@zregvart
Created November 30, 2022 19:11
# Tekton PipelineRun as stored in the cluster: metadata, spec and the recorded
# status. deletionTimestamp is set, so this is a snapshot of an object whose
# deletion had already been requested.
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
generateName: test-component-baqi-
annotations:
# NOTE(review): the stored value contains literal double quotes ("false"
# inside the YAML single quotes). The hacbs-init step recorded under
# status.taskRuns runs
#   oc annotate ... 'appstudio.redhat.com/updateComponentOnSuccess="false"'
# which would produce exactly this. A consumer comparing against the bare
# string false would not match; confirm which form the reader expects.
appstudio.redhat.com/updateComponentOnSuccess: '"false"'
build.appstudio.openshift.io/image: 'quay.io/redhat-appstudio/test-images:40b546fe076e448e83d0412a632bc216'
build.appstudio.openshift.io/repo: 'https://github.com/redhat-appstudio-qe/devfile-sample-python-basic.git'
# Marks that Tekton Chains has processed this run. status.conditions reports
# reason Failed for the same run, so this annotation on its own says nothing
# about whether the build or its checks passed.
chains.tekton.dev/signed: 'true'
# Deletion requested about 4 seconds after status.completionTime.
deletionTimestamp: '2022-11-30T19:08:12Z'
resourceVersion: '1444968133'
name: test-component-baqi-9b299
uid: f64fae34-540f-428c-b12e-1d4c222d45a1
deletionGracePeriodSeconds: 0
creationTimestamp: '2022-11-30T19:06:48Z'
generation: 2
managedFields:
- apiVersion: tekton.dev/v1beta1
fieldsType: FieldsV1
fieldsV1:
'f:metadata':
'f:generateName': {}
'f:labels':
.: {}
'f:appstudio.openshift.io/application': {}
'f:appstudio.openshift.io/component': {}
'f:build.appstudio.openshift.io/build': {}
'f:build.appstudio.openshift.io/type': {}
'f:build.appstudio.openshift.io/version': {}
'f:pipelines.appstudio.openshift.io/type': {}
'f:ownerReferences':
.: {}
'k:{"uid":"e38349c6-d59d-434e-8acb-929ff9b5fafa"}': {}
'f:spec':
.: {}
'f:params': {}
'f:pipelineRef':
.: {}
'f:bundle': {}
'f:name': {}
'f:podTemplate':
.: {}
'f:imagePullSecrets': {}
'f:workspaces': {}
manager: manager
operation: Update
time: '2022-11-30T19:06:48Z'
- apiVersion: tekton.dev/v1beta1
fieldsType: FieldsV1
fieldsV1:
'f:metadata':
'f:labels':
'f:pipelines.openshift.io/runtime': {}
'f:pipelines.openshift.io/strategy': {}
'f:pipelines.openshift.io/used-by': {}
'f:tekton.dev/pipeline': {}
manager: Go-http-client
operation: Update
time: '2022-11-30T19:06:51Z'
# Field-ownership record for the manager `kubectl-annotate`: it owns the three
# annotations listed below and last wrote them at 19:08:04Z. Records like this
# are what let a reviewer attribute who set a given annotation on the object.
- apiVersion: tekton.dev/v1beta1
fieldsType: FieldsV1
fieldsV1:
'f:metadata':
'f:annotations':
.: {}
'f:appstudio.redhat.com/updateComponentOnSuccess': {}
'f:build.appstudio.openshift.io/image': {}
'f:build.appstudio.openshift.io/repo': {}
manager: kubectl-annotate
operation: Update
time: '2022-11-30T19:08:04Z'
- apiVersion: tekton.dev/v1beta1
fieldsType: FieldsV1
fieldsV1:
'f:status':
.: {}
'f:completionTime': {}
'f:conditions': {}
'f:pipelineSpec':
.: {}
'f:finally': {}
'f:params': {}
'f:results': {}
'f:tasks': {}
'f:workspaces': {}
'f:skippedTasks': {}
'f:startTime': {}
'f:taskRuns':
.: {}
'f:test-component-baqi-9b299-appstudio-configure-build':
.: {}
'f:pipelineTaskName': {}
'f:status':
.: {}
'f:completionTime': {}
'f:conditions': {}
'f:podName': {}
'f:startTime': {}
'f:steps': {}
'f:taskResults': {}
'f:taskSpec':
.: {}
'f:description': {}
'f:results': {}
'f:steps': {}
'f:workspaces': {}
'f:whenExpressions': {}
'f:test-component-baqi-9b299-appstudio-init':
.: {}
'f:pipelineTaskName': {}
'f:status':
.: {}
'f:completionTime': {}
'f:conditions': {}
'f:podName': {}
'f:startTime': {}
'f:steps': {}
'f:taskResults': {}
'f:taskSpec':
.: {}
'f:description': {}
'f:params': {}
'f:results': {}
'f:steps': {}
'f:test-component-baqi-9b299-clone-repository':
.: {}
'f:pipelineTaskName': {}
'f:status':
.: {}
'f:completionTime': {}
'f:conditions': {}
'f:podName': {}
'f:startTime': {}
'f:steps': {}
'f:taskResults': {}
'f:taskSpec':
.: {}
'f:description': {}
'f:params': {}
'f:results': {}
'f:steps': {}
'f:workspaces': {}
'f:whenExpressions': {}
'f:test-component-baqi-9b299-sanity-inspect-image':
.: {}
'f:pipelineTaskName': {}
'f:status':
.: {}
'f:completionTime': {}
'f:conditions': {}
'f:podName': {}
'f:startTime': {}
'f:steps': {}
'f:taskSpec':
.: {}
'f:description': {}
'f:params': {}
'f:results': {}
'f:steps': {}
'f:workspaces': {}
'f:test-component-baqi-9b299-sast-snyk-check':
.: {}
'f:pipelineTaskName': {}
'f:status':
.: {}
'f:completionTime': {}
'f:conditions': {}
'f:podName': {}
'f:startTime': {}
'f:steps': {}
'f:taskSpec':
.: {}
'f:description': {}
'f:params': {}
'f:results': {}
'f:steps': {}
'f:volumes': {}
'f:workspaces': {}
'f:whenExpressions': {}
'f:test-component-baqi-9b299-show-summary':
.: {}
'f:pipelineTaskName': {}
'f:status':
.: {}
'f:completionTime': {}
'f:conditions': {}
'f:podName': {}
'f:startTime': {}
'f:steps': {}
'f:taskSpec':
.: {}
'f:description': {}
'f:params': {}
'f:steps': {}
manager: Go-http-client
operation: Update
subresource: status
time: '2022-11-30T19:08:06Z'
