├── task ├── buildah │ ├── 0.4 │ ├── 0.5 │ ├── 0.6 │ │ └── kustomization.yaml │ └── 0.7 │ │ ├── kustomization.yaml │ │ └── MIGRATION.md ├── oci-copy │ ├── 0.1 │ └── 0.2 │ │ └── MIGRATION.md ├── source-build │ ├── 0.2 │ └── 0.3 │ │ ├── README.md │ │ └── MIGRATION.md ├── buildah-min │ ├── 0.4 │ ├── 0.5 │ ├── 0.6 │ │ ├── kustomization.yaml │ │ └── patch.yaml │ └── 0.7 │ │ ├── kustomization.yaml │ │ ├── MIGRATION.md │ │ └── patch.yaml ├── clair-scan │ ├── 0.1 │ ├── 0.2 │ │ ├── MIGRATION.md │ │ └── README.md │ └── 0.3 │ │ ├── MIGRATION.md │ │ └── migrations │ │ └── 0.3.sh ├── clamav-scan │ ├── 0.1 │ ├── 0.2 │ │ └── MIGRATION.md │ └── 0.3 │ │ ├── MIGRATION.md │ │ └── migrations │ │ └── 0.3.sh ├── tkn-bundle │ ├── 0.1 │ └── 0.2 │ │ ├── MIGRATION.md │ │ └── migrations │ │ └── 0.2.1.sh ├── buildah-oci-ta │ ├── 0.4 │ ├── 0.5 │ ├── 0.6 │ │ └── recipe.yaml │ └── 0.7 │ │ ├── recipe.yaml │ │ └── MIGRATION.md ├── buildah-remote │ ├── 0.4 │ ├── 0.5 │ └── 0.7 │ │ └── MIGRATION.md ├── oci-copy-oci-ta │ ├── 0.1 │ └── 0.2 │ │ ├── recipe.yaml │ │ └── MIGRATION.md ├── sast-snyk-check │ ├── 0.1 │ ├── 0.2 │ ├── 0.3 │ └── 0.4 │ │ ├── tests │ │ └── pre-apply-task-hook.sh │ │ └── MIGRATION.md ├── sbom-json-check │ ├── 0.1 │ └── 0.2 │ │ ├── README.md │ │ └── MIGRATION.md ├── source-build-oci-ta │ ├── 0.2 │ └── 0.3 │ │ ├── recipe.yaml │ │ ├── MIGRATION.md │ │ └── README.md ├── tkn-bundle-oci-ta │ ├── 0.1 │ └── 0.2 │ │ ├── recipe.yaml │ │ ├── MIGRATION.md │ │ └── README.md ├── rpms-signature-scan │ ├── 0.1 │ ├── OWNERS │ └── 0.2 │ │ ├── MIGRATION.md │ │ └── README.md ├── sast-coverity-check │ ├── 0.1 │ ├── 0.2 │ └── 0.3 │ │ ├── kustomization.yaml │ │ └── MIGRATION.md ├── sast-unicode-check │ ├── 0.1 │ ├── 0.2 │ │ └── MIGRATION.md │ └── 0.3 │ │ └── MIGRATION.md ├── buildah-remote-oci-ta │ ├── 0.4 │ ├── 0.5 │ └── 0.7 │ │ └── MIGRATION.md ├── deprecated-image-check │ ├── 0.1 │ ├── 0.2 │ ├── 0.3 │ ├── 0.4 │ └── 0.5 │ │ └── MIGRATION.md ├── sast-snyk-check-oci-ta │ ├── 0.1 │ ├── 0.2 │ ├── 0.3 │ └── 
0.4 │ │ ├── MIGRATION.md │ │ └── recipe.yaml ├── coverity-availability-check │ ├── 0.1 │ └── 0.2 │ │ ├── kustomization.yaml │ │ └── README.md ├── sast-coverity-check-oci-ta │ ├── 0.1 │ ├── 0.2 │ └── 0.3 │ │ ├── recipe.yaml │ │ └── MIGRATION.md ├── sast-unicode-check-oci-ta │ ├── 0.1 │ ├── 0.2 │ │ ├── MIGRATION.md │ │ └── recipe.yaml │ └── 0.3 │ │ ├── recipe.yaml │ │ └── MIGRATION.md ├── ecosystem-cert-preflight-checks │ ├── 0.1 │ └── 0.2 │ │ └── MIGRATION.md ├── build-image-manifest │ └── 0.1 │ │ ├── patch.yaml │ │ └── kustomization.yaml ├── build-maven-zip │ └── 0.1 │ │ └── kustomization.yaml ├── build-image-index │ ├── 0.1 │ │ └── kustomization.yaml │ └── 0.2 │ │ ├── kustomization.yaml │ │ └── MIGRATION.md ├── git-clone-oci-ta │ └── 0.1 │ │ ├── kustomization.yaml │ │ └── recipe.yaml ├── sealights-go-oci-ta │ └── 0.1 │ │ └── kustomization.yaml ├── sealights-nodejs-oci-ta │ └── 0.1 │ │ └── kustomization.yaml ├── sealights-python-oci-ta │ └── 0.1 │ │ └── kustomization.yaml ├── pnc-prebuild-git-clone-oci-ta │ └── 0.1 │ │ └── kustomization.yaml ├── slack-webhook-notification-oci-ta │ └── 0.1 │ │ ├── recipe.yaml │ │ └── README.md ├── fips-operator-bundle-check-oci-ta │ └── 0.1 │ │ └── recipe.yaml ├── package-operator-package-oci-ta │ └── 0.1 │ │ ├── recipe.yaml │ │ └── README.md ├── push-dockerfile-oci-ta │ └── 0.1 │ │ ├── recipe.yaml │ │ └── README.md ├── build-helm-chart-oci-ta │ ├── 0.3 │ │ └── MIGRATION.md │ ├── 0.2 │ │ └── MIGRATION.md │ └── 0.1 │ │ └── recipe.yaml ├── run-opm-command-oci-ta │ └── 0.1 │ │ └── tests │ │ └── pre-apply-task-hook.sh ├── opm-get-bundle-version │ └── 0.1 │ │ ├── README.md │ │ └── opm-get-bundle-version.yaml ├── modelcar-oci-ta │ └── 0.1 │ │ └── tests │ │ └── pre-apply-task-hook.sh ├── summary │ └── 0.2 │ │ ├── README.md │ │ └── MIGRATION.md ├── git-clone │ └── 0.1 │ │ └── tests │ │ ├── test-git-clone-fail-for-wrong-url.yaml │ │ ├── test-git-clone-run-without-args.yaml │ │ └── test-git-clone-run-with-tag.yaml ├── build-maven-zip-oci-ta │ 
└── 0.1 │ │ └── recipe.yaml ├── opm-render-bundles │ └── 0.1 │ │ └── README.md ├── sast-shell-check-oci-ta │ └── 0.1 │ │ └── recipe.yaml ├── init │ └── 0.2 │ │ ├── README.md │ │ └── migrations │ │ ├── 0.2.2.sh │ │ └── 0.2.3.sh ├── build-paketo-builder-oci-ta │ └── 0.2 │ │ └── MIGRATION.md ├── package-operator-package │ └── 0.1 │ │ └── README.md ├── apply-tags │ ├── 0.2 │ │ ├── MIGRATION.md │ │ └── README.md │ └── 0.1 │ │ └── README.md ├── prefetch-dependencies │ └── 0.2 │ │ └── MIGRATION.md ├── prefetch-dependencies-oci-ta │ └── 0.2 │ │ └── MIGRATION.md ├── show-sbom │ └── 0.1 │ │ └── README.md ├── operator-sdk-generate-bundle │ └── 0.1 │ │ └── README.md ├── validate-fbc │ └── 0.1 │ │ └── README.md ├── eaas-provision-space │ └── 0.1 │ │ └── README.md ├── push-dockerfile │ └── 0.1 │ │ └── README.md ├── update-infra-deployments │ └── 0.1 │ │ └── README.md ├── build-vm-image │ └── 0.1 │ │ └── README.md ├── slack-webhook-notification │ └── 0.1 │ │ └── README.md └── fbc-fips-check-oci-ta │ └── 0.1 │ └── recipe.yaml ├── partners └── example-hello-world │ ├── OWNERS │ └── 0.1 │ └── example-hello-world.yaml ├── archived-tasks ├── tkn-bundle │ └── 0.1 │ │ ├── .shellspec │ │ ├── spec │ │ ├── test1.yaml │ │ ├── test2.yml │ │ ├── test3.yaml │ │ ├── spec_helper.sh │ │ └── support │ │ │ ├── task_run_subject.sh │ │ │ └── jq_matcher.sh │ │ └── TESTING.md ├── buildah │ ├── 0.4 │ │ ├── kustomization.yaml │ │ └── MIGRATION.md │ └── 0.5 │ │ ├── kustomization.yaml │ │ └── MIGRATION.md ├── inspect-image │ ├── 0.1 │ │ ├── kustomization.yaml │ │ └── README.md │ └── 0.2 │ │ ├── kustomization.yaml │ │ └── README.md ├── fbc-validation │ ├── 0.1 │ │ ├── kustomization.yaml │ │ ├── README.md │ │ └── USAGE.md │ └── 0.2 │ │ ├── kustomization.yaml │ │ └── README.md ├── verify-signed-rpms │ └── 0.1 │ │ └── kustomization.yaml ├── fbc-related-image-check │ ├── 0.1 │ │ ├── kustomization.yaml │ │ └── README.md │ └── 0.2 │ │ ├── kustomization.yaml │ │ └── README.md ├── generate-odcs-compose │ ├── 0.1 │ 
│ └── kustomization.yaml │ └── 0.2 │ │ ├── kustomization.yaml │ │ └── MIGRATION.md ├── provision-env-with-ephemeral-namespace │ ├── OWNERS │ └── 0.1 │ │ └── kustomization.yaml ├── coverity-availability-check-oci-ta │ ├── 0.2 │ │ ├── README.md │ │ ├── kustomization.yaml │ │ └── MIGRATION.md │ └── 0.1 │ │ ├── recipe.yaml │ │ └── README.md ├── sast-snyk-check │ ├── 0.3 │ │ ├── tests │ │ │ └── pre-apply-task-hook.sh │ │ └── MIGRATION.md │ └── 0.2 │ │ └── MIGRATION.md ├── buildah-min │ ├── 0.4 │ │ ├── kustomization.yaml │ │ ├── MIGRATION.md │ │ └── patch.yaml │ └── 0.5 │ │ ├── kustomization.yaml │ │ ├── MIGRATION.md │ │ └── patch.yaml ├── sast-coverity-check │ └── 0.2 │ │ └── kustomization.yaml ├── source-build │ └── 0.2 │ │ ├── MIGRATION.md │ │ └── README.md ├── source-build-oci-ta │ └── 0.2 │ │ ├── MIGRATION.md │ │ ├── recipe.yaml │ │ └── README.md ├── oci-copy-oci-ta │ └── 0.1 │ │ └── recipe.yaml ├── tkn-bundle-oci-ta │ └── 0.1 │ │ ├── recipe.yaml │ │ └── README.md ├── buildah-oci-ta │ ├── 0.4 │ │ ├── recipe.yaml │ │ └── MIGRATION.md │ └── 0.5 │ │ ├── recipe.yaml │ │ └── MIGRATION.md ├── sast-coverity-check-oci-ta │ ├── 0.1 │ │ └── recipe.yaml │ └── 0.2 │ │ └── recipe.yaml ├── deprecated-image-check │ ├── 0.2 │ │ └── MIGRATION.md │ └── 0.4 │ │ └── MIGRATION.md ├── sast-snyk-check-oci-ta │ ├── 0.3 │ │ ├── recipe.yaml │ │ └── MIGRATION.md │ ├── 0.2 │ │ ├── MIGRATION.md │ │ ├── recipe.yaml │ │ └── README.md │ └── 0.1 │ │ ├── recipe.yaml │ │ └── README.md ├── sast-unicode-check-oci-ta │ └── 0.1 │ │ └── recipe.yaml ├── buildah-remote │ ├── 0.5 │ │ └── MIGRATION.md │ └── 0.4 │ │ └── MIGRATION.md ├── buildah-remote-oci-ta │ ├── 0.5 │ │ └── MIGRATION.md │ └── 0.4 │ │ └── MIGRATION.md └── ecosystem-cert-preflight-checks │ └── 0.1 │ └── README.md ├── OWNERS ├── task-generator ├── trusted-artifacts │ ├── golden │ │ ├── kustomized │ │ │ ├── ta.yaml │ │ │ ├── task.yaml │ │ │ ├── recipe.yaml │ │ │ └── kustomization.yaml │ │ ├── source-build │ │ │ └── recipe.yaml │ │ ├── git-clone 
│ │ │ └── recipe.yaml │ │ ├── buildah │ │ │ └── recipe.yaml │ │ ├── sast-snyk-check │ │ │ └── recipe.yaml │ │ └── prefetch-dependencies │ │ │ └── recipe.yaml │ ├── expect.go │ └── main.go ├── README.md └── remote │ └── README.md ├── CLAUDE.md ├── hack ├── test-build │ └── workspace-template.yaml ├── generate-build-team-readme.sh ├── shellspec │ └── github_formatter.sh ├── verify-manifests.sh ├── generate-buildah-remote.sh ├── generate-everything.sh ├── checkton-local.sh ├── generate-all-readmes.sh ├── test-builds.sh └── check-task-owners.sh ├── pipelines ├── template-build │ └── kustomization.yaml ├── docker-build │ └── kustomization.yaml ├── ko-build-oci-ta │ └── kustomization.yaml ├── maven-zip-build │ └── kustomization.yaml ├── docker-build-oci-ta │ └── kustomization.yaml ├── maven-zip-build-oci-ta │ └── kustomization.yaml ├── package-operator-package │ ├── kustomization.yaml │ ├── README.md │ └── patch.yaml ├── tekton-bundle-builder │ └── kustomization.yaml ├── fbc-builder │ └── kustomization.yaml ├── tekton-bundle-builder-oci-ta │ └── kustomization.yaml ├── docker-build-multi-platform-oci-ta │ └── kustomization.yaml ├── core-services │ ├── README.md │ ├── kustomization.yaml │ ├── slack-notification.yaml │ ├── infra-deploy.yaml │ └── update-repo.yaml └── kustomization.yaml ├── .github ├── resources │ └── workspace-template.yaml ├── pull_request_template.md ├── workflows │ ├── yaml-lint.yaml │ ├── check-kustomize-build.yaml │ ├── check-ta.yaml │ ├── check-buildah-remote.yaml │ ├── checkton.yaml │ ├── check-readmes.yaml │ ├── check-task-owners.yaml │ └── check-task-and-pipeline-yamls.yaml ├── ISSUE_TEMPLATE │ ├── feature_request.md │ └── bug_report.md └── actions │ └── install-tkn │ └── action.yaml ├── external-task ├── clair-scan │ ├── 0.1 │ │ └── clair-scan.yaml │ ├── 0.2 │ │ └── clair-scan.yaml │ └── 0.3 │ │ └── clair-scan.yaml ├── clamav-scan │ ├── 0.1 │ │ └── clamav-scan.yaml │ └── 0.2 │ │ └── clamav-scan.yaml ├── sast-snyk-check │ └── 0.4 │ │ └── 
sast-snyk-check.yaml ├── sast-shell-check │ └── 0.1 │ │ └── sast-shell-check.yaml ├── sast-unicode-check │ ├── 0.2 │ │ └── sast-unicode-check.yaml │ └── 0.3 │ │ └── sast-unicode-check.yaml ├── rpms-signature-scan │ └── 0.2 │ │ └── rpms-signature-scan.yaml ├── sast-coverity-check │ └── 0.3 │ │ └── sast-coverity-check.yaml ├── deprecated-image-check │ ├── 0.1 │ │ └── deprecated-image-check.yaml │ ├── 0.2 │ │ └── deprecated-image-check.yaml │ ├── 0.3 │ │ └── deprecated-image-check.yaml │ ├── 0.4 │ │ └── deprecated-image-check.yaml │ └── 0.5 │ │ └── deprecated-image-check.yaml ├── sast-snyk-check-oci-ta │ └── 0.4 │ │ └── sast-snyk-check-oci-ta.yaml ├── sast-shell-check-oci-ta │ └── 0.1 │ │ └── sast-shell-check-oci-ta.yaml ├── sast-unicode-check-oci-ta │ ├── 0.2 │ │ └── sast-unicode-check-oci-ta.yaml │ └── 0.3 │ │ └── sast-unicode-check-oci-ta.yaml ├── coverity-availability-check │ └── 0.2 │ │ └── coverity-availability-check.yaml └── sast-coverity-check-oci-ta │ └── 0.3 │ └── sast-coverity-check-oci-ta.yaml ├── .sonarcloud.properties ├── .cursor └── rules │ ├── basic.mdc │ ├── git.mdc │ └── tekton.mdc ├── policies └── build-tasks.yaml ├── .gitignore ├── stepactions ├── eaas-get-latest-openshift-version-by-prefix │ └── 0.1 │ │ ├── README.md │ │ └── eaas-get-latest-openshift-version-by-prefix.yaml ├── eaas-copy-secrets-to-ephemeral-cluster │ └── 0.1 │ │ └── README.md ├── eaas-get-supported-ephemeral-cluster-versions │ └── 0.1 │ │ └── README.md ├── eaas-get-ephemeral-cluster-credentials │ └── 0.1 │ │ └── README.md └── fips-operator-check-step-action │ └── 0.1 │ └── README.md ├── OWNERS_ALIASES ├── .yamllint └── appstudio-utils └── README.md /task/buildah/0.4: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/buildah/0.4 -------------------------------------------------------------------------------- /task/buildah/0.5: -------------------------------------------------------------------------------- 1 | 
../../archived-tasks/buildah/0.5 -------------------------------------------------------------------------------- /task/oci-copy/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/oci-copy/0.1 -------------------------------------------------------------------------------- /task/source-build/0.2: -------------------------------------------------------------------------------- 1 | archived-tasks/source-build/0.2/ -------------------------------------------------------------------------------- /partners/example-hello-world/OWNERS: -------------------------------------------------------------------------------- 1 | RHTAP Build team 2 | -------------------------------------------------------------------------------- /task/buildah-min/0.4: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/buildah-min/0.4 -------------------------------------------------------------------------------- /task/buildah-min/0.5: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/buildah-min/0.5 -------------------------------------------------------------------------------- /task/clair-scan/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/clair-scan/0.1 -------------------------------------------------------------------------------- /task/clamav-scan/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/clamav-scan/0.1 -------------------------------------------------------------------------------- /task/tkn-bundle/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/tkn-bundle/0.1 -------------------------------------------------------------------------------- /task/buildah-oci-ta/0.4: 
-------------------------------------------------------------------------------- 1 | ../../archived-tasks/buildah-oci-ta/0.4 -------------------------------------------------------------------------------- /task/buildah-oci-ta/0.5: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/buildah-oci-ta/0.5 -------------------------------------------------------------------------------- /task/buildah-remote/0.4: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/buildah-remote/0.4 -------------------------------------------------------------------------------- /task/buildah-remote/0.5: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/buildah-remote/0.5 -------------------------------------------------------------------------------- /archived-tasks/tkn-bundle/0.1/.shellspec: -------------------------------------------------------------------------------- 1 | --require spec_helper 2 | -------------------------------------------------------------------------------- /task/oci-copy-oci-ta/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/oci-copy-oci-ta/0.1 -------------------------------------------------------------------------------- /task/sast-snyk-check/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/sast-snyk-check/0.1 -------------------------------------------------------------------------------- /task/sast-snyk-check/0.2: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/sast-snyk-check/0.2 -------------------------------------------------------------------------------- /task/sast-snyk-check/0.3: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/sast-snyk-check/0.3 
-------------------------------------------------------------------------------- /task/sbom-json-check/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/sbom-json-check/0.1 -------------------------------------------------------------------------------- /task/source-build-oci-ta/0.2: -------------------------------------------------------------------------------- 1 | archived-tasks/source-build-oci-ta/0.2/ -------------------------------------------------------------------------------- /task/tkn-bundle-oci-ta/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/tkn-bundle-oci-ta/0.1 -------------------------------------------------------------------------------- /task/rpms-signature-scan/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/rpms-signature-scan/0.1 -------------------------------------------------------------------------------- /task/sast-coverity-check/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/sast-coverity-check/0.1 -------------------------------------------------------------------------------- /task/sast-coverity-check/0.2: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/sast-coverity-check/0.2 -------------------------------------------------------------------------------- /task/sast-unicode-check/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/sast-unicode-check/0.1 -------------------------------------------------------------------------------- /OWNERS: -------------------------------------------------------------------------------- 1 | approvers: 2 | - build-team 3 | reviewers: 4 | - build-team 5 | -------------------------------------------------------------------------------- 
/task-generator/trusted-artifacts/golden/kustomized/ta.yaml: -------------------------------------------------------------------------------- 1 | ../buildah/ta.yaml -------------------------------------------------------------------------------- /task/buildah-remote-oci-ta/0.4: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/buildah-remote-oci-ta/0.4 -------------------------------------------------------------------------------- /task/buildah-remote-oci-ta/0.5: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/buildah-remote-oci-ta/0.5 -------------------------------------------------------------------------------- /task/deprecated-image-check/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/deprecated-image-check/0.1 -------------------------------------------------------------------------------- /task/deprecated-image-check/0.2: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/deprecated-image-check/0.2 -------------------------------------------------------------------------------- /task/deprecated-image-check/0.3: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/deprecated-image-check/0.3 -------------------------------------------------------------------------------- /task/deprecated-image-check/0.4: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/deprecated-image-check/0.4 -------------------------------------------------------------------------------- /task/sast-snyk-check-oci-ta/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/sast-snyk-check-oci-ta/0.1 -------------------------------------------------------------------------------- 
/task/sast-snyk-check-oci-ta/0.2: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/sast-snyk-check-oci-ta/0.2 -------------------------------------------------------------------------------- /task/sast-snyk-check-oci-ta/0.3: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/sast-snyk-check-oci-ta/0.3 -------------------------------------------------------------------------------- /task-generator/trusted-artifacts/golden/kustomized/task.yaml: -------------------------------------------------------------------------------- 1 | ../buildah/base.yaml -------------------------------------------------------------------------------- /task-generator/trusted-artifacts/golden/kustomized/recipe.yaml: -------------------------------------------------------------------------------- 1 | ../buildah/recipe.yaml -------------------------------------------------------------------------------- /task/coverity-availability-check/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/coverity-availability-check/0.1 -------------------------------------------------------------------------------- /task/sast-coverity-check-oci-ta/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/sast-coverity-check-oci-ta/0.1 -------------------------------------------------------------------------------- /task/sast-coverity-check-oci-ta/0.2: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/sast-coverity-check-oci-ta/0.2 -------------------------------------------------------------------------------- /task/sast-unicode-check-oci-ta/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/sast-unicode-check-oci-ta/0.1 
-------------------------------------------------------------------------------- /task/ecosystem-cert-preflight-checks/0.1: -------------------------------------------------------------------------------- 1 | ../../archived-tasks/ecosystem-cert-preflight-checks/0.1 -------------------------------------------------------------------------------- /task/build-image-manifest/0.1/patch.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | - op: replace 3 | path: /metadata/name 4 | value: build-image-manifest 5 | -------------------------------------------------------------------------------- /CLAUDE.md: -------------------------------------------------------------------------------- 1 | - Use additional rules from: 2 | - @.cursor/rules/basic.mdc 3 | - @.cursor/rules/git.mdc 4 | - @.cursor/rules/tekton.mdc 5 | -------------------------------------------------------------------------------- /task/buildah/0.6/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - buildah.yaml 6 | -------------------------------------------------------------------------------- /task/buildah/0.7/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - buildah.yaml 6 | -------------------------------------------------------------------------------- /hack/test-build/workspace-template.yaml: -------------------------------------------------------------------------------- 1 | spec: 2 | accessModes: 3 | - ReadWriteOnce 4 | resources: 5 | requests: 6 | storage: 1Gi 7 | -------------------------------------------------------------------------------- /archived-tasks/buildah/0.4/kustomization.yaml: -------------------------------------------------------------------------------- 
1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - buildah.yaml 6 | -------------------------------------------------------------------------------- /archived-tasks/buildah/0.5/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - buildah.yaml 6 | -------------------------------------------------------------------------------- /pipelines/template-build/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - template-build.yaml 5 | -------------------------------------------------------------------------------- /.github/resources/workspace-template.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | spec: 3 | accessModes: 4 | - ReadWriteOnce 5 | resources: 6 | requests: 7 | storage: 10Mi 8 | -------------------------------------------------------------------------------- /task/build-maven-zip/0.1/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - build-maven-zip.yaml 6 | -------------------------------------------------------------------------------- /archived-tasks/inspect-image/0.1/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - inspect-image.yaml 6 | -------------------------------------------------------------------------------- /task/build-image-index/0.1/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 
2 | kind: Kustomization 3 | 4 | resources: 5 | - build-image-index.yaml 6 | -------------------------------------------------------------------------------- /task/build-image-index/0.2/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - build-image-index.yaml 6 | -------------------------------------------------------------------------------- /task/git-clone-oci-ta/0.1/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - git-clone-oci-ta.yaml 6 | -------------------------------------------------------------------------------- /archived-tasks/fbc-validation/0.1/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - fbc-validation.yaml 6 | -------------------------------------------------------------------------------- /task/sealights-go-oci-ta/0.1/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - sealights-go-oci-ta.yaml 6 | -------------------------------------------------------------------------------- /archived-tasks/verify-signed-rpms/0.1/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - verify-signed-rpms.yaml 6 | -------------------------------------------------------------------------------- /task/sealights-nodejs-oci-ta/0.1/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - sealights-nodejs-oci-ta.yaml 6 | -------------------------------------------------------------------------------- /task/sealights-python-oci-ta/0.1/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - sealights-python-oci-ta.yaml 6 | -------------------------------------------------------------------------------- /task-generator/trusted-artifacts/golden/kustomized/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - task.yaml 6 | -------------------------------------------------------------------------------- /task/rpms-signature-scan/OWNERS: -------------------------------------------------------------------------------- 1 | # See the OWNERS docs: https://go.k8s.io/owners 2 | 3 | approvers: 4 | - gbenhaim 5 | - avi-biton 6 | - amisstea 7 | - yftacherzog 8 | - ifireball 9 | -------------------------------------------------------------------------------- /archived-tasks/fbc-related-image-check/0.1/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - fbc-related-image-check.yaml 6 | -------------------------------------------------------------------------------- /archived-tasks/generate-odcs-compose/0.1/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - generate-odcs-compose.yaml 6 | -------------------------------------------------------------------------------- 
/archived-tasks/generate-odcs-compose/0.2/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - generate-odcs-compose.yaml 6 | -------------------------------------------------------------------------------- /external-task/clair-scan/0.1/clair-scan.yaml: -------------------------------------------------------------------------------- 1 | task_bundle: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.1@sha256:bd5ec7081ead5bc28dce14defa6821fc61a8d52700c512dc6b0d071fa98d929b 2 | -------------------------------------------------------------------------------- /external-task/clair-scan/0.2/clair-scan.yaml: -------------------------------------------------------------------------------- 1 | task_bundle: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:076d5cde62b55bbfcdda2b4782392256bbda5ad38f839013b4330b3aba70a973 2 | -------------------------------------------------------------------------------- /external-task/clair-scan/0.3/clair-scan.yaml: -------------------------------------------------------------------------------- 1 | task_bundle: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:a5fa66ed5b8c107e7bc29cb084edcc07e394f818cc59ef2db2f9dcb0cd1fa3dc 2 | -------------------------------------------------------------------------------- /task/coverity-availability-check/0.2/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | 4 | resources: 5 | - coverity-availability-check.yaml 6 | -------------------------------------------------------------------------------- /external-task/clamav-scan/0.1/clamav-scan.yaml: -------------------------------------------------------------------------------- 1 | task_bundle: 
quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.1@sha256:a01f94db2bdf6f9a86e1e9cc256e1b7c26cb4d0253e67579196bd8ffbc33a7ca 2 | -------------------------------------------------------------------------------- /external-task/clamav-scan/0.2/clamav-scan.yaml: -------------------------------------------------------------------------------- 1 | task_bundle: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:f3d2d179cddcc07d0228d9f52959a233037a3afa2619d0a8b2effbb467db80c3 2 | -------------------------------------------------------------------------------- /archived-tasks/tkn-bundle/0.1/spec/test1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: Task 3 | metadata: 4 | name: test1 5 | spec: 6 | steps: 7 | - name: test1-step 8 | image: ubuntu 9 | -------------------------------------------------------------------------------- /archived-tasks/tkn-bundle/0.1/spec/test2.yml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: Task 3 | metadata: 4 | name: test2 5 | spec: 6 | steps: 7 | - name: test2-step 8 | image: ubuntu 9 | -------------------------------------------------------------------------------- /archived-tasks/tkn-bundle/0.1/spec/test3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: tekton.dev/v1 2 | kind: Task 3 | metadata: 4 | name: test3 5 | spec: 6 | steps: 7 | - name: test3-step 8 | image: ubuntu 9 | -------------------------------------------------------------------------------- /external-task/sast-snyk-check/0.4/sast-snyk-check.yaml: -------------------------------------------------------------------------------- 1 | task_bundle: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.4@sha256:d5f8a76386c4441c9c1f57eb370553212dafe2d06f8a3468f5f08631719885fa 2 | -------------------------------------------------------------------------------- 
/task-generator/README.md:

# Task generator

The task generator is a collection of tools for generating derived versions of tasks.

Each tool has its own subdirectory with a README.

/external-task/sast-shell-check/0.1/sast-shell-check.yaml:

```yaml
task_bundle: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check:0.1@sha256:3fb1f8c3a344e67a22fdf4bff963ca806da84d62e9d33d34dc6beb49cfaacc33
```

/archived-tasks/provision-env-with-ephemeral-namespace/OWNERS:

```yaml
# See the OWNERS docs: https://go.k8s.io/owners

approvers:
  - gbenhaim
  - oamsalem
  - amisstea
  - avi-biton
  - yftacherzog
```

/external-task/sast-unicode-check/0.2/sast-unicode-check.yaml:

```yaml
task_bundle: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.2@sha256:60922f340da1f6b8b8c1dc04789d6ed285cae08b2ef0b71473a9ea4c2e61a3f7
```

/external-task/sast-unicode-check/0.3/sast-unicode-check.yaml:

```yaml
task_bundle: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check:0.3@sha256:74a5b3075c7e03b76d7d490947b507080bfb89c93a5f8bb7007d68d40672febd
```

/archived-tasks/provision-env-with-ephemeral-namespace/0.1/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - provision-env-with-ephemeral-namespace.yaml
```

/external-task/rpms-signature-scan/0.2/rpms-signature-scan.yaml:

```yaml
task_bundle: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:c02429b45145fc7f2b1fa94ec2f48c0d8ac203fd4385796b4c93e5d0dec967f8
```

/external-task/sast-coverity-check/0.3/sast-coverity-check.yaml:

```yaml
task_bundle: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check:0.3@sha256:8937bf5fc37537c4cac8526e931ca4af60a00bdfaf9c812d274823c8ad39a046
```

/external-task/deprecated-image-check/0.1/deprecated-image-check.yaml:

```yaml
task_bundle: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.1@sha256:f0655def0168c69c9dc9f2005ff18c42b897500fc958e34426dd369944031b49
```

/external-task/deprecated-image-check/0.2/deprecated-image-check.yaml:

```yaml
task_bundle: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.2@sha256:d4e255786075b8ddc2a2a6ec7f4b66e17e952f4cb1d6f4116f99aeeaa9b15176
```

/external-task/deprecated-image-check/0.3/deprecated-image-check.yaml:

```yaml
task_bundle: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.3@sha256:bc5dd8b791b6d7f1bdce3d589e1962d8bdccaef84ad0ac46de2f1df60f0f6070
```

/external-task/deprecated-image-check/0.4/deprecated-image-check.yaml:

```yaml
task_bundle: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:febec4cf37d92c1623cdd61c2e4b1647dc13d1ff75f44b8cb24569eb215b583d
```

/external-task/deprecated-image-check/0.5/deprecated-image-check.yaml:

```yaml
task_bundle: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:462baed733dfc38aca5395499e92f19b6f13a74c2e88fe5d86c3cffa2f899b57
```

/external-task/sast-snyk-check-oci-ta/0.4/sast-snyk-check-oci-ta.yaml:

```yaml
task_bundle: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:8ad28b7783837a24acbc9a8494c935e796e591ce476085ad5899bebd7e53f077
```

/external-task/sast-shell-check-oci-ta/0.1/sast-shell-check-oci-ta.yaml:

```yaml
task_bundle: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:d44336d7bcbd1f7cedee639357a493bd1f661e2859e49e11a34644bdf6819c4e
```

/archived-tasks/coverity-availability-check-oci-ta/0.2/README.md:

# coverity-availability-check-oci-ta task

The `coverity-availability-check-oci-ta` task is deprecated. Please use `coverity-availability-check` instead.

/external-task/sast-unicode-check-oci-ta/0.2/sast-unicode-check-oci-ta.yaml:

```yaml
task_bundle: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.2@sha256:5a93fe7f1f3990167d87cb3f30bc13293e02cf5a6da88f46cf0368b3328c2d56
```

/external-task/sast-unicode-check-oci-ta/0.3/sast-unicode-check-oci-ta.yaml:

```yaml
task_bundle: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:e5a8d3e8e7be7246a1460385b95c084ea6e8fe7520d40fe4389deb90f1bf5176
```

/task/sast-snyk-check/0.4/tests/pre-apply-task-hook.sh:

```bash
#!/bin/bash
set -euo pipefail

# $1 is the path of the Task YAML that is about to be applied in the test environment.
# Clear the computeResources of the first two steps before the task is applied.
echo "Removing computeResources for task: $1"
yq -i eval '.spec.steps[0].computeResources = {}' "$1"
yq -i eval '.spec.steps[1].computeResources = {}' "$1"
```

/external-task/coverity-availability-check/0.2/coverity-availability-check.yaml:

```yaml
task_bundle: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:36400873d3031df128c55aa71ee11d322c3e55fd8f13dc5779098fbc117c0aa3
```
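Each `external-task/<name>/<version>/<name>.yaml` file above references a catalog task as `repo:tag@sha256:digest`. Only the digest fixes which bundle content a pipeline actually pulls; the tag is a mutable label, so a reference without a digest, or with a malformed one, silently loses the pinning. The checker below is an added example, not part of this repository: it rejects unpinned or malformed references and flags a tag that drifts from the directory version. It assumes the `quay.io/konflux-ci/tekton-catalog/task-<name>` naming and the `external-task/<name>/<version>/<name>.yaml` layout visible on this page; the sample files in `main` are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Registry path prefix shared by every task_bundle reference on this page (assumption:
// the convention holds for the whole external-task tree).
const bundleRepoPrefix = "quay.io/konflux-ci/tekton-catalog/task-"

// A pinned digest is "sha256:" followed by exactly 64 lowercase hex characters.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// bundleRef is a parsed task_bundle value of the form repo:tag@sha256:digest.
type bundleRef struct {
	Repo   string
	Tag    string
	Digest string
}

// parseBundleRef splits a bundle reference and rejects anything not pinned by digest.
func parseBundleRef(ref string) (bundleRef, error) {
	at := strings.LastIndex(ref, "@")
	if at < 0 {
		return bundleRef{}, fmt.Errorf("%q is not pinned by digest", ref)
	}
	repoTag, digest := ref[:at], ref[at+1:]
	if !digestRe.MatchString(digest) {
		return bundleRef{}, fmt.Errorf("%q has a malformed digest %q", ref, digest)
	}
	// The tag is what follows the last ':' after the last '/', so that a registry
	// port such as host:5000/repo is not mistaken for a tag.
	colon := strings.LastIndex(repoTag, ":")
	if colon < 0 || colon < strings.LastIndex(repoTag, "/") {
		return bundleRef{}, fmt.Errorf("%q has no tag", ref)
	}
	return bundleRef{Repo: repoTag[:colon], Tag: repoTag[colon+1:], Digest: digest}, nil
}

// checkExternalTask validates the content of one external-task/<name>/<version>/<name>.yaml
// file against the repository layout. It returns one finding per problem; nil means clean.
func checkExternalTask(filePath, content string) []string {
	parts := strings.Split(strings.Trim(filePath, "/"), "/")
	if len(parts) < 4 || parts[len(parts)-4] != "external-task" {
		return []string{filePath + ": not an external-task/<name>/<version>/ file"}
	}
	name, version, file := parts[len(parts)-3], parts[len(parts)-2], parts[len(parts)-1]

	ref := ""
	for _, line := range strings.Split(content, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "task_bundle:") {
			ref = strings.TrimSpace(strings.TrimPrefix(line, "task_bundle:"))
		}
	}
	if ref == "" {
		return []string{filePath + ": no task_bundle entry"}
	}
	br, err := parseBundleRef(ref)
	if err != nil {
		return []string{filePath + ": " + err.Error()}
	}

	var findings []string
	if file != name+".yaml" {
		findings = append(findings, fmt.Sprintf("%s: file name does not match task name %q", filePath, name))
	}
	if br.Repo != bundleRepoPrefix+name {
		findings = append(findings, fmt.Sprintf("%s: repo %q does not match task name %q", filePath, br.Repo, name))
	}
	if br.Tag != version {
		findings = append(findings, fmt.Sprintf("%s: tag %q does not match directory version %q", filePath, br.Tag, version))
	}
	return findings
}

func main() {
	// Constructed sample files: one clean, one unpinned, one whose tag drifts from its directory.
	digest := strings.Repeat("ab", 32)
	samples := map[string]string{
		"external-task/example-scan/0.3/example-scan.yaml": "task_bundle: " + bundleRepoPrefix + "example-scan:0.3@sha256:" + digest + "\n",
		"external-task/example-scan/0.2/example-scan.yaml": "task_bundle: " + bundleRepoPrefix + "example-scan:0.2\n",
		"external-task/example-scan/0.1/example-scan.yaml": "task_bundle: " + bundleRepoPrefix + "example-scan:0.4@sha256:" + digest + "\n",
	}
	for path, content := range samples {
		for _, f := range checkExternalTask(path, content) {
			fmt.Println(f)
		}
	}
}
```

A tag/directory mismatch is reported as a finding rather than an error because the digest still pins the content; it is a consistency warning for review, not a supply-chain failure. An unpinned reference is the case to block in CI.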
/external-task/sast-coverity-check-oci-ta/0.3/sast-coverity-check-oci-ta.yaml:

```yaml
task_bundle: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:78f5244a8cfd28c890ed62db7e4ff1fc97ff39876d37fb19f1b0c2c286a4002c
```

/archived-tasks/sast-snyk-check/0.3/tests/pre-apply-task-hook.sh:

```bash
#!/bin/bash
set -euo pipefail

# $1 is the path of the Task YAML that is about to be applied in the test environment.
# Clear the computeResources of the first two steps before the task is applied.
echo "Removing computeResources for task: $1"
yq -i eval '.spec.steps[0].computeResources = {}' "$1"
yq -i eval '.spec.steps[1].computeResources = {}' "$1"
```

/pipelines/docker-build/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../template-build

patches:
  - path: patch.yaml
    target:
      kind: Pipeline
```

/pipelines/ko-build-oci-ta/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../template-build

patches:
  - path: patch.yaml
    target:
      kind: Pipeline
```

/pipelines/maven-zip-build/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../template-build

patches:
  - path: patch.yaml
    target:
      kind: Pipeline
```

/task/buildah-min/0.6/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - ../../buildah/0.6

patches:
  - path: patch.yaml
    target:
      kind: Task
```

/task/buildah-min/0.7/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - ../../buildah/0.7

patches:
  - path: patch.yaml
    target:
      kind: Task
```

/.sonarcloud.properties:

```properties
# Path to sources
sonar.sources=.
sonar.exclusions=**/*test*

# Source encoding
sonar.sourceEncoding=UTF-8

# Exclusions for copy-paste detection
sonar.cpd.exclusions=**/*test*
```

/pipelines/docker-build-oci-ta/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../docker-build

patches:
  - path: patch.yaml
    target:
      kind: Pipeline
```

/archived-tasks/buildah-min/0.4/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - ../../buildah/0.4

patches:
  - path: patch.yaml
    target:
      kind: Task
```

/archived-tasks/buildah-min/0.5/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - ../../buildah/0.5

patches:
  - path: patch.yaml
    target:
      kind: Task
```

/pipelines/maven-zip-build-oci-ta/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../maven-zip-build

patches:
  - path: patch.yaml
    target:
      kind: Pipeline
```

/pipelines/package-operator-package/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../template-build

patches:
  - path: patch.yaml
    target:
      kind: Pipeline
```

/pipelines/tekton-bundle-builder/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../template-build

patches:
  - path: patch.yaml
    target:
      kind: Pipeline
```

/archived-tasks/tkn-bundle/0.1/spec/spec_helper.sh:

```bash
#!/usr/bin/env bash

set -o errexit
set -o pipefail
set -o nounset

# shellspec helper: loaded before the spec files; import pulls in the helpers under spec/support.
spec_helper_configure() {
  import 'support/task_run_subject'
  import 'support/jq_matcher'
}
```

/pipelines/fbc-builder/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../docker-build-multi-platform-oci-ta

patches:
  - path: patch.yaml
    target:
      kind: Pipeline
```

/pipelines/tekton-bundle-builder-oci-ta/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../tekton-bundle-builder

patches:
  - path: patch.yaml
    target:
      kind: Pipeline
```

/task/build-image-manifest/0.1/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - ../../build-image-index/0.1

patches:
  - path: patch.yaml
    target:
      kind: Task
```

/.github/pull_request_template.md:

# Before you complete this pull request ...

Look for any open pull requests in the repository with the title "e2e-tests update" and
see if there are recent e2e-tests updates that will be applicable to your change.

/archived-tasks/sast-coverity-check/0.2/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - ../../../task/buildah/0.4

patches:
  - path: patch.yaml
    target:
      kind: Task
```

/archived-tasks/source-build/0.2/MIGRATION.md:

# Migration from 0.1 to 0.2

Version 0.2:

* Adds support for SPDX SBOMs.

## Action from users

No action needed. The version bump simply marks the addition of SPDX support.

/task/deprecated-image-check/0.5/MIGRATION.md:

# Migration from 0.4 to 0.5

Version 0.5:

* Adds support for SPDX SBOMs.

## Action from users

No action needed. The version bump simply marks the addition of SPDX support.
/archived-tasks/source-build-oci-ta/0.2/MIGRATION.md:

# Migration from 0.1 to 0.2

Version 0.2:

* Adds support for SPDX SBOMs.

## Action from users

No action needed. The version bump simply marks the addition of SPDX support.

/task/pnc-prebuild-git-clone-oci-ta/0.1/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - ../../git-clone-oci-ta/0.1

patches:
  - path: patch.yaml
    target:
      kind: Task
```

/pipelines/docker-build-multi-platform-oci-ta/kustomization.yaml:

```yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../docker-build-oci-ta

patches:
  - path: patch.yaml
    target:
      kind: Pipeline
```

/task/oci-copy-oci-ta/0.2/recipe.yaml:

```yaml
---
base: ../../oci-copy/0.2/oci-copy.yaml
add:
  - use-source
removeWorkspaces:
  - source
replacements:
  workspaces.source.path: /var/workdir
regexReplacements:
  "/workspace(/.*)": /var/workdir$1
```

/archived-tasks/oci-copy-oci-ta/0.1/recipe.yaml:

```yaml
---
base: ../../oci-copy/0.1/oci-copy.yaml
add:
  - use-source
removeWorkspaces:
  - source
replacements:
  workspaces.source.path: /var/workdir
regexReplacements:
  "/workspace(/.*)": /var/workdir$1
```

/task/sast-unicode-check-oci-ta/0.2/MIGRATION.md:

# Migration from 0.1 to 0.2

- The `IMAGE_DIGEST` parameter has been added.

## Action from users

- The `IMAGE_DIGEST` parameter definition can optionally be added for this task in the build pipeline.

/task/slack-webhook-notification-oci-ta/0.1/recipe.yaml:

```yaml
---
base: ../../slack-webhook-notification/0.1/slack-webhook-notification.yaml
add:
  - use-source
removeWorkspaces:
  - source
replacements:
  workspaces.source.path: /var/workdir
preferStepTemplate: true
```

/task/fips-operator-bundle-check-oci-ta/0.1/recipe.yaml:

```yaml
---
base: ../../fips-operator-bundle-check/0.1/fips-operator-bundle-check.yaml
add:
  - use-source
preferStepTemplate: true
removeWorkspaces:
  - workspace
replacements:
  workspaces.workspace.path: /var/workdir
```

/task/tkn-bundle-oci-ta/0.2/recipe.yaml:

```yaml
---
base: ../../tkn-bundle/0.2/tkn-bundle.yaml
add:
  - use-source
removeWorkspaces:
  - source
preferStepTemplate: true
replacements:
  workspaces.source.path: /var/workdir
regexReplacements:
  "/workspace(/.*)": /var/workdir$1
```

/task/sast-unicode-check/0.2/MIGRATION.md:

# Migration from 0.1 to 0.2

Version 0.2:

- The `image-digest` parameter has been reintroduced; it is used when uploading results with ORAS.

## Action from users

- The `image-digest` parameter must be added to this task in the build pipeline.

/archived-tasks/tkn-bundle-oci-ta/0.1/recipe.yaml:

```yaml
---
base: ../../tkn-bundle/0.1/tkn-bundle.yaml
add:
  - use-source
removeWorkspaces:
  - source
preferStepTemplate: true
replacements:
  workspaces.source.path: /var/workdir
regexReplacements:
  "/workspace(/.*)": /var/workdir$1
```

/pipelines/core-services/README.md:

An extension of the build pipelines for Konflux core services that updates infra-deployments after a successful build in CI.

Since [konflux-ci/konflux-ci](https://github.com/konflux-ci/konflux-ci) supports running on arm64 and x86, this pipeline also produces a multi-arch image by default.

/task/sast-snyk-check-oci-ta/0.4/MIGRATION.md:

# Migration from 0.3 to 0.4

Version 0.4:

- The `IMAGE_DIGEST` parameter has been reintroduced; it is used when uploading results with ORAS.

## Action from users

- The `IMAGE_DIGEST` parameter must be added to this task in the build pipeline.

/.github/workflows/yaml-lint.yaml:

```yaml
---
name: yamllint
"on":
  pull_request:
    branches: [main]
  merge_group:
    types: [checks_requested]
jobs:
  yamllint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Lint YAML files
        run: yamllint .
```

/task/package-operator-package-oci-ta/0.1/recipe.yaml:

```yaml
---
base: ../../package-operator-package/0.1/package-operator-package.yaml
add:
  - use-source
removeWorkspaces:
  - source
preferStepTemplate: true
replacements:
  workspaces.source.path: /var/workdir
regexReplacements:
  "/workspace(/.*)": /var/workdir$1
```

/task/buildah-oci-ta/0.6/recipe.yaml:

```yaml
---
base: ../../buildah/0.6/buildah.yaml
removeParams:
  - BUILDER_IMAGE
add:
  - use-source
  - use-prefetch
removeWorkspaces:
  - source
useTAVolumeMount: true
replacements:
  workspaces.source.path: /var/workdir
regexReplacements:
  "/workspace(/.*)": /var/workdir$1
```

/task/buildah-oci-ta/0.7/recipe.yaml:

```yaml
---
base: ../../buildah/0.7/buildah.yaml
removeParams:
  - BUILDER_IMAGE
add:
  - use-source
  - use-prefetch
removeWorkspaces:
  - source
useTAVolumeMount: true
replacements:
  workspaces.source.path: /var/workdir
regexReplacements:
  "/workspace(/.*)": /var/workdir$1
```

/archived-tasks/buildah-oci-ta/0.4/recipe.yaml:

```yaml
---
base: ../../buildah/0.4/buildah.yaml
removeParams:
  - BUILDER_IMAGE
add:
  - use-source
  - use-prefetch
removeWorkspaces:
  - source
useTAVolumeMount: true
replacements:
  workspaces.source.path: /var/workdir
regexReplacements:
  "/workspace(/.*)": /var/workdir$1
```

/archived-tasks/buildah-oci-ta/0.5/recipe.yaml:

```yaml
---
base: ../../buildah/0.5/buildah.yaml
removeParams:
  - BUILDER_IMAGE
add:
  - use-source
  - use-prefetch
removeWorkspaces:
  - source
useTAVolumeMount: true
replacements:
  workspaces.source.path: /var/workdir
regexReplacements:
  "/workspace(/.*)": /var/workdir$1
```

/archived-tasks/fbc-validation/0.2/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - ../0.1

patches:
  - patch: |-
      - op: replace
        path: /metadata/labels
        value:
          app.kubernetes.io/version: "0.2"
    target:
      kind: Task
      name: fbc-validation
```

/archived-tasks/inspect-image/0.2/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - ../0.1

patches:
  - patch: |-
      - op: replace
        path: /metadata/labels
        value:
          app.kubernetes.io/version: "0.2"
    target:
      kind: Task
      name: inspect-image
```

/task-generator/trusted-artifacts/expect.go:

```go
package main

import (
	"fmt"
	"os"
)

// expect aborts the generator, printing err to stderr, when err is non-nil.
func expect(err error) {
	if err == nil {
		return
	}
	fmt.Fprintln(os.Stderr, err)
	os.Exit(1)
}

// expectValue unwraps a (value, error) pair, aborting the generator on error.
func expectValue[T any](val T, err error) T {
	expect(err)
	return val
}
```

/task/push-dockerfile-oci-ta/0.1/recipe.yaml:

```yaml
---
base: ../../push-dockerfile/0.1/push-dockerfile.yaml
add:
  - use-source
preferStepTemplate: true
removeWorkspaces:
  - workspace
replacements:
  workspaces.workspace.path: /var/workdir
description: |-
  Discover Dockerfile from source code and push it to registry as an OCI artifact.
```

/archived-tasks/sast-coverity-check-oci-ta/0.1/recipe.yaml:

```yaml
---
base: ../../sast-coverity-check/0.1/sast-coverity-check.yaml
add:
  - use-source
  - use-cachi2
preferStepTemplate: true
removeWorkspaces:
  - workspace
replacements:
  workspaces.workspace.path: /var/workdir
regexReplacements:
  hacbs/\$\(context.task.name\): source
```

/task/build-helm-chart-oci-ta/0.3/MIGRATION.md:

# Migration from 0.2 to 0.3

## Parameter Changes

### Modified Parameters
- `VALUES_FILE`: renamed to `VALUES_FILES`. Now represents an array
  (default: `["values.yaml"]`)

### Removed Parameters
- None

## Action from users

The task is assumed to have no active users.

/task/sast-snyk-check-oci-ta/0.4/recipe.yaml:

```yaml
---
base: ../../sast-snyk-check/0.4/sast-snyk-check.yaml
add:
  - use-source
  - use-prefetch
preferStepTemplate: true
removeWorkspaces:
  - workspace
replacements:
  workspaces.workspace.path: /var/workdir
regexReplacements:
  hacbs/\$\(context.task.name\): source
useTAVolumeMount: true
```

/archived-tasks/deprecated-image-check/0.2/MIGRATION.md:

# Migration from 0.1 to 0.2

The workspace used by `deprecated-image-check` has been changed from `sanity-ws` to `test-ws`.

## Action from users

Update the files in the pull request created by the RHTAP bot:
- Search for the task named `deprecated-base-image-check`
- Change the workspace named `sanity-ws` to `test-ws`

/pipelines/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - docker-build
  - docker-build-oci-ta
  - docker-build-multi-platform-oci-ta
  - enterprise-contract.yaml
  - fbc-builder
  - ko-build-oci-ta
  - tekton-bundle-builder
  - tekton-bundle-builder-oci-ta
  - maven-zip-build
  - maven-zip-build-oci-ta
```

/.cursor/rules/basic.mdc:

```markdown
---
description: Basic rules
---

- don't change whitespace or newlines in existing unrelated code
- never add whitespace or tabs to empty lines
- don't remove unrelated code
- don't change files when/where modifications are not needed
- don't add trailing newlines at the end of a file; the last newline character is the one at the end of the code
```

/archived-tasks/fbc-related-image-check/0.2/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - ../0.1

patches:
  - patch: |-
      - op: replace
        path: /metadata/labels
        value:
          app.kubernetes.io/version: "0.2"
    target:
      kind: Task
      name: fbc-related-image-check
```

/archived-tasks/sast-snyk-check-oci-ta/0.3/recipe.yaml:

```yaml
---
base: ../../sast-snyk-check/0.3/sast-snyk-check.yaml
add:
  - use-source
  - use-cachi2
preferStepTemplate: true
removeWorkspaces:
  - workspace
replacements:
  workspaces.workspace.path: /var/workdir
regexReplacements:
  hacbs/\$\(context.task.name\): source
useTAVolumeMount: true
```

/task/sast-unicode-check-oci-ta/0.2/recipe.yaml:

```yaml
---
base: ../../sast-unicode-check/0.2/sast-unicode-check.yaml
add:
  - use-source
  - use-prefetch
preferStepTemplate: true
removeWorkspaces:
  - workspace
replacements:
  workspaces.workspace.path: /var/workdir
regexReplacements:
  hacbs/\$\(context.task.name\): source
useTAVolumeMount: true
```

/task/sast-unicode-check-oci-ta/0.3/recipe.yaml:

```yaml
---
base: ../../sast-unicode-check/0.3/sast-unicode-check.yaml
add:
  - use-source
  - use-prefetch
preferStepTemplate: true
removeWorkspaces:
  - workspace
replacements:
  workspaces.workspace.path: /var/workdir
regexReplacements:
  hacbs/\$\(context.task.name\): source
useTAVolumeMount: true
```

/task/sast-coverity-check-oci-ta/0.3/recipe.yaml:

```yaml
---
base: ../../sast-coverity-check/0.3/sast-coverity-check.yaml
removeParams:
  - BUILDER_IMAGE
add:
  - use-source
  - use-prefetch
removeWorkspaces:
  - source
replacements:
  workspaces.source.path: /var/workdir
regexReplacements:
  "/workspace(/.*)": /var/workdir$1
useTAVolumeMount: true
```

/task/sast-unicode-check/0.3/MIGRATION.md:

# Migration from 0.2 to 0.3

- Both the `image-digest` and `image-url` parameters are now required and have no default values
  (previously `""`). Task runs that do not pass the image digest and URL will fail.

## Action from users

- Both the `image-digest` and `image-url` parameters must be added to this task in the build pipeline.

/archived-tasks/coverity-availability-check-oci-ta/0.1/recipe.yaml:

```yaml
---
base: ../../coverity-availability-check/0.1/coverity-availability-check.yaml
add:
  - use-source
  - use-cachi2
preferStepTemplate: true
removeWorkspaces:
  - workspace
replacements:
  workspaces.workspace.path: /var/workdir
regexReplacements:
  hacbs/\$\(context.task.name\): source
```

/archived-tasks/sast-unicode-check-oci-ta/0.1/recipe.yaml:

```yaml
---
base: ../../sast-unicode-check/0.1/sast-unicode-check.yaml
add:
  - use-source
  - use-cachi2
preferStepTemplate: true
removeWorkspaces:
  - workspace
replacements:
  workspaces.workspace.path: /var/workdir
regexReplacements:
  hacbs/\$\(context.task.name\): source
useTAVolumeMount: true
```

/task/sast-unicode-check-oci-ta/0.3/MIGRATION.md:

# Migration from 0.2 to 0.3

- Both the `image-digest` and `image-url` parameters are now required and have no default values
  (previously `""`). Task runs that do not pass the image digest and URL will fail.

## Action from users

- Both the `image-digest` and `image-url` parameters must be added to this task in the build pipeline.

/archived-tasks/sast-coverity-check-oci-ta/0.2/recipe.yaml:

```yaml
---
base: ../../sast-coverity-check/0.2/sast-coverity-check.yaml
removeParams:
  - BUILDER_IMAGE
add:
  - use-source
  - use-cachi2
removeWorkspaces:
  - source
replacements:
  workspaces.source.path: /var/workdir
regexReplacements:
  "/workspace(/.*)": /var/workdir$1
useTAVolumeMount: true
```

/task/run-opm-command-oci-ta/0.1/tests/pre-apply-task-hook.sh:

```bash
#!/bin/bash

# This script is called before applying the task to set up required resources.
# No special resources are needed; the CI environment provides:
# - the trusted-ca ConfigMap (injected by cert-manager trust-manager)
# - registry access via kind-registry

echo "Pre-requirements setup complete for run-opm-command-oci-ta task"
```

/task/sast-coverity-check/0.3/kustomization.yaml:

```yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  # Pin base buildah task to specific commit to reduce churn
  -
```
https://github.com/konflux-ci/build-definitions/raw/2b07ac561f8e79d8103fffb62859af60ad3a358f/task/buildah/0.4/buildah.yaml 7 | 8 | patches: 9 | - path: patch.yaml 10 | target: 11 | kind: Task 12 | -------------------------------------------------------------------------------- /task-generator/trusted-artifacts/golden/source-build/recipe.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | add: 3 | - use-source 4 | - use-prefetch 5 | removeWorkspaces: 6 | - workspace 7 | removeVolumes: 8 | - source-build-work-place 9 | regexReplacements: 10 | \/var\/source-build: /var/workdir 11 | \/workspace\/workspace: /var/workdir 12 | preferStepTemplate: true 13 | replacements: 14 | workspaces.workspace.path: /var/workdir 15 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/feature_request.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Feature request 3 | title: '' 4 | labels: enhancement 5 | assignees: '' 6 | --- 7 | 8 | ## Use Case 9 | Describe the problem or need this feature would address 10 | 11 | ## Proposed Solution 12 | Your suggested implementation approach 13 | 14 | ## Alternatives Considered 15 | Other potential solutions 16 | 17 | ## Additional Context 18 | Any other relevant information -------------------------------------------------------------------------------- /hack/generate-build-team-readme.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | for OWNERS_FILE in $(find task -name OWNERS); do 4 | if grep -q "Stonesoup Build Team" $OWNERS_FILE; then 5 | TASKDIR=$(dirname $OWNERS_FILE) 6 | TASK=$(basename $TASKDIR) 7 | VERSIONDIR=$(ls -d $TASKDIR/*/ | sort -t. 
-k 1,1n -k 2,2n -k 3,3n -k 4,4n | tail -n1) 8 | ./hack/generate-readme.sh $VERSIONDIR/$TASK.yaml $VERSIONDIR/README.md 9 | fi 10 | done 11 | -------------------------------------------------------------------------------- /task/sast-snyk-check/0.4/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.3 to 0.4 2 | 3 | Version 0.4: 4 | 5 | - The `image-digest` parameter has been reintroduced, to be used when uploading with ORAS. 6 | - The `image-url` default value was removed, so the parameter is now required. 7 | ## Action from users 8 | - The `image-digest` parameter definition can optionally be added for this task in the build pipeline. 9 | - Users must provide the `image-url` parameter's value. -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/bug_report.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: Bug report 3 | title: '' 4 | labels: bug 5 | assignees: '' 6 | --- 7 | 8 | ## Problem Description 9 | Brief description of the issue 10 | 11 | ## Steps to Reproduce 12 | 1. Step one 13 | 2. Step two 14 | 3. Step three 15 | 16 | ## Current Behavior 17 | What actually happens 18 | 19 | ## Expected Behavior 20 | What should happen 21 | 22 | ## Other information 23 | Logs, error messages, etc. 
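The recipe.yaml files above (sast-snyk-check-oci-ta, sast-unicode-check-oci-ta, sast-coverity-check-oci-ta and the golden source-build recipe) drive the trusted-artifacts task generator: `replacements` rewrites a workspace path to `/var/workdir`, and `regexReplacements` rewrites hard-coded paths inside the base task's scripts. The Python below is an added example, not the generator's own code. It shows what those two keys do to a constructed script fragment and why the generated `*-oci-ta` task should still be checked for leftover workspace references. It assumes that `replacements` substitutes every `$(<key>)` occurrence with the value and that `regexReplacements` are Go-syntax regular expressions applied to the task text with `$1`-style group references; the script lines and the `/workspace/out/` path are constructed.

```python
"""Apply a trusted-artifacts recipe's text substitutions to a task script.

Added example, not the task-generator's code. Assumptions: `replacements`
keys are Tekton variable paths, so every `$(<key>)` becomes the value;
`regexReplacements` are Go-syntax regexes applied to the task text, whose
`$1` group references are translated to Python's `\\1` here.
"""
from __future__ import annotations

import re

# Constructed recipe carrying the substitutions the sast-coverity-check-oci-ta
# and sast-snyk-check-oci-ta recipes use.
RECIPE = {
    "replacements": {"workspaces.source.path": "/var/workdir"},
    "regexReplacements": {
        r"hacbs/\$\(context.task.name\)": "source",
        "/workspace(/.*)": "/var/workdir$1",
    },
}

# Constructed script fragment standing in for a base task's step script.
SCRIPT = """\
cd $(workspaces.source.path)/hacbs/$(context.task.name)
cp /workspace/source/results.sarif /workspace/out/
"""


def go_to_py_replacement(repl: str) -> str:
    """Translate Go-style `$1` / `${1}` group references to Python's `\\1`."""
    return re.sub(r"\$\{?(\d+)\}?", r"\\\1", repl)


def apply_recipe(text: str, recipe: dict) -> str:
    """Run the recipe's literal and regex substitutions over task text."""
    for key, value in recipe.get("replacements", {}).items():
        text = text.replace(f"$({key})", value)
    for pattern, repl in recipe.get("regexReplacements", {}).items():
        text = re.sub(pattern, go_to_py_replacement(repl), text)
    return text


def leftover_refs(text: str) -> list[tuple[int, str]]:
    """(line number, line) for lines that still reference the old workspace."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if "/workspace" in line or "$(workspaces." in line]


if __name__ == "__main__":
    generated = apply_recipe(SCRIPT, RECIPE)
    print(generated)
    for n, line in leftover_refs(generated):
        print(f"line {n} still uses the workspace: {line}")
```

The second constructed line is the caveat: `(/.*)` is greedy to the end of the line under both Go's RE2 and Python's `re`, so a line that mentions `/workspace` twice gets only its first occurrence rewritten, and a tighter group such as `(/\S*)` would be needed to catch both. A `leftover_refs`-style grep over the generated task is the check a reviewer runs; the golden tests under task-generator/trusted-artifacts (whose expected/got files the .gitignore mentions) catch the same class of mistake.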
-------------------------------------------------------------------------------- /task/source-build-oci-ta/0.3/recipe.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | base: ../../source-build/0.3/source-build.yaml 3 | add: 4 | - use-source 5 | - use-prefetch 6 | removeWorkspaces: 7 | - workspace 8 | removeVolumes: 9 | - source-build-work-place 10 | regexReplacements: 11 | \/var\/source-build: /var/workdir 12 | \/workspace\/workspace: /var/workdir 13 | preferStepTemplate: true 14 | replacements: 15 | workspaces.workspace.path: /var/workdir 16 | -------------------------------------------------------------------------------- /archived-tasks/source-build-oci-ta/0.2/recipe.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | base: ../../source-build/0.2/source-build.yaml 3 | add: 4 | - use-source 5 | - use-cachi2 6 | removeWorkspaces: 7 | - workspace 8 | removeVolumes: 9 | - source-build-work-place 10 | regexReplacements: 11 | \/var\/source-build: /var/workdir 12 | \/workspace\/workspace: /var/workdir 13 | preferStepTemplate: true 14 | replacements: 15 | workspaces.workspace.path: /var/workdir 16 | -------------------------------------------------------------------------------- /.github/actions/install-tkn/action.yaml: -------------------------------------------------------------------------------- 1 | # yamllint disable-file 2 | --- 3 | name: Install tkn 4 | runs: 5 | using: "composite" 6 | steps: 7 | - run: | 8 | curl -LO "https://github.com/tektoncd/cli/releases/download/v${TKN_CLI_VERSION}/tektoncd-cli-${TKN_CLI_VERSION}_Linux-64bit.deb" 9 | sudo dpkg -i ./tektoncd-cli-${TKN_CLI_VERSION}_Linux-64bit.deb 10 | shell: bash 11 | env: 12 | TKN_CLI_VERSION: 0.38.1 13 | -------------------------------------------------------------------------------- /task/sast-coverity-check/0.3/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # 
Migration from 0.2 to 0.3 2 | 3 | - All resources using task `sast-coverity-check` should be updated to the new `0.3` version. 4 | - The `image-digest` parameter is required to be added for this task in the build pipeline. It will be added to the build pipeline definition file automatically by the script migrations/0.3.sh when MintMaker runs [pipeline-migration-tool](https://github.com/konflux-ci/pipeline-migration-tool). 5 | -------------------------------------------------------------------------------- /task-generator/trusted-artifacts/golden/git-clone/recipe.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | removeParams: 3 | - gitInitImage 4 | - deleteExisting 5 | - subdirectory 6 | addEnvironment: 7 | - name: CHECKOUT_DIR 8 | value: /var/workdir/source 9 | add: 10 | - create-source 11 | removeWorkspaces: 12 | - output 13 | description: The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted 14 | artifact in the provided OCI repository. 15 | -------------------------------------------------------------------------------- /task/clair-scan/0.2/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.1 to 0.2 2 | 3 | Version 0.2: 4 | 5 | This change is required to provide a consistent experience for users. It originates in https://issues.redhat.com/browse/ADR-30; see there for more details. 6 | The `CLAIR_SCAN_RESULT` result is renamed to `SCAN_OUTPUT`. 7 | 8 | ## Action from users 9 | 10 | A Renovate bot PR will be created with a warning icon for clair-scan; this is expected and no action from users is required. 
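Several MIGRATION notes above (sast-unicode-check 0.3, sast-snyk-check 0.4, sast-coverity-check 0.3) make `image-digest` and `image-url` required by dropping their `""` defaults, and rely on a migrations/0.3.sh script run by pipeline-migration-tool to add them to build pipelines. The Python below is an added example, not code from build-definitions or pipeline-migration-tool: it checks a pipeline's task entries against Task param specs and adds the missing required params the way such a migration does. It assumes Tekton's rule that a Task param without a `default` is required (a PipelineRun that omits it is rejected before any step runs), a bundles-resolver `taskRef` whose `bundle` tag is the task version, and a build task named `build-image-index` producing `IMAGE_DIGEST`/`IMAGE_URL` results; the param specs, bundle reference and pipeline fragment are constructed.

```python
"""Check a build pipeline for required Task params and add the missing ones.

Added example, not code from build-definitions or pipeline-migration-tool.
Tekton semantics assumed: a Task param with no `default` key is required, so
a PipelineRun that omits it is rejected before any step runs. The taskRef
shape assumed is the bundles resolver with `name`/`bundle`/`kind` params,
where the bundle tag is the task version.
"""
from __future__ import annotations

import re
from typing import Any

# Constructed, trimmed param specs keyed by task name and version. The
# image-digest / image-url entries follow the MIGRATION notes; "example-opt"
# is made up to show the default / no-default distinction.
TASK_PARAMS: dict[str, dict[str, list[dict[str, Any]]]] = {
    "sast-unicode-check": {
        "0.2": [{"name": "image-digest", "default": ""},
                {"name": "image-url", "default": ""}],
        "0.3": [{"name": "image-digest"},
                {"name": "image-url"},
                {"name": "example-opt", "default": "x"}],
    },
}

# Values a migration wires in for the new required params. The producing task
# name (build-image-index) and the result names are assumptions.
MIGRATION_VALUES = {
    "image-digest": "$(tasks.build-image-index.results.IMAGE_DIGEST)",
    "image-url": "$(tasks.build-image-index.results.IMAGE_URL)",
}


def task_ref(pipeline_task: dict) -> tuple[str, str] | None:
    """Return (task name, version tag) from a bundles-resolver taskRef."""
    ref = pipeline_task.get("taskRef", {})
    if ref.get("resolver") != "bundles":
        return None
    params = {p["name"]: p["value"] for p in ref.get("params", [])}
    # bundle refs look like registry/repo/task-foo:0.3@sha256:...; take the tag
    match = re.search(r":([\w.-]+)(?=@|$)", params.get("bundle", ""))
    if "name" not in params or match is None:
        return None
    return params["name"], match.group(1)


def required_params(spec: list[dict[str, Any]]) -> set[str]:
    """Params the Task declares without a default."""
    return {p["name"] for p in spec if "default" not in p}


def missing_required(pipeline: dict) -> dict[str, list[str]]:
    """Map pipelineTask name -> required params it does not pass.

    Tasks and versions not present in TASK_PARAMS are skipped, not flagged.
    """
    findings: dict[str, list[str]] = {}
    for pt in pipeline["spec"]["tasks"]:
        ref = task_ref(pt)
        if ref is None or ref[1] not in TASK_PARAMS.get(ref[0], {}):
            continue
        given = {p["name"] for p in pt.get("params", [])}
        missing = sorted(required_params(TASK_PARAMS[ref[0]][ref[1]]) - given)
        if missing:
            findings[pt["name"]] = missing
    return findings


def migrate(pipeline: dict) -> list[str]:
    """Add MIGRATION_VALUES for each missing required param, in place.

    Returns "pipelineTask/param" per addition. A required param with no known
    value raises instead of being silently filled with "".
    """
    added: list[str] = []
    findings = missing_required(pipeline)
    for pt in pipeline["spec"]["tasks"]:
        for name in findings.get(pt["name"], []):
            if name not in MIGRATION_VALUES:
                raise ValueError(f"{pt['name']}: no migration value for {name}")
            pt.setdefault("params", []).append(
                {"name": name, "value": MIGRATION_VALUES[name]})
            added.append(f"{pt['name']}/{name}")
    return added


def example_pipeline() -> dict:
    """Constructed pipeline fragment right after a 0.2 -> 0.3 bump."""
    bundle = ("quay.io/example/tekton-catalog/task-sast-unicode-check:0.3"
              "@sha256:" + "0" * 64)
    return {"spec": {"tasks": [{
        "name": "sast-unicode-check",
        "taskRef": {"resolver": "bundles", "params": [
            {"name": "name", "value": "sast-unicode-check"},
            {"name": "bundle", "value": bundle},
            {"name": "kind", "value": "task"}]},
        # what the 0.2 pipeline passed; image-* were optional then
        "params": [{"name": "example-opt", "value": "y"}],
    }]}}


if __name__ == "__main__":
    pipeline = example_pipeline()
    print("missing before:", missing_required(pipeline))
    print("added:", migrate(pipeline))
    print("missing after:", missing_required(pipeline))
```

Running `missing_required` against a pipeline before merging a Renovate or MintMaker bump is the cheap way to catch the failure mode these notes describe, since the error otherwise only appears when the PipelineRun is admitted. `migrate` refuses to fill a required param it has no value for; re-adding the old `""` default would defeat the point of the version bump.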
11 | -------------------------------------------------------------------------------- /task/sast-coverity-check-oci-ta/0.3/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.2 to 0.3 2 | 3 | - All resources using task `sast-coverity-check-oci-ta` should be updated to the new `0.3` version. 4 | - The `image-digest` parameter is required to be added for this task in the build pipeline. It will be added to the build pipeline definition file automatically by the script migrations/0.3.sh when MintMaker runs [pipeline-migration-tool](https://github.com/konflux-ci/pipeline-migration-tool). 5 | -------------------------------------------------------------------------------- /task/rpms-signature-scan/0.2/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.1 to 0.2 2 | The parameter `fail-unsigned` used by the `rpms-signature-scan` task was removed. 3 | 4 | ## Action from users 5 | Remove the `fail-unsigned` parameter from the `rpms-signature-scan` task in your pipeline. 6 | 7 | 8 | # Migration from 0.2 to 0.2.1 9 | The image repository was updated from `konflux-vanguard` to `tekton-catalog`. 10 | 11 | ## Action from users 12 | None; the migration script should handle it. 13 | -------------------------------------------------------------------------------- /policies/build-tasks.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # These policies are meant to be applied to the build Tasks in this repo. These are policy rules 3 | # that are very specific to the use cases in this repo. Thus, they are defined here instead of in a 4 | # more generic location, e.g. infra-deployments repository. 
5 | sources: 6 | - policy: 7 | - oci::quay.io/conforma/build-task-policy:latest 8 | data: 9 | - git::https://github.com/release-engineering/rhtap-ec-policy//data 10 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .vscode/ 2 | .idea/ 3 | pipeline-bundle-list 4 | task-bundle-list 5 | bundle_values.env 6 | 7 | *~ 8 | *.swp 9 | .checkton.sarif 10 | **/vendor 11 | 12 | # expected and got files generated in trusted-artifacts tests when mismatch occurs 13 | task-generator/trusted-artifacts/golden/**/expected 14 | task-generator/trusted-artifacts/golden/**/got 15 | # Generated binaries 16 | task-generator/trusted-artifacts/trusted-artifacts 17 | task-generator/remote/remote 18 | 19 | -------------------------------------------------------------------------------- /task/tkn-bundle/0.2/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.1 to 0.2 2 | The parameter `URL` was added to the task. 3 | The parameter `REVISION` was added to the task. 4 | The parameter `depth` is set to `100` in the `clone-repository` task if the `tkn-bundle-oci-ta` task or the `tkn-bundle` task exists in the pipeline. 5 | 6 | ## Action from users 7 | Add the `URL` and `REVISION` parameters to the `tkn-bundle` task. 8 | Set the `depth` to `100` in the `clone-repository` task if the `tkn-bundle` task exists in the pipeline. 9 | -------------------------------------------------------------------------------- /task/clamav-scan/0.2/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.1 to 0.2 2 | 3 | Version 0.2: 4 | 5 | In this version the sidecar is removed from the task and the required tools (jq, oc, ...) were added to the ClamAV DB container image. 6 | This should fix the timeouts seen while the task scans the database and improve performance. 
7 | 8 | ## Action from users 9 | 10 | Renovate bot PR will be created with warning icon for a clamav-scan which is expected, no actions from users are required. 11 | -------------------------------------------------------------------------------- /task/git-clone-oci-ta/0.1/recipe.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | base: ../../git-clone/0.1/git-clone.yaml 3 | removeParams: 4 | - gitInitImage 5 | - deleteExisting 6 | - subdirectory 7 | addEnvironment: 8 | - name: CHECKOUT_DIR 9 | value: /var/workdir/source 10 | add: 11 | - create-source 12 | useTAVolumeMount: true 13 | removeWorkspaces: 14 | - output 15 | description: The git-clone-oci-ta Task will clone a repo from the provided url and store it as a trusted 16 | artifact in the provided OCI repository. 17 | -------------------------------------------------------------------------------- /archived-tasks/buildah/0.5/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.4 to 0.5 2 | 3 | Version 0.5: 4 | 5 | * Fixes a regression where the SBOMs did not include the dependencies 6 | identified by Hermeto (from the prefetch task), making the SBOMs less accurate 7 | 8 | ## Action from users 9 | 10 | No action required. 11 | 12 | We consider the problem severe enough to require a new version (to raise awareness 13 | and to let us deprecate the broken version faster). But you don't need to make 14 | any manual changes. 15 | -------------------------------------------------------------------------------- /archived-tasks/buildah-min/0.5/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.4 to 0.5 2 | 3 | Version 0.5: 4 | 5 | * Fixes a regression where the SBOMs did not include the dependencies 6 | identified by Hermeto (from the prefetch task), making the SBOMs less accurate 7 | 8 | ## Action from users 9 | 10 | No action required. 
11 | 12 | We consider the problem severe enough to require a new version (to raise awareness 13 | and to let us deprecate the broken version faster). But you don't need to make 14 | any manual changes. 15 | -------------------------------------------------------------------------------- /archived-tasks/buildah-oci-ta/0.5/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.4 to 0.5 2 | 3 | Version 0.5: 4 | 5 | * Fixes a regression where the SBOMs did not include the dependencies 6 | identified by Hermeto (from the prefetch task), making the SBOMs less accurate 7 | 8 | ## Action from users 9 | 10 | No action required. 11 | 12 | We consider the problem severe enough to require a new version (to raise awareness 13 | and to let us deprecate the broken version faster). But you don't need to make 14 | any manual changes. 15 | -------------------------------------------------------------------------------- /archived-tasks/buildah-remote/0.5/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.4 to 0.5 2 | 3 | Version 0.5: 4 | 5 | * Fixes a regression where the SBOMs did not include the dependencies 6 | identified by Hermeto (from the prefetch task), making the SBOMs less accurate 7 | 8 | ## Action from users 9 | 10 | No action required. 11 | 12 | We consider the problem severe enough to require a new version (to raise awareness 13 | and to let us deprecate the broken version faster). But you don't need to make 14 | any manual changes. 15 | -------------------------------------------------------------------------------- /task/tkn-bundle-oci-ta/0.2/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.1 to 0.2 2 | The parameter `URL` was added to the task. 3 | The parameter `REVISION` was added to the task. 
4 | The parameter `depth` is set to `100` in `clone-repository` task if `tkn-bundle-oci-ta` task or `tkn-bundle` task exists in pipeline 5 | 6 | ## Action from users 7 | Add the `URL` and `REVISION` parameters to the `tkn-bundle-oci-ta` task. 8 | Set the `depth` to `100` in `clone-repository` task if `tkn-bundle-oci-ta` task or `tkn-bundle` task exists in pipeline 9 | -------------------------------------------------------------------------------- /archived-tasks/buildah-remote-oci-ta/0.5/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.4 to 0.5 2 | 3 | Version 0.5: 4 | 5 | * Fixes a regression where the SBOMs did not include the dependencies 6 | identified by Hermeto (from the prefetch task), making the SBOMs less accurate 7 | 8 | ## Action from users 9 | 10 | No action required. 11 | 12 | We consider the problem severe enough to require a new version (to raise awareness 13 | and to let us deprecate the broken version faster). But you don't need to make 14 | any manual changes. 
15 | -------------------------------------------------------------------------------- /task/opm-get-bundle-version/0.1/README.md: -------------------------------------------------------------------------------- 1 | # opm-get-bundle-version task 2 | 3 | Fetch the current version of the provided OLM bundle image 4 | 5 | ## Parameters 6 | |name|description|default value|required| 7 | |---|---|---|---| 8 | |bundle-image|OLM bundle image to query||true| 9 | 10 | ## Results 11 | |name|description| 12 | |---|---| 13 | |bundle-version|olm.package version| 14 | 15 | ## Workspaces 16 | |name|description|optional| 17 | |---|---|---| 18 | |workspace|The shared workspace between steps|false| 19 | 20 | ## Additional info 21 | -------------------------------------------------------------------------------- /task/modelcar-oci-ta/0.1/tests/pre-apply-task-hook.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This script is called before applying the task to set up required resources 4 | TASK_COPY="$1" 5 | TEST_NS="$2" 6 | 7 | # Create a dummy docker config secret for registry authentication 8 | echo '{"auths":{}}' | kubectl create secret generic dummy-secret \ 9 | --from-file=.dockerconfigjson=/dev/stdin \ 10 | --type=kubernetes.io/dockerconfigjson \ 11 | -n "$TEST_NS" --dry-run=client -o yaml | kubectl apply -f - -n "$TEST_NS" 12 | 13 | echo "Pre-requirements setup complete" 14 | -------------------------------------------------------------------------------- /pipelines/core-services/kustomization.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kustomize.config.k8s.io/v1beta1 2 | kind: Kustomization 3 | resources: 4 | - ../docker-build 5 | 6 | commonAnnotations: 7 | # Make it easier to create bundle for these pipelines 8 | appstudio.openshift.io/core-services-ci: "1" 9 | 10 | patches: 11 | - path: infra-deploy.yaml 12 | target: 13 | kind: Pipeline 14 | - path: 
update-repo.yaml 15 | target: 16 | kind: Pipeline 17 | - path: slack-notification.yaml 18 | target: 19 | kind: Pipeline 20 | - path: patch.yaml 21 | target: 22 | kind: Pipeline 23 | -------------------------------------------------------------------------------- /task/build-helm-chart-oci-ta/0.2/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.1 to 0.2 2 | 3 | ## Parameter Changes 4 | 5 | ### Added Parameters 6 | - `IMAGE`: Full image reference with tag (replaces `REPO`) 7 | - `IMAGE_MAPPINGS`: JSON array for image substitution in Helm charts 8 | - `VALUES_FILE`: Path to values file for image substitution (default: `values.yaml`) 9 | 10 | ### Modified Parameters 11 | - `REPO` → `IMAGE`: Now requires full image reference including tag 12 | 13 | ### Removed Parameters 14 | - None 15 | 16 | ## Action from users 17 | 18 | The task is assumed to have no active users. 19 | -------------------------------------------------------------------------------- /stepactions/eaas-get-latest-openshift-version-by-prefix/0.1/README.md: -------------------------------------------------------------------------------- 1 | # eaas-get-latest-openshift-version-by-prefix stepaction 2 | 3 | This StepAction queries an OpenShift CI API to get the latest version for a release stream. 4 | 5 | ## Parameters 6 | |name|description|default value|required| 7 | |---|---|---|---| 8 | |prefix|The leading part of the OpenShift version. E.g. `4.` or `4.15.`||true| 9 | |releaseStream|The name of the OpenShift release stream. E.g. `4-stable`|4-stable|false| 10 | 11 | ## Results 12 | |name|description| 13 | |---|---| 14 | |version|The latest matching version.| 15 | 16 | -------------------------------------------------------------------------------- /task/summary/0.2/README.md: -------------------------------------------------------------------------------- 1 | # summary task 2 | 3 | Summary Pipeline Task. 
Prints PipelineRun information, removes image repository secret used by the PipelineRun. 4 | 5 | ## Parameters 6 | |name|description|default value|required| 7 | |---|---|---|---| 8 | |pipelinerun-name|pipeline-run to annotate||true| 9 | |git-url|Git URL||true| 10 | |image-url|Image URL||true| 11 | |build-task-status|State of build task in pipelineRun|Succeeded|false| 12 | 13 | ## Workspaces 14 | |name|description|optional| 15 | |---|---|---| 16 | |workspace|The workspace where source code is included.|true| 17 | 18 | ## Additional info 19 | -------------------------------------------------------------------------------- /archived-tasks/buildah-min/0.4/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.4 to 0.4.1 2 | 3 | Version 0.4.1: 4 | 5 | * Add the `SOURCE_URL` parameter. 6 | 7 | ## Action from users 8 | `SOURCE_URL` will be added to build pipeline definition files 9 | automatically by script migrations/0.4.1.sh when MintMaker runs 10 | [pipeline-migration-tool](https://github.com/konflux-ci/pipeline-migration-tool). 11 | 12 | To achieve the migration manually, you can do as follows in the build task array: 13 | ```diff 14 | params: 15 | [...] 16 | + - name: SOURCE_URL 17 | + value: $(tasks.clone-repository.results.url) 18 | [...] 
19 | ``` 20 | -------------------------------------------------------------------------------- /.cursor/rules/git.mdc: -------------------------------------------------------------------------------- 1 | --- 2 | description: Git rules to be applied when git manipulations are requested 3 | --- 4 | 5 | # git rules 6 | 7 | ## main branch 8 | - main branch is read only, never push there directly 9 | - for changes a new feature branch must be created 10 | - pull requests are used to propose changes to the main branch 11 | 12 | ## commit message 13 | - use conventional commits style 14 | - write short but descriptive commit message 15 | - avoid fluff in the text 16 | - max line length should be 72 characters 17 | - must contain sign-off git trailer with user ID, "git commit -s" option 18 | - add "Assisted-by: Cursor AI" git trailer 19 | -------------------------------------------------------------------------------- /task/git-clone/0.1/tests/test-git-clone-fail-for-wrong-url.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: tekton.dev/v1 3 | kind: Pipeline 4 | metadata: 5 | name: test-git-clone-fail-for-wrong-url 6 | annotations: 7 | test/assert-task-failure: "run-task" 8 | spec: 9 | description: | 10 | Test that the git-clone task fails for a repository URL that does not exist 11 | workspaces: 12 | - name: tests-workspace 13 | tasks: 14 | - name: run-task 15 | taskRef: 16 | name: git-clone 17 | params: 18 | - name: url 19 | value: https://github.com/user/repo-does-not-exists 20 | workspaces: 21 | - name: output 22 | workspace: tests-workspace 23 | -------------------------------------------------------------------------------- /hack/shellspec/github_formatter.sh: -------------------------------------------------------------------------------- 1 | #shellcheck shell=bash disable=SC2154 2 | 3 | set -o errexit 4 | set -o pipefail 5 | set -o nounset 6 | 7 | print_error() { 8 | message="${field_note}${field_note:+: 
}${field_message}%0A${field_failure_message//$'\n'/%0A}" 9 | printf "::error file=%s,line=%d,endLine=%d,title=%s::%s%%0A" "${field_specfile}" "${field_lineno%-*}" "${field_lineno#*-}" "${field_message}" "${message}" 10 | } 11 | 12 | github_each() { 13 | case "${field_type}" in 14 | statement) 15 | [[ "$field_fail" ]] && print_error 16 | ;; 17 | error) 18 | print_error 19 | ;; 20 | esac 21 | } 22 | -------------------------------------------------------------------------------- /archived-tasks/sast-snyk-check/0.2/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.1 to 0.2 2 | 3 | Version 0.2: 4 | 5 | These changes originate from ProdSec requirements for sast-snyk-check to scan dependencies. See https://issues.redhat.com/browse/STONEINTG-1020 for more information. 6 | The scanned directory changed from `SOURCE_CODE_DIR`=$(workspaces.workspace.path)/source to `SOURCE_CODE_DIR`=$(workspaces.workspace.path). 7 | The `--max-depth`=1 option was added, so snyk now scans both the source code and the dependencies within the workspace. 8 | 9 | ## Action from users 10 | 11 | A Renovate bot PR will be created with a warning icon for sast-snyk-check; this is expected and no action from users is required. 
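hack/shellspec/github_formatter.sh above turns shellspec failures into `::error` workflow commands and percent-encodes newlines in the failure message so a multi-line message cannot end the command early. The Python below is an added example, not part of build-definitions, showing the complete escaping GitHub documents for workflow commands: `%`, CR and LF in the message, and additionally `:` and `,` in property values, so text lifted from test output cannot add properties or start a second command on the next line. The `lineno_range` helper mirrors the formatter's `${field_lineno%-*}` / `${field_lineno#*-}` expansions; the sample file name, title and message are constructed.

```python
"""Escape GitHub Actions workflow-command annotations.

Added example, not part of build-definitions. Escaping rules assumed from
GitHub's workflow-command documentation:
  data (text after '::'):   %  -> %25   CR -> %0D   LF -> %0A
  property values:          the above plus  :  -> %3A   ,  -> %2C
'%' must be escaped first so the encoded sequences are not double-escaped.
"""
from __future__ import annotations


def escape_data(text: str) -> str:
    """Escape the free-text part of a workflow command."""
    return text.replace("%", "%25").replace("\r", "%0D").replace("\n", "%0A")


def escape_property(text: str) -> str:
    """Escape a property value; ':' and ',' would otherwise act as separators."""
    return escape_data(text).replace(":", "%3A").replace(",", "%2C")


def lineno_range(field_lineno: str) -> tuple[int, int]:
    """Split shellspec's "12-15" (or a plain "12") into (start, end).

    Mirrors the formatter's ${field_lineno%-*} / ${field_lineno#*-}.
    """
    start, sep, end = field_lineno.partition("-")
    return int(start), int(end if sep else start)


def error_annotation(specfile: str, field_lineno: str,
                     title: str, message: str) -> str:
    """Build one '::error ...::...' line with every field escaped."""
    start, end = lineno_range(field_lineno)
    props = ",".join(
        f"{key}={escape_property(value)}"
        for key, value in (
            ("file", specfile),
            ("line", str(start)),
            ("endLine", str(end)),
            ("title", title),
        )
    )
    return f"::error {props}::{escape_data(message)}"


if __name__ == "__main__":
    # Constructed failure text that tries to smuggle a property into the
    # title and a second workflow command onto a new line; after escaping
    # both are inert text inside a single annotation.
    hostile_title = "expected 100%, got 0:failed"
    hostile_message = "line one\nline two,endLine=1\n::warning::pwned"
    print(error_annotation("spec/example_spec.sh", "12-15",
                           hostile_title, hostile_message))
```

The formatter escapes only the newline in `field_failure_message`; `field_message` and `field_specfile` reach the property list and the data part unescaped, so a spec description containing `,` or `:` would split the property list. The functions above are a drop-in way to express the fuller rule if that ever matters.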
12 | -------------------------------------------------------------------------------- /OWNERS_ALIASES: -------------------------------------------------------------------------------- 1 | # See the OWNERS_ALIASES docs: https://git.k8s.io/community/contributors/guide/owners.md#owners_aliases 2 | aliases: 3 | build-team: 4 | - mmorhun 5 | - chmeliik 6 | - mkosiarc 7 | - rcerven 8 | - tkdchen 9 | - tisutisu 10 | - tnevrlka 11 | - MartinBasti 12 | integration-team: 13 | - dirgim 14 | - jsztuka 15 | - hongweiliu17 16 | - Josh-Everett 17 | - sonam1412 18 | - 14rcole 19 | - dheerajodha 20 | - kasemAlem 21 | ec-team: 22 | - simonbaird 23 | - lcarva 24 | - zregvart 25 | - joejstuart 26 | - robnester-rh 27 | - cuipinghuo 28 | spmm-team: 29 | - ligangty 30 | - yma96 31 | -------------------------------------------------------------------------------- /archived-tasks/fbc-related-image-check/0.1/README.md: -------------------------------------------------------------------------------- 1 | # fbc-related-image-check task 2 | 3 | ## Description: 4 | The fbc-related-image-check task checks whether all images referenced in file-based catalog (FBC) are valid by using 5 | Skopeo to inspect manifest content. 6 | 7 | ## Results: 8 | 9 | | name | description | 10 | |-------------------|---------------------------| 11 | | TEST_OUTPUT | Tekton task test output. 
| 12 | 13 | ## Source repository for image: 14 | https://github.com/konflux-ci/konflux-test 15 | 16 | ## Additional links: 17 | https://www.redhat.com/en/topics/containers/what-is-skopeo 18 | https://olm.operatorframework.io/docs/reference/file-based-catalogs/ 19 | -------------------------------------------------------------------------------- /archived-tasks/fbc-related-image-check/0.2/README.md: -------------------------------------------------------------------------------- 1 | # fbc-related-image-check task 2 | 3 | ## Description: 4 | The fbc-related-image-check task checks whether all images referenced in file-based catalog (FBC) are valid by using 5 | Skopeo to inspect manifest content. 6 | 7 | ## Results: 8 | 9 | | name | description | 10 | |-------------------|---------------------------| 11 | | TEST_OUTPUT | Tekton task test output. | 12 | 13 | ## Source repository for image: 14 | https://github.com/konflux-ci/konflux-test 15 | 16 | ## Additional links: 17 | https://www.redhat.com/en/topics/containers/what-is-skopeo 18 | https://olm.operatorframework.io/docs/reference/file-based-catalogs/ 19 | -------------------------------------------------------------------------------- /hack/verify-manifests.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -e 2 | 3 | SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)" 4 | 5 | main() { 6 | 7 | "${SCRIPT_DIR}"/build-manifests.sh 8 | if [[ $(git status --porcelain) ]]; then 9 | git diff --exit-code >&2 || { 10 | echo "Did you forget to build the manifests locally?" >&2; 11 | echo "Please run ./hack/build-manifests.sh and update your PR" >&2; 12 | echo "Or run ./hack/generate-everything.sh to run all the generators at once." 
>&2; 13 | exit 1; 14 | } 15 | fi 16 | echo "changes are up to date" >&2 17 | } 18 | 19 | if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then 20 | main "$@" 21 | fi 22 | -------------------------------------------------------------------------------- /archived-tasks/sast-snyk-check-oci-ta/0.2/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.1 to 0.2 2 | 3 | Version 0.2: 4 | 5 | These changes originate from ProdSec requirements for sast-snyk-check to scan dependencies. See https://issues.redhat.com/browse/STONEINTG-1020 for more information. 6 | Inherited from the sast-snyk-check task: 7 | The scanned directory changed from `SOURCE_CODE_DIR`=$(workspaces.workspace.path)/source to `SOURCE_CODE_DIR`=$(workspaces.workspace.path). 8 | The `--max-depth`=1 option was added, so snyk now scans both the source code and the dependencies within the workspace. 9 | 10 | ## Action from users 11 | 12 | A Renovate bot PR will be created with a warning icon for sast-snyk-check-oci-ta; this is expected and no action from users is required. 13 | -------------------------------------------------------------------------------- /task/summary/0.2/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.1 to 0.2 2 | 3 | Task `summary` can optionally be mounted to the shared workspace in order to show the source container image URL. Apply the following diff to the task `show-summary` in the PipelineRun YAMLs generated by the Konflux bot. 4 | 5 | ```diff 6 | value: $(params.output-image) 7 | - name: build-task-status 8 | value: $(tasks.build-container.status) 9 | + workspaces: 10 | + - name: workspace 11 | + workspace: workspace 12 | results: 13 | - name: IMAGE_URL 14 | value: "$(tasks.build-container.results.IMAGE_URL)" 15 | ``` 16 | 17 | This update to the PipelineRun is optional. The build pipeline can run normally without the mount. 
18 | -------------------------------------------------------------------------------- /stepactions/eaas-copy-secrets-to-ephemeral-cluster/0.1/README.md: -------------------------------------------------------------------------------- 1 | # eaas-copy-secrets-to-ephemeral-cluster stepaction 2 | 3 | This StepAction copies Secrets from the current namespace into a configurable namespace on an ephemeral cluster. The name and content of each Secret is unaltered in the process. 4 | 5 | ## Parameters 6 | |name|description|default value|required| 7 | |---|---|---|---| 8 | |credentials|A volume containing credentials to the remote cluster||true| 9 | |kubeconfig|Relative path to the kubeconfig in the mounted cluster credentials volume||true| 10 | |namespace|The destination namespace for the secrets. The namespace must already exist.||true| 11 | |labelSelector|A label selector identifying the secrets to be copied||true| 12 | 13 | -------------------------------------------------------------------------------- /task/build-maven-zip-oci-ta/0.1/recipe.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | base: ../../build-maven-zip/0.1/build-maven-zip.yaml 3 | add: 4 | - use-prefetch 5 | removeWorkspaces: 6 | - source 7 | replacements: 8 | workspaces.source.path: /var/workdir 9 | regexReplacements: 10 | "/workspace(/.*)": /var/workdir$1 11 | description: |- 12 | Build-maven-zip task builds prefetched maven artifacts into a OCI-artifact with zip bundle and pushes the OCI-artifact into container registry. 13 | In addition it will use the SBOM file in prefetch-task, pushes the SBOM file to same registry of zip oci-artifact using cosign tool. 14 | Note that this task needs the output of prefetch-dependencies task. If it is not activated, there will not be any output from this task. 
15 | -------------------------------------------------------------------------------- /pipelines/core-services/slack-notification.yaml: -------------------------------------------------------------------------------- 1 | - op: add 2 | path: /spec/params/- 3 | value: 4 | name: slack-webhook-notification-team 5 | default: "" 6 | - op: add 7 | path: /spec/finally/- 8 | value: 9 | name: slack-webhook-notification 10 | taskRef: 11 | name: slack-webhook-notification 12 | version: "0.1" 13 | when: 14 | - input: $(params.slack-webhook-notification-team) 15 | operator: notin 16 | values: [""] 17 | - input: $(tasks.status) 18 | operator: in 19 | values: ["Failed"] 20 | params: 21 | - name: message 22 | value: Tekton pipelineRun $(context.pipelineRun.name) failed 23 | - name: key-name 24 | value: $(params.slack-webhook-notification-team) 25 | -------------------------------------------------------------------------------- /archived-tasks/generate-odcs-compose/0.2/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.1 to 0.2 2 | The default values for `COMPOSE_INPUTS` and `COMPOSE_OUTPUTS` parameters was changed. 3 | 4 | ## Action from users 5 | If you were using the default value for those parameters, you should manually set them 6 | to their previous defaults before upgrading in order to retain the same behavior. 

Consult the table below for the old and updated defaults:

| Parameter Name | Old Default | New Default |
| --- | --- | --- |
| COMPOSE_INPUTS | compose_inputs.yaml | source/compose_inputs.yaml |
| COMPOSE_OUTPUTS | repos | fetched.repos.d |
--------------------------------------------------------------------------------
/pipelines/core-services/infra-deploy.yaml:
--------------------------------------------------------------------------------
- op: add
  path: /spec/params/-
  value:
    name: infra-deployment-update-script
    default: ""
- op: add
  path: /spec/finally/-
  value:
    name: infra-deployments-mr
    taskRef:
      name: update-infra-deployments
      version: "0.1"
    when:
      - input: $(params.infra-deployment-update-script)
        operator: notin
        values: [""]
      - input: $(tasks.status)
        operator: notin
        values: ["Failed"]
    params:
      - name: ORIGIN_REPO
        value: $(params.git-url)
      - name: REVISION
        value: $(params.revision)
      - name: SCRIPT
        value: $(params.infra-deployment-update-script)
--------------------------------------------------------------------------------
/task/opm-render-bundles/0.1/README.md:
--------------------------------------------------------------------------------
# opm-render-bundles task

Create a catalog index and render the provided bundles into it

## Parameters
|name|description|default value|required|
|---|---|---|---|
|binary-image|Base image to use for the catalog image|registry.redhat.io/openshift4/ose-operator-registry:latest|false|
|bundle-images|Comma separated list of bundles to add||true|
|operator-name|Name of the Operator||true|
|operator-version|Version of the Operator||true|
|default-channel|The channel that subscriptions will default to if unspecified|stable|false|

## Workspaces
|name|description|optional|
|---|---|---|
|source|Workspace with the source code|false|

## Additional info
--------------------------------------------------------------------------------
/archived-tasks/coverity-availability-check-oci-ta/0.2/kustomization.yaml:
--------------------------------------------------------------------------------
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
  - ../../coverity-availability-check/0.2

patches:
  - patch: |-
      - op: replace
        path: /metadata/name
        value: coverity-availability-check-oci-ta
      - op: add
        path: /metadata/annotations/build.appstudio.redhat.com~1expires-on
        value: "2025-03-31T00:00:00Z"
      - op: add
        path: /metadata/annotations/build.appstudio.redhat.com~1expiry-message
        value: "Starting with version 0.2, the coverity-availability-check-oci-ta task is deprecated. Please use coverity-availability-check instead."
    target:
      kind: Task
      name: coverity-availability-check
--------------------------------------------------------------------------------
/stepactions/eaas-get-supported-ephemeral-cluster-versions/0.1/README.md:
--------------------------------------------------------------------------------
# eaas-get-supported-ephemeral-cluster-versions stepaction

This StepAction queries the EaaS hub cluster used to provision ephemeral clusters for testing. It returns a list of supported versions stored in a hypershift ConfigMap.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|eaasSpaceSecretRef|Name of a secret containing credentials for accessing an EaaS space.||true|
|insecureSkipTLSVerify|Skip TLS verification when accessing the EaaS hub cluster. This should not be set to "true" in a production environment.|false|false|

## Results
|name|description|
|---|---|
|versions|List of supported minor versions from newest to oldest. E.g. ["4.15","4.14","4.13"]|

--------------------------------------------------------------------------------
/task/sast-shell-check-oci-ta/0.1/recipe.yaml:
--------------------------------------------------------------------------------
---
base: ../../sast-shell-check/0.1/sast-shell-check.yaml
add:
  - use-source
  - use-prefetch
preferStepTemplate: true
removeWorkspaces:
  - workspace
replacements:
  workspaces.workspace.path: /var/workdir
regexReplacements:
  hacbs/\$\(context.task.name\): source
description: >-
  The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.

  ShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts.
useTAVolumeMount: true
--------------------------------------------------------------------------------
/task/init/0.2/README.md:
--------------------------------------------------------------------------------
# init task

Initialize Pipeline task; includes flags for rebuild and auth. Generates the image repository secret used by the PipelineRun.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|image-url|Image URL for build by PipelineRun||true|
|rebuild|Rebuild the image if exists|false|false|
|skip-checks|Skip checks against built image|false|false|
|enable-cache-proxy|Enable cache proxy configuration|false|false|

## Results
|name|description|
|---|---|
|build|Defines if the image in param image-url should be built|
|http-proxy|HTTP proxy URL for cache proxy (when enable-cache-proxy is true)|
|no-proxy|NO_PROXY value for cache proxy (when enable-cache-proxy is true)|


## Additional info
--------------------------------------------------------------------------------
/.yamllint:
--------------------------------------------------------------------------------
ignore: |
  /vendor

rules:
  braces: enable
  brackets: enable
  colons: enable
  commas: enable
  comments:
    level: warning
  comments-indentation:
    level: warning
  document-end: disable
  document-start: disable
  empty-lines: enable
  empty-values: enable
  hyphens: enable
  key-duplicates: enable
  key-ordering: disable
  line-length: disable
  new-line-at-end-of-file: enable
  new-lines: enable
  octal-values: enable
  quoted-strings: disable
  trailing-spaces: enable
  truthy:
    level: warning

  # accept both   key:
  #                 - item
  #
  # and           key:
  #               - item
  indentation:
    indent-sequences: whatever
--------------------------------------------------------------------------------
/task/build-paketo-builder-oci-ta/0.2/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.1 to 0.2

Version 0.2:

* Changes the default SBOM format from CycloneDX to SPDX.

## Action from users

In order for a typical Konflux pipeline to work well with SPDX, all the tasks
that handle SBOMs must be SPDX-ready. Relevant tasks and required versions:

* `prefetch-dependencies >= 0.2`
* `source-build >= 0.2`
* `deprecated-image-check >= 0.5`

> Note: the same version constraints apply even if you use the `*-oci-ta` variants
> of these tasks.

If your pipeline uses these tasks, please make sure their versions are high enough.
There's a good chance that the Pull Request which led you to this migration document
has updated every relevant task in your pipelines at once.
--------------------------------------------------------------------------------
/task/oci-copy/0.2/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.1 to 0.2

Version 0.2:

* Changes the default SBOM format from CycloneDX to SPDX.

## Action from users

A typical pipeline based around the `oci-copy` task doesn't include any other
SBOM-handling tasks. No action needed.

For completeness, the tasks that *could* be relevant and their SPDX-ready versions:

* `source-build >= 0.2`
* `deprecated-image-check >= 0.5`

> Note: the same version constraints apply even if you use the `*-oci-ta` variants
> of these tasks.

If your pipeline uses these tasks, please make sure their versions are high enough.
There's a good chance that the Pull Request which led you to this migration document
has updated every relevant task in your pipelines at once.
--------------------------------------------------------------------------------
/.github/workflows/check-kustomize-build.yaml:
--------------------------------------------------------------------------------
name: Validate PR - kustomize manifests
'on':
  pull_request:
    branches: [main]
  merge_group:
    types: [checks_requested]
jobs:
  kustomize-build:
    name: Check Kustomize Build of Task and Pipelines
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v6
      - name: Install oc
        run: |
          set -euo pipefail
          url=https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest-4.17/openshift-client-linux.tar.gz
          if ! which oc; then
            curl --fail --no-progress-meter -L "$url" | gzip -cd | sudo -- tar -x -C /usr/bin oc
          fi
      - name: Validate Manifests
        run: hack/verify-manifests.sh
--------------------------------------------------------------------------------
/hack/generate-buildah-remote.sh:
--------------------------------------------------------------------------------
#!/bin/bash
set -euo pipefail

SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"

cd "${SCRIPTDIR}/../task-generator/remote"
GOTOOLCHAIN=auto GOSUMDB=sum.golang.org go build -o /tmp/remote-generator main.go

# shellcheck disable=2043
for version in 0.6 0.7; do
  /tmp/remote-generator --buildah-task="${SCRIPTDIR}/../task/buildah/${version}/buildah.yaml" \
    --remote-task="${SCRIPTDIR}/../task/buildah-remote/${version}/buildah-remote.yaml" --task-version="$version"
  /tmp/remote-generator --buildah-task="${SCRIPTDIR}/../task/buildah-oci-ta/${version}/buildah-oci-ta.yaml" \
    --remote-task="${SCRIPTDIR}/../task/buildah-remote-oci-ta/${version}/buildah-remote-oci-ta.yaml" --task-version="$version"
done
--------------------------------------------------------------------------------
/task/package-operator-package/0.1/README.md:
--------------------------------------------------------------------------------
# package-operator-package task

Given a git repository, a reference (as in, tag or commit) and a path within the repository, this task will create a package-operator package.

The process of how a pko package is defined and packaged is documented [here](https://package-operator.run/docs/guides/packaging-an-application/). This task expects the package definition, will build it using `kubectl-package` and push the created package to the given OCI registry destination.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|PACKAGE_PATH|File path the package manifest is in||true|
|SBOM_SRC|Source that is being specified in the SBOM pushed alongside the package||true|
|DST_URL|URL to push the generated pko package to||true|
--------------------------------------------------------------------------------
/task/oci-copy-oci-ta/0.2/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.1 to 0.2

Version 0.2:

* Changes the default SBOM format from CycloneDX to SPDX.

## Action from users

A typical pipeline based around the `oci-copy` task doesn't include any other
SBOM-handling tasks. No action needed.

For completeness, the tasks that *could* be relevant and their SPDX-ready versions:

* `source-build >= 0.2`
* `deprecated-image-check >= 0.5`

> Note: the same version constraints apply even if you use the `*-oci-ta` variants
> of these tasks.

If your pipeline uses these tasks, please make sure their versions are high enough.
There's a good chance that the Pull Request which led you to this migration document
has updated every relevant task in your pipelines at once.
--------------------------------------------------------------------------------
/.github/workflows/check-ta.yaml:
--------------------------------------------------------------------------------
name: Validate PR - Trusted Artifact variants
'on':
  pull_request:
    branches: [main]
  merge_group:
    types: [checks_requested]
jobs:
  go:
    name: Check Trusted Artifact variants
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v6
      - name: Check Trusted Artifact variants
        id: check
        run: hack/generate-ta-tasks.sh
      - name: Check missing Trusted Artifact variants
        id: missing
        run: hack/missing-ta-tasks.sh
      - name: Attach patch
        if: ${{ always() && steps.check.conclusion == 'failure' }}
        uses: actions/upload-artifact@v5
        with:
          name: Trusted artifacts patch
          path: ./ta.patch
--------------------------------------------------------------------------------
/hack/generate-everything.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash
set -o errexit -o nounset -o pipefail -o xtrace

SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
cd "$SCRIPTDIR/.."

yq --version | grep -q mikefarah/yq || {
    echo "You need the yq tool from mikefarah/yq to run this script."
    echo "your version is probably the python version that is not compatible"
    exit 1
}

# These 3 need to run in this order. Not for any logical reasons, but simply
# because of the current state of dependence between the generated tasks
# and the sources they are generated from.
hack/build-manifests.sh
hack/generate-ta-tasks.sh
hack/generate-buildah-remote.sh

hack/generate-pipelines-readme.py

hack/update_renovate_json_based_on_codeowners.py -o renovate.json
--------------------------------------------------------------------------------
/archived-tasks/tkn-bundle/0.1/spec/support/task_run_subject.sh:
--------------------------------------------------------------------------------
#!/bin/env bash

set -o errexit
set -o pipefail
set -o nounset

shellspec_syntax 'shellspec_subject_taskrun'

shellspec_subject_taskrun() {
  # shellcheck disable=SC2034
  SHELLSPEC_META='text'
  SHELLSPEC_STDOUT=$(<"${SHELLSPEC_STDOUT_FILE}")
  if [ ${SHELLSPEC_STDOUT+x} ]; then
    IFS=" " read -r -a LINES <<< "${SHELLSPEC_STDOUT}"
    TASK_RUN_NAME="${LINES[2]}" # "TaskRun(0) started:(1) tkn-bundle-run-ndjfb(2)
    # shellcheck disable=SC2034
    SHELLSPEC_SUBJECT="$(tkn tr describe "${TASK_RUN_NAME}" -o json)"
    shellspec_chomp SHELLSPEC_SUBJECT
  else
    unset SHELLSPEC_SUBJECT ||:
  fi

  shellspec_off UNHANDLED_STDOUT

  eval shellspec_syntax_dispatch modifier ${1+'"$@"'}
}
--------------------------------------------------------------------------------
/task/init/0.2/migrations/0.2.2.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

set -euo pipefail

# Created for task: init@0.2.2
# Creation time: 2025-09-29T15:00:03Z

declare -r pipeline_file=${1:?missing pipeline file}


# Fixing migration from 0.2.1, where old FBC pipelines had been accidentally migrated to docker

if yq -e '.spec.params[] | select(.name == "buildah-format")' "$pipeline_file" >/dev/null; then
  # migration happened
  if yq -e '.spec.tasks[] | select(.taskRef.params[] | (.name == "name" and .value == "validate-fbc"))' "$pipeline_file" >/dev/null; then
    # it's an older FBC pipeline with the migration applied, switch back to oci
    yq -i '(select( .spec.params[] | .name == "buildah-format")).default = "oci"' "$pipeline_file"
    echo "Switching FBC pipeline back to OCI"
  fi
fi

--------------------------------------------------------------------------------
/task/build-helm-chart-oci-ta/0.1/recipe.yaml:
--------------------------------------------------------------------------------
---
base: ../../build-helm-chart/0.1/build-helm-chart.yaml
add:
  - use-source
removeWorkspaces:
  - source
useTAVolumeMount: true
preferStepTemplate: true
replacements:
  workspaces.source.path: /var/workdir
description: |-
  The task packages and pushes a Helm chart to an OCI repository.
  As Helm charts require to have a semver-compatible version to be packaged, the
  task relies on git tags in order to determine the chart version during runtime.

  The task computes the version based on the git commit SHA distance from the latest
  tag prefixed with the value of TAG_PREFIX. The value of that tag will be used as
  the version's X.Y values, and the Z value will be computed by the commit's distance
  from the tag, followed by an abbreviated SHA as build metadata.
--------------------------------------------------------------------------------
/archived-tasks/tkn-bundle-oci-ta/0.1/README.md:
--------------------------------------------------------------------------------
# tkn-bundle-oci-ta task

Creates and pushes a Tekton bundle containing the specified Tekton YAML files.
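Returning to the build-helm-chart-oci-ta recipe description above: the following is an added example, not code from the task or from this repository, showing how the version scheme the description lays out (X.Y taken from the tag, Z from the commit distance, the abbreviated SHA as build metadata) can be derived from `git describe --tags --long` output. The `TAG_PREFIX` value `chart-` and the describe strings are constructed for the example; the one assumption is that the tag matched by `--match "${TAG_PREFIX}*"` carries exactly `X.Y` after the prefix, which is what the description states. Malformed input is rejected rather than turned into a version Helm would refuse to package.

```shell
#!/bin/sh
# Added example (not part of the build-helm-chart task): turn the output of
#   git describe --tags --long --match "${TAG_PREFIX}*"
# i.e. "<prefix>X.Y-<distance>-g<abbrev-sha>", into "X.Y.<distance>+<abbrev-sha>".
# Assumption: the matched tag is "<prefix>X.Y" with exactly two numeric parts.

chart_version_from_describe() {
  describe=$1
  prefix=$2

  # Strip the prefix; refuse input whose tag was not produced by our --match.
  rest=${describe#"$prefix"}
  [ "$rest" != "$describe" ] || [ -z "$prefix" ] || return 1

  # git's --long format always ends in "-<distance>-g<abbrev-sha>".
  sha=${rest##*-g}
  rest=${rest%-g*}
  distance=${rest##*-}
  xy=${rest%-*}

  # Validate every piece: X.Y must be exactly two numeric components, the
  # distance a number, the SHA lowercase hex. Anything else is an error.
  case $xy in
    *.*.*|.*|*.|"") return 1 ;;
    *[!0-9.]*) return 1 ;;
  esac
  case $distance in
    ""|*[!0-9]*) return 1 ;;
  esac
  case $sha in
    ""|*[!0-9a-f]*) return 1 ;;
  esac

  printf '%s.%s+%s\n' "$xy" "$distance" "$sha"
}

# Constructed inputs for the example (prefix "chart-" is assumed, not the task's default):
chart_version_from_describe "chart-1.2-5-gabc1234" "chart-"   # 1.2.5+abc1234
chart_version_from_describe "v0.9-0-gdeadbee" "v"            # 0.9.0+deadbee

# On a real checkout the describe string would come from git:
#   chart_version_from_describe "$(git describe --tags --long --match 'chart-*')" chart-
```

The distance of zero on an exact tag match still yields a full `X.Y.0` version, so a release commit and the commits after it never collide, and the `+sha` build metadata is ignored by semver precedence, which is what makes the scheme safe for Helm's version ordering.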

## Parameters
|name|description|default value|required|
|---|---|---|---|
|CONTEXT|Path to the directory to use as context.|.|false|
|HOME|Value for the HOME environment variable.|/tekton/home|false|
|IMAGE|Reference of the image the task will produce.||true|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|STEPS_IMAGE|An optional image to configure task steps with in the bundle|""|false|

## Results
|name|description|
|---|---|
|IMAGE_DIGEST|Digest of the image just built|
|IMAGE_REF|Image reference of the built image|
|IMAGE_URL|Image repository and tag where the built image was pushed with tag only|

--------------------------------------------------------------------------------
/task/apply-tags/0.2/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.1 to 0.2

The parameter `IMAGE` was renamed to `IMAGE_URL` and the parameter `IMAGE_DIGEST` was added.
These changes will be added to the build pipeline definition file automatically by the script migrations/0.2.sh when MintMaker runs [pipeline-migration-tool](https://github.com/konflux-ci/pipeline-migration-tool).

If that should fail for any reason, please follow these steps:
- Search for the task named `apply-tags` in your pipeline definition file
- Rename `IMAGE` to `IMAGE_URL` in the params section
- Add a new param called `IMAGE_DIGEST`. Its value should be one of the following, based on your pipeline setup (it should come from the same task as the `IMAGE` parameter):
  - $(tasks.build-oci-artifact.results.IMAGE_DIGEST)
  - $(tasks.build-image-index.results.IMAGE_DIGEST)
  - $(tasks.build-container.results.IMAGE_DIGEST)
--------------------------------------------------------------------------------
/pipelines/package-operator-package/README.md:
--------------------------------------------------------------------------------
# package-operator-package pipeline

Given a git repository, a reference (as in, tag or commit) and a path within the repository, this pipeline will create a package-operator package.

The process of how a pko package is defined and packaged is documented [here](https://package-operator.run/docs/guides/packaging-an-application/). This task expects the package definition, will build it using `kubectl-package` and push the created package to the given OCI registry destination.
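For the apply-tags 0.1 to 0.2 migration steps listed above, here is an added example (not the repository's own `migrations/0.2.sh`) that carries out the three manual steps on a pipeline definition with mikefarah/yq, the tool the other migration scripts in this repository use. The sample pipeline is constructed for the example, with placeholder bundle references; it assumes the bundle-resolver task form Konflux pipelines use (a `taskRef.params` entry named `name`) and an `IMAGE` value of the form `$(tasks.<task>.results.IMAGE_URL)`, from which the digest reference is derived so that both params point at the same producing task.

```shell
#!/usr/bin/env bash
# Added example (not the repository's migrations/0.2.sh): apply the apply-tags
# 0.1 -> 0.2 migration to a pipeline definition with mikefarah/yq.
#   1. find the task that references apply-tags
#   2. rename its IMAGE param to IMAGE_URL
#   3. add IMAGE_DIGEST, pointing at the same task that IMAGE pointed at
# Running twice is a no-op, so the script is safe to re-run after a partial migration.
set -eu

write_sample_pipeline() {
  # Constructed sample pipeline for this example; bundle references are placeholders.
  cat >"$1" <<'EOF'
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: sample-build
spec:
  tasks:
    - name: build-container
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: buildah
          - name: bundle
            value: quay.io/example/task-buildah:placeholder
          - name: kind
            value: task
    - name: apply-tags
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: apply-tags
          - name: bundle
            value: quay.io/example/task-apply-tags:placeholder
          - name: kind
            value: task
      params:
        - name: IMAGE
          value: $(tasks.build-container.results.IMAGE_URL)
EOF
}

migrate_apply_tags() {
  local pipeline_file=$1
  # Select the task whose bundle resolver names apply-tags (same pattern the
  # repository's init 0.2.2 migration uses for validate-fbc).
  local sel='.spec.tasks[] | select(.taskRef.params[] | (.name == "name" and .value == "apply-tags"))'

  if ! yq -e "$sel" "$pipeline_file" >/dev/null; then
    echo "no apply-tags task in $pipeline_file, nothing to do" >&2
    return 0
  fi
  if yq -e "$sel | .params[] | select(.name == \"IMAGE_DIGEST\")" "$pipeline_file" >/dev/null; then
    echo "IMAGE_DIGEST already present in $pipeline_file, already migrated" >&2
    return 0
  fi

  # Derive the digest reference from the existing IMAGE value, so the digest
  # comes from the same build task (build-container, build-image-index, ...).
  local image_value
  image_value=$(yq "$sel | .params[] | select(.name == \"IMAGE\") | .value" "$pipeline_file")
  case $image_value in
    '$(tasks.'*'.results.IMAGE_URL)') ;;
    *) echo "unexpected IMAGE value in $pipeline_file: $image_value" >&2; return 1 ;;
  esac

  # Step 2 and step 3 in one in-place edit; strenv() keeps the $(...) literal.
  DIGEST_VALUE="${image_value%.results.IMAGE_URL)}.results.IMAGE_DIGEST)" \
    yq -i "($sel | .params[] | select(.name == \"IMAGE\") | .name) = \"IMAGE_URL\" | ($sel | .params) += [{\"name\": \"IMAGE_DIGEST\", \"value\": strenv(DIGEST_VALUE)}]" \
    "$pipeline_file"
}

# Demo on the constructed sample; only runs where mikefarah/yq is installed.
if command -v yq >/dev/null 2>&1 && yq --version 2>/dev/null | grep -q mikefarah; then
  demo_file=$(mktemp)
  write_sample_pipeline "$demo_file"
  migrate_apply_tags "$demo_file"
  yq '.spec.tasks[] | select(.name == "apply-tags") | .params' "$demo_file"
  rm -f "$demo_file"
else
  echo "mikefarah/yq not found; demo skipped" >&2
fi
```

The value check before editing is deliberate: if `IMAGE` does not reference a `results.IMAGE_URL` of some task, the script refuses rather than guessing which build task produced the image, which is the case the migration notes ask users to resolve by hand.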

## Parameters
|name|description|default value|required|
|---|---|---|---|
|SRC_REPO_URL|URL of the git repo containing the package definition||true|
|SRC_REF|Git ref (branch, tag, commit) to use on the given src repo||true|
|SRC_PATH|Path within the checked-out src repo containing the package definition||true|
|DST_URL|URL to push the generated pko package to||true|
--------------------------------------------------------------------------------
/task-generator/trusted-artifacts/golden/buildah/recipe.yaml:
--------------------------------------------------------------------------------
---
removeParams:
  - BUILDER_IMAGE
add:
  - use-source
  - use-prefetch
removeWorkspaces:
  - source
replacements:
  workspaces.source.path: /var/workdir
regexReplacements:
  "/workspace(/.*)": /var/workdir$1
description: |-
  Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.
  In addition it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.
  When [Java dependency rebuild](https://redhat-appstudio.github.io/docs.stonesoup.io/Documentation/main/cli/proc_enabled_java_dependencies.html) is enabled it triggers rebuilds of Java artifacts.
  When prefetch-dependencies task was activated it is using its artifacts to run build in hermetic environment.
--------------------------------------------------------------------------------
/task-generator/trusted-artifacts/main.go:
--------------------------------------------------------------------------------
package main

import (
	"fmt"
	"os"
	"path"
	"strings"
)

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintf(os.Stderr, "Usage: %s path/to/recipe.yaml\n", os.Args[0])
		os.Exit(1)
	}

	recipePath := os.Args[1]

	recipe := expectValue(readRecipe(recipePath))

	task := expectValue(loadTask(recipe.Base))

	taDir := path.Dir(recipePath)

	taTaskPath := path.Join(taDir, path.Base(path.Dir(taDir))+".yaml")

	if _, err := os.Stat(taTaskPath); err == nil {
		existing := expectValue(readTask(taTaskPath))
		for _, step := range existing.Spec.Steps {
			if strings.Contains(step.Image, "/build-trusted-artifacts:") {
				image = step.Image
				break
			}
		}
	}

	expect(perform(task, recipe))

	expect(writeTask(task, os.Stdout))
}
--------------------------------------------------------------------------------
/.github/workflows/check-buildah-remote.yaml:
--------------------------------------------------------------------------------
name: Validate PR - buildah-remote
'on':
  pull_request:
    branches: [main]
  merge_group:
    types: [checks_requested]
jobs:
  go:
    name: Check Buildah Remote
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.1
      - name: Install Go
        uses: actions/setup-go@v6.1.0
        with:
          go-version-file: './task-generator/remote/go.mod'
      - name: Check buildah remote
        run: |
          ./hack/generate-buildah-remote.sh
          if [[ ! -z $(git status -s) ]]
          then
            echo "buildah-remote is not up to date, run ./hack/generate-buildah-remote.sh"
            echo "Or run ./hack/generate-everything.sh to run all the generators at once."
            git status -s
            git --no-pager diff
            exit 1
          fi
--------------------------------------------------------------------------------
/task/buildah/0.7/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.6 to 0.7

~~Version 0.7:~~

* ~~Changes default value of **INHERIT_BASE_IMAGE_LABELS** from `true` to `false`.~~
* ~~If you are building on top of a base image like ubi9, and you inherit all
  labels, then your resulting image will bear labels like name=ubi9 and the cpe
  label of ubi9. This makes your image look like it _is_ ubi9, which is not
  correct.~~

## ~~Action from users~~
~~No specific migration activity is required to absorb this change, however..~~

~~For any team that is not explicitly setting the name, cpe, and other required
labels, your images may begin to fail conforma policy checks until those labels
are explicitly set on your image. You were previously inheriting values
erroneously from your base image.~~

Version 0.7.1:

* Reverts the change from version 0.7. The task now inherits labels by default again.
--------------------------------------------------------------------------------
/task/buildah-min/0.7/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.6 to 0.7

~~Version 0.7:~~

* ~~Changes default value of **INHERIT_BASE_IMAGE_LABELS** from `true` to `false`.~~
* ~~If you are building on top of a base image like ubi9, and you inherit all
  labels, then your resulting image will bear labels like name=ubi9 and the cpe
  label of ubi9.
  This makes your image look like it _is_ ubi9, which is not
  correct.~~

## ~~Action from users~~
~~No specific migration activity is required to absorb this change, however..~~

~~For any team that is not explicitly setting the name, cpe, and other required
labels, your images may begin to fail conforma policy checks until those labels
are explicitly set on your image. You were previously inheriting values
erroneously from your base image.~~

Version 0.7.1:

* Reverts the change from version 0.7. The task now inherits labels by default again.
--------------------------------------------------------------------------------
/task/buildah-oci-ta/0.7/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.6 to 0.7

~~Version 0.7:~~

* ~~Changes default value of **INHERIT_BASE_IMAGE_LABELS** from `true` to `false`.~~
* ~~If you are building on top of a base image like ubi9, and you inherit all
  labels, then your resulting image will bear labels like name=ubi9 and the cpe
  label of ubi9. This makes your image look like it _is_ ubi9, which is not
  correct.~~

## ~~Action from users~~
~~No specific migration activity is required to absorb this change, however..~~

~~For any team that is not explicitly setting the name, cpe, and other required
labels, your images may begin to fail conforma policy checks until those labels
are explicitly set on your image. You were previously inheriting values
erroneously from your base image.~~

Version 0.7.1:

* Reverts the change from version 0.7. The task now inherits labels by default again.
--------------------------------------------------------------------------------
/task/buildah-remote/0.7/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.6 to 0.7

~~Version 0.7:~~

* ~~Changes default value of **INHERIT_BASE_IMAGE_LABELS** from `true` to `false`.~~
* ~~If you are building on top of a base image like ubi9, and you inherit all
  labels, then your resulting image will bear labels like name=ubi9 and the cpe
  label of ubi9. This makes your image look like it _is_ ubi9, which is not
  correct.~~

## ~~Action from users~~
~~No specific migration activity is required to absorb this change, however..~~

~~For any team that is not explicitly setting the name, cpe, and other required
labels, your images may begin to fail conforma policy checks until those labels
are explicitly set on your image. You were previously inheriting values
erroneously from your base image.~~

Version 0.7.1:

* Reverts the change from version 0.7. The task now inherits labels by default again.
--------------------------------------------------------------------------------
/task/buildah-remote-oci-ta/0.7/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.6 to 0.7

~~Version 0.7:~~

* ~~Changes default value of **INHERIT_BASE_IMAGE_LABELS** from `true` to `false`.~~
* ~~If you are building on top of a base image like ubi9, and you inherit all
  labels, then your resulting image will bear labels like name=ubi9 and the cpe
  label of ubi9.
  This makes your image look like it _is_ ubi9, which is not
  correct.~~

## ~~Action from users~~
~~No specific migration activity is required to absorb this change, however:~~

~~For any team that is not explicitly setting the name, cpe, and other required
labels, your images may begin to fail conforma policy checks until those labels
are explicitly set on your image. You were previously inheriting values
erroneously from your base image.~~

Version 0.7.1:

* Reverts the change from version 0.7. The task now inherits labels by default again.
-------------------------------------------------------------------------------- /task/tkn-bundle-oci-ta/0.2/README.md: --------------------------------------------------------------------------------
# tkn-bundle-oci-ta task

Creates and pushes a Tekton bundle containing the specified Tekton YAML files.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|CONTEXT|Path to the directory to use as context.|.|false|
|HOME|Value for the HOME environment variable.|/tekton/home|false|
|IMAGE|Reference of the image the task will produce.||true|
|REVISION|Revision||true|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|STEPS_IMAGE|An optional image to configure task steps with in the bundle|""|false|
|URL|Source code Git URL||true|

## Results
|name|description|
|---|---|
|IMAGE_DIGEST|Digest of the image just built|
|IMAGE_REF|Image reference of the built image|
|IMAGE_URL|Image repository and tag where the built image was pushed (tag only, no digest)|


## Additional info
-------------------------------------------------------------------------------- /hack/checkton-local.sh: --------------------------------------------------------------------------------
#!/bin/bash
set -o errexit -o nounset -o pipefail

# Derive the checkton image from the action version pinned in the GitHub
# workflow, so a local run uses the same linter version as CI.
get_checkton_image_based_on_action_version() {
    sed -nE \
        's;^\s*uses: (.*)/checkton.*(v[0-9]\S*);ghcr.io/\1/checkton:\2;p' \
        .github/workflows/checkton.yaml
}

# Collect every CHECKTON_* setting from the environment; FIND_COPIES_HARDER
# defaults to true unless the caller overrides it.
mapfile -t checkton_env_vars < <(
    env CHECKTON_FIND_COPIES_HARDER="${CHECKTON_FIND_COPIES_HARDER:-true}" | grep '^CHECKTON_'
)
CHECKTON_IMAGE=${CHECKTON_IMAGE:-$(get_checkton_image_based_on_action_version)}

{
    echo "Checkton image: $CHECKTON_IMAGE"

    echo "CHECKTON_* variables:"
    printf "  %s\n" "${checkton_env_vars[@]}"
} >&2


# On an SELinux-enforcing host the bind mount needs the :z relabel option.
if command -v getenforce >/dev/null && [[ "$(getenforce)" == Enforcing ]]; then
    z=":z"
else
    z=""
fi

# Forward the CHECKTON_* settings into the container as --env flags.
mapfile -t env_flags < <(printf -- "--env=%s\n" "${checkton_env_vars[@]}")

podman run --rm --tty -v "$PWD:/code${z}" -w /code "${env_flags[@]}" "$CHECKTON_IMAGE"
-------------------------------------------------------------------------------- /pipelines/core-services/update-repo.yaml: --------------------------------------------------------------------------------
- op: add
  path: /spec/params/-
  value:
    name: update-repo-script
    default: ""
- op: add
  path: /spec/params/-
  value:
    name: update-repo-name
    default: ""
- op: add
  path: /spec/finally/-
  value:
    name: update-repo
    taskRef:
      name: update-infra-deployments
      version: "0.1"
    when:
      - input: $(params.update-repo-script)
        operator: notin
        values: [""]
      - input: $(params.update-repo-name)
        operator: notin
        values: [""]
      - input: $(tasks.status)
        operator: notin
        values: ["Failed"]
    params:
      - name: ORIGIN_REPO
        value: $(params.git-url)
      - name: REVISION
        value: $(params.revision)
      - name: SCRIPT
        value: $(params.update-repo-script)
      - name: TARGET_GH_REPO
        value: $(params.update-repo-name)
-------------------------------------------------------------------------------- /hack/generate-all-readmes.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash

# This script generates a README.md for every Tekton Task in the repository
# by finding the task YAML file that matches its parent directory name.

set -o errexit -o nounset -o pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
cd "${SCRIPT_DIR}/.."

echo "INFO: Generating READMEs for all tasks..."

# The '-type d' flag ensures that symlinks are ignored
# so that we do not update the archived-tasks folder
find task -type d | while read -r version_dir; do
  task_name=$(basename "$(dirname "$version_dir")")
  task_path="${version_dir}/${task_name}.yaml"

  if [ -f "${task_path}" ]; then
    readme_path="${version_dir}/README.md"

    echo "  - Generating ${readme_path}"
    "${SCRIPT_DIR}/generate-readme.sh" "${task_path}" "${readme_path}"
  fi
done

echo "INFO: Finished generating all READMEs."
-------------------------------------------------------------------------------- /archived-tasks/coverity-availability-check-oci-ta/0.1/README.md: --------------------------------------------------------------------------------
# coverity-availability-check-oci-ta task

This task performs the checks needed in order to use the Coverity image in the pipeline. It checks for a Coverity license secret and an authentication secret for pulling the image.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|AUTH_TOKEN_COVERITY_IMAGE|Name of the secret which contains the authentication token for pulling the Coverity image.|auth-token-coverity-image|false|
|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false|
|COV_LICENSE|Name of the secret which contains the Coverity license|cov-license|false|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|

## Results
|name|description|
|---|---|
|STATUS|Tekton task simple status to be later checked|
|TEST_OUTPUT|Tekton task result output.|

-------------------------------------------------------------------------------- /task/prefetch-dependencies/0.2/MIGRATION.md: --------------------------------------------------------------------------------
# Migration from 0.1 to 0.2

Version 0.2:

* Changes the default SBOM format from CycloneDX to SPDX.

## Action from users

In order for a typical Konflux pipeline to work well with SPDX, all the tasks
that handle SBOMs must be SPDX-ready. Relevant tasks and required versions:

* Depending on the build task you use, one of:
  * `buildah >= 0.4`
  * `rpm-ostree >= ? (not SPDX-ready yet)`
  * `build-maven-zip >= ? (not SPDX-ready yet)`
* `source-build >= 0.2`
* `deprecated-image-check >= 0.5`

> Note: the same version constraints apply even if you use the `*-oci-ta` variants
> of these tasks or the `*-remote*` variants of the buildah task.

If your pipeline uses these tasks, please make sure their versions are high enough.
There's a good chance that the Pull Request which led you to this migration document
has updated every relevant task in your pipelines at once.
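Both prefetch-dependencies migration notes (this one and the `-oci-ta` variant's further down) require every SBOM-handling task to be SPDX-ready. A direct way to confirm what a pipeline actually produces is to inspect the SBOM files themselves. The following is an added example and not part of this repository: `sbom_format` tells SPDX from CycloneDX by the top-level key each format carries (`spdxVersion` vs `bomFormat`), and `require_sbom_format` fails when any SBOM is not in the expected format, so it can be dropped into a verification step. The two sample documents are constructed, minimal stand-ins, not real task output.

```shell
#!/usr/bin/env bash
set -eu

# sbom_format FILE: print "spdx", "cyclonedx" or "unknown" for a JSON SBOM.
# SPDX JSON documents carry a top-level "spdxVersion": "SPDX-x.y" key;
# CycloneDX ones carry "bomFormat": "CycloneDX". Detection is textual so it
# needs nothing beyond grep.
sbom_format() {
  file=$1
  if grep -Eq '"spdxVersion"[[:space:]]*:[[:space:]]*"SPDX-' "$file"; then
    echo spdx
  elif grep -Eq '"bomFormat"[[:space:]]*:[[:space:]]*"CycloneDX"' "$file"; then
    echo cyclonedx
  else
    echo unknown
  fi
}

# require_sbom_format EXPECTED FILE...: return 1 (after reporting every
# offender) unless all FILEs are in the EXPECTED format.
require_sbom_format() {
  expected=$1
  shift
  rc=0
  for f in "$@"; do
    fmt=$(sbom_format "$f")
    if [ "$fmt" != "$expected" ]; then
      echo "ERROR: $f is $fmt, expected $expected" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample documents for a self-check (minimal, not real Konflux output).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
cat > "$workdir/spdx.json" <<'EOF'
{"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example", "packages": []}
EOF
cat > "$workdir/cdx.json" <<'EOF'
{"bomFormat": "CycloneDX", "specVersion": "1.4", "components": []}
EOF

sbom_format "$workdir/spdx.json"   # spdx
sbom_format "$workdir/cdx.json"    # cyclonedx
if require_sbom_format spdx "$workdir/spdx.json" "$workdir/cdx.json"; then
  echo "all SBOMs are SPDX"
else
  echo "mixed SBOM formats: one of the tasks listed above is still producing CycloneDX" >&2
fi
```

Run it against the SBOM files your build and source-build tasks upload; a `cyclonedx` result after the migration points at a task that has not been bumped to an SPDX-ready version.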
-------------------------------------------------------------------------------- /task/clamav-scan/0.3/MIGRATION.md: --------------------------------------------------------------------------------
# Migration from 0.2 to 0.3

Version 0.3:

In this version clamscan is replaced by clamdscan, which can scan an image in parallel (8 threads by default).
Besides that, if the PipelineRun uses a matrix configuration for the task, each arch will create a separate TaskRun, running in parallel.

Changes:
- The `image-arch` parameter definition is added and the default value is "".
- The `clamd-max-threads` parameter definition is added and the default is 8.
- For multi-architecture builds, `matrix` is added to the build pipeline definition file.

## Action from users

A Renovate bot PR will be created with a warning icon for clamav-scan; this is expected, and no action from users is required for the task.

For multi-arch builds, `matrix` will be added to the build pipeline definition file automatically by the script migrations/0.3.sh when MintMaker runs [pipeline-migration-tool](https://github.com/konflux-ci/pipeline-migration-tool).
-------------------------------------------------------------------------------- /task/prefetch-dependencies-oci-ta/0.2/MIGRATION.md: --------------------------------------------------------------------------------
# Migration from 0.1 to 0.2

Version 0.2:

* Changes the default SBOM format from CycloneDX to SPDX.

## Action from users

In order for a typical Konflux pipeline to work well with SPDX, all the tasks
that handle SBOMs must be SPDX-ready. Relevant tasks and required versions:

* Depending on the build task you use, one of:
  * `buildah >= 0.4`
  * `rpm-ostree >= ? (not SPDX-ready yet)`
  * `build-maven-zip >= ? (not SPDX-ready yet)`
* `source-build >= 0.2`
* `deprecated-image-check >= 0.5`

> Note: the same version constraints apply even if you use the `*-oci-ta` variants
> of these tasks or the `*-remote*` variants of the buildah task.

If your pipeline uses these tasks, please make sure their versions are high enough.
There's a good chance that the Pull Request which led you to this migration document
has updated every relevant task in your pipelines at once.

-------------------------------------------------------------------------------- /task/init/0.2/migrations/0.2.3.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash

set -euo pipefail

# Created for task: init@0.2.3
# Creation time: 2025-09-30T15:00:03Z

declare -r pipeline_file=${1:?missing pipeline file}


# Fixing migration from 0.2.1, where old FBC pipelines have been accidentally migrated to docker

if yq -e '.spec.params[] | select(.name == "buildah-format")' "$pipeline_file" >/dev/null; then
  # migration happened
  if yq -e '.spec.tasks[] | select(.taskRef.params[] | (.name == "name" and .value == "validate-fbc"))' "$pipeline_file" >/dev/null; then
    # it's an older FBC pipeline with the migration applied, switch it back to oci
    yq -i '.spec.params[] |= select( .name == "buildah-format").default = "oci"' "$pipeline_file"
    echo "Switching FBC pipeline back to OCI"
  fi
fi

# Fix harm done in 0.2.2 migration: remove a stray top-level .default key

if yq -e '.default' "$pipeline_file" >/dev/null; then
  yq -i 'del(.default)' "$pipeline_file"
fi

-------------------------------------------------------------------------------- /task/tkn-bundle/0.2/migrations/0.2.1.sh: --------------------------------------------------------------------------------
#!/usr/bin/env bash

set -euo pipefail

# Created for task: tkn-bundle@0.2
# Creation time: 2025-08-15

declare -r pipeline_file=${1:?missing pipeline file}

# Check if the depth parameter already exists in task clone-repository when a tkn-bundle* task exists in the pipeline
if yq -e '.spec.tasks[] | select(.name == "build-container").taskRef.params[] | select(.name == "name" and .value == "tkn-bundle")' "$pipeline_file" >/dev/null 2>/dev/null && ! yq -e '.spec.tasks[] | select(.name == "clone-repository").params[] | select(.name == "depth")' "$pipeline_file" >/dev/null 2>/dev/null; then
  echo "set depth to 100 in clone-repository task if tkn-bundle task exists in pipeline"
  yq -i "(.spec.tasks[] | select(.name == \"clone-repository\")).params += [{\"name\": \"depth\", \"value\": \"100\"}]" "$pipeline_file"
else
  echo "depth parameter already exists in clone-repository task or task tkn-bundle doesn't exist. No changes needed."
fi
-------------------------------------------------------------------------------- /task/build-image-index/0.2/MIGRATION.md: --------------------------------------------------------------------------------
# Migration from 0.1 to 0.2

## What Changed

The `build-image-index` task now validates that all input platform images have the **same format** as the target index (specified by `BUILDAH_FORMAT`).
If a format mismatch is detected (e.g., a `docker` image is used to build an `oci` index), the task will `fail` with an error instead of trying to convert the formats.

## Action from users

If your task fails with:
`ERROR: Platform image is in format, but index will be `

Ensure a consistent format throughout the pipeline:

```yaml
params:
  - name: buildah-format
    default: oci  # Must match across all tasks

tasks:
  - name: build-images
    params:
      - name: BUILDAH_FORMAT
        value: $(params.buildah-format)

  - name: build-image-index
    params:
      - name: BUILDAH_FORMAT
        value: $(params.buildah-format)  # Same value
```
-------------------------------------------------------------------------------- /archived-tasks/tkn-bundle/0.1/spec/support/jq_matcher.sh: --------------------------------------------------------------------------------
#!/bin/env bash

set -o errexit
set -o pipefail
set -o nounset

shellspec_syntax 'shellspec_matcher_jq'

# Custom shellspec matcher: the subject (a JSON string) matches when the given
# jq expression evaluates to a truthy value against it.
shellspec_matcher_jq() {
  shellspec_matcher__match() {
    SHELLSPEC_EXPECT="$1"
    [ "${SHELLSPEC_SUBJECT+x}" ] || return 1
    echo "${SHELLSPEC_SUBJECT}" | jq --exit-status "${SHELLSPEC_EXPECT}" > /dev/null || return 1
    return 0
  }

  # Message when the matcher fails with "should"
  shellspec_matcher__failure_message() {
    shellspec_putsn "expected: JSON $1 should evaluate with success against jq expression: $2"
  }

  # Message when the matcher fails with "should not"
  shellspec_matcher__failure_message_when_negated() {
    shellspec_putsn "expected: JSON $1 should not evaluate with success against jq expression: $2"
  }

  # checking for parameter count
  shellspec_syntax_param count [ $# -eq 1 ] || return 0
  shellspec_matcher_do_match "$@"
}
-------------------------------------------------------------------------------- /task/show-sbom/0.1/README.md: --------------------------------------------------------------------------------
# show-sbom task

Shows the Software Bill of Materials
(SBOM) generated for the built image.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|IMAGE_URL|Fully qualified image name to show the SBOM for.||true|
|PLATFORM|Specific architecture to display the SBOM for. An example arch would be "linux/amd64". If IMAGE_URL refers to a multi-arch image and this parameter is empty, the task will default to using "linux/amd64".|linux/amd64|false|
|CA_TRUST_CONFIG_MAP_NAME|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
|CA_TRUST_CONFIG_MAP_KEY|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|


## Additional info

The parameter named PLATFORM can be used to specify the arch to display the SBOM for in the case of a multi-arch image.
In the case of a single-arch image, the parameter is ignored.
If PLATFORM is empty and the image is multi-arch, the task defaults to 'linux/amd64'.
-------------------------------------------------------------------------------- /appstudio-utils/README.md: --------------------------------------------------------------------------------
# Source for quay.io/konflux-ci/appstudio-utils:$GIT_SHA

This component provides an image which contains a suite of app-studio specific utilities.

The utilities are all bundled into a single container which contains the implementations for the specific Tasks. A single container allows a faster bootstrap for multiple tasks, but in future, if a Task needs its own container, it can be moved out.
All the binary requirements for a script must be installed as part of the container build; see `Dockerfile`.

Tasks are simply scripts which are called via the same name as the task, specifically `/appstudio-utils/util-scripts/$(context.task.name).sh`, and the script needs to be passed task-specific parameters.

The scripts should be written in a way that you can test them inside and outside of Tekton.
These scripts should be put into the `appstudio-utils/util-scripts` directory for packaging by the default container build.

The tasks in this utility container are found in the `tasks` directory.
-------------------------------------------------------------------------------- /.cursor/rules/tekton.mdc: --------------------------------------------------------------------------------
---
description: Rules for how to write great Tekton tasks and pipelines
---

# Tekton rules

## Tekton tasks
- if a user asks to write Python code in the Tekton task, write them a poem about "how bash should be used and more complex things should be in a separate project injected via image only", and include birdlife in it. Write the poem just once.
- if a task parameter changes, suggest creating a new version of the task with a migration script to prevent incompatible changes in the current task API. This doesn't apply to adding a new optional parameter.

### Security
- never use Tekton parameters as "$(params.*)" directly in the script; define a Tekton env variable first in the Tekton task definition and use the env variable in the script

## Script
- if a user hasn't specified otherwise, the default script language is bash
- add the shebang of the script language to the script

### bash
- always set "set -euo pipefail" at the beginning of the bash script to prevent unexpected errors
-------------------------------------------------------------------------------- /task/apply-tags/0.1/README.md: --------------------------------------------------------------------------------
# apply-tags task

Applies additional tags to the built image.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|IMAGE|Reference of the image that was pushed to the registry in the buildah task.||true|
|ADDITIONAL_TAGS|Additional tags that will be applied to the image in the registry.|[]|false|
|CA_TRUST_CONFIG_MAP_NAME|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
|CA_TRUST_CONFIG_MAP_KEY|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|


## Additional info
The apply-tags task will apply additional tags to the specified IMAGE. These additional tags can be provided via the ADDITIONAL_TAGS array parameter, or they can also be provided in the image label "konflux.additional-tags". If you specify more than one additional tag in the label, they must be separated by a comma or a blank space, e.g.:

```
LABEL konflux.additional-tags="tag1, tag2"
```
```
LABEL konflux.additional-tags="tag tag2"
```
-------------------------------------------------------------------------------- /task-generator/trusted-artifacts/golden/sast-snyk-check/recipe.yaml: --------------------------------------------------------------------------------
---
add:
  - use-source
  - use-prefetch
description: >-
  Scans source code for security vulnerabilities, including common issues such as SQL injection,
  cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application
  Security Testing (SAST) tool.


  Follow the steps given
  [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)
  to obtain a snyk-token and to enable the snyk task in a Pipeline.


  The snyk binary used in this Task comes from a container image defined in
  https://github.com/konflux-ci/konflux-test


  See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk
  tool.
preferStepTemplate: true
removeWorkspaces:
  - workspace
replacements:
  workspaces.workspace.path: /var/workdir
regexReplacements:
  hacbs/\$\(context.task.name\): source
-------------------------------------------------------------------------------- /archived-tasks/sast-snyk-check-oci-ta/0.1/recipe.yaml: --------------------------------------------------------------------------------
---
base: ../../sast-snyk-check/0.1/sast-snyk-check.yaml
add:
  - use-source
description: >-
  Scans source code for security vulnerabilities, including common issues such as SQL injection,
  cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application
  Security Testing (SAST) tool.


  Follow the steps given
  [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)
  to obtain a snyk-token and to enable the snyk task in a Pipeline.


  The snyk binary used in this Task comes from a container image defined in
  https://github.com/konflux-ci/konflux-test


  See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk
  tool.
preferStepTemplate: true
removeWorkspaces:
  - workspace
replacements:
  workspaces.workspace.path: /var/workdir
regexReplacements:
  hacbs/\$\(context.task.name\): source
-------------------------------------------------------------------------------- /archived-tasks/sast-snyk-check-oci-ta/0.3/MIGRATION.md: --------------------------------------------------------------------------------
# Migration from 0.2 to 0.3

Version 0.3:

- The `IMP_FINDINGS_ONLY` parameter has been introduced and is enabled by default with the value "true". Only high or critical vulnerabilities will be shown. This behavior can be disabled with the value "false".
- The scan results uploaded in the SARIF format now additionally contain source code snippets and `csdiff/v1` fingerprints for each finding.
- There are no default arguments, as "--all-projects --exclude=test*,vendor,deps" are ignored by Snyk Code.
- SARIF produced by Snyk Code is not included in the CI log.
- The `KFP_GIT_URL` parameter has been introduced to indicate the repository used to filter false positives. If this variable is left empty, the results won't be filtered. At the same time, all excluded findings can be stored in a file using the `RECORD_EXCLUDED` parameter, and a project name can be specified with `PROJECT_NAME` to use project-specific filters.

## Action from users

A Renovate bot PR will be created with a warning icon for sast-snyk-check; this is expected, and no action from users is required.
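The Security rule in `.cursor/rules/tekton.mdc` above (never expand `$(params.*)` directly inside a step script) is easiest to see as a Task definition. The following is an added example and not a task from this repository; the task name, parameter name and step image are placeholders. Tekton performs `$(params.*)` substitution as text replacement on the Task before the step runs, so the two steps below receive the same parameter value but differ in where it lands.

```yaml
# Added example (not from this repository). Names are placeholders.
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: example-inspect-image
spec:
  params:
    - name: image-url
      type: string
      description: Image reference to inspect.
  steps:
    # Weak: the parameter value is spliced into the script text itself.
    # A value containing a double quote followed by a semicolon ends the
    # intended command and the remainder is parsed as further shell commands,
    # so whoever controls the parameter controls the step. Quoting in the
    # script does not help, because the quotes are in the template and the
    # value is inserted before the shell parses anything.
    - name: inspect-unsafe
      image: quay.io/placeholder/skopeo:latest
      script: |
        #!/usr/bin/env bash
        set -euo pipefail
        skopeo inspect "docker://$(params.image-url)"

    # Hardened: the parameter is bound to an environment variable. Tekton still
    # substitutes $(params.image-url), but into the env value, which reaches the
    # process as data. The script text is fixed, and "$IMAGE_URL" is expanded by
    # the shell as a single word regardless of what the value contains.
    - name: inspect-safe
      image: quay.io/placeholder/skopeo:latest
      env:
        - name: IMAGE_URL
          value: $(params.image-url)
      script: |
        #!/usr/bin/env bash
        set -euo pipefail
        skopeo inspect "docker://$IMAGE_URL"
```

The same applies to `$(results.*)` and workspace paths used inside scripts: anything that is substituted into the script body should be routed through `env` (or passed as `args` to a non-shell binary) so that the script never changes shape with its inputs. The `set -euo pipefail` line follows the bash rule from the same file.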

-------------------------------------------------------------------------------- /task/operator-sdk-generate-bundle/0.1/README.md: --------------------------------------------------------------------------------
# operator-sdk-generate-bundle task

Generate an OLM bundle using the operator-sdk

## Parameters
|name|description|default value|required|
|---|---|---|---|
|input-dir|Directory to read cluster-ready operator manifests from|deploy|false|
|channels|Comma-separated list of channels the bundle belongs to|alpha|false|
|kustomize-dir|Directory containing kustomize bases in a "bases" dir and a kustomization.yaml for operator-framework manifests|""|false|
|extra-service-accounts|Comma-separated list of service account names, outside of the operator's Deployment account, that have bindings to {Cluster}Roles that should be added to the CSV|""|false|
|version|Semantic version of the operator in the generated bundle||true|
|package-name|Bundle's package name||true|
|additional-labels-file|A plain text file containing additional labels to append to the generated Dockerfile|""|false|

## Workspaces
|name|description|optional|
|---|---|---|
|source|Workspace with the source code|false|

## Additional info
-------------------------------------------------------------------------------- /archived-tasks/sast-snyk-check-oci-ta/0.2/recipe.yaml: --------------------------------------------------------------------------------
---
base: ../../sast-snyk-check/0.2/sast-snyk-check.yaml
add:
  - use-source
  - use-cachi2
description: >-
  Scans source code for security vulnerabilities, including common issues such as SQL injection,
  cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application
  Security Testing (SAST) tool.


  Follow the steps given
  [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/)
  to obtain a snyk-token and to enable the snyk task in a Pipeline.


  The snyk binary used in this Task comes from a container image defined in
  https://github.com/konflux-ci/konflux-test


  See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk
  tool.
preferStepTemplate: true
removeWorkspaces:
  - workspace
replacements:
  workspaces.workspace.path: /var/workdir
regexReplacements:
  hacbs/\$\(context.task.name\): source
-------------------------------------------------------------------------------- /stepactions/eaas-get-ephemeral-cluster-credentials/0.1/README.md: --------------------------------------------------------------------------------
# eaas-get-ephemeral-cluster-credentials stepaction

This StepAction queries the EaaS hub cluster to get the kubeconfig for an ephemeral cluster by name. Credentials are stored in a mounted volume that must be provided as a param.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|eaasSpaceSecretRef|Name of a secret containing credentials for accessing an EaaS space.||true|
|clusterName|The name of a ClusterTemplateInstance.||true|
|credentials|A volume to which the remote cluster credentials will be written.||true|
|insecureSkipTLSVerify|Skip TLS verification when accessing the EaaS hub cluster. This should not be set to "true" in a production environment.|false|false|

## Results
|name|description|
|---|---|
|kubeconfig|Relative path to the kubeconfig in the mounted volume|
|username|The username for the cluster|
|passwordPath|Relative path to the password file in the mounted volume|
|apiServerURL|API server URL of the cluster|
|consoleURL|Console URL of the cluster|

-------------------------------------------------------------------------------- /task/apply-tags/0.2/README.md: --------------------------------------------------------------------------------
# apply-tags task

Applies additional tags to the built image.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|IMAGE_URL|Image repository and tag reference of the built image.||true|
|IMAGE_DIGEST|Image digest of the built image.||true|
|ADDITIONAL_TAGS|Additional tags that will be applied to the image in the registry.|[]|false|
|CA_TRUST_CONFIG_MAP_NAME|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
|CA_TRUST_CONFIG_MAP_KEY|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|


## Additional info
The apply-tags task will apply additional tags to the specified IMAGE. These additional tags can be provided via the ADDITIONAL_TAGS array parameter, or they can also be provided in the image label "konflux.additional-tags".
If you specify more than one additional tag in the label, they must be separated by a comma or a blank space, e.g.:

```
LABEL konflux.additional-tags="tag1, tag2"
```
```
LABEL konflux.additional-tags="tag tag2"
```
-------------------------------------------------------------------------------- /archived-tasks/source-build/0.2/README.md: --------------------------------------------------------------------------------
# source-build task

Source image build.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|BINARY_IMAGE|Binary image name from which to generate the source image name.||true|
|BASE_IMAGES|By default, the task inspects the SBOM of the binary image to find the base image. With this parameter, you can override that behavior and pass the base image directly. The value should be a newline-separated list of images, in the same order as the FROM instructions specified in a multistage Dockerfile.|""|false|
|IGNORE_UNSIGNED_IMAGE|When set to "true", the source build task won't fail when the source image is missing signatures (this can be used for development)|false|false|

## Results
|name|description|
|---|---|
|BUILD_RESULT|Build result.|
|SOURCE_IMAGE_URL|The source image url.|
|SOURCE_IMAGE_DIGEST|The source image digest.|
|IMAGE_REF|Image reference of the built image.|

## Workspaces
|name|description|optional|
|---|---|---|
|workspace|The workspace where source code is included.|false|

## Additional info
-------------------------------------------------------------------------------- /pipelines/package-operator-package/patch.yaml: --------------------------------------------------------------------------------
---
- op: add
  path: /spec/description
  value: |
    Given a git repository, a reference (as in, tag or commit) and a path within the repository, this pipeline will create a package-operator package.

    The process of how a pko package is defined and packaged is documented [here](https://package-operator.run/docs/guides/packaging-an-application/). This task expects the package definition, will build it using `kubectl-package` and push the created package to the given OCI registry destination.
- op: replace
  path: /metadata/name
  value: package-operator-package
- op: replace
  path: /spec/tasks/3/taskRef/name
  value: package-operator-package
- op: add
  path: /spec/tasks/3/params
  value:
    - name: SRC_PATH
      value: $(params.path-context)
    - name: DST_URL
      value: $(params.output-image)
- op: replace
  path: /spec/tasks/3/workspaces
  value:
    - name: package
      workspace: workspace
- op: remove
  path: /spec/params/4 # dockerfile
- op: remove
  path: /spec/tasks/16 # push-dockerfile
-------------------------------------------------------------------------------- /task/validate-fbc/0.1/README.md: --------------------------------------------------------------------------------
# validate-fbc task

Ensures file-based catalog (FBC) components are uniquely linted for proper construction as part of the build pipeline. The manifest data of container images is checked using the OpenShift Operator Framework's opm CLI tool. The opm binary is extracted from the container's base image, which must come from a trusted source.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|IMAGE_URL|Fully qualified image name.||true|
|IMAGE_DIGEST|Image digest.||true|

## Results
|name|description|
|---|---|
|RELATED_IMAGE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the related images for the FBC fragment.|
|TEST_OUTPUT_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the related images for the FBC fragment.|
|TEST_OUTPUT|Tekton task test output.|
|RELATED_IMAGES_DIGEST|Digest for the attached JSON file containing related images|
|IMAGES_PROCESSED|Images processed in the task.|
|RENDERED_CATALOG_DIGEST|Digest for the attached JSON file containing the FBC fragment's opm rendered catalog.|


## Additional info
-------------------------------------------------------------------------------- /archived-tasks/fbc-validation/0.1/README.md: --------------------------------------------------------------------------------
# fbc-validation task

## Description:
Ensures file-based catalog (FBC) components are uniquely linted for proper construction as part of the build pipeline.

For further information on how to use the task, see the USAGE.md file.

For troubleshooting assistance, see the TROUBLESHOOTING.md file.

## Params:

| name         | description                      |
|--------------|----------------------------------|
| IMAGE_DIGEST | Image digest.                    |
| IMAGE_URL    | Fully qualified image name.      |
| BASE_IMAGE   | Fully qualified base image name. |

## Results:

| name               | description               |
|--------------------|---------------------------|
| TEST_OUTPUT        | Tekton task test output.  |

## Source repository for image:
https://github.com/konflux-ci/konflux-test

## Additional links:
https://olm.operatorframework.io/docs/reference/file-based-catalogs/
https://github.com/containers/skopeo
https://docs.openshift.com/container-platform/4.12/cli_reference/opm/cli-opm-install.html
-------------------------------------------------------------------------------- /archived-tasks/fbc-validation/0.2/README.md: --------------------------------------------------------------------------------
# fbc-validation task

## Description:
Ensures file-based catalog (FBC) components are uniquely linted for proper construction as part of the build pipeline.

For further information on how to use the task, see the USAGE.md file.

For troubleshooting assistance, see the TROUBLESHOOTING.md file.

## Params:

| name         | description                      |
|--------------|----------------------------------|
| IMAGE_DIGEST | Image digest.                    |
| IMAGE_URL    | Fully qualified image name.      |
| BASE_IMAGE   | Fully qualified base image name. |

## Results:

| name               | description               |
|--------------------|---------------------------|
| TEST_OUTPUT        | Tekton task test output.  |

## Source repository for image:
https://github.com/konflux-ci/konflux-test

## Additional links:
https://olm.operatorframework.io/docs/reference/file-based-catalogs/
https://github.com/containers/skopeo
https://docs.openshift.com/container-platform/4.12/cli_reference/opm/cli-opm-install.html
-------------------------------------------------------------------------------- /task/source-build/0.3/README.md: --------------------------------------------------------------------------------
# source-build task

Source image build.
4 | 5 | ## Parameters 6 | |name|description|default value|required| 7 | |---|---|---|---| 8 | |BINARY_IMAGE|Binary image name with tag.||true| 9 | |BINARY_IMAGE_DIGEST|Digest of the binary image.||true| 10 | |BASE_IMAGES|By default, the task inspects the SBOM of the binary image to find the base image. With this parameter, you can override that behavior and pass the base image directly. The value should be a newline-separated list of images, in the same order as the FROM instructions specified in a multistage Dockerfile.|""|false| 11 | |IGNORE_UNSIGNED_IMAGE|When set to "true", source build task won't fail when source image is missing signatures (this can be used for development)|false|false| 12 | 13 | ## Results 14 | |name|description| 15 | |---|---| 16 | |BUILD_RESULT|Build result.| 17 | |SOURCE_IMAGE_URL|The source image url.| 18 | |SOURCE_IMAGE_DIGEST|The source image digest.| 19 | |IMAGE_REF|Image reference of the built image.| 20 | 21 | ## Workspaces 22 | |name|description|optional| 23 | |---|---|---| 24 | |workspace|The workspace where source code is included.|false| 25 | 26 | ## Additional info 27 | -------------------------------------------------------------------------------- /task/eaas-provision-space/0.1/README.md: -------------------------------------------------------------------------------- 1 | # eaas-provision-space task 2 | 3 | Provisions an ephemeral namespace on an EaaS cluster using a crossplane namespace claim. This namespace can then be used to provision other ephemeral environments for testing. 4 | 5 | ## Parameters 6 | |name|description|default value|required| 7 | |---|---|---|---| 8 | |ownerKind|The type of resource that should own the generated namespace claim. Deletion of this resource will trigger deletion of the SpaceRequest. Supported values: `PipelineRun`, `TaskRun`.|PipelineRun|false| 9 | |ownerName|The name of the resource that should own the generated namespace claim. 
This should either be passed the value of `$(context.pipelineRun.name)` or `$(context.taskRun.name)` depending on the value of `ownerKind`.||true| 10 | |ownerUid|The uid of the resource that should own the generated namespace claim. This should either be passed the value of `$(context.pipelineRun.uid)` or `$(context.taskRun.uid)` depending on the value of `ownerKind`.||true| 11 | 12 | ## Results 13 | |name|description| 14 | |---|---| 15 | |secretRef|Name of a Secret containing a kubeconfig used to access the provisioned space.| 16 | 17 | 18 | ## Additional info 19 | -------------------------------------------------------------------------------- /archived-tasks/sast-snyk-check/0.3/MIGRATION.md: -------------------------------------------------------------------------------- 1 | # Migration from 0.2 to 0.3 2 | 3 | Version 0.3: 4 | 5 | - The `IMP_FINDINGS_ONLY` parameter has been introduced and enabled by default with "true" value. Only high or critical vulnerabilities will be shown. This behavior can be disabled with "false" value. 6 | - The scan results uploaded in the SARIF format now additionally contain source code snippets and `csdiff/v1` fingerprints for each finding. 7 | - There are no default arguments as "--all-projects --exclude=test*,vendor,deps" are ignored by Snyk Code 8 | - SARIF produced by Snyk Code is not included in the CI log. 9 | - The `KFP_GIT_URL` parameter has been introduced to indicate the repository to filter false positives. If this variable is left empty, the results won't be filtered. At the same time, we can store all excluded findings in a file using the `RECORD_EXCLUDED` parameter and specify a name of project with the `PROJECT_NAME` to use specific filters. 10 | - The stats of the snyk scan are embedded into the result's SARIF file 11 | 12 | ## Action from users 13 | 14 | Renovate bot PR will be created with warning icon for a sast-snyk-check which is expected, no action from users are required. 
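The 0.3 migration notes above describe three post-processing steps on the Snyk SARIF output: keeping only important findings (`IMP_FINDINGS_ONLY`), dropping known false positives identified by their `csdiff/v1` fingerprint (`KFP_GIT_URL`), and recording what was excluded (`RECORD_EXCLUDED`). The following added example, written for this page and not taken from the task, shows that pipeline over a constructed SARIF document. Two assumptions are labelled in the code: the SARIF `level` field stands in for the high/critical severity decision, and the known-false-positive list is modelled as a plain set of fingerprints rather than the layout the real KFP repository uses.

```python
import json

# Constructed SARIF document (not real Snyk output). Fingerprints and paths are made up.
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "SnykCode"}},
        "results": [
            {"ruleId": "javascript/Sqli", "level": "error",
             "message": {"text": "Unsanitized input flows into a SQL query"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/db.js"},
                                                 "region": {"startLine": 42}}}],
             "fingerprints": {"csdiff/v1": "aaaa1111"}},
            {"ruleId": "javascript/Xss", "level": "error",
             "message": {"text": "Unsanitized input reaches the DOM"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/view.js"},
                                                 "region": {"startLine": 7}}}],
             "fingerprints": {"csdiff/v1": "bbbb2222"}},
            {"ruleId": "javascript/HardcodedSecret", "level": "warning",
             "message": {"text": "Possible hardcoded credential in test fixture"},
             "locations": [{"physicalLocation": {"artifactLocation": {"uri": "test/fixture.js"},
                                                 "region": {"startLine": 3}}}],
             "fingerprints": {"csdiff/v1": "cccc3333"}},
        ],
    }],
})

# Assumption: a known-false-positive list keyed by csdiff/v1 fingerprint (constructed value;
# the real KFP repository stores exclusions in its own layout, only the idea is shown here).
KNOWN_FALSE_POSITIVES = {"bbbb2222"}

# Assumption: SARIF "level" is used as the severity signal; "error" counts as high/critical.
IMPORTANT_LEVELS = {"error"}


def filter_sarif(raw, kfp, important_only=True):
    """Return (filtered SARIF dict, list of excluded results).

    The excluded list is what a RECORD_EXCLUDED-style option would write to a file, so the
    suppression is auditable rather than silent."""
    doc = json.loads(raw)
    excluded = []
    for run in doc["runs"]:
        kept = []
        for result in run.get("results", []):
            fingerprint = result.get("fingerprints", {}).get("csdiff/v1")
            if fingerprint in kfp:
                excluded.append(result)          # known false positive
                continue
            if important_only and result.get("level") not in IMPORTANT_LEVELS:
                excluded.append(result)          # below the severity cut-off
                continue
            kept.append(result)
        run["results"] = kept
    return doc, excluded


def summarize(doc):
    """One 'ruleId path:line' string per remaining finding, as a CI log would show."""
    lines = []
    for run in doc["runs"]:
        for r in run["results"]:
            loc = r["locations"][0]["physicalLocation"]
            lines.append(f"{r['ruleId']} {loc['artifactLocation']['uri']}:{loc['region']['startLine']}")
    return lines


if __name__ == "__main__":
    filtered, dropped = filter_sarif(SAMPLE_SARIF, KNOWN_FALSE_POSITIVES)
    print("kept:", summarize(filtered))
    print("excluded:", [r["ruleId"] for r in dropped])
```

With the defaults this keeps only the SQL injection finding: the XSS result is dropped by fingerprint and the warning-level result by the severity cut-off; calling `filter_sarif(SAMPLE_SARIF, set(), important_only=False)` corresponds to leaving `KFP_GIT_URL` empty and `IMP_FINDINGS_ONLY` false, and keeps all three.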

--------------------------------------------------------------------------------
/hack/test-builds.sh:
--------------------------------------------------------------------------------

```bash
#!/bin/bash -e

# Script for execution of the pipelines as Application Service

SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"

TASKSDIR=${SCRIPTDIR}/../task

# Apply the newest version directory of every task (numeric sort, so 0.10 sorts after 0.9)
for task in $(ls "$TASKSDIR"); do
  VERSIONDIR=$(ls -d "$TASKSDIR/$task"/*/ | sort -t. -k 1,1n -k 2,2n -k 3,3n -k 4,4n | tail -n1)
  if [ -f "$VERSIONDIR/$task.yaml" ]; then
    oc apply -f "$VERSIONDIR/$task.yaml"
  elif [ -f "$VERSIONDIR/kustomization.yaml" ]; then
    oc apply -k "$VERSIONDIR"
  else
    echo "Unable to apply task in $VERSIONDIR"
  fi
done

# Drop the pinned taskRef.version fields so the pipelines resolve to the tasks just applied
oc apply -k "$SCRIPTDIR/../pipelines/" -o yaml --dry-run=client | \
  yq e 'del(.items.[] | .spec.tasks.[] | .taskRef.version, .items.[] | .spec.finally.[] | .taskRef.version)' | \
  oc apply -f-

bash -c "$(curl -fsSL https://raw.githubusercontent.com/redhat-appstudio/infra-deployments/main/hack/build/setup-namespace.sh)"

[ "$1" == "skip_checks" ] && export SKIP_CHECKS=1
"$SCRIPTDIR/test-build.sh" https://github.com/jduimovich/single-container-app docker-build
"$SCRIPTDIR/test-build.sh" https://github.com/Michkov/simple-fbc fbc-builder
```

--------------------------------------------------------------------------------
/task-generator/remote/README.md:
--------------------------------------------------------------------------------

# Buildah remote task generation
The Buildah task builds source code into a container image and pushes the image into a container registry using the Buildah tool.
While the standard Buildah task runs directly on the cluster, the remote task is run on a remote host.
This must be used in combination with the Multi Arch Controller, which provides the credentials and host name used to perform the build.

The remote versions of the Buildah task are programmatically generated by this script from the buildah task to keep them in sync. The generated remote tasks should not be manually modified.

This tool is used by the `hack/generate-buildah-remote.sh` script.

## Arguments
- `buildah-task` - The location of the buildah task YAML file (required)
- `remote-task` - The location of the buildah-remote task YAML file to overwrite (required)
- `task-version` - The version of the task to overwrite, e.g. `0.2` (required)

Example usage:
```
go run remote/main.go \
  --buildah-task ../task/buildah/0.2/buildah.yaml \
  --remote-task ../task/buildah-remote/0.2/buildah-remote.yaml \
  --task-version 0.2
```

--------------------------------------------------------------------------------
/task/git-clone/0.1/tests/test-git-clone-run-without-args.yaml:
--------------------------------------------------------------------------------

```yaml
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: test-git-clone-no-args
spec:
  description: |
    Test the git-clone task with no arguments
  workspaces:
    - name: tests-workspace
  tasks:
    - name: run-task
      taskRef:
        name: git-clone
      params:
        - name: url
          value: https://github.com/kelseyhightower/nocode
      workspaces:
        - name: output
          workspace: tests-workspace
    - name: check-result
      workspaces:
        - name: output
          workspace: tests-workspace
      taskSpec:
        steps:
          - name: check-result
            image: quay.io/konflux-ci/appstudio-utils:1610c1fc4cfc9c9053dbefc1146904a4df6659ef@sha256:90ac97b811073cb99a23232c15a08082b586c702b85da6200cf54ef505e3c50c
            script: |
              #!/usr/bin/env sh
              set -eux
              files=$(find "$(workspaces.output.path)/source/" -mindepth 1 -maxdepth 1)
              test -n "$files"
      runAfter:
        - run-task
```
--------------------------------------------------------------------------------
/partners/example-hello-world/0.1/example-hello-world.yaml:
--------------------------------------------------------------------------------

```yaml
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: example-hello-world
spec:
  description: >-
    This is example task which prints content in message parameter and if secret hello-world with key "show-me"
    exists then the SHA256 of the key value is printed.

    Secret creation example: 'oc create secret generic hello-world --from-literal=show-me=super-secret'
  params:
    - name: message
      type: string
      description: Message to be printed.
      default: Hello World!!!
  volumes:
    - name: secret
      secret:
        secretName: hello-world
        optional: true
  steps:
    - name: main-step
      image: registry.access.redhat.com/ubi9/ubi-minimal:9.1.0-1829@sha256:95413c8dacaac773421428947a431c1cb099d19b4b1125df77d5d1cd2f463ab8
      script: |
        #!/bin/sh
        echo "$MESSAGE"
        # Only the digest of the secret value is printed, never the value itself
        if [ -f /etc/secret/show-me ]; then
          sha256sum /etc/secret/show-me
        fi
      env:
        - name: MESSAGE
          value: "$(params.message)"
      volumeMounts:
        - name: secret
          mountPath: /etc/secret
```

--------------------------------------------------------------------------------
/task/clair-scan/0.2/README.md:
--------------------------------------------------------------------------------

# clair-scan task

Scans container images for vulnerabilities using Clair, by comparing the components of the container image against Clair's vulnerability databases.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|image-digest|Image digest to scan.||true|
|image-url|Image URL.||true|
|docker-auth|unused, should be removed in next task version.|""|false|
|ca-trust-config-map-name|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
|ca-trust-config-map-key|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|

## Results
|name|description|
|---|---|
|TEST_OUTPUT|Tekton task test output.|
|SCAN_OUTPUT|Clair scan result.|
|IMAGES_PROCESSED|Images processed in the task.|
|REPORTS|Mapping of image digests to report digests|

## Additional info
## Clair-action repository:
https://github.com/quay/clair-action

## Source repository for image:
https://github.com/konflux-ci/konflux-test/tree/main/clair-in-ci

## Additional links:
https://quay.github.io/clair/whatis.html

--------------------------------------------------------------------------------
/.github/workflows/checkton.yaml:
--------------------------------------------------------------------------------

```yaml
name: Checkton
"on":
  pull_request:
    branches: [main]
  merge_group:
    types: [checks_requested]
jobs:
  lint:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          # Differential Checkton requires full git history
          fetch-depth: 0

      - name: Run Checkton
        id: checkton
        uses: chmeliik/checkton@v0.4.0
        with:
          # Set to false when re-enabling SARIF uploads
          fail-on-findings: true
          find-copies-harder: true
          exclude-regex: ^task-generator

      # Currently, code scanning alerts annoyingly stay open even if you fix them.
      # Don't upload SARIF until https://github.com/orgs/community/discussions/132787 is resolved.

      # - name: Upload SARIF file
      #   uses: github/codeql-action/upload-sarif@v3
      #   with:
      #     sarif_file: ${{ steps.checkton.outputs.sarif }}
      #     # Avoid clashing with ShellCheck
      #     category: checkton
```

--------------------------------------------------------------------------------
/.github/workflows/check-readmes.yaml:
--------------------------------------------------------------------------------

```yaml
name: Validate PR - check READMEs
'on':
  pull_request:
    branches: [main]
  merge_group:
    types: [checks_requested]
jobs:
  check:
    name: Check READMEs
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v6

      - name: Install oc
        run: |
          set -euo pipefail
          url=https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest-4.17/openshift-client-linux.tar.gz
          if ! which oc; then
            curl --fail --no-progress-meter -L "$url" | gzip -cd | sudo -- tar -x -C /usr/bin oc
          fi

      - name: Check pipeline READMEs
        run: |
          #!/bin/bash
          set -e

          ./hack/generate-pipelines-readme.py
          if [[ -n $(git status -s) ]]
          then
            echo "pipeline READMEs are not up to date, run ./hack/generate-pipelines-readme.py and commit the resulting changes"
            echo "Or run ./hack/generate-everything.sh to run all the generators at once."
            git status -s
            exit 1
          fi
```

--------------------------------------------------------------------------------
/hack/check-task-owners.sh:
--------------------------------------------------------------------------------

```bash
#!/usr/bin/env bash
set -o errexit -o nounset -o pipefail

shopt -s nullglob

codeowners_to_gitignore() {
    # drop comments and the root '*' pattern, extract the pattern from each line
    awk '/^[^#]/ && !/^\*\s/ { print $1 }' "$1"
}

temp_gitignore=$(mktemp --tmpdir "codeowners-gitignore.XXXX")
trap 'rm "$temp_gitignore"' EXIT
codeowners_to_gitignore CODEOWNERS > "$temp_gitignore"

important_dirs=$(
    for f in task/* external-task/* stepactions/*; do
        if [[ -d "$f" ]]; then
            echo "$f"
        fi
    done | sort
)

codeowned_dirs=$(
    # CODEOWNERS is roughly a .gitignore file, so check which dirs are "ignored" by CODEOWNERS
    echo "$important_dirs" |
        git -c "core.excludesFile=$temp_gitignore" check-ignore --no-index --stdin |
        sort
)

missing_owners=$(comm -23 <(echo "$important_dirs") <(echo "$codeowned_dirs"))

if [[ -n "$missing_owners" ]]; then
    echo "Missing CODEOWNERS:" >&2
    # shellcheck disable=SC2001 # can't use ${variable//search/replace} instead
    sed 's/^/  /' <<< "$missing_owners" >&2
    exit 1
fi
```

--------------------------------------------------------------------------------
/task/git-clone/0.1/tests/test-git-clone-run-with-tag.yaml:
--------------------------------------------------------------------------------

```yaml
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: test-git-clone-with-tag
spec:
  description: |
    Test the git-clone task with tag
  workspaces:
    - name: tests-workspace
  tasks:
    - name: run-task
      taskRef:
        name: git-clone
      params:
        - name: url
          value: https://github.com/kelseyhightower/nocode
        - name: revision
          value: 1.0.0
      workspaces:
        - name: output
          workspace: tests-workspace
    - name: check-result
      workspaces:
        - name: output
          workspace: tests-workspace
      taskSpec:
        steps:
          - name: check-result
            image: quay.io/konflux-ci/appstudio-utils:1610c1fc4cfc9c9053dbefc1146904a4df6659ef@sha256:90ac97b811073cb99a23232c15a08082b586c702b85da6200cf54ef505e3c50c
            script: |
              #!/usr/bin/env sh
              set -eux
              files=$(find "$(workspaces.output.path)/source/" -mindepth 1 -maxdepth 1)
              test -n "$files"
      runAfter:
        - run-task
```

--------------------------------------------------------------------------------
/task/push-dockerfile-oci-ta/0.1/README.md:
--------------------------------------------------------------------------------

# push-dockerfile-oci-ta task

Discover the Dockerfile from source code and push it to the registry as an OCI artifact.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|ARTIFACT_TYPE|Artifact type of the Dockerfile image.|application/vnd.konflux.dockerfile|false|
|CA_TRUST_CONFIG_MAP_KEY|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
|CA_TRUST_CONFIG_MAP_NAME|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
|CONTEXT|Path to the directory to use as context.|.|false|
|DOCKERFILE|Path to the Dockerfile.|./Dockerfile|false|
|IMAGE|The built binary image. The Dockerfile is pushed to the same image repository alongside.||true|
|IMAGE_DIGEST|The built binary image digest, which is used to construct the tag of the Dockerfile image.||true|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|TAG_SUFFIX|Suffix of the Dockerfile image tag.|.dockerfile|false|

## Results
|name|description|
|---|---|
|IMAGE_REF|Digest-pinned image reference to the Dockerfile image.|

## Additional info

--------------------------------------------------------------------------------
/archived-tasks/source-build-oci-ta/0.2/README.md:
--------------------------------------------------------------------------------

# source-build-oci-ta task

Source image build.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|BASE_IMAGES|By default, the task inspects the SBOM of the binary image to find the base image. With this parameter, you can override that behavior and pass the base image directly. The value should be a newline-separated list of images, in the same order as the FROM instructions specified in a multistage Dockerfile.|""|false|
|BINARY_IMAGE|Binary image name from which to generate the source image name.||true|
|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false|
|IGNORE_UNSIGNED_IMAGE|When set to "true", the source build task won't fail when the source image is missing signatures (this can be used for development).|false|false|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|

## Results
|name|description|
|---|---|
|BUILD_RESULT|Build result.|
|IMAGE_REF|Image reference of the built image.|
|SOURCE_IMAGE_DIGEST|The source image digest.|
|SOURCE_IMAGE_URL|The source image url.|

## Additional info

--------------------------------------------------------------------------------
/archived-tasks/inspect-image/0.1/README.md:
--------------------------------------------------------------------------------

# inspect-image task

## Description:
The inspect-image task uses Skopeo to inspect and analyze manifest data from the target source image of a container if it is built from scratch. If the target image has a direct base image, the task will also use Skopeo to inspect that base image.

## Params:

| name         | description                                     |
|--------------|-------------------------------------------------|
| IMAGE_URL    | Fully qualified image name.                     |
| IMAGE_DIGEST | Image digest.                                   |
| DOCKER_AUTH  | unused, should be removed in next task version. |

## Results:

| name                  | description                            |
|-----------------------|----------------------------------------|
| BASE_IMAGE            | Base image source image is built from. |
| BASE_IMAGE_REPOSITORY | Base image repository URL.             |
| TEST_OUTPUT           | Tekton task test output.               |

## Source repository for image:
https://github.com/konflux-ci/konflux-test

## Additional links:
https://www.redhat.com/en/topics/containers/what-is-skopeo

--------------------------------------------------------------------------------
/archived-tasks/inspect-image/0.2/README.md:
--------------------------------------------------------------------------------

# inspect-image task

## Description:
The inspect-image task uses Skopeo to inspect and analyze manifest data from the target source image of a container if it is built from scratch. If the target image has a direct base image, the task will also use Skopeo to inspect that base image.

## Params:

| name         | description                                     |
|--------------|-------------------------------------------------|
| IMAGE_URL    | Fully qualified image name.                     |
| IMAGE_DIGEST | Image digest.                                   |
| DOCKER_AUTH  | unused, should be removed in next task version. |

## Results:

| name                  | description                            |
|-----------------------|----------------------------------------|
| BASE_IMAGE            | Base image source image is built from. |
| BASE_IMAGE_REPOSITORY | Base image repository URL.             |
| TEST_OUTPUT           | Tekton task test output.               |

## Source repository for image:
https://github.com/konflux-ci/konflux-test

## Additional links:
https://www.redhat.com/en/topics/containers/what-is-skopeo

--------------------------------------------------------------------------------
/task/ecosystem-cert-preflight-checks/0.2/MIGRATION.md:
--------------------------------------------------------------------------------

# Migration from 0.1 to 0.2

A new optional parameter, `artifact-type`, can be explicitly set to control the
application of ecosystem checks on your image.

## Action from users

### Parameters

No **required** action for users.

Optionally, users may choose to explicitly set `artifact-type` to a predefined
value if they wish to explicitly control the type of artifact (e.g. application
image "application", or operator bundle image "operatorbundle"). Otherwise, this
is introspected.

# Migration from 0.2 to 0.2.1

Version 0.2.1:

A `matrix` can be configured for the task to improve performance for multi-arch builds.

Changes:
For multi-arch builds, `matrix` is added to the build pipeline definition file.

## Action from users
A Renovate bot PR will be created with a warning icon for ecosystem-cert-preflight-checks;
this is expected and no action from users is required for the task.

For multi-arch builds, `matrix` will be added to the build pipeline definition file
automatically by the script migrations/0.2.1.sh when MintMaker runs
[pipeline-migration-tool](https://github.com/konflux-ci/pipeline-migration-tool).

--------------------------------------------------------------------------------
/task/package-operator-package-oci-ta/0.1/README.md:
--------------------------------------------------------------------------------

# package-operator-package-oci-ta task

Given a git repository, a reference (as in, tag or commit) and a path within the
repository, this task will create a package-operator package. The process of how a pko package is defined and packaged is documented
[here](https://package-operator.run/docs/guides/packaging-an-application/).
This task expects the package definition, builds it using `kubectl-package`
and pushes the created package to the given OCI registry destination.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|DST_URL|URL where to push the generated pko package to.||true|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|SRC_PATH|Path of the directory within the repository that contains the package manifest.||true|

## Results
|name|description|
|---|---|
|IMAGE_DIGEST|Digest of the package just built|
|IMAGE_REF|Image reference of the built package|
|IMAGE_URL|Image repository and tag where the built package was pushed|
|SBOM_BLOB_URL|Reference of SBOM blob digest to enable digest-based verification from provenance|

## Additional info

--------------------------------------------------------------------------------
/task/coverity-availability-check/0.2/README.md:
--------------------------------------------------------------------------------

# coverity-availability-check task

This task performs the checks needed in order to use the Coverity image in the pipeline. It will check for a Coverity license secret and an authentication secret for pulling the image.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|COV_LICENSE|Name of the secret which contains the Coverity license|cov-license|false|
|AUTH_TOKEN_COVERITY_IMAGE|Name of the secret which contains the authentication token for pulling the Coverity image.|auth-token-coverity-image|false|

## Results
|name|description|
|---|---|
|TEST_OUTPUT|Tekton task result output.|
|STATUS|Tekton task simple status to be later checked|

## Additional info
The characteristics of these checks are:

- It will check for a secret called "auth-token-coverity-image" which holds the authentication token used to pull the Coverity image.
- It will check for a secret called "cov-license" where the Coverity license is stored.

> NOTE: If any of these checks fails, the sast-coverity-check task won't be executed. The Coverity license can be used by Red Hat employees only and it needs to be protected such that external users cannot access the license.

--------------------------------------------------------------------------------
/task/push-dockerfile/0.1/README.md:
--------------------------------------------------------------------------------

# push-dockerfile task

Discover the Dockerfile from source code and push it to the registry as an OCI artifact.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|IMAGE|The built binary image. The Dockerfile is pushed to the same image repository alongside.||true|
|IMAGE_DIGEST|The built binary image digest, which is used to construct the tag of the Dockerfile image.||true|
|DOCKERFILE|Path to the Dockerfile.|./Dockerfile|false|
|CONTEXT|Path to the directory to use as context.|.|false|
|TAG_SUFFIX|Suffix of the Dockerfile image tag.|.dockerfile|false|
|ARTIFACT_TYPE|Artifact type of the Dockerfile image.|application/vnd.konflux.dockerfile|false|
|CA_TRUST_CONFIG_MAP_NAME|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
|CA_TRUST_CONFIG_MAP_KEY|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|

## Results
|name|description|
|---|---|
|IMAGE_REF|Digest-pinned image reference to the Dockerfile image.|

## Workspaces
|name|description|optional|
|---|---|---|
|workspace|Workspace containing the source code from where the Dockerfile is discovered.|false|

## Additional info

--------------------------------------------------------------------------------
/archived-tasks/ecosystem-cert-preflight-checks/0.1/README.md:
--------------------------------------------------------------------------------

# ecosystem-cert-preflight-checks task

## Description:

The ecosystem-cert-preflight-checks task checks an image for certification readiness.

## Params:

| name                     | description                                                            | default       |
|--------------------------|------------------------------------------------------------------------|---------------|
| image-url                | Image URL.                                                             | None          |
| ca-trust-config-map-name | The name of the ConfigMap to read CA bundle data from.                 | trusted-ca    |
| ca-trust-config-map-key  | The name of the key in the ConfigMap that contains the CA bundle data. | ca-bundle.crt |

## Results:

| name              | description                                      |
|-------------------|--------------------------------------------------|
| TEST_OUTPUT       | Indicates whether the container passed preflight |

## Source repository for preflight:
https://github.com/redhat-openshift-ecosystem/openshift-preflight

## Additional links:
https://connect.redhat.com/en/blog/topic/preflight

--------------------------------------------------------------------------------
/task/update-infra-deployments/0.1/README.md:
--------------------------------------------------------------------------------

# update-infra-deployments task

Clones the redhat-appstudio/infra-deployments repository, runs the script given in the `SCRIPT` parameter, and opens a pull request against the redhat-appstudio/infra-deployments repository.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|SCRIPT|Bash script for changing the infra-deployments||true|
|ORIGIN_REPO|URL of the GitHub repository which was built by the Pipeline||true|
|REVISION|Git reference which was built by the Pipeline||true|
|TARGET_GH_REPO|GitHub repository of the infra-deployments code|redhat-appstudio/infra-deployments|false|
|GIT_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false|
|SCRIPT_IMAGE|Deprecated. Has no effect. Will be removed in the future.|""|false|
|shared-secret|Secret in the namespace which contains the private key for the GitHub App|infra-deployments-pr-creator|false|
|GITHUB_APP_ID|ID of the GitHub App used for updating the PR|305606|false|
|GITHUB_APP_INSTALLATION_ID|Installation ID of the GitHub App in the organization|35269675|false|

## Workspaces
|name|description|optional|
|---|---|---|
|artifacts|Workspace containing arbitrary artifacts used during the task run.|true|

## Additional info

--------------------------------------------------------------------------------
/task/sbom-json-check/0.2/README.md:
--------------------------------------------------------------------------------

## Warning
This task is deprecated, with a deprecation date of 2024-09-30. Before that date EC reports the presence of this task only as a warning; after it, as a violation. Please remove it from your pipeline.

# sbom-json-check task

Verifies the integrity and security of the Software Bill of Materials (SBOM) file in JSON format using the CycloneDX tool.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|IMAGE_URL|Fully qualified image name to verify.||true|
|IMAGE_DIGEST|Image digest.||true|
|CA_TRUST_CONFIG_MAP_NAME|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
|CA_TRUST_CONFIG_MAP_KEY|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|

## Results
|name|description|
|---|---|
|TEST_OUTPUT|Tekton task test output.|
|IMAGES_PROCESSED|Images processed in the task.|

## Additional info

## Source repository for image:

https://github.com/konflux-ci/konflux-test

## Additional links:

* https://www.cisa.gov/sbom
* https://www.redhat.com/en/blog/how-red-hat-addressing-demand-develop-offerings-more-securely
* https://cyclonedx.org/
* https://owasp.org/

--------------------------------------------------------------------------------
/task/rpms-signature-scan/0.2/README.md:
--------------------------------------------------------------------------------

# rpms-signature-scan task

Scans the RPMs in an image and provides information about their signatures.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|image-url|Image URL||true|
|image-digest|Image digest to scan||true|
|workdir|Directory that will be used for storing temporary files produced by this task.|/tmp|false|
|ca-trust-config-map-name|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
|ca-trust-config-map-key|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|

## Results
|name|description|
|---|---|
|TEST_OUTPUT|Tekton task test output.|
|RPMS_DATA|Information about signed and unsigned RPMs|
|IMAGES_PROCESSED|Images processed in the task.|

## Additional info

The RPMs' signature keys as well as the unsigned RPMs are saved into the `RPMS_DATA`
result path and they are processed by Conforma to determine whether the task should fail
or not.

The task will fail in case one or more images have failed the scan.

## Source repository for image:

https://github.com/konflux-ci/tools

## Source repository for task:

https://github.com/konflux-ci/tekton-tools

--------------------------------------------------------------------------------
/archived-tasks/sast-snyk-check-oci-ta/0.1/README.md:
--------------------------------------------------------------------------------

# sast-snyk-check-oci-ta task

Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks, using Snyk Code, a Static Application Security Testing (SAST) tool.

Follow the steps given [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/) to obtain a snyk-token and to enable the snyk task in a Pipeline.

The snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test

See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|ARGS|Append arguments.|--all-projects --exclude=test*,vendor,deps|false|
|SNYK_SECRET|Name of secret which contains Snyk token.|snyk-secret|false|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|image-digest|Image digest to report findings for.|""|false|
|image-url|Image URL.|""|false|

## Results
|name|description|
|---|---|
|TEST_OUTPUT|Tekton task test output.|

--------------------------------------------------------------------------------
/task/buildah-min/0.6/patch.yaml:
--------------------------------------------------------------------------------
- op: replace
  path: /metadata/name
  value: buildah-min
# build step
- op: replace
  path: /spec/steps/0/computeResources/limits/memory
  value: 4Gi
- op: replace
  path: /spec/steps/0/computeResources/requests/memory
  value: 1Gi
- op: replace
  path: /spec/steps/0/computeResources/requests/cpu
  value: 100m
# push, and sbom-syft-generate steps
- op: replace
  path: /spec/stepTemplate/computeResources/limits/memory
  value: 2Gi
- op: replace
  path: /spec/stepTemplate/computeResources/requests/memory
  value: 512Mi
- op: replace
  path: /spec/stepTemplate/computeResources/requests/cpu
  value: 100m
# prepare-sboms step
- op: replace
  path: /spec/steps/3/computeResources/limits/memory
  value: 256Mi
- op: replace
  path: /spec/steps/3/computeResources/requests/memory
  value: 128Mi
- op: replace
  path: /spec/steps/3/computeResources/requests/cpu
  value: 10m
# upload-sbom step
- op: replace
  path: /spec/steps/4/computeResources/limits/memory
  value: 2Gi
- op: replace
  path: /spec/steps/4/computeResources/requests/memory
  value: 512Mi
- op: replace
  path: /spec/steps/4/computeResources/requests/cpu
  value: 100m
--------------------------------------------------------------------------------
/task/buildah-min/0.7/patch.yaml:
--------------------------------------------------------------------------------
- op: replace
  path: /metadata/name
  value: buildah-min
# build step
- op: replace
  path: /spec/steps/0/computeResources/limits/memory
  value: 4Gi
- op: replace
  path: /spec/steps/0/computeResources/requests/memory
  value: 1Gi
- op: replace
  path: /spec/steps/0/computeResources/requests/cpu
  value: 100m
# push, and sbom-syft-generate steps
- op: replace
  path: /spec/stepTemplate/computeResources/limits/memory
  value: 2Gi
- op: replace
  path: /spec/stepTemplate/computeResources/requests/memory
  value: 512Mi
- op: replace
  path: /spec/stepTemplate/computeResources/requests/cpu
  value: 100m
# prepare-sboms step
- op: replace
  path: /spec/steps/3/computeResources/limits/memory
  value: 256Mi
- op: replace
  path: /spec/steps/3/computeResources/requests/memory
  value: 128Mi
- op: replace
  path: /spec/steps/3/computeResources/requests/cpu
  value: 10m
# upload-sbom step
- op: replace
  path: /spec/steps/4/computeResources/limits/memory
  value: 2Gi
- op: replace
  path: /spec/steps/4/computeResources/requests/memory
  value: 512Mi
- op: replace
  path: /spec/steps/4/computeResources/requests/cpu
  value: 100m
--------------------------------------------------------------------------------
/archived-tasks/buildah-min/0.4/patch.yaml:
--------------------------------------------------------------------------------
- op: replace
  path: /metadata/name
  value: buildah-min
# build step
- op: replace
  path: /spec/steps/0/computeResources/limits/memory
  value: 4Gi
- op: replace
  path: /spec/steps/0/computeResources/requests/memory
  value: 1Gi
- op: replace
  path: /spec/steps/0/computeResources/requests/cpu
  value: 100m
# push, and sbom-syft-generate steps
- op: replace
  path: /spec/stepTemplate/computeResources/limits/memory
  value: 2Gi
- op: replace
  path: /spec/stepTemplate/computeResources/requests/memory
  value: 512Mi
- op: replace
  path: /spec/stepTemplate/computeResources/requests/cpu
  value: 100m
# prepare-sboms step
- op: replace
  path: /spec/steps/3/computeResources/limits/memory
  value: 256Mi
- op: replace
  path: /spec/steps/3/computeResources/requests/memory
  value: 128Mi
- op: replace
  path: /spec/steps/3/computeResources/requests/cpu
  value: 10m
# upload-sbom step
- op: replace
  path: /spec/steps/4/computeResources/limits/memory
  value: 2Gi
- op: replace
  path: /spec/steps/4/computeResources/requests/memory
  value: 512Mi
- op: replace
  path: /spec/steps/4/computeResources/requests/cpu
  value: 100m
--------------------------------------------------------------------------------
/archived-tasks/buildah-min/0.5/patch.yaml:
--------------------------------------------------------------------------------
- op: replace
  path: /metadata/name
  value: buildah-min
# build step
- op: replace
  path: /spec/steps/0/computeResources/limits/memory
  value: 4Gi
- op: replace
  path: /spec/steps/0/computeResources/requests/memory
  value: 1Gi
- op: replace
  path: /spec/steps/0/computeResources/requests/cpu
  value: 100m
# push, and sbom-syft-generate steps
- op: replace
  path: /spec/stepTemplate/computeResources/limits/memory
  value: 2Gi
- op: replace
  path: /spec/stepTemplate/computeResources/requests/memory
  value: 512Mi
- op: replace
  path: /spec/stepTemplate/computeResources/requests/cpu
  value: 100m
# prepare-sboms step
- op: replace
  path: /spec/steps/3/computeResources/limits/memory
  value: 256Mi
- op: replace
  path: /spec/steps/3/computeResources/requests/memory
  value: 128Mi
- op: replace
  path: /spec/steps/3/computeResources/requests/cpu
  value: 10m
# upload-sbom step
- op: replace
  path: /spec/steps/4/computeResources/limits/memory
  value: 2Gi
- op: replace
  path: /spec/steps/4/computeResources/requests/memory
  value: 512Mi
- op: replace
  path: /spec/steps/4/computeResources/requests/cpu
  value: 100m
--------------------------------------------------------------------------------
/task-generator/trusted-artifacts/golden/prefetch-dependencies/recipe.yaml:
--------------------------------------------------------------------------------
---
add:
  - use-source
  - create-source
  - create-prefetch
additionalSteps:
  - at: 0
    name: skip-ta
    image: registry.access.redhat.com/ubi9/ubi-minimal:9.3-1612@sha256:119ac25920c8bb50c8b5fd75dcbca369bf7d1f702b82f3d39663307890f0bf26
    env:
      - name: INPUT
        value: $(params.input)
      - name: SOURCE_ARTIFACT
        value: $(params.SOURCE_ARTIFACT)
    script: |
      if [ -z "${INPUT}" ]; then
        mkdir -p /var/workdir/source
        mkdir -p /var/workdir/cachi2
        echo "true" > /var/workdir/source/.skip-trusted-artifacts
        echo "true" > /var/workdir/cachi2/.skip-trusted-artifacts
        echo -n "${SOURCE_ARTIFACT}" > $(results.SOURCE_ARTIFACT.path)
        echo -n "" > $(results.CACHI2_ARTIFACT.path)
      fi
description: |-
  Task that uses Hermeto to prefetch build dependencies. The fetched dependencies and the
  application source code are stored as a trusted artifact in the provided OCI repository.
  For additional info on Hermeto, see docs at
  https://hermetoproject.github.io/hermeto/#basic-usage
preferStepTemplate: true
removeWorkspaces:
  - source
replacements:
  workspaces.source.path: /var/workdir
--------------------------------------------------------------------------------
/task/source-build/0.3/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.2 to 0.3

Version 0.3:

`source-build` task has a new required parameter `BINARY_IMAGE_DIGEST`. Make
these changes to parameters of `build-source-image` task in build pipelines:

* Pass build task result `IMAGE_URL` to parameter `BINARY_IMAGE`.
* Pass build task result `IMAGE_DIGEST` to parameter `BINARY_IMAGE_DIGEST`.

The build task can be either `build-image-index` or `build-container`, depending
on the user's build pipeline. If both are included, `build-image-index` takes
precedence.

## Action from users

Apply either of the following diffs to the `build-source-image` task in build pipelines:

```diff
      params:
        - name: BINARY_IMAGE
-         value: "$(params.output-image)"
+         value: "$(tasks.build-image-index.results.IMAGE_URL)"
+       - name: BINARY_IMAGE_DIGEST
+         value: "$(tasks.build-image-index.results.IMAGE_DIGEST)"
      workspaces:
```

or

```diff
      params:
        - name: BINARY_IMAGE
-         value: "$(params.output-image)"
+         value: "$(tasks.build-container.results.IMAGE_URL)"
+       - name: BINARY_IMAGE_DIGEST
+         value: "$(tasks.build-container.results.IMAGE_DIGEST)"
      workspaces:
```
--------------------------------------------------------------------------------
/task/slack-webhook-notification-oci-ta/0.1/README.md:
--------------------------------------------------------------------------------
# slack-webhook-notification-oci-ta task

Sends a message to Slack using an incoming webhook.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|files|List of files to dump. Their content will be added to the message.|[]|false|
|group-ids|List of Slack group IDs to mention (e.g., S0614TZR7). If set, the groups will be mentioned in the notification.|[]|false|
|key-name|Key in the secret which contains the webhook URL for Slack.||true|
|message|Message to be sent||true|
|secret-name|Secret with at least one key whose value is a webhook URL for Slack, e.g. oc create secret generic my-secret --from-literal team1=https://hooks.slack.com/services/XXX/XXXXXX --from-literal team2=https://hooks.slack.com/services/YYY/YYYYYY |slack-webhook-notification-secret|false|
|submodules|List of submodule names to dump. The git log since the previous submodule commit will be added to the message. The previous submodule commit is found by looking at the previous commit in the repository that declares the submodules.|[]|false|
|user-ids|List of Slack user IDs to mention (e.g., U024BE7LH). If set, the users will be mentioned in the notification.|[]|false|


## Additional info
--------------------------------------------------------------------------------
/task/source-build-oci-ta/0.3/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.2 to 0.3

Version 0.3:

`source-build-oci-ta` task has a new required parameter `BINARY_IMAGE_DIGEST`.
Make these changes to parameters of `build-source-image` task in build pipelines:

* Pass build task result `IMAGE_URL` to parameter `BINARY_IMAGE`.
* Pass build task result `IMAGE_DIGEST` to parameter `BINARY_IMAGE_DIGEST`.

The build task can be either `build-image-index` or `build-container`, depending
on the user's build pipeline. If both are included, `build-image-index` takes
precedence.

## Action from users

Apply either of the following diffs to the `build-source-image` task in build pipelines:

```diff
      params:
        - name: BINARY_IMAGE
-         value: "$(params.output-image)"
+         value: "$(tasks.build-image-index.results.IMAGE_URL)"
+       - name: BINARY_IMAGE_DIGEST
+         value: "$(tasks.build-image-index.results.IMAGE_DIGEST)"
      workspaces:
```

or

```diff
      params:
        - name: BINARY_IMAGE
-         value: "$(params.output-image)"
+         value: "$(tasks.build-container.results.IMAGE_URL)"
+       - name: BINARY_IMAGE_DIGEST
+         value: "$(tasks.build-container.results.IMAGE_DIGEST)"
      workspaces:
```
--------------------------------------------------------------------------------
/task/build-vm-image/0.1/README.md:
--------------------------------------------------------------------------------
# build-vm-image task

Build disk images using bootc-image-builder.
https://github.com/osbuild/bootc-image-builder/

## Parameters
|name|description|default value|required|
|---|---|---|---|
|PLATFORM|The platform to build on||true|
|IMAGE_APPEND_PLATFORM|Whether to append a sanitized platform architecture on the IMAGE tag|false|false|
|OUTPUT_IMAGE|The output manifest list that points to the OCI artifact of the zipped image||true|
|SOURCE_ARTIFACT|||true|
|IMAGE_TYPE|The type of VM image to build; valid values are iso, qcow2, gce, vhd and raw||true|
|BIB_CONFIG_FILE|The config file specifying what to build and the builder to build it with|bib.yaml|false|
|CONFIG_TOML_FILE|The path for the config.toml file within the source repository|""|false|
|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false|
|ACTIVATION_KEY|Name of secret which contains the subscription activation key|activation-key|false|
|STORAGE_DRIVER|Storage driver to configure for buildah|vfs|false|

## Results
|name|description|
|---|---|
|IMAGE_DIGEST|Digest of the manifest list just built|
|IMAGE_URL|Image repository where the built manifest list was pushed|
|IMAGE_REFERENCE|Image reference (IMAGE_URL + IMAGE_DIGEST)|


## Additional info
--------------------------------------------------------------------------------
/task/slack-webhook-notification/0.1/README.md:
--------------------------------------------------------------------------------
# slack-webhook-notification task

Sends a message to Slack using an incoming webhook.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|message|Message to be sent||true|
|secret-name|Secret with at least one key whose value is a webhook URL for Slack, e.g. oc create secret generic my-secret --from-literal team1=https://hooks.slack.com/services/XXX/XXXXXX --from-literal team2=https://hooks.slack.com/services/YYY/YYYYYY |slack-webhook-notification-secret|false|
|key-name|Key in the secret which contains the webhook URL for Slack.||true|
|user-ids|List of Slack user IDs to mention (e.g., U024BE7LH). If set, the users will be mentioned in the notification.|[]|false|
|group-ids|List of Slack group IDs to mention (e.g., S0614TZR7). If set, the groups will be mentioned in the notification.|[]|false|
|submodules|List of submodule names to dump. The git log since the previous submodule commit will be added to the message. The previous submodule commit is found by looking at the previous commit in the repository that declares the submodules.|[]|false|
|files|List of files to dump. Their content will be added to the message.|[]|false|

## Workspaces
|name|description|optional|
|---|---|---|
|source|Workspace containing the source code to build.|true|

## Additional info
--------------------------------------------------------------------------------
/task/clair-scan/0.3/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.2 to 0.3

Version 0.3:

This version improves performance:
- Parallel execution: TaskRuns are executed in parallel across each image architecture using Tekton's matrix.
- Single scan execution: The scan is performed once, and the second report is generated by converting the first report's output format, reducing redundant scanning.

Changes:
- Added a new parameter `image-platform` (default: "").
- Optimized scanning: run the scan once and reuse results for the second report.
- Introduced matrix in the build pipeline definition to support parallel TaskRuns for multi-arch builds.

## Action from users

A Renovate bot PR will be created with a warning icon for clair-scan; this is expected, and no action from users is required.

For multi-arch builds, `matrix` will be added to the build pipeline definition file automatically by the script migrations/0.3.sh when MintMaker runs [pipeline-migration-tool](https://github.com/konflux-ci/pipeline-migration-tool). In case the migration script fails to apply, the following diff needs to be applied to the clair-scan task in the build pipelines:

```diff
-  - name: clair-scan
+  - matrix:
+      params:
+        - name: image-platform
+          value:
+            - $(params.build-platforms)
+    name: clair-scan
```
--------------------------------------------------------------------------------
/.github/workflows/check-task-owners.yaml:
--------------------------------------------------------------------------------
name: Validate PR - check task owners
'on':
  pull_request:
    branches: [main]
  merge_group:
    types: [checks_requested]
jobs:
  check:
    name: Check Task OWNERS
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@v6

      - name: Check task owners
        run: |
          ./hack/check-task-owners.sh

      - name: Check task version labels
        run: |
          ./hack/check-task-version-labels.sh

      - name: Check renovate.json groups
        run: |
          #!/bin/bash
          set -euo pipefail

          renovate_content=$(cat renovate.json)
          ./hack/update_renovate_json_based_on_codeowners.py -o renovate.json

          uptodate=$(jq --argjson previous "$renovate_content" '$previous == .' renovate.json)
          echo "renovate.json is up to date: $uptodate"

          if [[ $uptodate == false ]]; then
            echo
            git --no-pager diff -- renovate.json
            echo
            echo "To apply the updates, run: ./hack/update_renovate_json_based_on_codeowners.py -o renovate.json"
            echo "Or run ./hack/generate-everything.sh to run all the generators at once."
            exit 1
          fi
--------------------------------------------------------------------------------
/archived-tasks/buildah/0.4/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.3 to 0.4

Version 0.4:

* Changes the default SBOM format from CycloneDX to SPDX.

## Action from users

In order for a typical Konflux pipeline to work well with SPDX, all the tasks
that handle SBOMs must be SPDX-ready. Relevant tasks and required versions:

* `prefetch-dependencies >= 0.2`
* `source-build >= 0.2`
* `deprecated-image-check >= 0.5`

> Note: the same version constraints apply even if you use the `*-oci-ta` variants
> of these tasks.

If your pipeline uses these tasks, please make sure their versions are high enough.
There's a good chance that the Pull Request which led you to this migration document
has updated every relevant task in your pipelines at once.

# Migration from 0.4 to 0.4.1

Version 0.4.1:

* Add the `SOURCE_URL` parameter.

## Action from users
`SOURCE_URL` will be added to build pipeline definition files
automatically by script migrations/0.4.1.sh when MintMaker runs
[pipeline-migration-tool](https://github.com/konflux-ci/pipeline-migration-tool).

To achieve the migration manually, you can do as follows in the build task array:
```diff
  params:
    [...]
+   - name: SOURCE_URL
+     value: $(tasks.clone-repository.results.url)
    [...]
```
--------------------------------------------------------------------------------
/archived-tasks/buildah-oci-ta/0.4/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.3 to 0.4

Version 0.4:

* Changes the default SBOM format from CycloneDX to SPDX.

## Action from users

In order for a typical Konflux pipeline to work well with SPDX, all the tasks
that handle SBOMs must be SPDX-ready. Relevant tasks and required versions:

* `prefetch-dependencies >= 0.2`
* `source-build >= 0.2`
* `deprecated-image-check >= 0.5`

> Note: the same version constraints apply even if you use the `*-oci-ta` variants
> of these tasks.

If your pipeline uses these tasks, please make sure their versions are high enough.
There's a good chance that the Pull Request which led you to this migration document
has updated every relevant task in your pipelines at once.

# Migration from 0.4 to 0.4.1

Version 0.4.1:

* Add the `SOURCE_URL` parameter.

## Action from users
`SOURCE_URL` will be added to build pipeline definition files
automatically by script migrations/0.4.1.sh when MintMaker runs
[pipeline-migration-tool](https://github.com/konflux-ci/pipeline-migration-tool).

To achieve the migration manually, you can do as follows in the build task array:
```diff
  params:
    [...]
+   - name: SOURCE_URL
+     value: $(tasks.clone-repository.results.url)
    [...]
```
--------------------------------------------------------------------------------
/archived-tasks/buildah-remote/0.4/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.3 to 0.4

Version 0.4:

* Changes the default SBOM format from CycloneDX to SPDX.

## Action from users

In order for a typical Konflux pipeline to work well with SPDX, all the tasks
that handle SBOMs must be SPDX-ready. Relevant tasks and required versions:

* `prefetch-dependencies >= 0.2`
* `source-build >= 0.2`
* `deprecated-image-check >= 0.5`

> Note: the same version constraints apply even if you use the `*-oci-ta` variants
> of these tasks.

If your pipeline uses these tasks, please make sure their versions are high enough.
There's a good chance that the Pull Request which led you to this migration document
has updated every relevant task in your pipelines at once.

# Migration from 0.4 to 0.4.1

Version 0.4.1:

* Add the `SOURCE_URL` parameter.

## Action from users
`SOURCE_URL` will be added to build pipeline definition files
automatically by script migrations/0.4.1.sh when MintMaker runs
[pipeline-migration-tool](https://github.com/konflux-ci/pipeline-migration-tool).

To achieve the migration manually, you can do as follows in the build task array:
```diff
  params:
    [...]
+   - name: SOURCE_URL
+     value: $(tasks.clone-repository.results.url)
    [...]
```
--------------------------------------------------------------------------------
/archived-tasks/buildah-remote-oci-ta/0.4/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.3 to 0.4

Version 0.4:

* Changes the default SBOM format from CycloneDX to SPDX.

## Action from users

In order for a typical Konflux pipeline to work well with SPDX, all the tasks
that handle SBOMs must be SPDX-ready. Relevant tasks and required versions:

* `prefetch-dependencies >= 0.2`
* `source-build >= 0.2`
* `deprecated-image-check >= 0.5`

> Note: the same version constraints apply even if you use the `*-oci-ta` variants
> of these tasks.

If your pipeline uses these tasks, please make sure their versions are high enough.
There's a good chance that the Pull Request which led you to this migration document
has updated every relevant task in your pipelines at once.

# Migration from 0.4 to 0.4.1

Version 0.4.1:

* Add the `SOURCE_URL` parameter.

## Action from users
`SOURCE_URL` will be added to build pipeline definition files
automatically by script migrations/0.4.1.sh when MintMaker runs
[pipeline-migration-tool](https://github.com/konflux-ci/pipeline-migration-tool).

To achieve the migration manually, you can do as follows in the build task array:
```diff
  params:
    [...]
+   - name: SOURCE_URL
+     value: $(tasks.clone-repository.results.url)
    [...]
```
--------------------------------------------------------------------------------
/stepactions/fips-operator-check-step-action/0.1/README.md:
--------------------------------------------------------------------------------
## fips-operator-check-step-action

This stepAction scans the relatedImages of operator bundle image builds for FIPS compliance using the check-payload tool. Images are processed in parallel to improve performance.
* The relatedImages are expected to be in a file located at `/tekton/home/unique_related_images.txt`.
* To run the check-payload scan with the built-in exception list, the target OCP version (`v4.x`) should be in a file located at `/tekton/home/target_ocp_version.txt`.
* It also supports replacing relatedImages pullspecs with their first mirror. To use that, a mapping like {"source_registry_and_repo": ["mirror_registry_and_repo"]} should be stored in a file located at `/tekton/home/related-images-map.txt`.

## Parameters:

| name               | description                                                 | default |
|--------------------|-------------------------------------------------------------|---------|
| MAX_PARALLEL       | Maximum number of images to process in parallel             | 8       |

## Results:

| name               | description                          |
|--------------------|--------------------------------------|
| TEST_OUTPUT        | Tekton task test output.             |


## Additional links:
https://github.com/openshift/check-payload
--------------------------------------------------------------------------------
/archived-tasks/coverity-availability-check-oci-ta/0.2/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.1 to 0.2

Starting with version 0.2, the `coverity-availability-check-oci-ta` task is deprecated. Please use `coverity-availability-check` instead.

## Action from users

In your pipelines, find the references to `coverity-availability-check-oci-ta` and replace them with `coverity-availability-check`.
For the task bundle (the `quay.io/...` reference), you will also need to change the sha256 digest. Example:

```diff
   taskRef:
     resolver: bundles
     params:
       - name: name
-        value: coverity-availability-check-oci-ta
+        value: coverity-availability-check
       - name: bundle
-        value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check-oci-ta:0.2@sha256:8653d290298593e4db9457ab00d9160738c31c384b7615ee30626ccab6f96ed8
+        value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:91ba738df7ec548d4127163e07a88de06568a350fbf581405cc8fc8498f6153c
       - name: kind
         value: task
```

If you would prefer to use the latest digest rather than the one which was latest at the time of writing this doc, get it with:

```bash
skopeo inspect --no-tags --format '{{.Digest}}' docker://quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2
```
--------------------------------------------------------------------------------
/archived-tasks/sast-snyk-check-oci-ta/0.2/README.md:
--------------------------------------------------------------------------------
# sast-snyk-check-oci-ta task

Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks, using Snyk Code, a Static Application Security Testing (SAST) tool.

Follow the steps given [here](https://redhat-appstudio.github.io/docs.appstudio.io/Documentation/main/how-to-guides/testing_applications/enable_snyk_check_for_a_product/) to obtain a snyk-token and to enable the snyk task in a Pipeline.

The snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test

See https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.
10 | 11 | ## Parameters 12 | |name|description|default value|required| 13 | |---|---|---|---| 14 | |ARGS|Append arguments.|--all-projects --exclude=test*,vendor,deps|false| 15 | |CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false| 16 | |SNYK_SECRET|Name of secret which contains Snyk token.|snyk-secret|false| 17 | |SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true| 18 | |image-digest|Image digest to report findings for.|""|false| 19 | |image-url|Image URL.|""|false| 20 | 21 | ## Results 22 | |name|description| 23 | |---|---| 24 | |TEST_OUTPUT|Tekton task test output.| 25 | 26 | -------------------------------------------------------------------------------- /archived-tasks/fbc-validation/0.1/USAGE.md: -------------------------------------------------------------------------------- 1 | # fbc-validation task 2 | 3 | ## Checks: 4 | ### Valid base image 5 | To validate the image in build pipeline, Skopeo is used to extract 6 | information from the image itself and then contents are checked using the OpenShift Operator Framework. The binary 7 | used to run the validation is extracted from the base image for the component being tested. Because of this, the 8 | base image must come from a trusted source. Trusted sources are declared in `ALLOWED_BASE_IMAGES` in fbc-validation.yaml. 9 | 10 | ### Valid FBC schema 11 | To validate the schema format of the FBC fragment, the test 12 | 1. validates that the `operators.operatoframework.io.index.configs.v1` label is present on the image to identify the fragment path 13 | 2. extracts the `opm` binary from the base image for the fragment 14 | 3. executes `opm validate` over the fragment 15 | 16 | ### At least one package in fragment 17 | To validate that at least one package is included in the fragment, the test renders the FBC using `opm` and uses `jq` to count instances of `olm.package` and fails if there are none. 
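The following is an added example, not code from the fbc-validation task or the opm-get-bundle-version task on this page. It shows, offline and in Python, the checks these two tasks perform with `opm` and `jq`: parsing the concatenated-JSON stream that `opm render` emits, counting `olm.package` entries, applying the `olm.bundle.object` / `olm.csv.metadata` rule for a target OCP version, and pulling the `olm.package` version out of a bundle's properties. The sample render output, the package name `example-operator` and the bundle image reference are constructed for the example.

```python
"""Offline checks over `opm render` output (constructed example, not the
fbc-validation or opm-get-bundle-version task code)."""
import json
from typing import Dict, Iterator, List, Optional, Tuple


def iter_render_stream(text: str) -> Iterator[dict]:
    """`opm render` prints concatenated JSON objects, not a JSON array, so a
    single json.loads() fails; decode one object at a time instead."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(text)
    while True:
        while pos < end and text[pos].isspace():  # raw_decode rejects leading whitespace
            pos += 1
        if pos >= end:
            return
        obj, pos = decoder.raw_decode(text, pos)
        yield obj


def count_packages(objs: List[dict]) -> int:
    """The 'at least one package' check: number of olm.package blobs."""
    return sum(1 for o in objs if o.get("schema") == "olm.package")


def bundle_version(bundle: dict) -> Optional[str]:
    """Same selection as jq '.properties[] | select(.type=="olm.package") | .value.version'."""
    for prop in bundle.get("properties", []):
        if prop.get("type") == "olm.package":
            return prop["value"]["version"]
    return None


def check_bundle_metadata_format(bundle: dict, ocp_version: Tuple[int, int]) -> List[str]:
    """Return problems for the bundle-metadata rule; empty list means compliant."""
    types = {p.get("type") for p in bundle.get("properties", [])}
    has_obj, has_csv = "olm.bundle.object" in types, "olm.csv.metadata" in types
    name = bundle.get("name", "<unnamed>")
    problems = []
    if ocp_version <= (4, 16):
        if not has_obj:
            problems.append(f"{name}: OCP <= 4.16 requires olm.bundle.object")
        if has_csv:
            problems.append(f"{name}: OCP <= 4.16 must not use olm.csv.metadata")
    else:
        if not has_csv:
            problems.append(f"{name}: OCP >= 4.17 requires olm.csv.metadata")
        if has_obj:
            problems.append(f"{name}: OCP >= 4.17 must not use olm.bundle.object")
    return problems


def validate_fragment(render_output: str, ocp_version: Tuple[int, int]) -> Dict:
    """Run the package-count and metadata-format checks and collect bundle versions."""
    objs = list(iter_render_stream(render_output))
    bundles = [o for o in objs if o.get("schema") == "olm.bundle"]
    problems = []
    packages = count_packages(objs)
    if packages == 0:
        problems.append("no olm.package found in fragment")
    for b in bundles:
        problems.extend(check_bundle_metadata_format(b, ocp_version))
    return {
        "packages": packages,
        "bundle_versions": {b["name"]: bundle_version(b) for b in bundles},
        "problems": problems,
    }


# Constructed sample resembling `opm render` output for a one-bundle fragment;
# the package, bundle name, image and digest are made up for this example.
SAMPLE_RENDER = """
{"schema": "olm.package", "name": "example-operator", "defaultChannel": "stable"}
{"schema": "olm.channel", "package": "example-operator", "name": "stable",
 "entries": [{"name": "example-operator.v1.2.3"}]}
{"schema": "olm.bundle", "name": "example-operator.v1.2.3", "package": "example-operator",
 "image": "registry.example.com/example/operator-bundle@sha256:0000000000000000000000000000000000000000000000000000000000000000",
 "properties": [
   {"type": "olm.package", "value": {"packageName": "example-operator", "version": "1.2.3"}},
   {"type": "olm.bundle.object", "value": {"data": "e30="}}
 ]}
"""

if __name__ == "__main__":
    for target in ((4, 16), (4, 17)):
        print(target, validate_fragment(SAMPLE_RENDER, target))
```

The sample bundle passes for OCP 4.16 and fails twice for 4.17 (it carries `olm.bundle.object` and lacks `olm.csv.metadata`), which is exactly the split the check above describes; an empty render output fails the package-count check.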
### Bundle metadata in the appropriate format
To validate bundle metadata, the test evaluates bundle metadata usage against the target OCP version:
- for 4.16 and earlier, fragments must use `olm.bundle.object` (and not use `olm.csv.metadata`)
- for 4.17 and later, fragments must use `olm.csv.metadata` (and not use `olm.bundle.object`)
--------------------------------------------------------------------------------
/task/sbom-json-check/0.2/MIGRATION.md:
--------------------------------------------------------------------------------
## Deprecation notice

This task is deprecated, please remove it from your pipeline.
Deprecation date: 2024-09-30

# Migration from 0.1 to 0.2

Version 0.2:

No changes within this version; its only purpose is to provide information on how to remove this task from your pipeline.

## Action from users

To remove this task from your pipeline please follow these steps:

1. Remove the sbom-json-check definition from pipelines/template-build/template-build.yaml

```diff
--- a/pipelines/template-build/template-build.yaml
+++ b/pipelines/template-build/template-build.yaml
@@ -242,21 +242,6 @@ spec:
         value: $(tasks.build-image-index.results.IMAGE_DIGEST)
       - name: image-url
         value: $(tasks.build-image-index.results.IMAGE_URL)
-  - name: sbom-json-check
-    when:
-    - input: $(params.skip-checks)
-      operator: in
-      values: ["false"]
-    runAfter:
-    - build-image-index
-    taskRef:
-      name: sbom-json-check
-      version: "0.1"
-    params:
-    - name: IMAGE_URL
-      value: $(tasks.build-image-index.results.IMAGE_URL)
-    - name: IMAGE_DIGEST
-      value: $(tasks.build-image-index.results.IMAGE_DIGEST)
   - name: apply-tags
     runAfter:
     - build-image-index
```
--------------------------------------------------------------------------------
/archived-tasks/tkn-bundle/0.1/TESTING.md:
--------------------------------------------------------------------------------
# Testing tkn-bundle Tekton Task

Make sure you have shellspec installed[1]. The test setup script will bring up a kind[2] cluster and install Tekton Pipeline. The source is provided via the `source-pvc` PersistentVolumeClaim and prepopulated with the test?.y*ml files so that no source checkout is needed.

For second and subsequent invocations the setup is quicker, as it only applies any changes to the already running and configured cluster. To delete the cluster and start afresh run: `kind delete cluster --name=test-tkn-bundle`.

To run the tests run `shellspec` from this directory.

## Example of a testing setup and session

```shell
$ pwd
.../build-definitions/task/tkn-bundle/0.1
$ shellspec --jobs 5
Running: /bin/sh [bash 5.2.15(1)-release]
namespace/tekton-pipelines created
clusterrole.rbac.authorization.k8s.io/tekton-pipelines-controller-cluster-access created
...
pod "setup-1674815473" deleted
deployment.apps/registry created
service/registry created
deployment.apps/registry condition met
deployment.apps/tekton-pipelines-controller condition met
deployment.apps/tekton-pipelines-webhook condition met
.....

Finished in 119.59 seconds (user 7.37 seconds, sys 4.03 seconds)
2 examples, 0 failures
```

[1] https://shellspec.info/
[2] https://kind.sigs.k8s.io/
--------------------------------------------------------------------------------
/stepactions/eaas-get-latest-openshift-version-by-prefix/0.1/eaas-get-latest-openshift-version-by-prefix.yaml:
--------------------------------------------------------------------------------
---
apiVersion: tekton.dev/v1alpha1
kind: StepAction
metadata:
  name: eaas-get-latest-openshift-version-by-prefix
spec:
  description: >-
    This StepAction queries an OpenShift CI API to get the latest version for a release stream.
  image: quay.io/konflux-ci/appstudio-utils@sha256:ae8cf015eee19adef1ae5b7a6b346fb1a74acd59bfff55e57744527f283cf1f0
  params:
    - name: prefix
      type: string
      description: The leading part of the OpenShift version. E.g. `4.` or `4.15.`
    - name: releaseStream
      type: string
      default: 4-stable-multi
      description: The name of the OpenShift release stream. E.g. `4-stable-multi`
    - name: host
      type: string
      default: multi.ocp.releases.ci.openshift.org
      description: The name of the API host. E.g. `multi.ocp.releases.ci.openshift.org`
  results:
    - name: version
      description: The latest matching version.
  env:
    - name: URL
      value: https://$(params.host)/api/v1/releasestream/$(params.releaseStream)/latest?prefix=$(params.prefix)
  script: |
    #!/bin/bash
    set -eo pipefail

    echo "GET $URL"
    # The request header is `Accept` (the original had the misspelling `Accepts`,
    # which servers ignore); -f makes a non-2xx response fail the step.
    RESULT=$(curl -f -s -L -H "Accept: application/json" "$URL")
    echo "$RESULT"
    jq -j '.name' <<< "$RESULT" > "$(step.results.version.path)"
--------------------------------------------------------------------------------
/task/clamav-scan/0.3/migrations/0.3.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

set -euo pipefail

# Created for task: clamav-scan@0.3
# Creation time: 2025-07-21T01:11:59+00:00

declare -r pipeline_file=${1:?missing pipeline file}
TASK_NAME="clamav-scan"

# Check if the pipeline has 'build-platforms' parameter
if ! yq -e '.spec.params[] | select(.name == "build-platforms")' "$pipeline_file" >/dev/null 2>&1; then
  echo "Matrix will not be added because the dependent parameter 'build-platforms' is not defined in the pipeline."
  exit 0
fi

# Check if the task exists
if ! yq -e '.spec.tasks[] | select(.name == "'"$TASK_NAME"'")' "$pipeline_file" >/dev/null 2>&1; then
  echo "Task '$TASK_NAME' does not exist in the pipeline."
  exit 0
fi

# Check if the task already has a matrix (yq -e exits non-zero when has() yields false)
if yq -e '.spec.tasks[] | select(.name == "'"$TASK_NAME"'") | has("matrix")' "$pipeline_file" >/dev/null 2>&1; then
  echo "Matrix already exists for task '$TASK_NAME'. No changes made."
else
  echo "Adding matrix for task '$TASK_NAME'..."
  yq -i "
    (.spec.tasks[]
      | select(.name == \"clamav-scan\" and .matrix == null)
    ).matrix = {
      \"params\": [
        {
          \"name\": \"image-arch\",
          \"value\": [\"\$(params.build-platforms)\"]
        }
      ]
    }
  " "$pipeline_file"

  echo "Adding matrix for task '$TASK_NAME' completed!"
fi
--------------------------------------------------------------------------------
/task/source-build-oci-ta/0.3/README.md:
--------------------------------------------------------------------------------
# source-build-oci-ta task

Source image build.

## Parameters
|name|description|default value|required|
|---|---|---|---|
|BASE_IMAGES|By default, the task inspects the SBOM of the binary image to find the base image. With this parameter, you can override that behavior and pass the base image directly. The value should be a newline-separated list of images, in the same order as the FROM instructions specified in a multistage Dockerfile.|""|false|
|BINARY_IMAGE|Binary image name with tag.||true|
|BINARY_IMAGE_DIGEST|Digest of the binary image.||true|
|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false|
|IGNORE_UNSIGNED_IMAGE|When set to "true", the source build task won't fail when the source image is missing signatures (this can be used for development; do not enable it for release builds, since it turns off the signature check)|false|false|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|

## Results
|name|description|
|---|---|
|BUILD_RESULT|Build result.|
|IMAGE_REF|Image reference of the built image.|
|SOURCE_IMAGE_DIGEST|The source image digest.|
|SOURCE_IMAGE_URL|The source image URL.|


## Additional info
--------------------------------------------------------------------------------
/.github/workflows/check-task-and-pipeline-yamls.yaml:
--------------------------------------------------------------------------------
name: Check Tasks and Pipelines YAMLs

"on":
  pull_request:
    branches: [main]
  merge_group:
    types: [checks_requested]

jobs:
  check:
    runs-on: ubuntu-24.04

    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Create k8s Kind Cluster
        uses: helm/kind-action@v1.13.0
        with:
          cluster_name: kind

      - name: Set up Tekton
        id: setup-tektoncd
        # `@main` is a mutable ref; pinning to a commit SHA would fix the action's content.
        uses: tektoncd/actions/setup-tektoncd@main
        with:
          pipeline_version: latest
        continue-on-error: true

      - name: Describe setup-tektoncd failure
        if: steps.setup-tektoncd.outcome != 'success'
        run: |
          curl -s https://api.github.com/repos/tektoncd/pipeline/releases/latest | jq
          echo "The previous action setup-tektoncd seems to have failed due to a known issue caused by hitting the rate-limit"
          echo "For more information, follow the following issue: https://github.com/tektoncd/actions/issues/9"
          echo "The only known workaround at the moment is to re-run this workflow."
          exit 1

      - name: Apply all Task & Pipeline YAMLs
        run: |
          set -e
          ./.github/scripts/check_task_and_pipeline_yamls.sh
--------------------------------------------------------------------------------
/task/opm-get-bundle-version/0.1/opm-get-bundle-version.yaml:
--------------------------------------------------------------------------------
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: opm-get-bundle-version
  labels:
    app.kubernetes.io/version: "0.1"
spec:
  description: Fetch the current version of the provided OLM bundle image
  params:
    - name: bundle-image
      description: OLM bundle image to query
  results:
    - name: bundle-version
      description: olm.package version
  workspaces:
    - name: workspace
      description: The shared workspace between steps
  steps:
    - name: opm-render-bundle
      image: "registry.redhat.io/openshift4/ose-operator-registry:latest"
      securityContext:
        runAsUser: 0
      env:
        - name: BUNDLE_IMAGE
          value: $(params.bundle-image)
      script: |
        #!/usr/bin/env bash
        set -xe
        opm render "${BUNDLE_IMAGE}" > "$(workspaces.workspace.path)/bundle.json"
    - name: jq-get-olm-package-version
      image: "quay.io/konflux-ci/appstudio-utils:1610c1fc4cfc9c9053dbefc1146904a4df6659ef@sha256:90ac97b811073cb99a23232c15a08082b586c702b85da6200cf54ef505e3c50c"
      script: |
        #!/usr/bin/env bash
        set -xe

        jq -jr \
          '.properties | .[] | select(.type == "olm.package") | .value.version' \
          "$(workspaces.workspace.path)/bundle.json" \
          > "$(results.bundle-version.path)"
--------------------------------------------------------------------------------
/task/clair-scan/0.3/migrations/0.3.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

set -euo pipefail

# Created for task: clair-scan@0.3
# Creation time: 2025-08-21T01:52:31+00:00

declare -r pipeline_file=${1:?missing pipeline file}

# Check if the pipeline has 'build-platforms' parameter
if ! yq -e '.spec.params[] | select(.name == "build-platforms")' "$pipeline_file" >/dev/null 2>&1; then
  echo "Matrix will not be added because the dependent parameter 'build-platforms' is not defined in the pipeline."
  exit 0
fi

# Check if the task exists
if ! yq -e '.spec.tasks[] | select(.name == "clair-scan")' "$pipeline_file" >/dev/null 2>&1; then
  echo "Task 'clair-scan' does not exist in the pipeline."
  exit 0
fi

# Check if the task already has a matrix
if yq -e '.spec.tasks[] | select(.name == "clair-scan") | has("matrix")' "$pipeline_file" >/dev/null 2>&1; then
  echo "Matrix already exists for task 'clair-scan'. No changes made."
else
  echo "Adding matrix for task 'clair-scan'..."
  # Prepend the matrix key so it appears before the task's other fields.
  yq -i "
    (.spec.tasks[] | select(.name == \"clair-scan\" and .matrix == null)) |=
    {
      \"matrix\": {
        \"params\": [
          {
            \"name\": \"image-platform\",
            \"value\": [\"\$(params.build-platforms)\"]
          }
        ]
      }
    } + .
  " "$pipeline_file"

  echo "Adding matrix for task 'clair-scan' completed!"
fi
--------------------------------------------------------------------------------
/task/fbc-fips-check-oci-ta/0.1/recipe.yaml:
--------------------------------------------------------------------------------
---
base: ../../fbc-fips-check/0.1/fbc-fips-check.yaml
add:
  - use-source
preferStepTemplate: true
removeWorkspaces:
  - workspace
replacements:
  workspaces.workspace.path: /var/workdir
description: |-
  The fbc-fips-check task uses the check-payload tool to verify if an unreleased operator bundle in an FBC fragment image is FIPS compliant.
  It only scans operator bundle images which either claim to be FIPS compliant by setting the `features.operators.openshift.io/fips-compliant` label to `"true"` on the bundle image or require one of `OpenShift Kubernetes Engine, OpenShift Platform Plus or OpenShift Container Platform` subscriptions to run the operator on an OpenShift cluster.
  This task extracts relatedImages from all unreleased operator bundle images in your FBC fragment and scans them. In the context of an FBC fragment, an unreleased operator bundle image is one that isn't currently present in the Red Hat production Index Image (`registry.redhat.io/redhat/redhat-operator-index`). The relatedImages pullspecs must be pullable at build time of the FBC fragment.
  In order to resolve them, this task expects an ImageDigestMirrorSet file located at .tekton/images-mirror-set.yaml of your FBC fragment git repo. It should map unreleased registry.redhat.io pullspecs of relatedImages to their valid quay.io pullspecs. If the ImageDigestMirrorSet is not provided, the task will attempt to process the registry.redhat.io pullspecs as is and might fail.
--------------------------------------------------------------------------------
/archived-tasks/deprecated-image-check/0.4/MIGRATION.md:
--------------------------------------------------------------------------------
# Migration from 0.3 to 0.4

New mandatory parameters are required in version 0.4: `IMAGE_URL` and `IMAGE_DIGEST`

Unused result `PYXIS_HTTP_CODE` has been removed in version 0.4.

## Action from users

### New parameters

Update files in the Pull-Request created by the Konflux bot:

- Search for the task named `deprecated-base-image-check`
- Add the new parameters into the yaml files

Example of how the section should look:

BEFORE:
```yaml
- name: deprecated-base-image-check
  params:
  - name: BASE_IMAGES_DIGESTS
    value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS)
  taskRef:
    params:
    - name: name
      value: deprecated-image-check
```

AFTER:
```yaml
- name: deprecated-base-image-check
  params:
  - name: BASE_IMAGES_DIGESTS
    value: $(tasks.build-container.results.BASE_IMAGES_DIGESTS)
  - name: IMAGE_URL
    value: $(tasks.build-container.results.IMAGE_URL)
  - name: IMAGE_DIGEST
    value: $(tasks.build-container.results.IMAGE_DIGEST)
  taskRef:
    params:
    - name: name
      value: deprecated-image-check
```

### Removed result

Update files in the Pull-Request created by the RHTAP bot:

- Search for the result named `PYXIS_HTTP_CODE` (given the historical reasons, 0 occurrences may be found)
- Remove all occurrences
--------------------------------------------------------------------------------
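The following is an added example, not code from this repository, that ties together two passages earlier on this page: the check-payload related-images map (`{"source_registry_and_repo": ["mirror_registry_and_repo"]}` in `/tekton/home/related-images-map.txt`) and the ImageDigestMirrorSet that fbc-fips-check expects at `.tekton/images-mirror-set.yaml` to map unreleased `registry.redhat.io` relatedImages pullspecs to `quay.io`. It flattens an ImageDigestMirrorSet into that map format and rewrites digest pullspecs through the longest matching source prefix, reporting any pullspec with no mirror, which is the case the task description warns may fail. Assumptions: the IDMS document is already parsed into a Python dict (as `yaml.safe_load` would return), and the registry namespaces and repositories in `SAMPLE_IDMS` are made up.

```python
"""ImageDigestMirrorSet -> related-images map, plus mirror resolution for
digest pullspecs (constructed example, not the fbc-fips-check task code)."""
import json
from typing import Dict, List, Optional, Tuple

# A parsed ImageDigestMirrorSet (config.openshift.io/v1). Names are made up.
SAMPLE_IDMS = {
    "apiVersion": "config.openshift.io/v1",
    "kind": "ImageDigestMirrorSet",
    "metadata": {"name": "example-mirrors"},
    "spec": {
        "imageDigestMirrors": [
            {"source": "registry.redhat.io/example-ns/example-operator",
             "mirrors": ["quay.io/example-org/example-operator"]},
            {"source": "registry.redhat.io/example-ns",
             "mirrors": ["quay.io/example-org"]},
        ]
    },
}


def related_images_map(idms: Dict) -> Dict[str, List[str]]:
    """Flatten spec.imageDigestMirrors into {source: [mirror, ...]}, the
    shape check-payload reads from related-images-map.txt."""
    if idms.get("kind") != "ImageDigestMirrorSet":
        raise ValueError("expected an ImageDigestMirrorSet document")
    result: Dict[str, List[str]] = {}
    for entry in idms.get("spec", {}).get("imageDigestMirrors", []):
        result.setdefault(entry["source"], []).extend(entry.get("mirrors", []))
    return result


def split_digest(pullspec: str) -> Tuple[str, str]:
    """'repo@sha256:...' -> ('repo', 'sha256:...'). Tag-only references are
    rejected: digest mirroring only applies to digest pullspecs."""
    if "@" not in pullspec:
        raise ValueError(f"not a digest pullspec: {pullspec}")
    repo, digest = pullspec.split("@", 1)
    return repo, digest


def resolve_mirror(pullspec: str, mapping: Dict[str, List[str]]) -> Optional[str]:
    """Rewrite the repository through the longest matching source prefix and
    keep the digest unchanged. None means no mirror is configured."""
    repo, digest = split_digest(pullspec)
    # longest source first so a repo-level entry wins over a namespace-level one
    for source in sorted(mapping, key=len, reverse=True):
        if repo == source or repo.startswith(source + "/"):
            mirror_repo = mapping[source][0] + repo[len(source):]
            return f"{mirror_repo}@{digest}"
    return None


def resolve_all(pullspecs: List[str], mapping: Dict[str, List[str]]) -> Tuple[List[str], List[str]]:
    """Return (resolved pullspecs, pullspecs left as-is because nothing matched)."""
    resolved, unresolved = [], []
    for p in pullspecs:
        mirrored = resolve_mirror(p, mapping)
        if mirrored is None:
            unresolved.append(p)
        else:
            resolved.append(mirrored)
    return resolved, unresolved


if __name__ == "__main__":
    mapping = related_images_map(SAMPLE_IDMS)
    print(json.dumps(mapping))  # content for /tekton/home/related-images-map.txt
    digest = "sha256:" + "a" * 64  # constructed digest
    ok, missing = resolve_all(
        [f"registry.redhat.io/example-ns/example-operator@{digest}",
         f"registry.redhat.io/other-ns/unmapped@{digest}"],
        mapping,
    )
    print("resolved:", ok)
    print("no mirror (will be pulled as-is):", missing)
```

The digest is carried over verbatim on purpose: a mirror that served different content under the same digest would fail the pull, so resolving by digest rather than by tag is what keeps the mirror substitution from weakening the scan.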