
Guard Task execution via changed files
The new Task in `.tekton/tasks/task-switchboard.yaml` produces a list of
bindings that evaluate to true for a particular pull request as an array
result. Given this result, Tasks can be guarded, e.g. using `when`
expressions to limit when a Task in the Pipeline needs to run.
This way we can skip expensive Tasks that are unrelated to the change
done in the pull request.

Similar to work in konflux-ci#1188 and konflux-ci#524, with the distinction that the
PipelineRun is executed, only potentially not in full.
zregvart committed Nov 11, 2024
1 parent 156fddc commit 66a6ffc
Showing 3 changed files with 98 additions and 3 deletions.
47 changes: 44 additions & 3 deletions .tekton/pull-request.yaml
Expand Up @@ -5,7 +5,7 @@ metadata:
name: build-definitions-pull-request
annotations:
pipelinesascode.tekton.dev/on-cel-expression: (event == "pull_request" && target_branch == "main" && ( !has(body.pull_request) || !body.pull_request.draft) ) || (event == "push" && target_branch.startsWith("gh-readonly-queue/main/"))
pipelinesascode.tekton.dev/task: "[task/git-clone/0.1/git-clone.yaml, .tekton/tasks/buildah.yaml, .tekton/tasks/task-lint.yaml, .tekton/tasks/e2e-test.yaml, task/sast-snyk-check/0.2/sast-snyk-check.yaml, task/sast-unicode-check/0.1/sast-unicode-check.yaml]"
pipelinesascode.tekton.dev/task: "[task/git-clone/0.1/git-clone.yaml, .tekton/tasks/buildah.yaml, .tekton/tasks/task-lint.yaml, .tekton/tasks/e2e-test.yaml, task/sast-snyk-check/0.2/sast-snyk-check.yaml, task/sast-unicode-check/0.1/sast-unicode-check.yaml, .tekton/tasks/task-switchboard.yaml]"
pipelinesascode.tekton.dev/max-keep-runs: "5"
spec:
params:
Expand Down Expand Up @@ -36,7 +36,26 @@ spec:
value: $(params.revision)
- name: depth
value: "0"
- name: task-switchboard
taskRef:
name: task-switchboard
params:
- name: pr_number
value: "{{ pull_request_number }}"
- name: utils_image
value: quay.io/konflux-ci/pull-request-builds:appstudio-utils-{{revision}}
- expressions:
- tasks := strings.any_prefix_match(input, "task/")
- tasks_pipelines := strings.any_prefix_match(input, ["task/", "pipelines/"])
- e2e_tests := strings.any_prefix_match(input, ["task/", "pipelines/"])
- check_partner_tasks := strings.any_prefix_match(input, "partners/")
runAfter:
- build-appstudio-utils
- name: task-lint-check
when:
- input: "tasks"
operator: "in"
values: ["$(tasks.task-switchboard.results.bindings[*])"]
runAfter:
- fetch-repository
taskRef:
Expand Down Expand Up @@ -74,6 +93,10 @@ spec:
- name: source
workspace: workspace
- name: check-partner-tasks
when:
- input: "check_partner_tasks"
operator: "in"
values: ["$(tasks.task-switchboard.results.bindings[*])"]
runAfter:
- build-appstudio-utils
taskSpec:
Expand Down Expand Up @@ -125,13 +148,15 @@ spec:
- name: source
workspace: workspace
- name: build-bundles
when:
- input: "tasks_pipelines"
operator: "in"
values: ["$(tasks.task-switchboard.results.bindings[*])"]
params:
- name: revision
value: "{{ revision }}"
- name: e2e_test_namespace
value: $(params.e2e_test_namespace)
runAfter:
- build-appstudio-utils
workspaces:
- name: source
workspace: workspace
Expand Down Expand Up @@ -174,6 +199,10 @@ spec:
workspaces:
- name: source
- name: e2e-tests
when:
- input: "e2e_tests"
operator: "in"
values: ["$(tasks.task-switchboard.results.bindings[*])"]
params:
- name: e2e_test_namespace
value: $(params.e2e_test_namespace)
Expand All @@ -198,6 +227,10 @@ spec:
# Added a timeout due to https://issues.redhat.com/browse/STONEBLD-2265
timeout: "2h"
- name: check-task-pipeline-repo-existence
when:
- input: "tasks_pipelines"
operator: "in"
values: ["$(tasks.task-switchboard.results.bindings[*])"]
runAfter:
- build-bundles
taskSpec:
Expand All @@ -214,6 +247,10 @@ spec:
- name: source
workspace: workspace
- name: ec-task-checks
when:
- input: "tasks_pipelines"
operator: "in"
values: ["$(tasks.task-switchboard.results.bindings[*])"]
runAfter:
- fetch-repository
taskRef:
Expand All @@ -222,6 +259,10 @@ spec:
- name: source
workspace: workspace
- name: check-task-migration-md
when:
- input: "tasks"
operator: "in"
values: ["$(tasks.task-switchboard.results.bindings[*])"]
runAfter:
- fetch-repository
taskSpec:
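Review bot: The switchboard expressions only match the prefixes `task/`, `pipelines/` and `partners/`, so a pull request that touches none of them skips every guarded Task, including `task-lint-check`, `ec-task-checks` and `e2e-tests`. This commit is itself such a change: it edits only `.tekton/` and `appstudio-utils/Dockerfile`, that is the pipeline definition and the utility image the switchboard runs in, and none of the four bindings would be true for it. Consider treating the CI inputs as triggers too, e.g. `- e2e_tests := strings.any_prefix_match(input, ["task/", "pipelines/", ".tekton/", "appstudio-utils/"])`, and add a comment above the expressions saying that an unmatched path means the check is skipped, not passed. Separately, as rendered here the third param is written `- expressions:` rather than in the `- name: expressions` / `value:` form its two siblings use; if that is how the file reads, the Task's `expressions` array would not be bound as intended.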
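--- a/.tekton/tasks/task-switchboard.yaml
+++ b/.tekton/tasks/task-switchboard.yaml
@@ -0,0 +1,53 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+name: task-switchboard
+labels:
+app.kubernetes.io/version: "0.1"
+annotations:
+tekton.dev/pipelines.minVersion: "0.12.1"
+tekton.dev/displayName: Task Switchboard
+tekton.dev/platforms: "linux/amd64"
+spec:
+description: "Computes a set of expressions based on the changed files in the
+pipeline, used to determine which tasks to run"
+params:
+- name: pr_number
+type: string
+- name: utils_image
+type: string
+- name: expressions
+type: array
+results:
+- name: bindings
+type: array
+steps:
+- name: list-changed-files
+image: $(params.utils_image)
+env:
+- name: GITHUB_TOKEN
+valueFrom:
+secretKeyRef:
+name: "{{ git_auth_secret }}"
+key: "git-provider-token"
+args:
+- "$(params.expressions[*])"
+script: |
+#!/bin/bash
+set -o errexit
+set -o nounset
+set -o pipefail
+rules="$(mktemp -d)"
+trap 'rm -rf "${rules}"' EXIT
+for ((i=1; i<=$#; ++i)); do
+printf "package rule\n%s" "${!i}" > "${rules}/$i.rego"
+done
+ec opa check --v1-compatible "${rules}"
+printf '%s\n' "$@" \
+| ec opa eval --v1-compatible --stdin --format bindings --input \
+<(gh pr view "https://github.com/konflux-ci/build-definitions/pull/$(params.pr_number)" --json files --jq '.files.[].path') \
+| jq '[to_entries | .[] | select(.value == true) | .key]' \
+| tee "$(results.bindings.path)"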
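Review bot: The `list-changed-files` step is given `GITHUB_TOKEN` from `{{ git_auth_secret }}` while its image is whatever `utils_image` names, and the pipeline passes an image tagged with the pull request's own revision, so code built from the PR appears to run with the git provider token. Consider making the `gh pr view` call in a step that uses a fixed, digest-pinned image and handing only the resulting file list to the evaluation step, so the token never reaches a PR-built container. In addition, `$(params.pr_number)` is substituted into the script text before bash parses it; pass it through the environment instead (`- name: PR_NUMBER` with `value: $(params.pr_number)`, then `"${PR_NUMBER}"` in the URL), the way `expressions` already goes through `args`. It is also worth confirming that `gh pr view --json files` returns the complete file list for very large pull requests, because a truncated list would silently turn the guards off.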
1 change: 1 addition & 0 deletions appstudio-utils/Dockerfile
Expand Up @@ -8,6 +8,7 @@ RUN curl -L https://github.com/tektoncd/cli/releases/download/v0.32.2/tkn_0.32.2
RUN curl -L https://github.com/sigstore/rekor/releases/download/v0.5.0/rekor-cli-linux-amd64 -o /usr/bin/rekor-cli && chmod +x /usr/bin/rekor-cli
RUN curl -L https://github.com/open-policy-agent/conftest/releases/download/v0.32.0/conftest_0.32.0_Linux_x86_64.tar.gz | tar -xz --no-same-owner -C /usr/bin
RUN curl -L https://github.com/enterprise-contract/ec-cli/releases/download/snapshot/ec_linux_amd64 -o /usr/bin/ec && chmod +x /usr/bin/ec && ec version
RUN curl -L https://github.com/cli/cli/releases/download/v2.60.1/gh_2.60.1_linux_amd64.tar.gz | tar -xz -C /usr/bin --wildcards "gh_*/bin/gh" --strip-components=2 --no-same-owner

RUN dnf -y --setopt=tsflags=nodocs install \
git \
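Review bot: The added `gh` download is piped from `curl` straight into `tar` with no integrity check, so the image trusts whatever the release URL serves at build time; the version is pinned to v2.60.1 but the content is not. Download the tarball to a file, verify it with `sha256sum -c` against the checksum published for that release (written here as the placeholder `<SHA256_OF_GH_TARBALL>`), and only then extract it. Using `curl -fL` would also make an HTTP error fail the build step directly instead of relying on `tar` to reject the response body. This matters more for `gh` than for a purely local tool because the new switchboard step runs it with the git provider token in its environment. The neighbouring `RUN curl` lines follow the same pattern but are context, outside this change.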