# Field-ownership record for the manager `controller`: it owns the
# chains.tekton.dev/signed annotation and the chains.tekton.dev/pipelinerun
# finalizer, both last written at 19:08:06Z (the same second as the status
# update recorded just before this entry).
- apiVersion: tekton.dev/v1beta1
fieldsType: FieldsV1
fieldsV1:
'f:metadata':
'f:annotations':
'f:chains.tekton.dev/signed': {}
'f:finalizers':
.: {}
'v:"chains.tekton.dev/pipelinerun"': {}
manager: controller
operation: Update
time: '2022-11-30T19:08:06Z'
# Remaining object metadata: namespace, owner, finalizers and labels.
namespace: build-templates-e2e
# Owned by an appstudio Component; the same uid appears in managedFields.
ownerReferences:
- apiVersion: appstudio.redhat.com/v1alpha1
kind: Component
name: test-component-baqi
uid: e38349c6-d59d-434e-8acb-929ff9b5fafa
# metadata.deletionTimestamp is set while this finalizer is still listed, so
# the object remains in the API until the finalizer is removed.
finalizers:
- chains.tekton.dev/pipelinerun
labels:
appstudio.openshift.io/component: test-component-baqi
pipelines.openshift.io/runtime: generic
pipelines.openshift.io/strategy: docker
tekton.dev/pipeline: docker-build
pipelines.openshift.io/used-by: build-cloud
build.appstudio.openshift.io/build: 'true'
appstudio.openshift.io/application: test-app-jhvt
build.appstudio.openshift.io/type: build
pipelines.appstudio.openshift.io/type: build
# Quoted so the version stays a string rather than the float 0.1.
build.appstudio.openshift.io/version: '0.1'
# Requested run: input parameters, the pipeline bundle to execute, the service
# account, and the workspace bindings.
spec:
params:
- name: git-url
value: 'https://github.com/redhat-appstudio-qe/devfile-sample-python-basic.git'
# The output image is named by tag only.
- name: output-image
value: 'quay.io/redhat-appstudio/test-images:40b546fe076e448e83d0412a632bc216'
- name: dockerfile
value: docker/Dockerfile
- name: path-context
value: .
pipelineRef:
# NOTE(review): the pipeline bundle is referenced by tag with no @sha256
# digest, whereas every task bundle recorded in status.pipelineSpec carries
# one. A tag can be re-pointed in the registry; pinning the pipeline bundle by
# digest would make the executed definition reproducible from this record.
bundle: >-
quay.io/redhat-appstudio-tekton-catalog/pull-request-builds:docker-build-e62a7e2eda4287ccf35cf748f3882cb33ac7ef67
name: docker-build
podTemplate:
imagePullSecrets:
- name: redhat-appstudio-registry-pull-secret
serviceAccountName: pipeline
timeout: 1h0m0s
workspaces:
# Per-run 1Gi ReadWriteOnce volume that backs the pipeline workspace named
# `workspace`.
- name: workspace
volumeClaimTemplate:
metadata:
creationTimestamp: null
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
status: {}
# The same secret used for image pulls is also mounted as a workspace, so its
# content is readable as files by every task that binds registry-auth.
# Only `workspace` and `registry-auth` are bound; the pipeline's optional
# `git-auth` workspace is not bound in this run.
- name: registry-auth
secret:
secretName: redhat-appstudio-registry-pull-secret
# Overall outcome. A condition of type Succeeded with status 'False' and reason
# Failed means the run failed; the message gives the task counts (6 completed,
# of which 1 failed; 9 skipped). The failed one is the sanity-inspect-image
# taskRun recorded under status.taskRuns.
status:
completionTime: '2022-11-30T19:08:08Z'
conditions:
- lastTransitionTime: '2022-11-30T19:08:08Z'
message: 'Tasks Completed: 6 (Failed: 1, Cancelled 0), Skipped: 9'
reason: Failed
status: 'False'
type: Succeeded
# Resolved pipeline definition as executed: the finally task, the declared
# parameters, and the pipeline-level results. Parameter references in the task
# params below are already substituted with this run's values.
pipelineSpec:
finally:
- name: show-summary
params:
- name: pipeline-run-name
value: test-component-baqi-9b299
- name: git-url
value: >-
https://github.com/redhat-appstudio-qe/devfile-sample-python-basic.git
- name: image-url
value: >-
quay.io/redhat-appstudio/test-images:40b546fe076e448e83d0412a632bc216
taskRef:
# Task bundle referenced by tag and @sha256 digest.
bundle: >-
quay.io/redhat-appstudio-tekton-catalog/pull-request-builds:summary-0.1@sha256:59d49758686c141bd26b3c193e52fd23bb47831c2a5d5872388ad6824684735e
kind: Task
name: summary
params:
- description: Source Repository URL
name: git-url
type: string
# Defaults to the empty string; spec.params does not set it, so no revision
# was requested for this run.
- default: ''
description: Revision of the Source Repository
name: revision
type: string
- description: Fully Qualified Output Image
name: output-image
type: string
- default: .
description: The path to your source code
name: path-context
type: string
- default: Dockerfile
description: Path to the Dockerfile
name: dockerfile
type: string
# Flags are declared as strings ('true' / 'false'), not YAML booleans.
- default: 'false'
description: Force rebuild image
name: rebuild
type: string
- default: 'true'
description: Enable HACBS tasks
name: hacbs
type: string
- default: 'false'
description: Java build
name: java
type: string
# Pipeline results. IMAGE_URL, IMAGE_DIGEST and JAVA_COMMUNITY_DEPENDENCIES
# come from build-container, which is listed in status.skippedTasks for this
# run, so presumably they were never resolved; verify before relying on them.
results:
- description: ''
name: IMAGE_URL
value: $(tasks.build-container.results.IMAGE_URL)
- description: ''
name: IMAGE_DIGEST
value: $(tasks.build-container.results.IMAGE_DIGEST)
- description: ''
name: CHAINS-GIT_URL
value: $(tasks.clone-repository.results.url)
- description: ''
name: CHAINS-GIT_COMMIT
value: $(tasks.clone-repository.results.commit)
- description: ''
name: JAVA_COMMUNITY_DEPENDENCIES
value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES)
# Build chain: init -> clone -> configure-build -> prefetch -> build.
# Every taskRef bundle here is referenced by tag plus @sha256 digest.
tasks:
- name: appstudio-init
params:
- name: image-url
value: >-
quay.io/redhat-appstudio/test-images:40b546fe076e448e83d0412a632bc216
- name: rebuild
value: 'false'
- name: hacbs
value: 'true'
- name: pipeline-run-name
value: test-component-baqi-9b299
taskRef:
bundle: >-
quay.io/redhat-appstudio-tekton-catalog/pull-request-builds:init-0.1@sha256:aa9c545f70d0618a5d119addedf3136619914c923cb67740283c11219f3f3a1e
kind: Task
name: init
- name: clone-repository
params:
- name: url
value: >-
https://github.com/redhat-appstudio-qe/devfile-sample-python-basic.git
# Empty revision: the commit that was actually fetched is recorded only in the
# clone-repository taskRun result `commit`.
- name: revision
value: ''
runAfter:
- appstudio-init
taskRef:
bundle: >-
quay.io/redhat-appstudio-tekton-catalog/pull-request-builds:git-clone-0.1@sha256:c940e53d45fc496970f341a2e0292d2831861c5fb5333fd83bec45bf7e7de4fb
kind: Task
name: git-clone
# Runs only when appstudio-init emitted build=true.
when:
- input: $(tasks.appstudio-init.results.build)
operator: in
values:
- 'true'
workspaces:
- name: output
workspace: workspace
# Git credentials would come from the pipeline's optional git-auth workspace.
- name: basic-auth
workspace: git-auth
- name: appstudio-configure-build
runAfter:
- clone-repository
taskRef:
bundle: >-
quay.io/redhat-appstudio-tekton-catalog/pull-request-builds:configure-build-0.1@sha256:9f8b5438fda511507e51a0372b4d85892d6f695bd4f54ce067e1c1a1fbc70b30
kind: Task
name: configure-build
when:
- input: $(tasks.appstudio-init.results.build)
operator: in
values:
- 'true'
# Binds both the shared source volume and the registry secret: this is the
# task that copies registry credentials into the source workspace.
workspaces:
- name: source
workspace: workspace
- name: registry-auth
workspace: registry-auth
- name: prefetch-dependencies
params:
# NOTE(review): package-type is fixed to gomod although the repository name
# suggests a Python sample; presumably a template default, confirm.
- name: package-type
value: gomod
- name: package-path
value: .
