Merge branch 'fedora-bootc-tier-x-build' into 'main'

Initial Konflux build of Fedora tier-x container image

See merge request fedora/bootc/base-images!70
Miguel Martin Villamuelas 2025-02-09 16:26:31 +00:00
commit c1d7ec2df1
4 changed files with 634 additions and 0 deletions


@ -0,0 +1,46 @@
---
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
annotations:
build.appstudio.openshift.io/repo: https://gitlab.com/fedora/fedora-bootc/base-images/-/tree/{{revision}}
build.appstudio.redhat.com/commit_sha: '{{revision}}'
build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
pipelinesascode.tekton.dev/max-keep-runs: "3"
pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request"
&& target_branch == "main"
io.kubernetes.cri-o.Devices: "/dev/fuse"
creationTimestamp: null
labels:
appstudio.openshift.io/application: fedora-bootc-tier-x-rawhide
appstudio.openshift.io/component: fedora-bootc-tier-x-rawhide
pipelines.appstudio.openshift.io/type: build
name: fedora-bootc-tier-x-rawhide-on-pull-request
namespace: bootc-tenant
spec:
timeouts:
pipeline: 6h0m0s
tasks: 4h0m0s
finally: 2h0m0s
params:
- name: git-url
value: '{{source_url}}'
- name: revision
value: '{{revision}}'
- name: output-image
value: quay.io/konflux-fedora/bootc-tenant/fedora-bootc-tier-x-rawhide:on-pr-{{revision}}
- name: image-expires-after
value: 5d
- name: path-context
value: .
- name: config-file
value: fedora-bootc-config.json
- name: image-file
value: fedora-tier-x.yaml
- name: prefetch-input
value: ""
- name: hermetic
value: false
pipelineRef:
name: ostree-build
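Review bot: The last two entries of `params` turn off the safer defaults that the `ostree-build` pipeline on this page declares: `hermetic` is set to `false` (pipeline default `'true'`, described as "Execute the build with network isolation") and `prefetch-input` to `""` (pipeline default `{"type": "rpm"}`). Merge-request builds therefore run with network access and no prefetched RPM set, and the same two values appear in the on-push file. The pipeline types `hermetic` as `string`, so write it as `value: 'false'` rather than a bare YAML boolean. Add a comment above it recording why isolation is disabled and what has to happen before it is re-enabled. If merge requests from outside the project can trigger this run, that reasoning matters more, since the run also requests `/dev/fuse` through the `io.kubernetes.cri-o.Devices` annotation.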


@ -0,0 +1,45 @@
---
apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
annotations:
build.appstudio.openshift.io/repo: https://gitlab.com/fedora/fedora-bootc/base-images/-/tree/{{revision}}
build.appstudio.redhat.com/commit_sha: '{{revision}}'
build.appstudio.redhat.com/target_branch: '{{target_branch}}'
pipelinesascode.tekton.dev/max-keep-runs: "3"
pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
== "main"
io.kubernetes.cri-o.Devices: "/dev/fuse"
creationTimestamp: null
labels:
appstudio.openshift.io/application: fedora-bootc-tier-x-rawhide
appstudio.openshift.io/component: fedora-bootc-tier-x-rawhide
pipelines.appstudio.openshift.io/type: build
name: fedora-bootc-tier-x-rawhide-on-push
namespace: bootc-tenant
spec:
timeouts:
pipeline: 6h0m0s
tasks: 4h0m0s
finally: 2h0m0s
params:
- name: git-url
value: '{{source_url}}'
- name: revision
value: '{{revision}}'
- name: output-image
value: quay.io/konflux-fedora/bootc-tenant/fedora-bootc-tier-x-rawhide:{{revision}}
- name: image-expires-after
value: 5d
- name: path-context
value: .
- name: config-file
value: fedora-bootc-config.json
- name: image-file
value: fedora-tier-x.yaml
- name: prefetch-input
value: ""
- name: hermetic
value: false
pipelineRef:
name: ostree-build
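Review bot: `image-expires-after` is `5d` in this on-push run, the same value as in the pull-request run, so the image tagged `:{{revision}}` built from `main` would presumably be expired from the registry after five days (the pipeline describes the parameter as "Image tag expiration time"). If the push build is meant to produce the image that consumers pull, drop the parameter here so the pipeline default `''` applies. If the expiry is deliberate for this initial build, say so in a comment such as `# main builds expire until the image is officially published`.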

538
.tekton/ostree-build.yaml Normal file

@ -0,0 +1,538 @@
---
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
name: ostree-build
spec:
finally:
- name: show-sbom
params:
- name: IMAGE_URL
value: $(tasks.build-container-amd64.results.IMAGE_URL)
taskRef:
params:
- name: name
value: show-sbom
- name: bundle
value: >-
quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0
- name: kind
value: task
resolver: bundles
- name: show-summary
params:
- name: pipelinerun-name
value: $(context.pipelineRun.name)
- name: git-url
value: >-
$(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)
- name: image-url
value: $(params.output-image)
- name: build-task-status
value: $(tasks.build-container.status)
taskRef:
params:
- name: name
value: summary
- name: bundle
value: >-
quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:870d9a04d9784840a90b7bf6817cd0d0c4edfcda04b1ba1868cae625a3c3bfcc
- name: kind
value: task
resolver: bundles
params:
- description: Source Repository URL
name: git-url
type: string
- default: ''
description: Revision of the Source Repository
name: revision
type: string
- description: Fully Qualified Output Image
name: output-image
type: string
- default: .
description: >-
Path to the source code of an application's component from where to build image.
name: path-context
type: string
- description: >-
Path to the image file inside the context specified by parameter path-context
name: image-file
type: string
- default: 'false'
description: Force rebuild image
name: rebuild
type: string
- default: 'false'
description: Skip checks against built image
name: skip-checks
type: string
- default: 'true'
description: 'Skip optional checks, set false if you want to run optional checks'
name: skip-optional
type: string
- default: 'true'
description: Execute the build with network isolation
name: hermetic
type: string
- name: prefetch-input
default: |
{"type": "rpm"}
- default: 'true'
description: Enable dev-package-managers in prefetch task
name: prefetch-dev-package-managers-enabled
type: string
- default: 'false'
description: Java build
name: java
type: string
- default: ''
description: >-
Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.
name: image-expires-after
- default: 'true'
description: Build a source image.
name: build-source-image
type: string
- name: config-file
description: config file to use for rpm-ostree tool
type: string
default: ''
results:
- description: ''
name: IMAGE_URL
value: $(tasks.build-container.results.IMAGE_URL)
- description: ''
name: IMAGE_DIGEST
value: $(tasks.build-container.results.IMAGE_DIGEST)
- description: ''
name: CHAINS-GIT_URL
value: $(tasks.clone-repository.results.url)
- description: ''
name: CHAINS-GIT_COMMIT
value: $(tasks.clone-repository.results.commit)
tasks:
- name: init
params:
- name: image-url
value: $(params.output-image)
- name: rebuild
value: $(params.rebuild)
- name: skip-checks
value: $(params.skip-checks)
- name: skip-optional
value: $(params.skip-optional)
- name: pipelinerun-name
value: $(context.pipelineRun.name)
- name: pipelinerun-uid
value: $(context.pipelineRun.uid)
taskRef:
params:
- name: name
value: init
- name: bundle
value: >-
quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:0523b51c28375a3f222da91690e22eff11888ebc98a0c73c468af44762265c69
- name: kind
value: task
resolver: bundles
- name: clone-repository
params:
- name: url
value: $(params.git-url)
- name: revision
value: $(params.revision)
- name: ociStorage
value: $(params.output-image).git
- name: ociArtifactExpiresAfter
value: $(params.image-expires-after)
runAfter:
- init
taskRef:
params:
- name: name
value: git-clone-oci-ta
- name: bundle
value: >-
quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:8ab0c7a7ac4a4c59740a24304e17cc64fe8745376d19396c4660fc0e1a957a1b
- name: kind
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values:
- 'true'
workspaces:
- name: basic-auth
workspace: git-auth
- name: prefetch-dependencies
params:
- name: input
value: $(params.prefetch-input)
- name: dev-package-managers
value: $(params.prefetch-dev-package-managers-enabled)
- name: SOURCE_ARTIFACT
value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
- name: ociStorage
value: $(params.output-image).prefetch
- name: ociArtifactExpiresAfter
value: $(params.image-expires-after)
runAfter:
- clone-repository
taskRef:
params:
- name: name
value: prefetch-dependencies-oci-ta
- name: bundle
value: >-
quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:3e51d7c477ba00bd0c7de2d8f89269131646d2582e631b9aee91fb4b022d4555
- name: kind
value: task
resolver: bundles
- name: build-container-amd64
params:
- name: IMAGE
value: $(params.output-image)-amd64
- name: IMAGE_FILE
value: $(params.image-file)
- name: CONTEXT
value: $(params.path-context)
- name: IMAGE_EXPIRES_AFTER
value: $(params.image-expires-after)
- name: COMMIT_SHA
value: $(tasks.clone-repository.results.commit)
- name: BUILDER_IMAGE
value: 'quay.io/centos-bootc/bootc-image-builder:latest'
- name: CONFIG_FILE
value: $(params.config-file)
- name: HERMETIC
value: $(params.hermetic)
- name: PLATFORM
value: linux/amd64
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
runAfter:
- prefetch-dependencies
taskRef:
params:
- name: name
value: rpm-ostree-oci-ta
- name: bundle
value: >-
quay.io/konflux-ci/tekton-catalog/task-rpm-ostree-oci-ta:0.2@sha256:ccf1b44d6fe6ac9a772a4072d6b143d367692f4cd355bfa0f0b73494614eed13
- name: kind
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values:
- 'true'
- name: build-container-arm64
params:
- name: IMAGE
value: $(params.output-image)-arm64
- name: IMAGE_FILE
value: $(params.image-file)
- name: CONTEXT
value: $(params.path-context)
- name: IMAGE_EXPIRES_AFTER
value: $(params.image-expires-after)
- name: COMMIT_SHA
value: $(tasks.clone-repository.results.commit)
- name: BUILDER_IMAGE
value: 'quay.io/centos-bootc/bootc-image-builder:latest'
- name: CONFIG_FILE
value: $(params.config-file)
- name: HERMETIC
value: $(params.hermetic)
- name: PLATFORM
value: linux/arm64
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
runAfter:
- prefetch-dependencies
taskRef:
params:
- name: name
value: rpm-ostree-oci-ta
- name: bundle
value: >-
quay.io/konflux-ci/tekton-catalog/task-rpm-ostree-oci-ta:0.2@sha256:f927e4cc7528554c8dd3ad2553b7ba94e664d0b6d373656785aeaa84cce34287
- name: kind
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values:
- 'true'
# - name: build-container-ppc64le
# params:
# - name: IMAGE
# value: $(params.output-image)-ppc64le
# - name: IMAGE_FILE
# value: $(params.image-file)
# - name: CONTEXT
# value: $(params.path-context)
# - name: IMAGE_EXPIRES_AFTER
# value: $(params.image-expires-after)
# - name: COMMIT_SHA
# value: $(tasks.clone-repository.results.commit)
# - name: BUILDER_IMAGE
# value: 'quay.io/centos-bootc/bootc-image-builder:latest'
# - name: CONFIG_FILE
# value: $(params.config-file)
# - name: HERMETIC
# value: $(params.hermetic)
# - name: PLATFORM
# value: linux/ppc64le
# - name: SOURCE_ARTIFACT
# value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
# - name: CACHI2_ARTIFACT
# value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
# runAfter:
# - prefetch-dependencies
# taskRef:
# params:
# - name: name
# value: rpm-ostree-oci-ta
# - name: bundle
# value: >-
# quay.io/konflux-ci/tekton-catalog/task-rpm-ostree-oci-ta:0.2@sha256:f927e4cc7528554c8dd3ad2553b7ba94e664d0b6d373656785aeaa84cce34287
# - name: kind
# value: task
# resolver: bundles
# when:
# - input: $(tasks.init.results.build)
# operator: in
# values:
# - 'true'
# - name: build-container-s390x
# params:
# - name: IMAGE
# value: $(params.output-image)-s390x
# - name: IMAGE_FILE
# value: $(params.image-file)
# - name: CONTEXT
# value: $(params.path-context)
# - name: IMAGE_EXPIRES_AFTER
# value: $(params.image-expires-after)
# - name: COMMIT_SHA
# value: $(tasks.clone-repository.results.commit)
# - name: BUILDER_IMAGE
# value: 'quay.io/centos-bootc/bootc-image-builder:latest'
# - name: CONFIG_FILE
# value: $(params.config-file)
# - name: HERMETIC
# value: $(params.hermetic)
# - name: PLATFORM
# value: linux/s390x
# - name: SOURCE_ARTIFACT
# value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
# - name: CACHI2_ARTIFACT
# value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
# runAfter:
# - prefetch-dependencies
# taskRef:
# params:
# - name: name
# value: rpm-ostree-oci-ta
# - name: bundle
# value: >-
# quay.io/konflux-ci/tekton-catalog/task-rpm-ostree-oci-ta:0.2@sha256:f927e4cc7528554c8dd3ad2553b7ba94e664d0b6d373656785aeaa84cce34287
# - name: kind
# value: task
# resolver: bundles
# when:
# - input: $(tasks.init.results.build)
# operator: in
# values:
# - 'true'
- name: build-container
params:
- name: IMAGE
value: $(params.output-image)
- name: COMMIT_SHA
value: $(tasks.clone-repository.results.commit)
- name: IMAGES
value:
- >-
$(tasks.build-container-amd64.results.IMAGE_URL)@$(tasks.build-container-amd64.results.IMAGE_DIGEST)
- >-
$(tasks.build-container-arm64.results.IMAGE_URL)@$(tasks.build-container-arm64.results.IMAGE_DIGEST)
# - >-
# $(tasks.build-container-ppc64le.results.IMAGE_URL)@$(tasks.build-container-ppc64le.results.IMAGE_DIGEST)
# - >-
# $(tasks.build-container-s390x.results.IMAGE_URL)@$(tasks.build-container-s390x.results.IMAGE_DIGEST)
runAfter:
- build-container-amd64
- build-container-arm64
# - build-container-ppc64le
# - build-container-s390x
taskRef:
params:
- name: name
value: build-image-manifest
- name: bundle
value: >-
quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:70dbecd03c96957b2a8f9137beb450509dbb17a69cc1b544872bc7290e6b7b5f
- name: kind
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values:
- 'true'
- name: build-source-image
params:
- name: BINARY_IMAGE
value: $(params.output-image)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
runAfter:
- build-container
taskRef:
params:
- name: name
value: source-build-oci-ta
- name: bundle
value: >-
quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:26278e5373a726594975a9ec2f177a67e3674bbf905d7d317b9ea60ca7993978
- name: kind
value: task
resolver: bundles
when:
- input: $(tasks.init.results.build)
operator: in
values:
- 'true'
- input: $(params.build-source-image)
operator: in
values:
- 'true'
- name: deprecated-base-image-check
params:
- name: IMAGE_URL
value: $(tasks.build-container.results.IMAGE_URL)
- name: IMAGE_DIGEST
value: $(tasks.build-container.results.IMAGE_DIGEST)
taskRef:
params:
- name: name
value: deprecated-image-check
- name: bundle
value: >-
quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:5a1a165fa02270f0a947d8a2131ee9d8be0b8e9d34123828c2bef589e504ee84
- name: kind
value: task
resolver: bundles
when:
- input: $(params.skip-checks)
operator: in
values:
- 'false'
- name: clair-scan
params:
- name: image-digest
value: $(tasks.build-container.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-container.results.IMAGE_URL)
runAfter:
- build-container
taskRef:
params:
- name: name
value: clair-scan
- name: bundle
value: >-
quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:0a5421111e7092740398691d5bd7c125cc0896f29531d19414bb5724ae41692a
- name: kind
value: task
resolver: bundles
when:
- input: $(params.skip-checks)
operator: in
values:
- 'false'
- name: rpms-signature-scan
params:
- name: image-digest
value: $(tasks.build-container.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-container.results.IMAGE_URL)
runAfter:
- build-container
taskRef:
params:
- name: name
value: rpms-signature-scan
- name: bundle
value: >-
quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:60da26522b733e0375ebe996abf4b3b7c41720ae2858f6332945da3b1a9fd87d
- name: kind
value: task
resolver: bundles
- name: sast-snyk-check
params:
- name: image-digest
value: $(tasks.build-container.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-container.results.IMAGE_URL)
- name: SOURCE_ARTIFACT
value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
- name: CACHI2_ARTIFACT
value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
runAfter:
- build-container
taskRef:
params:
- name: name
value: sast-snyk-check-oci-ta
- name: bundle
value: >-
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:1119722a2d31b831d1aa336fd8cced0a5016c95466b6b59a58bbf3585735850f
- name: kind
value: task
resolver: bundles
when:
- input: $(params.skip-checks)
operator: in
values:
- 'false'
- name: clamav-scan
timeout: 2h
params:
- name: image-digest
value: $(tasks.build-container.results.IMAGE_DIGEST)
- name: image-url
value: $(tasks.build-container.results.IMAGE_URL)
runAfter:
- build-container
taskRef:
params:
- name: name
value: clamav-scan
- name: bundle
value: >-
quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:6e08cf608240f57442ca5458f3c0dade3558f4f2953be8ea939232f5d5378d58
- name: kind
value: task
resolver: bundles
when:
- input: $(params.skip-checks)
operator: in
values:
- 'false'
workspaces:
- name: git-auth
optional: true
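Review bot: `BUILDER_IMAGE` is `quay.io/centos-bootc/bootc-image-builder:latest` in both `build-container-amd64` and `build-container-arm64`, a mutable tag, while every task bundle in this pipeline is pinned by `@sha256:` digest. The image that assembles the OS content can therefore change between runs without any change in this repository, and the build record cannot identify which builder was used. Pin it the same way, e.g. `value: 'quay.io/centos-bootc/bootc-image-builder@sha256:<digest of the reviewed builder image>'`, and bump the digest deliberately. Separately, the two architecture tasks reference `task-rpm-ostree-oci-ta:0.2` at different digests (`ccf1b44d…` for amd64, `f927e4cc…` for arm64), so the two halves of the manifest list may be built by different task revisions; unless that is intended, use one digest for both.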


@ -6,3 +6,8 @@ include:
- fedora-generic.yaml - fedora-generic.yaml
- tier-x/manifest.yaml - tier-x/manifest.yaml
- tier-x/kernel.yaml - tier-x/kernel.yaml
releasever: rawhide
repos:
- rawhide