apiVersion: tekton.dev/v1 kind: PipelineRun metadata: annotations: build.appstudio.openshift.io/repo: https://github.com/osbuild/image-builder-frontend?rev={{revision}} build.appstudio.redhat.com/commit_sha: '{{revision}}' build.appstudio.redhat.com/target_branch: '{{target_branch}}' pipelinesascode.tekton.dev/max-keep-runs: "3" pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main" creationTimestamp: null labels: appstudio.openshift.io/application: insights-image-builder appstudio.openshift.io/component: image-builder-frontend pipelines.appstudio.openshift.io/type: build name: image-builder-frontend-on-push namespace: insights-management-tenant spec: params: - name: git-url value: '{{source_url}}' - name: revision value: '{{revision}}' - name: output-image value: quay.io/redhat-user-workloads/insights-management-tenant/insights-image-builder/image-builder-frontend:{{revision}} - name: dockerfile value: Dockerfile - name: path-context value: . pipelineSpec: description: | This pipeline is ideal for building container images from a Containerfile while reducing network traffic. _Uses `buildah` to create a container image. It also optionally creates a source image and runs some build-time tests. EC will flag a violation for [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) if any tasks are added to the pipeline. This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build?tab=tags)_ finally: - name: show-sbom params: - name: IMAGE_URL value: $(tasks.build-image-index.results.IMAGE_URL) taskRef: params: - name: name value: show-sbom - name: bundle value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:9bfc6b99ef038800fe131d7b45ff3cd4da3a415dd536f7c657b3527b01c4a13b - name: kind value: task resolver: bundles - name: show-summary params: - name: pipelinerun-name value: $(context.pipelineRun.name) - name: git-url value: $(tasks.clone-repository.results.url)?rev=$(tasks.clone-repository.results.commit) - name: image-url value: $(params.output-image) - name: build-task-status value: $(tasks.build-image-index.status) taskRef: params: - name: name value: summary - name: bundle value: quay.io/konflux-ci/tekton-catalog/task-summary:0.2@sha256:d97c04ab42f277b1103eb6f3a053b247849f4f5b3237ea302a8ecada3b24e15b - name: kind value: task resolver: bundles workspaces: - name: workspace workspace: workspace params: - description: Source Repository URL name: git-url type: string - default: "" description: Revision of the Source Repository name: revision type: string - description: Fully Qualified Output Image name: output-image type: string - default: . description: Path to the source code of an application's component from where to build image. name: path-context type: string - default: Dockerfile description: Path to the Dockerfile inside the context specified by parameter path-context name: dockerfile type: string - default: "false" description: Force rebuild image name: rebuild type: string - default: "false" description: Skip checks against built image name: skip-checks type: string - default: "false" description: Execute the build with network isolation name: hermetic type: string - default: "" description: Build dependencies to be prefetched by Cachi2 name: prefetch-input type: string - default: "" description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after - default: "false" description: Build a source image. name: build-source-image type: string - default: "false" description: Add built image into an OCI image index name: build-image-index type: string - default: [] description: Array of --build-arg values ("arg=value" strings) for buildah name: build-args type: array - default: "" description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file name: build-args-file type: string results: - description: "" name: IMAGE_URL value: $(tasks.build-image-index.results.IMAGE_URL) - description: "" name: IMAGE_DIGEST value: $(tasks.build-image-index.results.IMAGE_DIGEST) - description: "" name: CHAINS-GIT_URL value: $(tasks.clone-repository.results.url) - description: "" name: CHAINS-GIT_COMMIT value: $(tasks.clone-repository.results.commit) tasks: - name: init params: - name: image-url value: $(params.output-image) - name: rebuild value: $(params.rebuild) - name: skip-checks value: $(params.skip-checks) taskRef: params: - name: name value: init - name: bundle value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:092c113b614f6551113f17605ae9cb7e822aa704d07f0e37ed209da23ce392cc - name: kind value: task resolver: bundles - name: clone-repository params: - name: url value: $(params.git-url) - name: revision value: $(params.revision) runAfter: - init taskRef: params: - name: name value: git-clone - name: bundle value: quay.io/konflux-ci/tekton-catalog/task-git-clone:0.1@sha256:2cccdf8729ad4d5adf65e8b66464f8efa1e1c87ba16d343b4a6c621a2a40f7e1 - name: kind value: task resolver: bundles when: - input: $(tasks.init.results.build) operator: in values: - "true" workspaces: - name: output workspace: workspace - name: basic-auth workspace: git-auth - name: prefetch-dependencies params: - name: input value: $(params.prefetch-input) runAfter: - clone-repository taskRef: params: - name: name value: prefetch-dependencies - name: bundle value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies:0.1@sha256:fe7234e3824d1e65d6a7aac352e7a6bbce623d90d8d7da9aceeee108ad2c61be - name: kind value: task resolver: bundles when: - input: $(params.prefetch-input) operator: notin values: - "" workspaces: - name: source workspace: workspace - name: git-basic-auth workspace: git-auth - name: netrc workspace: netrc - name: build-container params: - name: IMAGE value: $(params.output-image) - name: DOCKERFILE value: $(params.dockerfile) - name: CONTEXT value: $(params.path-context) - name: HERMETIC value: $(params.hermetic) - name: PREFETCH_INPUT value: $(params.prefetch-input) - name: IMAGE_EXPIRES_AFTER value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) - name: BUILD_ARGS value: - $(params.build-args[*]) - name: BUILD_ARGS_FILE value: $(params.build-args-file) runAfter: - prefetch-dependencies taskRef: params: - name: name value: buildah - name: bundle value: quay.io/konflux-ci/tekton-catalog/task-buildah:0.2@sha256:67f0290a8ad9a147cd28bb06af182b3e4b2b3ef17070196d476d8e2ae4302ecf - name: kind value: task resolver: bundles when: - input: $(tasks.init.results.build) operator: in values: - "true" workspaces: - name: source workspace: workspace - name: build-image-index params: - name: IMAGE value: $(params.output-image) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) - name: IMAGE_EXPIRES_AFTER value: $(params.image-expires-after) - name: ALWAYS_BUILD_INDEX value: $(params.build-image-index) - name: IMAGES value: - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) runAfter: - build-container taskRef: params: - name: name value: build-image-index - name: bundle value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:327d745a58c1589b0ff196ed526d12a8a0a20ae22fd1c9dd1577b850a977dc3b - name: kind value: task resolver: bundles when: - input: $(tasks.init.results.build) operator: in values: - "true" - name: build-source-image params: - name: BINARY_IMAGE value: $(params.output-image) runAfter: - build-image-index taskRef: params: - name: name value: source-build - name: bundle value: quay.io/konflux-ci/tekton-catalog/task-source-build:0.1@sha256:21cb5ebaff7a9216903cf78933dc4ec4dd6283a52636b16590a5f52ceb278269 - name: kind value: task resolver: bundles when: - input: $(tasks.init.results.build) operator: in values: - "true" - input: $(params.build-source-image) operator: in values: - "true" workspaces: - name: workspace workspace: workspace - name: deprecated-base-image-check params: - name: IMAGE_URL value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - build-image-index taskRef: params: - name: name value: deprecated-image-check - name: bundle value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.4@sha256:b4f9599f5770ea2e6e4d031224ccc932164c1ecde7f85f68e16e99c98d754003 - name: kind value: task resolver: bundles when: - input: $(params.skip-checks) operator: in values: - "false" - name: clair-scan params: - name: image-digest value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - build-image-index taskRef: params: - name: name value: clair-scan - name: bundle value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:28fee4bf5da87f2388c973d9336086749cad8436003f9a514e22ac99735e056b - name: kind value: task resolver: bundles when: - input: $(params.skip-checks) operator: in values: - "false" - name: ecosystem-cert-preflight-checks params: - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - build-image-index taskRef: params: - name: name value: ecosystem-cert-preflight-checks - name: bundle value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.1@sha256:5131cce0f93d0b728c7bcc0d6cee4c61d4c9f67c6d619c627e41e3c9775b497d - name: kind value: task resolver: bundles when: - input: $(params.skip-checks) operator: in values: - "false" - name: sast-snyk-check params: - name: image-digest value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - build-image-index taskRef: params: - name: name value: sast-snyk-check - name: bundle value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check:0.2@sha256:c1ea706405f9ae146e31baef4abfea49b1e855a75bfc44c33eb0eb29516831b3 - name: kind value: task resolver: bundles when: - input: $(params.skip-checks) operator: in values: - "false" workspaces: - name: workspace workspace: workspace - name: clamav-scan params: - name: image-digest value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - build-image-index taskRef: params: - name: name value: clamav-scan - name: bundle value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.1@sha256:1e29eebe916b81b7100138d62db0e03e22d03657274d37041c59cbaca5fdbf7d - name: kind value: task resolver: bundles when: - input: $(params.skip-checks) operator: in values: - "false" - name: apply-tags params: - name: IMAGE value: $(tasks.build-image-index.results.IMAGE_URL) runAfter: - build-image-index taskRef: params: - name: name value: apply-tags - name: bundle value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:f485e250fb060060892b633c495a3d7e38de1ec105ae1be48608b0401530ab2c - name: kind value: task resolver: bundles - name: push-dockerfile params: - name: IMAGE value: $(tasks.build-image-index.results.IMAGE_URL) - name: IMAGE_DIGEST value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: DOCKERFILE value: $(params.dockerfile) - name: CONTEXT value: $(params.path-context) runAfter: - build-image-index taskRef: params: - name: name value: push-dockerfile - name: bundle value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile:0.1@sha256:674e70f7d724aaf1dd631ba9be2998ab0305fb3e0d9ec361351cc5e57bcdd3ec - name: kind value: task resolver: bundles workspaces: - name: workspace workspace: workspace - name: rpms-signature-scan params: - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) - name: image-digest value: $(tasks.build-image-index.results.IMAGE_DIGEST) runAfter: - build-image-index taskRef: params: - name: name value: rpms-signature-scan - name: bundle value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:7aa4d3c95e2b963e82fdda392f7cb3d61e3dab035416cf4a3a34e43cf3c9c9b8 - name: kind value: task resolver: bundles when: - input: $(params.skip-checks) operator: in values: - "false" workspaces: - name: workspace - name: git-auth optional: true - name: netrc optional: true taskRunTemplate: {} workspaces: - name: workspace volumeClaimTemplate: metadata: creationTimestamp: null spec: accessModes: - ReadWriteOnce resources: requests: storage: 1Gi status: {} - name: git-auth secret: secretName: '{{ git_auth_secret }}' status: {}