runAfter:
- appstudio-configure-build
taskRef:
bundle: >-
quay.io/redhat-appstudio-tekton-catalog/pull-request-builds:prefetch-dependencies-0.1@sha256:068c26c173a3c548678c3c5a4095dfa393c815c0a3ab8437ae9ad846ba1f6cf4
kind: Task
name: prefetch-dependencies
# Depends on the clone task's hermetic-build result, which the recorded clone
# script writes only when cachi2.params exists in the repository.
when:
- input: $(tasks.clone-repository.results.hermetic-build)
operator: in
values:
- 'true'
workspaces:
- name: source
workspace: workspace
- name: build-container
params:
- name: IMAGE
value: >-
quay.io/redhat-appstudio/test-images:40b546fe076e448e83d0412a632bc216
- name: DOCKERFILE
value: docker/Dockerfile
# The build context is the root of the shared source workspace, the same
# directory where configure-build writes .dockerconfigjson.
- name: CONTEXT
value: .
# Both receive the configure-build result, recorded in its taskRun as
# '--authfile /workspace/source/.dockerconfigjson'.
- name: BUILD_EXTRA_ARGS
value: $(tasks.appstudio-configure-build.results.buildah-auth-param)
- name: PUSH_EXTRA_ARGS
value: $(tasks.appstudio-configure-build.results.buildah-auth-param)
# References the same conditionally written hermetic-build result as
# prefetch-dependencies; both tasks appear in status.skippedTasks for this run.
- name: HERMETIC_BUILD
value: $(tasks.clone-repository.results.hermetic-build)
runAfter:
- prefetch-dependencies
taskRef:
bundle: >-
quay.io/redhat-appstudio-tekton-catalog/pull-request-builds:buildah-0.1@sha256:0310f911d5686e2906514f56a16ff29e4bdc4c2775ea5473e3d920fd96fdd0ed
kind: Task
name: buildah
when:
- input: $(tasks.appstudio-init.results.build)
operator: in
values:
- 'true'
workspaces:
- name: source
workspace: workspace
# Verification and scanning tasks, followed by the pipeline's workspace
# declarations. Each `when` below has the literal input 'true' (the recorded
# form after substitution), so none of these tasks is conditional in this run.
- name: sanity-inspect-image
params:
- name: IMAGE_URL
value: >-
quay.io/redhat-appstudio/test-images:40b546fe076e448e83d0412a632bc216
runAfter:
- build-container
taskRef:
bundle: >-
quay.io/redhat-appstudio-tekton-catalog/pull-request-builds:sanity-inspect-image-0.1@sha256:55e65b26163670e5eaaf8c7a5f967d351ef744a2655be11fa13e1354c4bd7535
kind: Task
name: sanity-inspect-image
when:
- input: 'true'
operator: in
values:
- 'true'
workspaces:
- name: workspace
workspace: workspace
- name: sanity-label-check
runAfter:
- sanity-inspect-image
taskRef:
bundle: >-
quay.io/redhat-appstudio-tekton-catalog/pull-request-builds:sanity-label-check-0.1@sha256:3bd4633b70548dd0055068a970322811b3a96a8a5d98d0b483c748d37135a7a5
kind: Task
name: sanity-label-check
when:
- input: 'true'
operator: in
values:
- 'true'
workspaces:
- name: workspace
workspace: workspace
# Same task bundle and digest as sanity-label-check; only POLICY_NAMESPACE
# differs.
- name: sanity-optional-label-check
params:
- name: POLICY_NAMESPACE
value: optional_checks
runAfter:
- sanity-inspect-image
taskRef:
bundle: >-
quay.io/redhat-appstudio-tekton-catalog/pull-request-builds:sanity-label-check-0.1@sha256:3bd4633b70548dd0055068a970322811b3a96a8a5d98d0b483c748d37135a7a5
kind: Task
name: sanity-label-check
when:
- input: 'true'
operator: in
values:
- 'true'
workspaces:
- name: workspace
workspace: workspace
- name: deprecated-base-image-check
params:
- name: IMAGE_REGISTRY
value: registry.access.redhat.com
# The repository checked is whatever sanity-inspect-image derived from the
# built image's own metadata.
- name: IMAGE_REPOSITORY
value: $(tasks.sanity-inspect-image.results.BASE_IMAGE_REPOSITORY)
runAfter:
- sanity-inspect-image
taskRef:
bundle: >-
quay.io/redhat-appstudio-tekton-catalog/pull-request-builds:deprecated-image-check-0.1@sha256:a7e8f82a7c5c4b2e8bf86338f8aedf44b5606daf591462b9aa5adb35f7df6cac
kind: Task
name: deprecated-image-check
when:
- input: 'true'
operator: in
values:
- 'true'
workspaces:
- name: sanity-ws
workspace: workspace
# The image scanners below (clair, clamav, sbom) take the image URL and digest
# from build-container results, so they depend on that task having run.
- name: get-clair-results
params:
- name: image-digest
value: $(tasks.build-container.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-container.results.IMAGE_URL)
runAfter:
- build-container
taskRef:
bundle: >-
quay.io/redhat-appstudio-tekton-catalog/pull-request-builds:get-clair-scan-0.1@sha256:f5259b6194f73e43f8f1d8ec8f7cd7466209fbf8aaf8b8ac4cf653fc54fc6b3b
kind: Task
name: get-clair-scan
when:
- input: 'true'
operator: in
values:
- 'true'
workspaces:
- name: clair-ws
workspace: workspace
- name: registry-auth
workspace: registry-auth
- name: conftest-clair
runAfter:
- get-clair-results
taskRef:
bundle: >-
quay.io/redhat-appstudio-tekton-catalog/pull-request-builds:conftest-clair-0.1@sha256:afd12c004c1e4f0a86f117fc1fee85ab19c9f090e281e2e0db0c0c14adecff35
kind: Task
name: conftest-clair
when:
- input: 'true'
operator: in
values:
- 'true'
workspaces:
- name: conftest-ws
workspace: workspace
# Source-level scan: ordered after clone-repository only, so it does not wait
# for the image build.
- name: sast-snyk-check
runAfter:
- clone-repository
taskRef:
bundle: >-
quay.io/redhat-appstudio-tekton-catalog/pull-request-builds:sast-snyk-check-0.1@sha256:3da394c1123a31a7a3c38e51dc7035e4f468998f6b160d8873d6e9634b6caa6b
kind: Task
name: sast-snyk-check
when:
- input: 'true'
operator: in
values:
- 'true'
workspaces:
- name: workspace
workspace: workspace
- name: clamav-scan
params:
- name: image-digest
value: $(tasks.build-container.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-container.results.IMAGE_URL)
runAfter:
- build-container
taskRef:
bundle: >-
quay.io/redhat-appstudio-tekton-catalog/pull-request-builds:clamav-scan-0.1@sha256:641d749124ff7d80a67e0890198b211db08be77da074deb0e8f206ebfade19db
kind: Task
name: clamav-scan
when:
- input: 'true'
operator: in
values:
- 'true'
workspaces:
- name: registry-auth
workspace: registry-auth
- name: sbom-json-check
params:
- name: IMAGE_URL
value: $(tasks.build-container.results.IMAGE_URL)
runAfter:
- build-container
taskRef:
bundle: >-
quay.io/redhat-appstudio-tekton-catalog/pull-request-builds:sbom-json-check-0.1@sha256:9d228fedb0429e4ae6f383e9355615823e0684a36ab3c2453a3f3cd56f518944
kind: Task
name: sbom-json-check
when:
- input: 'true'
operator: in
values:
- 'true'
workspaces:
- name: workspace
workspace: workspace
# Pipeline-level workspaces. registry-auth and git-auth are optional;
# spec.workspaces binds `workspace` and `registry-auth` only.
workspaces:
- name: workspace
- name: registry-auth
optional: true
- name: git-auth
optional: true
# Nine tasks did not run. The list includes build-container and every image
# scanner (get-clair-results, conftest-clair, clamav-scan, sbom-json-check), so
# this run holds no build output and no image-scan evidence.
# The first two entries are gated on task results; the clone-repository taskRun
# emitted no hermetic-build result, which presumably contributes to them being
# skipped. Confirm against the controller's behaviour for unresolved results.
skippedTasks:
- name: prefetch-dependencies
reason: PipelineRun was stopping
whenExpressions:
- input: $(tasks.clone-repository.results.hermetic-build)
operator: in
values:
- 'true'
- name: build-container
reason: PipelineRun was stopping
whenExpressions:
- input: $(tasks.appstudio-init.results.build)
operator: in
values:
- 'true'
- name: sanity-label-check
reason: PipelineRun was stopping
whenExpressions:
- input: 'true'
operator: in
values:
- 'true'
- name: sanity-optional-label-check
reason: PipelineRun was stopping
whenExpressions:
- input: 'true'
operator: in
values:
- 'true'
- name: deprecated-base-image-check
reason: PipelineRun was stopping
whenExpressions:
- input: 'true'
operator: in
values:
- 'true'
- name: get-clair-results
reason: PipelineRun was stopping
whenExpressions:
- input: 'true'
operator: in
values:
- 'true'
- name: conftest-clair
reason: PipelineRun was stopping
whenExpressions:
- input: 'true'
operator: in
values:
- 'true'
- name: clamav-scan
reason: PipelineRun was stopping
whenExpressions:
- input: 'true'
operator: in
values:
- 'true'
- name: sbom-json-check
reason: PipelineRun was stopping
whenExpressions:
- input: 'true'
operator: in
values:
- 'true'
startTime: '2022-11-30T19:06:48Z'
taskRuns:
# TaskRun record for appstudio-configure-build: outcome, step termination,
# emitted results, and the task definition that was executed.
test-component-baqi-9b299-appstudio-configure-build:
pipelineTaskName: appstudio-configure-build
status:
completionTime: '2022-11-30T19:07:33Z'
conditions:
- lastTransitionTime: '2022-11-30T19:07:33Z'
message: All Steps have completed executing
reason: Succeeded
status: 'True'
type: Succeeded
podName: test-component-baqi-9b299-appstudio-configure-build-pod
startTime: '2022-11-30T19:07:16Z'
steps:
- container: step-appstudio-configure-build
# imageID is the digest the runtime actually resolved for the step image.
imageID: >-
quay.io/redhat-appstudio/appstudio-utils@sha256:e1d7e2bbff7032f078df41ab4d6345ada8474f615c0e93f6268ae9ba48a81b1d
name: appstudio-configure-build
terminated:
containerID: >-
cri-o://ae24845a4219db526ab3e535b4e4133d943e886568d218265a77f0c36e97b747
exitCode: 0
finishedAt: '2022-11-30T19:07:33Z'
# The termination message carries the results: file paths only, no credential
# content.
message: >-
[{"key":"buildah-auth-param","value":"--authfile
/workspace/source/.dockerconfigjson","type":1},{"key":"registry-auth","value":"/workspace/source/.dockerconfigjson","type":1}]
reason: Completed
startedAt: '2022-11-30T19:07:33Z'
taskResults:
- name: buildah-auth-param
type: string
value: '--authfile /workspace/source/.dockerconfigjson'
- name: registry-auth
type: string
value: /workspace/source/.dockerconfigjson
taskSpec:
description: App Studio Configure Build Secrets in Source.
results:
- description: docker config location
name: registry-auth
type: string
- description: pass this to the build optional params to configure secrets
name: buildah-auth-param
type: string
steps:
# NOTE(review): the step image is referenced by tag, not by digest; the digest
# that ran is only known from imageID above.
- image: >-
quay.io/redhat-appstudio/appstudio-utils:4580b3ba3012095ff3981e50b6bbf753d4afd4c3
name: appstudio-configure-build
resources: {}
# NOTE(review), credential handling in the script below:
# - It merges every .dockerconfigjson / .dockercfg found under
#   /tekton/creds-secrets, plus the registry-auth workspace file, into
#   /workspace/source/.dockerconfigjson and sets it to mode 644.
# - That path is inside the shared source workspace, which the pipeline also
#   hands to build-container with CONTEXT '.', so the merged registry
#   credentials are readable by every later task on that volume and sit next
#   to the build context. Writing the file outside the source tree with a
#   tighter mode would narrow that exposure; confirm how the build excludes it.
# - `for file in $(ls)` and the unquoted $FILES / $file expansions word-split
#   on whitespace; the mktemp files holding converted credentials are not
#   removed.
script: >
#!/usr/bin/env bash
echo "App Studio Configure Build"
DEST=/workspace/source/.dockerconfigjson
AUTH=/workspace/registry-auth/.dockerconfigjson
TMP=$(mktemp)
echo '{}' > $DEST
# Use secrets from serviceAccount
cd /tekton/creds-secrets
for file in $(ls); do
if [ -f "$file/.dockerconfigjson" ]; then
FILES="$FILES $file/.dockerconfigjson"
elif [ -f "$file/.dockercfg" ]; then
# convert format from .dockercfg to .dockerconfigjson
newformat=$(mktemp)
jq '{"auths": .}' $file/.dockercfg > $newformat
FILES="$FILES $newformat"
fi
done
# set highest priority on registry-auth workspace
FILES="$FILES $AUTH"
echo "Looking for Registry Auth Configs"
# Merge secrets into one file
for file in $FILES; do
if [ -f "$file" ]; then
echo "$file found"
jq -M -s '.[0] * .[1]' $DEST $file > $TMP
mv $TMP $DEST
fi
done
chmod 644 $DEST
echo -n $DEST > /tekton/results/registry-auth
echo -n "--authfile $DEST" >
/tekton/results/buildah-auth-param
workspaces:
- name: source
- name: registry-auth
optional: true
whenExpressions:
- input: 'true'
operator: in
values:
- 'true'
# TaskRun record for appstudio-init: two steps (appstudio-init, hacbs-init),
# the single `build` result, and the task definition that was executed.
test-component-baqi-9b299-appstudio-init:
pipelineTaskName: appstudio-init
status:
completionTime: '2022-11-30T19:06:58Z'
conditions:
- lastTransitionTime: '2022-11-30T19:06:58Z'
message: All Steps have completed executing
reason: Succeeded
status: 'True'
type: Succeeded
podName: test-component-baqi-9b299-appstudio-init-pod
startTime: '2022-11-30T19:06:51Z'
steps:
- container: step-appstudio-init
imageID: >-
registry.access.redhat.com/ubi8/skopeo@sha256:cc58da50c3842f5f2a4ba8781b60f6052919a5555a000cb4eb18a0bd0241b2b3
name: appstudio-init
terminated:
containerID: >-
cri-o://e7e05856f3bfb2cd0b0979ea03731b853877495c6b22cbb7013984492dc4dec5
exitCode: 0
finishedAt: '2022-11-30T19:06:58Z'
message: '[{"key":"build","value":"true","type":1}]'
reason: Completed
startedAt: '2022-11-30T19:06:57Z'
