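---
# Tekton Pipeline "ostree-build".
#
# Flow: init -> clone-repository -> prefetch-dependencies -> per-arch
# rpm-ostree builds (amd64, arm64) -> build-container (image manifest) ->
# optional source image plus image checks. The `finally` tasks print the SBOM
# and a run summary.
#
# Supply-chain notes for reviewers:
#   * Every task is fetched through the `bundles` resolver and pinned by
#     sha256 digest.
#   * BUILDER_IMAGE is the one image reference that is NOT pinned: it uses the
#     mutable `latest` tag (see build-container-amd64 / build-container-arm64).
#   * build-container-amd64 and build-container-arm64 reference the same task
#     name and version (rpm-ostree-oci-ta:0.2) with different digests.
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: ostree-build
spec:
  params:
    - name: git-url
      type: string
      description: Source Repository URL
    - name: revision
      type: string
      description: Revision of the Source Repository
      default: ''
    - name: output-image
      type: string
      description: Fully Qualified Output Image
    - name: path-context
      type: string
      description: >-
        Path to the source code of an application's component from where to
        build image.
      default: '.'
    - name: image-file
      type: string
      description: >-
        Path to the image file inside the context specified by parameter
        path-context
    - name: rebuild
      type: string
      description: Force rebuild image
      default: 'false'
    # Security-relevant switch: when set to 'true' the tasks
    # deprecated-base-image-check, clair-scan, sast-snyk-check and clamav-scan
    # are skipped by their `when` clauses. rpms-signature-scan has no such
    # guard in this pipeline.
    - name: skip-checks
      type: string
      description: Skip checks against built image
      default: 'false'
    - name: skip-optional
      type: string
      description: 'Skip optional checks, set false if you want to run optional checks'
      default: 'true'
    # Forwarded as HERMETIC to both build-container-<arch> tasks.
    - name: hermetic
      type: string
      description: Execute the build with network isolation
      default: 'true'
    # The default is a JSON document kept as a literal block scalar, so the
    # value ends with a newline exactly as in the original definition.
    - name: prefetch-input
      type: string
      description: Configuration passed as `input` to the prefetch-dependencies task
      default: |
        {"type": "rpm"}
    - name: prefetch-dev-package-managers-enabled
      type: string
      description: Enable dev-package-managers in prefetch task
      default: 'true'
    # NOTE(review): no task in this pipeline references $(params.java).
    - name: java
      type: string
      description: Java build
      default: 'false'
    - name: image-expires-after
      type: string
      description: >-
        Image tag expiration time, time values could be something like 1h, 2d,
        3w for hours, days, and weeks, respectively.
      default: ''
    - name: build-source-image
      type: string
      description: Build a source image.
      default: 'true'
    - name: config-file
      type: string
      description: config file to use for rpm-ostree tool
      default: ''

  workspaces:
    # Optional credentials workspace; bound to `basic-auth` of clone-repository.
    - name: git-auth
      optional: true

  results:
    - name: IMAGE_URL
      description: ''
      value: $(tasks.build-container.results.IMAGE_URL)
    - name: IMAGE_DIGEST
      description: ''
      value: $(tasks.build-container.results.IMAGE_DIGEST)
    # The two CHAINS-* results expose the cloned URL and commit; presumably
    # they are consumed by Tekton Chains for provenance (confirm with the
    # cluster configuration).
    - name: CHAINS-GIT_URL
      description: ''
      value: $(tasks.clone-repository.results.url)
    - name: CHAINS-GIT_COMMIT
      description: ''
      value: $(tasks.clone-repository.results.commit)

  tasks:
    # Produces the `build` result that gates the clone and build tasks below.
    - name: init
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: init
          - name: bundle
            value: >-
              quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:0523b51c28375a3f222da91690e22eff11888ebc98a0c73c468af44762265c69
          - name: kind
            value: task
      params:
        - name: image-url
          value: $(params.output-image)
        - name: rebuild
          value: $(params.rebuild)
        - name: skip-checks
          value: $(params.skip-checks)
        - name: skip-optional
          value: $(params.skip-optional)
        - name: pipelinerun-name
          value: $(context.pipelineRun.name)
        - name: pipelinerun-uid
          value: $(context.pipelineRun.uid)

    - name: clone-repository
      runAfter:
        - init
      when:
        - input: $(tasks.init.results.build)
          operator: in
          values: ['true']
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: git-clone-oci-ta
          - name: bundle
            value: >-
              quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:8ab0c7a7ac4a4c59740a24304e17cc64fe8745376d19396c4660fc0e1a957a1b
          - name: kind
            value: task
      params:
        - name: url
          value: $(params.git-url)
        - name: revision
          value: $(params.revision)
        # The location is derived from the output image reference with a
        # ".git" suffix.
        - name: ociStorage
          value: $(params.output-image).git
        - name: ociArtifactExpiresAfter
          value: $(params.image-expires-after)
      workspaces:
        - name: basic-auth
          workspace: git-auth

    # No explicit `when`: this task consumes clone-repository's SOURCE_ARTIFACT
    # result, so it cannot run when the clone was skipped.
    - name: prefetch-dependencies
      runAfter:
        - clone-repository
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: prefetch-dependencies-oci-ta
          - name: bundle
            value: >-
              quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.1@sha256:3e51d7c477ba00bd0c7de2d8f89269131646d2582e631b9aee91fb4b022d4555
          - name: kind
            value: task
      params:
        - name: input
          value: $(params.prefetch-input)
        - name: dev-package-managers
          value: $(params.prefetch-dev-package-managers-enabled)
        - name: SOURCE_ARTIFACT
          value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
        - name: ociStorage
          value: $(params.output-image).prefetch
        - name: ociArtifactExpiresAfter
          value: $(params.image-expires-after)

    - name: build-container-amd64
      runAfter:
        - prefetch-dependencies
      when:
        - input: $(tasks.init.results.build)
          operator: in
          values: ['true']
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: rpm-ostree-oci-ta
          - name: bundle
            value: >-
              quay.io/konflux-ci/tekton-catalog/task-rpm-ostree-oci-ta:0.2@sha256:ccf1b44d6fe6ac9a772a4072d6b143d367692f4cd355bfa0f0b73494614eed13
          - name: kind
            value: task
      params:
        - name: IMAGE
          value: $(params.output-image)-amd64
        - name: IMAGE_FILE
          value: $(params.image-file)
        - name: CONTEXT
          value: $(params.path-context)
        - name: IMAGE_EXPIRES_AFTER
          value: $(params.image-expires-after)
        - name: COMMIT_SHA
          value: $(tasks.clone-repository.results.commit)
        # NOTE(review): mutable tag. Unlike the task bundles, the builder
        # image is not pinned, so the tooling that produces the image can
        # change between runs without any change to this file. Prefer a
        # digest reference of the form
        #   quay.io/centos-bootc/bootc-image-builder@sha256:<DIGEST>
        # (<DIGEST> is a placeholder; take it from the reviewed image).
        - name: BUILDER_IMAGE
          value: 'quay.io/centos-bootc/bootc-image-builder:latest'
        - name: CONFIG_FILE
          value: $(params.config-file)
        - name: HERMETIC
          value: $(params.hermetic)
        - name: PLATFORM
          value: linux/amd64
        - name: SOURCE_ARTIFACT
          value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
        - name: CACHI2_ARTIFACT
          value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)

    - name: build-container-arm64
      runAfter:
        - prefetch-dependencies
      when:
        - input: $(tasks.init.results.build)
          operator: in
          values: ['true']
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: rpm-ostree-oci-ta
          # NOTE(review): same task name and version as build-container-amd64
          # but a different sha256 digest. Confirm that the two architectures
          # are meant to run different revisions of the task.
          - name: bundle
            value: >-
              quay.io/konflux-ci/tekton-catalog/task-rpm-ostree-oci-ta:0.2@sha256:f927e4cc7528554c8dd3ad2553b7ba94e664d0b6d373656785aeaa84cce34287
          - name: kind
            value: task
      params:
        - name: IMAGE
          value: $(params.output-image)-arm64
        - name: IMAGE_FILE
          value: $(params.image-file)
        - name: CONTEXT
          value: $(params.path-context)
        - name: IMAGE_EXPIRES_AFTER
          value: $(params.image-expires-after)
        - name: COMMIT_SHA
          value: $(tasks.clone-repository.results.commit)
        # NOTE(review): mutable `latest` tag, same concern as on
        # build-container-amd64; pin by digest
        # (...@sha256:<DIGEST>, placeholder) when possible.
        - name: BUILDER_IMAGE
          value: 'quay.io/centos-bootc/bootc-image-builder:latest'
        - name: CONFIG_FILE
          value: $(params.config-file)
        - name: HERMETIC
          value: $(params.hermetic)
        - name: PLATFORM
          value: linux/arm64
        - name: SOURCE_ARTIFACT
          value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
        - name: CACHI2_ARTIFACT
          value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)

    # Disabled per-architecture builds, kept as in the original file. Both
    # reuse the bundle digest of build-container-arm64 and the unpinned
    # BUILDER_IMAGE tag; re-check both before enabling them.
    # - name: build-container-ppc64le
    #   params:
    #     - name: IMAGE
    #       value: $(params.output-image)-ppc64le
    #     - name: IMAGE_FILE
    #       value: $(params.image-file)
    #     - name: CONTEXT
    #       value: $(params.path-context)
    #     - name: IMAGE_EXPIRES_AFTER
    #       value: $(params.image-expires-after)
    #     - name: COMMIT_SHA
    #       value: $(tasks.clone-repository.results.commit)
    #     - name: BUILDER_IMAGE
    #       value: 'quay.io/centos-bootc/bootc-image-builder:latest'
    #     - name: CONFIG_FILE
    #       value: $(params.config-file)
    #     - name: HERMETIC
    #       value: $(params.hermetic)
    #     - name: PLATFORM
    #       value: linux/ppc64le
    #     - name: SOURCE_ARTIFACT
    #       value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
    #     - name: CACHI2_ARTIFACT
    #       value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
    #   runAfter:
    #     - prefetch-dependencies
    #   taskRef:
    #     params:
    #       - name: name
    #         value: rpm-ostree-oci-ta
    #       - name: bundle
    #         value: >-
    #           quay.io/konflux-ci/tekton-catalog/task-rpm-ostree-oci-ta:0.2@sha256:f927e4cc7528554c8dd3ad2553b7ba94e664d0b6d373656785aeaa84cce34287
    #       - name: kind
    #         value: task
    #     resolver: bundles
    #   when:
    #     - input: $(tasks.init.results.build)
    #       operator: in
    #       values:
    #         - 'true'
    # - name: build-container-s390x
    #   params:
    #     - name: IMAGE
    #       value: $(params.output-image)-s390x
    #     - name: IMAGE_FILE
    #       value: $(params.image-file)
    #     - name: CONTEXT
    #       value: $(params.path-context)
    #     - name: IMAGE_EXPIRES_AFTER
    #       value: $(params.image-expires-after)
    #     - name: COMMIT_SHA
    #       value: $(tasks.clone-repository.results.commit)
    #     - name: BUILDER_IMAGE
    #       value: 'quay.io/centos-bootc/bootc-image-builder:latest'
    #     - name: CONFIG_FILE
    #       value: $(params.config-file)
    #     - name: HERMETIC
    #       value: $(params.hermetic)
    #     - name: PLATFORM
    #       value: linux/s390x
    #     - name: SOURCE_ARTIFACT
    #       value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
    #     - name: CACHI2_ARTIFACT
    #       value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
    #   runAfter:
    #     - prefetch-dependencies
    #   taskRef:
    #     params:
    #       - name: name
    #         value: rpm-ostree-oci-ta
    #       - name: bundle
    #         value: >-
    #           quay.io/konflux-ci/tekton-catalog/task-rpm-ostree-oci-ta:0.2@sha256:f927e4cc7528554c8dd3ad2553b7ba94e664d0b6d373656785aeaa84cce34287
    #       - name: kind
    #         value: task
    #     resolver: bundles
    #   when:
    #     - input: $(tasks.init.results.build)
    #       operator: in
    #       values:
    #         - 'true'

    # Combines the per-arch images into one manifest. Each entry in IMAGES is
    # an IMAGE_URL@IMAGE_DIGEST pair taken from the matching per-arch build.
    - name: build-container
      runAfter:
        - build-container-amd64
        - build-container-arm64
        # - build-container-ppc64le
        # - build-container-s390x
      when:
        - input: $(tasks.init.results.build)
          operator: in
          values: ['true']
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: build-image-manifest
          - name: bundle
            value: >-
              quay.io/konflux-ci/tekton-catalog/task-build-image-manifest:0.1@sha256:70dbecd03c96957b2a8f9137beb450509dbb17a69cc1b544872bc7290e6b7b5f
          - name: kind
            value: task
      params:
        - name: IMAGE
          value: $(params.output-image)
        - name: COMMIT_SHA
          value: $(tasks.clone-repository.results.commit)
        - name: IMAGES
          value:
            - >-
              $(tasks.build-container-amd64.results.IMAGE_URL)@$(tasks.build-container-amd64.results.IMAGE_DIGEST)
            - >-
              $(tasks.build-container-arm64.results.IMAGE_URL)@$(tasks.build-container-arm64.results.IMAGE_DIGEST)
            # - >-
            #   $(tasks.build-container-ppc64le.results.IMAGE_URL)@$(tasks.build-container-ppc64le.results.IMAGE_DIGEST)
            # - >-
            #   $(tasks.build-container-s390x.results.IMAGE_URL)@$(tasks.build-container-s390x.results.IMAGE_DIGEST)

    # Runs only when a build happened AND build-source-image is 'true'.
    - name: build-source-image
      runAfter:
        - build-container
      when:
        - input: $(tasks.init.results.build)
          operator: in
          values: ['true']
        - input: $(params.build-source-image)
          operator: in
          values: ['true']
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: source-build-oci-ta
          - name: bundle
            value: >-
              quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.1@sha256:26278e5373a726594975a9ec2f177a67e3674bbf905d7d317b9ea60ca7993978
          - name: kind
            value: task
      params:
        - name: BINARY_IMAGE
          value: $(params.output-image)
        - name: SOURCE_ARTIFACT
          value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
        - name: CACHI2_ARTIFACT
          value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)

    # No `runAfter` here: ordering after build-container comes from the
    # references to its IMAGE_URL / IMAGE_DIGEST results.
    - name: deprecated-base-image-check
      when:
        - input: $(params.skip-checks)
          operator: in
          values: ['false']
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: deprecated-image-check
          - name: bundle
            value: >-
              quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:5a1a165fa02270f0a947d8a2131ee9d8be0b8e9d34123828c2bef589e504ee84
          - name: kind
            value: task
      params:
        - name: IMAGE_URL
          value: $(tasks.build-container.results.IMAGE_URL)
        - name: IMAGE_DIGEST
          value: $(tasks.build-container.results.IMAGE_DIGEST)

    - name: clair-scan
      runAfter:
        - build-container
      when:
        - input: $(params.skip-checks)
          operator: in
          values: ['false']
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: clair-scan
          - name: bundle
            value: >-
              quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:0a5421111e7092740398691d5bd7c125cc0896f29531d19414bb5724ae41692a
          - name: kind
            value: task
      params:
        - name: image-digest
          value: $(tasks.build-container.results.IMAGE_DIGEST)
        - name: image-url
          value: $(tasks.build-container.results.IMAGE_URL)

    # NOTE(review): the only scan task without a skip-checks `when` guard, so
    # it is not disabled by skip-checks='true'. Confirm this is intentional
    # before "aligning" it with the other scanners.
    - name: rpms-signature-scan
      runAfter:
        - build-container
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: rpms-signature-scan
          - name: bundle
            value: >-
              quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:60da26522b733e0375ebe996abf4b3b7c41720ae2858f6332945da3b1a9fd87d
          - name: kind
            value: task
      params:
        - name: image-digest
          value: $(tasks.build-container.results.IMAGE_DIGEST)
        - name: image-url
          value: $(tasks.build-container.results.IMAGE_URL)

    - name: sast-snyk-check
      runAfter:
        - build-container
      when:
        - input: $(params.skip-checks)
          operator: in
          values: ['false']
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: sast-snyk-check-oci-ta
          - name: bundle
            value: >-
              quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:1119722a2d31b831d1aa336fd8cced0a5016c95466b6b59a58bbf3585735850f
          - name: kind
            value: task
      params:
        - name: image-digest
          value: $(tasks.build-container.results.IMAGE_DIGEST)
        - name: image-url
          value: $(tasks.build-container.results.IMAGE_URL)
        - name: SOURCE_ARTIFACT
          value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
        - name: CACHI2_ARTIFACT
          value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)

    - name: clamav-scan
      # The only task in this pipeline with an explicit timeout.
      timeout: '2h'
      runAfter:
        - build-container
      when:
        - input: $(params.skip-checks)
          operator: in
          values: ['false']
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: clamav-scan
          - name: bundle
            value: >-
              quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:6e08cf608240f57442ca5458f3c0dade3558f4f2953be8ea939232f5d5378d58
          - name: kind
            value: task
      params:
        - name: image-digest
          value: $(tasks.build-container.results.IMAGE_DIGEST)
        - name: image-url
          value: $(tasks.build-container.results.IMAGE_URL)

  finally:
    # Receives the amd64 image URL only; the arm64 image and the combined
    # manifest from build-container are not passed to this step.
    - name: show-sbom
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: show-sbom
          - name: bundle
            value: >-
              quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:945a7c9066d3e0a95d3fddb7e8a6992e4d632a2a75d8f3a9bd2ff2fef0ec9aa0
          - name: kind
            value: task
      params:
        - name: IMAGE_URL
          value: $(tasks.build-container-amd64.results.IMAGE_URL)

    - name: show-summary
      taskRef:
        resolver: bundles
        params:
          - name: name
            value: summary
          - name: bundle
            value: >-
              quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:870d9a04d9784840a90b7bf6817cd0d0c4edfcda04b1ba1868cae625a3c3bfcc
          - name: kind
            value: task
      params:
        - name: pipelinerun-name
          value: $(context.pipelineRun.name)
        # Cloned URL with the resolved commit appended as a `rev` query value.
        - name: git-url
          value: >-
            $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit)
        - name: image-url
          value: $(params.output-image)
        - name: build-task-status
          value: $(tasks.build-container.status)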