@zregvart
Created November 29, 2022 19:55
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
annotations:
appstudio.redhat.com/updateComponentOnSuccess: '"false"'
build.appstudio.openshift.io/image: quay.io/hacbs-contract-demo/single-container-app
build.appstudio.openshift.io/repo: https://github.com/jduimovich/single-container-app
chains.tekton.dev/signed: "true"
kubectl.kubernetes.io/last-applied-configuration: |
{"apiVersion":"tekton.dev/v1beta1","kind":"PipelineRun","metadata":{"annotations":{},"name":"single-container-app-6d22125da60d6857","namespace":"work"},"spec":{"params":[{"name":"git-url","value":"https://github.com/jduimovich/single-container-app"},{"name":"output-image","value":"quay.io/hacbs-contract-demo/single-container-app"},{"name":"dockerfile","value":"Dockerfile"},{"name":"path-context","value":"."},{"name":"hacbs","value":true},{"name":"rebuild","value":true}],"pipelineRef":{"bundle":"quay.io/redhat-appstudio-tekton-catalog/pipeline-hacbs-docker-build:devel","name":"docker-build"},"serviceAccountName":"pipeline","timeout":"1h0m0s","workspaces":[{"name":"workspace","persistentVolumeClaim":{"claimName":"appstudio"},"subPath":"single-container-app/build-2022-11-29T20:39:23+01:00"}]}}
results.tekton.dev/record: work/results/7873a162-4239-49b4-b738-572a5a264381/records/7873a162-4239-49b4-b738-572a5a264381
results.tekton.dev/result: work/results/7873a162-4239-49b4-b738-572a5a264381
creationTimestamp: "2022-11-29T19:39:23Z"
finalizers:
- chains.tekton.dev/pipelinerun
generation: 1
labels:
pipelines.openshift.io/runtime: generic
pipelines.openshift.io/strategy: docker
pipelines.openshift.io/used-by: build-cloud
tekton.dev/pipeline: docker-build
name: single-container-app-6d22125da60d6857
namespace: work
resourceVersion: "1362466"
uid: 7873a162-4239-49b4-b738-572a5a264381
spec:
params:
- name: git-url
value: https://github.com/jduimovich/single-container-app
- name: output-image
value: quay.io/hacbs-contract-demo/single-container-app
- name: dockerfile
value: Dockerfile
- name: path-context
value: .
- name: hacbs
value: "true"
- name: rebuild
value: "true"
pipelineRef:
bundle: quay.io/redhat-appstudio-tekton-catalog/pipeline-hacbs-docker-build:devel
name: docker-build
serviceAccountName: pipeline
timeout: 1h0m0s
workspaces:
- name: workspace
persistentVolumeClaim:
claimName: appstudio
subPath: single-container-app/build-2022-11-29T20:39:23+01:00
status:
completionTime: "2022-11-29T19:41:46Z"
conditions:
- lastTransitionTime: "2022-11-29T19:41:46Z"
message: 'Tasks Completed: 6 (Failed: 1, Cancelled 0), Skipped: 9'
reason: Failed
status: "False"
type: Succeeded
pipelineSpec:
finally:
- name: show-summary
params:
- name: pipeline-run-name
value: single-container-app-6d22125da60d6857
- name: git-url
value: https://github.com/jduimovich/single-container-app
- name: image-url
value: quay.io/hacbs-contract-demo/single-container-app
taskRef:
bundle: quay.io/redhat-appstudio-tekton-catalog/task-summary:0.1@sha256:59d49758686c141bd26b3c193e52fd23bb47831c2a5d5872388ad6824684735e
kind: Task
name: summary
params:
- description: Source Repository URL
name: git-url
type: string
- default: ""
description: Revision of the Source Repository
name: revision
type: string
- description: Fully Qualified Output Image
name: output-image
type: string
- default: .
description: The path to your source code
name: path-context
type: string
- default: Dockerfile
description: Path to the Dockerfile
name: dockerfile
type: string
- default: "false"
description: Force rebuild image
name: rebuild
type: string
- default: "true"
description: Enable HACBS tasks
name: hacbs
type: string
- default: "false"
description: Java build
name: java
type: string
results:
- description: ""
name: IMAGE_URL
value: $(tasks.build-container.results.IMAGE_URL)
- description: ""
name: IMAGE_DIGEST
value: $(tasks.build-container.results.IMAGE_DIGEST)
- description: ""
name: CHAINS-GIT_URL
value: $(tasks.clone-repository.results.url)
- description: ""
name: CHAINS-GIT_COMMIT
value: $(tasks.clone-repository.results.commit)
- description: ""
name: JAVA_COMMUNITY_DEPENDENCIES
value: $(tasks.build-container.results.JAVA_COMMUNITY_DEPENDENCIES)
tasks:
- name: appstudio-init
params:
- name: image-url
value: quay.io/hacbs-contract-demo/single-container-app
- name: rebuild
value: "true"
- name: hacbs
value: "true"
- name: pipeline-run-name
value: single-container-app-6d22125da60d6857
taskRef:
bundle: quay.io/redhat-appstudio-tekton-catalog/task-init:0.1@sha256:aa9c545f70d0618a5d119addedf3136619914c923cb67740283c11219f3f3a1e
kind: Task
name: init
- name: clone-repository
params:
- name: url
value: https://github.com/jduimovich/single-container-app
- name: revision
value: ""
runAfter:
- appstudio-init
taskRef:
bundle: quay.io/redhat-appstudio-tekton-catalog/task-git-clone:0.1@sha256:c940e53d45fc496970f341a2e0292d2831861c5fb5333fd83bec45bf7e7de4fb
kind: Task
name: git-clone
when:
- input: $(tasks.appstudio-init.results.build)
operator: in
values:
- "true"
workspaces:
- name: output
workspace: workspace
- name: basic-auth
workspace: git-auth
- name: appstudio-configure-build
runAfter:
- clone-repository
taskRef:
bundle: quay.io/redhat-appstudio-tekton-catalog/task-configure-build:0.1@sha256:9f8b5438fda511507e51a0372b4d85892d6f695bd4f54ce067e1c1a1fbc70b30
kind: Task
name: configure-build
when:
- input: $(tasks.appstudio-init.results.build)
operator: in
values:
- "true"
workspaces:
- name: source
workspace: workspace
- name: registry-auth
workspace: registry-auth
- name: prefetch-dependencies
params:
- name: package-type
value: gomod
- name: package-path
value: .