- container: step-hacbs-init
# Digest the runtime resolved for the tag-referenced ose-cli image.
imageID: >-
registry.redhat.io/openshift4/ose-cli@sha256:256ee9a1d774aed64d73546db31105b431bfb285084ea5256acf03f411710249
name: hacbs-init
terminated:
containerID: >-
cri-o://283c96df1c7cf807828c37f8f7ff9be776dcc5892b7fb992bc3f41d801db6dd4
exitCode: 0
finishedAt: '2022-11-30T19:06:58Z'
message: '[{"key":"build","value":"true","type":1}]'
reason: Completed
startedAt: '2022-11-30T19:06:58Z'
taskResults:
- name: build
type: string
value: 'true'
taskSpec:
description: >-
App Studio Initialize Pipeline Task, include flags for rebuild and
auth.
params:
- description: Image URL for testing
name: image-url
type: string
- default: 'false'
description: Rebuild the image if exists
name: rebuild
type: string
- default: 'false'
description: HACBS workflow
name: hacbs
type: string
- name: pipeline-run-name
type: string
results:
- name: build
type: string
steps:
# This step image is pinned by digest.
- image: >-
registry.access.redhat.com/ubi8/skopeo@sha256:cc58da50c3842f5f2a4ba8781b60f6052919a5555a000cb4eb18a0bd0241b2b3
name: appstudio-init
resources: {}
# The script is recorded after parameter substitution. The condition ends with
# `[ "true" == "true" ]`, which always holds, so `build` is written as "true"
# whatever `skopeo inspect` returns (presumably the hacbs flag; confirm against
# the task source). The skopeo output is discarded.
script: >
#!/bin/bash
echo "App Studio Build Initialize:
quay.io/redhat-appstudio/test-images:40b546fe076e448e83d0412a632bc216"
echo
echo "Determine if Image Already Exists"
# Build the image when image does not exists or rebuild is set
to true
if ! skopeo inspect --no-tags
docker://quay.io/redhat-appstudio/test-images:40b546fe076e448e83d0412a632bc216
&>/dev/null || [ "false" == "true" ] || [ "true" == "true" ];
then
echo -n "true" > /tekton/results/build
else
echo -n "false" > /tekton/results/build
fi
# NOTE(review): referenced by the tag v4.10 rather than a digest.
- image: 'registry.redhat.io/openshift4/ose-cli:v4.10'
name: hacbs-init
resources: {}
# NOTE(review), script below:
# - It creates secrets and annotates PipelineRuns, so the service account the
#   run uses (spec.serviceAccountName: pipeline) needs those permissions in the
#   namespace; check that the grant is no wider than this.
# - When the pull secret is missing an empty one is created, so later mounts of
#   that secret succeed without any credentials in it.
# - The `oc annotate` argument embeds double quotes inside single quotes, which
#   matches the literal '"false"' value stored in metadata.annotations.
script: >
# Create empty secret which is now hardcoded in PaC Pipelinerun
template
if ! oc get secret redhat-appstudio-registry-pull-secret
&>/dev/null; then
oc create secret generic redhat-appstudio-registry-pull-secret
fi
if [ "true" == "true" ]; then
oc annotate pipelinerun test-component-baqi-9b299 'appstudio.redhat.com/updateComponentOnSuccess="false"'
fi
# TaskRun record for clone-repository (git-clone): outcome, step termination,
# emitted results, and the task definition that was executed.
test-component-baqi-9b299-clone-repository:
pipelineTaskName: clone-repository
status:
completionTime: '2022-11-30T19:07:12Z'
conditions:
- lastTransitionTime: '2022-11-30T19:07:12Z'
message: All Steps have completed executing
reason: Succeeded
status: 'True'
type: Succeeded
podName: test-component-baqi-9b299-clone-repository-pod
startTime: '2022-11-30T19:07:03Z'
steps:
- container: step-clone
imageID: >-
registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:af7dd5b3b1598a980f17d5f5d3d8a4b11ab4f5184677f7f17ad302baa36bd3c1
name: clone
terminated:
containerID: >-
cri-o://164276483ea48f87a26d6e3594fc07ef95f4e813a0159c77859fbbfbb2065b6d
exitCode: 0
finishedAt: '2022-11-30T19:07:12Z'
message: >-
[{"key":"commit","value":"87d97d16b352ad651b8bcc2bdf682c969771a20e","type":1},{"key":"url","value":"https://github.com/redhat-appstudio-qe/devfile-sample-python-basic.git","type":1}]
reason: Completed
startedAt: '2022-11-30T19:07:11Z'
# Only `commit` and `url` were emitted. The task also declares a
# `hermetic-build` result (see taskSpec.results), which is absent here.
# `commit` is the only record of which source revision this run used.
taskResults:
- name: commit
type: string
value: 87d97d16b352ad651b8bcc2bdf682c969771a20e
- name: url
type: string
value: >-
https://github.com/redhat-appstudio-qe/devfile-sample-python-basic.git
taskSpec:
description: >-
These Tasks are Git tasks to work with repositories used by other
tasks in your Pipeline.
The git-clone Task will clone a repo from the provided url into the
output Workspace. By default the repo will be cloned into the root
of your Workspace. You can clone into a subdirectory by setting this
Task's subdirectory param. This Task also supports sparse checkouts.
To perform a sparse checkout, pass a list of comma separated
directory patterns to this Task's sparseCheckoutDirectories param.
params:
- description: Repository URL to clone from.
name: url
type: string
- default: ''
description: 'Revision to checkout. (branch, tag, sha, ref, etc...)'
name: revision
type: string
- default: ''
description: Refspec to fetch before checking out revision.
name: refspec
type: string
- default: 'true'
description: Initialize and fetch git submodules.
name: submodules
type: string
- default: '1'
description: >-
Perform a shallow clone, fetching only the most recent N
commits.
name: depth
type: string
# TLS verification for the git remote defaults to on, and the recorded step
# environment shows it was left on for this run (PARAM_SSL_VERIFY 'true').
- default: 'true'
description: >-
Set the `http.sslVerify` global git config. Setting this to
`false` is not advised unless you are sure that you trust your
git remote.
name: sslVerify
type: string
- default: ''
description: >-
Subdirectory inside the `output` Workspace to clone the repo
into.
name: subdirectory
type: string
- default: ''
description: >-
Define the directory patterns to match or exclude when
performing a sparse checkout.
name: sparseCheckoutDirectories
type: string
- default: 'true'
description: >-
Clean out the contents of the destination directory if it
already exists before cloning.
name: deleteExisting
type: string
- default: ''
description: HTTP proxy server for non-SSL requests.
name: httpProxy
type: string
- default: ''
description: HTTPS proxy server for SSL requests.
name: httpsProxy
type: string
- default: ''
description: Opt out of proxying HTTP/HTTPS requests.
name: noProxy
type: string
- default: 'true'
description: >-
Log the commands that are executed during `git-clone`'s
operation.
name: verbose
type: string
- default: >-
registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:af7dd5b3b1598a980f17d5f5d3d8a4b11ab4f5184677f7f17ad302baa36bd3c1
description: The image providing the git-init binary that this Task runs.
