Signed provenance for ros-clone.

2023-02-07 08:34:19 -05:00 · 2023-02-07 08:34:19 -05:00 · e09db5ae37
parent 95f543154b
commit e09db5ae37
4 changed files with 101 additions and 0 deletions
--- a/chains/tekton-feature-flags.yaml
+++ b/chains/tekton-feature-flags.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+   name: feature-flags
+   namespace: tekton-pipelines
+data:
+   enable-api-fields: "alpha"
+   enable-provenance-in-status: "true"
--- a/images/Dockerfile_vcs
+++ b/images/Dockerfile_vcs
@ -0,0 +1,10 @@
+FROM docker.io/debian:bullseye-slim
+
+RUN apt update -y && \
+    apt install -y curl
+RUN curl -s https://packagecloud.io/install/repositories/dirk-thomas/vcstool/script.deb.sh | bash
+RUN apt update -y && \
+    apt install -y \
+       git \
+       openssh-client \
+       python3-vcstool
--- a/runs/j7s-ros-clone.yaml
+++ b/runs/j7s-ros-clone.yaml
@ -0,0 +1,27 @@
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+  generateName: j7s-ros-clone-
+  namespace: j7s-ci
+spec:
+  taskRef:
+    name: j7s-ros-clone
+  workspaces:
+  - name: output
+    volumeClaimTemplate:
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 0.5Gi
+  - name: ssh-directory
+    secret:
+      secretName: git-credentials
+  params:
+  - name: url
+    value: "ssh://git.jpace121.net:2222/tests/j7s-simple-ws"
+  - name: branch
+    value: "master"
+  - name: repos-file
+    value: source.repos
--- a/tasks/j7s-ros-clone.yaml
+++ b/tasks/j7s-ros-clone.yaml
@ -0,0 +1,56 @@
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: j7s-ros-clone
+  namespace: j7s-ci
+spec:
+  workspaces:
+  - name: output
+  - name: ssh-directory
+  params:
+  - name: url
+  - name: branch
+  - name: repos-file
+  results:
+  - name: workspace-git-commit-ARTIFACT_OUTPUTS
+    type: object
+    properties:
+       uri:
+          type: string
+       digest:
+          type: string
+  - name: vcs-exact-file-ARTIFACT_OUTPUTS
+    type: object
+    properties:
+       uri:
+          type: string
+       digest:
+          type: string
+  steps:
+  - image: 192.168.1.149:8443/vcs:latest
+    script: |
+      set -x
+      cp -r $(workspaces.ssh-directory.path) ~/.ssh
+      chmod 700 ~/.ssh
+      chmod -R 400 ~/.ssh/*
+
+      git clone --single-branch --branch $(params.branch) $(params.url) $(workspaces.output.path)
+      cd $(workspaces.output.path)
+      mkdir src
+      vcs import src < $(params.repos-file)
+
+      # Git hash is really sha1, rehashing to workaround Tekton bug.
+      GITHASH=`git rev-parse HEAD | sha256sum | cut -f 1 -d " "`
+      VCSEXACTHASH=`vcs export --exact ./src | sha256sum | cut -f 1 -d " "`
+      cat <<EOF > $(results.workspace-git-commit-ARTIFACT_OUTPUTS.path)
+      {
+         "uri": "$(params.url)",
+         "digest": "sha256:$GITHASH"
+      }
+      EOF
+      cat <<EOF > $(results.vcs-exact-file-ARTIFACT_OUTPUTS.path)
+      {
+         "uri": "vcs-exact-file",
+         "digest": "sha256:$VCSEXACTHASH"
+      }
+      EOF