runAfter:
- appstudio-configure-build
taskRef:
bundle: quay.io/redhat-appstudio-tekton-catalog/task-prefetch-dependencies:0.1@sha256:068c26c173a3c548678c3c5a4095dfa393c815c0a3ab8437ae9ad846ba1f6cf4
kind: Task
name: prefetch-dependencies
when:
- input: $(tasks.clone-repository.results.hermetic-build)
operator: in
values:
- "true"
workspaces:
- name: source
workspace: workspace
- name: build-container
params:
- name: IMAGE
value: quay.io/hacbs-contract-demo/single-container-app
- name: DOCKERFILE
value: Dockerfile
- name: CONTEXT
value: .
- name: BUILD_EXTRA_ARGS
value: $(tasks.appstudio-configure-build.results.buildah-auth-param)
- name: PUSH_EXTRA_ARGS
value: $(tasks.appstudio-configure-build.results.buildah-auth-param)
- name: HERMETIC_BUILD
value: $(tasks.clone-repository.results.hermetic-build)
runAfter:
- prefetch-dependencies
taskRef:
bundle: quay.io/redhat-appstudio-tekton-catalog/task-buildah:0.1@sha256:0310f911d5686e2906514f56a16ff29e4bdc4c2775ea5473e3d920fd96fdd0ed
kind: Task
name: buildah
when:
- input: $(tasks.appstudio-init.results.build)
operator: in
values:
- "true"
workspaces:
- name: source
workspace: workspace
- name: sanity-inspect-image
params:
- name: IMAGE_URL
value: quay.io/hacbs-contract-demo/single-container-app
runAfter:
- build-container
taskRef:
bundle: quay.io/redhat-appstudio-tekton-catalog/task-sanity-inspect-image:0.1@sha256:de97f40b767e6b74eb52130e62736178df7ec80021e7e5f04a9da617666bc8b8
kind: Task
name: sanity-inspect-image
when:
- input: "true"
operator: in
values:
- "true"
workspaces:
- name: workspace
workspace: workspace
- name: sanity-label-check
runAfter:
- sanity-inspect-image
taskRef:
bundle: quay.io/redhat-appstudio-tekton-catalog/task-sanity-label-check:0.1@sha256:3bd4633b70548dd0055068a970322811b3a96a8a5d98d0b483c748d37135a7a5
kind: Task
name: sanity-label-check
when:
- input: "true"
operator: in
values:
- "true"
workspaces:
- name: workspace
workspace: workspace
- name: sanity-optional-label-check
params:
- name: POLICY_NAMESPACE
value: optional_checks
runAfter:
- sanity-inspect-image
taskRef:
bundle: quay.io/redhat-appstudio-tekton-catalog/task-sanity-label-check:0.1@sha256:3bd4633b70548dd0055068a970322811b3a96a8a5d98d0b483c748d37135a7a5
kind: Task
name: sanity-label-check
when:
- input: "true"
operator: in
values:
- "true"
workspaces:
- name: workspace
workspace: workspace
- name: deprecated-base-image-check
params:
- name: IMAGE_REGISTRY
value: registry.access.redhat.com
- name: IMAGE_REPOSITORY
value: $(tasks.sanity-inspect-image.results.BASE_IMAGE_REPOSITORY)
runAfter:
- sanity-inspect-image
taskRef:
bundle: quay.io/redhat-appstudio-tekton-catalog/task-deprecated-image-check:0.1@sha256:a7e8f82a7c5c4b2e8bf86338f8aedf44b5606daf591462b9aa5adb35f7df6cac
kind: Task
name: deprecated-image-check
when:
- input: "true"
operator: in
values:
- "true"
workspaces:
- name: sanity-ws
workspace: workspace
- name: get-clair-results
params:
- name: image-digest
value: $(tasks.build-container.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-container.results.IMAGE_URL)
runAfter:
- build-container
taskRef:
bundle: quay.io/redhat-appstudio-tekton-catalog/task-get-clair-scan:0.1@sha256:f5259b6194f73e43f8f1d8ec8f7cd7466209fbf8aaf8b8ac4cf653fc54fc6b3b
kind: Task
name: get-clair-scan
when:
- input: "true"
operator: in
values:
- "true"
workspaces:
- name: clair-ws
workspace: workspace
- name: registry-auth
workspace: registry-auth
- name: conftest-clair
runAfter:
- get-clair-results
taskRef:
bundle: quay.io/redhat-appstudio-tekton-catalog/task-conftest-clair:0.1@sha256:afd12c004c1e4f0a86f117fc1fee85ab19c9f090e281e2e0db0c0c14adecff35
kind: Task
name: conftest-clair
when:
- input: "true"
operator: in
values:
- "true"
workspaces:
- name: conftest-ws
workspace: workspace
- name: sast-snyk-check
runAfter:
- clone-repository
taskRef:
bundle: quay.io/redhat-appstudio-tekton-catalog/task-sast-snyk-check:0.1@sha256:3da394c1123a31a7a3c38e51dc7035e4f468998f6b160d8873d6e9634b6caa6b
kind: Task
name: sast-snyk-check
when:
- input: "true"
operator: in
values:
- "true"
workspaces:
- name: workspace
workspace: workspace
- name: clamav-scan
params:
- name: image-digest
value: $(tasks.build-container.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-container.results.IMAGE_URL)
runAfter:
- build-container
taskRef:
bundle: quay.io/redhat-appstudio-tekton-catalog/task-clamav-scan:0.1@sha256:641d749124ff7d80a67e0890198b211db08be77da074deb0e8f206ebfade19db
