{ "apiVersion": "v1", "items": [ { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-hfukca/-/tree/3fb5a563b674895417653fbcb090f5c816c8a470", "build.appstudio.redhat.com/commit_sha": "3fb5a563b674895417653fbcb090f5c816c8a470", "build.appstudio.redhat.com/target_branch": "base-rkonrv", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-rkonrv", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "incoming", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-bwscyb", "pipelinesascode.tekton.dev/git-provider": "gitlab", "pipelinesascode.tekton.dev/log-url": "https://44.239.98.134:9443/ns/build-e2e-exgr/pipelinerun/gl-test-custom-branch-fpnsvp-on-push-rt6rx", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-rkonrv\"", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-fpnsvp-on-push", "pipelinesascode.tekton.dev/repo-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-hfukca", "pipelinesascode.tekton.dev/repository": "gitlab-com-konflux-qe-devfile-sample-hello-world-hfukca", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "incoming", "pipelinesascode.tekton.dev/sha": "3fb5a563b674895417653fbcb090f5c816c8a470", "pipelinesascode.tekton.dev/sha-title": "Merge branch 'konflux-gl-test-custom-branch-fpnsvp' into 'base-rkonrv'", "pipelinesascode.tekton.dev/sha-url": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-hfukca/-/commit/3fb5a563b674895417653fbcb090f5c816c8a470", "pipelinesascode.tekton.dev/source-branch": "base-rkonrv", "pipelinesascode.tekton.dev/source-project-id": "82222847", "pipelinesascode.tekton.dev/source-repo-url": "", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/target-project-id": "82222847", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-hfukca", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-exgr/results/8c10c80c-870c-498d-9ae0-f2c3ed729e66/records/ac5401cc-a89c-4526-b559-de23efb3765f", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-hfukca\",\"commit\":\"3fb5a563b674895417653fbcb090f5c816c8a470\",\"eventType\":\"incoming\"}", "results.tekton.dev/result": "build-e2e-exgr/results/8c10c80c-870c-498d-9ae0-f2c3ed729e66", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux" }, "creationTimestamp": "2026-05-15T08:29:47Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-15T08:32:48Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-sccq", "appstudio.openshift.io/component": "gl-test-custom-branch-fpnsvp", "build.appstudio.redhat.com/build_type": "docker", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/event-type": "incoming", "pipelinesascode.tekton.dev/original-prname": "gl-test-custom-branch-fpnsvp-on-push", "pipelinesascode.tekton.dev/repository": "gitlab-com-konflux-qe-devfile-sample-hello-world-hfukca", "pipelinesascode.tekton.dev/sha": "3fb5a563b674895417653fbcb090f5c816c8a470", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "konflux-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-hfukca", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gl-test-custom-branch-fpnsvp-on-push-rt6rx", "tekton.dev/pipelineRun": "gl-test-custom-branch-fpnsvp-on-push-rt6rx", "tekton.dev/pipelineRunUID": "8c10c80c-870c-498d-9ae0-f2c3ed729e66", "tekton.dev/pipelineTask": "build-container", "tekton.dev/task": "buildah-oci-ta" }, "name": "gl-test-custom-branch-fpnsvp-on-push-rt6rx-build-container", "namespace": "build-e2e-exgr", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gl-test-custom-branch-fpnsvp-on-push-rt6rx", "uid": "8c10c80c-870c-498d-9ae0-f2c3ed729e66" } ], "resourceVersion": "32078", "uid": "ac5401cc-a89c-4526-b559-de23efb3765f" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-exgr/gl-test-custom-branch-fpnsvp:3fb5a563b674895417653fbcb090f5c816c8a470" }, { "name": "DOCKERFILE", "value": "docker/Dockerfile" }, { "name": "CONTEXT", "value": "." }, { "name": "HERMETIC", "value": "false" }, { "name": "PREFETCH_INPUT", "value": "" }, { "name": "IMAGE_EXPIRES_AFTER", "value": "" }, { "name": "COMMIT_SHA", "value": "3fb5a563b674895417653fbcb090f5c816c8a470" }, { "name": "BUILD_ARGS", "value": [] }, { "name": "BUILD_ARGS_FILE", "value": "" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SOURCE_URL", "value": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-hfukca" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "HTTP_PROXY", "value": "" }, { "name": "NO_PROXY", "value": "" }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-exgr/gl-test-custom-branch-fpnsvp@sha256:afd1a99e41d964a81cd778f295349ff7efc9c78cf926c7cc07bc985756288024" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "serviceAccountName": "build-pipeline-gl-test-custom-branch-fpnsvp", "taskRef": { "params": [ { "name": "name", "value": "buildah-oci-ta" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta:0.9@sha256:681d9f65a7f50cb260ee576ccab551e11d63c549f1e1ef3d201da3c112855bd6" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-15T08:31:17Z", "conditions": [ { "lastTransitionTime": "2026-05-15T08:31:17Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gl-test-custom-branch-fpnsvp-on-push-rt6rx-build-container-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "681d9f65a7f50cb260ee576ccab551e11d63c549f1e1ef3d201da3c112855bd6" }, "entryPoint": "buildah-oci-ta", "uri": "quay.io/konflux-ci/tekton-catalog/task-buildah-oci-ta" } }, "results": [ { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:6d9119a4507a244cc98ced3102a7b2b650b8e7d179a561bc78323271a12c415a" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-exgr/gl-test-custom-branch-fpnsvp:3fb5a563b674895417653fbcb090f5c816c8a470@sha256:6d9119a4507a244cc98ced3102a7b2b650b8e7d179a561bc78323271a12c415a" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-exgr/gl-test-custom-branch-fpnsvp:3fb5a563b674895417653fbcb090f5c816c8a470" }, { "name": "SBOM_BLOB_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-exgr/gl-test-custom-branch-fpnsvp@sha256:e9e35689628c8d51c3aea2fd2c94ab846c7576afa59819f9472d505bba2658e0" } ], "startTime": "2026-05-15T08:29:47Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "containerd://85e10e6f3644fff6778a1bd61282acd01f7b6f45057dd4cb07e2ee0f1f07ddb7", "exitCode": 0, "finishedAt": "2026-05-15T08:29:57Z", "reason": "Completed", "startedAt": "2026-05-15T08:29:56Z" }, "terminationReason": "Completed" }, { "container": "step-build", "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "build", "provenance": {}, "terminated": { "containerID": "containerd://c21b362c556eb659c4be7f01fa0a937e341ec10d490b459088ca9874b6074f83", "exitCode": 0, "finishedAt": "2026-05-15T08:30:04Z", "reason": "Completed", "startedAt": "2026-05-15T08:29:58Z" }, "terminationReason": "Completed" }, { "container": "step-push", "imageID": "quay.io/konflux-ci/buildah-task@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "push", "provenance": {}, "terminated": { "containerID": "containerd://a83146256d1c9ffa77ec54fd939cce7502afa5e9b6ce6e949e6814961b1b9027", "exitCode": 