Skip to content

Commit

Permalink
Switch Pipelines to use Trusted Artifact
Browse files Browse the repository at this point in the history 
This commit changes the push and pull-request Pipelines for the various
components to use Trusted Artifacts stored in the OCI registry.

It also modifies the go-unit-test Task so it can be used via the
Pipeline as Code resolver[1] removing the need to create a Tekton bundle
for it.

[1] https://docs.openshift.com/pipelines/1.11/pac/using-pac-resolver.html

Signed-off-by: Luiz Carvalho <[email protected]>
  • Loading branch information
@lcarva
lcarva committed May 21, 2024
1 parent 2b04e64 commit 15f69b6
Show file tree
Hide file tree
Showing 3 changed files with 90 additions and 101 deletions.
80 changes: 33 additions & 47 deletions .tekton/logsigner-pull-request.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ metadata:
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
pipelinesascode.tekton.dev/max-keep-runs: "3"
pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main" && ( "go.mod".pathChanged() || "go.sum".pathChanged() || ".tekton/logsigner-pull-request.yaml".pathChanged() || "Dockerfile.logsigner.rh".pathChanged() || "cmd/trillian_log_signer/***".pathChanged() || "trigger-konflux-builds.txt".pathChanged() )
pipelinesascode.tekton.dev/task: "[.tekton/trillian-unit-test.yaml]"
creationTimestamp: null
labels:
appstudio.openshift.io/application: trillian
Expand Down Expand Up @@ -162,14 +163,18 @@ spec:
value: $(params.git-url)
- name: revision
value: $(params.revision)
- name: ociStorage
value: $(params.output-image).git
- name: ociArtifactExpiresAfter
value: $(params.image-expires-after)
runAfter:
- init
taskRef:
params:
- name: name
value: git-clone
value: git-clone-oci-ta
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba
value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone-oci-ta:0.1@sha256:c18dc89b0c35f425a5dd10aa48a7e5177deb6addcc06db99646df17fcdde5a2d
- name: kind
value: task
resolver: bundles
Expand All @@ -179,22 +184,26 @@ spec:
values:
- "true"
workspaces:
- name: output
workspace: workspace
- name: basic-auth
workspace: git-auth
- name: prefetch-dependencies
params:
- name: input
value: $(params.prefetch-input)
- name: SOURCE_ARTIFACT
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: ociStorage
value: $(params.output-image).prefetch
- name: ociArtifactExpiresAfter
value: $(params.image-expires-after)
runAfter:
- clone-repository
taskRef:
params:
- name: name
value: prefetch-dependencies
value: prefetch-dependencies-oci-ta
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052
value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:fe351ee58ed07d7455b32a01dddecf7512dc56506b6260c17fa9a1b4513d02dc
- name: kind
value: task
resolver: bundles
Expand All @@ -203,9 +212,6 @@ spec:
operator: in
values:
- "true"
workspaces:
- name: source
workspace: workspace
- name: build-container
params:
- name: IMAGE
Expand All @@ -222,14 +228,18 @@ spec:
value: $(params.image-expires-after)
- name: COMMIT_SHA
value: $(tasks.clone-repository.results.commit)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
runAfter:
- prefetch-dependencies
taskRef:
params:
- name: name
value: buildah
value: buildah-oci-ta
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249
value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-oci-ta:0.1@sha256:4fe8b5f597759bce6c71979dec50e07e5831c493f10d7c9035c61a2b87cfa9eb
- name: kind
value: task
resolver: bundles
Expand All @@ -238,23 +248,24 @@ spec:
operator: in
values:
- "true"
workspaces:
- name: source
workspace: workspace
- name: build-source-image
params:
- name: BINARY_IMAGE
value: $(params.output-image)
- name: BASE_IMAGES
value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
runAfter:
- build-container
taskRef:
params:
- name: name
value: source-build
value: source-build-oci-ta
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:1f62eaf64a188fcf61f808ad78a15ebf9a8f7f51c644266ad195718b6a2dd372
value: quay.io/redhat-appstudio-tekton-catalog/task-source-build-oci-ta:0.1@sha256:ae12b84e22d77cc1112c03b2182dcc14bb7da6a9fdbebab00be57c725d0ef4cf
- name: kind
value: task
resolver: bundles
Expand All @@ -267,9 +278,6 @@ spec:
operator: in
values:
- "true"
workspaces:
- name: workspace
workspace: workspace
- name: deprecated-base-image-check
params:
- name: BASE_IMAGES_DIGESTS
Expand Down Expand Up @@ -317,14 +325,17 @@ spec:
values:
- "false"
- name: sast-snyk-check
params:
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
runAfter:
- clone-repository
taskRef:
params:
- name: name
value: sast-snyk-check
value: sast-snyk-check-oci-ta
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740
value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check-oci-ta:0.1@sha256:9ec1e2dea3dad0af7f84858eb5b177f1a7244a2bf71e625a429d44ff5a9359ce
- name: kind
value: task
resolver: bundles
Expand All @@ -333,9 +344,6 @@ spec:
operator: in
values:
- "false"
workspaces:
- name: workspace
workspace: workspace
- name: clamav-scan
params:
- name: image-digest
Expand Down Expand Up @@ -384,34 +392,12 @@ spec:
runAfter:
- prefetch-dependencies
taskRef:
params:
- name: name
value: go-unit-test
- name: bundle
value: quay.io/securesign/trillian-unit-test@sha256:56557b0303473a81a9326c3f64575941879bd1dc2c15360c7a3cee9eb7ad25ad
- name: kind
value: task
resolver: bundles
workspaces:
- name: source
workspace: workspace
