From e5ac710482d744145dae081cc8021c35288130c4 Mon Sep 17 00:00:00 2001 From: arewm Date: Wed, 17 Jul 2024 11:17:00 -0400 Subject: [PATCH 1/3] Enable users to be able to provide their own config.toml This removes the default configuration (which also removes a default user and password from being injected into all images), instead deferring to the config.toml which is present in the source repository. If an invalid config file is provided, the build will fail. Otherwise, the task will use a config.toml file if it is present in the repository root or it will create an empty config file to use. Signed-off-by: arewm --- task/build-vm-image/0.1/build-vm-image.yaml | 30 ++++++++++++++++----- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/task/build-vm-image/0.1/build-vm-image.yaml b/task/build-vm-image/0.1/build-vm-image.yaml index 1d186fee1d..a756ad2a64 100644 --- a/task/build-vm-image/0.1/build-vm-image.yaml +++ b/task/build-vm-image/0.1/build-vm-image.yaml @@ -26,6 +26,10 @@ spec: default: bib.yaml type: string description: The config file specifying what to build and the builder to build it with + - name: CONFIG_TOML_FILE + default: "" + type: string + description: The path for the config.toml file within the source repository - default: etc-pki-entitlement description: Name of secret which contains the entitlement certificates name: ENTITLEMENT_SECRET @@ -45,6 +49,8 @@ spec: value: $(params.OUTPUT_IMAGE) - name: BIB_CONFIG_FILE value: $(params.BIB_CONFIG_FILE) + - name: CONFIG_TOML_FILE + value: $(params.CONFIG_TOML_FILE) - name: IMAGE_TYPE value: $(params.IMAGE_TYPE) - name: ENTITLEMENT_SECRET 
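Review bot: The description of the new `CONFIG_TOML_FILE` parameter does not say what the empty default means. Going by the script change later in this patch, an empty value selects `config.toml` in the repository root when it exists and an empty configuration otherwise. I would state that in the parameter itself, for example `description: Path to the config.toml within the source repository, relative to its root. When empty, config.toml in the repository root is used if present, otherwise an empty configuration is used.`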
@@ -148,6 +154,22 @@ spec: echo "$BUILD_DIR" ssh -v $SSH_ARGS "$SSH_HOST" mkdir -p "$BUILD_DIR/workspaces" "$BUILD_DIR/scripts" "$BUILD_DIR/tmp" "$BUILD_DIR/tekton-results" "$BUILD_DIR/entitlement" + if [ ! -n "${CONFIG_TOML_FILE}" ]; then + echo "No CONFIG_TOML_FILE specified" + export CONFIG_TOML_FILE=config.toml + if [ -f /var/workdir/source/config.toml ]; then + echo "Using the config.toml file found in the repository root!" + echo " Remove the config.toml file or set params.CONFIG_TOML_FILE to another file to prevent using config.toml." + else + echo "No config.toml file found. Using an empty configuration." + touch /var/workdir/source/$CONFIG_TOML_FILE + fi + fi + echo "Using the following config.toml file $CONFIG_TOML_FILE:" + cat /var/workdir/source/$CONFIG_TOML_FILE + + + rsync -ra "/var/workdir/source/$CONFIG_TOML_FILE" "$SSH_HOST:$BUILD_DIR/config.toml" rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/" rsync -ra /entitlement/ "$SSH_HOST:$BUILD_DIR/entitlement/" 
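Review bot: The added `cat /var/workdir/source/$CONFIG_TOML_FILE` writes the whole file to the task log, and since the commit message notes that the old default config carried a user and password, a repository-supplied config.toml may well hold credentials or SSH keys that would then sit in the build logs; I would drop the `cat` and keep only the `echo` that names the file. `CONFIG_TOML_FILE` is also appended to `/var/workdir/source/` unquoted and without checking that the result stays inside the checkout, while the neighbouring lines show `$HOME/.docker/` and `/entitlement/` readable in the same step, so a value containing `..` or pointing at a symlink could end up copying (and, with the `cat`, printing) something other than the repository's config. A guard before the `rsync` such as `case "$(realpath -e "/var/workdir/source/${CONFIG_TOML_FILE}")" in /var/workdir/source/*) ;; *) echo "CONFIG_TOML_FILE must stay inside the source repository" >&2; exit 1 ;; esac` would cover both the missing-file and the escape case, assuming `realpath` is available in the step image. `[ ! -n "${CONFIG_TOML_FILE}" ]` reads more clearly as `[ -z "${CONFIG_TOML_FILE}" ]`, and the path given to `touch` should be quoted too. The enclosing script starts and ends outside this hunk.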
@@ -175,12 +197,6 @@ spec: # this quoted heredoc prevents expansions and command substitutions. the env vars are evaluated on the remote vm cat >>scripts/script-build.sh <<'REMOTESSHEOF' - echo >config.toml < Date: Mon, 22 Jul 2024 11:52:48 +0200 Subject: [PATCH 2/3] `IMAGE_REF` result from image building Tasks This helps in the reuse of the results when using matrix feature of Tekton. Given that the concatenation of two results from matrix-spawned Tasks is not supported, e.g. $(tasks.build-container-multiarch.results.IMAGE_URL[*])@$(tasks.build-container-multiarch.results.IMAGE_DIGEST[*]) will not expand correctly. This produces the image reference in full in the `IMAGE_REF` result, so the result from the matrix-spawned Tasks can be referenced using: $(tasks.build-container-multiarch.results.IMAGE_REF[*]) Reference: https://issues.redhat.com/browse/EC-654 --- task/buildah-oci-ta/0.2/README.md | 1 + task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 6 +++ .../0.2/buildah-remote-oci-ta.yaml | 6 +++ task/buildah-remote/0.2/README.md | 48 +++++++++++++++++++ task/buildah-remote/0.2/buildah-remote.yaml | 6 +++ task/buildah/0.2/README.md | 3 +- task/buildah/0.2/buildah.yaml | 6 +++ task/oci-copy-oci-ta/0.1/README.md | 1 + task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml | 3 ++ task/oci-copy/0.1/README.md | 1 + task/oci-copy/0.1/oci-copy.yaml | 3 ++ task/rpm-ostree/0.1/README.md | 31 ++++++++++++ task/rpm-ostree/0.1/rpm-ostree.yaml | 6 +++ task/s2i-java/0.1/README.md | 4 +- task/s2i-java/0.1/s2i-java.yaml | 6 +++ task/s2i-nodejs/0.1/README.md | 6 ++- task/s2i-nodejs/0.1/s2i-nodejs.yaml | 6 +++ task/source-build-oci-ta/0.1/README.md | 1 + .../0.1/source-build-oci-ta.yaml | 3 ++ task/source-build/0.1/README.md | 1 + task/source-build/0.1/source-build.yaml | 3 ++ task/tkn-bundle/0.1/README.md | 9 ++-- task/tkn-bundle/0.1/tkn-bundle.yaml | 6 ++- 23 files changed, 156 insertions(+), 10 deletions(-) create mode 100644 task/buildah-remote/0.2/README.md create mode 100644 
task/rpm-ostree/0.1/README.md diff --git a/task/buildah-oci-ta/0.2/README.md b/task/buildah-oci-ta/0.2/README.md index 532e96b0c1..bfa06e6cee 100644 --- a/task/buildah-oci-ta/0.2/README.md +++ b/task/buildah-oci-ta/0.2/README.md @@ -38,6 +38,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| +|IMAGE_REF|Image reference of the built image| |IMAGE_URL|Image repository where the built image was pushed| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 1551ce3577..952535b8e6 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -129,6 +129,8 @@ spec: results: - name: IMAGE_DIGEST description: Digest of the image just built + - name: IMAGE_REF + description: Image reference of the built image - name: IMAGE_URL description: Image repository where the built image was pushed - name: JAVA_COMMUNITY_DEPENDENCIES @@ -559,6 +561,10 @@ spec: cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "/var/workdir/image-digest" + } >"$(results.IMAGE_REF.path)" securityContext: capabilities: add: diff --git a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml index 45baf3dc00..95acc3aa74 100644 --- a/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml +++ b/task/buildah-remote-oci-ta/0.2/buildah-remote-oci-ta.yaml 
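Review bot: In the `@@ -559,6 +561,10 @@` hunk of buildah-oci-ta.yaml the new group that writes `IMAGE_REF` reads `image-digest` a second time and never checks it, so a missing or empty digest file would leave the result as `${IMAGE}@` unless the script runs under `set -e`, which is not visible in this hunk. As `IMAGE_REF` is presumably the value later verification steps will resolve, I would read the digest once and stop when it is empty: `digest="$(cat /var/workdir/image-digest)"`, `[ -n "$digest" ] || { echo "empty image digest" >&2; exit 1; }`, `echo -n "${IMAGE}@${digest}" >"$(results.IMAGE_REF.path)"`. The same applies to the matching hunks in buildah-remote-oci-ta, buildah-remote, buildah, rpm-ostree, s2i-java and s2i-nodejs. The result description could also say that the value keeps the tag from `IMAGE`, i.e. `repo:tag@sha256:…`, so consumers know the digest is the part that pins the image.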
@@ -130,6 +130,8 @@ spec: results: - description: Digest of the image just built name: IMAGE_DIGEST + - description: Image reference of the built image + name: IMAGE_REF - description: Image repository where the built image was pushed name: IMAGE_URL - description: The Java dependencies that came from community sources such as Maven @@ -630,6 +632,10 @@ spec: cat "/var/workdir"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "/var/workdir/image-digest" + } >"$(results.IMAGE_REF.path)" securityContext: capabilities: add: diff --git a/task/buildah-remote/0.2/README.md b/task/buildah-remote/0.2/README.md new file mode 100644 index 0000000000..71b2baa59b --- /dev/null +++ b/task/buildah-remote/0.2/README.md 
@@ -0,0 +1,48 @@ +# buildah-remote task + +Buildah task builds source code into a container image and pushes the image into container registry using buildah tool. +In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool. +When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts. +When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment. + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|IMAGE|Reference of the image buildah will produce.||true| +|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| +|CONTEXT|Path to the directory to use as context.|.|false| +|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| +|HERMETIC|Determines if build will be executed without network access.|false|false| +|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| +|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| +|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false| +|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false| +|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false| +|TARGET_STAGE|Target stage in Dockerfile to build. 
If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false| +|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false| +|ACTIVATION_KEY|Name of secret which contains subscription activation key|activation-key|false| +|ADDITIONAL_SECRET|Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET|does-not-exist|false| +|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false| +|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false| +|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false| +|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false| +|ADD_CAPABILITIES|Comma separated list of extra capabilities to add when running 'buildah build'|""|false| +|SQUASH|Squash all new and previous layers added as a part of this build, as per --squash|false|false| +|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false| +|SKIP_UNUSED_STAGES|Whether to skip stages in Containerfile that seem unused by subsequent stages|true|false| +|PLATFORM|The platform to build on||true| + +## Results +|name|description| +|---|---| +|IMAGE_DIGEST|Digest of the image just built| +|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| +|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| +|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| + +## Workspaces +|name|description|optional| +|---|---|---| +|source|Workspace containing the source code to build.|false| diff --git a/task/buildah-remote/0.2/buildah-remote.yaml b/task/buildah-remote/0.2/buildah-remote.yaml index 1c405b0103..97db9ded53 100644 
--- a/task/buildah-remote/0.2/buildah-remote.yaml +++ b/task/buildah-remote/0.2/buildah-remote.yaml @@ -123,6 +123,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: The counting of Java components by publisher in JSON format name: SBOM_JAVA_COMPONENTS_COUNT type: string @@ -612,6 +614,10 @@ spec: cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" securityContext: capabilities: add: diff --git a/task/buildah/0.2/README.md b/task/buildah/0.2/README.md index a9da914b81..5dabbe3e4f 100644 --- a/task/buildah/0.2/README.md +++ b/task/buildah/0.2/README.md @@ -9,11 +9,9 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |name|description|default value|required| |---|---|---|---| |IMAGE|Reference of the image buildah will produce.||true| -|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false| |DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false| |CONTEXT|Path to the directory to use as context.|.|false| |TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| -|DOCKER_AUTH|unused, should be removed in next task version|""|false| |HERMETIC|Determines if build will be executed without network access.|false|false| |PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false| |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| 
@@ -39,6 +37,7 @@ When prefetch-dependencies task was activated it is using its artifacts to run b |---|---| |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index fbca62f1d6..aefbf3757e 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml @@ -109,6 +109,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - name: SBOM_JAVA_COMPONENTS_COUNT description: The counting of Java components by publisher in JSON format type: string @@ -509,6 +511,10 @@ spec: cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" securityContext: runAsUser: 0 diff --git a/task/oci-copy-oci-ta/0.1/README.md b/task/oci-copy-oci-ta/0.1/README.md index 0067af0fad..65162767f5 100644 --- a/task/oci-copy-oci-ta/0.1/README.md +++ b/task/oci-copy-oci-ta/0.1/README.md @@ -14,6 +14,7 @@ Given a file in the user's source directory, copy content from arbitrary urls in |name|description| |---|---| |IMAGE_DIGEST|Digest of the artifact just pushed| +|IMAGE_REF|Image reference of the built image| |IMAGE_URL|Repository where the artifact was pushed| |SBOM_BLOB_URL|Link to the SBOM blob pushed to the registry.| diff --git a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml index 65f3f65d4d..4450b27fdd 100644 --- a/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml 
+++ b/task/oci-copy-oci-ta/0.1/oci-copy-oci-ta.yaml @@ -35,6 +35,8 @@ spec: results: - name: IMAGE_DIGEST description: Digest of the artifact just pushed + - name: IMAGE_REF + description: Image reference of the built image - name: IMAGE_URL description: Repository where the artifact was pushed - name: SBOM_BLOB_URL @@ -193,6 +195,7 @@ spec: RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}") echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)" echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)" + echo -n "${IMAGE}@${RESULTING_DIGEST}" >"$(results.IMAGE_REF.path)" computeResources: limits: memory: 1Gi diff --git a/task/oci-copy/0.1/README.md b/task/oci-copy/0.1/README.md index 8bec2f57ff..ce8b1cef73 100644 --- a/task/oci-copy/0.1/README.md +++ b/task/oci-copy/0.1/README.md @@ -22,6 +22,7 @@ Note: the bearer token secret, if specified, will be sent to **all servers liste |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| |SBOM_BLOB_URL|Link to the SBOM blob pushed to the registry.| +|IMAGE_REF|Image reference of the built image| ## Workspaces |name|description|optional| diff --git a/task/oci-copy/0.1/oci-copy.yaml b/task/oci-copy/0.1/oci-copy.yaml index 58407d9c2f..d6e27d5ea5 100644 --- a/task/oci-copy/0.1/oci-copy.yaml +++ b/task/oci-copy/0.1/oci-copy.yaml @@ -32,6 +32,8 @@ spec: name: IMAGE_URL - description: Link to the SBOM blob pushed to the registry. name: SBOM_BLOB_URL + - name: IMAGE_REF + description: Image reference of the built image stepTemplate: env: - name: OCI_COPY_FILE @@ -178,6 +180,7 @@ spec: RESULTING_DIGEST=$(oras resolve --registry-config auth.json "${IMAGE}") echo -n "$RESULTING_DIGEST" | tee "$(results.IMAGE_DIGEST.path)" echo -n "$IMAGE" | tee "$(results.IMAGE_URL.path)" + echo -n "${IMAGE}@${RESULTING_DIGEST}" >"$(results.IMAGE_REF.path)" volumeMounts: - mountPath: /var/lib/containers name: varlibcontainers 
diff --git a/task/rpm-ostree/0.1/README.md b/task/rpm-ostree/0.1/README.md new file mode 100644 index 0000000000..44b86d3fc0 --- /dev/null +++ b/task/rpm-ostree/0.1/README.md @@ -0,0 +1,31 @@ +# rpm-ostree task + +RPM Ostree + +## Parameters +|name|description|default value|required| +|---|---|---|---| +|IMAGE|Reference of the image rpm-ostree will produce.||true| +|BUILDER_IMAGE|The location of the rpm-ostree builder image.|quay.io/redhat-user-workloads/project-sagano-tenant/ostree-builder/ostree-builder-fedora-38:d124414a81d17f31b1d734236f55272a241703d7|false| +|CONTEXT|Path to the directory to use as context.|.|false| +|IMAGE_FILE|The file to use to build the image||true| +|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| +|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| +|PLATFORM|The platform to build on||true| +|CONFIG_FILE|The relative path of the file used to configure the rpm-ostree tool found in source control. See https://github.com/coreos/rpm-ostree/blob/main/docs/container.md#adding-container-image-configuration|""|false| +|HERMETIC|Determines if build will be executed without network access.|false|false| + +## Results +|name|description| +|---|---| +|IMAGE_DIGEST|Digest of the image just built| +|IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| +|BASE_IMAGES_DIGESTS|Digests of the base images used for build| +|SBOM_BLOB_URL|Reference, including digest to the SBOM blob| + +## Workspaces +|name|description|optional| +|---|---|---| +|source|Workspace containing the source code to build.|false| diff --git a/task/rpm-ostree/0.1/rpm-ostree.yaml b/task/rpm-ostree/0.1/rpm-ostree.yaml index b24e79d395..560665af25 100644 
--- a/task/rpm-ostree/0.1/rpm-ostree.yaml +++ b/task/rpm-ostree/0.1/rpm-ostree.yaml @@ -60,6 +60,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS - name: SBOM_BLOB_URL @@ -260,6 +262,10 @@ spec: cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } >"$(results.IMAGE_REF.path)" # Remove tag from IMAGE while allowing registry to contain a port number. sbom_repo="${IMAGE%:*}" diff --git a/task/s2i-java/0.1/README.md b/task/s2i-java/0.1/README.md index 0fa13a1e9a..617012f20d 100644 --- a/task/s2i-java/0.1/README.md +++ b/task/s2i-java/0.1/README.md 
@@ -12,15 +12,17 @@ When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup |PATH_CONTEXT|The location of the path to run s2i from|.|false| |TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| |IMAGE|Location of the repo where image has to be pushed||true| -|BUILDER_IMAGE|The location of the buildah builder image.|registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af|false| +|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false| |DOCKER_AUTH|unused, should be removed in next task version|""|false| |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| ## Results |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| |SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format| |JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.| diff --git a/task/s2i-java/0.1/s2i-java.yaml b/task/s2i-java/0.1/s2i-java.yaml index aa131be0c3..b55e26c015 100644 --- a/task/s2i-java/0.1/s2i-java.yaml +++ b/task/s2i-java/0.1/s2i-java.yaml @@ -56,6 +56,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS - name: SBOM_JAVA_COMPONENTS_COUNT 
@@ -253,6 +255,10 @@ spec: docker://$IMAGE cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" securityContext: runAsUser: 0 diff --git a/task/s2i-nodejs/0.1/README.md b/task/s2i-nodejs/0.1/README.md index d06149ce66..dca3d57a4d 100644 --- a/task/s2i-nodejs/0.1/README.md +++ b/task/s2i-nodejs/0.1/README.md 
@@ -7,20 +7,22 @@ In addition it generates a SBOM file, injects the SBOM file into final container ## Parameters |name|description|default value|required| |---|---|---|---| -|BASE_IMAGE|NodeJS builder image|registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583|false| +|BASE_IMAGE|NodeJS builder image|registry.access.redhat.com/ubi9/nodejs-16:1-75.1669634583@sha256:c17111ec54c7f57f22d03f2abba206b0bdc54dcdfb02d6a8278ce088231eced1|false| |PATH_CONTEXT|The location of the path to run s2i from.|.|false| |TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false| |IMAGE|Location of the repo where image has to be pushed||true| -|BUILDER_IMAGE|The location of the buildah builder image.|registry.access.redhat.com/ubi9/buildah:9.1.0-5@sha256:30eac1803d669d58c033838076a946156e49018e0d4f066d94896f0cc32030af|false| +|BUILDER_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false| |DOCKER_AUTH|unused, should be removed in next task version|""|false| |IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false| |MAVEN_MIRROR_URL|The base URL of a mirror used for retrieving artifacts|""|false| +|COMMIT_SHA|The image is built from this commit.|""|false| ## Results |name|description| |---|---| |IMAGE_DIGEST|Digest of the image just built| |IMAGE_URL|Image repository where the built image was pushed| +|IMAGE_REF|Image reference of the built image| |BASE_IMAGES_DIGESTS|Digests of the base images used for build| ## Workspaces diff --git a/task/s2i-nodejs/0.1/s2i-nodejs.yaml b/task/s2i-nodejs/0.1/s2i-nodejs.yaml index c6028fcadf..227a7798f0 100644 --- a/task/s2i-nodejs/0.1/s2i-nodejs.yaml +++ b/task/s2i-nodejs/0.1/s2i-nodejs.yaml 
@@ -74,6 +74,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF - description: Digests of the base images used for build name: BASE_IMAGES_DIGESTS steps: @@ -221,6 +223,10 @@ spec: docker://$IMAGE cat "$(workspaces.source.path)"/image-digest | tee $(results.IMAGE_DIGEST.path) echo -n "$IMAGE" | tee $(results.IMAGE_URL.path) + { + echo -n "${IMAGE}@" + cat "$(workspaces.source.path)/image-digest" + } > "$(results.IMAGE_REF.path)" securityContext: runAsUser: 0 diff --git a/task/source-build-oci-ta/0.1/README.md b/task/source-build-oci-ta/0.1/README.md index 5f00e17afa..714c9a3018 100644 --- a/task/source-build-oci-ta/0.1/README.md +++ b/task/source-build-oci-ta/0.1/README.md @@ -14,6 +14,7 @@ Source image build. |name|description| |---|---| |BUILD_RESULT|Build result.| +|IMAGE_REF|Image reference of the built image| |SOURCE_IMAGE_DIGEST|The source image digest.| |SOURCE_IMAGE_URL|The source image url.| diff --git a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml index dea325777c..5ca7b44264 100644 --- a/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml +++ b/task/source-build-oci-ta/0.1/source-build-oci-ta.yaml @@ -35,6 +35,8 @@ spec: results: - name: BUILD_RESULT description: Build result. + - name: IMAGE_REF + description: Image reference of the built image - name: SOURCE_IMAGE_DIGEST description: The source image digest. - name: SOURCE_IMAGE_URL @@ -156,6 +158,7 @@ spec: cat "$RESULT_FILE" | jq -j ".image_url" >"$RESULT_SOURCE_IMAGE_URL" cat "$RESULT_FILE" | jq -j ".image_digest" >"$RESULT_SOURCE_IMAGE_DIGEST" + jq -j '"\(.image_url)@\(.image_digest)"' "${RESULT_FILE}" >"$(results.IMAGE_REF.path)" cp "$RESULT_FILE" "$WS_BUILD_RESULT_FILE" computeResources: diff --git a/task/source-build/0.1/README.md b/task/source-build/0.1/README.md index f81fac13aa..148ec06ebe 100644 
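Review bot: In source-build-oci-ta.yaml the added `jq -j '"\(.image_url)@\(.image_digest)"'` writes `null@null` (or a half-filled reference) to `IMAGE_REF` when either key is absent from `$RESULT_FILE`, and jq still exits 0. I would make it fail closed with `jq -ej 'select(.image_url and .image_digest) | "\(.image_url)@\(.image_digest)"' "${RESULT_FILE}" >"$(results.IMAGE_REF.path)"`, which returns non-zero when nothing is produced; whether that aborts the step depends on error handling outside this hunk. The description `Image reference of the built image` is also ambiguous in this task, whose other results describe the source image, so `Image reference (url@digest) of the source image` would fit better. The same line is added in source-build.yaml.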
--- a/task/source-build/0.1/README.md +++ b/task/source-build/0.1/README.md @@ -14,6 +14,7 @@ Source image build. |BUILD_RESULT|Build result.| |SOURCE_IMAGE_URL|The source image url.| |SOURCE_IMAGE_DIGEST|The source image digest.| +|IMAGE_REF|Image reference of the built image| ## Workspaces |name|description|optional| diff --git a/task/source-build/0.1/source-build.yaml b/task/source-build/0.1/source-build.yaml index e24ad9a0ac..15ad65c47f 100644 --- a/task/source-build/0.1/source-build.yaml +++ b/task/source-build/0.1/source-build.yaml @@ -29,6 +29,8 @@ spec: description: The source image url. - name: SOURCE_IMAGE_DIGEST description: The source image digest. + - name: IMAGE_REF + description: Image reference of the built image workspaces: - name: workspace description: The workspace where source code is included. @@ -157,5 +159,6 @@ spec: cat "$RESULT_FILE" | jq -j ".image_url" >"$RESULT_SOURCE_IMAGE_URL" cat "$RESULT_FILE" | jq -j ".image_digest" >"$RESULT_SOURCE_IMAGE_DIGEST" + jq -j '"\(.image_url)@\(.image_digest)"' "${RESULT_FILE}" >"$(results.IMAGE_REF.path)" cp "$RESULT_FILE" "$WS_BUILD_RESULT_FILE" diff --git a/task/tkn-bundle/0.1/README.md b/task/tkn-bundle/0.1/README.md index 09100bea33..2c317a2db5 100644 --- a/task/tkn-bundle/0.1/README.md +++ b/task/tkn-bundle/0.1/README.md 
@@ -45,7 +45,8 @@ Only the `0.1/tkn-bundle.yaml` file will be included in the bundle. The task emits the following results. -| Name | Example | Description | -|--------------|-------------------------|-----------------------------------------------------------------| -| IMAGE_URL | registry.io/my-task:tag | Image repository where the built image was pushed with tag only | -| IMAGE_DIGEST | abc... | Digest of the image just built | +| Name | Example | Description | +|--------------|---------------------------------------|-----------------------------------------------------------------| +| IMAGE_URL | registry.io/my-task:tag | Image repository where the built image was pushed with tag only | +| IMAGE_DIGEST | abc... | Digest of the image just built | +| IMAGE_REF | registry.io/my-task:tag@sha256:abc... | Image reference of the built image | diff --git a/task/tkn-bundle/0.1/tkn-bundle.yaml b/task/tkn-bundle/0.1/tkn-bundle.yaml index d5f25a8656..7d0dbdf909 100644 --- a/task/tkn-bundle/0.1/tkn-bundle.yaml +++ b/task/tkn-bundle/0.1/tkn-bundle.yaml @@ -32,6 +32,8 @@ spec: name: IMAGE_DIGEST - description: Image repository where the built image was pushed with tag only name: IMAGE_URL + - description: Image reference of the built image + name: IMAGE_REF stepTemplate: env: - name: HOME @@ -134,7 +136,9 @@ spec: $(printf ' -f %s' "${FILES[@]}") \ |tee /proc/self/fd/3)" echo -n "$IMAGE" > $(results.IMAGE_URL.path) - echo -n "${OUT#*Pushed Tekton Bundle to *@}" > $(results.IMAGE_DIGEST.path) + digest="${OUT#*Pushed Tekton Bundle to *@}" + echo -n "${digest}" > $(results.IMAGE_DIGEST.path) + echo -n "${IMAGE}@${digest}" > "$(results.IMAGE_REF.path)" # cleanup task file [[ -f "${TASK_FILE}" ]] && rm -f "${TASK_FILE}" From 641a8113d69c57418919d6f88bcaff1ee6fb5651 Mon Sep 17 00:00:00 2001 
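Review bot: `digest="${OUT#*Pushed Tekton Bundle to *@}"` in tkn-bundle.yaml leaves `OUT` unchanged when the expected "Pushed Tekton Bundle to …@…" text is not in the output, so `IMAGE_DIGEST` and now `IMAGE_REF` would receive the entire command output instead of a digest. That fallback predates this change for `IMAGE_DIGEST`, but `IMAGE_REF` is the value later tasks are expected to resolve, so I would validate before writing the results: `[[ "${digest}" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "could not parse digest from tkn bundle push output" >&2; exit 1; }` (assuming the digest is always sha256, as the README example suggests). The `IMAGE_URL` and `IMAGE_DIGEST` redirect targets are also still unquoted, unlike the new `IMAGE_REF` line.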
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 15 Jul 2024 18:44:57 +0000 Subject: [PATCH 3/3] chore(deps): update quay.io/opdev/preflight:stable docker digest to e4707e5
--- .../0.1/ecosystem-cert-preflight-checks.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/task/ecosystem-cert-preflight-checks/0.1/ecosystem-cert-preflight-checks.yaml b/task/ecosystem-cert-preflight-checks/0.1/ecosystem-cert-preflight-checks.yaml
index 81a31e6255..908515cbc8 100644
--- a/task/ecosystem-cert-preflight-checks/0.1/ecosystem-cert-preflight-checks.yaml
+++ b/task/ecosystem-cert-preflight-checks/0.1/ecosystem-cert-preflight-checks.yaml
@@ -13,7 +13,7 @@ spec:
 description: Preflight pass or fail outcome.
 steps:
 - name: check-container
- image: quay.io/opdev/preflight:stable@sha256:add15669e17a86d807be05671f3c9834161d7af6f41bf4a50969be2da0487fbc
+ image: quay.io/opdev/preflight:stable@sha256:e4707e5f3a61c737c9b5f04d2ebe45675fde2d1c72b65df9152e8a053acd6c61
 args: ["check", "container", "$(params.image-url)"]
 env:
 - name: PFLT_DOCKERCONFIG