Merge branch 'main' into add-checkton

task/build-vm-image/0.1/build-vm-image.yaml

@@ -26,6 +26,10 @@ spec:
       default: bib.yaml
       type: string
       description: The config file specifying what to build and the builder to build it with
+    - name: CONFIG_TOML_FILE
+      default: ""
+      type: string
+      description: The path for the config.toml file within the source repository
     - default: etc-pki-entitlement
       description: Name of secret which contains the entitlement certificates
       name: ENTITLEMENT_SECRET
@@ -45,6 +49,8 @@ spec:
         value: $(params.OUTPUT_IMAGE)
       - name: BIB_CONFIG_FILE
         value: $(params.BIB_CONFIG_FILE)
+      - name: CONFIG_TOML_FILE
+        value: $(params.CONFIG_TOML_FILE)
       - name: IMAGE_TYPE
         value: $(params.IMAGE_TYPE)
       - name: ENTITLEMENT_SECRET
@@ -148,6 +154,22 @@ spec:
         echo "$BUILD_DIR"
         ssh -v $SSH_ARGS "$SSH_HOST"  mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/tmp" "$BUILD_DIR/tekton-results" "$BUILD_DIR/entitlement"
 
+        if [ ! -n "${CONFIG_TOML_FILE}" ]; then
+          echo "No CONFIG_TOML_FILE specified"
+          export CONFIG_TOML_FILE=config.toml
+          if [ -f /var/workdir/source/config.toml ]; then
+            echo "Using the config.toml file found in the repository root!"
+            echo "  Remove the config.toml file or set params.CONFIG_TOML_FILE to another file to prevent using config.toml."
+          else
+            echo "No config.toml file found. Using an empty configuration."
+            touch /var/workdir/source/$CONFIG_TOML_FILE
+          fi
+        fi
+        echo "Using the following config.toml file $CONFIG_TOML_FILE:"
+        cat /var/workdir/source/$CONFIG_TOML_FILE
+
+
+        rsync -ra "/var/workdir/source/$CONFIG_TOML_FILE" "$SSH_HOST:$BUILD_DIR/config.toml"
         rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/"
         rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/entitlement/"
 
@@ -175,12 +197,6 @@ spec:
 
         # this quoted heredoc prevents expansions and command substitutions. the env vars are evaluated on the remote vm
         cat >>scripts/script-build.sh <<'REMOTESSHEOF'
-        echo >config.toml <<EOF
-        [[blueprint.customizations.user]]
-        name = "user"
-        password = "pass"
-        groups = ["wheel"]
-        EOF
 
         mkdir output
         echo "PULLING BUILDER IMAGE"
@@ -193,7 +209,7 @@ spec:
         echo -e "IMAGE_TYPE_ARGUMENT = $IMAGE_TYPE_ARGUMENT"
 
         time sudo podman run --authfile=$BUILD_DIR/.docker/config.json --rm -it --privileged --pull=newer --security-opt label=type:unconfined_t \
-          -v $(pwd)/config.toml:/config.toml -v $(pwd)/output:/output \
+          -v $BUILD_DIR/config.toml:/config.toml -v $(pwd)/output:/output \
           -v /var/lib/containers/storage:/var/lib/containers/storage \
           -v $BUILD_DIR/entitlement:/etc/pki/entitlement:Z \
           $BOOTC_BUILDER_IMAGE $IMAGE_TYPE_ARGUMENT --local $TAGGED_AS

task/buildah-oci-ta/0.2/README.md

@@ -38,6 +38,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
 |name|description|
 |---|---|
 |IMAGE_DIGEST|Digest of the image just built|
+|IMAGE_REF|Image reference of the built image|
 |IMAGE_URL|Image repository where the built image was pushed|
 |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.|
 |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format|

task/buildah-oci-ta/0.2/buildah-oci-ta.yaml

@@ -129,6 +129,8 @@ spec:
   results:
     - name: IMAGE_DIGEST
       description: Digest of the image just built
+    - name: IMAGE_REF
+      description: Image reference of the built image
     - name: IMAGE_URL
       description: Image repository where the built image was pushed
     - name: JAVA_COMMUNITY_DEPENDENCIES
@@ -559,6 +561,10 @@ spec:
 
         cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path)
         echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
+        {
+          echo -n "${IMAGE}@"
+          cat "/var/workdir/image-digest"
+        } >"$(results.IMAGE_REF.path)"
       securityContext:
         capabilities:
           add:

task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml

@@ -130,6 +130,8 @@ spec:
   results:
   - description: Digest of the image just built
     name: IMAGE_DIGEST
+  - description: Image reference of the built image
+    name: IMAGE_REF
   - description: Image repository where the built image was pushed
     name: IMAGE_URL
   - description: The Java dependencies that came from community sources such as Maven
@@ -630,6 +632,10 @@ spec:
 
       cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path)
       echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
+      {
+        echo -n "${IMAGE}@"
+        cat "/var/workdir/image-digest"
+      } >"$(results.IMAGE_REF.path)"
     securityContext:
       capabilities:
         add:

task/buildah-remote/0.2/README.md

@@ -0,0 +1,48 @@
+# buildah-remote task
+
+Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.
+In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.
+When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts.
+When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment.
+
+## Parameters
+|name|description|default value|required|
+|---|---|---|---|
+|IMAGE|Reference of the image buildah will produce.||true|
+|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false|
+|CONTEXT|Path to the directory to use as context.|.|false|
+|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false|
+|HERMETIC|Determines if build will be executed without network access.|false|false|
+|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false|
+|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
+|COMMIT_SHA|The image is built from this commit.|""|false|
+|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false|
+|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false|
+|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false|
+|TARGET_STAGE|Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false|
+|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false|
+|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false|
+|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false|
+|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false|
+|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false|
+|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
+|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
+|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false|
+|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false|
+|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false|
+|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false|
+|PLATFORM|The platform to build on||true|
+
+## Results
+|name|description|
+|---|---|
+|IMAGE_DIGEST|Digest of the image just built|
+|IMAGE_URL|Image repository where the built image was pushed|
+|IMAGE_REF|Image reference of the built image|
+|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format|
+|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.|
+
+## Workspaces
+|name|description|optional|
+|---|---|---|
+|source|Workspace containing the source code to build.|false|

task/buildah-remote/0.2/buildah-remote.yaml

@@ -123,6 +123,8 @@ spec:
     name: IMAGE_DIGEST
   - description: Image repository where the built image was pushed
     name: IMAGE_URL
+  - description: Image reference of the built image
+    name: IMAGE_REF
   - description: The counting of Java components by publisher in JSON format
     name: SBOM_JAVA_COMPONENTS_COUNT
     type: string
@@ -612,6 +614,10 @@ spec:
 
       cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path)
       echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
+      {
+        echo -n "${IMAGE}@"
+        cat "$(workspaces.source.path)/image-digest"
+      } > "$(results.IMAGE_REF.path)"
     securityContext:
       capabilities:
         add:

task/buildah/0.2/README.md

@@ -9,11 +9,9 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
 |name|description|default value|required|
 |---|---|---|---|
 |IMAGE|Reference of the image buildah will produce.||true|
-|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false|
 |DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false|
 |CONTEXT|Path to the directory to use as context.|.|false|
 |TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false|
-|DOCKER_AUTH|unused, should be removed in next task version|""|false|
 |HERMETIC|Determines if build will be executed without network access.|false|false|
 |PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false|
 |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
@@ -39,6 +37,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
 |---|---|
 |IMAGE_DIGEST|Digest of the image just built|
 |IMAGE_URL|Image repository where the built image was pushed|
+|IMAGE_REF|Image reference of the built image|
 |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format|
 |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.|
 

task/buildah/0.2/buildah.yaml

@@ -109,6 +109,8 @@ spec:
     name: IMAGE_DIGEST
   - description: Image repository where the built image was pushed
     name: IMAGE_URL
+  - description: Image reference of the built image
+    name: IMAGE_REF
   - name: SBOM_JAVA_COMPONENTS_COUNT
     description: The counting of Java components by publisher in JSON format
     type: string
@@ -509,6 +511,10 @@ spec:
 
       cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path)
       echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
+      {
+        echo -n "${IMAGE}@"
+        cat "$(workspaces.source.path)/image-digest"
+      } > "$(results.IMAGE_REF.path)"
 
