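---
# Tekton Task: builds an image with buildah, pushes it under both
# <version> and "latest" with skopeo, signs each push with a sigstore
# (cosign) key, and reports the image URI and digest as an object result.
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
  name: j7s-buildah
  namespace: j7s-ci
spec:
  description: Build and push a container image.
  params:
    # NOTE(review): params are substituted textually into the shell script
    # below, so their values must come from a trusted pipeline definition.
    - name: registry
      description: Registry to push to.
    - name: name
      description: Name of the image.
    - name: version
      description: Version for the image.
    - name: containerfile
      description: Path of the Containerfile relative to source.
  workspaces:
    - name: source
    # Holds the signing key and passphrase; the script reads them as
    # cosign.key and cosign.password.
    - name: cosign-credentials
  steps:
    - name: build
      # NOTE(review): ":latest" is a mutable tag; pinning the builder image
      # by digest (@sha256:<DIGEST_PLACEHOLDER>) would make runs reproducible.
      image: 192.168.1.149:8443/buildah:latest
      workingDir: $(workspaces.source.path)
      script: |
        # Login
        # Tracing stays off until after login: with `set -x` active the
        # expanded login command, password included, is written to the step
        # log. The password is passed on stdin so it is not in argv either.
        # NOTE(review): --tls-verify=false disables certificate checks for
        # the registry; trusting the registry CA instead would protect the
        # credentials and the pushed image in transit.
        printf '%s' "$PASSWORD" | buildah login --tls-verify=false \
          --username="$USERNAME" --password-stdin "$(params.registry)"
        set -x

        # Signing parameters consumed by skopeo's --sign-by-sigstore.
        mkdir ~/.sigstore
        cp $(workspaces.cosign-credentials.path)/* ~/.sigstore
        cat <<EOF > ~/.sigstore/param-file.yaml
        privateKeyFile: "$HOME/.sigstore/cosign.key"
        privateKeyPassphraseFile: "$HOME/.sigstore/cosign.password"
        EOF

        # Enable sigstore signature attachments for the target registry.
        mkdir -p /etc/containers/registries.d/
        cat <<EOF > /etc/containers/registries.d/james-registry.yaml
        docker:
          $(params.registry):
            use-sigstore-attachments: true
        EOF

        # Build
        buildah --storage-driver=overlay bud --tls-verify=false --no-cache \
          -f $(params.containerfile) -t $(params.name):$(params.version) .

        # Push
        skopeo copy --dest-tls-verify=false \
          --sign-by-sigstore="$HOME/.sigstore/param-file.yaml" \
          containers-storage:localhost/$(params.name):$(params.version) \
          docker://$(params.registry)/$(params.name):$(params.version)
        skopeo copy --dest-tls-verify=false \
          --sign-by-sigstore="$HOME/.sigstore/param-file.yaml" \
          containers-storage:localhost/$(params.name):$(params.version) \
          docker://$(params.registry)/$(params.name):latest

        # Indicate results.
        # NOTE(review): this digest is read from local containers-storage;
        # the manifest digest in the registry may differ after the push.
        # Confirm they match, or record the pushed digest with skopeo copy's
        # --digestfile, since consumers of this result will treat it as the
        # identity of the published image.
        HASH=`skopeo inspect containers-storage:localhost/$(params.name):$(params.version) --format={{.Digest}}`
        cat <<EOF > $(results.image-ARTIFACT_OUTPUTS.path)
        {
          "uri": "$(params.registry)/$(params.name):$(params.version)",
          "digest": "$HASH"
        }
        EOF
      env:
        # Registry credentials come from a Secret, not from params.
        - name: USERNAME
          valueFrom:
            secretKeyRef:
              name: registry-login-secret
              key: username
        - name: PASSWORD
          valueFrom:
            secretKeyRef:
              name: registry-login-secret
              key: password
      volumeMounts:
        - name: varlibcontainers
          mountPath: /var/lib/containers
      securityContext:
        # NOTE(review): a privileged step runs untrusted Containerfile
        # instructions with full access to the node; check whether buildah
        # can run here with a narrower security context.
        privileged: true
  volumes:
    - name: varlibcontainers
      emptyDir: {}
  results:
    - name: image-ARTIFACT_OUTPUTS
      type: object
      properties:
        uri:
          type: string
        digest:
          type: string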