kind: Task
name: clamav-scan
when:
- input: "true"
operator: in
values:
- "true"
workspaces:
- name: registry-auth
workspace: registry-auth
- name: sbom-json-check
params:
- name: IMAGE_URL
value: $(tasks.build-container.results.IMAGE_URL)
runAfter:
- build-container
taskRef:
bundle: quay.io/redhat-appstudio-tekton-catalog/task-sbom-json-check:0.1@sha256:9d228fedb0429e4ae6f383e9355615823e0684a36ab3c2453a3f3cd56f518944
kind: Task
name: sbom-json-check
when:
- input: "true"
operator: in
values:
- "true"
workspaces:
- name: workspace
workspace: workspace
workspaces:
- name: workspace
- name: registry-auth
optional: true
- name: git-auth
optional: true
skippedTasks:
- name: prefetch-dependencies
reason: PipelineRun was stopping
whenExpressions:
- input: $(tasks.clone-repository.results.hermetic-build)
operator: in
values:
- "true"
- name: build-container
reason: PipelineRun was stopping
whenExpressions:
- input: $(tasks.appstudio-init.results.build)
operator: in
values:
- "true"
- name: sanity-label-check
reason: PipelineRun was stopping
whenExpressions:
- input: "true"
operator: in
values:
- "true"
- name: sanity-optional-label-check
reason: PipelineRun was stopping
whenExpressions:
- input: "true"
operator: in
values:
- "true"
- name: deprecated-base-image-check
reason: PipelineRun was stopping
whenExpressions:
- input: "true"
operator: in
values:
- "true"
- name: get-clair-results
reason: PipelineRun was stopping
whenExpressions:
- input: "true"
operator: in
values:
- "true"
- name: conftest-clair
reason: PipelineRun was stopping
whenExpressions:
- input: "true"
operator: in
values:
- "true"
- name: clamav-scan
reason: PipelineRun was stopping
whenExpressions:
- input: "true"
operator: in
values:
- "true"
- name: sbom-json-check
reason: PipelineRun was stopping
whenExpressions:
- input: "true"
operator: in
values:
- "true"
startTime: "2022-11-29T19:39:23Z"
taskRuns:
# taskRun: appstudio-configure-build
# Collects registry credentials from the service-account secrets mounted at
# /tekton/creds-secrets and from the optional registry-auth workspace, merges
# them into one .dockerconfigjson under the *source* workspace, and exposes
# that path as results (consumed by build-container as BUILD_EXTRA_ARGS /
# PUSH_EXTRA_ARGS and by later tasks as the registry-auth location).
single-container-app-6d22125da60d6857-appstudio-configure-build:
  pipelineTaskName: appstudio-configure-build
  status:
    completionTime: "2022-11-29T19:40:40Z"
    conditions:
    - lastTransitionTime: "2022-11-29T19:40:40Z"
      message: All Steps have completed executing
      reason: Succeeded
      status: "True"
      type: Succeeded
    podName: single-container-app-6d22125c0e1f1eca73d1d5d9c00bf920c323a8-pod
    startTime: "2022-11-29T19:40:33Z"
    steps:
    - container: step-appstudio-configure-build
      # Digest-resolved image actually run; the taskSpec below references the
      # same repository by a commit-sha tag.
      imageID: quay.io/redhat-appstudio/appstudio-utils@sha256:e1d7e2bbff7032f078df41ab4d6345ada8474f615c0e93f6268ae9ba48a81b1d
      name: appstudio-configure-build
      terminated:
        containerID: cri-o://d982daead63d92fb349b9f9a6ea0f919d41fe17b2c42119cdff689b5d3459d7b
        exitCode: 0
        finishedAt: "2022-11-29T19:40:40Z"
        # Termination message carries the task results (paths only, not the
        # credential contents).
        message: '[{"key":"buildah-auth-param","value":"--authfile /workspace/source/.dockerconfigjson","type":1},{"key":"registry-auth","value":"/workspace/source/.dockerconfigjson","type":1}]'
        reason: Completed
        startedAt: "2022-11-29T19:40:40Z"
    taskResults:
    - name: buildah-auth-param
      type: string
      value: --authfile /workspace/source/.dockerconfigjson
    - name: registry-auth
      type: string
      value: /workspace/source/.dockerconfigjson
    taskSpec:
      description: App Studio Configure Build Secrets in Source.
      results:
      - description: docker config location
        name: registry-auth
        type: string
      - description: pass this to the build optional params to configure secrets
        name: buildah-auth-param
        type: string
      steps:
      - image: quay.io/redhat-appstudio/appstudio-utils:4580b3ba3012095ff3981e50b6bbf753d4afd4c3
