Switch Pipelines to use Trusted Artifact

[lcarva]

This commit changes the push and pull-request Pipelines for the various components to use Trusted Artifacts stored in the OCI registry.

It also modifies the go-unit-test Task so it can be used via the Pipeline as Code resolver[1] removing the need to create a Tekton bundle for it.

[1] https://docs.openshift.com/pipelines/1.11/pac/using-pac-resolver.html

Checklist

• I have updated the CHANGELOG.
• I have updated documentation accordingly (including the feature implementation matrix).

[lcarva]

I only made the changes for logsigner. I plan on doing the other two components after we get an initial run here.

[lance]

/ok-to-test

[lcarva]

There are a couple of things left here to make the EC validation pass.

1. Update the policy config to use a newer version of the policy rules.
2. Mark the snyk check TA variant as an informative test: Mark sast-snyk-check TA alternative as informative release-engineering/rhtap-ec-policy#27

With a modified policy config that uses the latest policy rules, and a modified data source for the informative_tests rule data, I only see one violation for the image built from the pull request:

metadata:
  code: cve.cve_blockers
msg: Found 3 CVE vulnerabilities of high security level

That is unrelated. It appears to be the common issue where a CVE has been patched in an RPM, but the parent image has not picked it up yet. (The workaround is to run dnf update in the Dockerfile.)

I'm hoping the two issues above will be addressed by tomorrow.

[lcarva]

/retest

[lcarva]

All set. The only violation left is the CVE one from my previous comment. I'll go ahead and update this PR to also move the other Pipelines to use Trusted Artifacts.

[lcarva]

The redis Pipeline needs this fix: konflux-ci/build-definitions#1043

[lcarva]

Pulled in the changes from #191 to address the CVE issues.

[lcarva]

Moving this out of draft as I believe all the issues I noticed have been addressed.

[bouskaJ]

@lcarva, @lance what needs to be done to get this merged? I did testing on my private Konflux namespace and it seems that this PR also fixes the non-working unit tests (see https://redhat-internal.slack.com/archives/C05G8TKPN7P/p1717009207481019)

[lcarva]

@lcarva, @lance what needs to be done to get this merged? I did testing on my private Konflux namespace and it seems that this PR also fixes the non-working unit tests (see https://redhat-internal.slack.com/archives/C05G8TKPN7P/p1717009207481019)

Given the churn on the files I modified, this PR needs to be rebased quite often. If you guys are happy with the approach from this PR, then I'm happy to rebase it one more time. 😄

[lance]

@lcarva, @lance what needs to be done to get this merged? I did testing on my private Konflux namespace and it seems that this PR also fixes the non-working unit tests (see https://redhat-internal.slack.com/archives/C05G8TKPN7P/p1717009207481019)

Given the churn on the files I modified, this PR needs to be rebased quite often. If you guys are happy with the approach from this PR, then I'm happy to rebase it one more time. 😄

If you don't mind a rebase, that would be great. We do have someone (currently on PTO) assigned to handle this task across all of our repos that run unit tests, but having this as a working and merged example would be helpful! 🙇

[lcarva]

@lance, all green now 😎 PTAL

[lance]

@lcarva thanks for this!

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: lance, lcarva

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment