{ "apiVersion": "v1", "items": [ { "apiVersion": "tekton.dev/v1", "kind": "PipelineRun", "metadata": { "annotations": { "chains.tekton.dev/signed": "true", "chains.tekton.dev/transparency": "https://rekor-server-tssc-tas.apps.rosa.kx-8d9c162f6c.x2e6.p3.openshiftapps.com/api/v1/log/entries?logIndex=34", "pipelinesascode.tekton.dev/branch": "main", "pipelinesascode.tekton.dev/check-run-id": "76480216136", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-eqobev", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "47332704", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-8d9c162f6c.x2e6.p3.openshiftapps.com/k8s/ns/tssc-app-ci/tekton.dev~v1~PipelineRun/e2e-tests-go-jdpuvcnh-gitops-on-pull-request-25cm2", "pipelinesascode.tekton.dev/on-event": "[pull_request]", "pipelinesascode.tekton.dev/on-target-branch": "[main]", "pipelinesascode.tekton.dev/original-prname": "e2e-tests-go-jdpuvcnh-gitops-on-pull-request", "pipelinesascode.tekton.dev/pipeline": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/pipelines/gitops-pull-request-tssc.yaml", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhtap-rhdh-qe/e2e-tests-go-jdpuvcnh-gitops", "pipelinesascode.tekton.dev/repository": "e2e-tests-go-jdpuvcnh-gitops-repository", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "7ec4f058c2dfd9aca4478b01563171e3285068c6", "pipelinesascode.tekton.dev/sha-title": "Promote to stage environment", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhtap-rhdh-qe/e2e-tests-go-jdpuvcnh-gitops/commit/7ec4f058c2dfd9aca4478b01563171e3285068c6", "pipelinesascode.tekton.dev/source-branch": "promote-to-stage-1779090347726", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhtap-rhdh-qe/e2e-tests-go-jdpuvcnh-gitops", "pipelinesascode.tekton.dev/state": "completed", "pipelinesascode.tekton.dev/task-0": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/git-clone.yaml", "pipelinesascode.tekton.dev/task-1": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/gather-deploy-images.yaml", "pipelinesascode.tekton.dev/task-2": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/verify-enterprise-contract.yaml", "pipelinesascode.tekton.dev/task-3": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/gather-deploy-images.yaml", "pipelinesascode.tekton.dev/task-4": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/download-sbom-from-url-in-attestation.yaml", "pipelinesascode.tekton.dev/task-5": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/upload-sbom-to-trustification.yaml", "pipelinesascode.tekton.dev/task-6": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/fetch-gitops-images.yaml", "pipelinesascode.tekton.dev/task-7": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/verify-gitops-conforma.yaml", "pipelinesascode.tekton.dev/task-8": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/download-gitops-sbom.yaml", "pipelinesascode.tekton.dev/task-9": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/upload-gitops-sbom.yaml", "pipelinesascode.tekton.dev/url-org": "rhtap-rhdh-qe", "pipelinesascode.tekton.dev/url-repository": "e2e-tests-go-jdpuvcnh-gitops", "results.tekton.dev/record": "tssc-app-ci/results/26fc3dfe-e6ef-41bf-bf4f-4a91d8b2e22f/records/26fc3dfe-e6ef-41bf-bf4f-4a91d8b2e22f", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"e2e-tests-go-jdpuvcnh-gitops\",\"commit\":\"7ec4f058c2dfd9aca4478b01563171e3285068c6\",\"eventType\":\"pull_request\",\"pull_request-id\":1}", "results.tekton.dev/result": "tssc-app-ci/results/26fc3dfe-e6ef-41bf-bf4f-4a91d8b2e22f", "results.tekton.dev/stored": "true" }, "creationTimestamp": "2026-05-18T07:45:58Z", "finalizers": [ "chains.tekton.dev/pipelinerun", "results.tekton.dev/pipelinerun", "pipelinesascode.tekton.dev/finalizer" ], "generateName": "e2e-tests-go-jdpuvcnh-gitops-on-pull-request-", "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/part-of": "e2e-tests-go-jdpuvcnh", "app.kubernetes.io/version": "v0.39.5", "argocd/app-name": "e2e-tests-go-jdpuvcnh", "backstage.io/kubernetes-id": "e2e-tests-go-jdpuvcnh", "backstage.io/kubernetes-namespace": "tssc-app", "janus-idp.io/tekton": "e2e-tests-go-jdpuvcnh", "pipelinesascode.tekton.dev/check-run-id": "76480216136", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "e2e-tests-go-jdpuvcnh-gitops-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "1", "pipelinesascode.tekton.dev/repository": "e2e-tests-go-jdpuvcnh-gitops-repository", "pipelinesascode.tekton.dev/sha": "7ec4f058c2dfd9aca4478b01563171e3285068c6", "pipelinesascode.tekton.dev/state": "completed", "pipelinesascode.tekton.dev/url-org": "rhtap-rhdh-qe", "pipelinesascode.tekton.dev/url-repository": "e2e-tests-go-jdpuvcnh-gitops", "tekton.dev/pipeline": "e2e-tests-go-jdpuvcnh-gitops-on-pull-request-25cm2" }, "name": "e2e-tests-go-jdpuvcnh-gitops-on-pull-request-25cm2", "namespace": "tssc-app-ci", "resourceVersion": "45682", "uid": "26fc3dfe-e6ef-41bf-bf4f-4a91d8b2e22f" }, "spec": { "params": [ { "name": "git-url", "value": "https://github.com/rhtap-rhdh-qe/e2e-tests-go-jdpuvcnh-gitops" }, { "name": "revision", "value": "7ec4f058c2dfd9aca4478b01563171e3285068c6" }, { "name": "target-branch", "value": "main" }, { "name": "fail-if-trustification-not-configured", "value": "false" } ], "pipelineSpec": { "params": [ { "description": "Gitops repo url", "name": "git-url", "type": "string" }, { "default": "", "description": "Gitops repo revision", "name": "revision", "type": "string" }, { "default": "main", "description": "The target branch for the pull request", "name": "target-branch", "type": "string" }, { "default": "github.com/redhat-appstudio/tssc-dev-multi-ci//samples/conforma/policies/tekton-slsa3-v0.7", "description": "Enterprise Contract policy to validate against", "name": "ec-policy-configuration", "type": "string" }, { "default": "true", "description": "Should EC violations cause the pipeline to fail?", "name": "ec-strict", "type": "string" }, { "default": "k8s://$(context.pipelineRun.namespace)/cosign-pub", "description": "The public key that EC should use to verify signatures", "name": "ec-public-key", "type": "string" }, { "default": "tpa-secret", "description": "The name of the Secret that contains Trustification (TPA) configuration", "name": "trustification-secret-name", "type": "string" }, { "default": "true", "description": "Should the pipeline fail when there are SBOMs to upload but Trustification is not properly configured (i.e. the secret is missing or doesn't have all the required keys)?", "name": "fail-if-trustification-not-configured", "type": "string" } ], "tasks": [ { "name": "clone-repository", "params": [ { "name": "url", "value": "$(params.git-url)" }, { "name": "revision", "value": "$(params.revision)" }, { "name": "fetchTags", "value": "true" }, { "name": "depth", "value": "0" } ], "taskSpec": { "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.", "metadata": { "annotations": { "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git" }, "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "source", "description": "Subdirectory inside the `output` Workspace to clone the repo into.", "name": "subdirectory", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Clean out the contents of the destination directory if it already exists before cloning.", "name": "deleteExisting", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" }, { "default": "", "description": "Deprecated. Has no effect. Will be removed in the future.", "name": "gitInitImage", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" } ], "spec": null, "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "$(params.userHome)" }, { "name": "PARAM_URL", "value": "$(params.url)" }, { "name": "PARAM_REVISION", "value": "$(params.revision)" }, { "name": "PARAM_REFSPEC", "value": "$(params.refspec)" }, { "name": "PARAM_SUBMODULES", "value": "$(params.submodules)" }, { "name": "PARAM_SUBMODULE_PATHS", "value": "$(params.submodulePaths)" }, { "name": "PARAM_DEPTH", "value": "$(params.depth)" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "$(params.shortCommitLength)" }, { "name": "PARAM_SSL_VERIFY", "value": "$(params.sslVerify)" }, { "name": "PARAM_SUBDIRECTORY", "value": "$(params.subdirectory)" }, { "name": "PARAM_DELETE_EXISTING", "value": "$(params.deleteExisting)" }, { "name": "PARAM_HTTP_PROXY", "value": "$(params.httpProxy)" }, { "name": "PARAM_HTTPS_PROXY", "value": "$(params.httpsProxy)" }, { "name": "PARAM_NO_PROXY", "value": "$(params.noProxy)" }, { "name": "PARAM_VERBOSE", "value": "$(params.verbose)" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES", "value": "$(params.sparseCheckoutDirectories)" }, { "name": "PARAM_USER_HOME", "value": "$(params.userHome)" }, { "name": "PARAM_FETCH_TAGS", "value": "$(params.fetchTags)" }, { "name": "PARAM_GIT_INIT_IMAGE", "value": "$(params.gitInitImage)" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "$(params.mergeTargetBranch)" }, { "name": "PARAM_TARGET_BRANCH", "value": "$(params.targetBranch)" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL", "value": "$(params.mergeSourceRepoUrl)" }, { "name": "PARAM_MERGE_SOURCE_DEPTH", "value": "$(params.mergeSourceDepth)" }, { "name": "WORKSPACE_OUTPUT_PATH", "value": "$(workspaces.output.path)" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "$(workspaces.ssh-directory.bound)" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH", "value": "$(workspaces.ssh-directory.path)" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "$(workspaces.basic-auth.bound)" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "$(workspaces.basic-auth.path)" } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n # Delete any existing contents of the repo directory if it exists.\n #\n # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n # or the root of a mounted volume.\n if [ -d \"${CHECKOUT_DIR}\" ] ; then\n # Delete non-hidden files and directories\n rm -rf \"${CHECKOUT_DIR:?}\"/*\n # Delete files and directories starting with . but excluding ..\n rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n # Delete files and directories starting with .. plus any other character\n rm -rf \"${CHECKOUT_DIR}\"/..?*\n fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\nEXIT_CODE=\"$?\"\nif [ \"${EXIT_CODE}\" != 0 ] ; then\n exit \"${EXIT_CODE}\"\nfi\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n FETCH_EXIT_CODE=\"$?\"\n if [ \"${FETCH_EXIT_CODE}\" != \"0\" ]; then\n echo \"ERROR: Failed to fetch target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}.\" \u003e\u00262\n exit \"${FETCH_EXIT_CODE}\"\n fi\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n git merge \"${MERGE_REMOTE}/${PARAM_TARGET_BRANCH}\" --no-commit --no-ff --allow-unrelated-histories\n MERGE_CHECK_EXIT_CODE=\"$?\"\n if [ \"${MERGE_CHECK_EXIT_CODE}\" != \"0\" ] ; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit \"${MERGE_CHECK_EXIT_CODE}\"\n else\n # Check if there are changes that need to be merged, and if so, create a merge commit.\n if git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\n else\n echo \"Merge successful (no conflicts found), committing...\"\n git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"\n COMMIT_EXIT_CODE=\"$?\"\n if [ \"${COMMIT_EXIT_CODE}\" != \"0\" ]; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit \"${COMMIT_EXIT_CODE}\"\n fi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e \"$(results.merged_sha.path)\"\n fi\n fi\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"$(results.commit.path)\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"$(results.CHAINS-GIT_COMMIT.path)\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"$(results.short-commit.path)\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"$(results.url.path)\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"$(results.CHAINS-GIT_URL.path)\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"$(results.commit-timestamp.path)\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "$(params.enableSymlinkCheck)" }, { "name": "PARAM_SUBDIRECTORY", "value": "$(params.subdirectory)" }, { "name": "WORKSPACE_OUTPUT_PATH", "value": "$(workspaces.output.path)" } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink\n do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n" } ], "volumes": [ { "configMap": { "items": [ { "key": "$(params.caTrustConfigMapKey)", "path": "ca-bundle.crt" } ], "name": "$(params.caTrustConfigMapName)", "optional": true }, "name": "trusted-ca" } ], "workspaces": [ { "description": "The git repo will be cloned onto the volume backing this Workspace.", "name": "output" }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true }, { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true } ] }, "workspaces": [ { "name": "output", "workspace": "workspace" }, { "name": "basic-auth", "workspace": "git-auth" } ] }, { "name": "get-images", "params": [ { "name": "PUBLIC_KEY_URL", "value": "$(params.ec-public-key)" }, { "name": "TARGET_BRANCH", "value": "$(params.target-branch)" } ], "runAfter": [ "clone-repository" ], "taskSpec": { "description": "Extract images from deployment YAML to pass to Conforma for validation", "metadata": { "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "default": "", "description": "Public key used to verify signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute.", "name": "PUBLIC_KEY_URL", "type": "string" }, { "default": "", "description": "If specified, will gather only the images that changed between the current revision and the target branch. Useful for pull requests. Note that the repository cloned on the source workspace must already contain the origin/$TARGET_BRANCH reference.\n", "name": "TARGET_BRANCH", "type": "string" }, { "default": [ "development", "stage", "prod" ], "description": "Gather images from the manifest files for the specified environments", "name": "ENVIRONMENTS", "type": "array" } ], "results": [ { "description": "Cosign base64 encoded public key fetched from secrets.", "name": "COSIGN_PUBLIC_KEY", "type": "string" }, { "description": "The images with SBOMs to upload to Trustification \n", "name": "SBOM_IMAGES", "type": "string" }, { "description": "The images to be verified, in a format compatible with https://github.com/konflux-ci/build-definitions/tree/main/task/verify-enterprise-contract/0.1. When there are no images to verify, this is an empty string.\n", "name": "CONFORMA_IMAGES", "type": "string" } ], "spec": null, "stepTemplate": { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "TARGET_BRANCH", "value": "$(params.TARGET_BRANCH)" }, { "name": "PUBLIC_KEY_URL", "value": "$(params.PUBLIC_KEY_URL)" } ], "workingDir": "$(workspaces.source.path)/source" }, "steps": [ { "computeResources": {}, "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "init", "script": "pwd\nls -la\n# Sync scripts to the writable workspace\ncp -rf /work/tssc/ $(workspaces.source.path)/\n# Append the dummy function to common.sh\nprintf '\\nfunction registry-login() {\\n echo \"--- Registry Auth Bypass Active ---\"\\n return 0\\n}\\n' \u003e\u003e $(workspaces.source.path)/tssc/common.sh\necho \"Successfully patched $(workspaces.source.path)/tssc/common.sh\"\n\necho \"Parsing public key url\"\nCLEAN_URL=\"${PUBLIC_KEY_URL#k8s://}\"\nNS=\"${CLEAN_URL%/*}\"\nSECRET=\"${CLEAN_URL##*/}\"\nCOSIGN_PUBLIC_KEY=$(oc get secrets $SECRET -n $NS -o json | jq -r '.data.\"cosign.pub\"')\necho $COSIGN_PUBLIC_KEY \u003e $(results.COSIGN_PUBLIC_KEY.path)\n" }, { "computeResources": {}, "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "get-images", "script": "echo \"running gather-images-to-upload-sbom\"\n$(workspaces.source.path)/tssc/gather-images-to-upload-sbom.sh\nmv ./results/gather-deploy-images ./results/sbom-images \ncat ./results/sbom-images/IMAGES_TO_VERIFY \u003e $(results.SBOM_IMAGES.path)\n\necho \"running gather-deploy-images\"\n$(workspaces.source.path)/tssc/gather-deploy-images.sh\ncat ./results/gather-deploy-images/IMAGES_TO_VERIFY \u003e $(results.CONFORMA_IMAGES.path)\n" } ], "workspaces": [ { "description": "Should contain a cloned gitops repo at the ./source subpath", "name": "source" } ] }, "workspaces": [ { "name": "source", "workspace": "workspace" } ] }, { "name": "verify-conforma", "params": [ { "name": "STRICT", "value": "$(params.ec-strict)" }, { "name": "POLICY_CONFIGURATION", "value": "$(params.ec-policy-configuration)" }, { "name": "COSIGN_PUBLIC_KEY", "value": "$(tasks.get-images.results.COSIGN_PUBLIC_KEY)" } ], "runAfter": [ "get-images" ], "taskSpec": { "description": "Verify the enterprise contract is met", "metadata": { "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "default": "", "description": "Public key used to verify signatures. Must be a base64 encoded key.", "name": "COSIGN_PUBLIC_KEY", "type": "string" }, { "default": "enterprise-contract-service/default", "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n", "name": "POLICY_CONFIGURATION", "type": "string" }, { "default": "true", "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.", "name": "STRICT", "type": "string" } ], "results": [ { "description": "Short summary of the policy evaluation for each image.", "name": "TEST_OUTPUT", "type": "string" } ], "spec": null, "stepTemplate": { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "STRICT", "value": "$(params.STRICT)" }, { "name": "POLICY_CONFIGURATION", "value": "$(params.POLICY_CONFIGURATION)" }, { "name": "REKOR_HOST", "valueFrom": { "secretKeyRef": { "key": "rekor_url", "name": "tas-secret" } } }, { "name": "TUF_MIRROR", "valueFrom": { "secretKeyRef": { "key": "tuf_url", "name": "tas-secret" } } }, { "name": "COSIGN_PUBLIC_KEY", "value": "$(params.COSIGN_PUBLIC_KEY)" } ], "workingDir": "$(workspaces.source.path)/source" }, "steps": [ { "computeResources": {}, "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "verify", "script": "echo \"running verify-conforma\"\n$(workspaces.source.path)/tssc/verify-conforma.sh\ncat ./results/verify-conforma/TEST_OUTPUT \u003e $(results.TEST_OUTPUT.path)\n" } ], "workspaces": [ { "description": "Should contain a cloned gitops repo at the ./source subpath", "name": "source" } ] }, "when": [ { "input": "$(tasks.get-images.results.CONFORMA_IMAGES)", "operator": "notin", "values": [ "" ] } ], "workspaces": [ { "name": "source", "workspace": "workspace" } ] }, { "name": "download-sboms", "params": [ { "name": "COSIGN_PUBLIC_KEY", "value": "$(tasks.get-images.results.COSIGN_PUBLIC_KEY)" }, { "name": "SBOM_IMAGES", "value": "$(tasks.get-images.results.SBOM_IMAGES)" } ], "runAfter": [ "get-images" ], "taskSpec": { "description": "Download SBOM from images", "metadata": { "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "default": "", "description": "Public key used to verify signatures. Must be a base64 encoded key.", "name": "COSIGN_PUBLIC_KEY", "type": "string" }, { "default": "", "description": "Images to be considered for SBOM download.", "name": "SBOM_IMAGES", "type": "string" } ], "spec": null, "stepTemplate": { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "COSIGN_PUBLIC_KEY", "value": "$(params.COSIGN_PUBLIC_KEY)" }, { "name": "IMAGES", "value": "$(params.SBOM_IMAGES)" }, { "name": "REKOR_HOST", "valueFrom": { "secretKeyRef": { "key": "rekor_url", "name": "tas-secret" } } }, { "name": "TUF_MIRROR", "valueFrom": { "secretKeyRef": { "key": "tuf_url", "name": "tas-secret" } } } ], "workingDir": "$(workspaces.source.path)/source" }, "steps": [ { "computeResources": {}, "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "download", "script": "echo \"running download-sbom-from-url-in-attestation\"\n$(workspaces.source.path)/tssc/download-sbom-from-url-in-attestation.sh\n" } ], "workspaces": [ { "description": "Should contain a cloned gitops repo at the ./source subpath", "name": "source" } ] }, "when": [ { "input": "$(tasks.get-images.results.SBOM_IMAGES)", "operator": "notin", "values": [ "" ] } ], "workspaces": [ { "name": "source", "workspace": "workspace" } ] }, { "name": "upload-sboms", "params": [ { "name": "TPA_SECRET", "value": "$(params.trustification-secret-name)" } ], "runAfter": [ "download-sboms" ], "taskSpec": { "description": "Upload SBOMs to Trustification", "metadata": { "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "description": "TPA Secret to obtain Trustification vars from.", "name": "TPA_SECRET", "type": "string" } ], "spec": null, "stepTemplate": { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "TRUSTIFICATION_BOMBASTIC_API_URL", "valueFrom": { "secretKeyRef": { "key": "bombastic_api_url", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_CLIENT_ID", "valueFrom": { "secretKeyRef": { "key": "oidc_client_id", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_CLIENT_SECRET", "valueFrom": { "secretKeyRef": { "key": "oidc_client_secret", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_ISSUER_URL", "valueFrom": { "secretKeyRef": { "key": "oidc_issuer_url", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION", "valueFrom": { "secretKeyRef": { "key": "supported_cyclonedx_version", "name": "$(params.TPA_SECRET)" } } } ], "workingDir": "$(workspaces.source.path)/source" }, "steps": [ { "computeResources": {}, "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "upload", "script": "echo \"running upload-sbom-to-trustification\"\n$(workspaces.source.path)/tssc/upload-sbom-to-trustification.sh\n" } ], "workspaces": [ { "description": "Should contain a cloned gitops repo at the ./source subpath", "name": "source" } ] }, "when": [ { "input": "$(tasks.get-images.results.SBOM_IMAGES)", "operator": "notin", "values": [ "" ] } ], "workspaces": [ { "name": "source", "workspace": "workspace" } ] } ], "workspaces": [ { "name": "workspace" }, { "name": "git-auth", "optional": true } ] }, "taskRunTemplate": { "serviceAccountName": "pipeline" }, "timeouts": { "pipeline": "1h0m0s" }, "workspaces": [ { "name": "git-auth", "secret": { "secretName": "pac-gitauth-eqobev" } }, { "name": "workspace", "volumeClaimTemplate": { "metadata": { "creationTimestamp": null }, "spec": { "accessModes": [ "ReadWriteOnce" ], "resources": { "requests": { "storage": "1Gi" } } }, "status": {} } } ] }, "status": { "childReferences": [ { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "name": "e2e-tests-go-j62addba71e4a0d2613ed2d9d8803b123-clone-repository", "pipelineTaskName": "clone-repository" }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "name": "e2e-tests-go-jdpuvcnh-gitops-on-pull-request-25cm2-get-images", "pipelineTaskName": "get-images" }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "name": "e2e-tests-go-jd62addba71e4a0d2613ed2d9d8803b123-verify-conforma", "pipelineTaskName": "verify-conforma", "whenExpressions": [ { "input": "{\"components\":[{\"containerImage\":\"quay.io/rhtap_qe/e2e-tests-go-jdpuvcnh:022c6df5bbbd643a93bcf795f272c7f14b128ccc\"}]}\n", "operator": "notin", "values": [ "" ] } ] }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "name": "e2e-tests-go-jdp62addba71e4a0d2613ed2d9d8803b123-download-sboms", "pipelineTaskName": "download-sboms", "whenExpressions": [ { "input": "{\"components\":[{\"containerImage\":\"quay.io/rhtap_qe/e2e-tests-go-jdpuvcnh:022c6df5bbbd643a93bcf795f272c7f14b128ccc\"}]}\n", "operator": "notin", "values": [ "" ] } ] }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "name": "e2e-tests-go-jdpuvcnh-gitops-on-pull-request-25cm2-upload-sboms", "pipelineTaskName": "upload-sboms", "whenExpressions": [ { "input": "{\"components\":[{\"containerImage\":\"quay.io/rhtap_qe/e2e-tests-go-jdpuvcnh:022c6df5bbbd643a93bcf795f272c7f14b128ccc\"}]}\n", "operator": "notin", "values": [ "" ] } ] } ], "completionTime": "2026-05-18T07:46:44Z", "conditions": [ { "lastTransitionTime": "2026-05-18T07:46:44Z", "message": "Tasks Completed: 5 (Failed: 0, Cancelled 0), Skipped: 0", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "pipelineSpec": { "params": [ { "description": "Gitops repo url", "name": "git-url", "type": "string" }, { "default": "", "description": "Gitops repo revision", "name": "revision", "type": "string" }, { "default": "main", "description": "The target branch for the pull request", "name": "target-branch", "type": "string" }, { "default": "github.com/redhat-appstudio/tssc-dev-multi-ci//samples/conforma/policies/tekton-slsa3-v0.7", "description": "Enterprise Contract policy to validate against", "name": "ec-policy-configuration", "type": "string" }, { "default": "true", "description": "Should EC violations cause the pipeline to fail?", "name": "ec-strict", "type": "string" }, { "default": "k8s://$(context.pipelineRun.namespace)/cosign-pub", "description": "The public key that EC should use to verify signatures", "name": "ec-public-key", "type": "string" }, { "default": "tpa-secret", "description": "The name of the Secret that contains Trustification (TPA) configuration", "name": "trustification-secret-name", "type": "string" }, { "default": "true", "description": "Should the pipeline fail when there are SBOMs to upload but Trustification is not properly configured (i.e. the secret is missing or doesn't have all the required keys)?", "name": "fail-if-trustification-not-configured", "type": "string" } ], "tasks": [ { "name": "clone-repository", "params": [ { "name": "url", "value": "https://github.com/rhtap-rhdh-qe/e2e-tests-go-jdpuvcnh-gitops" }, { "name": "revision", "value": "7ec4f058c2dfd9aca4478b01563171e3285068c6" }, { "name": "fetchTags", "value": "true" }, { "name": "depth", "value": "0" } ], "taskSpec": { "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.", "metadata": { "annotations": { "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git" }, "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "source", "description": "Subdirectory inside the `output` Workspace to clone the repo into.", "name": "subdirectory", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Clean out the contents of the destination directory if it already exists before cloning.", "name": "deleteExisting", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" }, { "default": "", "description": "Deprecated. Has no effect. Will be removed in the future.", "name": "gitInitImage", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" } ], "spec": null, "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "$(params.userHome)" }, { "name": "PARAM_URL", "value": "$(params.url)" }, { "name": "PARAM_REVISION", "value": "7ec4f058c2dfd9aca4478b01563171e3285068c6" }, { "name": "PARAM_REFSPEC", "value": "$(params.refspec)" }, { "name": "PARAM_SUBMODULES", "value": "$(params.submodules)" }, { "name": "PARAM_SUBMODULE_PATHS", "value": "$(params.submodulePaths)" }, { "name": "PARAM_DEPTH", "value": "$(params.depth)" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "$(params.shortCommitLength)" }, { "name": "PARAM_SSL_VERIFY", "value": "$(params.sslVerify)" }, { "name": "PARAM_SUBDIRECTORY", "value": "$(params.subdirectory)" }, { "name": "PARAM_DELETE_EXISTING", "value": "$(params.deleteExisting)" }, { "name": "PARAM_HTTP_PROXY", "value": "$(params.httpProxy)" }, { "name": "PARAM_HTTPS_PROXY", "value": "$(params.httpsProxy)" }, { "name": "PARAM_NO_PROXY", "value": "$(params.noProxy)" }, { "name": "PARAM_VERBOSE", "value": "$(params.verbose)" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES", "value": "$(params.sparseCheckoutDirectories)" }, { "name": "PARAM_USER_HOME", "value": "$(params.userHome)" }, { "name": "PARAM_FETCH_TAGS", "value": "$(params.fetchTags)" }, { "name": "PARAM_GIT_INIT_IMAGE", "value": "$(params.gitInitImage)" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "$(params.mergeTargetBranch)" }, { "name": "PARAM_TARGET_BRANCH", "value": "$(params.targetBranch)" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL", "value": "$(params.mergeSourceRepoUrl)" }, { "name": "PARAM_MERGE_SOURCE_DEPTH", "value": "$(params.mergeSourceDepth)" }, { "name": "WORKSPACE_OUTPUT_PATH", "value": "$(workspaces.output.path)" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "$(workspaces.ssh-directory.bound)" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH", "value": "$(workspaces.ssh-directory.path)" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "$(workspaces.basic-auth.bound)" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "$(workspaces.basic-auth.path)" } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n # Delete any existing contents of the repo directory if it exists.\n #\n # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n # or the root of a mounted volume.\n if [ -d \"${CHECKOUT_DIR}\" ] ; then\n # Delete non-hidden files and directories\n rm -rf \"${CHECKOUT_DIR:?}\"/*\n # Delete files and directories starting with . but excluding ..\n rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n # Delete files and directories starting with .. plus any other character\n rm -rf \"${CHECKOUT_DIR}\"/..?*\n fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\nEXIT_CODE=\"$?\"\nif [ \"${EXIT_CODE}\" != 0 ] ; then\n exit \"${EXIT_CODE}\"\nfi\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n FETCH_EXIT_CODE=\"$?\"\n if [ \"${FETCH_EXIT_CODE}\" != \"0\" ]; then\n echo \"ERROR: Failed to fetch target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}.\" \u003e\u00262\n exit \"${FETCH_EXIT_CODE}\"\n fi\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n git merge \"${MERGE_REMOTE}/${PARAM_TARGET_BRANCH}\" --no-commit --no-ff --allow-unrelated-histories\n MERGE_CHECK_EXIT_CODE=\"$?\"\n if [ \"${MERGE_CHECK_EXIT_CODE}\" != \"0\" ] ; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit \"${MERGE_CHECK_EXIT_CODE}\"\n else\n # Check if there are changes that need to be merged, and if so, create a merge commit.\n if git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\n else\n echo \"Merge successful (no conflicts found), committing...\"\n git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"\n COMMIT_EXIT_CODE=\"$?\"\n if [ \"${COMMIT_EXIT_CODE}\" != \"0\" ]; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit \"${COMMIT_EXIT_CODE}\"\n fi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e \"$(results.merged_sha.path)\"\n fi\n fi\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"$(results.commit.path)\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"$(results.CHAINS-GIT_COMMIT.path)\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"$(results.short-commit.path)\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"$(results.url.path)\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"$(results.CHAINS-GIT_URL.path)\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"$(results.commit-timestamp.path)\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "$(params.enableSymlinkCheck)" }, { "name": "PARAM_SUBDIRECTORY", "value": "$(params.subdirectory)" }, { "name": "WORKSPACE_OUTPUT_PATH", "value": "$(workspaces.output.path)" } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink\n do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n" } ], "volumes": [ { "configMap": { "items": [ { "key": "$(params.caTrustConfigMapKey)", "path": "ca-bundle.crt" } ], "name": "$(params.caTrustConfigMapName)", "optional": true }, "name": "trusted-ca" } ], "workspaces": [ { "description": "The git repo will be cloned onto the volume backing this Workspace.", "name": "output" }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true }, { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true } ] }, "workspaces": [ { "name": "output", "workspace": "workspace" }, { "name": "basic-auth", "workspace": "git-auth" } ] }, { "name": "get-images", "params": [ { "name": "PUBLIC_KEY_URL", "value": "k8s://tssc-app-ci/cosign-pub" }, { "name": "TARGET_BRANCH", "value": "main" } ], "runAfter": [ "clone-repository" ], "taskSpec": { "description": "Extract images from deployment YAML to pass to Conforma for validation", "metadata": { "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "default": "", "description": "Public key used to verify signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute.", "name": "PUBLIC_KEY_URL", "type": "string" }, { "default": "", "description": "If specified, will gather only the images that changed between the current revision and the target branch. Useful for pull requests. Note that the repository cloned on the source workspace must already contain the origin/$TARGET_BRANCH reference.\n", "name": "TARGET_BRANCH", "type": "string" }, { "default": [ "development", "stage", "prod" ], "description": "Gather images from the manifest files for the specified environments", "name": "ENVIRONMENTS", "type": "array" } ], "results": [ { "description": "Cosign base64 encoded public key fetched from secrets.", "name": "COSIGN_PUBLIC_KEY", "type": "string" }, { "description": "The images with SBOMs to upload to Trustification \n", "name": "SBOM_IMAGES", "type": "string" }, { "description": "The images to be verified, in a format compatible with https://github.com/konflux-ci/build-definitions/tree/main/task/verify-enterprise-contract/0.1. When there are no images to verify, this is an empty string.\n", "name": "CONFORMA_IMAGES", "type": "string" } ], "spec": null, "stepTemplate": { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "TARGET_BRANCH", "value": "$(params.TARGET_BRANCH)" }, { "name": "PUBLIC_KEY_URL", "value": "$(params.PUBLIC_KEY_URL)" } ], "workingDir": "$(workspaces.source.path)/source" }, "steps": [ { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "TARGET_BRANCH", "value": "$(params.TARGET_BRANCH)" }, { "name": "PUBLIC_KEY_URL", "value": "$(params.PUBLIC_KEY_URL)" } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "init", "script": "pwd\nls -la\n# Sync scripts to the writable workspace\ncp -rf /work/tssc/ $(workspaces.source.path)/\n# Append the dummy function to common.sh\nprintf '\\nfunction registry-login() {\\n echo \"--- Registry Auth Bypass Active ---\"\\n return 0\\n}\\n' \u003e\u003e $(workspaces.source.path)/tssc/common.sh\necho \"Successfully patched $(workspaces.source.path)/tssc/common.sh\"\n\necho \"Parsing public key url\"\nCLEAN_URL=\"${PUBLIC_KEY_URL#k8s://}\"\nNS=\"${CLEAN_URL%/*}\"\nSECRET=\"${CLEAN_URL##*/}\"\nCOSIGN_PUBLIC_KEY=$(oc get secrets $SECRET -n $NS -o json | jq -r '.data.\"cosign.pub\"')\necho $COSIGN_PUBLIC_KEY \u003e $(results.COSIGN_PUBLIC_KEY.path)\n", "workingDir": "$(workspaces.source.path)/source" }, { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "TARGET_BRANCH", "value": "$(params.TARGET_BRANCH)" }, { "name": "PUBLIC_KEY_URL", "value": "$(params.PUBLIC_KEY_URL)" } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "get-images", "script": "echo \"running gather-images-to-upload-sbom\"\n$(workspaces.source.path)/tssc/gather-images-to-upload-sbom.sh\nmv ./results/gather-deploy-images ./results/sbom-images \ncat ./results/sbom-images/IMAGES_TO_VERIFY \u003e $(results.SBOM_IMAGES.path)\n\necho \"running gather-deploy-images\"\n$(workspaces.source.path)/tssc/gather-deploy-images.sh\ncat ./results/gather-deploy-images/IMAGES_TO_VERIFY \u003e $(results.CONFORMA_IMAGES.path)\n", "workingDir": "$(workspaces.source.path)/source" } ], "workspaces": [ { "description": "Should contain a cloned gitops repo at the ./source subpath", "name": "source" } ] }, "workspaces": [ { "name": "source", "workspace": "workspace" } ] }, { "name": "verify-conforma", "params": [ { "name": "STRICT", "value": "true" }, { "name": "POLICY_CONFIGURATION", "value": "github.com/redhat-appstudio/tssc-dev-multi-ci//samples/conforma/policies/tekton-slsa3-v0.7" }, { "name": "COSIGN_PUBLIC_KEY", "value": "$(tasks.get-images.results.COSIGN_PUBLIC_KEY)" } ], "runAfter": [ "get-images" ], "taskSpec": { "description": "Verify the enterprise contract is met", "metadata": { "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "default": "", "description": "Public key used to verify signatures. Must be a base64 encoded key.", "name": "COSIGN_PUBLIC_KEY", "type": "string" }, { "default": "enterprise-contract-service/default", "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n", "name": "POLICY_CONFIGURATION", "type": "string" }, { "default": "true", "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.", "name": "STRICT", "type": "string" } ], "results": [ { "description": "Short summary of the policy evaluation for each image.", "name": "TEST_OUTPUT", "type": "string" } ], "spec": null, "stepTemplate": { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "STRICT", "value": "$(params.STRICT)" }, { "name": "POLICY_CONFIGURATION", "value": "$(params.POLICY_CONFIGURATION)" }, { "name": "REKOR_HOST", "valueFrom": { "secretKeyRef": { "key": "rekor_url", "name": "tas-secret" } } }, { "name": "TUF_MIRROR", "valueFrom": { "secretKeyRef": { "key": "tuf_url", "name": "tas-secret" } } }, { "name": "COSIGN_PUBLIC_KEY", "value": "$(params.COSIGN_PUBLIC_KEY)" } ], "workingDir": "$(workspaces.source.path)/source" }, "steps": [ { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "STRICT", "value": "$(params.STRICT)" }, { "name": "POLICY_CONFIGURATION", "value": "$(params.POLICY_CONFIGURATION)" }, { "name": "REKOR_HOST", "valueFrom": { "secretKeyRef": { "key": "rekor_url", "name": "tas-secret" } } }, { "name": "TUF_MIRROR", "valueFrom": { "secretKeyRef": { "key": "tuf_url", "name": "tas-secret" } } }, { "name": "COSIGN_PUBLIC_KEY", "value": "$(params.COSIGN_PUBLIC_KEY)" } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "verify", "script": "echo \"running verify-conforma\"\n$(workspaces.source.path)/tssc/verify-conforma.sh\ncat ./results/verify-conforma/TEST_OUTPUT \u003e $(results.TEST_OUTPUT.path)\n", "workingDir": "$(workspaces.source.path)/source" } ], "workspaces": [ { "description": "Should contain a cloned gitops repo at the ./source subpath", "name": "source" } ] }, "when": [ { "input": "$(tasks.get-images.results.CONFORMA_IMAGES)", "operator": "notin", "values": [ "" ] } ], "workspaces": [ { "name": "source", "workspace": "workspace" } ] }, { "name": "download-sboms", "params": [ { "name": "COSIGN_PUBLIC_KEY", "value": "$(tasks.get-images.results.COSIGN_PUBLIC_KEY)" }, { "name": "SBOM_IMAGES", "value": "$(tasks.get-images.results.SBOM_IMAGES)" } ], "runAfter": [ "get-images" ], "taskSpec": { "description": "Download SBOM from images", "metadata": { "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "default": "", "description": "Public key used to verify signatures. Must be a base64 encoded key.", "name": "COSIGN_PUBLIC_KEY", "type": "string" }, { "default": "", "description": "Images to be considered for SBOM download.", "name": "SBOM_IMAGES", "type": "string" } ], "spec": null, "stepTemplate": { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "COSIGN_PUBLIC_KEY", "value": "$(params.COSIGN_PUBLIC_KEY)" }, { "name": "IMAGES", "value": "$(params.SBOM_IMAGES)" }, { "name": "REKOR_HOST", "valueFrom": { "secretKeyRef": { "key": "rekor_url", "name": "tas-secret" } } }, { "name": "TUF_MIRROR", "valueFrom": { "secretKeyRef": { "key": "tuf_url", "name": "tas-secret" } } } ], "workingDir": "$(workspaces.source.path)/source" }, "steps": [ { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "COSIGN_PUBLIC_KEY", "value": "$(params.COSIGN_PUBLIC_KEY)" }, { "name": "IMAGES", "value": "$(params.SBOM_IMAGES)" }, { "name": "REKOR_HOST", "valueFrom": { "secretKeyRef": { "key": "rekor_url", "name": "tas-secret" } } }, { "name": "TUF_MIRROR", "valueFrom": { "secretKeyRef": { "key": "tuf_url", "name": "tas-secret" } } } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "download", "script": "echo \"running download-sbom-from-url-in-attestation\"\n$(workspaces.source.path)/tssc/download-sbom-from-url-in-attestation.sh\n", "workingDir": "$(workspaces.source.path)/source" } ], "workspaces": [ { "description": "Should contain a cloned gitops repo at the ./source subpath", "name": "source" } ] }, "when": [ { "input": "$(tasks.get-images.results.SBOM_IMAGES)", "operator": "notin", "values": [ "" ] } ], "workspaces": [ { "name": "source", "workspace": "workspace" } ] }, { "name": "upload-sboms", "params": [ { "name": "TPA_SECRET", "value": "tpa-secret" } ], "runAfter": [ "download-sboms" ], "taskSpec": { "description": "Upload SBOMs to Trustification", "metadata": { "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "description": "TPA Secret to obtain Trustification vars from.", "name": "TPA_SECRET", "type": "string" } ], "spec": null, "stepTemplate": { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "TRUSTIFICATION_BOMBASTIC_API_URL", "valueFrom": { "secretKeyRef": { "key": "bombastic_api_url", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_CLIENT_ID", "valueFrom": { "secretKeyRef": { "key": "oidc_client_id", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_CLIENT_SECRET", "valueFrom": { "secretKeyRef": { "key": "oidc_client_secret", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_ISSUER_URL", "valueFrom": { "secretKeyRef": { "key": "oidc_issuer_url", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION", "valueFrom": { "secretKeyRef": { "key": "supported_cyclonedx_version", "name": "$(params.TPA_SECRET)" } } } ], "workingDir": "$(workspaces.source.path)/source" }, "steps": [ { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "TRUSTIFICATION_BOMBASTIC_API_URL", "valueFrom": { "secretKeyRef": { "key": "bombastic_api_url", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_CLIENT_ID", "valueFrom": { "secretKeyRef": { "key": "oidc_client_id", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_CLIENT_SECRET", "valueFrom": { "secretKeyRef": { "key": "oidc_client_secret", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_ISSUER_URL", "valueFrom": { "secretKeyRef": { "key": "oidc_issuer_url", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION", "valueFrom": { "secretKeyRef": { "key": "supported_cyclonedx_version", "name": "$(params.TPA_SECRET)" } } } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "upload", "script": "echo \"running upload-sbom-to-trustification\"\n$(workspaces.source.path)/tssc/upload-sbom-to-trustification.sh\n", "workingDir": "$(workspaces.source.path)/source" } ], "workspaces": [ { "description": "Should contain a cloned gitops repo at the ./source subpath", "name": "source" } ] }, "when": [ { "input": "$(tasks.get-images.results.SBOM_IMAGES)", "operator": "notin", "values": [ "" ] } ], "workspaces": [ { "name": "source", "workspace": "workspace" } ] } ], "workspaces": [ { "name": "workspace" }, { "name": "git-auth", "optional": true } ] }, "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" } }, "startTime": "2026-05-18T07:45:58Z" } }, { "apiVersion": "tekton.dev/v1", "kind": "PipelineRun", "metadata": { "annotations": { "chains.tekton.dev/signed": "true", "chains.tekton.dev/transparency": "https://rekor-server-tssc-tas.apps.rosa.kx-8d9c162f6c.x2e6.p3.openshiftapps.com/api/v1/log/entries?logIndex=40", "pipelinesascode.tekton.dev/branch": "main", "pipelinesascode.tekton.dev/check-run-id": "76480468316", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-zxyhnz", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "47332704", "pipelinesascode.tekton.dev/log-url": "https://console-openshift-console.apps.rosa.kx-8d9c162f6c.x2e6.p3.openshiftapps.com/k8s/ns/tssc-app-ci/tekton.dev~v1~PipelineRun/e2e-tests-go-jdpuvcnh-gitops-on-pull-request-ttrd5", "pipelinesascode.tekton.dev/on-event": "[pull_request]", "pipelinesascode.tekton.dev/on-target-branch": "[main]", "pipelinesascode.tekton.dev/original-prname": "e2e-tests-go-jdpuvcnh-gitops-on-pull-request", "pipelinesascode.tekton.dev/pipeline": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/pipelines/gitops-pull-request-tssc.yaml", "pipelinesascode.tekton.dev/pull-request": "2", "pipelinesascode.tekton.dev/repo-url": "https://github.com/rhtap-rhdh-qe/e2e-tests-go-jdpuvcnh-gitops", "pipelinesascode.tekton.dev/repository": "e2e-tests-go-jdpuvcnh-gitops-repository", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "rhtap-ci-tests-bot", "pipelinesascode.tekton.dev/sha": "4f126933027dc227d042c9f254fcd9dba92f900a", "pipelinesascode.tekton.dev/sha-title": "Promote to prod environment", "pipelinesascode.tekton.dev/sha-url": "https://github.com/rhtap-rhdh-qe/e2e-tests-go-jdpuvcnh-gitops/commit/4f126933027dc227d042c9f254fcd9dba92f900a", "pipelinesascode.tekton.dev/source-branch": "promote-to-prod-1779090453295", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/rhtap-rhdh-qe/e2e-tests-go-jdpuvcnh-gitops", "pipelinesascode.tekton.dev/state": "completed", "pipelinesascode.tekton.dev/task-0": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/git-clone.yaml", "pipelinesascode.tekton.dev/task-1": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/gather-deploy-images.yaml", "pipelinesascode.tekton.dev/task-2": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/verify-enterprise-contract.yaml", "pipelinesascode.tekton.dev/task-3": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/gather-deploy-images.yaml", "pipelinesascode.tekton.dev/task-4": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/download-sbom-from-url-in-attestation.yaml", "pipelinesascode.tekton.dev/task-5": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/upload-sbom-to-trustification.yaml", "pipelinesascode.tekton.dev/task-6": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/fetch-gitops-images.yaml", "pipelinesascode.tekton.dev/task-7": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/verify-gitops-conforma.yaml", "pipelinesascode.tekton.dev/task-8": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/download-gitops-sbom.yaml", "pipelinesascode.tekton.dev/task-9": "https://raw.githubusercontent.com/redhat-appstudio/tssc-dev-multi-ci/release-v1.9.x/samples/tekton/pac/tasks/upload-gitops-sbom.yaml", "pipelinesascode.tekton.dev/url-org": "rhtap-rhdh-qe", "pipelinesascode.tekton.dev/url-repository": "e2e-tests-go-jdpuvcnh-gitops", "results.tekton.dev/record": "tssc-app-ci/results/fc88dcd1-62b4-4634-9e61-630e97f1e820/records/fc88dcd1-62b4-4634-9e61-630e97f1e820", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"e2e-tests-go-jdpuvcnh-gitops\",\"commit\":\"4f126933027dc227d042c9f254fcd9dba92f900a\",\"eventType\":\"pull_request\",\"pull_request-id\":2}", "results.tekton.dev/result": "tssc-app-ci/results/fc88dcd1-62b4-4634-9e61-630e97f1e820", "results.tekton.dev/stored": "true" }, "creationTimestamp": "2026-05-18T07:47:42Z", "finalizers": [ "results.tekton.dev/pipelinerun", "chains.tekton.dev/pipelinerun", "pipelinesascode.tekton.dev/finalizer" ], "generateName": "e2e-tests-go-jdpuvcnh-gitops-on-pull-request-", "generation": 1, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/part-of": "e2e-tests-go-jdpuvcnh", "app.kubernetes.io/version": "v0.39.5", "argocd/app-name": "e2e-tests-go-jdpuvcnh", "backstage.io/kubernetes-id": "e2e-tests-go-jdpuvcnh", "backstage.io/kubernetes-namespace": "tssc-app", "janus-idp.io/tekton": "e2e-tests-go-jdpuvcnh", "pipelinesascode.tekton.dev/check-run-id": "76480468316", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "e2e-tests-go-jdpuvcnh-gitops-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "2", "pipelinesascode.tekton.dev/repository": "e2e-tests-go-jdpuvcnh-gitops-repository", "pipelinesascode.tekton.dev/sha": "4f126933027dc227d042c9f254fcd9dba92f900a", "pipelinesascode.tekton.dev/state": "completed", "pipelinesascode.tekton.dev/url-org": "rhtap-rhdh-qe", "pipelinesascode.tekton.dev/url-repository": "e2e-tests-go-jdpuvcnh-gitops", "tekton.dev/pipeline": "e2e-tests-go-jdpuvcnh-gitops-on-pull-request-ttrd5" }, "name": "e2e-tests-go-jdpuvcnh-gitops-on-pull-request-ttrd5", "namespace": "tssc-app-ci", "resourceVersion": "47340", "uid": "fc88dcd1-62b4-4634-9e61-630e97f1e820" }, "spec": { "params": [ { "name": "git-url", "value": "https://github.com/rhtap-rhdh-qe/e2e-tests-go-jdpuvcnh-gitops" }, { "name": "revision", "value": "4f126933027dc227d042c9f254fcd9dba92f900a" }, { "name": "target-branch", "value": "main" }, { "name": "fail-if-trustification-not-configured", "value": "false" } ], "pipelineSpec": { "params": [ { "description": "Gitops repo url", "name": "git-url", "type": "string" }, { "default": "", "description": "Gitops repo revision", "name": "revision", "type": "string" }, { "default": "main", "description": "The target branch for the pull request", "name": "target-branch", "type": "string" }, { "default": "github.com/redhat-appstudio/tssc-dev-multi-ci//samples/conforma/policies/tekton-slsa3-v0.7", "description": "Enterprise Contract policy to validate against", "name": "ec-policy-configuration", "type": "string" }, { "default": "true", "description": "Should EC violations cause the pipeline to fail?", "name": "ec-strict", "type": "string" }, { "default": "k8s://$(context.pipelineRun.namespace)/cosign-pub", "description": "The public key that EC should use to verify signatures", "name": "ec-public-key", "type": "string" }, { "default": "tpa-secret", "description": "The name of the Secret that contains Trustification (TPA) configuration", "name": "trustification-secret-name", "type": "string" }, { "default": "true", "description": "Should the pipeline fail when there are SBOMs to upload but Trustification is not properly configured (i.e. the secret is missing or doesn't have all the required keys)?", "name": "fail-if-trustification-not-configured", "type": "string" } ], "tasks": [ { "name": "clone-repository", "params": [ { "name": "url", "value": "$(params.git-url)" }, { "name": "revision", "value": "$(params.revision)" }, { "name": "fetchTags", "value": "true" }, { "name": "depth", "value": "0" } ], "taskSpec": { "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.", "metadata": { "annotations": { "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git" }, "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "source", "description": "Subdirectory inside the `output` Workspace to clone the repo into.", "name": "subdirectory", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Clean out the contents of the destination directory if it already exists before cloning.", "name": "deleteExisting", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" }, { "default": "", "description": "Deprecated. Has no effect. Will be removed in the future.", "name": "gitInitImage", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" } ], "spec": null, "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "$(params.userHome)" }, { "name": "PARAM_URL", "value": "$(params.url)" }, { "name": "PARAM_REVISION", "value": "$(params.revision)" }, { "name": "PARAM_REFSPEC", "value": "$(params.refspec)" }, { "name": "PARAM_SUBMODULES", "value": "$(params.submodules)" }, { "name": "PARAM_SUBMODULE_PATHS", "value": "$(params.submodulePaths)" }, { "name": "PARAM_DEPTH", "value": "$(params.depth)" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "$(params.shortCommitLength)" }, { "name": "PARAM_SSL_VERIFY", "value": "$(params.sslVerify)" }, { "name": "PARAM_SUBDIRECTORY", "value": "$(params.subdirectory)" }, { "name": "PARAM_DELETE_EXISTING", "value": "$(params.deleteExisting)" }, { "name": "PARAM_HTTP_PROXY", "value": "$(params.httpProxy)" }, { "name": "PARAM_HTTPS_PROXY", "value": "$(params.httpsProxy)" }, { "name": "PARAM_NO_PROXY", "value": "$(params.noProxy)" }, { "name": "PARAM_VERBOSE", "value": "$(params.verbose)" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES", "value": "$(params.sparseCheckoutDirectories)" }, { "name": "PARAM_USER_HOME", "value": "$(params.userHome)" }, { "name": "PARAM_FETCH_TAGS", "value": "$(params.fetchTags)" }, { "name": "PARAM_GIT_INIT_IMAGE", "value": "$(params.gitInitImage)" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "$(params.mergeTargetBranch)" }, { "name": "PARAM_TARGET_BRANCH", "value": "$(params.targetBranch)" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL", "value": "$(params.mergeSourceRepoUrl)" }, { "name": "PARAM_MERGE_SOURCE_DEPTH", "value": "$(params.mergeSourceDepth)" }, { "name": "WORKSPACE_OUTPUT_PATH", "value": "$(workspaces.output.path)" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "$(workspaces.ssh-directory.bound)" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH", "value": "$(workspaces.ssh-directory.path)" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "$(workspaces.basic-auth.bound)" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "$(workspaces.basic-auth.path)" } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n # Delete any existing contents of the repo directory if it exists.\n #\n # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n # or the root of a mounted volume.\n if [ -d \"${CHECKOUT_DIR}\" ] ; then\n # Delete non-hidden files and directories\n rm -rf \"${CHECKOUT_DIR:?}\"/*\n # Delete files and directories starting with . but excluding ..\n rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n # Delete files and directories starting with .. plus any other character\n rm -rf \"${CHECKOUT_DIR}\"/..?*\n fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\nEXIT_CODE=\"$?\"\nif [ \"${EXIT_CODE}\" != 0 ] ; then\n exit \"${EXIT_CODE}\"\nfi\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n FETCH_EXIT_CODE=\"$?\"\n if [ \"${FETCH_EXIT_CODE}\" != \"0\" ]; then\n echo \"ERROR: Failed to fetch target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}.\" \u003e\u00262\n exit \"${FETCH_EXIT_CODE}\"\n fi\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n git merge \"${MERGE_REMOTE}/${PARAM_TARGET_BRANCH}\" --no-commit --no-ff --allow-unrelated-histories\n MERGE_CHECK_EXIT_CODE=\"$?\"\n if [ \"${MERGE_CHECK_EXIT_CODE}\" != \"0\" ] ; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit \"${MERGE_CHECK_EXIT_CODE}\"\n else\n # Check if there are changes that need to be merged, and if so, create a merge commit.\n if git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\n else\n echo \"Merge successful (no conflicts found), committing...\"\n git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"\n COMMIT_EXIT_CODE=\"$?\"\n if [ \"${COMMIT_EXIT_CODE}\" != \"0\" ]; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit \"${COMMIT_EXIT_CODE}\"\n fi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e \"$(results.merged_sha.path)\"\n fi\n fi\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"$(results.commit.path)\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"$(results.CHAINS-GIT_COMMIT.path)\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"$(results.short-commit.path)\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"$(results.url.path)\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"$(results.CHAINS-GIT_URL.path)\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"$(results.commit-timestamp.path)\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "$(params.enableSymlinkCheck)" }, { "name": "PARAM_SUBDIRECTORY", "value": "$(params.subdirectory)" }, { "name": "WORKSPACE_OUTPUT_PATH", "value": "$(workspaces.output.path)" } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink\n do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n" } ], "volumes": [ { "configMap": { "items": [ { "key": "$(params.caTrustConfigMapKey)", "path": "ca-bundle.crt" } ], "name": "$(params.caTrustConfigMapName)", "optional": true }, "name": "trusted-ca" } ], "workspaces": [ { "description": "The git repo will be cloned onto the volume backing this Workspace.", "name": "output" }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true }, { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true } ] }, "workspaces": [ { "name": "output", "workspace": "workspace" }, { "name": "basic-auth", "workspace": "git-auth" } ] }, { "name": "get-images", "params": [ { "name": "PUBLIC_KEY_URL", "value": "$(params.ec-public-key)" }, { "name": "TARGET_BRANCH", "value": "$(params.target-branch)" } ], "runAfter": [ "clone-repository" ], "taskSpec": { "description": "Extract images from deployment YAML to pass to Conforma for validation", "metadata": { "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "default": "", "description": "Public key used to verify signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute.", "name": "PUBLIC_KEY_URL", "type": "string" }, { "default": "", "description": "If specified, will gather only the images that changed between the current revision and the target branch. Useful for pull requests. Note that the repository cloned on the source workspace must already contain the origin/$TARGET_BRANCH reference.\n", "name": "TARGET_BRANCH", "type": "string" }, { "default": [ "development", "stage", "prod" ], "description": "Gather images from the manifest files for the specified environments", "name": "ENVIRONMENTS", "type": "array" } ], "results": [ { "description": "Cosign base64 encoded public key fetched from secrets.", "name": "COSIGN_PUBLIC_KEY", "type": "string" }, { "description": "The images with SBOMs to upload to Trustification \n", "name": "SBOM_IMAGES", "type": "string" }, { "description": "The images to be verified, in a format compatible with https://github.com/konflux-ci/build-definitions/tree/main/task/verify-enterprise-contract/0.1. When there are no images to verify, this is an empty string.\n", "name": "CONFORMA_IMAGES", "type": "string" } ], "spec": null, "stepTemplate": { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "TARGET_BRANCH", "value": "$(params.TARGET_BRANCH)" }, { "name": "PUBLIC_KEY_URL", "value": "$(params.PUBLIC_KEY_URL)" } ], "workingDir": "$(workspaces.source.path)/source" }, "steps": [ { "computeResources": {}, "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "init", "script": "pwd\nls -la\n# Sync scripts to the writable workspace\ncp -rf /work/tssc/ $(workspaces.source.path)/\n# Append the dummy function to common.sh\nprintf '\\nfunction registry-login() {\\n echo \"--- Registry Auth Bypass Active ---\"\\n return 0\\n}\\n' \u003e\u003e $(workspaces.source.path)/tssc/common.sh\necho \"Successfully patched $(workspaces.source.path)/tssc/common.sh\"\n\necho \"Parsing public key url\"\nCLEAN_URL=\"${PUBLIC_KEY_URL#k8s://}\"\nNS=\"${CLEAN_URL%/*}\"\nSECRET=\"${CLEAN_URL##*/}\"\nCOSIGN_PUBLIC_KEY=$(oc get secrets $SECRET -n $NS -o json | jq -r '.data.