From c5831b5c4e9da29a9eeb9e870cb90dd57ae7eca5 Mon Sep 17 00:00:00 2001
From: Scott Hebert
Date: Mon, 27 Jan 2025 11:43:00 -0500
Subject: [PATCH] feat(RELEASE-1387): test pipeline
Signed-off-by: Scott Hebert
---
 .../rh-advisories/rh-advisories-oci-ta.yaml | 206 ++++++++++++++++++
 .../managed/apply-mapping/apply-mapping.yaml | 4 +
 tasks/managed/collect-data/collect-data.yaml | 2 +
 .../reduce-snapshot/reduce-snapshot.yaml | 15 +-
 4 files changed, 226 insertions(+), 1 deletion(-)
 create mode 100644 pipelines/managed/rh-advisories/rh-advisories-oci-ta.yaml
diff --git a/pipelines/managed/rh-advisories/rh-advisories-oci-ta.yaml b/pipelines/managed/rh-advisories/rh-advisories-oci-ta.yaml
new file mode 100644
index 000000000..1f79d72a3
--- /dev/null
+++ b/pipelines/managed/rh-advisories/rh-advisories-oci-ta.yaml
@@ -0,0 +1,206 @@
+---
+apiVersion: tekton.dev/v1
+kind: Pipeline
+metadata:
+ name: rh-advisories
+ labels:
+ app.kubernetes.io/version: "1.8.2"
+ annotations:
+ tekton.dev/pipelines.minVersion: "0.12.1"
+ tekton.dev/tags: release
+spec:
+ description: >-
+ Tekton pipeline to release content to registry.redhat.io and create an advisory
+ params:
+ - name: release
+ type: string
+ description:
+ The namespaced name (namespace/name) of the Release custom resource initiating this pipeline execution
+ - name: releasePlan
+ type: string
+ description: The namespaced name (namespace/name) of the releasePlan
+ - name: releasePlanAdmission
+ type: string
+ description: The namespaced name (namespace/name) of the releasePlanAdmission
+ - name: releaseServiceConfig
+ type: string
+ description: The namespaced name (namespace/name) of the releaseServiceConfig
+ - name: snapshot
+ type: string
+ description: The namespaced name (namespace/name) of the snapshot
+ - name: enterpriseContractPolicy
+ type: string
+ description: JSON representation of the EnterpriseContractPolicy
+ - name: enterpriseContractExtraRuleData
+ type: string
+ description: |
+ Extra rule data to be merged into the policy specified in params.enterpriseContractPolicy. Use syntax
+ "key1=value1,key2=value2..."
+ default: "pipeline_intention=release"
+ - name: enterpriseContractTimeout
+ type: string
+ description: Timeout setting for `ec validate`
+ default: 8h0m0s
+ - name: enterpriseContractWorkerCount
+ type: string
+ description: Number of parallel workers for policy evaluation
+ default: 4
+ - name: postCleanUp
+ type: string
+ description: Cleans up workspace after finishing executing the pipeline
+ default: "true"
+ - name: verify_ec_task_bundle
+ type: string
+ description: The location of the bundle containing the verify-enterprise-contract task
+ - name: taskGitUrl
+ type: string
+ description: The url to the git repo where the release-service-catalog tasks to be used are stored
+ default: https://github.com/konflux-ci/release-service-catalog.git
+ - name: taskGitRevision
+ type: string
+ description: The revision in the taskGitUrl repo to be used
+ - name: ociStorage
+ type: string
+ default: quay.io/scoheb/trusted-artifacts
+ workspaces:
+ - name: release-workspace
+ tasks:
+ - name: verify-access-to-resources
+ taskRef:
+ resolver: "git"
+ params:
+ - name: url
+ value: $(params.taskGitUrl)
+ - name: revision
+ value: $(params.taskGitRevision)
+ - name: pathInRepo
+ value: tasks/managed/verify-access-to-resources/verify-access-to-resources.yaml
+ params:
+ - name: release
+ value: $(params.release)
+ - name: releasePlan
+ value: $(params.releasePlan)
+ - name: releasePlanAdmission
+ value: $(params.releasePlanAdmission)
+ - name: releaseServiceConfig
+ value: $(params.releaseServiceConfig)
+ - name: snapshot
+ value: $(params.snapshot)
+ - name: requireInternalServices
+ value: "true"
+ - name: ociStorage
+ value: $(params.ociStorage)
+ - name: collect-data
+ taskRef:
+ resolver: "git"
+ params:
+ - name: url
+ value: $(params.taskGitUrl)
+ - name: revision
+ value: $(params.taskGitRevision)
+ - name: pathInRepo
+ value: tasks/managed/collect-data/collect-data.yaml
+ params:
+ - name: release
+ value: $(params.release)
+ - name: releasePlan
+ value: $(params.releasePlan)
+ - name: releasePlanAdmission
+ value: $(params.releasePlanAdmission)
+ - name: releaseServiceConfig
+ value: $(params.releaseServiceConfig)
+ - name: snapshot
+ value: $(params.snapshot)
+ - name: subdirectory
+ value: $(context.pipelineRun.uid)
+ - name: ociStorage
+ value: $(params.ociStorage)
+ workspaces:
+ - name: data
+ workspace: release-workspace
+ runAfter:
+ - verify-access-to-resources
+ - name: reduce-snapshot
+ taskRef:
+ resolver: "git"
+ params:
+ - name: url
+ value: $(params.taskGitUrl)
+ - name: revision
+ value: $(params.taskGitRevision)
+ - name: pathInRepo
+ value: tasks/managed/reduce-snapshot/reduce-snapshot.yaml
+ params:
+ - name: SNAPSHOT
+ value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec)
+ - name: SINGLE_COMPONENT
+ value: $(tasks.collect-data.results.singleComponentMode)
+ - name: SINGLE_COMPONENT_CUSTOM_RESOURCE
+ value: snapshot/$(tasks.collect-data.results.snapshotName)
+ - name: SINGLE_COMPONENT_CUSTOM_RESOURCE_NS
+ value: $(tasks.collect-data.results.snapshotNamespace)
+ - name: SNAPSHOT_PATH
+ value: $(workspaces.data.path)/$(tasks.collect-data.results.snapshotSpec)
+ - name: ociStorage
+ value: $(params.ociStorage)
+ - name: SOURCE_DATA_ARTIFACT
+ value: "$(tasks.collect-data.results.SOURCE_DATA_ARTIFACT)=$(workspaces.data.path)/reduce-snapshot"
+ workspaces:
+ - name: data
+ workspace: release-workspace
+ runAfter:
+ - collect-data
+ - name: extract-requester-from-release
+ taskRef:
+ resolver: "git"
+ params:
+ - name: url
+ value: $(params.taskGitUrl)
+ - name: revision
+ value: $(params.taskGitRevision)
+ - name: pathInRepo
+ value: hub/kubernetes-actions/kubernetes-actions.yaml
+ params:
+ - name: image
+ value: "quay.io/hacbs-release/cloud-builders-kubectl\
+ @sha256:8ab94be8b2b4f3d117f02d868b39540fddd225447abf4014f7ba4765cb39f753"
+ - name: script
+ value: |
+ set -x
+
+ NAMESPACE=$(echo $(params.release) | cut -d '/' -f 1)
+ NAME=$(echo $(params.release) | cut -d '/' -f 2)
+
+ AUTHOR=$(kubectl get release ${NAME} -n ${NAMESPACE} \
+ -o=jsonpath='{.status.attribution.author}' | tee $(results.output-result.path))
+
+ if [[ ${AUTHOR} == "" ]] ; then exit 1 ; fi
+ runAfter:
+ - verify-access-to-resources
+ - name: apply-mapping
+ retries: 3
+ taskRef:
+ resolver: "git"
+ params:
+ - name: url
+ value: $(params.taskGitUrl)
+ - name: revision
+ value: $(params.taskGitRevision)
+ - name: pathInRepo
+ value: tasks/managed/apply-mapping/apply-mapping.yaml
+ params:
+ - name: failOnEmptyResult
+ value: "true"
+ - name: dataPath
+ value: "$(tasks.collect-data.results.data)"
+ - name: snapshotPath
+ value: "$(tasks.collect-data.results.snapshotSpec)"
+ - name: ociStorage
+ value: $(params.ociStorage)
+ - name: SOURCE_DATA_ARTIFACT
+ value: "$(tasks.reduce-snapshot.results.SOURCE_DATA_ARTIFACT)=$(workspaces.data.path)"
+ workspaces:
+ - name: config
+ workspace: release-workspace
+ runAfter:
+ - reduce-snapshot
diff --git a/tasks/managed/apply-mapping/apply-mapping.yaml b/tasks/managed/apply-mapping/apply-mapping.yaml
index c5762b518..6a20ef5bb 100644
--- a/tasks/managed/apply-mapping/apply-mapping.yaml
+++ b/tasks/managed/apply-mapping/apply-mapping.yaml
@@ -50,6 +50,8 @@ spec:
 env:
 - name: "ORAS_OPTIONS"
 value: "--insecure"
+ - name: "HOME"
+ value: "/tekton/home"
 computeResources: {}
 image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:ff35e09ff5c89e54538b50abae241a765b2b7868f05d62c4835bebf0978f3659
 - name: apply-mapping
@@ -388,3 +390,5 @@ spec:
 value: $(params.ociArtifactExpiresAfter)
 - name: "ORAS_OPTIONS"
 value: "--insecure"
+ - name: "HOME"
+ value: "/tekton/home"
diff --git a/tasks/managed/collect-data/collect-data.yaml b/tasks/managed/collect-data/collect-data.yaml
index 899e5bf16..e2909c684 100644
--- a/tasks/managed/collect-data/collect-data.yaml
+++ b/tasks/managed/collect-data/collect-data.yaml
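Review bot: The `ociStorage` param in the new pipeline defaults to `quay.io/scoheb/trusted-artifacts`, which reads as a personal quay.io namespace, and it is the only pipeline param without a description; unless the caller overrides it, every task that receives `ociStorage` here would presumably keep its trusted artifacts in that repository. For a pipeline under `pipelines/managed/` I would drop the default so the repository has to be supplied explicitly, and add `description: OCI repository used to store trusted artifacts between tasks`. Separately, the `extract-requester-from-release` script has `$(params.release)` substituted into the shell text before it runs and leaves `${NAME}` and `${NAMESPACE}` unquoted, so the value is parsed as shell rather than treated as data. Checking the `namespace/name` shape before it is used, or handing the value to the step as an environment variable if the referenced task allows it, would keep it as data.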
@@ -261,3 +261,5 @@ spec:
 value: $(params.ociArtifactExpiresAfter)
 - name: "ORAS_OPTIONS"
 value: "--insecure"
+ - name: "HOME"
+ value: "/tekton/home"
diff --git a/tasks/managed/reduce-snapshot/reduce-snapshot.yaml b/tasks/managed/reduce-snapshot/reduce-snapshot.yaml
index b96440833..4a3b91ffe 100644
--- a/tasks/managed/reduce-snapshot/reduce-snapshot.yaml
+++ b/tasks/managed/reduce-snapshot/reduce-snapshot.yaml
@@ -46,13 +46,24 @@ spec:
 - name: data
 description: Workspace to save the CR jsons to
 steps:
+ - name: check-workspace
+ image: quay.io/konflux-ci/release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f
+ script: |
+ #!/usr/bin/env bash
+ set -x
+ ls -ld "$(workspaces.data.path)"
+ ls -lR "$(workspaces.data.path)"
 - name: use-trusted-artifact
 args:
 - use
- $(params.SOURCE_DATA_ARTIFACT)=$(workspaces.data.path)
+ - $(params.SOURCE_DATA_ARTIFACT)=$(workspaces.data.path)/reduce-snapshot
 env:
 - name: "ORAS_OPTIONS"
 value: "--insecure"
+ - name: "HOME"
+ value: "/tekton/home"
+ - name: "DEBUG"
+ value: "1"
 computeResources: {}
 image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:ff35e09ff5c89e54538b50abae241a765b2b7868f05d62c4835bebf0978f3659
 - name: reduce
@@ -83,3 +94,5 @@ spec:
 value: $(params.ociArtifactExpiresAfter)
 - name: "ORAS_OPTIONS"
 value: "--insecure"
+ - name: "HOME"
+ value: "/tekton/home"
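Review bot: The `check-workspace` step and the `DEBUG` env entry added to `use-trusted-artifact` in reduce-snapshot.yaml look like debugging aids left in the task: with `set -x` and `ls -lR "$(workspaces.data.path)"`, every run writes a recursive listing of the workspace to the step log. The step's image is also referenced by tag, `release-service-utils:e633d51cd41d73e4b3310face21bb980af7a662f`, while the neighbouring step pins `build-trusted-artifacts` with `@sha256:`; a tag can be re-pointed, so the digest form `quay.io/konflux-ci/release-service-utils@sha256:<digest>` would be consistent with it. I would remove the step and the `DEBUG` entry before merge, or put them behind a task param that is off by default. The `steps` list continues outside the hunk.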