name: gitInitImage
type: string
- default: /tekton/home
description: >
Absolute path to the user's home directory. Set this explicitly
if you are running the image as a non-root user or have
overridden
the gitInitImage param with an image containing custom user
configuration.
name: userHome
type: string
results:
- description: The precise commit SHA that was fetched by this Task.
name: commit
type: string
- description: The precise URL that was fetched by this Task.
name: url
type: string
- description: >-
Set to `true` if a hermetic build parameters file was found in
the cloned repo.
name: hermetic-build
type: string
steps:
# Step environment after parameter substitution. Entries without a `value`
# (PARAM_REVISION, PARAM_REFSPEC, the proxy settings, ...) are empty strings.
- env:
- name: HOME
value: /tekton/home
- name: PARAM_URL
value: >-
https://github.com/redhat-appstudio-qe/devfile-sample-python-basic.git
- name: PARAM_REVISION
- name: PARAM_REFSPEC
- name: PARAM_SUBMODULES
value: 'true'
- name: PARAM_DEPTH
value: '1'
- name: PARAM_SSL_VERIFY
value: 'true'
- name: PARAM_SUBDIRECTORY
- name: PARAM_DELETE_EXISTING
value: 'true'
- name: PARAM_HTTP_PROXY
- name: PARAM_HTTPS_PROXY
- name: PARAM_NO_PROXY
- name: PARAM_VERBOSE
value: 'true'
- name: PARAM_SPARSE_CHECKOUT_DIRECTORIES
- name: PARAM_USER_HOME
value: /tekton/home
- name: WORKSPACE_OUTPUT_PATH
value: $(workspaces.output.path)
- name: WORKSPACE_SSH_DIRECTORY_BOUND
value: $(workspaces.ssh-directory.bound)
- name: WORKSPACE_SSH_DIRECTORY_PATH
value: $(workspaces.ssh-directory.path)
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND
value: $(workspaces.basic-auth.bound)
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH
value: $(workspaces.basic-auth.path)
# The step image is pinned by digest and matches the recorded imageID.
image: >-
registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:af7dd5b3b1598a980f17d5f5d3d8a4b11ab4f5184677f7f17ad302baa36bd3c1
name: clone
resources: {}
# NOTE(review), script below:
# - When a credentials workspace is bound, .git-credentials / .gitconfig (or
#   the .ssh directory) are copied into the user home and restricted to mode
#   400 (700 for the .ssh directory itself). With PARAM_VERBOSE 'true',
#   `set -x` traces the commands, which show the file paths, not the contents.
# - `set -eu` is active, so a failing `git rev-parse HEAD` ends the script at
#   that assignment; the EXIT_CODE test after it can never see a non-zero
#   value.
# - hermetic-build is written only when cachi2.params exists and never as
#   "false". Pipeline tasks that reference this result (prefetch-dependencies,
#   build-container) are listed in status.skippedTasks for this run, presumably
#   related. Writing an explicit "false" would keep the reference resolvable.
script: >
#!/usr/bin/env sh
set -eu
if [ "${PARAM_VERBOSE}" = "true" ] ; then
set -x
fi
if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials"
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig"
chmod 400 "${PARAM_USER_HOME}/.git-credentials"
chmod 400 "${PARAM_USER_HOME}/.gitconfig"
fi
if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then
cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh
chmod 700 "${PARAM_USER_HOME}"/.ssh
chmod -R 400 "${PARAM_USER_HOME}"/.ssh/*
fi
CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}"
cleandir() {
# Delete any existing contents of the repo directory if it exists.
#
# We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/"
# or the root of a mounted volume.
if [ -d "${CHECKOUT_DIR}" ] ; then
# Delete non-hidden files and directories
rm -rf "${CHECKOUT_DIR:?}"/*
# Delete files and directories starting with . but excluding ..
rm -rf "${CHECKOUT_DIR}"/.[!.]*
# Delete files and directories starting with .. plus any other character
rm -rf "${CHECKOUT_DIR}"/..?*
fi
}
if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then
cleandir
fi
test -z "${PARAM_HTTP_PROXY}" || export
HTTP_PROXY="${PARAM_HTTP_PROXY}"
test -z "${PARAM_HTTPS_PROXY}" || export
HTTPS_PROXY="${PARAM_HTTPS_PROXY}"
test -z "${PARAM_NO_PROXY}" || export
NO_PROXY="${PARAM_NO_PROXY}"
/ko-app/git-init \
-url="${PARAM_URL}" \
-revision="${PARAM_REVISION}" \
-refspec="${PARAM_REFSPEC}" \
-path="${CHECKOUT_DIR}" \
-sslVerify="${PARAM_SSL_VERIFY}" \
-submodules="${PARAM_SUBMODULES}" \
-depth="${PARAM_DEPTH}" \
-sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}"
cd "${CHECKOUT_DIR}"
RESULT_SHA="$(git rev-parse HEAD)"
EXIT_CODE="$?"
if [ "${EXIT_CODE}" != 0 ] ; then
exit "${EXIT_CODE}"
fi
printf "%s" "${RESULT_SHA}" > "/tekton/results/commit"
printf "%s" "${PARAM_URL}" > "/tekton/results/url"
if [ -e cachi2.params ]; then
printf "true" > "/tekton/results/hermetic-build"
fi
# Task workspaces. Both credential workspaces are optional, and their
# descriptions recommend binding a Secret rather than another volume type.
workspaces:
- description: >-
The git repo will be cloned onto the volume backing this
Workspace.
name: output
- description: >
A .ssh directory with private key, known_hosts, config, etc.
Copied to
the user's home before git commands are executed. Used to
authenticate
with the git remote when performing the clone. Binding a Secret
to this
Workspace is strongly recommended over other volume types.
name: ssh-directory
optional: true
- description: >
A Workspace containing a .gitconfig and .git-credentials file.
These
will be copied to the user's home before any git commands are
run. Any
other files in this Workspace are ignored. It is strongly
recommended
to use ssh-directory over basic-auth whenever possible and to
bind a
Secret to this Workspace over other volume types.
name: basic-auth
optional: true
whenExpressions:
- input: 'true'
operator: in
values:
- 'true'
# TaskRun record for sanity-inspect-image, the one failed task of this run:
# the failure condition, step termination, and the task definition executed.
test-component-baqi-9b299-sanity-inspect-image:
pipelineTaskName: sanity-inspect-image
status:
completionTime: '2022-11-30T19:07:55Z'
conditions:
# The step exited with code 1. No results were emitted; the message names the
# pod and container whose logs hold the actual error.
- lastTransitionTime: '2022-11-30T19:07:55Z'
message: >
"step-inspect-image" exited with code 1 (image:
"quay.io/redhat-appstudio/hacbs-test@sha256:017dddd2f4a3cf6c649623e3ed248c8e6ea012b6631d451114cca8de64de9fec");
for logs run: kubectl -n build-templates-e2e logs
test-component-baqi-9b299-sanity-inspect-image-pod -c
step-inspect-image
reason: Failed
status: 'False'
type: Succeeded
podName: test-component-baqi-9b299-sanity-inspect-image-pod
startTime: '2022-11-30T19:07:36Z'
steps:
- container: step-inspect-image
# Digest that the `hacbs-test:latest` tag resolved to at run time.
imageID: >-
quay.io/redhat-appstudio/hacbs-test@sha256:017dddd2f4a3cf6c649623e3ed248c8e6ea012b6631d451114cca8de64de9fec
name: inspect-image
terminated:
containerID: >-
cri-o://b522b82d7fe67c4489afa0e9890a794bbd73bb55d8d9fc5799b6296a0c29cd9d
exitCode: 1
# Started and finished within the same second, so the step failed almost
# immediately. build-container is listed in status.skippedTasks, so presumably
# the image being inspected was not produced by this run; check the step logs.
finishedAt: '2022-11-30T19:07:54Z'
reason: Error
startedAt: '2022-11-30T19:07:54Z'
taskSpec:
description: >-
Get manifest data for the source image and its base image to
workspace
params:
- description: the fully qualified image name
name: IMAGE_URL
type: string
results:
- description: Base image the source image is built from
name: BASE_IMAGE
type: string
- description: Base image repository URL
name: BASE_IMAGE_REPOSITORY
type: string
steps:
# NOTE(review): a `latest` tag is mutable; the code that ran is identified only
# by the imageID digest recorded above. Pinning by digest would make this
# check reproducible.
- image: 'quay.io/redhat-appstudio/hacbs-test:latest'
name: inspect-image
resources: {}
# NOTE(review), script below:
# - No shebang and no explicit error handling; which shell runs it and whether
#   errexit is on depends on the default preamble Tekton supplies. TODO confirm.
# - BASE_IMAGE_NAME and BASE_IMAGE_DIGEST are read from the inspected image's
#   own annotations/labels, i.e. they are controlled by whoever built the
#   image. `[ $BASE_IMAGE_NAME == 'null' ]` and `docker://$BASE_IMAGE` use them
#   unquoted; quote them and validate the reference format before use.
# - In the Labels fallback the name is read from `.Labels` but the digest from
#   `.annotations` of the same file; this looks like it should be `.Labels`
#   too, confirm.
# - `skopeo inspect ... || true` hides a failed base-image lookup, and the
#   following jq then reads whatever is in $BASE_IMAGE_INSPECT.
script: >
IMAGE_INSPECT=image_inspect.json
BASE_IMAGE_INSPECT=base_image_inspect.json
RAW_IMAGE_INSPECT=raw_image_inspect.json
echo "Inspecting manifest for source image
quay.io/redhat-appstudio/test-images:40b546fe076e448e83d0412a632bc216"
skopeo inspect --no-tags
docker://quay.io/redhat-appstudio/test-images:40b546fe076e448e83d0412a632bc216
> $IMAGE_INSPECT
skopeo inspect --no-tags --raw
docker://quay.io/redhat-appstudio/test-images:40b546fe076e448e83d0412a632bc216
> $RAW_IMAGE_INSPECT
echo "Getting base image manifest for source image
quay.io/redhat-appstudio/test-images:40b546fe076e448e83d0412a632bc216"
BASE_IMAGE_NAME="$(jq -r
".annotations.\"org.opencontainers.image.base.name\""
$RAW_IMAGE_INSPECT)"
BASE_IMAGE_DIGEST="$(jq -r
".annotations.\"org.opencontainers.image.base.digest\""
$RAW_IMAGE_INSPECT)"
if [ $BASE_IMAGE_NAME == 'null' ]; then
echo "Cannot get base image info from 'annotations'"
echo "Trying to get base image info from 'Labels'"
BASE_IMAGE_NAME="$(jq -r ".Labels.\"org.opencontainers.image.base.name\"" $IMAGE_INSPECT)"
BASE_IMAGE_DIGEST="$(jq -r ".annotations.\"org.opencontainers.image.base.digest\"" $IMAGE_INSPECT)"
if [ "$BASE_IMAGE_NAME" == 'null' ]; then
echo "Cannot get base image info from 'Labels', please check the source image quay.io/redhat-appstudio/test-images:40b546fe076e448e83d0412a632bc216"
exit 0
fi
fi
if [ -z "$BASE_IMAGE_NAME" ]; then
echo "Source image quay.io/redhat-appstudio/test-images:40b546fe076e448e83d0412a632bc216 is built from scratch, so there is no base image"
exit 0
fi
BASE_IMAGE="${BASE_IMAGE_NAME%:*}@$BASE_IMAGE_DIGEST"
echo "The base image is $BASE_IMAGE, get its manifest now"
skopeo inspect --no-tags docker://$BASE_IMAGE >
$BASE_IMAGE_INSPECT || true
echo -n "$BASE_IMAGE" | tee /tekton/results/BASE_IMAGE
BASE_IMAGE_REPOSITORY="$(jq -r '.Name | sub("[^/]+/"; "") |
sub("[:@].*"; "")' "$BASE_IMAGE_INSPECT")"
echo -n "$BASE_IMAGE_REPOSITORY" | tee
/tekton/results/BASE_IMAGE_REPOSITORY
# NOTE(review): the step runs as UID 0 with the SETFCAP capability added.
# Nothing in the visible script (skopeo inspect, jq, echo/tee) obviously needs
# either; confirm the requirement or drop both to run with least privilege.
securityContext:
capabilities:
add:
- SETFCAP
runAsUser: 0
workingDir: $(workspaces.workspace.path)/hacbs/sanity-inspect-image
workspaces:
- name: workspace
# TaskRun record for sast-snyk-check: reported as Succeeded, but no taskResults
# were recorded, so there is no HACBS_TEST_OUTPUT for this run.
test-component-baqi-9b299-sast-snyk-check:
pipelineTaskName: sast-snyk-check
status:
completionTime: '2022-11-30T19:07:34Z'
conditions:
- lastTransitionTime: '2022-11-30T19:07:34Z'
message: All Steps have completed executing
reason: Succeeded
status: 'True'
type: Succeeded
podName: test-component-baqi-9b299-sast-snyk-check-pod
startTime: '2022-11-30T19:07:16Z'
steps:
- container: step-sast-snyk-check
# Digest that the `hacbs-test:feature-sast` tag resolved to at run time.
imageID: >-
quay.io/redhat-appstudio/hacbs-test@sha256:dcffec734efe55096f1469bf444d8beea6dc00c80433f3f2018e9ce6a1fc5cfe
name: sast-snyk-check
terminated:
containerID: >-
cri-o://6a9789380373f08755cb0657b870e6d13389dfd73e6f614fdcbf860e6c000a82
exitCode: 0
# Start and finish fall in the same second and the termination record has no
# result message. That is consistent with the script's early `exit 0` when the
# Snyk token is empty, i.e. no scan took place; confirm from the step logs.
finishedAt: '2022-11-30T19:07:33Z'
reason: Completed
startedAt: '2022-11-30T19:07:33Z'
taskSpec:
description: Static code security test with snyk
params:
- default: test-team-snyk
name: SHARED_SECRET
type: string
- default: '--all-projects --exclude=test*,vendor,deps'
description: extra args needs to append
name: ARGS
type: string
results:
- description: Test output
name: HACBS_TEST_OUTPUT
type: string
steps:
# NOTE(review): `feature-sast` is a mutable tag; the image that ran is
# identified only by the imageID digest recorded above.
- image: 'quay.io/redhat-appstudio/hacbs-test:feature-sast'
name: sast-snyk-check
resources: {}
# NOTE(review), script below:
# - Fail-open: if /etc/secrets/snyk_token is missing or empty, the script
#   prints a message and exits 0 before writing HACBS_TEST_OUTPUT, so the task
#   reports Succeeded with no scan and no result. Emitting an explicit
#   SKIPPED/ERROR result on that path would let a policy gate tell "clean"
#   apart from "not scanned".
# - `1>&2>> stdout.txt` is an unusual redirection; check that both streams
#   really end up in stdout.txt, since the later `grep` and `cat` depend on it.
# - `--exclude=test*,vendor,deps` is unquoted, so the shell may glob-expand it.
# - `jq ... || true` lets a malformed SARIF file leave HACBS_TEST_OUTPUT
#   empty; the numeric `-gt` test on it then errors instead of failing the
#   task.
script: >
#!/usr/bin/env bash
SNYK_TOKEN="$(cat /etc/secrets/snyk_token)"
if [[ -z $SNYK_TOKEN ]]; then
echo "SNYK_TOKEN is empty and a secret 'test-team-snyk' which includes 'snyk_token' need to be created in test-team namespace" | tee stdout.txt
exit 0
fi
export SNYK_TOKEN
SNYK_EXIT_CODE=0
snyk code test --all-projects --exclude=test*,vendor,deps ../..