0, "finishedAt": "2026-05-15T08:30:15Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6d9119a4507a244cc98ced3102a7b2b650b8e7d179a561bc78323271a12c415a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-exgr/gl-test-custom-branch-fpnsvp:3fb5a563b674895417653fbcb090f5c816c8a470@sha256:6d9119a4507a244cc98ced3102a7b2b650b8e7d179a561bc78323271a12c415a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-exgr/gl-test-custom-branch-fpnsvp:3fb5a563b674895417653fbcb090f5c816c8a470\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-15T08:30:05Z" }, "terminationReason": "Completed" }, { "container": "step-sbom-syft-generate", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "provenance": {}, "terminated": { "containerID": "containerd://a6f4bc918e09b83a057fa9e3a01e9b01c8ea1140077b86e9d98bfb8b9152873f", "exitCode": 0, "finishedAt": "2026-05-15T08:30:19Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6d9119a4507a244cc98ced3102a7b2b650b8e7d179a561bc78323271a12c415a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-exgr/gl-test-custom-branch-fpnsvp:3fb5a563b674895417653fbcb090f5c816c8a470@sha256:6d9119a4507a244cc98ced3102a7b2b650b8e7d179a561bc78323271a12c415a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-exgr/gl-test-custom-branch-fpnsvp:3fb5a563b674895417653fbcb090f5c816c8a470\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-15T08:30:15Z" }, "terminationReason": "Completed" }, { "container": "step-prepare-sboms", "imageID": "quay.io/konflux-ci/mobster@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "provenance": {}, "terminated": { "containerID": "containerd://a48617d60e6280e013c67724ded9d40487aab8e25d3913e452af328438df23ad", "exitCode": 0, "finishedAt": "2026-05-15T08:30:47Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6d9119a4507a244cc98ced3102a7b2b650b8e7d179a561bc78323271a12c415a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-exgr/gl-test-custom-branch-fpnsvp:3fb5a563b674895417653fbcb090f5c816c8a470@sha256:6d9119a4507a244cc98ced3102a7b2b650b8e7d179a561bc78323271a12c415a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-exgr/gl-test-custom-branch-fpnsvp:3fb5a563b674895417653fbcb090f5c816c8a470\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-15T08:30:20Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "containerd://b187bb8c805179b796bdb0bcd72e4fb5d64e9304ba23089aace27b1b72687907", "exitCode": 0, "finishedAt": "2026-05-15T08:31:16Z", "message": "[{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:6d9119a4507a244cc98ced3102a7b2b650b8e7d179a561bc78323271a12c415a\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-exgr/gl-test-custom-branch-fpnsvp:3fb5a563b674895417653fbcb090f5c816c8a470@sha256:6d9119a4507a244cc98ced3102a7b2b650b8e7d179a561bc78323271a12c415a\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-exgr/gl-test-custom-branch-fpnsvp:3fb5a563b674895417653fbcb090f5c816c8a470\",\"type\":1},{\"key\":\"SBOM_BLOB_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-exgr/gl-test-custom-branch-fpnsvp@sha256:e9e35689628c8d51c3aea2fd2c94ab846c7576afa59819f9472d505bba2658e0\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-15T08:30:47Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Buildah task builds source code into a container image and pushes the image into container registry using buildah tool.\nIn addition, it generates a SBOM file, injects the SBOM file into final container image and pushes the SBOM file as separate image using cosign tool.\nWhen prefetch-dependencies task is activated it is using its artifacts to run build in hermetic environment.", "params": [ { "default": "activation-key", "description": "Name of secret which contains subscription activation key", "name": "ACTIVATION_KEY", "type": "string" }, { "default": [], "description": "Additional base image references to include to the SBOM. Array of image_reference_with_digest strings", "name": "ADDITIONAL_BASE_IMAGES", "type": "array" }, { "default": "does-not-exist", "description": "Name of a secret which will be made available to the build with 'buildah build --secret' at /run/secrets/$ADDITIONAL_SECRET", "name": "ADDITIONAL_SECRET", "type": "string" }, { "default": "", "description": "Comma separated list of extra capabilities to add when running 'buildah build'", "name": "ADD_CAPABILITIES", "type": "string" }, { "default": [], "description": "Additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS", "type": "array" }, { "default": "", "description": "Path to a file with additional key=value annotations that should be applied to the image", "name": "ANNOTATIONS_FILE", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": [], "description": "Array of --build-arg values (\"arg=value\" strings)", "name": "BUILD_ARGS", "type": "array" }, { "default": "", "description": "Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file", "name": "BUILD_ARGS_FILE", "type": "string" }, { "default": "", "description": "Defines the single build time for all buildah builds in seconds since UNIX epoch. Conflicts with SOURCE_DATE_EPOCH.", "name": "BUILD_TIMESTAMP", "type": "string" }, { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "", "description": "The image is built from this commit.", "name": "COMMIT_SHA", "type": "string" }, { "default": ".", "description": "Path to the directory to use as context.", "name": "CONTEXT", "type": "string" }, { "default": "true", "description": "Determines if SBOM will be contextualized.", "name": "CONTEXTUALIZE_SBOM", "type": "string" }, { "default": "./Dockerfile", "description": "Path to the Dockerfile to build.", "name": "DOCKERFILE", "type": "string" }, { "default": "etc-pki-entitlement", "description": "Name of secret which contains the entitlement certificates", "name": "ENTITLEMENT_SECRET", "type": "string" }, { "default": [], "description": "Array of --env values (\"env=value\" strings)", "name": "ENV_VARS", "type": "array" }, { "default": "false", "description": "Determines if build will be executed without network access.", "name": "HERMETIC", "type": "string" }, { "default": "", "description": "HTTP/HTTPS proxy to use for the buildah pull and build operations. Will not be passed through to the container during the build process.", "name": "HTTP_PROXY", "type": "string" }, { "default": "true", "description": "Whether to keep compatibility location at /root/buildinfo/ for ICM injection", "name": "ICM_KEEP_COMPAT_LOCATION", "type": "string" }, { "description": "Reference of the image buildah will produce.", "name": "IMAGE", "type": "string" }, { "default": "", "description": "Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.", "name": "IMAGE_EXPIRES_AFTER", "type": "string" }, { "default": "true", "description": "Determines if the image inherits the base image labels.", "name": "INHERIT_BASE_IMAGE_LABELS", "type": "string" }, { "default": [], "description": "Additional key=value labels that should be applied to the image", "name": "LABELS", "type": "array" }, { "default": "", "description": "Comma separated list of hosts or domains which should bypass the HTTP/HTTPS proxy.", "name": "NO_PROXY", "type": "string" }, { "default": "false", "description": "Omit build history information from the resulting image. Improves reproducibility by excluding timestamps and layer metadata.", "name": "OMIT_HISTORY", "type": "string" }, { "default": "", "description": "In case it is not empty, the prefetched content should be made available to the build.", "name": "PREFETCH_INPUT", "type": "string" }, { "default": "false", "description": "Whether to enable privileged mode, should be used only with remote