From e1045725711198e448ec6ec6d292a26876384359 Mon Sep 17 00:00:00 2001 From: red-hat-konflux Date: Thu, 25 Sep 2025 11:01:44 +0000 Subject: [PATCH 01/22] Red Hat Konflux update agent-helm-build Signed-off-by: red-hat-konflux --- .tekton/agent-helm-build-pull-request.yaml | 597 +++++++++++++++++++++ .tekton/agent-helm-build-push.yaml | 594 ++++++++++++++++++++ 2 files changed, 1191 insertions(+) create mode 100644 .tekton/agent-helm-build-pull-request.yaml create mode 100644 .tekton/agent-helm-build-push.yaml diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml new file mode 100644 index 000000000..9576993d6 --- /dev/null +++ b/.tekton/agent-helm-build-pull-request.yaml 
@@ -0,0 +1,597 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/rh-gitops-midstream/release?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "true" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "main" && ( "sources/argocd-agent/***".pathChanged() || ".tekton/agent-helm-build-pull-request.yaml".pathChanged() + ) + creationTimestamp: null + labels: + appstudio.openshift.io/application: test-argocd-agent-helmchart + appstudio.openshift.io/component: agent-helm-build + pipelines.appstudio.openshift.io/type: build + name: agent-helm-build-on-pull-request + namespace: rh-openshift-gitops-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/agent-helm-build:on-pr-{{revision}} + - name: image-expires-after + value: 5d + - name: dockerfile + value: Dockerfile + - name: path-context + value: sources/argocd-agent + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. 
EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. 
+ name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:ec962d0be18f36ca7d331c99bf243800f569fc0a2ea6f8c8c3d3a574b71c44dc + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:3f1b468066b301083d8550e036f5a654fcb064810bd29eb06fec6d8ad3e35b9c + - name: kind + value: task + resolver: bundles + when: + - input: 
$(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:dc82a7270aace9b1c26f7e96f8ccab2752e53d32980c41a45e1733baad76cde6 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) + - name: SOURCE_URL + value: $(tasks.clone-repository.results.url) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.5@sha256:fdd3f39c8ea97de0d77bcde160704dbd33fdcb9cd235836927bbb170aaefb80f + - name: kind + value: 
task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:79784d53749584bc5a8de32142ec4e2f01cdbf42c20d94e59280e0b927c8597d + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:b0d6cb28a23f20db4f5cf78ed78ae3a91b9a5adfe989696ed0bbc63840a485b6 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + 
taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:1d07d16810c26713f3d875083924d93697900147364360587ccb5a63f2c31012 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:a7cc183967f89c4ac100d04ab8f81e54733beee60a0528208107c9a22d3c43af + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:dae8e28761cee4ab0baf04ab9f8f1a4b3cee3c7decf461fda2bacc5c01652a60 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:783f5de1b4def2fb3fad20b914f4b3afee46ffb8f652114946e321ef3fa86449 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:b0bd59748cda4a7abf311e4f448e6c1d00c6b6d8c0ecc1c2eb33e08dc0e0b802 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:cdbe1a968676e4f5519b082bf1e27a4cdcf66dd60af66dbc26b3e604f957f7e9 + - 
name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:db2b267dc15e4ed17f704ee91b8e9b38068e1a35b1018a328fdca621819d74c6 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:bf7bdde00b7212f730c1356672290af6f38d070da2c8a316987b5c32fd49e0b9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:a2bde66f6b4164620298c7d709b8f08515409404000fa1dc2260d2508b135651 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:f44be1bf0262471f2f503f5e19da5f0628dcaf968c86272a2ad6b4871e708448 + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:49f778479f468e71c2cfef722e96aa813d7ef98bde8a612e1bf1a13cd70849ec + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:49ff6d117c3e9dc3966d1244e118e168b3501742ec14c3a4161a276ff48d04d5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + 
values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: + serviceAccountName: build-pipeline-agent-helm-build + workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/.tekton/agent-helm-build-push.yaml b/.tekton/agent-helm-build-push.yaml new file mode 100644 index 000000000..953f3733f --- /dev/null +++ b/.tekton/agent-helm-build-push.yaml 
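Review bot: The pull-request run leaves `hermetic` at its default `"false"` and passes no `prefetch-input`, so the `build-container` step (buildah-oci-ta) runs with network access and any dependency the Dockerfile pulls is fetched at build time rather than recorded up front, which undercuts the trusted-artifact provenance the pipeline description promises. If the Helm chart build in `sources/argocd-agent` can be made self-contained (the Dockerfile is not in this hunk, so this needs confirming), add `- name: hermetic` / `value: "true"` to `spec.params` together with a `prefetch-input` describing the dependency manager, so Conforma can attest that no unpinned network fetches happened. `build-source-image` also stays `"false"`, meaning no source image is published alongside the binary image; enabling it is cheap and gives downstream consumers the source provenance for the Helm artefact. The identically structured push pipeline in the second file shares these defaults and should be changed in lockstep.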
@@ -0,0 +1,594 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/rh-gitops-midstream/release?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "false" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch + == "main" && ( "sources/argocd-agent/***".pathChanged() || ".tekton/agent-helm-build-push.yaml".pathChanged() + ) + creationTimestamp: null + labels: + appstudio.openshift.io/application: test-argocd-agent-helmchart + appstudio.openshift.io/component: agent-helm-build + pipelines.appstudio.openshift.io/type: build + name: agent-helm-build-on-push + namespace: rh-openshift-gitops-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/agent-helm-build:{{revision}} + - name: dockerfile + value: Dockerfile + - name: path-context + value: sources/argocd-agent + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. 
+ This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. 
+ name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:ec962d0be18f36ca7d331c99bf243800f569fc0a2ea6f8c8c3d3a574b71c44dc + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:3f1b468066b301083d8550e036f5a654fcb064810bd29eb06fec6d8ad3e35b9c + - name: kind + value: task + resolver: bundles + when: + - input: 
$(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:dc82a7270aace9b1c26f7e96f8ccab2752e53d32980c41a45e1733baad76cde6 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + - name: build-container + params: + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: PRIVILEGED_NESTED + value: $(params.privileged-nested) + - name: SOURCE_URL + value: $(tasks.clone-repository.results.url) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: buildah-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.5@sha256:fdd3f39c8ea97de0d77bcde160704dbd33fdcb9cd235836927bbb170aaefb80f + - name: kind + value: 
task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + runAfter: + - build-container + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:79784d53749584bc5a8de32142ec4e2f01cdbf42c20d94e59280e0b927c8597d + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:b0d6cb28a23f20db4f5cf78ed78ae3a91b9a5adfe989696ed0bbc63840a485b6 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + 
taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:1d07d16810c26713f3d875083924d93697900147364360587ccb5a63f2c31012 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:a7cc183967f89c4ac100d04ab8f81e54733beee60a0528208107c9a22d3c43af + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:dae8e28761cee4ab0baf04ab9f8f1a4b3cee3c7decf461fda2bacc5c01652a60 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:783f5de1b4def2fb3fad20b914f4b3afee46ffb8f652114946e321ef3fa86449 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:b0bd59748cda4a7abf311e4f448e6c1d00c6b6d8c0ecc1c2eb33e08dc0e0b802 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:cdbe1a968676e4f5519b082bf1e27a4cdcf66dd60af66dbc26b3e604f957f7e9 + - 
name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:db2b267dc15e4ed17f704ee91b8e9b38068e1a35b1018a328fdca621819d74c6 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:bf7bdde00b7212f730c1356672290af6f38d070da2c8a316987b5c32fd49e0b9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: 
quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:a2bde66f6b4164620298c7d709b8f08515409404000fa1dc2260d2508b135651 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:f44be1bf0262471f2f503f5e19da5f0628dcaf968c86272a2ad6b4871e708448 + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:49f778479f468e71c2cfef722e96aa813d7ef98bde8a612e1bf1a13cd70849ec + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:49ff6d117c3e9dc3966d1244e118e168b3501742ec14c3a4161a276ff48d04d5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + 
values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: + serviceAccountName: build-pipeline-agent-helm-build + workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} From c25d9bd35056c21a56a0c201e534b58511f836dd Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Thu, 9 Oct 2025 15:38:26 +0530 Subject: [PATCH 02/22] update pipeline to use build-helm-chart chart Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 86 ++++++------------- .../argocd-agent-agent/downstream-values.yaml | 38 ++++++++ .../argocd-agent-agent/pr-redhat-values.yaml | 38 ++++++++ .../argocd-agent-agent/update-values-file.sh | 20 +++++ 4 files changed, 124 insertions(+), 58 deletions(-) create mode 100644 helm-chart/argocd-agent-agent/downstream-values.yaml create mode 100644 helm-chart/argocd-agent-agent/pr-redhat-values.yaml create mode 100644 helm-chart/argocd-agent-agent/update-values-file.sh diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index 9576993d6..24f2af6b8 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -9,7 +9,11 @@ metadata: pipelinesascode.tekton.dev/cancel-in-progress: "true" pipelinesascode.tekton.dev/max-keep-runs: "3" pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch - == "main" && ( "sources/argocd-agent/***".pathChanged() || ".tekton/agent-helm-build-pull-request.yaml".pathChanged() + == "main" && + ( + "sources/argocd-agent/***".pathChanged() || + ".tekton/agent-helm-build-pull-request.yaml".pathChanged() || + "helm-chart/***.pathChanged()" ) creationTimestamp: null labels: 
@@ -25,7 +29,9 @@ spec: - name: revision value: '{{revision}}' - name: output-image - value: quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/agent-helm-build:on-pr-{{revision}} + value: quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/agent-helm-build:on-pr-{{pull_request_number}}-{{revision}} + - name: target_branch + value: '{{target_branch}}' - name: image-expires-after value: 5d - name: dockerfile @@ -101,6 +107,10 @@ spec: VMs name: privileged-nested type: string + - default: "sources/argocd-agent/install/helm-repo/argocd-agent-agent" + description: directory where the chart is stored + name: CHART_CONTEXT + type: string results: - description: "" name: IMAGE_URL 
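Review bot: The new `target_branch` PipelineRun param is not declared under `pipelineSpec.params` anywhere in this commit (the next hunk adds only `CHART_CONTEXT`), yet the build-helm-chart task later in the same patch reads `$(params.target_branch)`; Tekton rejects a pipelineSpec that references an undeclared param, so unless a declaration exists outside these hunks the run will fail validation. The name also breaks the kebab-case convention of every sibling param (`git-url`, `output-image`, `path-context`). I would add `- name: target-branch` / `type: string` / `description: branch the chart is built against` under `pipelineSpec.params` and reference it as `$(params.target-branch)`.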
@@ -187,43 +197,29 @@ spec: workspace: git-auth - name: netrc workspace: netrc - - name: build-container + - name: build-helm-chart params: + - name: CHART_CONTEXT + value: $(params.chart-context) - name: IMAGE value: $(params.output-image) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) - - name: BUILD_ARGS - value: - - $(params.build-args[*]) - - name: BUILD_ARGS_FILE - value: $(params.build-args-file) - - name: PRIVILEGED_NESTED - value: $(params.privileged-nested) - - name: SOURCE_URL - value: $(tasks.clone-repository.results.url) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + - name: RELEASE_BRANCH + value: $(params.target_branch) + - name: VALUES_FILES + value: + - "pr-values.yaml" runAfter: - prefetch-dependencies taskRef: params: - name: name - value: buildah-oci-ta + value: build-helm-chart-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.5@sha256:fdd3f39c8ea97de0d77bcde160704dbd33fdcb9cd235836927bbb170aaefb80f + value: quay.io/konflux-ci/tekton-catalog/task-build-helm-chart-oci-ta:0.3@sha256:5ba1f6a566e332533f1214abd750e47bf1608e8763e498c51f8600a40c4a67db - name: kind value: task resolver: bundles @@ -232,6 +228,10 @@ spec: operator: in values: - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" - name: build-image-index params: - name: IMAGE 
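Review bot: `VALUES_FILES` names `pr-values.yaml`, but the file this commit adds is `helm-chart/argocd-agent-agent/pr-redhat-values.yaml` and `update-values-file.sh` writes to `PR-values.yaml`; none of the three spellings agree, so the chart build will either not find the values file or build with the unpatched tag. Pick one name (the added file's, `"pr-redhat-values.yaml"`) and use it in all three places. It is also worth confirming whether `VALUES_FILES` entries are resolved relative to `CHART_CONTEXT` (`sources/argocd-agent/install/helm-repo/argocd-agent-agent`) rather than the repository root, since the added values files live under `helm-chart/` outside that directory; the hunk does not show how the task resolves them.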
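Review bot: The `when` entry added at `@@ -232,6 +228,10 @@` gates the build-helm-chart task on `$(params.build-source-image) == "true"`, a condition that belonged to the deleted build-source-image task and has nothing to do with building the chart; unless `build-source-image` defaults to true (its declaration is not visible here), the chart build is skipped on every run, and every task that `runAfter: build-helm-chart` is skipped with it. Drop the four added lines and keep only the existing `$(tasks.init.results.build)` guard.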
@@ -244,9 +244,9 @@ spec: value: $(params.build-image-index) - name: IMAGES value: - - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - $(tasks.build-helm-chart.results.IMAGE_URL)@$(tasks.build-helm-chart.results.IMAGE_DIGEST) runAfter: - - build-container + - build-helm-chart taskRef: params: - name: name @@ -261,36 +261,6 @@ spec: operator: in values: - "true" - - name: build-source-image - params: - - name: BINARY_IMAGE - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: BINARY_IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: source-build-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:b0d6cb28a23f20db4f5cf78ed78ae3a91b9a5adfe989696ed0bbc63840a485b6 - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - - input: $(params.build-source-image) - operator: in - values: - - "true" - name: deprecated-base-image-check params: - name: IMAGE_URL diff --git a/helm-chart/argocd-agent-agent/downstream-values.yaml b/helm-chart/argocd-agent-agent/downstream-values.yaml new file mode 100644 index 000000000..9e070d722 --- /dev/null +++ b/helm-chart/argocd-agent-agent/downstream-values.yaml 
@@ -0,0 +1,38 @@ +# Default values for argocd-agent-agent. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Override Namespace to deploy your agent +namespaceOverride: "" + +# Secret names for argo-agent deployment +tlsSecretName: "argocd-agent-client-tls" +userPasswordSecretName: "argocd-agent-agent-userpass" +image: "registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8" +imageTag: "sha256:d17069d475959a5fca31dc4cd2c2dce4f3d895f2c2b97906261791674a889079" + +# config-map to config parameters for argocd-agent +agentMode: "autonomous" +auth: "mtls:any" +logLevel: "info" +server: "principal.server.address.com" +serverPort: "443" +metricsPort: "8181" +tlsClientInSecure: "false" +healthzPort: "8002" +redisAddress: "argocd-redis:6379" + +tlsClientKeyPath: "/app/config/tls/tls.key" +tlsClientCertPath: "/app/config/tls/tls.crt" +tlsRootCAPath: "/app/config/tls/ca.crt" + +networkPolicy: + enabled: true + redis: + enabled: true + name: allow-agent-to-redis + namespace: "" + redisSelector: + app.kubernetes.io/name: argocd-redis + agentSelector: + app.kubernetes.io/name: argocd-agent-agent \ No newline at end of file diff --git a/helm-chart/argocd-agent-agent/pr-redhat-values.yaml b/helm-chart/argocd-agent-agent/pr-redhat-values.yaml new file mode 100644 index 000000000..d2135fc51 --- /dev/null +++ b/helm-chart/argocd-agent-agent/pr-redhat-values.yaml 
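Review bot: `imageTag` holds an image digest (`sha256:…`), and a digest is joined to the repository with `@`, not `:`; if the chart template renders `{{ .Values.image }}:{{ .Values.imageTag }}` (the template is not visible here) the resulting reference is invalid, so either rename the key to `imageDigest` and have the template emit `image@digest`, or confirm the template already handles the `sha256:` prefix. The same applies to `pr-redhat-values.yaml` in the next section, which is otherwise a byte-for-byte copy differing only in `image`; two copies of 38 lines will drift, so consider one base values file plus a one-key override. Both files also lack a trailing newline.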
@@ -0,0 +1,38 @@ +# Default values for argocd-agent-agent. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# Override Namespace to deploy your agent +namespaceOverride: "" + +# Secret names for argo-agent deployment +tlsSecretName: "argocd-agent-client-tls" +userPasswordSecretName: "argocd-agent-agent-userpass" +image: "quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-agent-rhel8" +imageTag: "sha256:d17069d475959a5fca31dc4cd2c2dce4f3d895f2c2b97906261791674a889079" #this is picked form the release repo tag/branch + +# config-map to config parameters for argocd-agent +agentMode: "autonomous" +auth: "mtls:any" +logLevel: "info" +server: "principal.server.address.com" +serverPort: "443" +metricsPort: "8181" +tlsClientInSecure: "false" +healthzPort: "8002" +redisAddress: "argocd-redis:6379" + +tlsClientKeyPath: "/app/config/tls/tls.key" +tlsClientCertPath: "/app/config/tls/tls.crt" +tlsRootCAPath: "/app/config/tls/ca.crt" + +networkPolicy: + enabled: true + redis: + enabled: true + name: allow-agent-to-redis + namespace: "" + redisSelector: + app.kubernetes.io/name: argocd-redis + agentSelector: + app.kubernetes.io/name: argocd-agent-agent \ No newline at end of file diff --git a/helm-chart/argocd-agent-agent/update-values-file.sh b/helm-chart/argocd-agent-agent/update-values-file.sh new file mode 100644 index 000000000..5ba1b8ce8 --- /dev/null +++ b/helm-chart/argocd-agent-agent/update-values-file.sh 
@@ -0,0 +1,20 @@ +#!/usr/bin/env bash + +# update image and image tag + +NEW_IMAGE="quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-agent-rhel8" + +#TODO get release tag from env var RELEASE_BRANCH +RELEASE_TAG=$RELEASE_BRANCH + +NEW_IMAGE_DIGEST=$(skopeo inspect --override-os linux --override-arch amd64 docker://${NEW_IMAGE}:${RELEASE_TAG} | yq '.Digest') + +CI_VALUES_FILE="helm-chart/argocd-agent-agent/PR-values.yaml" +DOWNSTERAM_VALUES_FILE="helm-chart/argocd-agent-agent/downstream-values.yaml" + +# update the image in values file for both PRs and downstream +yq -i ".imageTag = \"$NEW_IMAGE_DIGEST\"" "$CI_VALUES_FILE" +yq -i ".imageTag = \"$NEW_IMAGE_DIGEST\"" "$DOWNSTERAM_VALUES_FILE" + + + From a40307430d7d73cfe39f3412ceb2f971bdf02501 Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Thu, 9 Oct 2025 15:41:55 +0530 Subject: [PATCH 03/22] fix template error Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index 24f2af6b8..d991ccea9 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -13,7 +13,7 @@ metadata: ( "sources/argocd-agent/***".pathChanged() || ".tekton/agent-helm-build-pull-request.yaml".pathChanged() || - "helm-chart/***.pathChanged()" + "helm-chart/argocd-agent-agent/***".pathChanged() ) creationTimestamp: null labels: From cbe4aec47c94d3b839d5e645da4097badb1db798 Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Thu, 9 Oct 2025 15:47:18 +0530 Subject: [PATCH 04/22] fix template error Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index d991ccea9..e819fc9f5 100644 
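Review bot: The script has no `set -euo pipefail` and never validates what `skopeo inspect … | yq '.Digest'` returned, so an unset `RELEASE_BRANCH`, a missing tag, or a registry error leaves `NEW_IMAGE_DIGEST` empty and the two `yq -i` lines silently write `imageTag: ""` into the values files, which the chart build then ships. Because the digest is also interpolated unquoted into a yq expression, it should be checked against the expected `sha256:` shape before use. `CI_VALUES_FILE` points at `PR-values.yaml`, which does not match the added `pr-redhat-values.yaml` on a case-sensitive filesystem, and `DOWNSTERAM_VALUES_FILE` is misspelled.
```shell
set -euo pipefail

: "${RELEASE_BRANCH:?RELEASE_BRANCH must be set (release tag to resolve)}"
RELEASE_TAG="$RELEASE_BRANCH"

# … unchanged: NEW_IMAGE and the skopeo inspect call …

# Refuse to write anything that is not a well-formed digest.
if [[ ! "$NEW_IMAGE_DIGEST" =~ ^sha256:[0-9a-f]{64}$ ]]; then
  echo "unexpected digest for ${NEW_IMAGE}:${RELEASE_TAG}: '${NEW_IMAGE_DIGEST}'" >&2
  exit 1
fi

CI_VALUES_FILE="helm-chart/argocd-agent-agent/pr-redhat-values.yaml"
DOWNSTREAM_VALUES_FILE="helm-chart/argocd-agent-agent/downstream-values.yaml"
# … unchanged: the two yq -i updates (using the renamed variable) …
```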
--- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -109,7 +109,7 @@ spec: type: string - default: "sources/argocd-agent/install/helm-repo/argocd-agent-agent" description: directory where the chart is stored - name: CHART_CONTEXT + name: chart-context type: string results: - description: "" From d3e4c391bd53b04edebb183ed537ec6a5d99539b Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Thu, 9 Oct 2025 16:44:43 +0530 Subject: [PATCH 05/22] fix SymlinkCheck Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index e819fc9f5..2058b6b2f 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -152,6 +152,8 @@ spec: value: $(params.output-image).git - name: ociArtifactExpiresAfter value: $(params.image-expires-after) + - name: enableSymlinkCheck + value: "false" runAfter: - init taskRef: From 8511674f1ad8847bcdd8adb7220dfcd0f0ec701e Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Mon, 13 Oct 2025 11:49:11 +0530 Subject: [PATCH 06/22] update pipeline to use custom task to update the image digest on bvalues files 
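Review bot: Setting `enableSymlinkCheck: "false"` on the clone task switches off a supply-chain guard: as I understand the git-clone task, that check fails the clone when the repository contains a symlink that resolves outside the checkout, which is what keeps a stray symlink from pulling files from the build environment into the trusted source artifact. The commit message says the check was failing but not which symlink tripped it; the better fix is to remove or replace that symlink (a Helm chart rarely needs one), and if the flag really must stay, add a comment naming the path and the reason, e.g. `# symlink check disabled because <PATH-PLACEHOLDER> links outside the repo; tracked in <ISSUE-PLACEHOLDER>`. The push pipeline in `.tekton/agent-helm-build-push.yaml` will need the same decision if it clones the same tree.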
Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 24 ++++++-- .tekton/agent-helm-build-push.yaml | 61 ++++++++++--------- .tekton/tasks/updateDigestForHelm.yaml | 46 ++++++++++++++ .../argocd-agent-agent/downstream-values.yaml | 38 ------------ .../argocd-agent-agent/pr-redhat-values.yaml | 38 ------------ .../argocd-agent-agent/update-values-file.sh | 20 ------ 6 files changed, 99 insertions(+), 128 deletions(-) create mode 100644 .tekton/tasks/updateDigestForHelm.yaml delete mode 100644 helm-chart/argocd-agent-agent/downstream-values.yaml delete mode 100644 helm-chart/argocd-agent-agent/pr-redhat-values.yaml delete mode 100644 helm-chart/argocd-agent-agent/update-values-file.sh diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index 2058b6b2f..6d29d6adc 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -199,6 +199,17 @@ spec: workspace: git-auth - name: netrc workspace: netrc + - name: update-digest-for-helm + params: + - name: CHART_CONTEXT + value: $(params.chart-context) + description: Directory where helm chart resources are stored + - name: SOURCE_ARTIFACT + type: string + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + description: The Trusted Artifact URI pointing to the artifact with the application source code. + runAfter: + - prefetch-dependencies - name: build-helm-chart params: - name: CHART_CONTEXT @@ -211,11 +222,16 @@ spec: value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: RELEASE_BRANCH value: $(params.target_branch) - - name: VALUES_FILES - value: - - "pr-values.yaml" + - name: IMAGE_MAPPINGS + value: | + [ + { + "source": "ghcr.io/argoproj-labs/argocd-agent/argocd-agent", + "target": "quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-agent-rhel8" + } + ] runAfter: - - prefetch-dependencies + - update-digest-for-helm taskRef: params: - name: name 
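Review bot: The new update-digest-for-helm task edits values.yaml inside its own pod (the Task in `.tekton/tasks/updateDigestForHelm.yaml` extracts `SOURCE_ARTIFACT` to `/tekton/home/source` and runs `yq -i` there) but declares no result and creates no new artifact, while build-helm-chart in the second hunk keeps `SOURCE_ARTIFACT: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)`; trusted artifacts are immutable, so the chart is still built from the unmodified source and the `runAfter: update-digest-for-helm` edge only adds latency. Either have the task emit its own `SOURCE_ARTIFACT` result via a `create` step and point build-helm-chart at `$(tasks.update-digest-for-helm.results.SOURCE_ARTIFACT)`, or drop the task. The pipeline task also has no `taskRef` (added in PATCH 07), and `type`/`description` are fields of a param declaration, not of a PipelineTask param binding, so they should go. The push pipeline hunk at `@@ -184,43 +187,45 @@` has the same issues.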
diff --git a/.tekton/agent-helm-build-push.yaml b/.tekton/agent-helm-build-push.yaml index 953f3733f..1e799da7f 100644 --- a/.tekton/agent-helm-build-push.yaml +++ b/.tekton/agent-helm-build-push.yaml @@ -8,7 +8,10 @@ metadata: pipelinesascode.tekton.dev/cancel-in-progress: "false" pipelinesascode.tekton.dev/max-keep-runs: "3" pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch - == "main" && ( "sources/argocd-agent/***".pathChanged() || ".tekton/agent-helm-build-push.yaml".pathChanged() + == "main" && ( + "sources/argocd-agent/***".pathChanged() || + ".tekton/agent-helm-build-push.yaml".pathChanged() || + "./config.yaml" ) creationTimestamp: null labels: 
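Review bot: `"./config.yaml"` in the new `on-cel-expression` is a bare string literal inside a boolean `||` chain, not a `.pathChanged()` call, so the CEL expression should fail type checking and Pipelines-as-Code will not trigger on changes to that file. It should read `"config.yaml".pathChanged()` if the intent is to rebuild when the release config changes (the later patches in this series replace and then drop the clause rather than fix it).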
@@ -184,43 +187,45 @@ spec: workspace: git-auth - name: netrc workspace: netrc - - name: build-container + - name: update-digest-for-helm params: + - name: CHART_CONTEXT + value: $(params.chart-context) + description: Directory where helm chart resources are stored + - name: SOURCE_ARTIFACT + type: string + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + description: The Trusted Artifact URI pointing to the artifact with the application source code. + runAfter: + - prefetch-dependencies + - name: build-helm-chart + params: + - name: CHART_CONTEXT + value: $(params.chart-context) - name: IMAGE value: $(params.output-image) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - name: COMMIT_SHA value: $(tasks.clone-repository.results.commit) - - name: BUILD_ARGS - value: - - $(params.build-args[*]) - - name: BUILD_ARGS_FILE - value: $(params.build-args-file) - - name: PRIVILEGED_NESTED - value: $(params.privileged-nested) - - name: SOURCE_URL - value: $(tasks.clone-repository.results.url) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + - name: RELEASE_BRANCH + value: $(params.target_branch) + - name: IMAGE_MAPPINGS + value: | + [ + { + "source": "ghcr.io/argoproj-labs/argocd-agent/argocd-agent", + "target": "quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-agent-rhel8" + } + ] runAfter: - - prefetch-dependencies + - update-digest-for-helm taskRef: params: - name: name - value: buildah-oci-ta + value: build-helm-chart-oci-ta - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.5@sha256:fdd3f39c8ea97de0d77bcde160704dbd33fdcb9cd235836927bbb170aaefb80f + value: 
quay.io/konflux-ci/tekton-catalog/task-build-helm-chart-oci-ta:0.3@sha256:5ba1f6a566e332533f1214abd750e47bf1608e8763e498c51f8600a40c4a67db - name: kind value: task resolver: bundles @@ -241,9 +246,9 @@ spec: value: $(params.build-image-index) - name: IMAGES value: - - $(tasks.build-container.results.IMAGE_URL)@$(tasks.build-container.results.IMAGE_DIGEST) + - $(tasks.build-helm-chart.results.IMAGE_URL)@$(tasks.build-helm-chart.results.IMAGE_DIGEST) runAfter: - - build-container + - build-helm-chart taskRef: params: - name: name diff --git a/.tekton/tasks/updateDigestForHelm.yaml b/.tekton/tasks/updateDigestForHelm.yaml new file mode 100644 index 000000000..06477933a --- /dev/null +++ b/.tekton/tasks/updateDigestForHelm.yaml 
@@ -0,0 +1,46 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + name: update-digest-for-helm +spec: + params: + - name: SOURCE_ARTIFACT + type: string + description: The Trusted Artifact URI pointing to the artifact with the application source code. + - name: CHART_CONTEXT + type: string + description: Path to Chart directory. + steps: + - name: use-trusted-artifact + # pin the image to a digest, Konflux will automatically send you updates + image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:9b180776a41d9a22a1c51539f1647c60defbbd55b44bbebdd4130e33512d8b0d + args: + - use + - $(params.SOURCE_ARTIFACT)=/tekton/home/source + + - name: update-digest + # prefer Red Hat images for security + image: registry.access.redhat.com/ubi9/ubi-minimal:9.5@sha256:a50731d3397a4ee28583f1699842183d4d24fadcc565c4688487af9ee4e13a44 + workingDir: /tekton/home/source + args: + - "$(params.CHART_CONTEXT)" + script: | + #!/bin/bash + set -euo pipefail + + microdnf -y install skopeo yq + + echo "--> Parsing values.yaml in Directory ..." + + VALUES_FILE="$(params.CHART_CONTEXT)/values.yaml" + CONFIG_FILE="./config.yaml" + IMAGE=$(yq eval '.konfluxImages[] | select(.name == "argocd-agent") | .buildRef' config.yaml) + RELEASE_TAG=$(yq eval '.sources[] | select(.path == "sources/argocd-agent") | .ref' config.yaml) + + NEW_IMAGE_DIGEST=$(skopeo inspect --override-os linux --override-arch amd64 docker://${NEW_IMAGE}:${RELEASE_TAG} | yq '.Digest') + + # fetch Digest of latest release + yq eval '.sources[] | select(.path == "sources/argocd-agent") | .ref' config.yaml + + # update Digest in the values file + yq -i ".imageTag = \"$NEW_IMAGE_DIGEST\"" "$VALUES_FILE" diff --git a/helm-chart/argocd-agent-agent/downstream-values.yaml b/helm-chart/argocd-agent-agent/downstream-values.yaml deleted file mode 100644 index 9e070d722..000000000 --- a/helm-chart/argocd-agent-agent/downstream-values.yaml +++ /dev/null 
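Review bot: The `update-digest` script references `${NEW_IMAGE}`, but the variable it sets is `IMAGE`; under `set -u` this aborts the step on the first run. Installing `skopeo yq` with `microdnf` at build time pulls packages over the network inside what is otherwise a hermetic, trusted-artifact pipeline and, as far as I know, `yq` is not in the UBI repositories, so prefer a pinned image that already ships both tools. `CONFIG_FILE` is assigned and never used (the `yq eval` calls hardcode `config.yaml`), the second `yq eval '.sources[]…'` under `# fetch Digest of latest release` is a no-op whose output goes nowhere, and the resolved digest is written into `$VALUES_FILE` without being checked against `^sha256:[0-9a-f]{64}$`. The step also never exports its edited tree, so nothing downstream can consume the update unless the task also emits a new `SOURCE_ARTIFACT` result.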
@@ -1,38 +0,0 @@ -# Default values for argocd-agent-agent. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Override Namespace to deploy your agent -namespaceOverride: "" - -# Secret names for argo-agent deployment -tlsSecretName: "argocd-agent-client-tls" -userPasswordSecretName: "argocd-agent-agent-userpass" -image: "registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8" -imageTag: "sha256:d17069d475959a5fca31dc4cd2c2dce4f3d895f2c2b97906261791674a889079" - -# config-map to config parameters for argocd-agent -agentMode: "autonomous" -auth: "mtls:any" -logLevel: "info" -server: "principal.server.address.com" -serverPort: "443" -metricsPort: "8181" -tlsClientInSecure: "false" -healthzPort: "8002" -redisAddress: "argocd-redis:6379" - -tlsClientKeyPath: "/app/config/tls/tls.key" -tlsClientCertPath: "/app/config/tls/tls.crt" -tlsRootCAPath: "/app/config/tls/ca.crt" - -networkPolicy: - enabled: true - redis: - enabled: true - name: allow-agent-to-redis - namespace: "" - redisSelector: - app.kubernetes.io/name: argocd-redis - agentSelector: - app.kubernetes.io/name: argocd-agent-agent \ No newline at end of file diff --git a/helm-chart/argocd-agent-agent/pr-redhat-values.yaml b/helm-chart/argocd-agent-agent/pr-redhat-values.yaml deleted file mode 100644 index d2135fc51..000000000 --- a/helm-chart/argocd-agent-agent/pr-redhat-values.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -# Default values for argocd-agent-agent. -# This is a YAML-formatted file. -# Declare variables to be passed into your templates. - -# Override Namespace to deploy your agent -namespaceOverride: "" - -# Secret names for argo-agent deployment -tlsSecretName: "argocd-agent-client-tls" -userPasswordSecretName: "argocd-agent-agent-userpass" -image: "quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-agent-rhel8" -imageTag: "sha256:d17069d475959a5fca31dc4cd2c2dce4f3d895f2c2b97906261791674a889079" #this is picked form the release repo tag/branch - -# config-map to config parameters for argocd-agent -agentMode: "autonomous" -auth: "mtls:any" -logLevel: "info" -server: "principal.server.address.com" -serverPort: "443" -metricsPort: "8181" -tlsClientInSecure: "false" -healthzPort: "8002" -redisAddress: "argocd-redis:6379" - -tlsClientKeyPath: "/app/config/tls/tls.key" -tlsClientCertPath: "/app/config/tls/tls.crt" -tlsRootCAPath: "/app/config/tls/ca.crt" - -networkPolicy: - enabled: true - redis: - enabled: true - name: allow-agent-to-redis - namespace: "" - redisSelector: - app.kubernetes.io/name: argocd-redis - agentSelector: - app.kubernetes.io/name: argocd-agent-agent \ No newline at end of file diff --git a/helm-chart/argocd-agent-agent/update-values-file.sh b/helm-chart/argocd-agent-agent/update-values-file.sh deleted file mode 100644 index 5ba1b8ce8..000000000 --- a/helm-chart/argocd-agent-agent/update-values-file.sh +++ /dev/null 
@@ -1,20 +0,0 @@ -#!/usr/bin/env bash - -# update image and image tag - -NEW_IMAGE="quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-agent-rhel8" - -#TODO get release tag from env var RELEASE_BRANCH -RELEASE_TAG=$RELEASE_BRANCH - -NEW_IMAGE_DIGEST=$(skopeo inspect --override-os linux --override-arch amd64 docker://${NEW_IMAGE}:${RELEASE_TAG} | yq '.Digest') - -CI_VALUES_FILE="helm-chart/argocd-agent-agent/PR-values.yaml" -DOWNSTERAM_VALUES_FILE="helm-chart/argocd-agent-agent/downstream-values.yaml" - -# update the image in values file for both PRs and downstream -yq -i ".imageTag = \"$NEW_IMAGE_DIGEST\"" "$CI_VALUES_FILE" -yq -i ".imageTag = \"$NEW_IMAGE_DIGEST\"" "$DOWNSTERAM_VALUES_FILE" - - - From 02b806fabda05fad0c89f54ec5e2d7dc3ff937f9 Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Mon, 13 Oct 2025 12:24:45 +0530 Subject: [PATCH 07/22] fix missing taskRef Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 4 +++- .tekton/agent-helm-build-push.yaml | 2 ++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index 6d29d6adc..6da6dd83d 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -200,6 +200,8 @@ spec: - name: netrc workspace: netrc - name: update-digest-for-helm + taskRef: + name: update-digest-for-helm params: - name: CHART_CONTEXT value: $(params.chart-context) @@ -209,7 +211,7 @@ spec: value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) description: The Trusted Artifact URI pointing to the artifact with the application source code. runAfter: - - prefetch-dependencies + - prefetch-dependencies - name: build-helm-chart params: - name: CHART_CONTEXT diff --git a/.tekton/agent-helm-build-push.yaml b/.tekton/agent-helm-build-push.yaml index 1e799da7f..2c7be97da 100644 --- a/.tekton/agent-helm-build-push.yaml +++ b/.tekton/agent-helm-build-push.yaml 
@@ -188,6 +188,8 @@ spec: - name: netrc workspace: netrc - name: update-digest-for-helm + taskRef: + name: update-digest-for-helm params: - name: CHART_CONTEXT value: $(params.chart-context) From 830b78d8f2e5fe8b6115b8137f2c9d90ec29560b Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Mon, 13 Oct 2025 12:50:58 +0530 Subject: [PATCH 08/22] update ./helm-chart/agent.yaml Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 2 +- .tekton/agent-helm-build-push.yaml | 2 +- helm-chart/agent.yaml | 2 ++ 3 files changed, 4 insertions(+), 2 deletions(-) create mode 100644 helm-chart/agent.yaml diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index 6da6dd83d..c494841df 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -13,7 +13,7 @@ metadata: ( "sources/argocd-agent/***".pathChanged() || ".tekton/agent-helm-build-pull-request.yaml".pathChanged() || - "helm-chart/argocd-agent-agent/***".pathChanged() + ""./helm-chart/agent.yaml" ) creationTimestamp: null labels: diff --git a/.tekton/agent-helm-build-push.yaml b/.tekton/agent-helm-build-push.yaml index 2c7be97da..c71b178a2 100644 --- a/.tekton/agent-helm-build-push.yaml +++ b/.tekton/agent-helm-build-push.yaml @@ -11,7 +11,7 @@ metadata: == "main" && ( "sources/argocd-agent/***".pathChanged() || ".tekton/agent-helm-build-push.yaml".pathChanged() || - "./config.yaml" + "./helm-chart/agent.yaml" ) creationTimestamp: null labels: diff --git a/helm-chart/agent.yaml b/helm-chart/agent.yaml new file mode 100644 index 000000000..2d031d378 --- /dev/null +++ b/helm-chart/agent.yaml @@ -0,0 +1,2 @@ +chart: + digest: \ No newline at end of file From ca1b162ae427885a968687046bbbd50ab401a9a0 Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Mon, 13 Oct 2025 13:02:39 +0530 Subject: [PATCH 09/22] fix error 
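Review bot: In the new `helm-chart/agent.yaml`, `digest:` with no value parses as `null`, not as an empty string, so any consumer expecting a string (or a `yq -i` writing into it) sees a null placeholder; write `digest: ""` if it is meant to be filled in later, and end the file with a newline. The CEL change in the same commit, `""./helm-chart/agent.yaml"`, has a doubled quote and is not a `.pathChanged()` call, which the next patch resolves by dropping the clause.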
Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 5 ++--- .tekton/agent-helm-build-push.yaml | 5 ++--- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index c494841df..7a117c19f 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -12,9 +12,8 @@ metadata: == "main" && ( "sources/argocd-agent/***".pathChanged() || - ".tekton/agent-helm-build-pull-request.yaml".pathChanged() || - ""./helm-chart/agent.yaml" - ) + ".tekton/agent-helm-build-pull-request.yaml".pathChanged() + ) creationTimestamp: null labels: appstudio.openshift.io/application: test-argocd-agent-helmchart diff --git a/.tekton/agent-helm-build-push.yaml b/.tekton/agent-helm-build-push.yaml index c71b178a2..62b6656b4 100644 --- a/.tekton/agent-helm-build-push.yaml +++ b/.tekton/agent-helm-build-push.yaml @@ -10,9 +10,8 @@ metadata: pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main" && ( "sources/argocd-agent/***".pathChanged() || - ".tekton/agent-helm-build-push.yaml".pathChanged() || - "./helm-chart/agent.yaml" - ) + ".tekton/agent-helm-build-push.yaml".pathChanged() + ) creationTimestamp: null labels: appstudio.openshift.io/application: test-argocd-agent-helmchart From 26d01ea2f55369c88ac534b238132be411e40312 Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Tue, 14 Oct 2025 18:54:49 +0530 Subject: [PATCH 10/22] use helm-build-oci-ta to update image tag Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 33 ++++++++++++---------- .tekton/agent-helm-build-push.yaml | 31 ++++++++++---------- .tekton/tasks/updateDigestForHelm.yaml | 7 +++-- 3 files changed, 38 insertions(+), 33 deletions(-) diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index 7a117c19f..3ee227254 100644 
--- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -198,19 +198,21 @@ spec: workspace: git-auth - name: netrc workspace: netrc - - name: update-digest-for-helm - taskRef: - name: update-digest-for-helm - params: - - name: CHART_CONTEXT - value: $(params.chart-context) - description: Directory where helm chart resources are stored - - name: SOURCE_ARTIFACT - type: string - value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) - description: The Trusted Artifact URI pointing to the artifact with the application source code. - runAfter: - - prefetch-dependencies + # - name: update-digest-for-helm + # taskRef: + # name: update-digest-for-helm + # params: + # - name: CHART_CONTEXT + # value: $(params.chart-context) + # description: Directory where helm chart resources are stored + # - name: SOURCE_ARTIFACT + # type: string + # value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + # description: The Trusted Artifact URI pointing to the artifact with the application source code. + # - name: RELEASE_BRANCH + # value: '{{target_branch}}' + # runAfter: + # - prefetch-dependencies - name: build-helm-chart params: - name: CHART_CONTEXT @@ -228,11 +230,12 @@ spec: [ { "source": "ghcr.io/argoproj-labs/argocd-agent/argocd-agent", - "target": "quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-agent-rhel8" + "target": "quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-agent-rhel8:'{{target_branch}}'" } ] runAfter: - - update-digest-for-helm + # - update-digest-for-helm + - prefetch-dependencies taskRef: params: - name: name diff --git a/.tekton/agent-helm-build-push.yaml b/.tekton/agent-helm-build-push.yaml index 62b6656b4..7e7bf8abd 100644 --- a/.tekton/agent-helm-build-push.yaml +++ b/.tekton/agent-helm-build-push.yaml 
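Review bot: The new `IMAGE_MAPPINGS` target `…/argocd-agent-rhel8:'{{target_branch}}'` embeds single quotes inside the JSON string; Pipelines-as-Code substitutes `{{target_branch}}` textually, so the tag becomes `'main'` quotes included, which is not a valid OCI tag. Drop the quotes: `"target": "quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-agent-rhel8:{{target_branch}}"`. Mapping to a branch-named tag also means the chart pins a mutable reference unless build-helm-chart resolves it to a digest, which is worth confirming against that task's behaviour. The commented-out update-digest-for-helm block and the commented `runAfter` line should be deleted rather than kept, since git history preserves them. The push pipeline hunk at `@@ -216,11 +216,12 @@` has the same quoting problem with `registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8:'{{target_branch}}'`.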
@@ -186,19 +186,19 @@ spec: workspace: git-auth - name: netrc workspace: netrc - - name: update-digest-for-helm - taskRef: - name: update-digest-for-helm - params: - - name: CHART_CONTEXT - value: $(params.chart-context) - description: Directory where helm chart resources are stored - - name: SOURCE_ARTIFACT - type: string - value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) - description: The Trusted Artifact URI pointing to the artifact with the application source code. - runAfter: - - prefetch-dependencies + # - name: update-digest-for-helm + # taskRef: + # name: update-digest-for-helm + # params: + # - name: CHART_CONTEXT + # value: $(params.chart-context) + # description: Directory where helm chart resources are stored + # - name: SOURCE_ARTIFACT + # type: string + # value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + # description: The Trusted Artifact URI pointing to the artifact with the application source code. + # runAfter: + # - prefetch-dependencies - name: build-helm-chart params: - name: CHART_CONTEXT @@ -216,11 +216,12 @@ spec: [ { "source": "ghcr.io/argoproj-labs/argocd-agent/argocd-agent", - "target": "quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-agent-rhel8" + "target": "registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8:'{{target_branch}}'" } ] runAfter: - - update-digest-for-helm + # - update-digest-for-helm + - prefetch-dependencies taskRef: params: - name: name diff --git a/.tekton/tasks/updateDigestForHelm.yaml b/.tekton/tasks/updateDigestForHelm.yaml index 06477933a..17e1dfad7 100644 --- a/.tekton/tasks/updateDigestForHelm.yaml +++ b/.tekton/tasks/updateDigestForHelm.yaml @@ -10,6 +10,9 @@ spec: - name: CHART_CONTEXT type: string description: Path to Chart directory. + - name: RELEASE_BRANCH + type: string + description: branch/tag associated to build. e.g. 1.18 branch is for 1.18 gitops release steps: - name: use-trusted-artifact # pin the image to a digest, Konflux will automatically send you updates 
@@ -28,14 +31,12 @@ spec: #!/bin/bash set -euo pipefail - microdnf -y install skopeo yq - echo "--> Parsing values.yaml in Directory ..." VALUES_FILE="$(params.CHART_CONTEXT)/values.yaml" CONFIG_FILE="./config.yaml" IMAGE=$(yq eval '.konfluxImages[] | select(.name == "argocd-agent") | .buildRef' config.yaml) - RELEASE_TAG=$(yq eval '.sources[] | select(.path == "sources/argocd-agent") | .ref' config.yaml) + RELEASE_TAG=$(params.RELEASE_BRANCH) NEW_IMAGE_DIGEST=$(skopeo inspect --override-os linux --override-arch amd64 docker://${NEW_IMAGE}:${RELEASE_TAG} | yq '.Digest') From 6c1ce10d36b2bf3bcd2478b2b46277bab4f6ead8 Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Wed, 22 Oct 2025 11:37:49 +0530 Subject: [PATCH 11/22] fix pipeline skipping build helm task Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 55 ++++++++++++---------- 1 file changed, 31 insertions(+), 24 deletions(-) diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index 3ee227254..4e64e836f 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -106,10 +106,6 @@ spec: VMs name: privileged-nested type: string - - default: "sources/argocd-agent/install/helm-repo/argocd-agent-agent" - description: directory where the chart is stored - name: chart-context - type: string results: - description: "" name: IMAGE_URL 
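Review bot: `RELEASE_TAG=$(params.RELEASE_BRANCH)` in the updateDigestForHelm hunk splices a pipeline parameter straight into the bash step, and the callers feed it from `'{{target_branch}}'`, i.e. from the pull-request event; Tekton substitutes that value textually before the shell runs, so it should be quoted and checked before it reaches the `skopeo inspect` command line, e.g. `RELEASE_TAG="$(params.RELEASE_BRANCH)"` followed by `[[ "$RELEASE_TAG" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "invalid RELEASE_BRANCH"; exit 1; }`. The hunk also assigns `IMAGE=` but interpolates `${NEW_IMAGE}`; if `NEW_IMAGE` is not set elsewhere in the script (the step body continues outside the hunk), `set -u` will abort the step. Dropping `microdnf -y install skopeo yq` is a good change since the step no longer reaches the network at run time, but it now relies on the step image shipping both tools, which deserves a comment on the image line. The `RELEASE_BRANCH` param added in the previous hunk on the line above has no default and a lowercase description; something like `description: Release branch or tag used to look up the image digest, e.g. "1.18"` would state the expected format.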
@@ -198,21 +194,6 @@ spec: workspace: git-auth - name: netrc workspace: netrc - # - name: update-digest-for-helm - # taskRef: - # name: update-digest-for-helm - # params: - # - name: CHART_CONTEXT - # value: $(params.chart-context) - # description: Directory where helm chart resources are stored - # - name: SOURCE_ARTIFACT - # type: string - # value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) - # description: The Trusted Artifact URI pointing to the artifact with the application source code. - # - name: RELEASE_BRANCH - # value: '{{target_branch}}' - # runAfter: - # - prefetch-dependencies - name: build-helm-chart params: - name: CHART_CONTEXT @@ -250,10 +231,6 @@ spec: operator: in values: - "true" - - input: $(params.build-source-image) - operator: in - values: - - "true" - name: build-image-index params: - name: IMAGE @@ -283,6 +260,36 @@ spec: operator: in values: - "true" + - name: build-source-image + params: + - name: BINARY_IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: BINARY_IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: source-build-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.3@sha256:b0d6cb28a23f20db4f5cf78ed78ae3a91b9a5adfe989696ed0bbc63840a485b6 + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" - name: deprecated-base-image-check params: - name: IMAGE_URL @@ -586,4 +593,4 @@ spec: - name: git-auth secret: secretName: '{{ git_auth_secret }}' -status: {} +status: {} \ No newline at end of file 
From 0a496b877b7759d37709b76521be331b08cbb6b3 Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Wed, 22 Oct 2025 11:43:17 +0530 Subject: [PATCH 12/22] fix error Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index 4e64e836f..a86557f21 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -119,6 +119,10 @@ spec: - description: "" name: CHAINS-GIT_COMMIT value: $(tasks.clone-repository.results.commit) + - default: "sources/argocd-agent/install/helm-repo/argocd-agent-agent" + description: directory where the chart is stored + name: chart-context + type: string tasks: - name: init params: From 202db85cab590a55a9a8bc1a997d8a094fd4f909 Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Wed, 22 Oct 2025 11:59:15 +0530 Subject: [PATCH 13/22] fix params Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index a86557f21..2e9232f1a 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -106,6 +106,10 @@ spec: VMs name: privileged-nested type: string + - default: "sources/argocd-agent/install/helm-repo/argocd-agent-agent" + description: directory where the chart is stored + name: chart-context + type: string results: - description: "" name: IMAGE_URL @@ -119,10 +123,6 @@ spec: - description: "" name: CHAINS-GIT_COMMIT value: $(tasks.clone-repository.results.commit) - - default: "sources/argocd-agent/install/helm-repo/argocd-agent-agent" - description: directory where the chart is stored - name: chart-context - type: string tasks: - name: init params: 
From 4b8b4f571fc3b636e136800e8b6e48308917eb7e Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Wed, 22 Oct 2025 13:11:41 +0530 Subject: [PATCH 14/22] debug Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 32 +++++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index 2e9232f1a..8406e91c9 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -107,7 +107,7 @@ spec: name: privileged-nested type: string - default: "sources/argocd-agent/install/helm-repo/argocd-agent-agent" - description: directory where the chart is stored + description: directory where the chart is stored name: chart-context type: string results: @@ -198,6 +198,36 @@ spec: workspace: git-auth - name: netrc workspace: netrc +# debug + - name: check-helm-dir + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: run-script-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/run-script-oci-ta:0.1 + - name: kind + value: task + resolver: bundles + params: + - name: ociStorage + value: $(params.output-image).prefetch + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: SCRIPT + value: ls /var/workdir/source + - name: SCRIPT_RUNNER_IMAGE + value: registry.access.redhat.com/ubi9/ubi-minimal:9.5@sha256:a50731d3397a4ee28583f1699842183d4d24fadcc565c4688487af9ee4e13a44 + # taskSpec: + # steps: + # - name: run-my-script + # image: registry.access.redhat.com/ubi9/ubi:9.5 + # script: | + # #!/bin/bash + # cd /var/workdir/source + # ls - name: build-helm-chart params: - name: CHART_CONTEXT From e13177fc4c136c2bb5e718a14f1dd6efbc0f4a9d Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Wed, 22 Oct 2025 16:02:04 +0530 Subject: [PATCH 15/22] update argocd-agent commit id 
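Review bot: The `check-helm-dir` task added in `@@ -198,6 +198,36 @@` references `quay.io/konflux-ci/tekton-catalog/run-script-oci-ta:0.1` with no `@sha256:` digest, while every other bundle in this pipeline is pinned; an unpinned bundle means the PR pipeline runs whatever that tag resolves to at run time, and it is unlikely to satisfy the trusted-task policy the pipeline description mentions. If the task is kept it should be pinned like the others, `value: quay.io/konflux-ci/tekton-catalog/task-run-script-oci-ta:0.1@sha256:<digest>` (the follow-up hunk on the next line corrects the bundle name but leaves the copy unpinned and merely commented out). The `# debug` marker sits at column 0 inside the `tasks` list and the `taskSpec` sketch is commented out; given the commit subject is `debug`, dropping the whole task before merge is cleaner than carrying dead configuration, and the `description: directory where the chart is stored` hunk only changes trailing whitespace.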
Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 42 +- .tekton/helm-copy-pull-request.yaml | 589 +++++++++++++++++++++ config.yaml | 5 +- sources/argocd-agent | 2 +- 4 files changed, 615 insertions(+), 23 deletions(-) create mode 100644 .tekton/helm-copy-pull-request.yaml diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index 8406e91c9..7d2ece45e 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -199,27 +199,27 @@ spec: - name: netrc workspace: netrc # debug - - name: check-helm-dir - runAfter: - - prefetch-dependencies - taskRef: - params: - - name: name - value: run-script-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/run-script-oci-ta:0.1 - - name: kind - value: task - resolver: bundles - params: - - name: ociStorage - value: $(params.output-image).prefetch - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: SCRIPT - value: ls /var/workdir/source - - name: SCRIPT_RUNNER_IMAGE - value: registry.access.redhat.com/ubi9/ubi-minimal:9.5@sha256:a50731d3397a4ee28583f1699842183d4d24fadcc565c4688487af9ee4e13a44 + # - name: check-helm-dir + # runAfter: + # - prefetch-dependencies + # taskRef: + # params: + # - name: name + # value: run-script-oci-ta + # - name: bundle + # value: quay.io/konflux-ci/tekton-catalog/task-run-script-oci-ta:0.1 + # - name: kind + # value: task + # resolver: bundles + # params: + # - name: ociStorage + # value: $(params.output-image).prefetch + # - name: SOURCE_ARTIFACT + # value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + # - name: SCRIPT + # value: ls /var/workdir/source + # - name: SCRIPT_RUNNER_IMAGE + # value: registry.access.redhat.com/ubi9/ubi-minimal:9.5@sha256:a50731d3397a4ee28583f1699842183d4d24fadcc565c4688487af9ee4e13a44 # taskSpec: # steps: # - name: run-my-script 
diff --git a/.tekton/helm-copy-pull-request.yaml b/.tekton/helm-copy-pull-request.yaml new file mode 100644 index 000000000..3ee227254 --- /dev/null +++ b/.tekton/helm-copy-pull-request.yaml 
@@ -0,0 +1,589 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/rh-gitops-midstream/release?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "true" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "main" && + ( + "sources/argocd-agent/***".pathChanged() || + ".tekton/agent-helm-build-pull-request.yaml".pathChanged() + ) + creationTimestamp: null + labels: + appstudio.openshift.io/application: test-argocd-agent-helmchart + appstudio.openshift.io/component: agent-helm-build + pipelines.appstudio.openshift.io/type: build + name: agent-helm-build-on-pull-request + namespace: rh-openshift-gitops-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/agent-helm-build:on-pr-{{pull_request_number}}-{{revision}} + - name: target_branch + value: '{{target_branch}}' + - name: image-expires-after + value: 5d + - name: dockerfile + value: Dockerfile + - name: path-context + value: sources/argocd-agent + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. 
EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. 
+ name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + - default: "sources/argocd-agent/install/helm-repo/argocd-agent-agent" + description: directory where the chart is stored + name: chart-context + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:ec962d0be18f36ca7d331c99bf243800f569fc0a2ea6f8c8c3d3a574b71c44dc + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + - name: enableSymlinkCheck + value: "false" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + 
value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:3f1b468066b301083d8550e036f5a654fcb064810bd29eb06fec6d8ad3e35b9c + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:dc82a7270aace9b1c26f7e96f8ccab2752e53d32980c41a45e1733baad76cde6 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + # - name: update-digest-for-helm + # taskRef: + # name: update-digest-for-helm + # params: + # - name: CHART_CONTEXT + # value: $(params.chart-context) + # description: Directory where helm chart resources are stored + # - name: SOURCE_ARTIFACT + # type: string + # value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + # description: The Trusted Artifact URI pointing to the artifact with the application source code. 
+ # - name: RELEASE_BRANCH + # value: '{{target_branch}}' + # runAfter: + # - prefetch-dependencies + - name: build-helm-chart + params: + - name: CHART_CONTEXT + value: $(params.chart-context) + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: RELEASE_BRANCH + value: $(params.target_branch) + - name: IMAGE_MAPPINGS + value: | + [ + { + "source": "ghcr.io/argoproj-labs/argocd-agent/argocd-agent", + "target": "quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-agent-rhel8:'{{target_branch}}'" + } + ] + runAfter: + # - update-digest-for-helm + - prefetch-dependencies + taskRef: + params: + - name: name + value: build-helm-chart-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-helm-chart-oci-ta:0.3@sha256:5ba1f6a566e332533f1214abd750e47bf1608e8763e498c51f8600a40c4a67db + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-helm-chart.results.IMAGE_URL)@$(tasks.build-helm-chart.results.IMAGE_DIGEST) + runAfter: + - build-helm-chart + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:79784d53749584bc5a8de32142ec4e2f01cdbf42c20d94e59280e0b927c8597d + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - 
name: deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:1d07d16810c26713f3d875083924d93697900147364360587ccb5a63f2c31012 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:a7cc183967f89c4ac100d04ab8f81e54733beee60a0528208107c9a22d3c43af + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:dae8e28761cee4ab0baf04ab9f8f1a4b3cee3c7decf461fda2bacc5c01652a60 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: 
$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:783f5de1b4def2fb3fad20b914f4b3afee46ffb8f652114946e321ef3fa86449 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:b0bd59748cda4a7abf311e4f448e6c1d00c6b6d8c0ecc1c2eb33e08dc0e0b802 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: 
sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:cdbe1a968676e4f5519b082bf1e27a4cdcf66dd60af66dbc26b3e604f957f7e9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:db2b267dc15e4ed17f704ee91b8e9b38068e1a35b1018a328fdca621819d74c6 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:bf7bdde00b7212f730c1356672290af6f38d070da2c8a316987b5c32fd49e0b9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: 
$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:a2bde66f6b4164620298c7d709b8f08515409404000fa1dc2260d2508b135651 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:f44be1bf0262471f2f503f5e19da5f0628dcaf968c86272a2ad6b4871e708448 + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:49f778479f468e71c2cfef722e96aa813d7ef98bde8a612e1bf1a13cd70849ec + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: 
quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:49ff6d117c3e9dc3966d1244e118e168b3501742ec14c3a4161a276ff48d04d5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: + serviceAccountName: build-pipeline-agent-helm-build + workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {} diff --git a/config.yaml b/config.yaml index 8a016f834..13dd8f663 100644 --- a/config.yaml +++ b/config.yaml @@ -85,12 +85,15 @@ sources: - path: sources/argocd-agent url: https://github.com/argoproj-labs/argocd-agent.git ref: main - commit: 94faa6a43804c7ccf8f49dd77ecec08884b4692a + commit: a62e7e098c5150ea655ce64b5fed51ec12c65b79 + # update the chartVersion for never version of release + chartVersion: 0.1.0 - path: sources/argocd-image-updater url: https://github.com/argoproj-labs/argocd-image-updater.git ref: master commit: 70406ed7af925a9b2fa0143a4fa2d9f7abfbce5c + # External images pulled directly from Red Hat registry and are # required by the operator at runtime. # Bundle generation script will automatically fetch latest sha for each image diff --git a/sources/argocd-agent b/sources/argocd-agent index 94faa6a43..a62e7e098 160000 --- a/sources/argocd-agent +++ b/sources/argocd-agent @@ -1 +1 @@ -Subproject commit 94faa6a43804c7ccf8f49dd77ecec08884b4692a +Subproject commit a62e7e098c5150ea655ce64b5fed51ec12c65b79 From f2202ab2c545e7fe5f858328ddca27a80507548e Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Wed, 22 Oct 2025 16:21:56 +0530 Subject: [PATCH 16/22] update commit sha in pipeline Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
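Review bot: The new comment in the config.yaml hunk reads `# update the chartVersion for never version of release`; `never` looks like a typo for `newer`, and `# Bump chartVersion for each new chart release` would read more clearly. Nothing in this series shows what consumes `chartVersion`, so a short note naming the consumer (the helm build task, presumably) would help; the value `0.1.0` is already a string to the YAML parser, so no quoting is needed. The new `.tekton/helm-copy-pull-request.yaml` duplicates `metadata.name: agent-helm-build-on-pull-request` and the component label of the existing pull-request pipeline while its CEL trigger still watches `.tekton/agent-helm-build-pull-request.yaml`, so two PipelineRuns with the same name would match the same event; the file is deleted again in the later `rebase` patch, so this only matters if it is resurrected.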
diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index 7d2ece45e..b46970abe 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -235,7 +235,7 @@ spec: - name: IMAGE value: $(params.output-image) - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) + value: "a62e7e098c5150ea655ce64b5fed51ec12c65b79" - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: RELEASE_BRANCH From 923e3573f926730f4ed579344c36b4df336fbcf2 Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Wed, 22 Oct 2025 16:27:38 +0530 Subject: [PATCH 17/22] rebase Signed-off-by: Anand Kumar Singh --- .tekton/helm-copy-pull-request.yaml | 589 ---------------------------- 1 file changed, 589 deletions(-) delete mode 100644 .tekton/helm-copy-pull-request.yaml diff --git a/.tekton/helm-copy-pull-request.yaml b/.tekton/helm-copy-pull-request.yaml deleted file mode 100644 index 3ee227254..000000000 --- a/.tekton/helm-copy-pull-request.yaml +++ /dev/null 
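Review bot: Replacing `$(tasks.clone-repository.results.commit)` with the literal `"a62e7e098c5150ea655ce64b5fed51ec12c65b79"` for `COMMIT_SHA` breaks the link between the built chart and the revision actually checked out: every PR build is now stamped with that one value, which is the argocd-agent submodule commit recorded in the previous patch rather than this repository's commit, so anything reading COMMIT_SHA for provenance may be misled and the value will silently go stale on the next submodule bump. If the chart build needs the submodule commit, derive it at run time inside the task (from `config.yaml` or the checked-out submodule) instead of hard-coding it, and leave a comment on the param such as `# COMMIT_SHA: commit of sources/argocd-agent, not of this repository` so the intent is explicit.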
@@ -1,589 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: PipelineRun -metadata: - annotations: - build.appstudio.openshift.io/repo: https://github.com/rh-gitops-midstream/release?rev={{revision}} - build.appstudio.redhat.com/commit_sha: '{{revision}}' - build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' - build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/cancel-in-progress: "true" - pipelinesascode.tekton.dev/max-keep-runs: "3" - pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch - == "main" && - ( - "sources/argocd-agent/***".pathChanged() || - ".tekton/agent-helm-build-pull-request.yaml".pathChanged() - ) - creationTimestamp: null - labels: - appstudio.openshift.io/application: test-argocd-agent-helmchart - appstudio.openshift.io/component: agent-helm-build - pipelines.appstudio.openshift.io/type: build - name: agent-helm-build-on-pull-request - namespace: rh-openshift-gitops-tenant -spec: - params: - - name: git-url - value: '{{source_url}}' - - name: revision - value: '{{revision}}' - - name: output-image - value: quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/agent-helm-build:on-pr-{{pull_request_number}}-{{revision}} - - name: target_branch - value: '{{target_branch}}' - - name: image-expires-after - value: 5d - - name: dockerfile - value: Dockerfile - - name: path-context - value: sources/argocd-agent - pipelineSpec: - description: | - This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. - - _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. 
EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. - This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ - params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Fully Qualified Output Image - name: output-image - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. - name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched - name: prefetch-input - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - type: string - - default: "false" - description: Build a source image. 
- name: build-source-image - type: string - - default: "false" - description: Add built image into an OCI image index - name: build-image-index - type: string - - default: [] - description: Array of --build-arg values ("arg=value" strings) for buildah - name: build-args - type: array - - default: "" - description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file - name: build-args-file - type: string - - default: "false" - description: Whether to enable privileged mode, should be used only with remote - VMs - name: privileged-nested - type: string - - default: "sources/argocd-agent/install/helm-repo/argocd-agent-agent" - description: directory where the chart is stored - name: chart-context - type: string - results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-image-index.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - tasks: - - name: init - params: - - name: image-url - value: $(params.output-image) - - name: rebuild - value: $(params.rebuild) - - name: skip-checks - value: $(params.skip-checks) - taskRef: - params: - - name: name - value: init - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:ec962d0be18f36ca7d331c99bf243800f569fc0a2ea6f8c8c3d3a574b71c44dc - - name: kind - value: task - resolver: bundles - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: ociStorage - value: $(params.output-image).git - - name: ociArtifactExpiresAfter - value: $(params.image-expires-after) - - name: enableSymlinkCheck - value: "false" - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone-oci-ta - - name: bundle - 
value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:3f1b468066b301083d8550e036f5a654fcb064810bd29eb06fec6d8ad3e35b9c - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: - - name: basic-auth - workspace: git-auth - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - - name: SOURCE_ARTIFACT - value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) - - name: ociStorage - value: $(params.output-image).prefetch - - name: ociArtifactExpiresAfter - value: $(params.image-expires-after) - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: prefetch-dependencies-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:dc82a7270aace9b1c26f7e96f8ccab2752e53d32980c41a45e1733baad76cde6 - - name: kind - value: task - resolver: bundles - workspaces: - - name: git-basic-auth - workspace: git-auth - - name: netrc - workspace: netrc - # - name: update-digest-for-helm - # taskRef: - # name: update-digest-for-helm - # params: - # - name: CHART_CONTEXT - # value: $(params.chart-context) - # description: Directory where helm chart resources are stored - # - name: SOURCE_ARTIFACT - # type: string - # value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) - # description: The Trusted Artifact URI pointing to the artifact with the application source code. 
- # - name: RELEASE_BRANCH - # value: '{{target_branch}}' - # runAfter: - # - prefetch-dependencies - - name: build-helm-chart - params: - - name: CHART_CONTEXT - value: $(params.chart-context) - - name: IMAGE - value: $(params.output-image) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: RELEASE_BRANCH - value: $(params.target_branch) - - name: IMAGE_MAPPINGS - value: | - [ - { - "source": "ghcr.io/argoproj-labs/argocd-agent/argocd-agent", - "target": "quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-agent-rhel8:'{{target_branch}}'" - } - ] - runAfter: - # - update-digest-for-helm - - prefetch-dependencies - taskRef: - params: - - name: name - value: build-helm-chart-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-helm-chart-oci-ta:0.3@sha256:5ba1f6a566e332533f1214abd750e47bf1608e8763e498c51f8600a40c4a67db - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - - input: $(params.build-source-image) - operator: in - values: - - "true" - - name: build-image-index - params: - - name: IMAGE - value: $(params.output-image) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: ALWAYS_BUILD_INDEX - value: $(params.build-image-index) - - name: IMAGES - value: - - $(tasks.build-helm-chart.results.IMAGE_URL)@$(tasks.build-helm-chart.results.IMAGE_DIGEST) - runAfter: - - build-helm-chart - taskRef: - params: - - name: name - value: build-image-index - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:79784d53749584bc5a8de32142ec4e2f01cdbf42c20d94e59280e0b927c8597d - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - - 
name: deprecated-base-image-check - params: - - name: IMAGE_URL - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:1d07d16810c26713f3d875083924d93697900147364360587ccb5a63f2c31012 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: clair-scan - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:a7cc183967f89c4ac100d04ab8f81e54733beee60a0528208107c9a22d3c43af - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: ecosystem-cert-preflight-checks - params: - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: ecosystem-cert-preflight-checks - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:dae8e28761cee4ab0baf04ab9f8f1a4b3cee3c7decf461fda2bacc5c01652a60 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sast-snyk-check - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: 
$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: sast-snyk-check-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:783f5de1b4def2fb3fad20b914f4b3afee46ffb8f652114946e321ef3fa86449 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:b0bd59748cda4a7abf311e4f448e6c1d00c6b6d8c0ecc1c2eb33e08dc0e0b802 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sast-coverity-check - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE - value: $(params.output-image) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: BUILD_ARGS - value: - - $(params.build-args[*]) - - name: BUILD_ARGS_FILE - value: $(params.build-args-file) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - runAfter: - - coverity-availability-check - taskRef: - params: - - name: name - value: 
sast-coverity-check-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:cdbe1a968676e4f5519b082bf1e27a4cdcf66dd60af66dbc26b3e604f957f7e9 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - input: $(tasks.coverity-availability-check.results.STATUS) - operator: in - values: - - success - - name: coverity-availability-check - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: coverity-availability-check - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:db2b267dc15e4ed17f704ee91b8e9b38068e1a35b1018a328fdca621819d74c6 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sast-shell-check - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: sast-shell-check-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:bf7bdde00b7212f730c1356672290af6f38d070da2c8a316987b5c32fd49e0b9 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sast-unicode-check - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: 
$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: sast-unicode-check-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:a2bde66f6b4164620298c7d709b8f08515409404000fa1dc2260d2508b135651 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: apply-tags - params: - - name: IMAGE_URL - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: apply-tags - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:f44be1bf0262471f2f503f5e19da5f0628dcaf968c86272a2ad6b4871e708448 - - name: kind - value: task - resolver: bundles - - name: push-dockerfile - params: - - name: IMAGE - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: push-dockerfile-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:49f778479f468e71c2cfef722e96aa813d7ef98bde8a612e1bf1a13cd70849ec - - name: kind - value: task - resolver: bundles - - name: rpms-signature-scan - params: - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: rpms-signature-scan - - name: bundle - value: 
quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:49ff6d117c3e9dc3966d1244e118e168b3501742ec14c3a4161a276ff48d04d5 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: - - name: git-auth - optional: true - - name: netrc - optional: true - taskRunTemplate: - serviceAccountName: build-pipeline-agent-helm-build - workspaces: - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' -status: {} From 0cdf407c97e2bd215834cad8aabc53232e32f78b Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Thu, 30 Oct 2025 11:55:57 +0530 Subject: [PATCH 18/22] remove task not related to helm chart Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 94 ---------------------- .tekton/agent-helm-build-push.yaml | 86 ++------------------ 2 files changed, 7 insertions(+), 173 deletions(-) diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index b46970abe..f8debbee8 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml 
@@ -198,36 +198,6 @@ spec: workspace: git-auth - name: netrc workspace: netrc -# debug - # - name: check-helm-dir - # runAfter: - # - prefetch-dependencies - # taskRef: - # params: - # - name: name - # value: run-script-oci-ta - # - name: bundle - # value: quay.io/konflux-ci/tekton-catalog/task-run-script-oci-ta:0.1 - # - name: kind - # value: task - # resolver: bundles - # params: - # - name: ociStorage - # value: $(params.output-image).prefetch - # - name: SOURCE_ARTIFACT - # value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - # - name: SCRIPT - # value: ls /var/workdir/source - # - name: SCRIPT_RUNNER_IMAGE - # value: registry.access.redhat.com/ubi9/ubi-minimal:9.5@sha256:a50731d3397a4ee28583f1699842183d4d24fadcc565c4688487af9ee4e13a44 - # taskSpec: - # steps: - # - name: run-my-script - # image: registry.access.redhat.com/ubi9/ubi:9.5 - # script: | - # #!/bin/bash - # cd /var/workdir/source - # ls - name: build-helm-chart params: - name: CHART_CONTEXT 
@@ -346,48 +316,6 @@ spec: operator: in values: - "false" - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: clair-scan - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:a7cc183967f89c4ac100d04ab8f81e54733beee60a0528208107c9a22d3c43af - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: ecosystem-cert-preflight-checks - params: - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: ecosystem-cert-preflight-checks - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:dae8e28761cee4ab0baf04ab9f8f1a4b3cee3c7decf461fda2bacc5c01652a60 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - name: sast-snyk-check params: - name: image-digest @@ -594,28 +522,6 @@ spec: - name: kind value: task resolver: bundles - - name: rpms-signature-scan - params: - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: rpms-signature-scan - - name: bundle - value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:49ff6d117c3e9dc3966d1244e118e168b3501742ec14c3a4161a276ff48d04d5 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" workspaces: - name: git-auth optional: true 
diff --git a/.tekton/agent-helm-build-push.yaml b/.tekton/agent-helm-build-push.yaml index 7e7bf8abd..37a7d543a 100644 --- a/.tekton/agent-helm-build-push.yaml +++ b/.tekton/agent-helm-build-push.yaml @@ -113,6 +113,10 @@ spec: - description: "" name: CHAINS-GIT_COMMIT value: $(tasks.clone-repository.results.commit) + - default: "sources/argocd-agent/install/helm-repo/argocd-agent-agent" + description: directory where the chart is stored + name: chart-context + type: string tasks: - name: init params: @@ -141,6 +145,8 @@ spec: value: $(params.output-image).git - name: ociArtifactExpiresAfter value: $(params.image-expires-after) + - name: enableSymlinkCheck + value: "false" runAfter: - init taskRef: @@ -186,19 +192,6 @@ spec: workspace: git-auth - name: netrc workspace: netrc - # - name: update-digest-for-helm - # taskRef: - # name: update-digest-for-helm - # params: - # - name: CHART_CONTEXT - # value: $(params.chart-context) - # description: Directory where helm chart resources are stored - # - name: SOURCE_ARTIFACT - # type: string - # value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) - # description: The Trusted Artifact URI pointing to the artifact with the application source code. - # runAfter: - # - prefetch-dependencies - name: build-helm-chart params: - name: CHART_CONTEXT @@ -206,7 +199,7 @@ spec: - name: IMAGE value: $(params.output-image) - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) + value: "a62e7e098c5150ea655ce64b5fed51ec12c65b79" - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: RELEASE_BRANCH @@ -220,7 +213,6 @@ spec: } ] runAfter: - # - update-digest-for-helm - prefetch-dependencies taskRef: params: 
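Review bot: The added `chart-context` declaration appears to be inserted into the `results:` list rather than `params:`: the context lines before it are the `CHAINS-GIT_COMMIT` result and the line after it is `tasks:`. A PipelineResult has no `default` or `type: string` keys, so this entry is likely to fail validation, and `$(params.chart-context)`, which the `build-helm-chart` task references later in this file, would then have no declaration. Move the four lines into `pipelineSpec.params` next to the other parameter declarations, as `.tekton/agent-helm-build-pull-request.yaml` does. The enclosing `pipelineSpec` block starts and ends outside the hunk.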
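Review bot: `enableSymlinkCheck: "false"` turns off the clone task's check that fails the build when the repository contains symlinks resolving outside the checkout, so such links are now carried into the `SOURCE_ARTIFACT` that every later task consumes; the hunk gives no reason for the relaxation. If a submodule genuinely needs it, record the justification above the param, e.g. `# symlink check disabled: <reason>; links escaping the checkout are no longer rejected`, otherwise leave the task default in place. The pull-request pipeline carried the same setting (see the copy deleted in PATCH 17), so the note applies there too. The clone task this hunk belongs to (identified by the `$(params.output-image).git` context line) starts and ends outside the hunk.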
@@ -317,48 +309,6 @@ spec: operator: in values: - "false" - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: clair-scan - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:a7cc183967f89c4ac100d04ab8f81e54733beee60a0528208107c9a22d3c43af - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: ecosystem-cert-preflight-checks - params: - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: ecosystem-cert-preflight-checks - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:dae8e28761cee4ab0baf04ab9f8f1a4b3cee3c7decf461fda2bacc5c01652a60 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - name: sast-snyk-check params: - name: image-digest @@ -565,28 +515,6 @@ spec: - name: kind value: task resolver: bundles - - name: rpms-signature-scan - params: - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: rpms-signature-scan - - name: bundle - value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:49ff6d117c3e9dc3966d1244e118e168b3501742ec14c3a4161a276ff48d04d5 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" workspaces: - name: git-auth optional: true From a6dda6b3e4594764f7ab01e8982ba73d4a462347 Mon Sep 17 00:00:00 2001 
From: Anand Kumar Singh Date: Thu, 30 Oct 2025 12:30:06 +0530 Subject: [PATCH 19/22] update commit for argocd-agent Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 3 ++- .tekton/agent-helm-build-push.yaml | 3 ++- config.yaml | 4 +--- sources/argocd-agent | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index f8debbee8..0c18521c8 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -204,8 +204,9 @@ spec: value: $(params.chart-context) - name: IMAGE value: $(params.output-image) + # update this COMMIT_SHA with agent repo commit id - name: COMMIT_SHA - value: "a62e7e098c5150ea655ce64b5fed51ec12c65b79" + value: "591bcce1befb6d0d8f05edeba6f0266ff7a98d6a" - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: RELEASE_BRANCH diff --git a/.tekton/agent-helm-build-push.yaml b/.tekton/agent-helm-build-push.yaml index 37a7d543a..82acc9d6d 100644 --- a/.tekton/agent-helm-build-push.yaml +++ b/.tekton/agent-helm-build-push.yaml @@ -198,8 +198,9 @@ spec: value: $(params.chart-context) - name: IMAGE value: $(params.output-image) + # update this COMMIT_SHA with agent repo commit id - name: COMMIT_SHA - value: "a62e7e098c5150ea655ce64b5fed51ec12c65b79" + value: "591bcce1befb6d0d8f05edeba6f0266ff7a98d6a" - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: RELEASE_BRANCH diff --git a/config.yaml b/config.yaml index 13dd8f663..3b6d03474 100644 --- a/config.yaml +++ b/config.yaml 
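Review bot: The new comment `# update this COMMIT_SHA with agent repo commit id` names only one of the places that must move together: the same SHA is written into `config.yaml` (`sources[].commit` for `sources/argocd-agent`), the submodule pointer, and `.tekton/agent-helm-build-push.yaml` in this very commit. A comment listing the peers makes the lockstep explicit, e.g. `# agent repo commit; keep equal to the sources/argocd-agent commit in config.yaml, the submodule pointer and the push pipeline`. The matching hunk in the push pipeline (`@@ -198,8 +198,9 @@`) should carry the mirrored comment. The `build-helm-chart` task starts and ends outside the hunk.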
@@ -85,9 +85,7 @@ sources: - path: sources/argocd-agent url: https://github.com/argoproj-labs/argocd-agent.git ref: main - commit: a62e7e098c5150ea655ce64b5fed51ec12c65b79 - # update the chartVersion for never version of release - chartVersion: 0.1.0 + commit: 591bcce1befb6d0d8f05edeba6f0266ff7a98d6a - path: sources/argocd-image-updater url: https://github.com/argoproj-labs/argocd-image-updater.git ref: master diff --git a/sources/argocd-agent b/sources/argocd-agent index a62e7e098..591bcce1b 160000 --- a/sources/argocd-agent +++ b/sources/argocd-agent @@ -1 +1 @@ -Subproject commit a62e7e098c5150ea655ce64b5fed51ec12c65b79 +Subproject commit 591bcce1befb6d0d8f05edeba6f0266ff7a98d6a From abb67a93319f5a2cfcdcf9603f6566ea7bed0095 Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Mon, 3 Nov 2025 16:32:39 +0530 Subject: [PATCH 20/22] update image mapping Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 2 +- .tekton/tasks/updateDigestForHelm.yaml | 47 -- .tekton/test-helm-copy-pull-request.yaml | 588 +++++++++++++++++++++ 3 files changed, 589 insertions(+), 48 deletions(-) delete mode 100644 .tekton/tasks/updateDigestForHelm.yaml create mode 100644 .tekton/test-helm-copy-pull-request.yaml diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index 0c18521c8..7a9fa5263 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -216,7 +216,7 @@ spec: [ { "source": "ghcr.io/argoproj-labs/argocd-agent/argocd-agent", - "target": "quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-agent-rhel8:'{{target_branch}}'" + "target": "quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-agent-rhel8:{{target_branch}}" } ] runAfter: diff --git a/.tekton/tasks/updateDigestForHelm.yaml b/.tekton/tasks/updateDigestForHelm.yaml deleted file mode 100644 index 17e1dfad7..000000000 --- a/.tekton/tasks/updateDigestForHelm.yaml +++ /dev/null 
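Review bot: Dropping the stray single quotes around `{{target_branch}}` is correct, since the old value embedded literal `'` characters in the image tag, but the mapping still points the chart at a floating branch tag rather than an immutable digest, and this same commit deletes `.tekton/tasks/updateDigestForHelm.yaml`, the only task on the page that attempted to resolve a digest into the chart. Either have `build-helm-chart` receive a `@sha256:` reference, or add a comment above `IMAGE_MAPPINGS` stating that the chart intentionally tracks the branch tag and is re-pinned at release time, e.g. `# target is a moving branch tag; the chart is not pinned to a digest here`. This hunk covers only the middle of the `IMAGE_MAPPINGS` block scalar, which starts and ends outside it.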
@@ -1,47 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: Task -metadata: - name: update-digest-for-helm -spec: - params: - - name: SOURCE_ARTIFACT - type: string - description: The Trusted Artifact URI pointing to the artifact with the application source code. - - name: CHART_CONTEXT - type: string - description: Path to Chart directory. - - name: RELEASE_BRANCH - type: string - description: branch/tag associated to build. e.g. 1.18 branch is for 1.18 gitops release - steps: - - name: use-trusted-artifact - # pin the image to a digest, Konflux will automatically send you updates - image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:9b180776a41d9a22a1c51539f1647c60defbbd55b44bbebdd4130e33512d8b0d - args: - - use - - $(params.SOURCE_ARTIFACT)=/tekton/home/source - - - name: update-digest - # prefer Red Hat images for security - image: registry.access.redhat.com/ubi9/ubi-minimal:9.5@sha256:a50731d3397a4ee28583f1699842183d4d24fadcc565c4688487af9ee4e13a44 - workingDir: /tekton/home/source - args: - - "$(params.CHART_CONTEXT)" - script: | - #!/bin/bash - set -euo pipefail - - echo "--> Parsing values.yaml in Directory ..." - - VALUES_FILE="$(params.CHART_CONTEXT)/values.yaml" - CONFIG_FILE="./config.yaml" - IMAGE=$(yq eval '.konfluxImages[] | select(.name == "argocd-agent") | .buildRef' config.yaml) - RELEASE_TAG=$(params.RELEASE_BRANCH) - - NEW_IMAGE_DIGEST=$(skopeo inspect --override-os linux --override-arch amd64 docker://${NEW_IMAGE}:${RELEASE_TAG} | yq '.Digest') - - # fetch Digest of latest release - yq eval '.sources[] | select(.path == "sources/argocd-agent") | .ref' config.yaml - - # update Digest in the values file - yq -i ".imageTag = \"$NEW_IMAGE_DIGEST\"" "$VALUES_FILE" diff --git a/.tekton/test-helm-copy-pull-request.yaml b/.tekton/test-helm-copy-pull-request.yaml new file mode 100644 index 000000000..0878e43bf --- /dev/null +++ b/.tekton/test-helm-copy-pull-request.yaml 
@@ -0,0 +1,588 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + annotations: + build.appstudio.openshift.io/repo: https://github.com/rh-gitops-midstream/release?rev={{revision}} + build.appstudio.redhat.com/commit_sha: '{{revision}}' + build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' + build.appstudio.redhat.com/target_branch: '{{target_branch}}' + pipelinesascode.tekton.dev/cancel-in-progress: "true" + pipelinesascode.tekton.dev/max-keep-runs: "3" + pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch + == "main" && + ( + "sources/argocd-agent/***".pathChanged() || + ".tekton/agent-helm-build-pull-request.yaml".pathChanged() + ) + creationTimestamp: null + labels: + appstudio.openshift.io/application: test-argocd-agent-helmchart + appstudio.openshift.io/component: agent-helm-build + pipelines.appstudio.openshift.io/type: build + name: agent-helm-build-on-pull-request + namespace: rh-openshift-gitops-tenant +spec: + params: + - name: git-url + value: '{{source_url}}' + - name: revision + value: '{{revision}}' + - name: output-image + value: quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/agent-helm-build:on-pr-{{pull_request_number}}-{{revision}} + - name: target_branch + value: '{{target_branch}}' + - name: image-expires-after + value: 5d + - name: dockerfile + value: Dockerfile + - name: path-context + value: sources/argocd-agent + pipelineSpec: + description: | + This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. + + _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. 
EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. + This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ + params: + - description: Source Repository URL + name: git-url + type: string + - default: "" + description: Revision of the Source Repository + name: revision + type: string + - description: Fully Qualified Output Image + name: output-image + type: string + - default: . + description: Path to the source code of an application's component from where + to build image. + name: path-context + type: string + - default: Dockerfile + description: Path to the Dockerfile inside the context specified by parameter + path-context + name: dockerfile + type: string + - default: "false" + description: Force rebuild image + name: rebuild + type: string + - default: "false" + description: Skip checks against built image + name: skip-checks + type: string + - default: "false" + description: Execute the build with network isolation + name: hermetic + type: string + - default: "" + description: Build dependencies to be prefetched + name: prefetch-input + type: string + - default: "" + description: Image tag expiration time, time values could be something like + 1h, 2d, 3w for hours, days, and weeks, respectively. + name: image-expires-after + type: string + - default: "false" + description: Build a source image. 
+ name: build-source-image + type: string + - default: "false" + description: Add built image into an OCI image index + name: build-image-index + type: string + - default: [] + description: Array of --build-arg values ("arg=value" strings) for buildah + name: build-args + type: array + - default: "" + description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file + name: build-args-file + type: string + - default: "false" + description: Whether to enable privileged mode, should be used only with remote + VMs + name: privileged-nested + type: string + - default: "sources/argocd-agent/install/helm-repo/argocd-agent-agent" + description: directory where the chart is stored + name: chart-context + type: string + results: + - description: "" + name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - description: "" + name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - description: "" + name: CHAINS-GIT_URL + value: $(tasks.clone-repository.results.url) + - description: "" + name: CHAINS-GIT_COMMIT + value: $(tasks.clone-repository.results.commit) + tasks: + - name: init + params: + - name: image-url + value: $(params.output-image) + - name: rebuild + value: $(params.rebuild) + - name: skip-checks + value: $(params.skip-checks) + taskRef: + params: + - name: name + value: init + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:ec962d0be18f36ca7d331c99bf243800f569fc0a2ea6f8c8c3d3a574b71c44dc + - name: kind + value: task + resolver: bundles + - name: clone-repository + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.revision) + - name: ociStorage + value: $(params.output-image).git + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + - name: enableSymlinkCheck + value: "false" + runAfter: + - init + taskRef: + params: + - name: name + value: git-clone-oci-ta + - name: bundle + 
value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:3f1b468066b301083d8550e036f5a654fcb064810bd29eb06fec6d8ad3e35b9c + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + workspaces: + - name: basic-auth + workspace: git-auth + - name: prefetch-dependencies + params: + - name: input + value: $(params.prefetch-input) + - name: SOURCE_ARTIFACT + value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + - name: ociStorage + value: $(params.output-image).prefetch + - name: ociArtifactExpiresAfter + value: $(params.image-expires-after) + runAfter: + - clone-repository + taskRef: + params: + - name: name + value: prefetch-dependencies-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:dc82a7270aace9b1c26f7e96f8ccab2752e53d32980c41a45e1733baad76cde6 + - name: kind + value: task + resolver: bundles + workspaces: + - name: git-basic-auth + workspace: git-auth + - name: netrc + workspace: netrc + # - name: update-digest-for-helm + # taskRef: + # name: update-digest-for-helm + # params: + # - name: CHART_CONTEXT + # value: $(params.chart-context) + # description: Directory where helm chart resources are stored + # - name: SOURCE_ARTIFACT + # type: string + # value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) + # description: The Trusted Artifact URI pointing to the artifact with the application source code. 
+ # - name: RELEASE_BRANCH + # value: '{{target_branch}}' + # runAfter: + # - prefetch-dependencies + - name: build-helm-chart + params: + - name: CHART_CONTEXT + value: $(params.chart-context) + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: RELEASE_BRANCH + value: $(params.target_branch) + - name: IMAGE_MAPPINGS + value: | + [ + { + "source": "ghcr.io/argoproj-labs/argocd-agent/argocd-agent", + "target": "quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-agent-rhel8:'{{target_branch}}'" + } + ] + runAfter: + - prefetch-dependencies + taskRef: + params: + - name: name + value: build-helm-chart-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-helm-chart-oci-ta:0.3@sha256:5ba1f6a566e332533f1214abd750e47bf1608e8763e498c51f8600a40c4a67db + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - input: $(params.build-source-image) + operator: in + values: + - "true" + - name: build-image-index + params: + - name: IMAGE + value: $(params.output-image) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: ALWAYS_BUILD_INDEX + value: $(params.build-image-index) + - name: IMAGES + value: + - $(tasks.build-helm-chart.results.IMAGE_URL)@$(tasks.build-helm-chart.results.IMAGE_DIGEST) + runAfter: + - build-helm-chart + taskRef: + params: + - name: name + value: build-image-index + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:79784d53749584bc5a8de32142ec4e2f01cdbf42c20d94e59280e0b927c8597d + - name: kind + value: task + resolver: bundles + when: + - input: $(tasks.init.results.build) + operator: in + values: + - "true" + - name: 
deprecated-base-image-check + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: deprecated-image-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:1d07d16810c26713f3d875083924d93697900147364360587ccb5a63f2c31012 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clair-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clair-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:a7cc183967f89c4ac100d04ab8f81e54733beee60a0528208107c9a22d3c43af + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: ecosystem-cert-preflight-checks + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: ecosystem-cert-preflight-checks + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:dae8e28761cee4ab0baf04ab9f8f1a4b3cee3c7decf461fda2bacc5c01652a60 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-snyk-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: 
$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-snyk-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:783f5de1b4def2fb3fad20b914f4b3afee46ffb8f652114946e321ef3fa86449 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: clamav-scan + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: clamav-scan + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:b0bd59748cda4a7abf311e4f448e6c1d00c6b6d8c0ecc1c2eb33e08dc0e0b802 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-coverity-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE + value: $(params.output-image) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: HERMETIC + value: $(params.hermetic) + - name: PREFETCH_INPUT + value: $(params.prefetch-input) + - name: IMAGE_EXPIRES_AFTER + value: $(params.image-expires-after) + - name: COMMIT_SHA + value: $(tasks.clone-repository.results.commit) + - name: BUILD_ARGS + value: + - $(params.build-args[*]) + - name: BUILD_ARGS_FILE + value: $(params.build-args-file) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - coverity-availability-check + taskRef: + params: + - name: name + value: 
sast-coverity-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:cdbe1a968676e4f5519b082bf1e27a4cdcf66dd60af66dbc26b3e604f957f7e9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - input: $(tasks.coverity-availability-check.results.STATUS) + operator: in + values: + - success + - name: coverity-availability-check + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: coverity-availability-check + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:db2b267dc15e4ed17f704ee91b8e9b38068e1a35b1018a328fdca621819d74c6 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-shell-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-shell-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:bf7bdde00b7212f730c1356672290af6f38d070da2c8a316987b5c32fd49e0b9 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: sast-unicode-check + params: + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + - name: CACHI2_ARTIFACT + value: 
$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: sast-unicode-check-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:a2bde66f6b4164620298c7d709b8f08515409404000fa1dc2260d2508b135651 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + - name: apply-tags + params: + - name: IMAGE_URL + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: apply-tags + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:f44be1bf0262471f2f503f5e19da5f0628dcaf968c86272a2ad6b4871e708448 + - name: kind + value: task + resolver: bundles + - name: push-dockerfile + params: + - name: IMAGE + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: IMAGE_DIGEST + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + - name: DOCKERFILE + value: $(params.dockerfile) + - name: CONTEXT + value: $(params.path-context) + - name: SOURCE_ARTIFACT + value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: push-dockerfile-oci-ta + - name: bundle + value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:49f778479f468e71c2cfef722e96aa813d7ef98bde8a612e1bf1a13cd70849ec + - name: kind + value: task + resolver: bundles + - name: rpms-signature-scan + params: + - name: image-url + value: $(tasks.build-image-index.results.IMAGE_URL) + - name: image-digest + value: $(tasks.build-image-index.results.IMAGE_DIGEST) + runAfter: + - build-image-index + taskRef: + params: + - name: name + value: rpms-signature-scan + - name: bundle + value: 
quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:49ff6d117c3e9dc3966d1244e118e168b3501742ec14c3a4161a276ff48d04d5 + - name: kind + value: task + resolver: bundles + when: + - input: $(params.skip-checks) + operator: in + values: + - "false" + workspaces: + - name: git-auth + optional: true + - name: netrc + optional: true + taskRunTemplate: + serviceAccountName: build-pipeline-agent-helm-build + workspaces: + - name: git-auth + secret: + secretName: '{{ git_auth_secret }}' +status: {}
From cc89ea4a4cc80aa40f262f10aaaf2844b4e42083 Mon Sep 17 00:00:00 2001
From: Anand Kumar Singh
Date: Mon, 3 Nov 2025 16:33:59 +0530
Subject: [PATCH 21/22] update image mapping
Signed-off-by: Anand Kumar Singh
---
 .tekton/agent-helm-build-push.yaml | 2 +-
 .tekton/test-helm-copy-pull-request.yaml | 588 ----------------------
 2 files changed, 1 insertion(+), 589 deletions(-)
 delete mode 100644 .tekton/test-helm-copy-pull-request.yaml
diff --git a/.tekton/agent-helm-build-push.yaml b/.tekton/agent-helm-build-push.yaml
index 82acc9d6d..ac4f93984 100644
--- a/.tekton/agent-helm-build-push.yaml
+++ b/.tekton/agent-helm-build-push.yaml
@@ -210,7 +210,7 @@ spec: [ { "source": "ghcr.io/argoproj-labs/argocd-agent/argocd-agent", - "target": "registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8:'{{target_branch}}'" + "target": "registry.redhat.io/openshift-gitops-1/argocd-agent-rhel8:{{target_branch}}" } ] runAfter:
diff --git a/.tekton/test-helm-copy-pull-request.yaml b/.tekton/test-helm-copy-pull-request.yaml
deleted file mode 100644
index 0878e43bf..000000000
--- a/.tekton/test-helm-copy-pull-request.yaml
+++ /dev/null
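Review bot: The `build-helm-chart` task in this new file cannot run as written: its second `when` clause requires `$(params.build-source-image)` to be `"true"`, but that pipeline param defaults to `"false"` and the PipelineRun's `spec.params` never set it, so the task is skipped, `build-image-index` (which reads `$(tasks.build-helm-chart.results.IMAGE_URL)`) is then skipped by Tekton for lack of a producing result, and the skip cascades to every task with `runAfter: build-image-index`. The clause looks like a leftover from the source-image task of the template pipeline and should be dropped, leaving only the `$(tasks.init.results.build)` check; if it was copied from `.tekton/agent-helm-build-pull-request.yaml`, that file presumably needs the same fix, which I cannot see on this page. The file also reuses `metadata.name: agent-helm-build-on-pull-request`, the same `appstudio.openshift.io/component` label and the same on-cel-expression as the existing pull-request PipelineRun (an expression that watches `.tekton/agent-helm-build-pull-request.yaml`, not this file), so both definitions would fire on the same events; PATCH 21 deletes this file again, which resolves that. Separately, `clone-repository` sets `enableSymlinkCheck: "false"`, disabling the git-clone task's check for symlinks that point outside the checkout — if that was inherited from the template rather than required for this repository, the default should be restored.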
@@ -1,588 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: PipelineRun -metadata: - annotations: - build.appstudio.openshift.io/repo: https://github.com/rh-gitops-midstream/release?rev={{revision}} - build.appstudio.redhat.com/commit_sha: '{{revision}}' - build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}' - build.appstudio.redhat.com/target_branch: '{{target_branch}}' - pipelinesascode.tekton.dev/cancel-in-progress: "true" - pipelinesascode.tekton.dev/max-keep-runs: "3" - pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch - == "main" && - ( - "sources/argocd-agent/***".pathChanged() || - ".tekton/agent-helm-build-pull-request.yaml".pathChanged() - ) - creationTimestamp: null - labels: - appstudio.openshift.io/application: test-argocd-agent-helmchart - appstudio.openshift.io/component: agent-helm-build - pipelines.appstudio.openshift.io/type: build - name: agent-helm-build-on-pull-request - namespace: rh-openshift-gitops-tenant -spec: - params: - - name: git-url - value: '{{source_url}}' - - name: revision - value: '{{revision}}' - - name: output-image - value: quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/agent-helm-build:on-pr-{{pull_request_number}}-{{revision}} - - name: target_branch - value: '{{target_branch}}' - - name: image-expires-after - value: 5d - - name: dockerfile - value: Dockerfile - - name: path-context - value: sources/argocd-agent - pipelineSpec: - description: | - This pipeline is ideal for building container images from a Containerfile while maintaining trust after pipeline customization. - - _Uses `buildah` to create a container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. Information is shared between tasks using OCI artifacts instead of PVCs. 
EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. - This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-oci-ta?tab=tags)_ - params: - - description: Source Repository URL - name: git-url - type: string - - default: "" - description: Revision of the Source Repository - name: revision - type: string - - description: Fully Qualified Output Image - name: output-image - type: string - - default: . - description: Path to the source code of an application's component from where - to build image. - name: path-context - type: string - - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter - path-context - name: dockerfile - type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - - default: "false" - description: Skip checks against built image - name: skip-checks - type: string - - default: "false" - description: Execute the build with network isolation - name: hermetic - type: string - - default: "" - description: Build dependencies to be prefetched - name: prefetch-input - type: string - - default: "" - description: Image tag expiration time, time values could be something like - 1h, 2d, 3w for hours, days, and weeks, respectively. - name: image-expires-after - type: string - - default: "false" - description: Build a source image. 
- name: build-source-image - type: string - - default: "false" - description: Add built image into an OCI image index - name: build-image-index - type: string - - default: [] - description: Array of --build-arg values ("arg=value" strings) for buildah - name: build-args - type: array - - default: "" - description: Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file - name: build-args-file - type: string - - default: "false" - description: Whether to enable privileged mode, should be used only with remote - VMs - name: privileged-nested - type: string - - default: "sources/argocd-agent/install/helm-repo/argocd-agent-agent" - description: directory where the chart is stored - name: chart-context - type: string - results: - - description: "" - name: IMAGE_URL - value: $(tasks.build-image-index.results.IMAGE_URL) - - description: "" - name: IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - description: "" - name: CHAINS-GIT_URL - value: $(tasks.clone-repository.results.url) - - description: "" - name: CHAINS-GIT_COMMIT - value: $(tasks.clone-repository.results.commit) - tasks: - - name: init - params: - - name: image-url - value: $(params.output-image) - - name: rebuild - value: $(params.rebuild) - - name: skip-checks - value: $(params.skip-checks) - taskRef: - params: - - name: name - value: init - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:ec962d0be18f36ca7d331c99bf243800f569fc0a2ea6f8c8c3d3a574b71c44dc - - name: kind - value: task - resolver: bundles - - name: clone-repository - params: - - name: url - value: $(params.git-url) - - name: revision - value: $(params.revision) - - name: ociStorage - value: $(params.output-image).git - - name: ociArtifactExpiresAfter - value: $(params.image-expires-after) - - name: enableSymlinkCheck - value: "false" - runAfter: - - init - taskRef: - params: - - name: name - value: git-clone-oci-ta - - name: bundle - 
value: quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:3f1b468066b301083d8550e036f5a654fcb064810bd29eb06fec6d8ad3e35b9c - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - workspaces: - - name: basic-auth - workspace: git-auth - - name: prefetch-dependencies - params: - - name: input - value: $(params.prefetch-input) - - name: SOURCE_ARTIFACT - value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) - - name: ociStorage - value: $(params.output-image).prefetch - - name: ociArtifactExpiresAfter - value: $(params.image-expires-after) - runAfter: - - clone-repository - taskRef: - params: - - name: name - value: prefetch-dependencies-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:dc82a7270aace9b1c26f7e96f8ccab2752e53d32980c41a45e1733baad76cde6 - - name: kind - value: task - resolver: bundles - workspaces: - - name: git-basic-auth - workspace: git-auth - - name: netrc - workspace: netrc - # - name: update-digest-for-helm - # taskRef: - # name: update-digest-for-helm - # params: - # - name: CHART_CONTEXT - # value: $(params.chart-context) - # description: Directory where helm chart resources are stored - # - name: SOURCE_ARTIFACT - # type: string - # value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) - # description: The Trusted Artifact URI pointing to the artifact with the application source code. 
- # - name: RELEASE_BRANCH - # value: '{{target_branch}}' - # runAfter: - # - prefetch-dependencies - - name: build-helm-chart - params: - - name: CHART_CONTEXT - value: $(params.chart-context) - - name: IMAGE - value: $(params.output-image) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: RELEASE_BRANCH - value: $(params.target_branch) - - name: IMAGE_MAPPINGS - value: | - [ - { - "source": "ghcr.io/argoproj-labs/argocd-agent/argocd-agent", - "target": "quay.io/redhat-user-workloads/rh-openshift-gitops-tenant/argocd-agent-rhel8:'{{target_branch}}'" - } - ] - runAfter: - - prefetch-dependencies - taskRef: - params: - - name: name - value: build-helm-chart-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-helm-chart-oci-ta:0.3@sha256:5ba1f6a566e332533f1214abd750e47bf1608e8763e498c51f8600a40c4a67db - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - - input: $(params.build-source-image) - operator: in - values: - - "true" - - name: build-image-index - params: - - name: IMAGE - value: $(params.output-image) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: ALWAYS_BUILD_INDEX - value: $(params.build-image-index) - - name: IMAGES - value: - - $(tasks.build-helm-chart.results.IMAGE_URL)@$(tasks.build-helm-chart.results.IMAGE_DIGEST) - runAfter: - - build-helm-chart - taskRef: - params: - - name: name - value: build-image-index - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:79784d53749584bc5a8de32142ec4e2f01cdbf42c20d94e59280e0b927c8597d - - name: kind - value: task - resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - - name: 
deprecated-base-image-check - params: - - name: IMAGE_URL - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: deprecated-image-check - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:1d07d16810c26713f3d875083924d93697900147364360587ccb5a63f2c31012 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: clair-scan - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: clair-scan - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:a7cc183967f89c4ac100d04ab8f81e54733beee60a0528208107c9a22d3c43af - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: ecosystem-cert-preflight-checks - params: - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: ecosystem-cert-preflight-checks - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:dae8e28761cee4ab0baf04ab9f8f1a4b3cee3c7decf461fda2bacc5c01652a60 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sast-snyk-check - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: 
$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: sast-snyk-check-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:783f5de1b4def2fb3fad20b914f4b3afee46ffb8f652114946e321ef3fa86449 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: clamav-scan - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: clamav-scan - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:b0bd59748cda4a7abf311e4f448e6c1d00c6b6d8c0ecc1c2eb33e08dc0e0b802 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sast-coverity-check - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE - value: $(params.output-image) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: HERMETIC - value: $(params.hermetic) - - name: PREFETCH_INPUT - value: $(params.prefetch-input) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: BUILD_ARGS - value: - - $(params.build-args[*]) - - name: BUILD_ARGS_FILE - value: $(params.build-args-file) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - runAfter: - - coverity-availability-check - taskRef: - params: - - name: name - value: 
sast-coverity-check-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:cdbe1a968676e4f5519b082bf1e27a4cdcf66dd60af66dbc26b3e604f957f7e9 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - input: $(tasks.coverity-availability-check.results.STATUS) - operator: in - values: - - success - - name: coverity-availability-check - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: coverity-availability-check - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:db2b267dc15e4ed17f704ee91b8e9b38068e1a35b1018a328fdca621819d74c6 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sast-shell-check - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: sast-shell-check-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:bf7bdde00b7212f730c1356672290af6f38d070da2c8a316987b5c32fd49e0b9 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: sast-unicode-check - params: - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - - name: CACHI2_ARTIFACT - value: 
$(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: sast-unicode-check-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.3@sha256:a2bde66f6b4164620298c7d709b8f08515409404000fa1dc2260d2508b135651 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - - name: apply-tags - params: - - name: IMAGE_URL - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: apply-tags - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.2@sha256:f44be1bf0262471f2f503f5e19da5f0628dcaf968c86272a2ad6b4871e708448 - - name: kind - value: task - resolver: bundles - - name: push-dockerfile - params: - - name: IMAGE - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: IMAGE_DIGEST - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - - name: DOCKERFILE - value: $(params.dockerfile) - - name: CONTEXT - value: $(params.path-context) - - name: SOURCE_ARTIFACT - value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: push-dockerfile-oci-ta - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:49f778479f468e71c2cfef722e96aa813d7ef98bde8a612e1bf1a13cd70849ec - - name: kind - value: task - resolver: bundles - - name: rpms-signature-scan - params: - - name: image-url - value: $(tasks.build-image-index.results.IMAGE_URL) - - name: image-digest - value: $(tasks.build-image-index.results.IMAGE_DIGEST) - runAfter: - - build-image-index - taskRef: - params: - - name: name - value: rpms-signature-scan - - name: bundle - value: 
quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:49ff6d117c3e9dc3966d1244e118e168b3501742ec14c3a4161a276ff48d04d5 - - name: kind - value: task - resolver: bundles - when: - - input: $(params.skip-checks) - operator: in - values: - - "false" - workspaces: - - name: git-auth - optional: true - - name: netrc - optional: true - taskRunTemplate: - serviceAccountName: build-pipeline-agent-helm-build - workspaces: - - name: git-auth - secret: - secretName: '{{ git_auth_secret }}' -status: {} From 789ad17653fdc6d99aebd631b7e27ba72d4d7bcc Mon Sep 17 00:00:00 2001 From: Anand Kumar Singh Date: Wed, 19 Nov 2025 15:52:39 +0530 Subject: [PATCH 22/22] add todo's Signed-off-by: Anand Kumar Singh --- .tekton/agent-helm-build-pull-request.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.tekton/agent-helm-build-pull-request.yaml b/.tekton/agent-helm-build-pull-request.yaml index 7a9fa5263..8c4f1ddd7 100644 --- a/.tekton/agent-helm-build-pull-request.yaml +++ b/.tekton/agent-helm-build-pull-request.yaml @@ -204,6 +204,7 @@ spec: value: $(params.chart-context) - name: IMAGE value: $(params.output-image) + # TODO: determine this at runtime using a custom task # update this COMMIT_SHA with agent repo commit id - name: COMMIT_SHA value: "591bcce1befb6d0d8f05edeba6f0266ff7a98d6a" @@ -211,6 +212,7 @@ spec: value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: RELEASE_BRANCH value: $(params.target_branch) + #TODO: use a SHA here instead of a tag for image mapping - name: IMAGE_MAPPINGS value: | [
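Review bot: The comment added in the second hunk, `#TODO: use a SHA here instead of a tag for image mapping`, drops the space after `#` that the first hunk's `# TODO:` (and yamllint's comments rule) use; write it as `# TODO: use a SHA here instead of a tag for image mapping` so the two markers are consistent and greppable. Neither TODO says why the value matters: the quoted literal under COMMIT_SHA on the line after the first TODO and the tag-based IMAGE_MAPPINGS after the second are presumably what the consuming task records as the built agent commit and its image references (the task's name is outside both hunks), so a stale literal or a re-pointed tag would be built and recorded without any error from the pipeline. A clause naming that risk and a tracking reference, e.g. `# TODO: derive at runtime - a stale literal here mis-records the built commit (tracking: <ISSUE-ID placeholder>)`, would keep the debt visible to whoever edits the value next. Both hunks sit inside the task's params list, and the IMAGE_MAPPINGS block scalar continues past the end of the second hunk.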