\"cosign.pub\"')\necho $COSIGN_PUBLIC_KEY \u003e $(results.COSIGN_PUBLIC_KEY.path)\n" }, { "computeResources": {}, "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "get-images", "script": "echo \"running gather-images-to-upload-sbom\"\n$(workspaces.source.path)/tssc/gather-images-to-upload-sbom.sh\nmv ./results/gather-deploy-images ./results/sbom-images \ncat ./results/sbom-images/IMAGES_TO_VERIFY \u003e $(results.SBOM_IMAGES.path)\n\necho \"running gather-deploy-images\"\n$(workspaces.source.path)/tssc/gather-deploy-images.sh\ncat ./results/gather-deploy-images/IMAGES_TO_VERIFY \u003e $(results.CONFORMA_IMAGES.path)\n" } ], "workspaces": [ { "description": "Should contain a cloned gitops repo at the ./source subpath", "name": "source" } ] }, "workspaces": [ { "name": "source", "workspace": "workspace" } ] }, { "name": "verify-conforma", "params": [ { "name": "STRICT", "value": "$(params.ec-strict)" }, { "name": "POLICY_CONFIGURATION", "value": "$(params.ec-policy-configuration)" }, { "name": "COSIGN_PUBLIC_KEY", "value": "$(tasks.get-images.results.COSIGN_PUBLIC_KEY)" } ], "runAfter": [ "get-images" ], "taskSpec": { "description": "Verify the enterprise contract is met", "metadata": { "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "default": "", "description": "Public key used to verify signatures. Must be a base64 encoded key.", "name": "COSIGN_PUBLIC_KEY", "type": "string" }, { "default": "enterprise-contract-service/default", "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n", "name": "POLICY_CONFIGURATION", "type": "string" }, { "default": "true", "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.", "name": "STRICT", "type": "string" } ], "results": [ { "description": "Short summary of the policy evaluation for each image.", "name": "TEST_OUTPUT", "type": "string" } ], "spec": null, "stepTemplate": { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "STRICT", "value": "$(params.STRICT)" }, { "name": "POLICY_CONFIGURATION", "value": "$(params.POLICY_CONFIGURATION)" }, { "name": "REKOR_HOST", "valueFrom": { "secretKeyRef": { "key": "rekor_url", "name": "tas-secret" } } }, { "name": "TUF_MIRROR", "valueFrom": { "secretKeyRef": { "key": "tuf_url", "name": "tas-secret" } } }, { "name": "COSIGN_PUBLIC_KEY", "value": "$(params.COSIGN_PUBLIC_KEY)" } ], "workingDir": "$(workspaces.source.path)/source" }, "steps": [ { "computeResources": {}, "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "verify", "script": "echo \"running verify-conforma\"\n$(workspaces.source.path)/tssc/verify-conforma.sh\ncat ./results/verify-conforma/TEST_OUTPUT \u003e $(results.TEST_OUTPUT.path)\n" } ], "workspaces": [ { "description": "Should contain a cloned gitops repo at the ./source subpath", "name": "source" } ] }, "when": [ { "input": "$(tasks.get-images.results.CONFORMA_IMAGES)", "operator": "notin", "values": [ "" ] } ], "workspaces": [ { "name": "source", "workspace": "workspace" } ] }, { "name": "download-sboms", "params": [ { "name": "COSIGN_PUBLIC_KEY", "value": "$(tasks.get-images.results.COSIGN_PUBLIC_KEY)" }, { "name": "SBOM_IMAGES", "value": "$(tasks.get-images.results.SBOM_IMAGES)" } ], "runAfter": [ "get-images" ], "taskSpec": { "description": "Download SBOM from images", "metadata": { "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "default": "", "description": "Public key used to verify signatures. Must be a base64 encoded key.", "name": "COSIGN_PUBLIC_KEY", "type": "string" }, { "default": "", "description": "Images to be considered for SBOM download.", "name": "SBOM_IMAGES", "type": "string" } ], "spec": null, "stepTemplate": { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "COSIGN_PUBLIC_KEY", "value": "$(params.COSIGN_PUBLIC_KEY)" }, { "name": "IMAGES", "value": "$(params.SBOM_IMAGES)" }, { "name": "REKOR_HOST", "valueFrom": { "secretKeyRef": { "key": "rekor_url", "name": "tas-secret" } } }, { "name": "TUF_MIRROR", "valueFrom": { "secretKeyRef": { "key": "tuf_url", "name": "tas-secret" } } } ], "workingDir": "$(workspaces.source.path)/source" }, "steps": [ { "computeResources": {}, "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "download", "script": "echo \"running download-sbom-from-url-in-attestation\"\n$(workspaces.source.path)/tssc/download-sbom-from-url-in-attestation.sh\n" } ], "workspaces": [ { "description": "Should contain a cloned gitops repo at the ./source subpath", "name": "source" } ] }, "when": [ { "input": "$(tasks.get-images.results.SBOM_IMAGES)", "operator": "notin", "values": [ "" ] } ], "workspaces": [ { "name": "source", "workspace": "workspace" } ] }, { "name": "upload-sboms", "params": [ { "name": "TPA_SECRET", "value": "$(params.trustification-secret-name)" } ], "runAfter": [ "download-sboms" ], "taskSpec": { "description": "Upload SBOMs to Trustification", "metadata": { "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "description": "TPA Secret to obtain Trustification vars from.", "name": "TPA_SECRET", "type": "string" } ], "spec": null, "stepTemplate": { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "TRUSTIFICATION_BOMBASTIC_API_URL", "valueFrom": { "secretKeyRef": { "key": "bombastic_api_url", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_CLIENT_ID", "valueFrom": { "secretKeyRef": { "key": "oidc_client_id", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_CLIENT_SECRET", "valueFrom": { "secretKeyRef": { "key": "oidc_client_secret", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_ISSUER_URL", "valueFrom": { "secretKeyRef": { "key": "oidc_issuer_url", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION", "valueFrom": { "secretKeyRef": { "key": "supported_cyclonedx_version", "name": "$(params.TPA_SECRET)" } } } ], "workingDir": "$(workspaces.source.path)/source" }, "steps": [ { "computeResources": {}, "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "upload", "script": "echo \"running upload-sbom-to-trustification\"\n$(workspaces.source.path)/tssc/upload-sbom-to-trustification.sh\n" } ], "workspaces": [ { "description": "Should contain a cloned gitops repo at the ./source subpath", "name": "source" } ] }, "when": [ { "input": "$(tasks.get-images.results.SBOM_IMAGES)", "operator": "notin", "values": [ "" ] } ], "workspaces": [ { "name": "source", "workspace": "workspace" } ] } ], "workspaces": [ { "name": "workspace" }, { "name": "git-auth", "optional": true } ] }, "taskRunTemplate": { "serviceAccountName": "pipeline" }, "timeouts": { "pipeline": "1h0m0s" }, "workspaces": [ { "name": "git-auth", "secret": { "secretName": "pac-gitauth-zxyhnz" } }, { "name": "workspace", "volumeClaimTemplate": { "metadata": { "creationTimestamp": null }, "spec": { "accessModes": [ "ReadWriteOnce" ], "resources": { "requests": { "storage": "1Gi" } } }, "status": {} } } ] }, "status": { "childReferences": [ { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "name": "e2e-tests-go-j97c58dd8f53b5be68ada9e72fbcf65c1-clone-repository", "pipelineTaskName": "clone-repository" }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "name": "e2e-tests-go-jdpuvcnh-gitops-on-pull-request-ttrd5-get-images", "pipelineTaskName": "get-images" }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "name": "e2e-tests-go-jd97c58dd8f53b5be68ada9e72fbcf65c1-verify-conforma", "pipelineTaskName": "verify-conforma", "whenExpressions": [ { "input": "{\"components\":[{\"containerImage\":\"quay.io/rhtap_qe/e2e-tests-go-jdpuvcnh:022c6df5bbbd643a93bcf795f272c7f14b128ccc\"}]}\n", "operator": "notin", "values": [ "" ] } ] }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "name": "e2e-tests-go-jdp97c58dd8f53b5be68ada9e72fbcf65c1-download-sboms", "pipelineTaskName": "download-sboms", "whenExpressions": [ { "input": "{\"components\":[{\"containerImage\":\"quay.io/rhtap_qe/e2e-tests-go-jdpuvcnh:022c6df5bbbd643a93bcf795f272c7f14b128ccc\"}]}\n", "operator": "notin", "values": [ "" ] } ] }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "name": "e2e-tests-go-jdpuvcnh-gitops-on-pull-request-ttrd5-upload-sboms", "pipelineTaskName": "upload-sboms", "whenExpressions": [ { "input": "{\"components\":[{\"containerImage\":\"quay.io/rhtap_qe/e2e-tests-go-jdpuvcnh:022c6df5bbbd643a93bcf795f272c7f14b128ccc\"}]}\n", "operator": "notin", "values": [ "" ] } ] } ], "completionTime": "2026-05-18T07:48:27Z", "conditions": [ { "lastTransitionTime": "2026-05-18T07:48:27Z", "message": "Tasks Completed: 5 (Failed: 0, Cancelled 0), Skipped: 0", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "pipelineSpec": { "params": [ { "description": "Gitops repo url", "name": "git-url", "type": "string" }, { "default": "", "description": "Gitops repo revision", "name": "revision", "type": "string" }, { "default": "main", "description": "The target branch for the pull request", "name": "target-branch", "type": "string" }, { "default": "github.com/redhat-appstudio/tssc-dev-multi-ci//samples/conforma/policies/tekton-slsa3-v0.7", "description": "Enterprise Contract policy to validate against", "name": "ec-policy-configuration", "type": "string" }, { "default": "true", "description": "Should EC violations cause the pipeline to fail?", "name": "ec-strict", "type": "string" }, { "default": "k8s://$(context.pipelineRun.namespace)/cosign-pub", "description": "The public key that EC should use to verify