VMs", "name": "PRIVILEGED_NESTED", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the proxy CA bundle data.", "name": "PROXY_CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "caching-ca-bundle", "description": "The name of the ConfigMap to read proxy CA bundle data from.", "name": "PROXY_CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "false", "description": "Clamp mtime of all files to at most SOURCE_DATE_EPOCH. Does nothing if SOURCE_DATE_EPOCH is not defined.", "name": "REWRITE_TIMESTAMP", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "true", "description": "Flag to enable or disable SBOM generation from source code. The scanner of the source code is enabled only for non-hermetic builds and can be disabled if the SBOM_SYFT_SELECT_CATALOGERS can't turn off catalogers that cause false positives on source code scanning.", "name": "SBOM_SOURCE_SCAN_ENABLED", "type": "string" }, { "default": "", "description": "Extra option to customize Syft's default catalogers when generating SBOMs. The value corresponds to Syft's CLI flag --select-catalogers. The details about available catalogers can be found here: https://github.com/anchore/syft/wiki/Package-Cataloger-Selection", "name": "SBOM_SYFT_SELECT_CATALOGERS", "type": "string" }, { "default": "spdx", "description": "Select the SBOM format to generate. Valid values: spdx, cyclonedx. Note: the SBOM from the prefetch task - if there is one - must be in the same format.", "name": "SBOM_TYPE", "type": "string" }, { "default": "false", "description": "Don't inject a content-sets.json or a labels.json file. This requires that the canonical Containerfile takes care of this itself.", "name": "SKIP_INJECTIONS", "type": "string" }, { "default": "false", "description": "Skip SBOM-related operations. This will likely cause EC policies to fail if enabled", "name": "SKIP_SBOM_GENERATION", "type": "string" }, { "default": "true", "description": "Whether to skip stages in Containerfile that seem unused by subsequent stages", "name": "SKIP_UNUSED_STAGES", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": "", "description": "Timestamp in seconds since Unix epoch for reproducible builds. Sets image created time and SOURCE_DATE_EPOCH build arg. Conflicts with BUILD_TIMESTAMP.", "name": "SOURCE_DATE_EPOCH", "type": "string" }, { "default": "", "description": "The image is built from this URL.", "name": "SOURCE_URL", "type": "string" }, { "default": "false", "description": "Squash all new and previous layers added as a part of this build, as per --squash", "name": "SQUASH", "type": "string" }, { "default": "overlay", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "", "description": "Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.", "name": "TARGET_STAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "default": "", "description": "Mount the current working directory into the build using --volume $PWD:/$WORKINGDIR_MOUNT. Note that the $PWD will be the context directory for the build (see the CONTEXT param).", "name": "WORKINGDIR_MOUNT", "type": "string" }, { "default": "fetched.repos.d", "description": "Path in source workspace where dynamically-fetched repos are present", "name": "YUM_REPOS_D_FETCHED", "type": "string" }, { "default": "repos.d", "description": "Path in the git repository in which yum repository files are stored", "name": "YUM_REPOS_D_SRC", "type": "string" }, { "default": "/etc/yum.repos.d", "description": "Target path on the container in which yum repository files should be made available", "name": "YUM_REPOS_D_TARGET", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image reference of the built image", "name": "IMAGE_REF", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "1", "memory": "4Gi" } }, "env": [ { "name": "ACTIVATION_KEY", "value": "activation-key" }, { "name": "ADDITIONAL_SECRET", "value": "does-not-exist" }, { "name": "ADD_CAPABILITIES" }, { "name": "ANNOTATIONS_FILE" }, { "name": "BUILD_ARGS_FILE" }, { "name": "BUILD_TIMESTAMP" }, { "name": "CONTEXT", "value": "." }, { "name": "CONTEXTUALIZE_SBOM", "value": "true" }, { "name": "ENTITLEMENT_SECRET", "value": "etc-pki-entitlement" }, { "name": "HERMETIC", "value": "false" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-exgr/gl-test-custom-branch-fpnsvp:3fb5a563b674895417653fbcb090f5c816c8a470" }, { "name": "IMAGE_EXPIRES_AFTER" }, { "name": "INHERIT_BASE_IMAGE_LABELS", "value": "true" }, { "name": "PRIVILEGED_NESTED", "value": "false" }, { "name": "SBOM_SKIP_VALIDATION", "value": "true" }, { "name": "SBOM_SOURCE_SCAN_ENABLED", "value": "true" }, { "name": "SBOM_SYFT_SELECT_CATALOGERS" }, { "name": "SBOM_TYPE", "value": "spdx" }, { "name": "SKIP_INJECTIONS", "value": "false" }, { "name": "SKIP_SBOM_GENERATION", "value": "false" }, { "name": "SKIP_UNUSED_STAGES", "value": "true" }, { "name": "SOURCE_CODE_DIR", "value": "source" }, { "name": "SQUASH", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "overlay" }, { "name": "TARGET_STAGE" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "WORKINGDIR_MOUNT" }, { "name": "YUM_REPOS_D_FETCHED", "value": "fetched.repos.d" }, { "name": "YUM_REPOS_D_SRC", "value": "repos.d" }, { "name": "YUM_REPOS_D_TARGET", "value": "/etc/yum.repos.d" } ], "imagePullPolicy": "IfNotPresent", "volumeMounts": [ { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-exgr/gl-test-custom-branch-fpnsvp@sha256:afd1a99e41d964a81cd778f295349ff7efc9c78cf926c7cc07bc985756288024=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": {}, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:9bd32f6bafb517b309e11a2d89365052b4ab3f1c9c23c4ffd45aff6f03960476", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "args": [ "--build-args", "--env", "--labels", "--annotations" ], "computeResources": { "limits": { "cpu": "4600m", "memory": "8Gi" }, "requests": { "cpu": "4600m", "memory": "8Gi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "COMMIT_SHA", "value": "3fb5a563b674895417653fbcb090f5c816c8a470" }, { "name": "SOURCE_URL", "value": "https://gitlab.com/konflux-qe/devfile-sample-hello-world-hfukca" }, { "name": "DOCKERFILE", "value": "docker/Dockerfile" }, { "name": "BUILDAH_HTTP_PROXY" }, { "name": "BUILDAH_NO_PROXY" }, { "name": "ICM_KEEP_COMPAT_LOCATION", "value": "true" }, { "name": "BUILDAH_OMIT_HISTORY", "value": "false" }, { "name": "BUILDAH_SOURCE_DATE_EPOCH" }, { "name": "BUILDAH_REWRITE_TIMESTAMP", "value": "false" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "build", "script": "#!/bin/bash\nset -euo pipefail\n\nfunction set_proxy {\n if [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Setting proxy to ${BUILDAH_HTTP_PROXY}\"\n export HTTP_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export HTTPS_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n export ALL_PROXY=\"${BUILDAH_HTTP_PROXY}\"\n if [ -n \"${BUILDAH_NO_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Bypassing proxy for ${BUILDAH_NO_PROXY}\"\n export NO_PROXY=\"${BUILDAH_NO_PROXY}\"\n fi\n fi\n}\n\nfunction unset_proxy {\n echo \"[$(date --utc -Ins)] Unsetting proxy\"\n unset HTTP_PROXY HTTPS_PROXY ALL_PROXY NO_PROXY\n}\n\necho \"[$(date --utc -Ins)] Validate context path\"\n\nif [ -z \"$CONTEXT\" ]; then\n echo \"WARNING: CONTEXT is empty. Defaulting to '.' (the source directory).