Skip to content

[release-1.36] Update Konflux configurations #3792

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
serverless-qe wants to merge 1 commit into
base: release-1.36
Choose a base branch
from
Open

[release-1.36] Update Konflux configurations #3792

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/dependabot-deps.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ jobs:
if: ${{ github.actor == 'dependabot[bot]' }}
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v6
with:
ref: ${{ github.head_ref }}
path: ./src/github.com/${{ github.repository }}
Expand Down
77 changes: 22 additions & 55 deletions .tekton/bundle-build.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
creationTimestamp: null
labels:
pipelines.openshift.io/runtime: generic
pipelines.openshift.io/strategy: docker
Expand All @@ -13,20 +12,6 @@ spec:

_Uses `buildah` to create a multi-platform container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. This pipeline requires that the [multi platform controller](https://github.com/konflux-ci/multi-platform-controller) is deployed and configured on your Konflux instance. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks.
This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta?tab=tags)_
finally:
- name: show-sbom
params:
- name: IMAGE_URL
value: $(tasks.build-image-index.results.IMAGE_URL)
taskRef:
params:
- name: name
value: show-sbom
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:beb0616db051952b4b861dd8c3e00fa1c0eccbd926feddf71194d3bb3ace9ce7
- name: kind
value: task
resolver: bundles
params:
- default: "false"
description: Add built image into an OCI image index
Expand Down Expand Up @@ -68,10 +53,6 @@ spec:
path-context
name: dockerfile
type: string
- default: "false"
description: Force rebuild image
name: rebuild
type: string
- default: "false"
description: Skip checks against built image
name: skip-checks
Expand All @@ -81,14 +62,22 @@ spec:
name: hermetic
type: string
- default: ""
description: Build dependencies to be prefetched by Cachi2
description: Build dependencies to be prefetched
name: prefetch-input
type: string
- default: ""
description: Image tag expiration time, time values could be something like 1h,
2d, 3w for hours, days, and weeks, respectively.
name: image-expires-after
type: string
- default: docker
description: The format for the resulting image's mediaType. Valid values are
oci or docker.
name: buildah-format
type: string
- default: "false"
description: Enable cache proxy configuration
name: enable-cache-proxy
- default: []
description: Array of --build-arg values ("arg=value" strings) for buildah
name: build-args
Expand Down Expand Up @@ -152,6 +141,14 @@ spec:
value: $(params.build-args-file)
- name: PRIVILEGED_NESTED
value: $(params.privileged-nested)
- name: SOURCE_URL
value: $(tasks.clone-repository.results.url)
- name: BUILDAH_FORMAT
value: $(params.buildah-format)
- name: HTTP_PROXY
value: $(tasks.init.results.http-proxy)
- name: NO_PROXY
value: $(tasks.init.results.no-proxy)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
Expand All @@ -167,11 +164,6 @@ spec:
- name: kind
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values:
- "true"
- name: sast-snyk-check
params:
- name: ARGS
Expand Down Expand Up @@ -249,12 +241,8 @@ spec:
resolver: bundles
- name: init
params:
- name: image-url
value: $(params.output-image)
- name: rebuild
value: $(params.rebuild)
- name: skip-checks
value: $(params.skip-checks)
- name: enable-cache-proxy
value: $(params.enable-cache-proxy)
taskRef:
params:
- name: name
Expand Down Expand Up @@ -285,27 +273,20 @@ spec:
- name: kind
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values:
- "true"
workspaces:
- name: basic-auth
workspace: git-auth
- name: build-image-index
params:
- name: IMAGE
value: $(params.output-image)
- name: COMMIT_SHA
value: $(tasks.clone-repository.results.commit)
- name: IMAGE_EXPIRES_AFTER
value: $(params.image-expires-after)
- name: ALWAYS_BUILD_INDEX
value: $(params.build-image-index)
- name: IMAGES
value:
- $(tasks.build-images.results.IMAGE_REF[*])
- name: BUILDAH_FORMAT
value: $(params.buildah-format)
runAfter:
- build-images
taskRef:
Expand All @@ -317,11 +298,6 @@ spec:
- name: kind
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values:
- "true"
- name: build-source-image
params:
- name: BINARY_IMAGE
Expand All @@ -344,10 +320,6 @@ spec:
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values:
- "true"
- input: $(params.build-source-image)
operator: in
values:
Expand Down Expand Up @@ -428,11 +400,6 @@ spec:
operator: in
values:
- "false"
matrix:
params:
- name: image-arch
value:
- $(params.build-platforms)
- name: sast-shell-check
params:
- name: image-digest
Expand Down Expand Up @@ -521,7 +488,7 @@ spec:
- name: name
value: rpms-signature-scan
- name: bundle
value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:098297ee2cd66da57c050d88024b6f221f52af847ab36ca36748906de804adcd
value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:89c2bfeb95062712a374192a379854526ae77f03296dd5f2f6ed8b24db0555d0
- name: kind
value: task
resolver: bundles
Expand Down
89 changes: 28 additions & 61 deletions .tekton/docker-build.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,6 @@
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
creationTimestamp: null
labels:
pipelines.openshift.io/runtime: generic
pipelines.openshift.io/strategy: docker
Expand All @@ -13,20 +12,6 @@ spec:

_Uses `buildah` to create a multi-platform container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. This pipeline requires that the [multi platform controller](https://github.com/konflux-ci/multi-platform-controller) is deployed and configured on your Konflux instance. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks.
This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta?tab=tags)_
finally:
- name: show-sbom
params:
- name: IMAGE_URL
value: $(tasks.build-image-index.results.IMAGE_URL)
taskRef:
params:
- name: name
value: show-sbom
- name: bundle
value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:beb0616db051952b4b861dd8c3e00fa1c0eccbd926feddf71194d3bb3ace9ce7
- name: kind
value: task
resolver: bundles
params:
- default:
- linux/x86_64
Expand Down Expand Up @@ -73,10 +58,6 @@ spec:
path-context
name: dockerfile
type: string
- default: "false"
description: Force rebuild image
name: rebuild
type: string
- default: "false"
description: Skip checks against built image
name: skip-checks
Expand All @@ -86,7 +67,7 @@ spec:
name: hermetic
type: string
- default: ""
description: Build dependencies to be prefetched by Cachi2
description: Build dependencies to be prefetched
name: prefetch-input
type: string
- default: ""
Expand All @@ -98,6 +79,14 @@ spec:
description: Add built image into an OCI image index
name: build-image-index
type: string
- default: docker
description: The format for the resulting image's mediaType. Valid values are
oci or docker.
name: buildah-format
type: string
- default: "false"
description: Enable cache proxy configuration
name: enable-cache-proxy
- default: []
description: Array of --build-arg values ("arg=value" strings) for buildah
name: build-args
Expand Down Expand Up @@ -202,12 +191,8 @@ spec:
resolver: bundles
- name: init
params:
- name: image-url
value: $(params.output-image)
- name: rebuild
value: $(params.rebuild)
- name: skip-checks
value: $(params.skip-checks)
- name: enable-cache-proxy
value: $(params.enable-cache-proxy)
taskRef:
params:
- name: name
Expand Down Expand Up @@ -238,11 +223,6 @@ spec:
- name: kind
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values:
- "true"
workspaces:
- name: basic-auth
workspace: git-auth
Expand Down Expand Up @@ -274,6 +254,14 @@ spec:
value: $(params.build-args-file)
- name: PRIVILEGED_NESTED
value: $(params.privileged-nested)
- name: SOURCE_URL
value: $(tasks.clone-repository.results.url)
- name: BUILDAH_FORMAT
value: $(params.buildah-format)
- name: HTTP_PROXY
value: $(tasks.init.results.http-proxy)
- name: NO_PROXY
value: $(tasks.init.results.no-proxy)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
Expand All @@ -291,24 +279,17 @@ spec:
- name: kind
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values:
- "true"
- name: build-image-index
params:
- name: IMAGE
value: $(params.output-image)
- name: COMMIT_SHA
value: $(tasks.clone-repository.results.commit)
- name: IMAGE_EXPIRES_AFTER
value: $(params.image-expires-after)
- name: ALWAYS_BUILD_INDEX
value: $(params.build-image-index)
- name: IMAGES
value:
- $(tasks.build-images.results.IMAGE_REF[*])
- name: BUILDAH_FORMAT
value: $(params.buildah-format)
runAfter:
- build-images
taskRef:
Expand All @@ -320,11 +301,6 @@ spec:
- name: kind
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values:
- "true"
- name: build-source-image
params:
- name: BINARY_IMAGE
Expand All @@ -347,10 +323,6 @@ spec:
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values:
- "true"
- input: $(params.build-source-image)
operator: in
values:
Expand Down Expand Up @@ -404,7 +376,12 @@ spec:
operator: in
values:
- "false"
- name: ecosystem-cert-preflight-checks
- matrix:
params:
- name: platform
value:
- $(params.build-platforms)
name: ecosystem-cert-preflight-checks
params:
- name: image-url
value: $(tasks.build-image-index.results.IMAGE_URL)
Expand All @@ -429,11 +406,6 @@ spec:
- name: image-arch
value:
- $(params.build-platforms)
matrix:
params:
- name: platform
value:
- $(params.build-platforms)
name: clamav-scan
params:
- name: image-digest
Expand All @@ -456,11 +428,6 @@ spec:
operator: in
values:
- "false"
matrix:
params:
- name: image-arch
value:
- $(params.build-platforms)
- name: sast-shell-check
params:
- name: image-digest
Expand Down Expand Up @@ -549,7 +516,7 @@ spec:
- name: name
value: rpms-signature-scan
- name: bundle
value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:098297ee2cd66da57c050d88024b6f221f52af847ab36ca36748906de804adcd
value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:89c2bfeb95062712a374192a379854526ae77f03296dd5f2f6ed8b24db0555d0
- name: kind
value: task
resolver: bundles
Expand Down
Loading
Loading