feat: bump sealights versions

konflux-ci · Feb 6, 2025 · 7769867 · 7769867
1 parent f32e498
commit 7769867
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 70 deletions.
diff --git a/.tekton/build-service-pull-request.yaml b/.tekton/build-service-pull-request.yaml
@@ -83,7 +83,8 @@ spec:
       description: Execute the build with network isolation
       name: hermetic
       type: string
-    - default: ""
+    - default: |
+        [{"type": "gomod"}]
       description: Build dependencies to be prefetched by Cachi2
       name: prefetch-input
       type: string
@@ -167,21 +168,49 @@ spec:
       workspaces:
       - name: basic-auth
         workspace: git-auth
+    - name: prefetch-dependencies
+      params:
+      - name: input
+        value: $(params.prefetch-input)
+      - name: SOURCE_ARTIFACT
+        value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+      - name: ociStorage
+        value: $(params.output-image).prefetch
+      - name: ociArtifactExpiresAfter
+        value: $(params.image-expires-after)
+      runAfter:
+      - clone-repository
+      taskRef:
+        params:
+        - name: name
+          value: prefetch-dependencies-oci-ta
+        - name: bundle
+          value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:8fb092dae7109ac211d8b98413d9bc0c71c14f64644ce239676383576f861a86
+        - name: kind
+          value: task
+        resolver: bundles
+      workspaces:
+      - name: git-basic-auth
+        workspace: git-auth
+      - name: netrc
+        workspace: netrc
     - name: sealights-go-instrumentation
       runAfter:
-        - clone-repository
+        - prefetch-dependencies
       taskRef:
         params:
         - name: name
           value: sealights-go-oci-ta
         - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-sealights-go-oci-ta:0.1@sha256:3ee87d28065205ee5f1e32ec012cac4b167af6525f7504a9657612e4387d0eae
+          value: quay.io/flacatus/oci@sha256:487b375bc9667380f727f834f4484d54e53d2575edcfc950588fb5ab79554d34
         - name: kind
           value: task
         resolver: bundles
       params:
         - name: SOURCE_ARTIFACT
-          value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+          value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+        - name: CACHI2_ARTIFACT
+          value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
         - name: go-version
           value: "1.21.9"
         - name: sealights-secret
@@ -200,64 +229,8 @@ spec:
           value: '{{ target_branch }}'
         - name: oci-storage
           value: $(params.output-image).sealights.git
-    - name: sealights-unit-tests
-      runAfter:
-        - sealights-go-instrumentation
-      taskSpec:
-        volumes:
-          - name: sealights-credentials
-            secret:
-              secretName: sealights-credentials
-          - name: workdir
-            emptyDir: {}
-        stepTemplate:
-          volumeMounts:
-            - mountPath: /var/workdir
-              name: workdir
-            - name: sealights-credentials
-              mountPath: /usr/local/sealights-credentials
-        steps:
-          - name: use-trusted-artifact
-            image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:52f1391e6f1c472fd10bb838f64fae2ed3320c636f536014978a5ddbdfc6b3af
-            args:
-              - use
-              - $(tasks.sealights-go-instrumentation.results.SOURCE_ARTIFACT)=/var/workdir/source
-          - name: unit-tests
-            image: registry.access.redhat.com/ubi8/go-toolset:1.21.9
-            securityContext:
-              runAsUser: 0
-            workingDir: /var/workdir/source
-            script: |
-              #!/bin/bash
-              set -euo pipefail
-              export SEALIGHTS_TOKEN="$(cat /usr/local/sealights-credentials/token)"
-              make test
-    - name: prefetch-dependencies
-      params:
-      - name: input
-        value: $(params.prefetch-input)
-      - name: SOURCE_ARTIFACT
-        value: $(tasks.sealights-go-instrumentation.results.SOURCE_ARTIFACT)
-      - name: ociStorage
-        value: $(params.output-image).prefetch
-      - name: ociArtifactExpiresAfter
-        value: $(params.image-expires-after)
-      runAfter:
-      - sealights-unit-tests
-      taskRef:
-        params:
-        - name: name
-          value: prefetch-dependencies-oci-ta
-        - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:8fb092dae7109ac211d8b98413d9bc0c71c14f64644ce239676383576f861a86
-        - name: kind
-          value: task
-        resolver: bundles
-      workspaces:
-      - name: git-basic-auth
-        workspace: git-auth
-      - name: netrc
-        workspace: netrc
+        - name: debug
+          value: "true"
     - name: build-container
       params:
       - name: IMAGE
@@ -284,7 +257,7 @@ spec:
       - name: CACHI2_ARTIFACT
         value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
       runAfter:
-      - prefetch-dependencies
+      - sealights-go-instrumentation
       taskRef:
         params:
         - name: name

diff --git a/.tekton/build-service-push.yaml b/.tekton/build-service-push.yaml
@@ -172,7 +172,7 @@ spec:
         - name: name
           value: sealights-go-oci-ta
         - name: bundle
-          value: quay.io/konflux-ci/tekton-catalog/task-sealights-go-oci-ta:0.1@sha256:3ee87d28065205ee5f1e32ec012cac4b167af6525f7504a9657612e4387d0eae
+          value: quay.io/konflux-ci/tekton-catalog/task-sealights-go-oci-ta:0.1@sha256:c2040ebcd2ca7e0327fb136ea56bd584acf46aa55277b75b1c1b3199491157c6
         - name: kind
           value: task
         resolver: bundles
@@ -202,7 +202,7 @@ spec:
       - name: ociArtifactExpiresAfter
         value: $(params.image-expires-after)
       runAfter:
-      - sealights-go-instrumentation
+      - clone-repository
       taskRef:
         params:
         - name: name
@@ -284,7 +284,7 @@ spec:
       - name: CACHI2_ARTIFACT
         value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
       runAfter:
-      - prefetch-dependencies
+      - sealights-go-instrumentation
       taskRef:
         params:
         - name: name

diff --git a/Dockerfile b/Dockerfile
@@ -3,17 +3,17 @@
 # https://catalog.redhat.com/software/containers/ubi9/go-toolset/61e5c00b4ec9945c18787690
 FROM registry.access.redhat.com/ubi9/go-toolset:1.22.9-1737480393 AS builder
 
-USER root
+USER 1001
 
 # Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
+COPY --chown=1001:0 go.mod go.mod
+COPY --chown=1001:0 go.sum go.sum
 # cache deps before building and copying source so that we don't need to re-download as much
 # and so that source changes don't invalidate our downloaded layer
 RUN go mod download
 
 # Copy the go source
-COPY . .
+COPY --chown=1001:0 . .
 
 # Build
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o manager main.go