name: go-unit-test
workspaces:
- name: workspace
- name: git-auth
optional: true
taskRunTemplate: {}
workspaces:
- name: workspace
volumeClaimTemplate:
metadata:
creationTimestamp: null
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
status: {}
- name: git-auth
secret:
secretName: '{{ git_auth_secret }}'
Expand Down
80 changes: 33 additions & 47 deletions .tekton/logsigner-push.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ metadata:
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
pipelinesascode.tekton.dev/max-keep-runs: "3"
pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main"
pipelinesascode.tekton.dev/task: "[.tekton/trillian-unit-test.yaml]"
creationTimestamp: null
labels:
appstudio.openshift.io/application: trillian
Expand Down Expand Up @@ -159,14 +160,18 @@ spec:
value: $(params.git-url)
- name: revision
value: $(params.revision)
- name: ociStorage
value: $(params.output-image).git
- name: ociArtifactExpiresAfter
value: $(params.image-expires-after)
runAfter:
- init
taskRef:
params:
- name: name
value: git-clone
value: git-clone-oci-ta
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:30709df067659a407968154fd39e99763823d8ecfc6b5cd00a55b68818ec94ba
value: quay.io/redhat-appstudio-tekton-catalog/task-git-clone-oci-ta:0.1@sha256:c18dc89b0c35f425a5dd10aa48a7e5177deb6addcc06db99646df17fcdde5a2d
- name: kind
value: task
resolver: bundles
Expand All @@ -176,22 +181,26 @@ spec:
values:
- "true"
workspaces:
- name: output
workspace: workspace
- name: basic-auth
workspace: git-auth
- name: prefetch-dependencies
params:
- name: input
value: $(params.prefetch-input)
- name: SOURCE_ARTIFACT
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: ociStorage
value: $(params.output-image).prefetch
- name: ociArtifactExpiresAfter
value: $(params.image-expires-after)
runAfter:
- clone-repository
taskRef:
params:
- name: name
value: prefetch-dependencies
value: prefetch-dependencies-oci-ta
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:c6fdbf404dc61bf8cf8bec5fc4d7fb15f37ba62f1684de0c68bfbad5723c0052
value: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:fe351ee58ed07d7455b32a01dddecf7512dc56506b6260c17fa9a1b4513d02dc
- name: kind
value: task
resolver: bundles
Expand All @@ -200,9 +209,6 @@ spec:
operator: in
values:
- "true"
workspaces:
- name: source
workspace: workspace
- name: build-container
params:
- name: IMAGE
Expand All @@ -219,14 +225,18 @@ spec:
value: $(params.image-expires-after)
- name: COMMIT_SHA
value: $(tasks.clone-repository.results.commit)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
runAfter:
- prefetch-dependencies
taskRef:
params:
- name: name
value: buildah
value: buildah-oci-ta
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:7e5f19d3aa233b9becf90d1ca01697486dc1acb1f1d6d2a0b8d1a1cc07c66249
value: quay.io/redhat-appstudio-tekton-catalog/task-buildah-oci-ta:0.1@sha256:4fe8b5f597759bce6c71979dec50e07e5831c493f10d7c9035c61a2b87cfa9eb
- name: kind
value: task
resolver: bundles
Expand All @@ -235,23 +245,24 @@ spec:
operator: in
values:
- "true"
workspaces:
- name: source
workspace: workspace
- name: build-source-image
params:
- name: BINARY_IMAGE
value: $(params.output-image)
- name: BASE_IMAGES
value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
runAfter:
- build-container
taskRef:
params:
- name: name
value: source-build
value: source-build-oci-ta
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-source-build:0.1@sha256:1f62eaf64a188fcf61f808ad78a15ebf9a8f7f51c644266ad195718b6a2dd372
value: quay.io/redhat-appstudio-tekton-catalog/task-source-build-oci-ta:0.1@sha256:ae12b84e22d77cc1112c03b2182dcc14bb7da6a9fdbebab00be57c725d0ef4cf
- name: kind
value: task
resolver: bundles
Expand All @@ -264,9 +275,6 @@ spec:
operator: in
values:
- "true"
workspaces:
- name: workspace
workspace: workspace
- name: deprecated-base-image-check
params:
- name: BASE_IMAGES_DIGESTS
Expand Down Expand Up @@ -314,14 +322,17 @@ spec:
values:
- "false"
- name: sast-snyk-check
params:
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
runAfter:
- clone-repository
taskRef:
params:
- name: name
value: sast-snyk-check
value: sast-snyk-check-oci-ta
- name: bundle
value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:b3d2d07394ff983d5f2578c294cd8c4e9428fecc801495feeb929d932c10f740
value: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check-oci-ta:0.1@sha256:9ec1e2dea3dad0af7f84858eb5b177f1a7244a2bf71e625a429d44ff5a9359ce
- name: kind
value: task
resolver: bundles
Expand All @@ -330,9 +341,6 @@ spec:
operator: in
values:
- "false"
workspaces:
- name: workspace
workspace: workspace
- name: clamav-scan
params:
- name: image-digest
Expand Down Expand Up @@ -381,34 +389,12 @@ spec:
runAfter:
- prefetch-dependencies
taskRef:
params:
- name: name
value: go-unit-test
- name: bundle
value: quay.io/securesign/trillian-unit-test@sha256:56557b0303473a81a9326c3f64575941879bd1dc2c15360c7a3cee9eb7ad25ad
- name: kind
value: task
resolver: bundles
workspaces:
- name: source
workspace: workspace
name: go-unit-test
workspaces:
- name: workspace
- name: git-auth
optional: true
taskRunTemplate: {}
workspaces:
- name: workspace
volumeClaimTemplate:
metadata:
creationTimestamp: null
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
status: {}
- name: git-auth
secret:
secretName: '{{ git_auth_secret }}'
Expand Down
Loading

0 comments on commit 15f69b6

Please sign in to comment.