     securityContext:
       runAsUser: 0

task/ecosystem-cert-preflight-checks/0.1/ecosystem-cert-preflight-checks.yaml

@@ -13,7 +13,7 @@ spec:
       description: Preflight pass or fail outcome.
   steps:
     - name: check-container
-      image: quay.io/opdev/preflight:stable@sha256:add15669e17a86d807be05671f3c9834161d7af6f41bf4a50969be2da0487fbc
+      image: quay.io/opdev/preflight:stable@sha256:e4707e5f3a61c737c9b5f04d2ebe45675fde2d1c72b65df9152e8a053acd6c61
       args: ["check", "container", "$(params.image-url)"]
       env:
         - name: PFLT_DOCKERCONFIG

task/oci-copy-oci-ta/0.1/README.md

@@ -14,6 +14,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in
 |name|description|
 |---|---|
 |IMAGE_DIGEST|Digest of the artifact just pushed|
+|IMAGE_REF|Image reference of the built image|
 |IMAGE_URL|Repository where the artifact was pushed|
 |SBOM_BLOB_URL|Link to the SBOM blob pushed to the registry.|
 

task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml

@@ -35,6 +35,8 @@ spec:
   results:
     - name: IMAGE_DIGEST
       description: Digest of the artifact just pushed
+    - name: IMAGE_REF
+      description: Image reference of the built image
     - name: IMAGE_URL
       description: Repository where the artifact was pushed
     - name: SBOM_BLOB_URL
@@ -193,6 +195,7 @@ spec:
         RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}")
         echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)"
         echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)"
+        echo -n "${IMAGE}@${RESULTING_DIGEST}" >"$(results.IMAGE_REF.path)"
       computeResources:
         limits:
           memory: 1Gi

task/oci-copy/0.1/README.md

@@ -22,6 +22,7 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste
 |IMAGE_DIGEST|Digest of the image just built|
 |IMAGE_URL|Image repository where the built image was pushed|
 |SBOM_BLOB_URL|Link to the SBOM blob pushed to the registry.|
+|IMAGE_REF|Image reference of the built image|
 
 ## Workspaces
 |name|description|optional|

task/oci-copy/0.1/oci-copy.yaml

@@ -32,6 +32,8 @@ spec:
       name: IMAGE_URL
     - description: Link to the SBOM blob pushed to the registry.
       name: SBOM_BLOB_URL
+    - name: IMAGE_REF
+      description: Image reference of the built image
   stepTemplate:
     env:
       - name: OCI_COPY_FILE
@@ -178,6 +180,7 @@ spec:
         RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}")
         echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)"
         echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)"
+        echo -n "${IMAGE}@${RESULTING_DIGEST}" >"$(results.IMAGE_REF.path)"
       volumeMounts:
         - mountPath: /var/lib/containers
           name: varlibcontainers

task/rpm-ostree/0.1/README.md

@@ -0,0 +1,31 @@
+# rpm-ostree task
+
+RPM Ostree
+
+## Parameters
+|name|description|default value|required|
+|---|---|---|---|
+|IMAGE|Reference of the image rpm-ostree will produce.||true|
+|BUILDER_IMAGE|The location of the rpm-ostree builder image.|quay.io/redhat-user-workloads/project-sagano-tenant/ostree-builder/ostree-builder-fedora-38:d124414a81d17f31b1d734236f55272a241703d7|false|
+|CONTEXT|Path to the directory to use as context.|.|false|
+|IMAGE_FILE|The file to use to build the image||true|
+|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false|
+|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
+|COMMIT_SHA|The image is built from this commit.|""|false|
+|PLATFORM|The platform to build on||true|
+|CONFIG_FILE|The relative path of the file used to configure the rpm-ostree tool found in source control. See https://github.com/coreos/rpm-ostree/blob/main/docs/container.md#adding-container-image-configuration|""|false|
+|HERMETIC|Determines if build will be executed without network access.|false|false|
+
+## Results
+|name|description|
+|---|---|
+|IMAGE_DIGEST|Digest of the image just built|
+|IMAGE_URL|Image repository where the built image was pushed|
+|IMAGE_REF|Image reference of the built image|
+|BASE_IMAGES_DIGESTS|Digests of the base images used for build|
+|SBOM_BLOB_URL|Reference, including digest to the SBOM blob|
+
+## Workspaces
+|name|description|optional|
+|---|---|---|
+|source|Workspace containing the source code to build.|false|

