diff --git a/.tekton/fedora-bootc-tier-x-rawhide-pull-request.yaml b/.tekton/fedora-bootc-tier-x-rawhide-pull-request.yaml
new file mode 100644
index 0000000..51a6df7
--- /dev/null
+++ b/.tekton/fedora-bootc-tier-x-rawhide-pull-request.yaml
@@ -0,0 +1,46 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://gitlab.com/fedora/fedora-bootc/base-images/-/tree/{{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request"
+ && target_branch == "main"
+ io.kubernetes.cri-o.Devices: "/dev/fuse"
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: fedora-bootc-tier-x-rawhide
+ appstudio.openshift.io/component: fedora-bootc-tier-x-rawhide
+ pipelines.appstudio.openshift.io/type: build
+ name: fedora-bootc-tier-x-rawhide-on-pull-request
+ namespace: bootc-tenant
+spec:
+ timeouts:
+ pipeline: 6h0m0s
+ tasks: 4h0m0s
+ finally: 2h0m0s
+ params:
+ - name: git-url
+ value: '{{source_url}}'
+ - name: revision
+ value: '{{revision}}'
+ - name: output-image
+ value: quay.io/konflux-fedora/bootc-tenant/fedora-bootc-tier-x-rawhide:on-pr-{{revision}}
+ - name: image-expires-after
+ value: 5d
+ - name: path-context
+ value: .
+ - name: config-file
+ value: fedora-bootc-config.json
+ - name: image-file
+ value: fedora-tier-x.yaml
+ - name: prefetch-input
+ value: ""
+ - name: hermetic
+ value: false
+ pipelineRef:
+ name: ostree-build
diff --git a/.tekton/fedora-bootc-tier-x-rawhide-push.yaml b/.tekton/fedora-bootc-tier-x-rawhide-push.yaml
new file mode 100644
index 0000000..b8d28e0
--- /dev/null
+++ b/.tekton/fedora-bootc-tier-x-rawhide-push.yaml
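Review bot: `hermetic` is passed as the YAML boolean `false` (`value: false`), but the `ostree-build` pipeline declares it as `type: string` with default `'true'`; Tekton appears to coerce a bare scalar into a string, but the pipeline's own convention is the quoted `'false'`, so the PipelineRun should use `value: 'false'` as well. The same applies to the push PipelineRun in the next file. With `hermetic` disabled and `prefetch-input` set to `""`, the rpm-ostree build runs with network access and without prefetched content, so the build inputs are not captured by the prefetch step and the provenance recorded for the image is correspondingly weaker. If that is deliberate for the rawhide stream, a short comment on the `hermetic` param, e.g. `# hermetic disabled because: <reason>`, would keep the next reader from "fixing" it.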
@@ -0,0 +1,45 @@
+---
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+ annotations:
+ build.appstudio.openshift.io/repo: https://gitlab.com/fedora/fedora-bootc/base-images/-/tree/{{revision}}
+ build.appstudio.redhat.com/commit_sha: '{{revision}}'
+ build.appstudio.redhat.com/target_branch: '{{target_branch}}'
+ pipelinesascode.tekton.dev/max-keep-runs: "3"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
+ == "main"
+ io.kubernetes.cri-o.Devices: "/dev/fuse"
+ creationTimestamp: null
+ labels:
+ appstudio.openshift.io/application: fedora-bootc-tier-x-rawhide
+ appstudio.openshift.io/component: fedora-bootc-tier-x-rawhide
+ pipelines.appstudio.openshift.io/type: build
+ name: fedora-bootc-tier-x-rawhide-on-push
+ namespace: bootc-tenant
+spec:
+ timeouts:
+ pipeline: 6h0m0s
+ tasks: 4h0m0s
+ finally: 2h0m0s
+ params:
+ - name: git-url
+ value: '{{source_url}}'
+ - name: revision
+ value: '{{revision}}'
+ - name: output-image
+ value: quay.io/konflux-fedora/bootc-tenant/fedora-bootc-tier-x-rawhide:{{revision}}
+ - name: image-expires-after
+ value: 5d
+ - name: path-context
+ value: .
+ - name: config-file
+ value: fedora-bootc-config.json
+ - name: image-file
+ value: fedora-tier-x.yaml
+ - name: prefetch-input
+ value: ""
+ - name: hermetic
+ value: false
+ pipelineRef:
+ name: ostree-build
diff --git a/.tekton/ostree-build.yaml b/.tekton/ostree-build.yaml
new file mode 100644
index 0000000..0d23b20
--- /dev/null
+++ b/.tekton/ostree-build.yaml
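Review bot: `image-expires-after` is `5d` in this push PipelineRun, so the image pushed for each commit on `main` (tag `:{{revision}}`) and, through the pipeline's `ociArtifactExpiresAfter`, the `.git` and `.prefetch` OCI artifacts all expire five days after the push; nothing in this run publishes a longer-lived tag. If anything is expected to pull the main-branch build by that tag beyond the window, the value is too short. If five-day retention is intended for the rawhide stream, a comment next to the parameter would make that explicit, e.g. `# rawhide builds are ephemeral; each push is retained for 5 days`.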
@@ -0,0 +1,538 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+ name: ostree-build
+spec:
+ finally:
+ - name: show-sbom
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-container-amd64.results.IMAGE_URL)
+ taskRef:
+ params:
+ - name: name
+ value: show-sbom
+ - name: bundle
+ value: >-
+ quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0
+ - name: kind
+ value: task
+ resolver: bundles
+ - name: show-summary
+ params:
+ - name: pipelinerun-name
+ value: $(context.pipelineRun.name)
+ - name: git-url
+ value: >-
+ $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)
+ - name: image-url
+ value: $(params.output-image)
+ - name: build-task-status
+ value: $(tasks.build-container.status)
+ taskRef:
+ params:
+ - name: name
+ value: summary
+ - name: bundle
+ value: >-
+ quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:870d9a04d9784840a90b7bf6817cd0d0c4edfcda04b1ba1868cae625a3c3bfcc
+ - name: kind
+ value: task
+ resolver: bundles
+ params:
+ - description: Source Repository URL
+ name: git-url
+ type: string
+ - default: ''
+ description: Revision of the Source Repository
+ name: revision
+ type: string
+ - description: Fully Qualified Output Image
+ name: output-image
+ type: string
+ - default: .
+ description: >-
+ Path to the source code of an application's component from where to build image.
+ name: path-context
+ type: string
+ - description: >-
+ Path to the image file inside the context specified by parameter path-context
+ name: image-file
+ type: string
+ - default: 'false'
+ description: Force rebuild image
+ name: rebuild
+ type: string
+ - default: 'false'
+ description: Skip checks against built image
+ name: skip-checks
+ type: string
+ - default: 'true'
+ description: 'Skip optional checks, set false if you want to run optional checks'
+ name: skip-optional
+ type: string
+ - default: 'true'
+ description: Execute the build with network isolation
+ name: hermetic
+ type: string
+ - name: prefetch-input
+ default: |
+ {"type": "rpm"}
+ - default: 'true'
+ description: Enable dev-package-managers in prefetch task
+ name: prefetch-dev-package-managers-enabled
+ type: string
+ - default: 'false'
+ description: Java build
+ name: java
+ type: string
+ - default: ''
+ description: >-
+ Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.
+ name: image-expires-after
+ - default: 'true'
+ description: Build a source image.
+ name: build-source-image
+ type: string
+ - name: config-file
+ description: config file to use for rpm-ostree tool
+ type: string
+ default: ''
+ results:
+ - description: ''
+ name: IMAGE_URL
+ value: $(tasks.build-container.results.IMAGE_URL)
+ - description: ''
+ name: IMAGE_DIGEST
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ - description: ''
+ name: CHAINS-GIT_URL
+ value: $(tasks.clone-repository.results.url)
+ - description: ''
+ name: CHAINS-GIT_COMMIT
+ value: $(tasks.clone-repository.results.commit)
+ tasks:
+ - name: init
+ params:
+ - name: image-url
+ value: $(params.output-image)
+ - name: rebuild
+ value: $(params.rebuild)
+ - name: skip-checks
+ value: $(params.skip-checks)
+ - name: skip-optional
+ value: $(params.skip-optional)
+ - name: pipelinerun-name
+ value: $(context.pipelineRun.name)
+ - name: pipelinerun-uid
+ value: $(context.pipelineRun.uid)
+ taskRef:
+ params:
+ - name: name
+ value: init
+ - name: bundle
+ value: >-
+ quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:0523b51c28375a3f222da91690e22eff11888ebc98a0c73c468af44762265c69
+ - name: kind
+ value: task
+ resolver: bundles
+ - name: clone-repository
+ params:
+ - name: url
+ value: $(params.git-url)
+ - name: revision
+ value: $(params.revision)
+ - name: ociStorage
+ value: $(params.output-image).git
+ - name: ociArtifactExpiresAfter
+ value: $(params.image-expires-after)
+ runAfter:
+ - init
+ taskRef:
+ params:
+ - name: name
+ value: git-clone-oci-ta
+ - name: bundle
+ value: >-
+ quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:8ab0c7a7ac4a4c59740a24304e17cc64fe8745376d19396c4660fc0e1a957a1b
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values:
+ - 'true'
+ workspaces:
+ - name: basic-auth
+ workspace: git-auth
+ - name: prefetch-dependencies
+ params:
+ - name: input
+ value: $(params.prefetch-input)
+ - name: dev-package-managers
+ value: $(params.prefetch-dev-package-managers-enabled)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+ - name: ociStorage
+ value: $(params.output-image).prefetch
+ - name: ociArtifactExpiresAfter
+ value: $(params.image-expires-after)
+ runAfter:
+ - clone-repository
+ taskRef:
+ params:
+ - name: name
+ value: prefetch-dependencies-oci-ta
+ - name: bundle
+ value: >-
+ quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:3e51d7c477ba00bd0c7de2d8f89269131646d2582e631b9aee91fb4b022d4555
+ - name: kind
+ value: task
+ resolver: bundles
+ - name: build-container-amd64
+ params:
+ - name: IMAGE
+ value: $(params.output-image)-amd64
+ - name: IMAGE_FILE
+ value: $(params.image-file)
+ - name: CONTEXT
+ value: $(params.path-context)
+ - name: IMAGE_EXPIRES_AFTER
+ value: $(params.image-expires-after)
+ - name: COMMIT_SHA
+ value: $(tasks.clone-repository.results.commit)
+ - name: BUILDER_IMAGE
+ value: 'quay.io/centos-bootc/bootc-image-builder:latest'
+ - name: CONFIG_FILE
+ value: $(params.config-file)
+ - name: HERMETIC
+ value: $(params.hermetic)
+ - name: PLATFORM
+ value: linux/amd64
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ runAfter:
+ - prefetch-dependencies
+ taskRef:
+ params:
+ - name: name
+ value: rpm-ostree-oci-ta
+ - name: bundle
+ value: >-
+ quay.io/konflux-ci/tekton-catalog/task-rpm-ostree-oci-ta:0.2@sha256:ccf1b44d6fe6ac9a772a4072d6b143d367692f4cd355bfa0f0b73494614eed13
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values:
+ - 'true'
+ - name: build-container-arm64
+ params:
+ - name: IMAGE
+ value: $(params.output-image)-arm64
+ - name: IMAGE_FILE
+ value: $(params.image-file)
+ - name: CONTEXT
+ value: $(params.path-context)
+ - name: IMAGE_EXPIRES_AFTER
+ value: $(params.image-expires-after)
+ - name: COMMIT_SHA
+ value: $(tasks.clone-repository.results.commit)
+ - name: BUILDER_IMAGE
+ value: 'quay.io/centos-bootc/bootc-image-builder:latest'
+ - name: CONFIG_FILE
+ value: $(params.config-file)
+ - name: HERMETIC
+ value: $(params.hermetic)
+ - name: PLATFORM
+ value: linux/arm64
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ runAfter:
+ - prefetch-dependencies
+ taskRef:
+ params:
+ - name: name
+ value: rpm-ostree-oci-ta
+ - name: bundle
+ value: >-
+ quay.io/konflux-ci/tekton-catalog/task-rpm-ostree-oci-ta:0.2@sha256:f927e4cc7528554c8dd3ad2553b7ba94e664d0b6d373656785aeaa84cce34287
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values:
+ - 'true'
+ # - name: build-container-ppc64le
+ # params:
+ # - name: IMAGE
+ # value: $(params.output-image)-ppc64le
+ # - name: IMAGE_FILE
+ # value: $(params.image-file)
+ # - name: CONTEXT
+ # value: $(params.path-context)
+ # - name: IMAGE_EXPIRES_AFTER
+ # value: $(params.image-expires-after)
+ # - name: COMMIT_SHA
+ # value: $(tasks.clone-repository.results.commit)
+ # - name: BUILDER_IMAGE
+ # value: 'quay.io/centos-bootc/bootc-image-builder:latest'
+ # - name: CONFIG_FILE
+ # value: $(params.config-file)
+ # - name: HERMETIC
+ # value: $(params.hermetic)
+ # - name: PLATFORM
+ # value: linux/ppc64le
+ # - name: SOURCE_ARTIFACT
+ # value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ # - name: CACHI2_ARTIFACT
+ # value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ # runAfter:
+ # - prefetch-dependencies
+ # taskRef:
+ # params:
+ # - name: name
+ # value: rpm-ostree-oci-ta
+ # - name: bundle
+ # value: >-
+ # quay.io/konflux-ci/tekton-catalog/task-rpm-ostree-oci-ta:0.2@sha256:f927e4cc7528554c8dd3ad2553b7ba94e664d0b6d373656785aeaa84cce34287
+ # - name: kind
+ # value: task
+ # resolver: bundles
+ # when:
+ # - input: $(tasks.init.results.build)
+ # operator: in
+ # values:
+ # - 'true'
+ # - name: build-container-s390x
+ # params:
+ # - name: IMAGE
+ # value: $(params.output-image)-s390x
+ # - name: IMAGE_FILE
+ # value: $(params.image-file)
+ # - name: CONTEXT
+ # value: $(params.path-context)
+ # - name: IMAGE_EXPIRES_AFTER
+ # value: $(params.image-expires-after)
+ # - name: COMMIT_SHA
+ # value: $(tasks.clone-repository.results.commit)
+ # - name: BUILDER_IMAGE
+ # value: 'quay.io/centos-bootc/bootc-image-builder:latest'
+ # - name: CONFIG_FILE
+ # value: $(params.config-file)
+ # - name: HERMETIC
+ # value: $(params.hermetic)
+ # - name: PLATFORM
+ # value: linux/s390x
+ # - name: SOURCE_ARTIFACT
+ # value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ # - name: CACHI2_ARTIFACT
+ # value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ # runAfter:
+ # - prefetch-dependencies
+ # taskRef:
+ # params:
+ # - name: name
+ # value: rpm-ostree-oci-ta
+ # - name: bundle
+ # value: >-
+ # quay.io/konflux-ci/tekton-catalog/task-rpm-ostree-oci-ta:0.2@sha256:f927e4cc7528554c8dd3ad2553b7ba94e664d0b6d373656785aeaa84cce34287
+ # - name: kind
+ # value: task
+ # resolver: bundles
+ # when:
+ # - input: $(tasks.init.results.build)
+ # operator: in
+ # values:
+ # - 'true'
+ - name: build-container
+ params:
+ - name: IMAGE
+ value: $(params.output-image)
+ - name: COMMIT_SHA
+ value: $(tasks.clone-repository.results.commit)
+ - name: IMAGES
+ value:
+ - >-
+ $(tasks.build-container-amd64.results.IMAGE_URL)@$(tasks.build-container-amd64.results.IMAGE_DIGEST)
+ - >-
+ $(tasks.build-container-arm64.results.IMAGE_URL)@$(tasks.build-container-arm64.results.IMAGE_DIGEST)
+ # - >-
+ # $(tasks.build-container-ppc64le.results.IMAGE_URL)@$(tasks.build-container-ppc64le.results.IMAGE_DIGEST)
+ # - >-
+ # $(tasks.build-container-s390x.results.IMAGE_URL)@$(tasks.build-container-s390x.results.IMAGE_DIGEST)
+ runAfter:
+ - build-container-amd64
+ - build-container-arm64
+ # - build-container-ppc64le
+ # - build-container-s390x
+ taskRef:
+ params:
+ - name: name
+ value: build-image-manifest
+ - name: bundle
+ value: >-
+ quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:70dbecd03c96957b2a8f9137beb450509dbb17a69cc1b544872bc7290e6b7b5f
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values:
+ - 'true'
+ - name: build-source-image
+ params:
+ - name: BINARY_IMAGE
+ value: $(params.output-image)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: source-build-oci-ta
+ - name: bundle
+ value: >-
+ quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:26278e5373a726594975a9ec2f177a67e3674bbf905d7d317b9ea60ca7993978
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(tasks.init.results.build)
+ operator: in
+ values:
+ - 'true'
+ - input: $(params.build-source-image)
+ operator: in
+ values:
+ - 'true'
+ - name: deprecated-base-image-check
+ params:
+ - name: IMAGE_URL
+ value: $(tasks.build-container.results.IMAGE_URL)
+ - name: IMAGE_DIGEST
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ taskRef:
+ params:
+ - name: name
+ value: deprecated-image-check
+ - name: bundle
+ value: >-
+ quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:5a1a165fa02270f0a947d8a2131ee9d8be0b8e9d34123828c2bef589e504ee84
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - 'false'
+ - name: clair-scan
+ params:
+ - name: image-digest
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-container.results.IMAGE_URL)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: clair-scan
+ - name: bundle
+ value: >-
+ quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:0a5421111e7092740398691d5bd7c125cc0896f29531d19414bb5724ae41692a
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - 'false'
+ - name: rpms-signature-scan
+ params:
+ - name: image-digest
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-container.results.IMAGE_URL)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: rpms-signature-scan
+ - name: bundle
+ value: >-
+ quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:60da26522b733e0375ebe996abf4b3b7c41720ae2858f6332945da3b1a9fd87d
+ - name: kind
+ value: task
+ resolver: bundles
+ - name: sast-snyk-check
+ params:
+ - name: image-digest
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-container.results.IMAGE_URL)
+ - name: SOURCE_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+ - name: CACHI2_ARTIFACT
+ value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: sast-snyk-check-oci-ta
+ - name: bundle
+ value: >-
+ quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:1119722a2d31b831d1aa336fd8cced0a5016c95466b6b59a58bbf3585735850f
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - 'false'
+ - name: clamav-scan
+ timeout: 2h
+ params:
+ - name: image-digest
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-container.results.IMAGE_URL)
+ runAfter:
+ - build-container
+ taskRef:
+ params:
+ - name: name
+ value: clamav-scan
+ - name: bundle
+ value: >-
+ quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:6e08cf608240f57442ca5458f3c0dade3558f4f2953be8ea939232f5d5378d58
+ - name: kind
+ value: task
+ resolver: bundles
+ when:
+ - input: $(params.skip-checks)
+ operator: in
+ values:
+ - 'false'
+ workspaces:
+ - name: git-auth
+ optional: true
diff --git a/fedora-tier-x.yaml b/fedora-tier-x.yaml
index 90a96fd..b3c6865 100644
--- a/fedora-tier-x.yaml
+++ b/fedora-tier-x.yaml
@@ -6,3 +6,8 @@ include:
 - fedora-generic.yaml
 - tier-x/manifest.yaml
 - tier-x/kernel.yaml
+
+releasever: rawhide
+repos:
+ - rawhide
+
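Review bot: `BUILDER_IMAGE` in `build-container-amd64` and `build-container-arm64` is `'quay.io/centos-bootc/bootc-image-builder:latest'`, a floating tag, while every task bundle in the same file is pinned by digest; the toolchain that assembles the image can change silently between runs, which weakens reproducibility and the provenance recorded for the build. Pin it the same way, e.g. `value: 'quay.io/centos-bootc/bootc-image-builder@sha256:<builder-image-digest>'` (placeholder digest to be filled in), preferably via a single pipeline parameter so both arch tasks share one value. Related: the two arch tasks reference `task-rpm-ostree-oci-ta:0.2` at different digests (`ccf1b44d…` for amd64, `f927e4cc…` for arm64), so the two halves of the manifest list are produced by different revisions of the task; unless that is deliberate they should reference the same digest. Smaller point: the `finally` task `show-sbom` reads `$(tasks.build-container-amd64.results.IMAGE_URL)` rather than the manifest-list result from `build-container`, so only the amd64 SBOM is shown — confirm that is intended.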