\" \u003e\u00262\n CONTEXT=\".\"\nfi\n\nsource_dir_path=$(realpath \"$SOURCE_CODE_DIR\")\ncontext_dir_path=$(realpath \"$SOURCE_CODE_DIR/$CONTEXT\")\n\ncase \"$context_dir_path\" in\n\"$source_dir_path\" | \"$source_dir_path/\"*)\n # path is valid, do nothing\n ;;\n*)\n echo \"ERROR: The CONTEXT parameter ('$CONTEXT') is invalid because it escapes the source directory.\" \u003e\u00262\n echo \"Source path: $source_dir_path\" \u003e\u00262\n echo \"Resolved path: $context_dir_path\" \u003e\u00262\n exit 1\n ;;\nesac\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nproxy_ca_bundle=/mnt/proxy-ca-bundle/ca-bundle.crt\nupdate_ca_trust=false\n\nif [ -f \"$ca_bundle\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors/ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ -f \"$proxy_ca_bundle\" ] \u0026\u0026 [ -n \"${BUILDAH_HTTP_PROXY}\" ]; then\n echo \"[$(date --utc -Ins)] Using mounted proxy CA bundle: $proxy_ca_bundle\"\n cp -vf $proxy_ca_bundle /etc/pki/ca-trust/source/anchors/proxy-ca-bundle.crt\n update_ca_trust=true\nfi\n\nif [ \"$update_ca_trust\" = \"true\" ]; then\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Prepare Dockerfile\"\n\nif [ -e \"$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$CONTEXT/$DOCKERFILE\"\nelif [ -e \"$SOURCE_CODE_DIR/$DOCKERFILE\" ]; then\n dockerfile_path=\"$(pwd)/$SOURCE_CODE_DIR/$DOCKERFILE\"\nelif [ -e \"$DOCKERFILE\" ]; then\n # Instrumented builds (SAST) use this custom dockerfile step as their base\n dockerfile_path=\"$DOCKERFILE\"\nelse\n echo \"Cannot find Dockerfile $DOCKERFILE\"\n exit 1\nfi\n\ndockerfile_copy=$(mktemp --tmpdir \"$(basename \"$dockerfile_path\").XXXXXX\")\ncp \"$dockerfile_path\" \"$dockerfile_copy\"\n\n# Inject the image content manifest into the container we are producing.\n# This will generate the content-sets.json file and copy it by appending a COPY\n# instruction to the Containerfile.\nicm_opts=()\nif [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n icm_opts+=(-c)\nfi\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n inject-icm-to-containerfile \"${icm_opts[@]}\" \"$dockerfile_copy\" \"/var/workdir/cachi2/output/bom.json\" \"$SOURCE_CODE_DIR/$CONTEXT\"\nfi\n\necho \"[$(date --utc -Ins)] Prepare system (architecture: $(uname -m))\"\n\n# Fixing group permission on /var/lib/containers\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\n# Setting new namespace to run buildah - 2^32-2\necho 'root:1:4294967294' | tee -a /etc/subuid \u003e\u003e/etc/subgid\n\nbuild_args=()\nenv_vars=()\n\nLABELS=()\nANNOTATIONS=()\n# Append any annotations from the specified file\nif [ -n \"${ANNOTATIONS_FILE}\" ] \u0026\u0026 [ -f \"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\" ]; then\n echo \"Reading annotations from file: ${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\n while IFS= read -r line || [[ -n \"$line\" ]]; do\n # Skip empty lines and comments\n if [[ -n \"$line\" \u0026\u0026 ! \"$line\" =~ ^[[:space:]]*# ]]; then\n ANNOTATIONS+=(\"--annotation\" \"$line\")\n fi\n done \u003c\"${SOURCE_CODE_DIR}/${ANNOTATIONS_FILE}\"\nfi\n\n# Split `args` into two sets of arguments.\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --build-args)\n shift\n # Note: this may result in multiple --build-arg=KEY=value flags with the same KEY being\n # passed to buildah. In that case, the *last* occurrence takes precedence. This is why\n # we append BUILD_ARGS after the content of the BUILD_ARGS_FILE\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n build_args+=(\"$1\")\n shift\n done\n ;;\n --env)\n shift\n # Collect env entries of the form KEY=value\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n env_vars+=(\"$1\")\n shift\n done\n ;;\n --labels)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n LABELS+=(\"--label\" \"$1\")\n shift\n done\n ;;\n --annotations)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ANNOTATIONS+=(\"--annotation\" \"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nBUILD_ARG_FLAGS=()\nfor build_arg in \"${build_args[@]}\"; do\n BUILD_ARG_FLAGS+=(\"--build-arg=$build_arg\")\ndone\n\nENV_FLAGS=()\nfor env_var in \"${env_vars[@]}\"; do\n ENV_FLAGS+=(\"--env=$env_var\")\ndone\n\nDOCKERFILE_ARG_FLAGS=()\nDOCKERFILE_ARG_FLAGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nDOCKERFILE_ARG_FLAGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n DOCKERFILE_ARG_FLAGS+=(\"--build-arg-file=${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\nfi\n\ndockerfile-json \"${DOCKERFILE_ARG_FLAGS[@]}\" \"$dockerfile_copy\" \u003e/shared/parsed_dockerfile.json\nBASE_IMAGES=$(\n jq -r '.Stages[] | select(.From | .Stage or .Scratch | not) | .BaseName | select(test(\"^oci-archive:\") | not)' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n)\n\nBUILDAH_ARGS=()\nUNSHARE_ARGS=()\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--pull=never\")\n UNSHARE_ARGS+=(\"--net\")\n buildah_retries=3\n\n set_proxy\n\n for image in $BASE_IMAGES; do\n if ! retry unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 --mount -- buildah pull --retry \"$buildah_retries\" \"$image\"; then\n echo \"Failed to pull base image ${image}\"\n exit 1\n fi\n done\n\n unset_proxy\n\n echo \"Build will be executed with network isolation\"\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n BUILDAH_ARGS+=(\"--target=${TARGET_STAGE}\")\nfi\n\nBUILDAH_ARGS+=(\"${BUILD_ARG_FLAGS[@]}\")\nBUILDAH_ARGS+=(\"${ENV_FLAGS[@]}\")\n\nif [ -n \"${BUILD_ARGS_FILE}\" ]; then\n BUILDAH_ARGS+=(\"--build-arg-file=$(realpath \"${SOURCE_CODE_DIR}/${BUILD_ARGS_FILE}\")\")\nfi\n\n# Necessary for newer version of buildah if the host system does not contain up to date version of container-selinux\n# TODO remove the option once all hosts were updated\nBUILDAH_ARGS+=(\"--security-opt=unmask=/proc/interrupts\")\n\nif [ \"${PRIVILEGED_NESTED}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--security-opt=label=disable\")\n BUILDAH_ARGS+=(\"--cap-add=all\")\n BUILDAH_ARGS+=(\"--device=/dev/fuse\")\nfi\n\nif [ -n \"${ADD_CAPABILITIES}\" ]; then\n BUILDAH_ARGS+=(\"--cap-add=${ADD_CAPABILITIES}\")\nfi\n\nif [ \"${SQUASH}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--squash\")\nfi\n\nif [ \"${SKIP_UNUSED_STAGES}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--skip-unused-stages=false\")\nfi\n\nif [ \"${INHERIT_BASE_IMAGE_LABELS}\" != \"true\" ]; then\n BUILDAH_ARGS+=(\"--inherit-labels=false\")\nfi\n\nif [ -n \"${BUILDAH_SOURCE_DATE_EPOCH}\" ]; then\n BUILDAH_ARGS+=(\"--source-date-epoch=${BUILDAH_SOURCE_DATE_EPOCH}\")\n if [ \"${BUILDAH_REWRITE_TIMESTAMP}\" = \"true\" ]; then\n BUILDAH_ARGS+=(\"--rewrite-timestamp\")\n fi\n if [ -n \"$BUILD_TIMESTAMP\" ]; then\n echo \"ERROR: cannot use both BUILD_TIMESTAMP and SOURCE_DATE_EPOCH\"\n exit 1\n fi\n # but do set it so that we get all the labels/annotations associated with it\n BUILD_TIMESTAMP=\"$BUILDAH_SOURCE_DATE_EPOCH\"\nfi\n\nif [ \"${BUILDAH_OMIT_HISTORY}\" == \"true\" ]; then\n BUILDAH_ARGS+=(\"--omit-history\")\nfi\n\nVOLUME_MOUNTS=()\n\necho \"[$(date --utc -Ins)] Setup prefetched\"\n\nif [ -f \"/var/workdir/cachi2/cachi2.env\" ]; then\n # Identify the current arch to filter the prefetched content\n PREFETCH_ARCH=\"$(uname -m)\"\n echo \"$PREFETCH_ARCH\" \u003e/shared/prefetch-arch\n\n