        name: appstudio-configure-build
        resources: {}
        # Review notes on the script below:
        # - DEST is written into the source workspace, which build-container
        #   mounts as its `source` workspace with CONTEXT "." — the merged
        #   registry credentials therefore sit at the root of the build
        #   context. The Dockerfile is not on this page; confirm it does not
        #   copy the context wholesale (or that .dockerconfigjson is ignored).
        # - `chmod 644 $DEST` leaves the credential file world-readable on the
        #   shared workspace volume; 600 would suffice if the consuming steps
        #   run as the same user — confirm.
        # - jq's `*` is a recursive object merge, so later files override
        #   earlier ones key by key; AUTH is appended last and wins.
        # - `for file in $(ls)` word-splits on whitespace; `for file in */` is
        #   the safer idiom (secret names rarely contain spaces, so low risk).
        script: |
          #!/usr/bin/env bash
          echo "App Studio Configure Build"
          DEST=/workspace/source/.dockerconfigjson
          AUTH=/workspace/registry-auth/.dockerconfigjson
          TMP=$(mktemp)
          echo '{}' > $DEST
          # Use secrets from serviceAccount
          cd /tekton/creds-secrets
          for file in $(ls); do
            if [ -f "$file/.dockerconfigjson" ]; then
              FILES="$FILES $file/.dockerconfigjson"
            elif [ -f "$file/.dockercfg" ]; then
              # convert format from .dockercfg to .dockerconfigjson
              newformat=$(mktemp)
              jq '{"auths": .}' $file/.dockercfg > $newformat
              FILES="$FILES $newformat"
            fi
          done
          # set highest priority on registry-auth workspace
          FILES="$FILES $AUTH"
          echo "Looking for Registry Auth Configs"
          # Merge secrets into one file
          for file in $FILES; do
            if [ -f "$file" ]; then
              echo "$file found"
              jq -M -s '.[0] * .[1]' $DEST $file > $TMP
              mv $TMP $DEST
            fi
          done
          chmod 644 $DEST
          echo -n $DEST > /tekton/results/registry-auth
          echo -n "--authfile $DEST" > /tekton/results/buildah-auth-param
      workspaces:
      - name: source
      # Optional: when unbound, AUTH does not exist and only the
      # service-account secrets are merged.
      - name: registry-auth
        optional: true
  whenExpressions:
  - input: "true"
    operator: in
    values:
    - "true"
# taskRun: appstudio-init
# Decides whether the image needs to be (re)built and writes the `build`
# result that gates clone-repository, appstudio-configure-build and
# build-container via their when-expressions.
single-container-app-6d22125da60d6857-appstudio-init:
  pipelineTaskName: appstudio-init
  status:
    completionTime: "2022-11-29T19:39:51Z"
    conditions:
    - lastTransitionTime: "2022-11-29T19:39:51Z"
      message: All Steps have completed executing
      reason: Succeeded
      status: "True"
      type: Succeeded
    podName: single-container-app-6d22125da60d6857-appstudio-init-pod
    startTime: "2022-11-29T19:39:40Z"
    steps:
    - container: step-appstudio-init
      imageID: registry.access.redhat.com/ubi8/skopeo@sha256:cc58da50c3842f5f2a4ba8781b60f6052919a5555a000cb4eb18a0bd0241b2b3
      name: appstudio-init
      terminated:
        containerID: cri-o://65c47cb32ba783e13e4a89804ef47a634c7c83f3523655da588656019a4c3bb3
        exitCode: 0
        finishedAt: "2022-11-29T19:39:50Z"
        message: '[{"key":"build","value":"true","type":1}]'
        reason: Completed
        startedAt: "2022-11-29T19:39:47Z"
    - container: step-hacbs-init
      # Digest-resolved image; the taskSpec below references ose-cli by the
      # mutable tag v4.10.
      imageID: registry.redhat.io/openshift4/ose-cli@sha256:256ee9a1d774aed64d73546db31105b431bfb285084ea5256acf03f411710249
      name: hacbs-init
      terminated:
        containerID: cri-o://51804eb894e22e6e2535996d3ccd3803cd785a13f996f07d9ea29d5895cc7c8c
        exitCode: 0
        finishedAt: "2022-11-29T19:39:50Z"
        message: '[{"key":"build","value":"true","type":1}]'
        reason: Completed
        startedAt: "2022-11-29T19:39:50Z"
    taskResults:
    - name: build
      type: string
      value: "true"
    taskSpec:
      description: App Studio Initialize Pipeline Task, include flags for rebuild
        and auth.
      params:
      - description: Image URL for testing
        name: image-url
        type: string
      - default: "false"
        description: Rebuild the image if exists
        name: rebuild
        type: string
      - default: "false"
        description: HACBS workflow
        name: hacbs
        type: string
      - name: pipeline-run-name
        type: string
      results:
      - name: build
        type: string
      steps:
      - image: registry.access.redhat.com/ubi8/skopeo@sha256:cc58da50c3842f5f2a4ba8781b60f6052919a5555a000cb4eb18a0bd0241b2b3
        name: appstudio-init
        resources: {}
        # The params appear to have been substituted at render time: rebuild
        # and hacbs were both passed as "true", which is why the condition
        # below reads `|| [ "true" == "true" ] || [ "true" == "true" ]`. The
        # skopeo existence probe is short-circuited and `build` is always
        # "true" for this run.
        script: |
          #!/bin/bash
          echo "App Studio Build Initialize: quay.io/hacbs-contract-demo/single-container-app"
          echo
          echo "Determine if Image Already Exists"
          # Build the image when image does not exists or rebuild is set to true
          if ! skopeo inspect --no-tags docker://quay.io/hacbs-contract-demo/single-container-app &>/dev/null || [ "true" == "true" ] || [ "true" == "true" ]; then