task/rpm-ostree/0.1/rpm-ostree.yaml

@@ -60,6 +60,8 @@ spec:
     name: IMAGE_DIGEST
   - description: Image repository where the built image was pushed
     name: IMAGE_URL
+  - description: Image reference of the built image
+    name: IMAGE_REF
   - description: Digests of the base images used for build
     name: BASE_IMAGES_DIGESTS
   - name: SBOM_BLOB_URL
@@ -260,6 +262,10 @@ spec:
 
       cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path)
       echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
+      {
+        echo -n "${IMAGE}@"
+        cat "$(workspaces.source.path)/image-digest"
+      } >"$(results.IMAGE_REF.path)"
 
       # Remove tag from IMAGE while allowing registry to contain a port number.
       sbom_repo="${IMAGE%:*}"

task/s2i-java/0.1/README.md

@@ -12,15 +12,17 @@ When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup
 |PATH_CONTEXT|The location of the path to run s2i from|.|false|
 |TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false|
 |IMAGE|Location of the repo where image has to be pushed||true|
-|BUILDER_IMAGE|The location of the buildah builder image.|registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af|false|
+|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false|
 |DOCKER_AUTH|unused, should be removed in next task version|""|false|
 |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
+|COMMIT_SHA|The image is built from this commit.|""|false|
 
 ## Results
 |name|description|
 |---|---|
 |IMAGE_DIGEST|Digest of the image just built|
 |IMAGE_URL|Image repository where the built image was pushed|
+|IMAGE_REF|Image reference of the built image|
 |BASE_IMAGES_DIGESTS|Digests of the base images used for build|
 |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format|
 |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.|

task/s2i-java/0.1/s2i-java.yaml

@@ -56,6 +56,8 @@ spec:
     name: IMAGE_DIGEST
   - description: Image repository where the built image was pushed
     name: IMAGE_URL
+  - description: Image reference of the built image
+    name: IMAGE_REF
   - description: Digests of the base images used for build
     name: BASE_IMAGES_DIGESTS
   - name: SBOM_JAVA_COMPONENTS_COUNT
@@ -253,6 +255,10 @@ spec:
         docker://$IMAGE
       cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path)
       echo -n "$IMAGE" | tee $(results.IMAGE_URL.path)
+      {
+        echo -n "${IMAGE}@"
+        cat "$(workspaces.source.path)/image-digest"
+      } > "$(results.IMAGE_REF.path)"
 
     securityContext:
       runAsUser: 0

task/s2i-nodejs/0.1/README.md

@@ -7,20 +7,22 @@ In addition it generates a SBOM file, injects the SBOM file into final container
 ## Parameters
 |name|description|default value|required|
 |---|---|---|---|
-|BASE_IMAGE|NodeJS builder image|registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583|false|
+|BASE_IMAGE|NodeJS builder image|registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583@sha256:c17111ec54c7f57f22d03f2abba206b0bdc54dcdfb02d6a8278ce088231eced1|false|
 |PATH_CONTEXT|The location of the path to run s2i from.|.|false|
 |TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false|
 |IMAGE|Location of the repo where image has to be pushed||true|
-|BUILDER_IMAGE|The location of the buildah builder image.|registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af|false|
+|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false|
 |DOCKER_AUTH|unused, should be removed in next task version|""|false|
 |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
 |MAVEN_MIRROR_URL|The base URL of a mirror used for retrieving artifacts|""|false|
+|COMMIT_SHA|The image is built from this commit.|""|false|
 
 ## Results
 |name|description|
 |---|---|
 |IMAGE_DIGEST|Digest of the image just built|
 |IMAGE_URL|Image repository where the built image was pushed|
+|IMAGE_REF|Image reference of the built image|
 |BASE_IMAGES_DIGESTS|Digests of the base images used for build|
 
 ## Workspaces