echo \"Prefetched content will be made available\"\n\n cp -r \"/var/workdir/cachi2\" /tmp/\n chmod -R go+rwX /tmp/cachi2\n\n # In case RPMs were prefetched and this is a multi-arch build,\n # clean up the packages that do not match the architecture being built\n RPM_PREFETCH_DIR=\"/tmp/cachi2/output/deps/rpm\"\n if [ -d \"$RPM_PREFETCH_DIR\" ] \u0026\u0026 [ \"$(find $RPM_PREFETCH_DIR | wc -l)\" -gt 1 ]; then\n echo \"Removing prefetched RPMs from non-matching architectures\"\n PREFETCH_ARCH=\"$(uname -m)\"\n for path in \"$RPM_PREFETCH_DIR\"/*; do\n if [ \"$(basename \"$path\")\" != \"$PREFETCH_ARCH\" ]; then\n echo \"Removing: $path\"\n rm -rf \"$path\"\n else\n echo \"Keeping: $path\"\n fi\n done\n fi\n\n VOLUME_MOUNTS+=(--volume /tmp/cachi2:/cachi2)\n # Read in the whole file (https://unix.stackexchange.com/questions/533277), then\n # for each RUN ... line insert the cachi2.env command *after* any options like --mount\n sed -E -i \\\n -e 'H;1h;$!d;x' \\\n -e 's@^\\s*(run((\\s|\\\\\\n)+-\\S+)*(\\s|\\\\\\n)+)@\\1. /cachi2/cachi2.env \\\u0026\\\u0026 \\\\\\n @igM' \\\n \"$dockerfile_copy\"\n\n prefetched_repo_for_my_arch=\"/tmp/cachi2/output/deps/rpm/$(uname -m)/repos.d/cachi2.repo\"\n if [ -f \"$prefetched_repo_for_my_arch\" ]; then\n echo \"Adding $prefetched_repo_for_my_arch to $YUM_REPOS_D_FETCHED\"\n mkdir -p \"$YUM_REPOS_D_FETCHED\"\n if [ ! -f \"${YUM_REPOS_D_FETCHED}/cachi2.repo\" ]; then\n cp \"$prefetched_repo_for_my_arch\" \"$YUM_REPOS_D_FETCHED\"\n fi\n fi\nfi\n\n# if yum repofiles stored in git, copy them to mount point outside the source dir\nif [ -d \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\" ]; then\n mkdir -p \"${YUM_REPOS_D_FETCHED}\"\n cp -r \"${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}\"/* \"${YUM_REPOS_D_FETCHED}\"\nfi\n\n# if anything in the repofiles mount point (either fetched or from git), mount it\nif [ -d \"${YUM_REPOS_D_FETCHED}\" ]; then\n chmod -R go+rwX \"${YUM_REPOS_D_FETCHED}\"\n mount_point=$(realpath \"${YUM_REPOS_D_FETCHED}\")\n VOLUME_MOUNTS+=(--volume \"${mount_point}:${YUM_REPOS_D_TARGET}\")\nfi\n\nDEFAULT_LABELS=(\n \"--label\" \"architecture=$(uname -m)\"\n \"--label\" \"vcs-type=git\"\n)\nif [ -n \"$COMMIT_SHA\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"vcs-ref=${COMMIT_SHA}\" \"--label\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.revision=${COMMIT_SHA}\")\nfi\nif [ -n \"$SOURCE_URL\" ]; then\n DEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.source=${SOURCE_URL}\")\n ANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.source=${SOURCE_URL}\")\nfi\n[ -n \"$IMAGE_EXPIRES_AFTER\" ] \u0026\u0026 DEFAULT_LABELS+=(\"--label\" \"quay.expires-after=$IMAGE_EXPIRES_AFTER\")\n\nBUILD_TIMESTAMP_RFC3339=\"\"\nif [ -n \"$BUILD_TIMESTAMP\" ]; then\n BUILD_TIMESTAMP_RFC3339=$(date -u -d \"@$BUILD_TIMESTAMP\" +'%Y-%m-%dT%H:%M:%SZ')\nelse\n BUILD_TIMESTAMP_RFC3339=$(date -u +'%Y-%m-%dT%H:%M:%SZ')\nfi\n\nDEFAULT_LABELS+=(\"--label\" \"build-date=${BUILD_TIMESTAMP_RFC3339}\")\nDEFAULT_LABELS+=(\"--label\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nANNOTATIONS+=(\"--annotation\" \"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\n\nlabel_pairs=()\n# If INHERIT_BASE_IMAGE_LABELS is true, get the labels from the final base image only\ntouch base_images_labels.json\nif [[ \"$INHERIT_BASE_IMAGE_LABELS\" == \"true\" ]] \u0026\u0026 [[ -n \"$BASE_IMAGES\" ]]; then\n FINAL_BASE_IMAGE=$(\n # Get the base image of the final stage\n # The final stage can refer to a previous `FROM xxx AS yyy` stage, for example 'FROM bar AS foo; ... ; FROM foo; ...'\n # Define a function that keeps nesting recursively into the parent stages until it finds the original base image\n # Run the find_root_stage() function on the final stage\n # If the final stage is scratch or oci-archive, return empty\n jq -r '.Stages as $all_stages |\n def find_root_stage($stage):\n if $stage.From.Stage then\n find_root_stage($all_stages[$stage.From.Stage.Index])\n else\n $stage\n end;\n\n find_root_stage(.Stages[-1]) |\n if .From.Scratch or (.BaseName | test(\"^oci-archive:\")) then\n empty\n else\n .BaseName\n end' /shared/parsed_dockerfile.json |\n tr -d '\"' |\n tr -d \"'\"\n )\n if [[ -n \"$FINAL_BASE_IMAGE\" ]]; then\n set_proxy\n buildah pull \"$FINAL_BASE_IMAGE\" \u003e/dev/null$()\n unset_proxy\n buildah inspect \"$FINAL_BASE_IMAGE\" | jq '.OCIv1.config.Labels' \u003e\"base_images_labels.json\"\n fi\nfi\n\n# Concatenate defaults and explicit labels. If a label appears twice, the last one wins.\nLABELS=(\"${DEFAULT_LABELS[@]}\" \"${LABELS[@]}\")\n\n# Get all the default and explicit labels so that they can be written into labels.json\nfor label in \"${LABELS[@]}\"; do\n if [[ \"$label\" != \"--label\" ]]; then\n label_pairs+=(\"$label\")\n fi\ndone\n\n# Labels that we explicitly add to the image\nlabel_pairs+=(\"org.opencontainers.image.created=${BUILD_TIMESTAMP_RFC3339}\")\nlabel_pairs+=(\"io.buildah.version=$(buildah version --json | jq -r '.version')\")\n\nwhile IFS= read -r label; do\n label_pairs+=(\"$label\")\ndone \u003c \u003c(jq -r '.Stages[].Commands[] | select(.Name == \"LABEL\") | .Labels[] | \"\\(.Key)=\\(.Value)\"' /shared/parsed_dockerfile.json | sed 's/\"//g')\n\nprintf '%s\\n' \"${label_pairs[@]}\" | jq -Rn '\n [ inputs | select(length\u003e0) ]\n| map( split(\"=\") | {(.[0]): (.[1] // \"\")} )\n | add' \u003e\"image_labels.json\"\n\njq -s '(.[0] // {}) * (.[1] // {})' \"base_images_labels.json\" \"image_labels.json\" \u003e\"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\njq '.' \"$SOURCE_CODE_DIR/$CONTEXT/labels.json\"\n\nif [ \"${SKIP_INJECTIONS}\" = \"false\" ]; then\n echo \"\" \u003e\u003e\"$dockerfile_copy\"\n # Always write labels.json to the new standard location\n echo 'COPY labels.json /usr/share/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n # Conditionally write to the old location for backward compatibility\n if [ \"${ICM_KEEP_COMPAT_LOCATION}\" = \"true\" ]; then\n echo 'COPY labels.json /root/buildinfo/labels.json' \u003e\u003e\"$dockerfile_copy\"\n fi\nfi\n\n# Make sure our labels.json file isn't filtered out\ncontainerignore=\"\"\nif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.containerignore\"\nelif [ -f \"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\" ]; then\n containerignore=\"$SOURCE_CODE_DIR/$CONTEXT/.dockerignore\"\nfi\n\nif [ -n \"$containerignore\" ]; then\n ignorefile_copy=$(mktemp --tmpdir \"$(basename \"$containerignore\").XXXXXX\")\n cp \"$containerignore\" \"$ignorefile_copy\"\n {\n echo \"\"\n echo \"!/labels.json\"\n echo \"!/content-sets.json\"\n } \u003e\u003e\"$ignorefile_copy\"\n BUILDAH_ARGS+=(--ignorefile \"$ignorefile_copy\")\nfi\n\necho \"[$(date --utc -Ins)] Register sub-man\"\n\nACTIVATION_KEY_PATH=\"/activation-key\"\nENTITLEMENT_PATH=\"/entitlement\"\n\n# 0. if hermetic=true, skip all subscription related stuff\n# 1. do not enable activation key and entitlement at same time. If both vars are provided, prefer activation key.\n# 2. Activation-keys will be used when the key 'org' exists in the activation key secret.\n# 3. try to pre-register and mount files to the correct location so that users do no need to modify Dockerfiles.