            echo -n "true" > /tekton/results/build
          else
            echo -n "false" > /tekton/results/build
          fi
      - image: registry.redhat.io/openshift4/ose-cli:v4.10
        name: hacbs-init
        resources: {}
        # Review notes on the script below:
        # - It creates an (empty) Secret and annotates the PipelineRun with
        #   the task's own service account, which implies that account holds
        #   create on secrets and patch on pipelineruns in this namespace —
        #   confirm that is the intended RBAC scope.
        # - The annotation value is written as the string "false" *including*
        #   the double quotes; that is how metadata.annotations above ends up
        #   with '"false"'. Anything comparing it against a bare false will
        #   not match — confirm the consumer expects the quoted form.
        script: |
          # Create empty secret which is now hardcoded in PaC Pipelinerun template
          if ! oc get secret redhat-appstudio-registry-pull-secret &>/dev/null; then
            oc create secret generic redhat-appstudio-registry-pull-secret
          fi
          if [ "true" == "true" ]; then
            oc annotate pipelinerun single-container-app-6d22125da60d6857 'appstudio.redhat.com/updateComponentOnSuccess="false"'
          fi
single-container-app-6d22125da60d6857-clone-repository:
pipelineTaskName: clone-repository
status:
completionTime: "2022-11-29T19:40:17Z"
conditions:
- lastTransitionTime: "2022-11-29T19:40:17Z"
message: All Steps have completed executing
reason: Succeeded
status: "True"
type: Succeeded
podName: single-container-app-6d22125da60d6857-clone-repository-pod
startTime: "2022-11-29T19:40:06Z"
steps:
- container: step-clone
imageID: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:af7dd5b3b1598a980f17d5f5d3d8a4b11ab4f5184677f7f17ad302baa36bd3c1
name: clone
terminated:
containerID: cri-o://524cfb40143b2c0221b30bd1f323d23ce3ec52e9edf27c9aa15a8a8267d056e0
exitCode: 0
finishedAt: "2022-11-29T19:40:17Z"
message: '[{"key":"commit","value":"62c06bf8d6aa1d5d2c1c604303f11efa74180047","type":1},{"key":"url","value":"https://github.com/jduimovich/single-container-app","type":1}]'
reason: Completed
startedAt: "2022-11-29T19:40:16Z"
taskResults:
- name: commit
type: string
value: 62c06bf8d6aa1d5d2c1c604303f11efa74180047
- name: url
type: string
value: https://github.com/jduimovich/single-container-app
taskSpec:
description: |-
These Tasks are Git tasks to work with repositories used by other tasks in your Pipeline.
The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace. You can clone into a subdirectory by setting this Task's subdirectory param. This Task also supports sparse checkouts. To perform a sparse checkout, pass a list of comma separated directory patterns to this Task's sparseCheckoutDirectories param.
params:
- description: Repository URL to clone from.
name: url
type: string
- default: ""
description: Revision to checkout. (branch, tag, sha, ref, etc...)
name: revision
type: string
- default: ""
description: Refspec to fetch before checking out revision.
name: refspec
type: string
- default: "true"
description: Initialize and fetch git submodules.
name: submodules
type: string
- default: "1"
description: Perform a shallow clone, fetching only the most recent N
commits.
name: depth
type: string
- default: "true"
description: Set the `http.sslVerify` global git config. Setting this
to `false` is not advised unless you are sure that you trust your git
remote.
name: sslVerify
type: string
- default: ""
description: Subdirectory inside the `output` Workspace to clone the repo
into.
name: subdirectory
type: string
- default: ""
description: Define the directory patterns to match or exclude when performing
a sparse checkout.
name: sparseCheckoutDirectories
type: string
- default: "true"
description: Clean out the contents of the destination directory if it
already exists before cloning.
name: deleteExisting
type: string
- default: ""
description: HTTP proxy server for non-SSL requests.
name: httpProxy
type: string
- default: ""
description: HTTPS proxy server for SSL requests.
name: httpsProxy
type: string
- default: ""
description: Opt out of proxying HTTP/HTTPS requests.
name: noProxy
type: string
- default: "true"
description: Log the commands that are executed during `git-clone`'s operation.
name: verbose
type: string
- default: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:af7dd5b3b1598a980f17d5f5d3d8a4b11ab4f5184677f7f17ad302baa36bd3c1
description: The image providing the git-init binary that this Task runs.
name: gitInitImage
type: string
- default: /tekton/home
description: |
Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user or have overridden
the gitInitImage param with an image containing custom user configuration.
name: userHome
type: string
results:
- description: The precise commit SHA that was fetched by this Task.
name: commit
type: string
- description: The precise URL that was fetched by this Task.
name: url
type: string
- description: Set to `true` if a hermetic build parameters file was found
in the cloned repo.
name: hermetic-build
type: string
steps:
- env:
- name: HOME
value: /tekton/home
- name: PARAM_URL
value: https://github.com/jduimovich/single-container-app
- name: PARAM_REVISION
- name: PARAM_REFSPEC
- name: PARAM_SUBMODULES
value: "true"
- name: PARAM_DEPTH
value: "1"
- name: PARAM_SSL_VERIFY
value: "true"
- name: PARAM_SUBDIRECTORY
- name: PARAM_DELETE_EXISTING
value: "true"
- name: PARAM_HTTP_PROXY
- name: PARAM_HTTPS_PROXY
- name: PARAM_NO_PROXY
- name: PARAM_VERBOSE
value: "true"
- name: PARAM_SPARSE_CHECKOUT_DIRECTORIES
- name: PARAM_USER_HOME
value: /tekton/home
- name: WORKSPACE_OUTPUT_PATH
value: $(workspaces.output.path)
- name: WORKSPACE_SSH_DIRECTORY_BOUND
value: $(workspaces.ssh-directory.bound)
- name: WORKSPACE_SSH_DIRECTORY_PATH
value: $(workspaces.ssh-directory.path)
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND
value: $(workspaces.basic-auth.bound)
- name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH
value: $(workspaces.basic-auth.path)
image: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:af7dd5b3b1598a980f17d5f5d3d8a4b11ab4f5184677f7f17ad302baa36bd3c1
name: clone
resources: {}
script: |
#!/usr/bin/env sh
set -eu
if [ "${PARAM_VERBOSE}" = "true" ] ; then
set -x
fi
if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials"
cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig"
chmod 400 "${PARAM_USER_HOME}/.git-credentials"
chmod 400 "${PARAM_USER_HOME}/.gitconfig"
fi
if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then
cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh
chmod 700 "${PARAM_USER_HOME}"/.ssh
chmod -R 400 "${PARAM_USER_HOME}"/.ssh/*
fi
CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}"
