECTOR_VERSION @@ -1 +1 @@ -3.20.x-33-gf1748e6301 +3.20.x-32-g4ce04a70f3 From c52136620e55be5b294af52d8aed18d08be22702 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 14:30:14 +0100 Subject: [PATCH 04/43] Prevent collector-full messing up images --- .tekton/collector-full-retag.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.tekton/collector-full-retag.yaml b/.tekton/collector-full-retag.yaml index 2c2a01b220014..c88ed921b48d4 100644 --- a/.tekton/collector-full-retag.yaml +++ b/.tekton/collector-full-retag.yaml @@ -13,9 +13,9 @@ metadata: (event == "push" && target_branch.matches("^(master|release-.*)$")) || (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) labels: - appstudio.openshift.io/application: acs - appstudio.openshift.io/component: collector-full-retagged - pipelines.appstudio.openshift.io/type: build +# appstudio.openshift.io/application: acs +# appstudio.openshift.io/component: collector-full-retagged +# pipelines.appstudio.openshift.io/type: build name: collector-full-retagged-on-push namespace: rh-acs-tenant From ffb03fa78184f287c9ce919fcc5101256bb48866 Mon Sep 17 00:00:00 2001 
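Review bot: Dropping the `CHAINS-GIT_URL` and `CHAINS-GIT_COMMIT` pipeline results removes the source URL and commit that, per the very comment being commented out here, are entered into the Snapshot and the image attestation, so an attestation produced for this run will carry no git provenance; that is a regression unless it is exactly the intent. Renaming `IMAGE_URL`/`IMAGE_DIGEST` to `OUR_IMAGE_URL`/`OUR_IMAGE_DIGEST` likewise stops any consumer keyed on the conventional names from locating the output image, and the only record of the reason is the patch title "Try not mess with integration service". A short comment above `results:` stating what is being hidden from whom, e.g. `# Results deliberately use non-standard names so this run is not picked up as a build of the component.`, belongs in the file, and the eight commentary lines about CHAINS-GIT_* should be deleted rather than kept behind `#` now that they describe results that no longer exist.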
From: Misha Sugakov Date: Tue, 12 Nov 2024 14:59:17 +0100 Subject: [PATCH 05/43] Try mess up yet another version --- COLLECTOR_VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/COLLECTOR_VERSION b/COLLECTOR_VERSION index dc747ec988275..4764dfd73de2e 100644 --- a/COLLECTOR_VERSION +++ b/COLLECTOR_VERSION @@ -1 +1 @@ -3.20.x-32-g4ce04a70f3 +3.20.x-34-gc0f32ac789 From 4af8e4f53e2e121aa119aa6f2ccc3f874085a881 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 15:31:47 +0100 Subject: [PATCH 06/43] Try rename pipeline --- .tekton/collector-full-retag.yaml | 2 +- .tekton/collector-slim-retag.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/collector-full-retag.yaml b/.tekton/collector-full-retag.yaml index c88ed921b48d4..3274425828e01 100644 --- a/.tekton/collector-full-retag.yaml +++ b/.tekton/collector-full-retag.yaml @@ -16,7 +16,7 @@ metadata: # appstudio.openshift.io/application: acs # appstudio.openshift.io/component: collector-full-retagged # pipelines.appstudio.openshift.io/type: build - name: collector-full-retagged-on-push + name: collector-full-retag namespace: rh-acs-tenant spec: diff --git a/.tekton/collector-slim-retag.yaml b/.tekton/collector-slim-retag.yaml index 287f4b3ee62a0..ad6317787b559 100644 --- a/.tekton/collector-slim-retag.yaml +++ b/.tekton/collector-slim-retag.yaml @@ -16,7 +16,7 @@ metadata: # appstudio.openshift.io/application: acs # appstudio.openshift.io/component: collector-slim-retagged # pipelines.appstudio.openshift.io/type: build - name: collector-slim-retagged-on-push + name: collector-slim-retag namespace: rh-acs-tenant spec: From a4eea42a513b4f54195e466635b9e284d3bf1844 Mon Sep 17 00:00:00 2001 
From: Misha Sugakov Date: Tue, 12 Nov 2024 15:32:01 +0100 Subject: [PATCH 07/43] *DO NOT MERGE* disable collector full retag to stop messing up images --- .tekton/collector-full-retag.yaml | 96 +++++++++++++++---------------- 1 file changed, 48 insertions(+), 48 deletions(-) diff --git a/.tekton/collector-full-retag.yaml b/.tekton/collector-full-retag.yaml index 3274425828e01..a816dd7da6149 100644 --- a/.tekton/collector-full-retag.yaml +++ b/.tekton/collector-full-retag.yaml 
@@ -1,48 +1,48 @@ -apiVersion: tekton.dev/v1 -kind: PipelineRun - -metadata: - annotations: - build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}} - build.appstudio.redhat.com/commit_sha: '{{revision}}' - build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' - build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: "500" - # TODO(ROX-21073): re-enable for all PR branches - pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) - labels: -# appstudio.openshift.io/application: acs -# appstudio.openshift.io/component: collector-full-retagged -# pipelines.appstudio.openshift.io/type: build - name: collector-full-retag - namespace: rh-acs-tenant - -spec: - - params: - - name: git-url - value: '{{source_url}}' - - name: revision - value: '{{revision}}' - - name: output-image-repo - value: quay.io/rhacs-eng/collector - - name: input-image-repo - value: quay.io/rhacs-eng/collector - - name: input-image-tag-makefile-target - value: collector-tag - - workspaces: - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' - - pipelineRef: - name: retag-pipeline - - timeouts: - tasks: 30m - # Reserve time for final tasks to run. 
- finally: 10m - pipeline: 40m +#apiVersion: tekton.dev/v1 +#kind: PipelineRun +# +#metadata: +# annotations: +# build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}} +# build.appstudio.redhat.com/commit_sha: '{{revision}}' +# build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' +# build.appstudio.redhat.com/target_branch: '{{target_branch}}' +# pipelinesascode.tekton.dev/max-keep-runs: "500" +# # TODO(ROX-21073): re-enable for all PR branches +# pipelinesascode.tekton.dev/on-cel-expression: | +# (event == "push" && target_branch.matches("^(master|release-.*)$")) || +# (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) +# labels: +## appstudio.openshift.io/application: acs +## appstudio.openshift.io/component: collector-full-retagged +## pipelines.appstudio.openshift.io/type: build +# name: collector-full-retag +# namespace: rh-acs-tenant +# +#spec: +# +# params: +# - name: git-url +# value: '{{source_url}}' +# - name: revision +# value: '{{revision}}' +# - name: output-image-repo +# value: quay.io/rhacs-eng/collector +# - name: input-image-repo +# value: quay.io/rhacs-eng/collector +# - name: input-image-tag-makefile-target +# value: collector-tag +# +# workspaces: +# - name: git-auth +# secret: +# secretName: '{{ git_auth_secret }}' +# +# pipelineRef: +# name: retag-pipeline +# +# timeouts: +# tasks: 30m +# # Reserve time for final tasks to run. +# finally: 10m +# pipeline: 40m From af79d18d77b8efa9303140c63a1286f89f82dd8e Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 15:35:15 +0100 Subject: [PATCH 08/43] Spoil yet another version --- COLLECTOR_VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/COLLECTOR_VERSION b/COLLECTOR_VERSION index 4764dfd73de2e..fdff2288fd7cd 100644 --- a/COLLECTOR_VERSION +++ b/COLLECTOR_VERSION 
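Review bot: Prefixing every line of .tekton/collector-full-retag.yaml with `#` turns it into a file that parses to an empty YAML document with no `kind`; Pipelines-as-Code still reads every file under `.tekton/`, and how it treats a file that yields no resource is not visible from here. Deleting the file (or moving it out of `.tekton/`) is the unambiguous way to disable the run and keeps git history as the backup; the same applies to the four scanner files in patch 12. If the file must stay, a single header comment stating why the run is disabled and under what condition it should be re-enabled would at least spare the next reader a trip through history, though the `*DO NOT MERGE*` title suggests this is experimentation only.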
@@ -1 +1 @@ -3.20.x-34-gc0f32ac789 +3.20.x-34-g49b40e1a1f From 8f560494cc8537d0fb22b53100b3e43a5ce5eeb8 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 16:18:58 +0100 Subject: [PATCH 09/43] Close out image/digest results --- .tekton/retag-pipeline.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index 49dc81f26dc2e..750d2567897b1 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml @@ -76,12 +76,12 @@ spec: type: string results: - - description: "" - name: OUR_IMAGE_URL - value: $(tasks.retag-image.results.IMAGE_URL) - - description: "" - name: OUR_IMAGE_DIGEST - value: $(tasks.retag-image.results.IMAGE_DIGEST) +# - description: "" +# name: OUR_IMAGE_URL +# value: $(tasks.retag-image.results.IMAGE_URL) +# - description: "" +# name: OUR_IMAGE_DIGEST +# value: $(tasks.retag-image.results.IMAGE_DIGEST) # # CHAINS-GIT_* values will be entered in a Snapshot and into the image attestation data (cosign artifact). # # The values passed here will overwrite the values provided at the time when the input containers were built. From e7dba278dbefb6c4bc0fb4925218a2f16fa2775b Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 16:25:52 +0100 Subject: [PATCH 10/43] Change to the simplest copy with `skopeo` --- .tekton/retag-image-task.yaml | 42 ++++++++++++++++++----------------- .tekton/retag-pipeline.yaml | 26 +++++++++++----------- 2 files changed, 35 insertions(+), 33 deletions(-) diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index a1d48239ec3ea..4a0b5c229fb70 100644 --- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml 
@@ -51,13 +51,15 @@ spec: echo ">>> Copying image from ${input_url} ..." echo ">>> ... to ${output_url} ..." + skopeo copy --all --retry-times="${SKOPEO_RETRIES}" "docker://${input_url}" "docker://${output_url}" + # cosign copies not just cosign artifacts but also images. It understands and copies index images. # --force argument is needed to prevent the command failing when it runs into (partial) previous copies with # errors like the following. # Error: image "quay.io/rhacs-eng/collector:sha256-4b509fdf27761150a5a5ce519f087bc6d69af9d886a63f67f70b1e293643ea19" already exists. Use `-f` to overwrite - cosign copy --force "${input_url}" "${output_url}" + #cosign copy --force "${input_url}" "${output_url}" - oras cp --recursive "${input_url}" "${output_url}" + #oras cp --recursive "${input_url}" "${output_url}" # NB: cosign and oras don't retry by themselves. TODO: add retries against Quay transient errors. } 
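Review bot: Replacing `cosign copy` and `oras cp` with `skopeo copy --all` changes what reaches the output repository: skopeo copies the image index and its manifests, whereas the cosign invocation, per the comment kept just above it, also carried the cosign artifacts (signatures and attestations) attached to the image, so after this hunk the retagged image is pushed without them and any policy that verifies the copy will no longer find them. `SKOPEO_RETRIES` is not set anywhere in this hunk; confirm it is defined earlier in the step script or as a task param, otherwise `--retry-times=""` is passed (or the script aborts if it runs under `set -u`). The `NB: cosign and oras don't retry by themselves` comment now describes two commented-out commands and should be updated or removed together with them; the `copy_image` function continues above the hunk.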
@@ -88,24 +90,24 @@ spec: echo ">>> Checking if the input image digest ${INPUT_DIGEST} is the same as the output image digest ${OUTPUT_DIGEST} ..." [[ "${INPUT_DIGEST}" == "${OUTPUT_DIGEST}" ]] - # This handles the source image. - # Source image is the one where application source code, source code of its dependencies and base container is - # packaged. Source image is produced for the input image by Konflux if there's task-source-build* in the pipeline. - # While source image is related to the input image semantically and through its tag, there's no enforced link - # between them (unlike cosign or oras artifacts) and it is a _separate, independent_ image, so it must not to be - # confused with the input image itself. - echo ">>> Copying source image ..." - # Tag determination borrowed from - # https://github.com/konflux-ci/release-service-catalog/blob/92dabb8a31c42669ab9b6ccce831487727514059/tasks/push-snapshot/push-snapshot.yaml#L158 - SOURCE_IMAGE_TAG="${INPUT_DIGEST/:/-}.src" - INPUT_SOURCE_IMAGE_URL="$(params.INPUT_IMAGE_REPO):${SOURCE_IMAGE_TAG}" - OUTPUT_SOURCE_IMAGE_URL="$(params.OUTPUT_IMAGE_REPO):${SOURCE_IMAGE_TAG}" - if [[ "${INPUT_SOURCE_IMAGE_URL}" == "${OUTPUT_SOURCE_IMAGE_URL}" ]]; then - # This is the case when we retag in the same repo. - echo ">>> The repo and tag of the source image would not change and so the image does not need to be copied." - else - copy_image "${INPUT_SOURCE_IMAGE_URL}" "${OUTPUT_SOURCE_IMAGE_URL}" - fi + # # This handles the source image. + # # Source image is the one where application source code, source code of its dependencies and base container is + # # packaged. Source image is produced for the input image by Konflux if there's task-source-build* in the pipeline. 
+ # # While source image is related to the input image semantically and through its tag, there's no enforced link + # # between them (unlike cosign or oras artifacts) and it is a _separate, independent_ image, so it must not to be + # # confused with the input image itself. + # echo ">>> Copying source image ..." + # # Tag determination borrowed from + # # https://github.com/konflux-ci/release-service-catalog/blob/92dabb8a31c42669ab9b6ccce831487727514059/tasks/push-snapshot/push-snapshot.yaml#L158 + # SOURCE_IMAGE_TAG="${INPUT_DIGEST/:/-}.src" + # INPUT_SOURCE_IMAGE_URL="$(params.INPUT_IMAGE_REPO):${SOURCE_IMAGE_TAG}" + # OUTPUT_SOURCE_IMAGE_URL="$(params.OUTPUT_IMAGE_REPO):${SOURCE_IMAGE_TAG}" + # if [[ "${INPUT_SOURCE_IMAGE_URL}" == "${OUTPUT_SOURCE_IMAGE_URL}" ]]; then + # # This is the case when we retag in the same repo. + # echo ">>> The repo and tag of the source image would not change and so the image does not need to be copied." + # else + # copy_image "${INPUT_SOURCE_IMAGE_URL}" "${OUTPUT_SOURCE_IMAGE_URL}" + # fi echo ">>> Done" diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index 750d2567897b1..e2fb81bc857b6 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml 
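Review bot: Commenting out the source-image block means the `.src` image that, per the comment, Konflux produces alongside the input image is no longer propagated to the output repository, so anything that expects a source image next to the retagged one (the comment names it as an independent image with no enforced link) will not find it. If this is meant to test whether the source-image copy is what gets noticed as a push, the result of that experiment should end up in the commit message and the eighteen commented lines either deleted or restored; as written, nothing distinguishes a deliberate drop from a forgotten debugging step. The step script continues past the hunk after `echo ">>> Done"`.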
@@ -26,19 +26,19 @@ spec: value: task resolver: bundles - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.retag-image.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:52f8b96b96ce4203d4b74d850a85f963125bf8eef0683ea5acdd80818d335a28 - - name: kind - value: task - resolver: bundles +# - name: show-sbom +# params: +# - name: IMAGE_URL +# value: $(tasks.retag-image.results.IMAGE_URL) +# taskRef: +# params: +# - name: name +# value: show-sbom +# - name: bundle +# value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:52f8b96b96ce4203d4b74d850a85f963125bf8eef0683ea5acdd80818d335a28 +# - name: kind +# value: task +# resolver: bundles params: - description: Source Repository URL. From ba88f86c9a1f897e8972027974a33fa5a6b8292d Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 16:36:03 +0100 Subject: [PATCH 11/43] Hide results from retag-image task How does Konflux know we pushed something somewhere??????? --- .tekton/retag-image-task.yaml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index 4a0b5c229fb70..19997afdfb1dc 100644 --- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml 
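Review bot: The `show-sbom` task is commented out rather than removed, and it referenced `$(tasks.retag-image.results.IMAGE_URL)`, a task result that patch 11 in this series removes, so restoring this block as-is would fail pipeline validation. Delete it, or keep it with a comment that ties it to the result it depends on, e.g. `# show-sbom needs retag-image to expose IMAGE_URL again before it can be re-enabled.`. The `tasks:` list still has the preceding task (its `resolver: bundles` is the last context line above), so the list itself does not become empty.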
@@ -24,12 +24,12 @@ spec: description: Tag of the output image. type: string results: - - name: IMAGE_DIGEST - description: Digest of the output image (will be the same as of the input one). - - name: IMAGE_URL - description: Image repository and tag of the output image. - - name: IMAGE_REF - description: Image reference of the output image containing both the repository, the tag and the digest. +# - name: IMAGE_DIGEST +# description: Digest of the output image (will be the same as of the input one). +# - name: IMAGE_URL +# description: Image repository and tag of the output image. +# - name: IMAGE_REF +# description: Image reference of the output image containing both the repository, the tag and the digest. steps: - name: retag-image image: quay.io/konflux-ci/release-service-utils:latest@sha256:9cd76aae50cb0806a399959d5de52be9928f132bd86a2e4c3451fa47849c0b7b @@ -111,7 +111,7 @@ spec: echo ">>> Done" - echo -n "${OUTPUT_DIGEST}" | tee "$(results.IMAGE_DIGEST.path)"; echo - echo -n "${OUTPUT_URL}" | tee "$(results.IMAGE_URL.path)"; echo - # build-image-index task provides both tag and the digest in the IMAGE_REF. We follow its example. - echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.IMAGE_REF.path)"; echo + # echo -n "${OUTPUT_DIGEST}" | tee "$(results.IMAGE_DIGEST.path)"; echo + # echo -n "${OUTPUT_URL}" | tee "$(results.IMAGE_URL.path)"; echo + # # build-image-index task provides both tag and the digest in the IMAGE_REF. We follow its example. + # echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.IMAGE_REF.path)"; echo From 0293cf72613e7d4022014f25c97eb8614d29f597 Mon Sep 17 00:00:00 2001 
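Review bot: Removing the `IMAGE_URL`, `IMAGE_DIGEST` and `IMAGE_REF` results here, together with the `tee "$(results.*.path)"` writes in the second hunk of this file, answers the question in the commit message: Tekton Chains discovers built images through task results named exactly `IMAGE_URL` and `IMAGE_DIGEST` (its type-hinting convention) and signs and attests whatever they point to, and as far as I can tell the Konflux Integration Service assembles Snapshots from the same names. With them gone the retagged image is no longer signed or attested by this run, which appears to be the effect being sought but is a provenance gap should this ever be merged. Record the decision in the task instead of leaving commented-out declarations, e.g. `# Results deliberately omitted: exposing IMAGE_URL/IMAGE_DIGEST would make Chains sign and attest the copy.`; with the declarations gone, the `results:` key in the first hunk is also left without a value and should be removed.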
From: Misha Sugakov Date: Tue, 12 Nov 2024 16:39:32 +0100 Subject: [PATCH 12/43] Disable scanner retag pipelines --- .tekton/scanner-db-retag.yaml | 96 +++++++++++++++--------------- .tekton/scanner-db-slim-retag.yaml | 96 +++++++++++++++--------------- .tekton/scanner-retag.yaml | 96 +++++++++++++++--------------- .tekton/scanner-slim-retag.yaml | 96 +++++++++++++++--------------- 4 files changed, 192 insertions(+), 192 deletions(-) diff --git a/.tekton/scanner-db-retag.yaml b/.tekton/scanner-db-retag.yaml index f3d182915aa82..517155a94c830 100644 --- a/.tekton/scanner-db-retag.yaml +++ b/.tekton/scanner-db-retag.yaml 
@@ -1,48 +1,48 @@ -apiVersion: tekton.dev/v1 -kind: PipelineRun - -metadata: - annotations: - build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}} - build.appstudio.redhat.com/commit_sha: '{{revision}}' - build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' - build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: "500" - # TODO(ROX-21073): re-enable for all PR branches - pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) - labels: - appstudio.openshift.io/application: acs - appstudio.openshift.io/component: scanner-db-retagged - pipelines.appstudio.openshift.io/type: build - name: scanner-db-retagged-on-push - namespace: rh-acs-tenant - -spec: - - params: - - name: git-url - value: '{{source_url}}' - - name: revision - value: '{{revision}}' - - name: output-image-repo - value: quay.io/rhacs-eng/scanner-db - - name: input-image-repo - value: quay.io/rhacs-eng/scanner-db - - name: input-image-tag-makefile-target - value: scanner-tag - - workspaces: - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' - - pipelineRef: - name: retag-pipeline - - timeouts: - tasks: 30m - # Reserve time for final tasks to run. 
- finally: 10m - pipeline: 40m +#apiVersion: tekton.dev/v1 +#kind: PipelineRun +# +#metadata: +# annotations: +# build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}} +# build.appstudio.redhat.com/commit_sha: '{{revision}}' +# build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' +# build.appstudio.redhat.com/target_branch: '{{target_branch}}' +# pipelinesascode.tekton.dev/max-keep-runs: "500" +# # TODO(ROX-21073): re-enable for all PR branches +# pipelinesascode.tekton.dev/on-cel-expression: | +# (event == "push" && target_branch.matches("^(master|release-.*)$")) || +# (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) +# labels: +# appstudio.openshift.io/application: acs +# appstudio.openshift.io/component: scanner-db-retagged +# pipelines.appstudio.openshift.io/type: build +# name: scanner-db-retagged-on-push +# namespace: rh-acs-tenant +# +#spec: +# +# params: +# - name: git-url +# value: '{{source_url}}' +# - name: revision +# value: '{{revision}}' +# - name: output-image-repo +# value: quay.io/rhacs-eng/scanner-db +# - name: input-image-repo +# value: quay.io/rhacs-eng/scanner-db +# - name: input-image-tag-makefile-target +# value: scanner-tag +# +# workspaces: +# - name: git-auth +# secret: +# secretName: '{{ git_auth_secret }}' +# +# pipelineRef: +# name: retag-pipeline +# +# timeouts: +# tasks: 30m +# # Reserve time for final tasks to run. +# finally: 10m +# pipeline: 40m diff --git a/.tekton/scanner-db-slim-retag.yaml b/.tekton/scanner-db-slim-retag.yaml index 0d46415585944..2e9a2b14f43ce 100644 --- a/.tekton/scanner-db-slim-retag.yaml +++ b/.tekton/scanner-db-slim-retag.yaml 
@@ -1,48 +1,48 @@ -apiVersion: tekton.dev/v1 -kind: PipelineRun - -metadata: - annotations: - build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}} - build.appstudio.redhat.com/commit_sha: '{{revision}}' - build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' - build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: "500" - # TODO(ROX-21073): re-enable for all PR branches - pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) - labels: - appstudio.openshift.io/application: acs - appstudio.openshift.io/component: scanner-db-slim-retagged - pipelines.appstudio.openshift.io/type: build - name: scanner-db-slim-retagged-on-push - namespace: rh-acs-tenant - -spec: - - params: - - name: git-url - value: '{{source_url}}' - - name: revision - value: '{{revision}}' - - name: output-image-repo - value: quay.io/rhacs-eng/scanner-db-slim - - name: input-image-repo - value: quay.io/rhacs-eng/scanner-db-slim - - name: input-image-tag-makefile-target - value: scanner-tag - - workspaces: - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' - - pipelineRef: - name: retag-pipeline - - timeouts: - tasks: 30m - # Reserve time for final tasks to run. 
- finally: 10m - pipeline: 40m +#apiVersion: tekton.dev/v1 +#kind: PipelineRun +# +#metadata: +# annotations: +# build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}} +# build.appstudio.redhat.com/commit_sha: '{{revision}}' +# build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' +# build.appstudio.redhat.com/target_branch: '{{target_branch}}' +# pipelinesascode.tekton.dev/max-keep-runs: "500" +# # TODO(ROX-21073): re-enable for all PR branches +# pipelinesascode.tekton.dev/on-cel-expression: | +# (event == "push" && target_branch.matches("^(master|release-.*)$")) || +# (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) +# labels: +# appstudio.openshift.io/application: acs +# appstudio.openshift.io/component: scanner-db-slim-retagged +# pipelines.appstudio.openshift.io/type: build +# name: scanner-db-slim-retagged-on-push +# namespace: rh-acs-tenant +# +#spec: +# +# params: +# - name: git-url +# value: '{{source_url}}' +# - name: revision +# value: '{{revision}}' +# - name: output-image-repo +# value: quay.io/rhacs-eng/scanner-db-slim +# - name: input-image-repo +# value: quay.io/rhacs-eng/scanner-db-slim +# - name: input-image-tag-makefile-target +# value: scanner-tag +# +# workspaces: +# - name: git-auth +# secret: +# secretName: '{{ git_auth_secret }}' +# +# pipelineRef: +# name: retag-pipeline +# +# timeouts: +# tasks: 30m +# # Reserve time for final tasks to run. +# finally: 10m +# pipeline: 40m diff --git a/.tekton/scanner-retag.yaml b/.tekton/scanner-retag.yaml index 1c70b5bdef8c1..d4cdc1b290844 100644 --- a/.tekton/scanner-retag.yaml +++ b/.tekton/scanner-retag.yaml 
@@ -1,48 +1,48 @@ -apiVersion: tekton.dev/v1 -kind: PipelineRun - -metadata: - annotations: - build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}} - build.appstudio.redhat.com/commit_sha: '{{revision}}' - build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' - build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: "500" - # TODO(ROX-21073): re-enable for all PR branches - pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) - labels: - appstudio.openshift.io/application: acs - appstudio.openshift.io/component: scanner-retagged - pipelines.appstudio.openshift.io/type: build - name: scanner-retagged-on-push - namespace: rh-acs-tenant - -spec: - - params: - - name: git-url - value: '{{source_url}}' - - name: revision - value: '{{revision}}' - - name: output-image-repo - value: quay.io/rhacs-eng/scanner - - name: input-image-repo - value: quay.io/rhacs-eng/scanner - - name: input-image-tag-makefile-target - value: scanner-tag - - workspaces: - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' - - pipelineRef: - name: retag-pipeline - - timeouts: - tasks: 30m - # Reserve time for final tasks to run. 
- finally: 10m - pipeline: 40m +#apiVersion: tekton.dev/v1 +#kind: PipelineRun +# +#metadata: +# annotations: +# build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}} +# build.appstudio.redhat.com/commit_sha: '{{revision}}' +# build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' +# build.appstudio.redhat.com/target_branch: '{{target_branch}}' +# pipelinesascode.tekton.dev/max-keep-runs: "500" +# # TODO(ROX-21073): re-enable for all PR branches +# pipelinesascode.tekton.dev/on-cel-expression: | +# (event == "push" && target_branch.matches("^(master|release-.*)$")) || +# (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) +# labels: +# appstudio.openshift.io/application: acs +# appstudio.openshift.io/component: scanner-retagged +# pipelines.appstudio.openshift.io/type: build +# name: scanner-retagged-on-push +# namespace: rh-acs-tenant +# +#spec: +# +# params: +# - name: git-url +# value: '{{source_url}}' +# - name: revision +# value: '{{revision}}' +# - name: output-image-repo +# value: quay.io/rhacs-eng/scanner +# - name: input-image-repo +# value: quay.io/rhacs-eng/scanner +# - name: input-image-tag-makefile-target +# value: scanner-tag +# +# workspaces: +# - name: git-auth +# secret: +# secretName: '{{ git_auth_secret }}' +# +# pipelineRef: +# name: retag-pipeline +# +# timeouts: +# tasks: 30m +# # Reserve time for final tasks to run. +# finally: 10m +# pipeline: 40m diff --git a/.tekton/scanner-slim-retag.yaml b/.tekton/scanner-slim-retag.yaml index 2ddbd3cf36021..0f069381fc030 100644 --- a/.tekton/scanner-slim-retag.yaml +++ b/.tekton/scanner-slim-retag.yaml 
@@ -1,48 +1,48 @@ -apiVersion: tekton.dev/v1 -kind: PipelineRun - -metadata: - annotations: - build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}} - build.appstudio.redhat.com/commit_sha: '{{revision}}' - build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' - build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/max-keep-runs: "500" - # TODO(ROX-21073): re-enable for all PR branches - pipelinesascode.tekton.dev/on-cel-expression: | - (event == "push" && target_branch.matches("^(master|release-.*)$")) || - (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) - labels: - appstudio.openshift.io/application: acs - appstudio.openshift.io/component: scanner-slim-retagged - pipelines.appstudio.openshift.io/type: build - name: scanner-slim-retagged-on-push - namespace: rh-acs-tenant - -spec: - - params: - - name: git-url - value: '{{source_url}}' - - name: revision - value: '{{revision}}' - - name: output-image-repo - value: quay.io/rhacs-eng/scanner-slim - - name: input-image-repo - value: quay.io/rhacs-eng/scanner-slim - - name: input-image-tag-makefile-target - value: scanner-tag - - workspaces: - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' - - pipelineRef: - name: retag-pipeline - - timeouts: - tasks: 30m - # Reserve time for final tasks to run. 
- finally: 10m - pipeline: 40m +#apiVersion: tekton.dev/v1 +#kind: PipelineRun +# +#metadata: +# annotations: +# build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}} +# build.appstudio.redhat.com/commit_sha: '{{revision}}' +# build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' +# build.appstudio.redhat.com/target_branch: '{{target_branch}}' +# pipelinesascode.tekton.dev/max-keep-runs: "500" +# # TODO(ROX-21073): re-enable for all PR branches +# pipelinesascode.tekton.dev/on-cel-expression: | +# (event == "push" && target_branch.matches("^(master|release-.*)$")) || +# (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) +# labels: +# appstudio.openshift.io/application: acs +# appstudio.openshift.io/component: scanner-slim-retagged +# pipelines.appstudio.openshift.io/type: build +# name: scanner-slim-retagged-on-push +# namespace: rh-acs-tenant +# +#spec: +# +# params: +# - name: git-url +# value: '{{source_url}}' +# - name: revision +# value: '{{revision}}' +# - name: output-image-repo +# value: quay.io/rhacs-eng/scanner-slim +# - name: input-image-repo +# value: quay.io/rhacs-eng/scanner-slim +# - name: input-image-tag-makefile-target +# value: scanner-tag +# +# workspaces: +# - name: git-auth +# secret: +# secretName: '{{ git_auth_secret }}' +# +# pipelineRef: +# name: retag-pipeline +# +# timeouts: +# tasks: 30m +# # Reserve time for final tasks to run. +# finally: 10m +# pipeline: 40m From aed946ddaf15556da68c5a79506bc5d73aceb6ce Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 18:40:13 +0100 Subject: [PATCH 13/43] fixup! Hide results from retag-image task --- .tekton/retag-image-task.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index 19997afdfb1dc..585fb652b3930 100644 --- a/.tekton/retag-image-task.yaml 
+++ b/.tekton/retag-image-task.yaml @@ -110,8 +110,3 @@ spec: # fi echo ">>> Done" - - # echo -n "${OUTPUT_DIGEST}" | tee "$(results.IMAGE_DIGEST.path)"; echo - # echo -n "${OUTPUT_URL}" | tee "$(results.IMAGE_URL.path)"; echo - # # build-image-index task provides both tag and the digest in the IMAGE_REF. We follow its example. - # echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.IMAGE_REF.path)"; echo From d13a2d213167b28a4c5720a4ec69d75d59c764fc Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 18:49:21 +0100 Subject: [PATCH 14/43] Spoil more versions? --- COLLECTOR_VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/COLLECTOR_VERSION b/COLLECTOR_VERSION index fdff2288fd7cd..0c1759131522d 100644 --- a/COLLECTOR_VERSION +++ b/COLLECTOR_VERSION @@ -1 +1 @@ -3.20.x-34-g49b40e1a1f +3.20.x-43-gc51915d3bf From bd472655c6a285a774e50cf72160c698b757a5ba Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 18:55:58 +0100 Subject: [PATCH 15/43] Restore more thorough copying --- .tekton/retag-image-task.yaml | 42 +++++++++++++++++------------------ 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index 585fb652b3930..6c0df5eff7eb8 100644 --- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml 
@@ -51,15 +51,15 @@ spec: echo ">>> Copying image from ${input_url} ..." echo ">>> ... to ${output_url} ..." - skopeo copy --all --retry-times="${SKOPEO_RETRIES}" "docker://${input_url}" "docker://${output_url}" + #skopeo copy --all --retry-times="${SKOPEO_RETRIES}" "docker://${input_url}" "docker://${output_url}" # cosign copies not just cosign artifacts but also images. It understands and copies index images. # --force argument is needed to prevent the command failing when it runs into (partial) previous copies with # errors like the following. # Error: image "quay.io/rhacs-eng/collector:sha256-4b509fdf27761150a5a5ce519f087bc6d69af9d886a63f67f70b1e293643ea19" already exists. Use `-f` to overwrite - #cosign copy --force "${input_url}" "${output_url}" + cosign copy --force "${input_url}" "${output_url}" - #oras cp --recursive "${input_url}" "${output_url}" + oras cp --recursive "${input_url}" "${output_url}" # NB: cosign and oras don't retry by themselves. TODO: add retries against Quay transient errors. } 
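Review bot: The `#skopeo copy ...` line at the top of the hunk is left behind as commented-out dead code next to the live `cosign copy`; git history keeps the old variant, so the line should be deleted rather than kept as a stale alternative. The two copy commands also now run back to back without any failure handling: unless the step's shell options (outside the hunk) include `set -e`, a failed `cosign copy --force` still lets `oras cp --recursive` run, and the only integrity guard is the digest comparison in the `@@ -90` hunk further down. Appending `|| return 1` to both `cosign copy --force "${input_url}" "${output_url}"` and `oras cp --recursive "${input_url}" "${output_url}"` makes copy_image fail fast regardless of the shell options, and the retry TODO in the trailing comment then has a clear place to go. copy_image's opening line is outside the hunk.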
@@ -90,23 +90,23 @@ spec: echo ">>> Checking if the input image digest ${INPUT_DIGEST} is the same as the output image digest ${OUTPUT_DIGEST} ..." [[ "${INPUT_DIGEST}" == "${OUTPUT_DIGEST}" ]] - # # This handles the source image. - # # Source image is the one where application source code, source code of its dependencies and base container is - # # packaged. Source image is produced for the input image by Konflux if there's task-source-build* in the pipeline. - # # While source image is related to the input image semantically and through its tag, there's no enforced link - # # between them (unlike cosign or oras artifacts) and it is a _separate, independent_ image, so it must not to be - # # confused with the input image itself. - # echo ">>> Copying source image ..." - # # Tag determination borrowed from - # # https://github.com/konflux-ci/release-service-catalog/blob/92dabb8a31c42669ab9b6ccce831487727514059/tasks/push-snapshot/push-snapshot.yaml#L158 - # SOURCE_IMAGE_TAG="${INPUT_DIGEST/:/-}.src" - # INPUT_SOURCE_IMAGE_URL="$(params.INPUT_IMAGE_REPO):${SOURCE_IMAGE_TAG}" - # OUTPUT_SOURCE_IMAGE_URL="$(params.OUTPUT_IMAGE_REPO):${SOURCE_IMAGE_TAG}" - # if [[ "${INPUT_SOURCE_IMAGE_URL}" == "${OUTPUT_SOURCE_IMAGE_URL}" ]]; then - # # This is the case when we retag in the same repo. - # echo ">>> The repo and tag of the source image would not change and so the image does not need to be copied." - # else - # copy_image "${INPUT_SOURCE_IMAGE_URL}" "${OUTPUT_SOURCE_IMAGE_URL}" - # fi + # This handles the source image. + # Source image is the one where application source code, source code of its dependencies and base container is + # packaged. Source image is produced for the input image by Konflux if there's task-source-build* in the pipeline. 
+ # While source image is related to the input image semantically and through its tag, there's no enforced link + # between them (unlike cosign or oras artifacts) and it is a _separate, independent_ image, so it must not to be + # confused with the input image itself. + echo ">>> Copying source image ..." + # Tag determination borrowed from + # https://github.com/konflux-ci/release-service-catalog/blob/92dabb8a31c42669ab9b6ccce831487727514059/tasks/push-snapshot/push-snapshot.yaml#L158 + SOURCE_IMAGE_TAG="${INPUT_DIGEST/:/-}.src" + INPUT_SOURCE_IMAGE_URL="$(params.INPUT_IMAGE_REPO):${SOURCE_IMAGE_TAG}" + OUTPUT_SOURCE_IMAGE_URL="$(params.OUTPUT_IMAGE_REPO):${SOURCE_IMAGE_TAG}" + if [[ "${INPUT_SOURCE_IMAGE_URL}" == "${OUTPUT_SOURCE_IMAGE_URL}" ]]; then + # This is the case when we retag in the same repo. + echo ">>> The repo and tag of the source image would not change and so the image does not need to be copied." + else + copy_image "${INPUT_SOURCE_IMAGE_URL}" "${OUTPUT_SOURCE_IMAGE_URL}" + fi echo ">>> Done" From 76a3775ca7fbcb9b60749419f8f7f5a071f32a50 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 19:02:46 +0100 Subject: [PATCH 16/43] Try to declare result yet Cos it's nice to see it in UI! --- .tekton/retag-image-task.yaml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index 6c0df5eff7eb8..d86b9591f153a 100644 --- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml 
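Review bot: The restored source-image copy does not get the post-copy digest verification that the main image gets at the top of the hunk (`[[ "${INPUT_DIGEST}" == "${OUTPUT_DIGEST}" ]]`); because `copy_image` runs `cosign copy --force`, a partial or tampered copy of the `.src` image would go unnoticed. After `copy_image "${INPUT_SOURCE_IMAGE_URL}" "${OUTPUT_SOURCE_IMAGE_URL}"`, resolve the input and output source-image digests the same way `INPUT_DIGEST` and `OUTPUT_DIGEST` are resolved above the hunk and compare them with the same `[[ ... == ... ]]` check. The comment also states that the source image only exists `if there's task-source-build* in the pipeline`, so the new code should document (or check) what happens when the input repo has no `.src` tag — presumably `copy_image` then fails the whole task, which may be intended but is not stated.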
@@ -24,12 +24,14 @@ spec: description: Tag of the output image. type: string results: + # Names IMAGE_DIGEST, IMAGE_URL and IMAGE_REF must not be used here + # - name: IMAGE_DIGEST # description: Digest of the output image (will be the same as of the input one). # - name: IMAGE_URL # description: Image repository and tag of the output image. -# - name: IMAGE_REF -# description: Image reference of the output image containing both the repository, the tag and the digest. + - name: OUTPUT_IMAGE_REF + description: Image reference of the output image containing both the repository, the tag and the digest. steps: - name: retag-image image: quay.io/konflux-ci/release-service-utils:latest@sha256:9cd76aae50cb0806a399959d5de52be9928f132bd86a2e4c3451fa47849c0b7b @@ -110,3 +112,5 @@ spec: fi echo ">>> Done" + + echo -n "{OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_REF.path)"; echo From 0783cefce34fae7e7ab844f9ec68f39ef30a7f60 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 19:10:52 +0100 Subject: [PATCH 17/43] Properly output url --- .tekton/retag-image-task.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index d86b9591f153a..f64a70a1ee65a 100644 --- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml @@ -113,4 +113,4 @@ spec: echo ">>> Done" - echo -n "{OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_REF.path)"; echo + echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_REF.path)"; echo From c36d2205de14a805fcdfa6d5b29e1faa7c7ca998 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 19:23:48 +0100 Subject: [PATCH 18/43] Restore old pipeline name and outputs --- .tekton/collector-slim-retag.yaml | 2 +- .tekton/retag-image-task.yaml | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) 
diff --git a/.tekton/collector-slim-retag.yaml b/.tekton/collector-slim-retag.yaml index ad6317787b559..287f4b3ee62a0 100644 --- a/.tekton/collector-slim-retag.yaml +++ b/.tekton/collector-slim-retag.yaml @@ -16,7 +16,7 @@ metadata: # appstudio.openshift.io/application: acs # appstudio.openshift.io/component: collector-slim-retagged # pipelines.appstudio.openshift.io/type: build - name: collector-slim-retag + name: collector-slim-retagged-on-push namespace: rh-acs-tenant spec: diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index f64a70a1ee65a..7b12071658c57 100644 --- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml @@ -30,6 +30,10 @@ spec: # description: Digest of the output image (will be the same as of the input one). # - name: IMAGE_URL # description: Image repository and tag of the output image. + - name: OUTPUT_IMAGE_DIGEST + description: Digest of the output image (will be the same as of the input one). + - name: OUTPUT_IMAGE_URL + description: Image repository and tag of the output image. - name: OUTPUT_IMAGE_REF description: Image reference of the output image containing both the repository, the tag and the digest. steps: @@ -112,5 +116,6 @@ spec: fi echo ">>> Done" - + echo -n "${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_DIGEST.path)"; echo + echo -n "${OUTPUT_URL}" | tee "$(results.OUTPUT_IMAGE_URL.path)"; echo echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_REF.path)"; echo From 4a404b08ca012092c45c6c6b2c1f8c1e942591b1 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 20:08:31 +0100 Subject: [PATCH 19/43] Revert "Restore old pipeline name and outputs" This reverts commit 448c4cf62f511cc626d3d0ad91eaa8b1c3c1f532. --- .tekton/collector-slim-retag.yaml | 2 +- .tekton/retag-image-task.yaml | 7 +------ 2 files changed, 2 insertions(+), 7 deletions(-) 
diff --git a/.tekton/collector-slim-retag.yaml b/.tekton/collector-slim-retag.yaml index 287f4b3ee62a0..ad6317787b559 100644 --- a/.tekton/collector-slim-retag.yaml +++ b/.tekton/collector-slim-retag.yaml @@ -16,7 +16,7 @@ metadata: # appstudio.openshift.io/application: acs # appstudio.openshift.io/component: collector-slim-retagged # pipelines.appstudio.openshift.io/type: build - name: collector-slim-retagged-on-push + name: collector-slim-retag namespace: rh-acs-tenant spec: diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index 7b12071658c57..f64a70a1ee65a 100644 --- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml @@ -30,10 +30,6 @@ spec: # description: Digest of the output image (will be the same as of the input one). # - name: IMAGE_URL # description: Image repository and tag of the output image. - - name: OUTPUT_IMAGE_DIGEST - description: Digest of the output image (will be the same as of the input one). - - name: OUTPUT_IMAGE_URL - description: Image repository and tag of the output image. - name: OUTPUT_IMAGE_REF description: Image reference of the output image containing both the repository, the tag and the digest. steps: @@ -116,6 +112,5 @@ spec: fi echo ">>> Done" - echo -n "${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_DIGEST.path)"; echo - echo -n "${OUTPUT_URL}" | tee "$(results.OUTPUT_IMAGE_URL.path)"; echo + echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_REF.path)"; echo From bbb37ca87f402a00c9a97f95f74d8a4cadbfecd8 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 20:20:27 +0100 Subject: [PATCH 20/43] Try rename pipeline first --- .tekton/collector-slim-retag.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/collector-slim-retag.yaml b/.tekton/collector-slim-retag.yaml index ad6317787b559..287f4b3ee62a0 100644 --- a/.tekton/collector-slim-retag.yaml +++ b/.tekton/collector-slim-retag.yaml 
@@ -16,7 +16,7 @@ metadata: # appstudio.openshift.io/application: acs # appstudio.openshift.io/component: collector-slim-retagged # pipelines.appstudio.openshift.io/type: build - name: collector-slim-retag + name: collector-slim-retagged-on-push namespace: rh-acs-tenant spec: From b49399f0fbf358b1e01b5fbb89253ef3135541eb Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 20:25:38 +0100 Subject: [PATCH 21/43] Populate results in mysterious way --- .tekton/retag-image-task.yaml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index f64a70a1ee65a..37e550b1efd09 100644 --- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml @@ -26,10 +26,10 @@ spec: results: # Names IMAGE_DIGEST, IMAGE_URL and IMAGE_REF must not be used here -# - name: IMAGE_DIGEST -# description: Digest of the output image (will be the same as of the input one). -# - name: IMAGE_URL -# description: Image repository and tag of the output image. + - name: OUR_MYSTERIOUS_THING_1 + description: Digest of the output image (will be the same as of the input one). + - name: OUR_MYSTERIOUS_THING_2 + description: Image repository and tag of the output image. - name: OUTPUT_IMAGE_REF description: Image reference of the output image containing both the repository, the tag and the digest. steps: @@ -113,4 +113,6 @@ spec: echo ">>> Done" + echo -n "${OUTPUT_DIGEST}" | tee "$(results.OUR_MYSTERIOUS_THING_1.path)"; echo + echo -n "${OUTPUT_URL}" | tee "$(results.OUR_MYSTERIOUS_THING_2.path)"; echo echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_REF.path)"; echo From 45af0d68d797940ee094fe2c725a4674c7409230 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 20:30:57 +0100 Subject: [PATCH 22/43] Try piss Konflux off with OUTPUT_URL --- .tekton/retag-image-task.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index 37e550b1efd09..e751f5170a399 100644 --- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml @@ -28,7 +28,7 @@ spec: - name: OUR_MYSTERIOUS_THING_1 description: Digest of the output image (will be the same as of the input one). - - name: OUR_MYSTERIOUS_THING_2 + - name: OUR_MYSTERIOUS_THING_2_OUTPUT_URL description: Image repository and tag of the output image. - name: OUTPUT_IMAGE_REF description: Image reference of the output image containing both the repository, the tag and the digest. @@ -114,5 +114,5 @@ spec: echo ">>> Done" echo -n "${OUTPUT_DIGEST}" | tee "$(results.OUR_MYSTERIOUS_THING_1.path)"; echo - echo -n "${OUTPUT_URL}" | tee "$(results.OUR_MYSTERIOUS_THING_2.path)"; echo + echo -n "${OUTPUT_URL}" | tee "$(results.OUR_MYSTERIOUS_THING_2_OUTPUT_URL.path)"; echo echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_REF.path)"; echo From 8dc3f5ff8a76fe83a8596e382947170b9f2bffb0 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 20:36:20 +0100 Subject: [PATCH 23/43] That should be IMAGE_URL --- .tekton/retag-image-task.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index e751f5170a399..eb8c8482373e2 100644 --- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml @@ -28,7 +28,7 @@ spec: - name: OUR_MYSTERIOUS_THING_1 description: Digest of the output image (will be the same as of the input one). - - name: OUR_MYSTERIOUS_THING_2_OUTPUT_URL + - name: OUR_MYSTERIOUS_THING_2_IMAGE_URL description: Image repository and tag of the output image. - name: OUTPUT_IMAGE_REF description: Image reference of the output image containing both the repository, the tag and the digest. 
@@ -114,5 +114,5 @@ spec: echo ">>> Done" echo -n "${OUTPUT_DIGEST}" | tee "$(results.OUR_MYSTERIOUS_THING_1.path)"; echo - echo -n "${OUTPUT_URL}" | tee "$(results.OUR_MYSTERIOUS_THING_2_OUTPUT_URL.path)"; echo + echo -n "${OUTPUT_URL}" | tee "$(results.OUR_MYSTERIOUS_THING_2_IMAGE_URL.path)"; echo echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_REF.path)"; echo From 5c3894c1815351a62a9566df753ff5ce144ce1ef Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 20:42:40 +0100 Subject: [PATCH 24/43] Now do the IMAGE_DIGEST --- .tekton/retag-image-task.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index eb8c8482373e2..01077f9c6c819 100644 --- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml @@ -26,7 +26,7 @@ spec: results: # Names IMAGE_DIGEST, IMAGE_URL and IMAGE_REF must not be used here - - name: OUR_MYSTERIOUS_THING_1 + - name: OUR_MYSTERIOUS_THING_1_IMAGE_DIGEST description: Digest of the output image (will be the same as of the input one). - name: OUR_MYSTERIOUS_THING_2_IMAGE_URL description: Image repository and tag of the output image. @@ -113,6 +113,6 @@ spec: echo ">>> Done" - echo -n "${OUTPUT_DIGEST}" | tee "$(results.OUR_MYSTERIOUS_THING_1.path)"; echo + echo -n "${OUTPUT_DIGEST}" | tee "$(results.OUR_MYSTERIOUS_THING_1_IMAGE_DIGEST.path)"; echo echo -n "${OUTPUT_URL}" | tee "$(results.OUR_MYSTERIOUS_THING_2_IMAGE_URL.path)"; echo echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_REF.path)"; echo From 23c58ebfa44bfded0af5d2e677ceb341d1dc8790 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 20:47:10 +0100 Subject: [PATCH 25/43] Get closer to what failed --- .tekton/retag-image-task.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index 01077f9c6c819..416d5ba4acef2 100644 
--- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml @@ -26,9 +26,9 @@ spec: results: # Names IMAGE_DIGEST, IMAGE_URL and IMAGE_REF must not be used here - - name: OUR_MYSTERIOUS_THING_1_IMAGE_DIGEST + - name: OUTPUT_IMAGE_DIGEST description: Digest of the output image (will be the same as of the input one). - - name: OUR_MYSTERIOUS_THING_2_IMAGE_URL + - name: OUTPUT_IMAGE_URL description: Image repository and tag of the output image. - name: OUTPUT_IMAGE_REF description: Image reference of the output image containing both the repository, the tag and the digest. @@ -113,6 +113,6 @@ spec: echo ">>> Done" - echo -n "${OUTPUT_DIGEST}" | tee "$(results.OUR_MYSTERIOUS_THING_1_IMAGE_DIGEST.path)"; echo - echo -n "${OUTPUT_URL}" | tee "$(results.OUR_MYSTERIOUS_THING_2_IMAGE_URL.path)"; echo + echo -n "${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_DIGEST.path)"; echo + echo -n "${OUTPUT_URL}" | tee "$(results.OUTPUT_IMAGE_URL.path)"; echo echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_REF.path)"; echo From a5117acdb89eef086fe670bd6b6c8e100adde9e3 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 20:51:56 +0100 Subject: [PATCH 26/43] Try slightly different names now --- .tekton/retag-image-task.yaml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index 416d5ba4acef2..65853163ff083 100644 --- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml 
@@ -25,10 +25,11 @@ spec: type: string results: # Names IMAGE_DIGEST, IMAGE_URL and IMAGE_REF must not be used here + # OUTPUT_IMAGE_DIGEST, OUTPUT_IMAGE_URL - - name: OUTPUT_IMAGE_DIGEST + - name: RESULTING_IMAGE_DIGEST description: Digest of the output image (will be the same as of the input one). - - name: OUTPUT_IMAGE_URL + - name: RESULTING_IMAGE_URL description: Image repository and tag of the output image. - name: OUTPUT_IMAGE_REF description: Image reference of the output image containing both the repository, the tag and the digest. @@ -113,6 +114,6 @@ spec: echo ">>> Done" - echo -n "${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_DIGEST.path)"; echo - echo -n "${OUTPUT_URL}" | tee "$(results.OUTPUT_IMAGE_URL.path)"; echo + echo -n "${OUTPUT_DIGEST}" | tee "$(results.RESULTING_IMAGE_DIGEST.path)"; echo + echo -n "${OUTPUT_URL}" | tee "$(results.RESULTING_IMAGE_URL.path)"; echo echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_REF.path)"; echo From 28f48474fce82ec0288062a75fe82593a134f2df Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 20:56:48 +0100 Subject: [PATCH 27/43] Make it look a tiny bit more like 90s --- .tekton/retag-image-task.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index 65853163ff083..53d37ba1d4fa5 100644 --- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml @@ -27,9 +27,9 @@ spec: # Names IMAGE_DIGEST, IMAGE_URL and IMAGE_REF must not be used here # OUTPUT_IMAGE_DIGEST, OUTPUT_IMAGE_URL - - name: RESULTING_IMAGE_DIGEST + - name: RESULTING_IMAGE_DIGEST_YO description: Digest of the output image (will be the same as of the input one). - - name: RESULTING_IMAGE_URL + - name: RESULTING_IMAGE_URL_YO description: Image repository and tag of the output image. - name: OUTPUT_IMAGE_REF description: Image reference of the output image containing both the repository, the tag and the digest. 
@@ -114,6 +114,6 @@ spec: echo ">>> Done" - echo -n "${OUTPUT_DIGEST}" | tee "$(results.RESULTING_IMAGE_DIGEST.path)"; echo - echo -n "${OUTPUT_URL}" | tee "$(results.RESULTING_IMAGE_URL.path)"; echo + echo -n "${OUTPUT_DIGEST}" | tee "$(results.RESULTING_IMAGE_DIGEST_YO.path)"; echo + echo -n "${OUTPUT_URL}" | tee "$(results.RESULTING_IMAGE_URL_YO.path)"; echo echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_REF.path)"; echo From de5fb65515bdd5e83c9fe74ab364b73e9fcfc655 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Tue, 12 Nov 2024 21:03:44 +0100 Subject: [PATCH 28/43] Try resolve, need to make progress --- .tekton/retag-image-task.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index 53d37ba1d4fa5..1265f88bda1b8 100644 --- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml @@ -27,9 +27,9 @@ spec: # Names IMAGE_DIGEST, IMAGE_URL and IMAGE_REF must not be used here # OUTPUT_IMAGE_DIGEST, OUTPUT_IMAGE_URL - - name: RESULTING_IMAGE_DIGEST_YO + - name: DIGEST_HERE description: Digest of the output image (will be the same as of the input one). - - name: RESULTING_IMAGE_URL_YO + - name: URL_HERE description: Image repository and tag of the output image. - name: OUTPUT_IMAGE_REF description: Image reference of the output image containing both the repository, the tag and the digest. @@ -114,6 +114,6 @@ spec: echo ">>> Done" - echo -n "${OUTPUT_DIGEST}" | tee "$(results.RESULTING_IMAGE_DIGEST_YO.path)"; echo - echo -n "${OUTPUT_URL}" | tee "$(results.RESULTING_IMAGE_URL_YO.path)"; echo + echo -n "${OUTPUT_DIGEST}" | tee "$(results.DIGEST_HERE.path)"; echo + echo -n "${OUTPUT_URL}" | tee "$(results.URL_HERE.path)"; echo echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_REF.path)"; echo From 3fcaed74128cbe6d0c6d0b08a545464460d1dd75 Mon Sep 17 00:00:00 2001 
From: Misha Sugakov Date: Tue, 12 Nov 2024 21:08:18 +0100 Subject: [PATCH 29/43] Restore app and component relation --- .tekton/collector-slim-retag.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.tekton/collector-slim-retag.yaml b/.tekton/collector-slim-retag.yaml index 287f4b3ee62a0..d1fd0469ca0f3 100644 --- a/.tekton/collector-slim-retag.yaml +++ b/.tekton/collector-slim-retag.yaml @@ -13,9 +13,9 @@ metadata: (event == "push" && target_branch.matches("^(master|release-.*)$")) || (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) labels: -# appstudio.openshift.io/application: acs -# appstudio.openshift.io/component: collector-slim-retagged -# pipelines.appstudio.openshift.io/type: build + appstudio.openshift.io/application: acs + appstudio.openshift.io/component: collector-slim-retagged + pipelines.appstudio.openshift.io/type: build name: collector-slim-retagged-on-push namespace: rh-acs-tenant From b6cc44a4b48b1fd79fbadfa97dbeb4568905d15b Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 15 Nov 2024 11:24:25 +0100 Subject: [PATCH 30/43] Restore output IMAGE_ params but not CHAINS_ Let's see what happens. Without IMAGE_, there's a fancy message ``` Snapshot creation status Failed to create snapshot. Error: Missing info IMAGE_URL from pipelinerun collector-slim-retagged-on-push-rf2k2 ``` --- .tekton/retag-pipeline.yaml | 66 ++++++++++++++++++------------------- 1 file changed, 33 insertions(+), 33 deletions(-) diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index e2fb81bc857b6..b80453f026f25 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml 
@@ -26,19 +26,19 @@ spec: value: task resolver: bundles -# - name: show-sbom -# params: -# - name: IMAGE_URL -# value: $(tasks.retag-image.results.IMAGE_URL) -# taskRef: -# params: -# - name: name -# value: show-sbom -# - name: bundle -# value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:52f8b96b96ce4203d4b74d850a85f963125bf8eef0683ea5acdd80818d335a28 -# - name: kind -# value: task -# resolver: bundles + - name: show-sbom + params: + - name: IMAGE_URL + value: $(tasks.retag-image.results.URL_HERE) + taskRef: + params: + - name: name + value: show-sbom + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:52f8b96b96ce4203d4b74d850a85f963125bf8eef0683ea5acdd80818d335a28 + - name: kind + value: task + resolver: bundles params: - description: Source Repository URL. 
@@ -76,27 +76,27 @@ spec: type: string results: -# - description: "" -# name: OUR_IMAGE_URL -# value: $(tasks.retag-image.results.IMAGE_URL) -# - description: "" -# name: OUR_IMAGE_DIGEST -# value: $(tasks.retag-image.results.IMAGE_DIGEST) + - description: "" + name: IMAGE_URL + value: $(tasks.retag-image.results.URL_HERE) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.retag-image.results.DIGEST_HERE) -# # CHAINS-GIT_* values will be entered in a Snapshot and into the image attestation data (cosign artifact). -# # The values passed here will overwrite the values provided at the time when the input containers were built. -# # E.g. the original git url 'git+https://github.com/stackrox/scanner.git' will be changed to -# # 'git+https://github.com/stackrox/stackrox.git'. -# # It is unclear from searches and inquiries, however, how these values are used and whether the overwriting would have -# # any negative effects. E.g. see https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1729697134648409 -# # Since figuring the original values is somewhat more laborious, the suggestion is to keep doing what we do until that -# # causes problems. -# - description: "" -# name: CHAINS-GIT_URL -# value: $(tasks.clone-repository.results.url) -# - description: "" -# name: CHAINS-GIT_COMMIT -# value: $(tasks.clone-repository.results.commit) + # # CHAINS-GIT_* values will be entered in a Snapshot and into the image attestation data (cosign artifact). + # # The values passed here will overwrite the values provided at the time when the input containers were built. + # # E.g. the original git url 'git+https://github.com/stackrox/scanner.git' will be changed to + # # 'git+https://github.com/stackrox/stackrox.git'. + # # It is unclear from searches and inquiries, however, how these values are used and whether the overwriting would have + # # any negative effects. E.g. 
see https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1729697134648409 + # # Since figuring the original values is somewhat more laborious, the suggestion is to keep doing what we do until that + # # causes problems. + # - description: "" + # name: CHAINS-GIT_URL + # value: $(tasks.clone-repository.results.url) + # - description: "" + # name: CHAINS-GIT_COMMIT + # value: $(tasks.clone-repository.results.commit) workspaces: - name: git-auth From a75e1854638ac36e229434bcebee48566801e39e Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 15 Nov 2024 11:31:10 +0100 Subject: [PATCH 31/43] Restore CHAINS_ things because there's still an error without them ``` Snapshot creation status Failed to create snapshot. Error: Missing info CHAINS-GIT_URL from pipelinerun collector-slim-retagged-on-push-v6sb9 ``` --- .tekton/retag-pipeline.yaml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index b80453f026f25..e4de7b12c64ce 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml 
@@ -83,20 +83,20 @@ spec: name: IMAGE_DIGEST value: $(tasks.retag-image.results.DIGEST_HERE) - # # CHAINS-GIT_* values will be entered in a Snapshot and into the image attestation data (cosign artifact). - # # The values passed here will overwrite the values provided at the time when the input containers were built. - # # E.g. the original git url 'git+https://github.com/stackrox/scanner.git' will be changed to - # # 'git+https://github.com/stackrox/stackrox.git'. - # # It is unclear from searches and inquiries, however, how these values are used and whether the overwriting would have - # # any negative effects. E.g. see https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1729697134648409 - # # Since figuring the original values is somewhat more laborious, the suggestion is to keep doing what we do until that - # # causes problems. - # - description: "" - # name: CHAINS-GIT_URL - # value: $(tasks.clone-repository.results.url) - # - description: "" - # name: CHAINS-GIT_COMMIT - # value: $(tasks.clone-repository.results.commit) + # CHAINS-GIT_* values will be entered in a Snapshot and into the image attestation data (cosign artifact). + # The values passed here will overwrite the values provided at the time when the input containers were built. + # E.g. the original git url 'git+https://github.com/stackrox/scanner.git' will be changed to + # 'git+https://github.com/stackrox/stackrox.git'. + # It is unclear from searches and inquiries, however, how these values are used and whether the overwriting would have + # any negative effects. E.g. see https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1729697134648409 + # Since figuring the original values is somewhat more laborious, the suggestion is to keep doing what we do until that + # causes problems. + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) workspaces: - name: git-auth 
From 7d30f4477fbdb239e81c5703bc772a37ac0650af Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 15 Nov 2024 12:27:25 +0100 Subject: [PATCH 32/43] Settle on the final component-less approach for collector-slim --- .tekton/collector-slim-retag.yaml | 5 +---- .tekton/retag-image-task.yaml | 19 ++++++++-------- .tekton/retag-pipeline.yaml | 37 ++----------------------------- 3 files changed, 13 insertions(+), 48 deletions(-) diff --git a/.tekton/collector-slim-retag.yaml b/.tekton/collector-slim-retag.yaml index d1fd0469ca0f3..11b7282c92262 100644 --- a/.tekton/collector-slim-retag.yaml +++ b/.tekton/collector-slim-retag.yaml @@ -13,10 +13,7 @@ metadata: (event == "push" && target_branch.matches("^(master|release-.*)$")) || (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build"))) labels: - appstudio.openshift.io/application: acs - appstudio.openshift.io/component: collector-slim-retagged - pipelines.appstudio.openshift.io/type: build - name: collector-slim-retagged-on-push + name: retag-collector-slim namespace: rh-acs-tenant spec: diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index 1265f88bda1b8..a59dc1c5864a1 100644 --- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml 
@@ -24,14 +24,15 @@ spec: description: Tag of the output image. type: string results: - # Names IMAGE_DIGEST, IMAGE_URL and IMAGE_REF must not be used here - # OUTPUT_IMAGE_DIGEST, OUTPUT_IMAGE_URL - - - name: DIGEST_HERE + # Names *IMAGE_DIGEST, *IMAGE_URL must not be declared here. Otherwise, Tekton Chains will overwrite the original + # pipeline information linked to the image with info of the pipeline which executes this task and that pipeline + # doesn't pass EC checks. See https://tekton.dev/docs/chains/slsa-provenance/#image_url--image_digest + # We could skip providing any results here at all, but it's nice to find them in UI for the task. + - name: RESULTING_DIGEST description: Digest of the output image (will be the same as of the input one). - - name: URL_HERE + - name: RESULTING_URL description: Image repository and tag of the output image. - - name: OUTPUT_IMAGE_REF + - name: RESULTING_REF description: Image reference of the output image containing both the repository, the tag and the digest. steps: - name: retag-image @@ -114,6 +115,6 @@ spec: echo ">>> Done" - echo -n "${OUTPUT_DIGEST}" | tee "$(results.DIGEST_HERE.path)"; echo - echo -n "${OUTPUT_URL}" | tee "$(results.URL_HERE.path)"; echo - echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.OUTPUT_IMAGE_REF.path)"; echo + echo -n "${OUTPUT_DIGEST}" | tee "$(results.RESULTING_DIGEST.path)"; echo + echo -n "${OUTPUT_URL}" | tee "$(results.RESULTING_URL.path)"; echo + echo -n "${OUTPUT_URL}@${OUTPUT_DIGEST}" | tee "$(results.RESULTING_REF.path)"; echo diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml index e4de7b12c64ce..c46b3f8870005 100644 --- a/.tekton/retag-pipeline.yaml +++ b/.tekton/retag-pipeline.yaml 
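Review bot: The new comment above the `results:` entries explains why `*IMAGE_DIGEST`/`*IMAGE_URL` are avoided, but the protection rests purely on a naming convention, and the earlier commits in this series show how easily a rename re-enables the Tekton Chains type hint. Suggest stating the rule in a form a future editor can check, e.g. `# Tekton Chains treats any result whose name ends in IMAGE_URL or IMAGE_DIGEST (and other type hints such as IMAGES and *ARTIFACT_OUTPUTS) as an image to attest; keep these names free of those suffixes.` The same applies to the matching `tee "$(results.RESULTING_*.path)"` lines in the second hunk of this file, which are the only place the values are written.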
@@ -26,20 +26,6 @@ spec:
 value: task
 resolver: bundles
- - name: show-sbom
- params:
- - name: IMAGE_URL
- value: $(tasks.retag-image.results.URL_HERE)
- taskRef:
- params:
- - name: name
- value: show-sbom
- - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:52f8b96b96ce4203d4b74d850a85f963125bf8eef0683ea5acdd80818d335a28
- - name: kind
- value: task
- resolver: bundles
-
 params:
 - description: Source Repository URL.
 name: git-url
@@ -76,27 +62,8 @@ spec:
 type: string
 results:
- - description: ""
- name: IMAGE_URL
- value: $(tasks.retag-image.results.URL_HERE)
- - description: ""
- name: IMAGE_DIGEST
- value: $(tasks.retag-image.results.DIGEST_HERE)
-
- # CHAINS-GIT_* values will be entered in a Snapshot and into the image attestation data (cosign artifact).
- # The values passed here will overwrite the values provided at the time when the input containers were built.
- # E.g. the original git url 'git+https://github.com/stackrox/scanner.git' will be changed to
- # 'git+https://github.com/stackrox/stackrox.git'.
- # It is unclear from searches and inquiries, however, how these values are used and whether the overwriting would have
- # any negative effects. E.g. see https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1729697134648409
- # Since figuring the original values is somewhat more laborious, the suggestion is to keep doing what we do until that
- # causes problems.
- - description: ""
- name: CHAINS-GIT_URL
- value: $(tasks.clone-repository.results.url)
- - description: ""
- name: CHAINS-GIT_COMMIT
- value: $(tasks.clone-repository.results.commit)
+ # IMAGE_URL and IMAGE_DIGEST must not be declared here because Tekton Chains will overwrite the original pipeline
+ # information linked to the image with this pipeline's info, and it will most certainly fail EC checks.
 workspaces:
 - name: git-auth
From 985d59d8d9d5881d64e3aee28884d92d2ef85059 Mon Sep 17 00:00:00 2001
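Review bot: The first hunk deletes the show-sbom task from the `tasks:` list without a trace in the file or in the commit subject, so a later reader cannot tell whether SBOM display was dropped deliberately or lost while trimming results. If the reason is that a retag copies the image unchanged (the task file describes the output digest as the same as the input's), record it next to the remaining task, e.g. `# No show-sbom task: the image is copied unchanged, so the SBOM attached at build time still applies.`. The `tasks:` list starts before this hunk.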
From: Misha Sugakov Date: Fri, 15 Nov 2024 13:28:01 +0100 Subject: [PATCH 33/43] Re-enable collector-full retagging --- .tekton/collector-full-retag.yaml | 93 +++++++++++++++---------------- 1 file changed, 45 insertions(+), 48 deletions(-) diff --git a/.tekton/collector-full-retag.yaml b/.tekton/collector-full-retag.yaml index a816dd7da6149..64bb14b759c4c 100644 --- a/.tekton/collector-full-retag.yaml +++ b/.tekton/collector-full-retag.yaml 
@@ -1,48 +1,45 @@
-#apiVersion: tekton.dev/v1
-#kind: PipelineRun
-#
-#metadata:
-# annotations:
-# build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}}
-# build.appstudio.redhat.com/commit_sha: '{{revision}}'
-# build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
-# build.appstudio.redhat.com/target_branch: '{{target_branch}}'
-# pipelinesascode.tekton.dev/max-keep-runs: "500"
-# # TODO(ROX-21073): re-enable for all PR branches
-# pipelinesascode.tekton.dev/on-cel-expression: |
-# (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
-# (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
-# labels:
-## appstudio.openshift.io/application: acs
-## appstudio.openshift.io/component: collector-full-retagged
-## pipelines.appstudio.openshift.io/type: build
-# name: collector-full-retag
-# namespace: rh-acs-tenant
-#
-#spec:
-#
-# params:
-# - name: git-url
-# value: '{{source_url}}'
-# - name: revision
-# value: '{{revision}}'
-# - name: output-image-repo
-# value: quay.io/rhacs-eng/collector
-# - name: input-image-repo
-# value: quay.io/rhacs-eng/collector
-# - name: input-image-tag-makefile-target
-# value: collector-tag
-#
-# workspaces:
-# - name: git-auth
-# secret:
-# secretName: '{{ git_auth_secret }}'
-#
-# pipelineRef:
-# name: retag-pipeline
-#
-# timeouts:
-# tasks: 30m
-# # Reserve time for final tasks to run.
-# finally: 10m
-# pipeline: 40m
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "500"
+ # TODO(ROX-21073): re-enable for all PR branches
+ pipelinesascode.tekton.dev/on-cel-expression: |
+ (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
+ (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
+ labels:
+ name: retag-collector-full
+ namespace: rh-acs-tenant
+
+spec:
+
+ params:
+ - name: git-url
+ value: '{{source_url}}'
+ - name: revision
+ value: '{{revision}}'
+ - name: output-image-repo
+ value: quay.io/rhacs-eng/collector
+ - name: input-image-repo
+ value: quay.io/rhacs-eng/collector
+ - name: input-image-tag-makefile-target
+ value: collector-tag
+
+ workspaces:
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+
+ pipelineRef:
+ name: retag-pipeline
+
+ timeouts:
+ tasks: 30m
+ # Reserve time for final tasks to run.
+ finally: 10m
+ pipeline: 40m
From 42ba782b69631fdf0f639ad6745960e8072fa632 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 15 Nov 2024 13:28:53 +0100 Subject: [PATCH 34/43] Rename collector retag pipeline files to have them grouped together in the list
---
 .tekton/{collector-full-retag.yaml => retag-collector-full.yaml} | 0 .tekton/{collector-slim-retag.yaml => retag-collector-slim.yaml} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename .tekton/{collector-full-retag.yaml => retag-collector-full.yaml} (100%) rename .tekton/{collector-slim-retag.yaml => retag-collector-slim.yaml} (100%)
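Review bot: The restored PipelineRun pushes into `quay.io/rhacs-eng/collector`, the same repository it reads from, and its `on-cel-expression` also fires on `pull_request` events (branches matching `(konflux|renovate|appstudio|rhtap)` or PRs labelled `konflux-build`), so a PR-scoped run writes to the release repository. Nothing in this file shows how the output tag is derived — `input-image-tag-makefile-target: collector-tag` only names a Makefile target — so it is worth confirming, and documenting, that such a run can only add a tag and cannot replace an existing one. A comment above `- name: output-image-repo`, e.g. `# NOTE: pull_request-triggered runs push here as well; the output tag must not be able to collide with an existing release tag.`, would record that. The same trigger and repository pattern is restored for the four scanner PipelineRuns in patch 36.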
diff --git a/.tekton/collector-full-retag.yaml b/.tekton/retag-collector-full.yaml similarity index 100% rename from .tekton/collector-full-retag.yaml rename to .tekton/retag-collector-full.yaml diff --git a/.tekton/collector-slim-retag.yaml b/.tekton/retag-collector-slim.yaml similarity index 100% rename from .tekton/collector-slim-retag.yaml rename to .tekton/retag-collector-slim.yaml From 0730618fc549afed4dc51be98fb27ee7c5981807 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 15 Nov 2024 13:32:46 +0100 Subject: [PATCH 35/43] Reformat collector-full back --- .tekton/retag-collector-full.yaml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.tekton/retag-collector-full.yaml b/.tekton/retag-collector-full.yaml index 64bb14b759c4c..7d05614a05970 100644 --- a/.tekton/retag-collector-full.yaml +++ b/.tekton/retag-collector-full.yaml @@ -19,21 +19,21 @@ metadata: spec: params: - - name: git-url - value: '{{source_url}}' - - name: revision - value: '{{revision}}' - - name: output-image-repo - value: quay.io/rhacs-eng/collector - - name: input-image-repo - value: quay.io/rhacs-eng/collector - - name: input-image-tag-makefile-target - value: collector-tag + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image-repo + value: quay.io/rhacs-eng/collector + - name: input-image-repo + value: quay.io/rhacs-eng/collector + - name: input-image-tag-makefile-target + value: collector-tag workspaces: - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' pipelineRef: name: retag-pipeline From 8ffe1165522165d98ab4a9077ffcb71b952d62d1 Mon Sep 17 00:00:00 2001 
From: Misha Sugakov Date: Fri, 15 Nov 2024 13:35:04 +0100 Subject: [PATCH 36/43] Restore and rename scanner* retagging --- .tekton/scanner-db-retag.yaml | 93 +++++++++++++++--------------- .tekton/scanner-db-slim-retag.yaml | 93 +++++++++++++++--------------- .tekton/scanner-retag.yaml | 93 +++++++++++++++--------------- .tekton/scanner-slim-retag.yaml | 93 +++++++++++++++--------------- 4 files changed, 180 insertions(+), 192 deletions(-) diff --git a/.tekton/scanner-db-retag.yaml b/.tekton/scanner-db-retag.yaml index 517155a94c830..12ec0eed17025 100644 --- a/.tekton/scanner-db-retag.yaml +++ b/.tekton/scanner-db-retag.yaml 
@@ -1,48 +1,45 @@
-#apiVersion: tekton.dev/v1
-#kind: PipelineRun
-#
-#metadata:
-# annotations:
-# build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}}
-# build.appstudio.redhat.com/commit_sha: '{{revision}}'
-# build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
-# build.appstudio.redhat.com/target_branch: '{{target_branch}}'
-# pipelinesascode.tekton.dev/max-keep-runs: "500"
-# # TODO(ROX-21073): re-enable for all PR branches
-# pipelinesascode.tekton.dev/on-cel-expression: |
-# (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
-# (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
-# labels:
-# appstudio.openshift.io/application: acs
-# appstudio.openshift.io/component: scanner-db-retagged
-# pipelines.appstudio.openshift.io/type: build
-# name: scanner-db-retagged-on-push
-# namespace: rh-acs-tenant
-#
-#spec:
-#
-# params:
-# - name: git-url
-# value: '{{source_url}}'
-# - name: revision
-# value: '{{revision}}'
-# - name: output-image-repo
-# value: quay.io/rhacs-eng/scanner-db
-# - name: input-image-repo
-# value: quay.io/rhacs-eng/scanner-db
-# - name: input-image-tag-makefile-target
-# value: scanner-tag
-#
-# workspaces:
-# - name: git-auth
-# secret:
-# secretName: '{{ git_auth_secret }}'
-#
-# pipelineRef:
-# name: retag-pipeline
-#
-# timeouts:
-# tasks: 30m
-# # Reserve time for final tasks to run.
-# finally: 10m
-# pipeline: 40m
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "500"
+ # TODO(ROX-21073): re-enable for all PR branches
+ pipelinesascode.tekton.dev/on-cel-expression: |
+ (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
+ (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
+ labels:
+ name: retag-scanner-db
+ namespace: rh-acs-tenant
+
+spec:
+
+ params:
+ - name: git-url
+ value: '{{source_url}}'
+ - name: revision
+ value: '{{revision}}'
+ - name: output-image-repo
+ value: quay.io/rhacs-eng/scanner-db
+ - name: input-image-repo
+ value: quay.io/rhacs-eng/scanner-db
+ - name: input-image-tag-makefile-target
+ value: scanner-tag
+
+ workspaces:
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+
+ pipelineRef:
+ name: retag-pipeline
+
+ timeouts:
+ tasks: 30m
+ # Reserve time for final tasks to run.
+ finally: 10m
+ pipeline: 40m
diff --git a/.tekton/scanner-db-slim-retag.yaml b/.tekton/scanner-db-slim-retag.yaml
index 2e9a2b14f43ce..5110930f94195 100644
--- a/.tekton/scanner-db-slim-retag.yaml
+++ b/.tekton/scanner-db-slim-retag.yaml
@@ -1,48 +1,45 @@
-#apiVersion: tekton.dev/v1
-#kind: PipelineRun
-#
-#metadata:
-# annotations:
-# build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}}
-# build.appstudio.redhat.com/commit_sha: '{{revision}}'
-# build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
-# build.appstudio.redhat.com/target_branch: '{{target_branch}}'
-# pipelinesascode.tekton.dev/max-keep-runs: "500"
-# # TODO(ROX-21073): re-enable for all PR branches
-# pipelinesascode.tekton.dev/on-cel-expression: |
-# (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
-# (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
-# labels:
-# appstudio.openshift.io/application: acs
-# appstudio.openshift.io/component: scanner-db-slim-retagged
-# pipelines.appstudio.openshift.io/type: build
-# name: scanner-db-slim-retagged-on-push
-# namespace: rh-acs-tenant
-#
-#spec:
-#
-# params:
-# - name: git-url
-# value: '{{source_url}}'
-# - name: revision
-# value: '{{revision}}'
-# - name: output-image-repo
-# value: quay.io/rhacs-eng/scanner-db-slim
-# - name: input-image-repo
-# value: quay.io/rhacs-eng/scanner-db-slim
-# - name: input-image-tag-makefile-target
-# value: scanner-tag
-#
-# workspaces:
-# - name: git-auth
-# secret:
-# secretName: '{{ git_auth_secret }}'
-#
-# pipelineRef:
-# name: retag-pipeline
-#
-# timeouts:
-# tasks: 30m
-# # Reserve time for final tasks to run.
-# finally: 10m
-# pipeline: 40m
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "500"
+ # TODO(ROX-21073): re-enable for all PR branches
+ pipelinesascode.tekton.dev/on-cel-expression: |
+ (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
+ (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
+ labels:
+ name: retag-scanner-db-slim
+ namespace: rh-acs-tenant
+
+spec:
+
+ params:
+ - name: git-url
+ value: '{{source_url}}'
+ - name: revision
+ value: '{{revision}}'
+ - name: output-image-repo
+ value: quay.io/rhacs-eng/scanner-db-slim
+ - name: input-image-repo
+ value: quay.io/rhacs-eng/scanner-db-slim
+ - name: input-image-tag-makefile-target
+ value: scanner-tag
+
+ workspaces:
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+
+ pipelineRef:
+ name: retag-pipeline
+
+ timeouts:
+ tasks: 30m
+ # Reserve time for final tasks to run.
+ finally: 10m
+ pipeline: 40m
diff --git a/.tekton/scanner-retag.yaml b/.tekton/scanner-retag.yaml
index d4cdc1b290844..0c60e11a3b7cd 100644
--- a/.tekton/scanner-retag.yaml
+++ b/.tekton/scanner-retag.yaml
@@ -1,48 +1,45 @@
-#apiVersion: tekton.dev/v1
-#kind: PipelineRun
-#
-#metadata:
-# annotations:
-# build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}}
-# build.appstudio.redhat.com/commit_sha: '{{revision}}'
-# build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
-# build.appstudio.redhat.com/target_branch: '{{target_branch}}'
-# pipelinesascode.tekton.dev/max-keep-runs: "500"
-# # TODO(ROX-21073): re-enable for all PR branches
-# pipelinesascode.tekton.dev/on-cel-expression: |
-# (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
-# (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
-# labels:
-# appstudio.openshift.io/application: acs
-# appstudio.openshift.io/component: scanner-retagged
-# pipelines.appstudio.openshift.io/type: build
-# name: scanner-retagged-on-push
-# namespace: rh-acs-tenant
-#
-#spec:
-#
-# params:
-# - name: git-url
-# value: '{{source_url}}'
-# - name: revision
-# value: '{{revision}}'
-# - name: output-image-repo
-# value: quay.io/rhacs-eng/scanner
-# - name: input-image-repo
-# value: quay.io/rhacs-eng/scanner
-# - name: input-image-tag-makefile-target
-# value: scanner-tag
-#
-# workspaces:
-# - name: git-auth
-# secret:
-# secretName: '{{ git_auth_secret }}'
-#
-# pipelineRef:
-# name: retag-pipeline
-#
-# timeouts:
-# tasks: 30m
-# # Reserve time for final tasks to run.
-# finally: 10m
-# pipeline: 40m
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "500"
+ # TODO(ROX-21073): re-enable for all PR branches
+ pipelinesascode.tekton.dev/on-cel-expression: |
+ (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
+ (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
+ labels:
+ name: retag-scanner
+ namespace: rh-acs-tenant
+
+spec:
+
+ params:
+ - name: git-url
+ value: '{{source_url}}'
+ - name: revision
+ value: '{{revision}}'
+ - name: output-image-repo
+ value: quay.io/rhacs-eng/scanner
+ - name: input-image-repo
+ value: quay.io/rhacs-eng/scanner
+ - name: input-image-tag-makefile-target
+ value: scanner-tag
+
+ workspaces:
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+
+ pipelineRef:
+ name: retag-pipeline
+
+ timeouts:
+ tasks: 30m
+ # Reserve time for final tasks to run.
+ finally: 10m
+ pipeline: 40m
diff --git a/.tekton/scanner-slim-retag.yaml b/.tekton/scanner-slim-retag.yaml
index 0f069381fc030..3d1f96bfddc0c 100644
--- a/.tekton/scanner-slim-retag.yaml
+++ b/.tekton/scanner-slim-retag.yaml
@@ -1,48 +1,45 @@
-#apiVersion: tekton.dev/v1
-#kind: PipelineRun
-#
-#metadata:
-# annotations:
-# build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}}
-# build.appstudio.redhat.com/commit_sha: '{{revision}}'
-# build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
-# build.appstudio.redhat.com/target_branch: '{{target_branch}}'
-# pipelinesascode.tekton.dev/max-keep-runs: "500"
-# # TODO(ROX-21073): re-enable for all PR branches
-# pipelinesascode.tekton.dev/on-cel-expression: |
-# (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
-# (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
-# labels:
-# appstudio.openshift.io/application: acs
-# appstudio.openshift.io/component: scanner-slim-retagged
-# pipelines.appstudio.openshift.io/type: build
-# name: scanner-slim-retagged-on-push
-# namespace: rh-acs-tenant
-#
-#spec:
-#
-# params:
-# - name: git-url
-# value: '{{source_url}}'
-# - name: revision
-# value: '{{revision}}'
-# - name: output-image-repo
-# value: quay.io/rhacs-eng/scanner-slim
-# - name: input-image-repo
-# value: quay.io/rhacs-eng/scanner-slim
-# - name: input-image-tag-makefile-target
-# value: scanner-tag
-#
-# workspaces:
-# - name: git-auth
-# secret:
-# secretName: '{{ git_auth_secret }}'
-#
-# pipelineRef:
-# name: retag-pipeline
-#
-# timeouts:
-# tasks: 30m
-# # Reserve time for final tasks to run.
-# finally: 10m
-# pipeline: 40m
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://github.com/stackrox/stackrox?rev={{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "500"
+ # TODO(ROX-21073): re-enable for all PR branches
+ pipelinesascode.tekton.dev/on-cel-expression: |
+ (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
+ (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
+ labels:
+ name: retag-scanner-slim
+ namespace: rh-acs-tenant
+
+spec:
+
+ params:
+ - name: git-url
+ value: '{{source_url}}'
+ - name: revision
+ value: '{{revision}}'
+ - name: output-image-repo
+ value: quay.io/rhacs-eng/scanner-slim
+ - name: input-image-repo
+ value: quay.io/rhacs-eng/scanner-slim
+ - name: input-image-tag-makefile-target
+ value: scanner-tag
+
+ workspaces:
+ - name: git-auth
+ secret:
+ secretName: '{{ git_auth_secret }}'
+
+ pipelineRef:
+ name: retag-pipeline
+
+ timeouts:
+ tasks: 30m
+ # Reserve time for final tasks to run.
+ finally: 10m
+ pipeline: 40m
From 8e6c791cf5d2e14b9e09a100267d9c9464e6a1af Mon Sep 17 00:00:00 2001
From: Misha Sugakov Date: Fri, 15 Nov 2024 13:36:00 +0100 Subject: [PATCH 37/43] Rename scanner* retagging files to group them with others --- .../{scanner-db-slim-retag.yaml => retag-scanner-db-slim.yaml} | 0 .tekton/{scanner-db-retag.yaml => retag-scanner-db.yaml} | 0 .tekton/{scanner-slim-retag.yaml => retag-scanner-slim.yaml} | 0 .tekton/{scanner-retag.yaml => retag-scanner.yaml} | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename .tekton/{scanner-db-slim-retag.yaml => retag-scanner-db-slim.yaml} (100%) rename .tekton/{scanner-db-retag.yaml => retag-scanner-db.yaml} (100%) rename .tekton/{scanner-slim-retag.yaml => retag-scanner-slim.yaml} (100%) rename .tekton/{scanner-retag.yaml => retag-scanner.yaml} (100%) diff --git a/.tekton/scanner-db-slim-retag.yaml b/.tekton/retag-scanner-db-slim.yaml similarity index 100% rename from .tekton/scanner-db-slim-retag.yaml rename to .tekton/retag-scanner-db-slim.yaml diff --git a/.tekton/scanner-db-retag.yaml b/.tekton/retag-scanner-db.yaml similarity index 100% rename from .tekton/scanner-db-retag.yaml rename to .tekton/retag-scanner-db.yaml diff --git a/.tekton/scanner-slim-retag.yaml b/.tekton/retag-scanner-slim.yaml similarity index 100% rename from .tekton/scanner-slim-retag.yaml rename to .tekton/retag-scanner-slim.yaml diff --git a/.tekton/scanner-retag.yaml b/.tekton/retag-scanner.yaml similarity index 100% rename from .tekton/scanner-retag.yaml rename to .tekton/retag-scanner.yaml From 35d666ac07417f90b8f2bb193b0339e8e7826f1f Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 15 Nov 2024 17:01:26 +0100 Subject: [PATCH 38/43] Remove skopeo command, make pipelinerun's result displayed --- .tekton/retag-image-task.yaml | 2 -- .tekton/retag-pipeline.yaml | 5 +++++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.tekton/retag-image-task.yaml b/.tekton/retag-image-task.yaml index a59dc1c5864a1..2e1d0888a7992 100644 --- a/.tekton/retag-image-task.yaml +++ b/.tekton/retag-image-task.yaml 
@@ -55,8 +55,6 @@ spec:
 echo ">>> Copying image from ${input_url} ..."
 echo ">>> ... to ${output_url} ..."
- #skopeo copy --all --retry-times="${SKOPEO_RETRIES}" "docker://${input_url}" "docker://${output_url}"
-
 # cosign copies not just cosign artifacts but also images. It understands and copies index images.
 # --force argument is needed to prevent the command failing when it runs into (partial) previous copies with
 # errors like the following.
diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml
index c46b3f8870005..41c0c5fd01bf7 100644
--- a/.tekton/retag-pipeline.yaml
+++ b/.tekton/retag-pipeline.yaml
@@ -65,6 +65,11 @@ spec:
 # IMAGE_URL and IMAGE_DIGEST must not be declared here because Tekton Chains will overwrite the original pipeline
 # information linked to the image with this pipeline's info, and it will most certainly fail EC checks.
+ # This resulting parameter is to make retagged image's pull spec conveniently displayed in Konflux UI.
+ - name: RESULTING_REF
+ description: Image reference of the output image containing both the repository, the tag and the digest.
+ value: $(tasks.retag-image.results.RESULTING_REF)
+
 workspaces:
 - name: git-auth
From d9dd2cb8118fcd2aad23a5b7e718344ac3bdc71d Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 15 Nov 2024 17:11:47 +0100 Subject: [PATCH 39/43] **DO NOT MERGE**: bump scanner version to check if we can build cleanly.
---
 SCANNER_VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SCANNER_VERSION b/SCANNER_VERSION
index 39696029299e4..ebb021666d970 100644
--- a/SCANNER_VERSION
+++ b/SCANNER_VERSION
@@ -1 +1 @@
-2.35.x-9-g0dbe068903
+2.35.x-11-g297b8d09d0
From cffed45e60c51f252d23d73823b070fad8d68cf2 Mon Sep 17 00:00:00 2001
From: Misha Sugakov Date: Fri, 15 Nov 2024 17:33:42 +0100 Subject: [PATCH 40/43] Revert "**DO NOT MERGE**: bump scanner version" This reverts commit d9dd2cb8118fcd2aad23a5b7e718344ac3bdc71d.
---
 SCANNER_VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/SCANNER_VERSION b/SCANNER_VERSION
index ebb021666d970..39696029299e4 100644
--- a/SCANNER_VERSION
+++ b/SCANNER_VERSION
@@ -1 +1 @@
-2.35.x-11-g297b8d09d0
+2.35.x-9-g0dbe068903
From a705f0543a2aa51fb3eafdf150cb4cd38c0548a9 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 15 Nov 2024 17:34:14 +0100 Subject: [PATCH 41/43] Restore the original COLLECTOR_VERSION
---
 COLLECTOR_VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/COLLECTOR_VERSION b/COLLECTOR_VERSION
index 0c1759131522d..134822d3eb008 100644
--- a/COLLECTOR_VERSION
+++ b/COLLECTOR_VERSION
@@ -1 +1 @@
-3.20.x-43-gc51915d3bf
+3.20.x-33-gf1748e6301
From e8e75086d52e29ca5c0de1ceada2f6c1de775cc6 Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Fri, 15 Nov 2024 19:41:36 +0100 Subject: [PATCH 42/43] Fix redirects from GitHub
---
 .tekton/retag-collector-full.yaml | 1 + .tekton/retag-collector-slim.yaml | 1 + .tekton/retag-scanner-db-slim.yaml | 1 + .tekton/retag-scanner-db.yaml | 1 + .tekton/retag-scanner-slim.yaml | 1 + .tekton/retag-scanner.yaml | 1 + 6 files changed, 6 insertions(+)
diff --git a/.tekton/retag-collector-full.yaml b/.tekton/retag-collector-full.yaml
index 7d05614a05970..33d2da536ece4 100644
--- a/.tekton/retag-collector-full.yaml
+++ b/.tekton/retag-collector-full.yaml
@@ -13,6 +13,7 @@ metadata:
 (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
 (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
 labels:
+ appstudio.openshift.io/application: acs
 name: retag-collector-full
 namespace: rh-acs-tenant
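Review bot: The re-added `appstudio.openshift.io/application: acs` label has no comment explaining why it is back while the `component` and `pipelines.appstudio.openshift.io/type` labels stay removed, and the commit subject "Fix redirects from GitHub" is the only hint; someone tidying the file later has nothing to stop them removing it again as dead metadata. Suggest a comment above the label, e.g. `# Kept deliberately (see "Fix redirects from GitHub"); component/type labels are intentionally absent for the component-less retag.`. The identical line is added to the five other retag PipelineRuns in this patch (the hunks on the next two lines), so the comment belongs in each of them.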
diff --git a/.tekton/retag-collector-slim.yaml b/.tekton/retag-collector-slim.yaml
index 11b7282c92262..ac65cc17c59d7 100644
--- a/.tekton/retag-collector-slim.yaml
+++ b/.tekton/retag-collector-slim.yaml
@@ -13,6 +13,7 @@ metadata:
 (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
 (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
 labels:
+ appstudio.openshift.io/application: acs
 name: retag-collector-slim
 namespace: rh-acs-tenant
diff --git a/.tekton/retag-scanner-db-slim.yaml b/.tekton/retag-scanner-db-slim.yaml
index 5110930f94195..f829a4b1594ad 100644
--- a/.tekton/retag-scanner-db-slim.yaml
+++ b/.tekton/retag-scanner-db-slim.yaml
@@ -13,6 +13,7 @@ metadata:
 (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
 (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
 labels:
+ appstudio.openshift.io/application: acs
 name: retag-scanner-db-slim
 namespace: rh-acs-tenant
diff --git a/.tekton/retag-scanner-db.yaml b/.tekton/retag-scanner-db.yaml
index 12ec0eed17025..bcb36bf9a0669 100644
--- a/.tekton/retag-scanner-db.yaml
+++ b/.tekton/retag-scanner-db.yaml
@@ -13,6 +13,7 @@ metadata:
 (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
 (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
 labels:
+ appstudio.openshift.io/application: acs
 name: retag-scanner-db
 namespace: rh-acs-tenant
diff --git a/.tekton/retag-scanner-slim.yaml b/.tekton/retag-scanner-slim.yaml
index 3d1f96bfddc0c..caf0db864a52e 100644
--- a/.tekton/retag-scanner-slim.yaml
+++ b/.tekton/retag-scanner-slim.yaml
@@ -13,6 +13,7 @@ metadata:
 (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
 (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
 labels:
+ appstudio.openshift.io/application: acs
 name: retag-scanner-slim
 namespace: rh-acs-tenant
diff --git a/.tekton/retag-scanner.yaml b/.tekton/retag-scanner.yaml
index 0c60e11a3b7cd..3de5bb3c9ede6 100644
--- a/.tekton/retag-scanner.yaml
+++ b/.tekton/retag-scanner.yaml
@@ -13,6 +13,7 @@ metadata:
 (event == "push" && target_branch.matches("^(master|release-.*)$")) ||
 (event == "pull_request" && (source_branch.matches("(konflux|renovate|appstudio|rhtap)") || body.pull_request.labels.exists(l, l.name == "konflux-build")))
 labels:
+ appstudio.openshift.io/application: acs
 name: retag-scanner
 namespace: rh-acs-tenant
From fe73f67a51d84101e8006ce93ae646fa32c98e7e Mon Sep 17 00:00:00 2001 From: Misha Sugakov Date: Mon, 18 Nov 2024 10:27:14 +0100 Subject: [PATCH 43/43] Declare more RESULTING_ things on the retag pipeline
---
 .tekton/retag-pipeline.yaml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/.tekton/retag-pipeline.yaml b/.tekton/retag-pipeline.yaml
index 41c0c5fd01bf7..9882fb3453cd2 100644
--- a/.tekton/retag-pipeline.yaml
+++ b/.tekton/retag-pipeline.yaml
@@ -62,10 +62,16 @@ spec:
 type: string
 results:
- # IMAGE_URL and IMAGE_DIGEST must not be declared here because Tekton Chains will overwrite the original pipeline
+ # *IMAGE_URL and *IMAGE_DIGEST must not be declared here because Tekton Chains will overwrite the original pipeline
 # information linked to the image with this pipeline's info, and it will most certainly fail EC checks.
- # This resulting parameter is to make retagged image's pull spec conveniently displayed in Konflux UI.
+ # These result parameters are to make retagged image's info conveniently displayed in Konflux UI.
+ - name: RESULTING_DIGEST
+ description: Digest of the output image (will be the same as of the input one).
+ value: $(tasks.retag-image.results.RESULTING_DIGEST)
+ - name: RESULTING_URL
+ description: Image repository and tag of the output image.
+ value: $(tasks.retag-image.results.RESULTING_URL)
 - name: RESULTING_REF
 description: Image reference of the output image containing both the repository, the tag and the digest.
 value: $(tasks.retag-image.results.RESULTING_REF)
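Review bot: The pipeline-level comment repeats the Chains type-hint rule but drops the reference the task file carries (https://tekton.dev/docs/chains/slsa-provenance/#image_url--image_digest), and this results block is the most likely place for someone to re-add an `IMAGE_URL` result for the Konflux UI later. Suggest `# *IMAGE_URL and *IMAGE_DIGEST must not be declared here (see https://tekton.dev/docs/chains/slsa-provenance/#image_url--image_digest): Tekton Chains would overwrite the original pipeline` as the first line, with the second line unchanged. The three `RESULTING_*` descriptions are copied from the task file, so a later wording change has to be made in both places.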