\n# 3. If the Dockerfile contains the string \"subcription-manager register\", add the activation-keys volume\n# to buildah but don't pre-register for backwards compatibility. Mount an empty directory on\n# shared emptydir volume to \"/etc/pki/entitlement\" to prevent certificates from being included\n\nif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 [ -e /activation-key/org ]; then\n cp -r --preserve=mode \"$ACTIVATION_KEY_PATH\" /tmp/activation-key\n mkdir -p /shared/rhsm/etc/pki/entitlement\n mkdir -p /shared/rhsm/etc/pki/consumer\n\n VOLUME_MOUNTS+=(-v /tmp/activation-key:/activation-key\n -v /shared/rhsm/etc/pki/entitlement:/etc/pki/entitlement:Z\n -v /shared/rhsm/etc/pki/consumer:/etc/pki/consumer:Z)\n echo \"Adding activation key to the build\"\n\n if ! grep -E \"^[^#]*subscription-manager.[^#]*register\" \"$dockerfile_path\"; then\n # user is not running registration in the Containerfile: pre-register.\n echo \"Pre-registering with subscription manager.\"\n export RETRY_MAX_TRIES=6\n if ! retry subscription-manager register --org \"$(cat /tmp/activation-key/org)\" --activationkey \"$(cat /tmp/activation-key/activationkey)\"; then\n echo \"Subscription-manager register failed\"\n exit 1\n fi\n unset RETRY_MAX_TRIES\n trap 'subscription-manager unregister || true' EXIT\n\n # copy generated certificates to /shared volume\n cp /etc/pki/entitlement/*.pem /shared/rhsm/etc/pki/entitlement\n cp /etc/pki/consumer/*.pem /shared/rhsm/etc/pki/consumer\n\n # and then mount get /etc/rhsm/ca/redhat-uep.pem into /run/secrets/rhsm/ca\n VOLUME_MOUNTS+=(--volume /etc/rhsm/ca/redhat-uep.pem:/etc/rhsm/ca/redhat-uep.pem:Z)\n fi\n\nelif [ \"${HERMETIC}\" != \"true\" ] \u0026\u0026 find /entitlement -name \"*.pem\" \u003e/dev/null; then\n cp -r --preserve=mode \"$ENTITLEMENT_PATH\" /tmp/entitlement\n VOLUME_MOUNTS+=(--volume /tmp/entitlement:/etc/pki/entitlement)\n echo \"Adding the entitlement to the build\"\nfi\n\nif [ -n \"$WORKINGDIR_MOUNT\" ]; then\n if [[ \"$WORKINGDIR_MOUNT\" == *:* ]]; then\n echo \"WORKINGDIR_MOUNT contains ':'\" \u003e\u00262\n echo \"Refusing to proceed in case this is an attempt to set unexpected mount options.\" \u003e\u00262\n exit 1\n fi\n # ${SOURCE_CODE_DIR}/${CONTEXT} will be the $PWD when we call 'buildah build'\n # (we set the workdir using 'unshare -w')\n context_dir=$(realpath \"${SOURCE_CODE_DIR}/${CONTEXT}\")\n VOLUME_MOUNTS+=(--volume \"$context_dir:${WORKINGDIR_MOUNT}\")\nfi\n\nif [ -n \"${ADDITIONAL_VOLUME_MOUNTS-}\" ]; then\n # ADDITIONAL_VOLUME_MOUNTS allows to specify more volumes for the build.\n # Instrumented builds (SAST) use this step as their base and add some other tools.\n while read -r volume_mount; do\n VOLUME_MOUNTS+=(\"--volume=$volume_mount\")\n done \u003c\u003c\u003c\"$ADDITIONAL_VOLUME_MOUNTS\"\nfi\n\necho \"[$(date --utc -Ins)] Add secrets\"\n\nADDITIONAL_SECRET_PATH=\"/additional-secret\"\nADDITIONAL_SECRET_TMP=\"/tmp/additional-secret\"\nif [ -d \"$ADDITIONAL_SECRET_PATH\" ]; then\n cp -r --preserve=mode -L \"$ADDITIONAL_SECRET_PATH\" $ADDITIONAL_SECRET_TMP\n while read -r filename; do\n echo \"Adding the secret ${ADDITIONAL_SECRET}/${filename} to the build, available at /run/secrets/${ADDITIONAL_SECRET}/${filename}\"\n BUILDAH_ARGS+=(\"--secret=id=${ADDITIONAL_SECRET}/${filename},src=$ADDITIONAL_SECRET_TMP/${filename}\")\n done \u003c \u003c(find $ADDITIONAL_SECRET_TMP -maxdepth 1 -type f -exec basename {} \\;)\nfi\n\n# Prevent ShellCheck from giving a warning because 'image' is defined and 'IMAGE' is not.\ndeclare IMAGE\n\nbuildah_cmd_array=(\n buildah build\n \"${VOLUME_MOUNTS[@]}\"\n \"${BUILDAH_ARGS[@]}\"\n \"${LABELS[@]}\"\n \"${ANNOTATIONS[@]}\"\n --tls-verify=\"$TLSVERIFY\" --no-cache\n --ulimit nofile=4096:4096\n --http-proxy=false\n -f \"$dockerfile_copy\" -t \"$IMAGE\" .\n)\nbuildah_cmd=$(printf \"%q \" \"${buildah_cmd_array[@]}\")\n\nif [ \"${HERMETIC}\" == \"true\" ]; then\n # enabling loopback adapter enables Bazel builds to work in hermetic mode.\n command=\"ip link set lo up \u0026\u0026 $buildah_cmd\"\nelse\n command=\"$buildah_cmd\"\nfi\n\n# disable host subcription manager integration\nfind /usr/share/rhel/secrets -type l -exec unlink {} \\;\n\nset_proxy\n\necho \"[$(date --utc -Ins)] Run buildah build\"\necho \"[$(date --utc -Ins)] ${command}\"\n\nunshare -Uf \"${UNSHARE_ARGS[@]}\" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w \"${SOURCE_CODE_DIR}/$CONTEXT\" --mount -- sh -c \"$command\"\n\nunset_proxy\n\necho \"[$(date --utc -Ins)] Add metadata\"\n\n# Save the SBOM produced in prefetch so it can be merged into the final SBOM later\nif [ -f \"/tmp/cachi2/output/bom.json\" ]; then\n echo \"Making copy of sbom-prefetch.json\"\n cp /tmp/cachi2/output/bom.json ./sbom-prefetch.json\nfi\n\ntouch /shared/base_images_digests\necho \"Recording base image digests used\"\nfor image in $BASE_IMAGES; do\n # Get the image pullspec and filter out a tag if it is not set\n # Use head -n 1 to ensure we only get one result even if multiple images match the filter\n base_image_digest=$(buildah images --format '{{ .Name }}{{ if ne .Tag \"\u003cnone\u003e\" }}:{{ .Tag }}{{ end }}@{{ .Digest }}' --filter reference=\"$image\" | head -n 1)\n # In some cases, there might be BASE_IMAGES, but not any associated digest. This happens\n # if buildah did not use that particular image during build because it was skipped\n if [ -n \"$base_image_digest\" ]; then\n echo \"$image $base_image_digest\" | tee -a /shared/base_images_digests\n fi\ndone\n\nimage_name=$(echo \"${IMAGE##*/}\" | tr ':' '-')\nbuildah push \"$IMAGE\" oci:\"/shared/$image_name.oci:$IMAGE\"\necho \"/shared/$image_name.oci\" \u003e/shared/container_path\n\necho \"[$(date --utc -Ins)] End build\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/entitlement", "name": "etc-pki-entitlement" }, { "mountPath": "/activation-key", "name": "activation-key" }, { "mountPath": "/additional-secret", "name": "additional-secret" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/mnt/proxy-ca-bundle", "name": "proxy-ca-bundle", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "600m", "memory": "4Gi" }, "requests": { "cpu": "600m", "memory": "4Gi" } }, "env": [ { "name": "HOME", "value": "/root" }, { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "TASKRUN_NAME", "value": "gl-test-custom-branch-fpnsvp-on-push-rt6rx-build-container" } ], "image": "quay.io/konflux-ci/buildah-task:latest@sha256:4c470b5a153c4acd14bf4f8731b5e36c61d7faafe09c2bf376bb81ce84aa5709", "name": "push", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\necho \"[$(date --utc -Ins)] Convert image\"\n\n# While we can build images with the desired format, we will simplify any local\n# and remote build differences by just performing any necessary conversions at\n# push time.