cleandir() {
# Delete any existing contents of the repo directory if it exists.
#
# We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/"
# or the root of a mounted volume.
if [ -d "${CHECKOUT_DIR}" ] ; then
# Delete non-hidden files and directories
rm -rf "${CHECKOUT_DIR:?}"/*
# Delete files and directories starting with . but excluding ..
rm -rf "${CHECKOUT_DIR}"/.[!.]*
# Delete files and directories starting with .. plus any other character
rm -rf "${CHECKOUT_DIR}"/..?*
fi
}
if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then
cleandir
fi
test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}"
test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}"
test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}"
/ko-app/git-init \
-url="${PARAM_URL}" \
-revision="${PARAM_REVISION}" \
-refspec="${PARAM_REFSPEC}" \
-path="${CHECKOUT_DIR}" \
-sslVerify="${PARAM_SSL_VERIFY}" \
-submodules="${PARAM_SUBMODULES}" \
-depth="${PARAM_DEPTH}" \
-sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}"
cd "${CHECKOUT_DIR}"
RESULT_SHA="$(git rev-parse HEAD)"
EXIT_CODE="$?"
if [ "${EXIT_CODE}" != 0 ] ; then
exit "${EXIT_CODE}"
fi
printf "%s" "${RESULT_SHA}" > "/tekton/results/commit"
printf "%s" "${PARAM_URL}" > "/tekton/results/url"
if [ -e cachi2.params ]; then
printf "true" > "/tekton/results/hermetic-build"
fi
workspaces:
- description: The git repo will be cloned onto the volume backing this
Workspace.
name: output
- description: |
A .ssh directory with private key, known_hosts, config, etc. Copied to
the user's home before git commands are executed. Used to authenticate
with the git remote when performing the clone. Binding a Secret to this
Workspace is strongly recommended over other volume types.
name: ssh-directory
optional: true
- description: |
A Workspace containing a .gitconfig and .git-credentials file. These
will be copied to the user's home before any git commands are run. Any
other files in this Workspace are ignored. It is strongly recommended
to use ssh-directory over basic-auth whenever possible and to bind a
Secret to this Workspace over other volume types.
name: basic-auth
optional: true
# taskRun: sanity-inspect-image (the one failed task of this run)
# Inspects the built image's manifest, derives its base image from OCI
# annotations (or labels as a fallback), and writes BASE_IMAGE /
# BASE_IMAGE_REPOSITORY results that deprecated-base-image-check consumes.
single-container-app-6d22125da60d6857-sanity-inspect-image:
  pipelineTaskName: sanity-inspect-image
  status:
    completionTime: "2022-11-29T19:41:09Z"
    conditions:
    - lastTransitionTime: "2022-11-29T19:41:09Z"
      message: |
        "step-inspect-image" exited with code 1 (image: "quay.io/redhat-appstudio/hacbs-test@sha256:017dddd2f4a3cf6c649623e3ed248c8e6ea012b6631d451114cca8de64de9fec"); for logs run: kubectl -n work logs single-container-app-6d22125da60d6857-sanity-inspect-image-pod -c step-inspect-image
      reason: Failed
      status: "False"
      type: Succeeded
    podName: single-container-app-6d22125da60d6857-sanity-inspect-image-pod
    startTime: "2022-11-29T19:40:54Z"
    steps:
    - container: step-inspect-image
      # Digest the mutable `hacbs-test:latest` tag below resolved to for this
      # run; only this value, not the tag, identifies what actually executed.
      imageID: quay.io/redhat-appstudio/hacbs-test@sha256:017dddd2f4a3cf6c649623e3ed248c8e6ea012b6631d451114cca8de64de9fec
      name: inspect-image
      terminated:
        containerID: cri-o://03157110a80aa14877651e65ccf5bd59b3ee8e331917ac5998aff5983baac1ca
        exitCode: 1
        finishedAt: "2022-11-29T19:41:08Z"
        reason: Error
        startedAt: "2022-11-29T19:41:06Z"
    taskSpec:
      description: Get manifest data for the source image and its base image to
        workspace
      params:
      - description: the fully qualified image name
        name: IMAGE_URL
        type: string
      results:
      - description: Base image the source image is built from
        name: BASE_IMAGE
        type: string
      - description: Base image repository URL
        name: BASE_IMAGE_REPOSITORY
        type: string
      steps:
      - image: quay.io/redhat-appstudio/hacbs-test:latest
        name: inspect-image
        resources: {}
        # Review notes on the script below (the step log is not on this page,
        # so the cause of exit code 1 cannot be pinned from here):
        # - No shebang: Tekton supplies `#!/bin/sh` and `set -e`, so the first
        #   failing command ends the step. `==` inside `[ ]` is a bash
        #   extension; confirm /bin/sh in hacbs-test is bash-compatible.
        # - `[ $BASE_IMAGE_NAME == 'null' ]` is unquoted while the inner test
        #   is quoted; an empty value turns it into a `[` usage error and the
        #   script falls through to the "built from scratch" branch.
        # - The Labels fallback reads the name from `.Labels` but the digest
        #   from `.annotations` of the same non-raw inspect file — presumably
        #   both should be `.Labels`; verify against the skopeo output.
        # - Both `exit 0` paths succeed without writing BASE_IMAGE or
        #   BASE_IMAGE_REPOSITORY, yet deprecated-base-image-check references
        #   $(tasks.sanity-inspect-image.results.BASE_IMAGE_REPOSITORY).
        # - `|| true` on the base-image inspect leaves BASE_IMAGE_INSPECT empty
        #   on failure, so BASE_IMAGE_REPOSITORY is then derived from nothing.
        script: |
          IMAGE_INSPECT=image_inspect.json
          BASE_IMAGE_INSPECT=base_image_inspect.json
          RAW_IMAGE_INSPECT=raw_image_inspect.json
          echo "Inspecting manifest for source image quay.io/hacbs-contract-demo/single-container-app"
          skopeo inspect --no-tags docker://quay.io/hacbs-contract-demo/single-container-app > $IMAGE_INSPECT
          skopeo inspect --no-tags --raw docker://quay.io/hacbs-contract-demo/single-container-app > $RAW_IMAGE_INSPECT
          echo "Getting base image manifest for source image quay.io/hacbs-contract-demo/single-container-app"
          BASE_IMAGE_NAME="$(jq -r ".annotations.\"org.opencontainers.image.base.name\"" $RAW_IMAGE_INSPECT)"
          BASE_IMAGE_DIGEST="$(jq -r ".annotations.\"org.opencontainers.image.base.digest\"" $RAW_IMAGE_INSPECT)"
          if [ $BASE_IMAGE_NAME == 'null' ]; then
            echo "Cannot get base image info from 'annotations'"
            echo "Trying to get base image info from 'Labels'"
            BASE_IMAGE_NAME="$(jq -r ".Labels.\"org.opencontainers.image.base.name\"" $IMAGE_INSPECT)"
            BASE_IMAGE_DIGEST="$(jq -r ".annotations.\"org.opencontainers.image.base.digest\"" $IMAGE_INSPECT)"
            if [ "$BASE_IMAGE_NAME" == 'null' ]; then
              echo "Cannot get base image info from 'Labels', please check the source image quay.io/hacbs-contract-demo/single-container-app"
              exit 0
            fi
          fi
          if [ -z "$BASE_IMAGE_NAME" ]; then
            echo "Source image quay.io/hacbs-contract-demo/single-container-app is built from scratch, so there is no base image"
            exit 0
          fi
          BASE_IMAGE="${BASE_IMAGE_NAME%:*}@$BASE_IMAGE_DIGEST"
          echo "The base image is $BASE_IMAGE, get its manifest now"
          skopeo inspect --no-tags docker://$BASE_IMAGE > $BASE_IMAGE_INSPECT || true
          echo "$BASE_IMAGE" | tee /tekton/results/BASE_IMAGE
          jq -r ".Name" $BASE_IMAGE_INSPECT | cut -d"/" -f2,3 | tee /tekton/results/BASE_IMAGE_REPOSITORY
        # Runs as root with SETFCAP added. The script only runs skopeo/jq
        # against remote manifests, which does not obviously need either —
        # confirm whether this can be scoped down.
        securityContext:
          capabilities:
            add:
            - SETFCAP
          runAsUser: 0
        workingDir: $(workspaces.workspace.path)/hacbs/sanity-inspect-image
      workspaces:
      - name: workspace
  whenExpressions:
  - input: "true"
    operator: in
    values:
    - "true"
# taskRun: sast-snyk-check
# Runs `snyk code test` over the cloned source (workingDir is two levels
# below the workspace root, hence `../..`) and writes a JSON verdict to the
# HACBS_TEST_OUTPUT result.
single-container-app-6d22125da60d6857-sast-snyk-check:
  pipelineTaskName: sast-snyk-check
  status:
    completionTime: "2022-11-29T19:40:41Z"
    conditions:
    - lastTransitionTime: "2022-11-29T19:40:41Z"
      message: All Steps have completed executing
      reason: Succeeded
      status: "True"
      type: Succeeded
    podName: single-container-app-6d22125da60d6857-sast-snyk-check-pod
    startTime: "2022-11-29T19:40:32Z"
    steps:
    - container: step-sast-snyk-check
      # Digest the mutable `hacbs-test:feature-sast` tag below resolved to.
      imageID: quay.io/redhat-appstudio/hacbs-test@sha256:dcffec734efe55096f1469bf444d8beea6dc00c80433f3f2018e9ce6a1fc5cfe
      name: sast-snyk-check
      # No termination `message` here, unlike the other steps on this page —
      # consistent with no result having been written (see script notes).
      terminated:
        containerID: cri-o://77638e42ab01e28380d5254bff612934e87c1045842c1cadeea49c46022da1d8
        exitCode: 0
        finishedAt: "2022-11-29T19:40:41Z"
        reason: Completed
        startedAt: "2022-11-29T19:40:41Z"
    taskSpec:
      description: Static code security test with snyk
      params:
      - default: test-team-snyk
        name: SHARED_SECRET
        type: string
      - default: --all-projects --exclude=test*,vendor,deps
        description: extra args needs to append
        name: ARGS
        type: string
      results:
      - description: Test output
        name: HACBS_TEST_OUTPUT
        type: string
      steps:
      - image: quay.io/redhat-appstudio/hacbs-test:feature-sast
        name: sast-snyk-check
        resources: {}
        # Review notes on the script below:
        # - The token comes from a volume backed by an `optional: true`
        #   Secret. When it is absent the token is empty and the script exits
        #   0 without writing HACBS_TEST_OUTPUT: the scan is skipped but the
        #   task still reports Succeeded, which a downstream policy check
        #   would not distinguish from a clean run — presumably a SKIPPED
        #   result should be written instead; confirm.
        # - On the snyk line, `1>&2>> stdout.txt` is `1>&2` followed by
        #   `1>>stdout.txt`; the second overrides the first, so only stdout is
        #   captured and stderr still goes to the step log. If both streams
        #   were meant (the SKIP_MSG grep depends on where snyk prints it),
        #   the usual form is `>> stdout.txt 2>&1`.
        # - The jq that builds HACBS_TEST_OUTPUT is `|| true`d; if it fails
        #   the variable is empty, the `.failures -gt 0` test errors, and the
        #   final result line is written empty rather than as an ERROR verdict.
        script: |
          #!/usr/bin/env bash
          SNYK_TOKEN="$(cat /etc/secrets/snyk_token)"
          if [[ -z $SNYK_TOKEN ]]; then
            echo "SNYK_TOKEN is empty and a secret 'test-team-snyk' which includes 'snyk_token' need to be created in test-team namespace" | tee stdout.txt
            exit 0
          fi
          export SNYK_TOKEN
          SNYK_EXIT_CODE=0
          snyk code test --all-projects --exclude=test*,vendor,deps ../.. --sarif-file-output=sast_snyk_check_out.json 1>&2>> stdout.txt || SNYK_EXIT_CODE=$?