--sarif-file-output=sast_snyk_check_out.json 1>&2>> stdout.txt
|| SNYK_EXIT_CODE=$?
test_not_skipped=0
SKIP_MSG="We found 0 supported files"
grep -q "$SKIP_MSG" stdout.txt || test_not_skipped=$?
if [[ "$SNYK_EXIT_CODE" -eq 0 ]] || [[ "$SNYK_EXIT_CODE" -eq 1
]]; then
cat sast_snyk_check_out.json
HACBS_TEST_OUTPUT=$(jq -rce --arg date $(date +%s) \
'{ result: (if (.runs[].results | length > 0) then "FAILURE" else "SUCCESS" end),
timestamp: $date,
namespace: "default",
successes: 0,
note: "",
failures: (.runs[].results | length)
}' sast_snyk_check_out.json || true)
# Log out the failing runs
if [ $(echo $HACBS_TEST_OUTPUT | jq '.failures') -gt 0 ]
then
echo "The sast-snyk-check test fails with the following runs:"
jq '.runs[].results // []|map(.message.text) | unique' sast_snyk_check_out.json
fi
# When the test is skipped, the "SNYK_EXIT_CODE" is 3 and it can
also be 3 in some other situation
elif [[ "$test_not_skipped" -eq 0 ]]; then
HACBS_ERROR_OUTPUT=$(jq -rc --arg date $(date +%s) --arg SKIP_MESSAGE "${SKIP_MSG}" --null-input \
'{result: "SKIPPED", note: $SKIP_MESSAGE, timestamp: $date}')
else
echo "The sast-snyk-check test has failed with the following issues:"
cat stdout.txt
HACBS_ERROR_OUTPUT=$(jq -rc --arg date $(date +%s) --null-input \
'{result: "ERROR", timestamp: $date}')
fi
echo "${HACBS_TEST_OUTPUT:-${HACBS_ERROR_OUTPUT}}" | tee
/tekton/results/HACBS_TEST_OUTPUT
# The token is mounted read-only as a file rather than injected as an
# environment variable by the pod spec; the script exports it itself.
volumeMounts:
- mountPath: /etc/secrets
name: snyk-secret
readOnly: true
workingDir: $(workspaces.workspace.path)/hacbs/sast-snyk-check
# `optional: true` lets the pod start when the secret does not exist; combined
# with the early `exit 0` in the script, a missing secret yields a green task.
volumes:
- name: snyk-secret
secret:
optional: true
secretName: test-team-snyk
workspaces:
- name: workspace
whenExpressions:
- input: 'true'
operator: in
values:
- 'true'
# Recorded TaskRun status for pipeline task "show-summary": the outcome, the
# step's termination details, and the taskSpec that was executed.
test-component-baqi-9b299-show-summary:
pipelineTaskName: show-summary
status:
completionTime: '2022-11-30T19:08:04Z'
conditions:
- lastTransitionTime: '2022-11-30T19:08:04Z'
message: All Steps have completed executing
reason: Succeeded
status: 'True'
type: Succeeded
podName: test-component-baqi-9b299-show-summary-pod
startTime: '2022-11-30T19:07:57Z'
steps:
- container: step-appstudio-summary
# NOTE(review): this recorded digest (9a1ca7a3...) differs from the digest the
# taskSpec pins below (e6b307c5...). That may be a manifest-list digest versus
# the platform-specific image digest; confirm before relying on either value
# when checking provenance.
imageID: >-
registry.redhat.io/openshift4/ose-cli@sha256:9a1ca7a36cfdd6c69398b35a7311db662ca7c652e6e8bd440a6331c12f89703a
name: appstudio-summary
terminated:
containerID: >-
cri-o://de6e01caa1be38758afd703b2301f3c870f3ebdfaec34f3fc36d5faeab49f63d
exitCode: 0
finishedAt: '2022-11-30T19:08:04Z'
reason: Completed
startedAt: '2022-11-30T19:08:04Z'
taskSpec:
description: App Studio Summary Pipeline Task.
# Three string params are declared, but the recorded script contains a literal
# run name, repository URL and image reference instead of parameter references;
# presumably the values were substituted into the script text before it was
# stored - TODO confirm against the Task source.
params:
- description: pipeline-run to annotate
name: pipeline-run-name
type: string
- description: Git URL
name: git-url
type: string
- description: Image URL
name: image-url
type: string
steps:
# Image pinned by digest.
- image: >-
registry.redhat.io/openshift4/ose-cli@sha256:e6b307c51374607294d1756b871d3c702251c396efdd44d4ef8db68e239339d3
name: appstudio-summary
resources: {}
# Script flow, as recorded: prints the build repository and generated image,
# runs `oc annotate pipelinerun` twice to set build.appstudio.openshift.io/repo
# and build.appstudio.openshift.io/image on the run, then prints the `oc get pr`
# commands that read those annotations back.
# Review points:
#   - The repo URL and image reference sit unquoted in the `oc annotate`
#     arguments. If they come from parameters substituted into the script text,
#     bash parses whatever the parameter contains; passing them through
#     environment variables and quoting them keeps them as data.
#   - The step modifies a PipelineRun from inside the run, so its service
#     account presumably holds patch rights on pipelineruns; keep that grant as
#     narrow as the cluster allows.
#   - The two annotations are written by the run itself; treat them as
#     informational rather than as independently verified provenance.
script: >
#!/usr/bin/env bash
echo
echo "App Studio Build Summary:"
echo
echo "Build repository:
https://github.com/redhat-appstudio-qe/devfile-sample-python-basic.git"
echo "Generated Image is in :
quay.io/redhat-appstudio/test-images:40b546fe076e448e83d0412a632bc216"
echo
oc annotate pipelinerun test-component-baqi-9b299
build.appstudio.openshift.io/repo=https://github.com/redhat-appstudio-qe/devfile-sample-python-basic.git
oc annotate pipelinerun test-component-baqi-9b299
build.appstudio.openshift.io/image=quay.io/redhat-appstudio/test-images:40b546fe076e448e83d0412a632bc216
echo "Output is in the following annotations:"
echo "Build Repo is in 'build.appstudio.openshift.io/repo' "
echo 'oc get pr test-component-baqi-9b299 -o
jsonpath="{.metadata.annotations.build\.appstudio\.openshift\.io/repo}"'
echo "Build Image is in 'build.appstudio.openshift.io/image' "
echo 'oc get pr test-component-baqi-9b299 -o
jsonpath="{.metadata.annotations.build\.appstudio\.openshift\.io/image}"'
echo End Summary