\npush_format=oci\nif [ \"${BUILDAH_FORMAT}\" == \"docker\" ]; then\n push_format=docker\nfi\n\necho \"[$(date --utc -Ins)] Push image with unique tag\"\n\nbuildah_retries=3\n\n# Push to a unique tag based on the TaskRun name to avoid race conditions\necho \"Pushing to ${IMAGE%:*}:${TASKRUN_NAME}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n \"$IMAGE\" \\\n \"docker://${IMAGE%:*}:${TASKRUN_NAME}\"; then\n echo \"Failed to push image to ${IMAGE%:*}:${TASKRUN_NAME}\"\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] Push image with git revision\"\n\n# Push to a tag based on the git revision\necho \"Pushing to ${IMAGE}\"\nif ! retry buildah push \\\n --format=\"$push_format\" \\\n --retry \"$buildah_retries\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --digestfile \"/var/workdir/image-digest\" \"$IMAGE\" \\\n \"docker://$IMAGE\"; then\n echo \"Failed to push image to $IMAGE\"\n exit 1\nfi\n\ntee \"/tekton/results/IMAGE_DIGEST\" \u003c\"/var/workdir\"/image-digest\necho -n \"$IMAGE\" | tee /tekton/results/IMAGE_URL\n{\n echo -n \"${IMAGE}@\"\n cat \"/var/workdir/image-digest\"\n} \u003e\"/tekton/results/IMAGE_REF\"\necho\n\n# detect if keyless signing is required\nSIGNING_CONFIG='{}'\nKFLX_CONFIG_PATH='/tmp/konflux_config.json'\nif ! RETRY_STOP_IF_STDERR_MATCHES='configmaps \"cluster-config\" not found' retry kubectl get configmap cluster-config -n konflux-info -o json \u003e\"${KFLX_CONFIG_PATH}\"; then\n echo \"Failed to fetch konflux cluster-config, default values will be used\" \u003e\u00262\nelse\n SIGNING_CONFIG=\"$(cat ${KFLX_CONFIG_PATH})\"\nfi\n\n# configmap key -\u003e variable name mapping\ndeclare -A SIGNING_KEY_MAP=(\n [defaultOIDCIssuer]=SIGSTORE_OIDC_ISSUER\n [rekorInternalUrl]=REKOR_URL\n [fulcioInternalUrl]=SIGSTORE_FULCIO_URL\n [tufInternalUrl]=TUF_URL\n)\n\n# fallback keys when internal URL is not available\ndeclare -A SIGNING_FALLBACK_MAP=(\n [rekorInternalUrl]=rekorExternalUrl\n [fulcioInternalUrl]=fulcioExternalUrl\n [tufInternalUrl]=tufExternalUrl\n)\n\nmissing=\"\"\nconfigured=0\nfor key in \"${!SIGNING_KEY_MAP[@]}\"; do\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${key} // empty\")\n if [ -z \"${val}\" ] \u0026\u0026 [ -n \"${SIGNING_FALLBACK_MAP[$key]+x}\" ]; then\n fallback_key=\"${SIGNING_FALLBACK_MAP[$key]}\"\n val=$(echo \"${SIGNING_CONFIG}\" | jq -r \".data.${fallback_key} // empty\")\n if [ -n \"${val}\" ]; then\n echo \"Using fallback ${fallback_key} instead of ${key}\"\n fi\n fi\n if [ -z \"${val}\" ]; then\n missing=\"${missing:+${missing}, }${key}\"\n else\n declare \"${SIGNING_KEY_MAP[$key]}=${val}\"\n configured=$((configured + 1))\n fi\ndone\n\nif [ \"${configured}\" -eq \"${#SIGNING_KEY_MAP[@]}\" ]; then\n echo \"Keyless signing is enabled\"\n\n # Save signing config for upload-sbom step\n for key in \"${!SIGNING_KEY_MAP[@]}\"; do\n envvar=\"${SIGNING_KEY_MAP[$key]}\"\n printf '%s=%q\\n' \"${envvar}\" \"${!envvar}\"\n done \u003e/shared/signing-config.env\n\n echo \"Using Rekor URL: ${REKOR_URL}\"\n echo \"Using Fulcio URL: ${SIGSTORE_FULCIO_URL}\"\n echo \"Using OIDC issuer: ${SIGSTORE_OIDC_ISSUER}\"\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n # Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\n mkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"${IMAGE_REF}\" \u003e/tmp/auth/config.json\n export DOCKER_CONFIG=/tmp/auth\n\n echo \"[$(date --utc -Ins)] Sign image\"\n echo \"Signing image ${IMAGE_REF} using keyless signing\"\n if ! retry cosign sign -y \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign image\" \u003e\u00262\n exit 1\n fi\nelif [ \"${configured}\" -eq 0 ]; then\n echo \"Keyless signing is disabled (none of ${missing} are configured in the konflux-info/cluster-config configmap)\"\nelse\n echo \"ERROR: Incomplete keyless signing configuration in konflux-info/cluster-config configmap. Missing: ${missing}\" \u003e\u00262\n exit 1\nfi\n\necho \"[$(date --utc -Ins)] End push\"\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "1100m", "memory": "4Gi" }, "requests": { "cpu": "1100m", "memory": "4Gi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "sbom-syft-generate", "script": "#!/bin/bash\nset -euo pipefail\necho \"[$(date --utc -Ins)] Generate SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\ncase $SBOM_TYPE in\ncyclonedx)\n syft_sbom_type=cyclonedx-json@1.5\n ;;\nspdx)\n syft_sbom_type=spdx-json@2.3\n ;;\n*)\n echo \"Invalid SBOM type: $SBOM_TYPE. Valid: cyclonedx, spdx\" \u003e\u00262\n exit 1\n ;;\nesac\n\nOCI_DIR=\"$(cat /shared/container_path)\"\n\nsyft_oci_args=(\n oci-dir:\"${OCI_DIR}\"\n --output \"$syft_sbom_type=/var/workdir/sbom-image.json\"\n)\nsyft_source_args=(\n dir:\"/var/workdir/$SOURCE_CODE_DIR/$CONTEXT\"\n --output \"$syft_sbom_type=/var/workdir/sbom-source.json\"\n)\n\nif [ \"${SBOM_SYFT_SELECT_CATALOGERS}\" != \"\" ]; then\n syft_oci_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\n syft_source_args+=(--select-catalogers \"${SBOM_SYFT_SELECT_CATALOGERS}\")\nfi\n\necho \"Running syft on the image\"\nsyft \"${syft_oci_args[@]}\"\nif [[ \"${HERMETIC}\" == \"false\" \u0026\u0026 \"${SBOM_SOURCE_SCAN_ENABLED}\" == \"true\" ]]; then\n echo \"Running syft on the source code\"\n syft \"${syft_source_args[@]}\"\nelse\n echo \"Skipping syft on source code.\"\nfi\n\necho \"[$(date --utc -Ins)] End sbom-syft-generate\"\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/var/lib/containers", "name": "varlibcontainers" }, { "mountPath": "/shared", "name": "shared" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" }, { "args": [ "--additional-base-images" ], "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/mobster:1.2.0-1774868067@sha256:2e00c2f0aeff55713150b51822013327ea0e0d75b8164a52f837fb297c17703d", "name": "prepare-sboms", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Prepare SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\n# Convert Tekton array params into Mobster params\nADDITIONAL_BASE_IMAGES=()\nwhile [[ $# -gt 0 ]]; do\n case $1 in\n --additional-base-images)\n shift\n while [[ $# -gt 0 \u0026\u0026 $1 != --* ]]; do\n ADDITIONAL_BASE_IMAGES+=(\"$1\")\n shift\n done\n ;;\n *)\n echo \"unexpected argument: $1\" \u003e\u00262\n exit 2\n ;;\n esac\ndone\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\n\necho \"[$(date --utc -Ins)] Generate SBOM with mobster\"\n\nmobster_args=(\n generate\n --output sbom.json\n)\n\n# Validation is a flag for `generate`, not `oci-image`, so we need to\n# handle it before the oci-image arguments\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-image\n --from-syft \"/var/workdir/sbom-image.json\"\n --image-pullspec \"$IMAGE_URL\"\n --image-digest \"$IMAGE_DIGEST\"\n --parsed-dockerfile-path \"/shared/parsed_dockerfile.json\"\n --base-image-digest-file \"/shared/base_images_digests\"\n)\n\nif [ -f \"/var/workdir/sbom-source.json\" ]; then\n mobster_args+=(--from-syft \"/var/workdir/sbom-source.json\")\nfi\n\nif [ -f \"/var/workdir/sbom-prefetch.json\" ]; then\n mobster_args+=(--from-hermeto \"/var/workdir/sbom-prefetch.json\")\nfi\n\nif [ -n \"${TARGET_STAGE}\" ]; then\n mobster_args+=(--dockerfile-target \"${TARGET_STAGE}\")\nfi\n\nfor ADDITIONAL_BASE_IMAGE in \"${ADDITIONAL_BASE_IMAGES[@]}\"; do\n mobster_args+=(--additional-base-image \"$ADDITIONAL_BASE_IMAGE\")\ndone\n\nif [ \"${CONTEXTUALIZE_SBOM}\" == \"true\" ] \u0026\u0026 [ \"${HERMETIC}\" == \"false\" ]; then\n mobster_args+=(--contextualize)\nfi\n\nif [ -f \"/shared/prefetch-arch\" ]; then\n mobster_args+=(--arch \"$(cat /shared/prefetch-arch)\")\nfi\n\nmobster \"${mobster_args[@]}\"\n\necho \"[$(date --utc -Ins)] End prepare-sboms\"\n", "securityContext": { "runAsUser": 0 }, "workingDir": "/var/workdir" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -euo pipefail\n\necho \"[$(date --utc -Ins)] Upload SBOM\"\n\nif [ \"${SKIP_SBOM_GENERATION}\" = \"true\" ]; then\n echo \"Skipping SBOM generation\"\n exit 0\nfi\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e/tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom sbom.json --type \"$SBOM_TYPE\" \"$(cat \"/tekton/results/IMAGE_REF\")\"; then\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum sbom.json | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n\nif [ -f \"/shared/signing-config.env\" ]; then\n # shellcheck source=/dev/null\n source /shared/signing-config.env\n\n echo \"Initializing TUF root from ${TUF_URL}\"\n if ! retry cosign initialize --root \"${TUF_URL}/root.json\" --mirror \"${TUF_URL}\"; then\n echo \"Failed to initialize TUF root\" \u003e\u00262\n exit 1\n fi\n\n # env var consumed by cosign\n SIGSTORE_ID_TOKEN=\"$(cat /var/run/sigstore/cosign/oidc-token)\"\n export SIGSTORE_ID_TOKEN\n\n IMAGE_REF=\"$(cat \"/tekton/results/IMAGE_REF\")\"\n\n ATT_SBOM_TYPE=\"${SBOM_TYPE}\"\n if [ \"${ATT_SBOM_TYPE}\" = \"spdx\" ]; then\n # for format cossistency with cyclonedx format, we want to use spdxjson instad of spdx\n # spdx export data as rawstring, we want structured json as cyclonedx\n ATT_SBOM_TYPE=\"spdxjson\"\n fi\n\n echo \"[$(date --utc -Ins)] Sign SBOM\"\n echo \"Signing and attaching SBOM to ${IMAGE_REF} using keyless signing\"\n if ! retry cosign attest -y --type \"${ATT_SBOM_TYPE}\" --predicate sbom.json \\\n --rekor-url=\"${REKOR_URL}\" \\\n --fulcio-url=\"${SIGSTORE_FULCIO_URL}\" \\\n --oidc-issuer=\"${SIGSTORE_OIDC_ISSUER}\" \\\n \"${IMAGE_REF}\"; then\n echo \"Failed to sign SBOM\" \u003e\u00262\n exit 1\n fi\nfi\n\necho\necho \"[$(date --utc -Ins)] End upload-sbom\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true }, { "mountPath": "/var/run/sigstore/cosign", "name": "oidc-token", "readOnly": true } ], "workingDir": "/var/workdir" } ], "volumes": [ { "name": "activation-key", "secret": { "optional": true, "secretName": "activation-key" } }, { "name": "additional-secret", "secret": { "optional": true, "secretName": "does-not-exist" } }, { "name": "etc-pki-entitlement", "secret": { "optional": true, "secretName": "etc-pki-entitlement" } }, { "name": "oidc-token", "projected": { "sources": [ { "serviceAccountToken": { "audience": "sigstore", "expirationSeconds": 600, "path": "oidc-token" } } ] } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "caching-ca-bundle", "optional": true }, "name": "proxy-ca-bundle" }, { "emptyDir": {}, "name": "shared" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "varlibcontainers" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.redhat.com/nudged-components": "gl-multi-component-child-kvnd", "build.appstudio.redhat.com/nudging-commit": "4a961be2f71797a2903c2b8590a43e4344004fdf", "build.appstudio.redhat.com/nudging-component": "gl-multi-component-parent-kvnd", "build.appstudio.redhat.com/nudging-image": "quay.io/redhat-appstudio-qe/build-e2e-geef/gl-multi-component-parent-kvnd:4a961be2f71797a2903c2b8590a43e4344004fdf", "build.appstudio.redhat.com/nudging-pipeline": "gl-multi-component-parent-kvnd-on-push-hslhf", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-geef/results/22715865-01c9-4cf4-ae98-60096aaf2bb3/records/9fd972ac-cc40-4d33-aaf1-775893921ac1", "results.tekton.dev/result": "build-e2e-geef/results/22715865-01c9-4cf4-ae98-60096aaf2bb3", "results.tekton.dev/stored": "true" }, "creationTimestamp": "2026-05-15T08:25:20Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "build.appstudio.redhat.com/type": "nudge", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "renovate-pipeline-1778833520-22c39", "tekton.dev/pipelineRun": "renovate-pipeline-1778833520-22c39", "tekton.dev/pipelineRunUID": "22715865-01c9-4cf4-ae98-60096aaf2bb3", "tekton.dev/pipelineTask": "renovate" }, "name": "renovate-pipeline-1778833520-22c39-renovate", "namespace": "build-e2e-geef", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "renovate-pipeline-1778833520-22c39", "uid": "22715865-01c9-4cf4-ae98-60096aaf2bb3" } ], "resourceVersion": "28818", "uid": "9fd972ac-cc40-4d33-aaf1-775893921ac1" }, "spec": { "serviceAccountName": "build-pipeline-gl-multi-component-parent-kvnd", "taskSpec": { "steps": [ { "command": [ "bash", "-c", "RENOVATE_X_GITLAB_MERGE_REQUEST_DELAY=5000 RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS=11 RENOVATE_PR_HOURLY_LIMIT=0 RENOVATE_PR_CONCURRENT_LIMIT=0 RENOVATE_TOKEN=$TOKEN_390b8f03b1 RENOVATE_CONFIG_FILE=/configs/gl-multi-component-child-kvnd-130a5.json RENOVATE_HOST_RULES=\"[{'matchHost':'quay.io','username':'redhat-appstudio-qe+build_e2e_geef_gl_multi_component_parent_kvnd_26dda3b956','password':'${TOKEN_a740bd3154}'}]\" renovate" ], "computeResources": {}, "env": [ { "name": "LOG_LEVEL", "value": "debug" } ], "envFrom": [ { "prefix": "TOKEN_", "secretRef": { "name": "renovate-pipeline-1778833520-22c39" } } ], "image": "quay.io/konflux-ci/mintmaker-renovate-image:29a2f31", "name": "renovate", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "seccompProfile": { "type": "RuntimeDefault" } }, "volumeMounts": [ { "mountPath": "/configs", "name": "renovate-pipeline-1778833520-22c39" } ] } ], "volumes": [ { "configMap": { "name": "renovate-pipeline-1778833520-22c39" }, "name": "renovate-pipeline-1778833520-22c39" } ] }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-15T08:29:51Z", "conditions": [ { "lastTransitionTime": "2026-05-15T08:29:51Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "renovate-pipeline-1778833520-22c39-renovate-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" } }, "startTime": "2026-05-15T08:25:20Z", "steps": [ { "container": "step-renovate", "imageID": "quay.io/konflux-ci/mintmaker-renovate-image@sha256:67d26b20533790565a2949a3f732d595dda9378fea506f1cba88ca17cef13873", "name": "renovate", "provenance": {}, "terminated": { "containerID": "containerd://373939d99de93cd2eec49f66442231ef1e7c90ef3bf76aaef53813648796e202", "exitCode": 0, "finishedAt": "2026-05-15T08:29:51Z", "reason": "Completed", "startedAt": "2026-05-15T08:29:38Z" }, "terminationReason": "Completed" } ], "taskSpec": { "steps": [ { "command": [ "bash", "-c", "RENOVATE_X_GITLAB_MERGE_REQUEST_DELAY=5000 RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS=11 RENOVATE_PR_HOURLY_LIMIT=0 RENOVATE_PR_CONCURRENT_LIMIT=0 RENOVATE_TOKEN=$TOKEN_390b8f03b1 RENOVATE_CONFIG_FILE=/configs/gl-multi-component-child-kvnd-130a5.json RENOVATE_HOST_RULES=\"[{'matchHost':'quay.io','username':'redhat-appstudio-qe+build_e2e_geef_gl_multi_component_parent_kvnd_26dda3b956','password':'${TOKEN_a740bd3154}'}]\" renovate" ], "computeResources": {}, "env": [ { "name": "LOG_LEVEL", "value": "debug" } ], "envFrom": [ { "prefix": "TOKEN_", "secretRef": { "name": "renovate-pipeline-1778833520-22c39" } } ], "image": "quay.io/konflux-ci/mintmaker-renovate-image:29a2f31", "name": "renovate", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "seccompProfile": { "type": "RuntimeDefault" } }, "volumeMounts": [ { "mountPath": "/configs", "name": "renovate-pipeline-1778833520-22c39" } ] } ], "volumes": [ { "configMap": { "name": "renovate-pipeline-1778833520-22c39" }, "name": "renovate-pipeline-1778833520-22c39" } ] } } } ], "kind": "List", "metadata": { "resourceVersion": "" } }