          test_not_skipped=0
          SKIP_MSG="We found 0 supported files"
          grep -q "$SKIP_MSG" stdout.txt || test_not_skipped=$?
          if [[ "$SNYK_EXIT_CODE" -eq 0 ]] || [[ "$SNYK_EXIT_CODE" -eq 1 ]]; then
            cat sast_snyk_check_out.json
            HACBS_TEST_OUTPUT=$(jq -rce --arg date $(date +%s) \
              '{ result: (if (.runs[].results | length > 0) then "FAILURE" else "SUCCESS" end),
                 timestamp: $date,
                 namespace: "default",
                 successes: 0,
                 note: "",
                 failures: (.runs[].results | length)
               }' sast_snyk_check_out.json || true)
            # Log out the failing runs
            if [ $(echo $HACBS_TEST_OUTPUT | jq '.failures') -gt 0 ]
            then
              echo "The sast-snyk-check test fails with the following runs:"
              jq '.runs[].results // []|map(.message.text) | unique' sast_snyk_check_out.json
            fi
          # When the test is skipped, the "SNYK_EXIT_CODE" is 3 and it can also be 3 in some other situation
          elif [[ "$test_not_skipped" -eq 0 ]]; then
            HACBS_ERROR_OUTPUT=$(jq -rc --arg date $(date +%s) --arg SKIP_MESSAGE "${SKIP_MSG}" --null-input \
              '{result: "SKIPPED", note: $SKIP_MESSAGE, timestamp: $date}')
          else
            echo "The sast-snyk-check test has failed with the following issues:"
            cat stdout.txt
            HACBS_ERROR_OUTPUT=$(jq -rc --arg date $(date +%s) --null-input \
              '{result: "ERROR", timestamp: $date}')
          fi
          echo "${HACBS_TEST_OUTPUT:-${HACBS_ERROR_OUTPUT}}" | tee /tekton/results/HACBS_TEST_OUTPUT
        volumeMounts:
        - mountPath: /etc/secrets
          name: snyk-secret
          readOnly: true
        workingDir: $(workspaces.workspace.path)/hacbs/sast-snyk-check
      volumes:
      - name: snyk-secret
        secret:
          # Optional, so the pod starts even when the Secret does not exist.
          optional: true
          secretName: test-team-snyk
      workspaces:
      - name: workspace
  whenExpressions:
  - input: "true"
    operator: in
    values:
    - "true"
# taskRun: show-summary (the pipeline's `finally` task)
# Prints a build summary and records the repo and image URLs as annotations
# on the PipelineRun itself (the build.appstudio.openshift.io/* annotations
# seen in metadata above).
single-container-app-6d22125da60d6857-show-summary:
  pipelineTaskName: show-summary
  status:
    completionTime: "2022-11-29T19:41:30Z"
    conditions:
    - lastTransitionTime: "2022-11-29T19:41:30Z"
      message: All Steps have completed executing
      reason: Succeeded
      status: "True"
      type: Succeeded
    podName: single-container-app-6d22125da60d6857-show-summary-pod
    startTime: "2022-11-29T19:41:21Z"
    steps:
    - container: step-appstudio-summary
      # This digest differs from the one in the step's image reference below
      # — presumably the platform-specific manifest behind a manifest list;
      # worth confirming if the imageID is used for attestation matching.
      imageID: registry.redhat.io/openshift4/ose-cli@sha256:9a1ca7a36cfdd6c69398b35a7311db662ca7c652e6e8bd440a6331c12f89703a
      name: appstudio-summary
      terminated:
        containerID: cri-o://ee3bf8841d4bb9f74a94021872355ebbbee3d0d90cdd1c200ea30a03f4d7c6e3
        exitCode: 0
        finishedAt: "2022-11-29T19:41:29Z"
        reason: Completed
        startedAt: "2022-11-29T19:41:28Z"
    taskSpec:
      description: App Studio Summary Pipeline Task.
      params:
      - description: pipeline-run to annotate
        name: pipeline-run-name
        type: string
      - description: Git URL
        name: git-url
        type: string
      - description: Image URL
        name: image-url
        type: string
      steps:
      - image: registry.redhat.io/openshift4/ose-cli@sha256:e6b307c51374607294d1756b871d3c702251c396efdd44d4ef8db68e239339d3
        name: appstudio-summary
        resources: {}
        # Annotates the PipelineRun with the task's own service account, which
        # implies patch on pipelineruns in this namespace — confirm that is
        # the intended RBAC scope. Params were substituted at render time.
        script: |
          #!/usr/bin/env bash
          echo
          echo "App Studio Build Summary:"
          echo
          echo "Build repository: https://github.com/jduimovich/single-container-app"
          echo "Generated Image is in : quay.io/hacbs-contract-demo/single-container-app"
          echo
          oc annotate pipelinerun single-container-app-6d22125da60d6857 build.appstudio.openshift.io/repo=https://github.com/jduimovich/single-container-app
          oc annotate pipelinerun single-container-app-6d22125da60d6857 build.appstudio.openshift.io/image=quay.io/hacbs-contract-demo/single-container-app
          echo "Output is in the following annotations:"
          echo "Build Repo is in 'build.appstudio.openshift.io/repo' "
          echo 'oc get pr single-container-app-6d22125da60d6857 -o jsonpath="{.metadata.annotations.build\.appstudio\.openshift\.io/repo}"'
          echo "Build Image is in 'build.appstudio.openshift.io/image' "
          echo 'oc get pr single-container-app-6d22125da60d6857 -o jsonpath="{.metadata.annotations.build\.appstudio\.openshift\.io/image}"'
          echo End Summary