signatures", "name": "ec-public-key", "type": "string" }, { "default": "tpa-secret", "description": "The name of the Secret that contains Trustification (TPA) configuration", "name": "trustification-secret-name", "type": "string" }, { "default": "true", "description": "Should the pipeline fail when there are SBOMs to upload but Trustification is not properly configured (i.e. the secret is missing or doesn't have all the required keys)?", "name": "fail-if-trustification-not-configured", "type": "string" } ], "tasks": [ { "name": "clone-repository", "params": [ { "name": "url", "value": "https://github.com/rhtap-rhdh-qe/e2e-tests-go-jdpuvcnh-gitops" }, { "name": "revision", "value": "4f126933027dc227d042c9f254fcd9dba92f900a" }, { "name": "fetchTags", "value": "true" }, { "name": "depth", "value": "0" } ], "taskSpec": { "description": "The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace.", "metadata": { "annotations": { "tekton.dev/categories": "Git", "tekton.dev/displayName": "git clone", "tekton.dev/pipelines.minVersion": "0.21.0", "tekton.dev/platforms": "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64", "tekton.dev/tags": "git" }, "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "description": "Repository URL to clone from.", "name": "url", "type": "string" }, { "default": "", "description": "Revision to checkout. (branch, tag, sha, ref, etc...)", "name": "revision", "type": "string" }, { "default": "", "description": "Refspec to fetch before checking out revision.", "name": "refspec", "type": "string" }, { "default": "true", "description": "Initialize and fetch git submodules.", "name": "submodules", "type": "string" }, { "default": "", "description": "Comma-separated list of specific submodule paths to initialize and fetch. Only submodules in the specified directories and their subdirectories will be fetched.\nEmpty string fetches all submodules. Parameter \"submodules\" must be set to \"true\" to make this parameter applicable.\n", "name": "submodulePaths", "type": "string" }, { "default": "1", "description": "Perform a shallow clone, fetching only the most recent N commits.", "name": "depth", "type": "string" }, { "default": "7", "description": "Length of short commit SHA", "name": "shortCommitLength", "type": "string" }, { "default": "true", "description": "Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.", "name": "sslVerify", "type": "string" }, { "default": "source", "description": "Subdirectory inside the `output` Workspace to clone the repo into.", "name": "subdirectory", "type": "string" }, { "default": "", "description": "Define the directory patterns to match or exclude when performing a sparse checkout.", "name": "sparseCheckoutDirectories", "type": "string" }, { "default": "true", "description": "Clean out the contents of the destination directory if it already exists before cloning.", "name": "deleteExisting", "type": "string" }, { "default": "", "description": "HTTP proxy server for non-SSL requests.", "name": "httpProxy", "type": "string" }, { "default": "", "description": "HTTPS proxy server for SSL requests.", "name": "httpsProxy", "type": "string" }, { "default": "", "description": "Opt out of proxying HTTP/HTTPS requests.", "name": "noProxy", "type": "string" }, { "default": "false", "description": "Log the commands that are executed during `git-clone`'s operation.", "name": "verbose", "type": "string" }, { "default": "", "description": "Deprecated. Has no effect. Will be removed in the future.", "name": "gitInitImage", "type": "string" }, { "default": "/tekton/home", "description": "Absolute path to the user's home directory. Set this explicitly if you are running the image as a non-root user.\n", "name": "userHome", "type": "string" }, { "default": "true", "description": "Check symlinks in the repo. If they're pointing outside of the repo, the build will fail.\n", "name": "enableSymlinkCheck", "type": "string" }, { "default": "false", "description": "Fetch all tags for the repo.", "name": "fetchTags", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "false", "description": "Set to \"true\" to merge the targetBranch into the checked-out revision.", "name": "mergeTargetBranch", "type": "string" }, { "default": "main", "description": "The target branch to merge into the revision (if mergeTargetBranch is true).", "name": "targetBranch", "type": "string" }, { "default": "", "description": "URL of the repository to fetch the target branch from when mergeTargetBranch is true.\nIf empty, uses the same repository (origin). This allows merging a branch from a different repository.\n", "name": "mergeSourceRepoUrl", "type": "string" }, { "default": "", "description": "Perform a shallow fetch of the target branch, fetching only the most recent N commits.\nIf empty, fetches the full history of the target branch.\n", "name": "mergeSourceDepth", "type": "string" } ], "results": [ { "description": "The precise commit SHA that was fetched by this Task.", "name": "commit", "type": "string" }, { "description": "The commit SHA that was fetched by this Task limited to params.shortCommitLength number of characters", "name": "short-commit", "type": "string" }, { "description": "The precise URL that was fetched by this Task.", "name": "url", "type": "string" }, { "description": "The commit timestamp of the checkout", "name": "commit-timestamp", "type": "string" }, { "description": "The precise URL that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_URL", "type": "string" }, { "description": "The precise commit SHA that was fetched by this Task. This result uses Chains type hinting to include in the provenance.", "name": "CHAINS-GIT_COMMIT", "type": "string" }, { "description": "The SHA of the commit after merging the target branch (if the param mergeTargetBranch is true).", "name": "merged_sha", "type": "string" } ], "spec": null, "steps": [ { "computeResources": {}, "env": [ { "name": "HOME", "value": "$(params.userHome)" }, { "name": "PARAM_URL", "value": "$(params.url)" }, { "name": "PARAM_REVISION", "value": "4f126933027dc227d042c9f254fcd9dba92f900a" }, { "name": "PARAM_REFSPEC", "value": "$(params.refspec)" }, { "name": "PARAM_SUBMODULES", "value": "$(params.submodules)" }, { "name": "PARAM_SUBMODULE_PATHS", "value": "$(params.submodulePaths)" }, { "name": "PARAM_DEPTH", "value": "$(params.depth)" }, { "name": "PARAM_SHORT_COMMIT_LENGTH", "value": "$(params.shortCommitLength)" }, { "name": "PARAM_SSL_VERIFY", "value": "$(params.sslVerify)" }, { "name": "PARAM_SUBDIRECTORY", "value": "$(params.subdirectory)" }, { "name": "PARAM_DELETE_EXISTING", "value": "$(params.deleteExisting)" }, { "name": "PARAM_HTTP_PROXY", "value": "$(params.httpProxy)" }, { "name": "PARAM_HTTPS_PROXY", "value": "$(params.httpsProxy)" }, { "name": "PARAM_NO_PROXY", "value": "$(params.noProxy)" }, { "name": "PARAM_VERBOSE", "value": "$(params.verbose)" }, { "name": "PARAM_SPARSE_CHECKOUT_DIRECTORIES", "value": "$(params.sparseCheckoutDirectories)" }, { "name": "PARAM_USER_HOME", "value": "$(params.userHome)" }, { "name": "PARAM_FETCH_TAGS", "value": "$(params.fetchTags)" }, { "name": "PARAM_GIT_INIT_IMAGE", "value": "$(params.gitInitImage)" }, { "name": "PARAM_MERGE_TARGET_BRANCH", "value": "$(params.mergeTargetBranch)" }, { "name": "PARAM_TARGET_BRANCH", "value": "$(params.targetBranch)" }, { "name": "PARAM_MERGE_SOURCE_REPO_URL", "value": "$(params.mergeSourceRepoUrl)" }, { "name": "PARAM_MERGE_SOURCE_DEPTH", "value": "$(params.mergeSourceDepth)" }, { "name": "WORKSPACE_OUTPUT_PATH", "value": "$(workspaces.output.path)" }, { "name": "WORKSPACE_SSH_DIRECTORY_BOUND", "value": "$(workspaces.ssh-directory.bound)" }, { "name": "WORKSPACE_SSH_DIRECTORY_PATH", "value": "$(workspaces.ssh-directory.path)" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND", "value": "$(workspaces.basic-auth.bound)" }, { "name": "WORKSPACE_BASIC_AUTH_DIRECTORY_PATH", "value": "$(workspaces.basic-auth.path)" } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "clone", "script": "#!/usr/bin/env sh\nset -eu\n\nif [ \"${PARAM_VERBOSE}\" = \"true\" ] ; then\n set -x\nfi\n\nif [ -n \"${PARAM_GIT_INIT_IMAGE}\" ]; then\n echo \"WARNING: provided deprecated gitInitImage parameter has no effect.\"\nfi\n\nif [ \"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n if [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" ]; then\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials\" \"${PARAM_USER_HOME}/.git-credentials\"\n cp \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig\" \"${PARAM_USER_HOME}/.gitconfig\"\n # Compatibility with kubernetes.io/basic-auth secrets\n elif [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username\" ] \u0026\u0026 [ -f \"${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password\" ]; then\n HOSTNAME=$(echo $PARAM_URL | awk -F/ '{print $3}')\n echo \"https://$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/username):$(cat ${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/password)@$HOSTNAME\" \u003e \"${PARAM_USER_HOME}/.git-credentials\"\n echo -e \"[credential \\\"https://$HOSTNAME\\\"]\\n helper = store\" \u003e \"${PARAM_USER_HOME}/.gitconfig\"\n else\n echo \"Unknown basic-auth workspace format\"\n exit 1\n fi\n chmod 400 \"${PARAM_USER_HOME}/.git-credentials\"\n chmod 400 \"${PARAM_USER_HOME}/.gitconfig\"\nfi\n\n# Should be called after the gitconfig is copied from the repository secret\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n git config --global http.sslCAInfo \"$ca_bundle\"\nfi\n\nif [ \"${WORKSPACE_SSH_DIRECTORY_BOUND}\" = \"true\" ] ; then\n cp -R \"${WORKSPACE_SSH_DIRECTORY_PATH}\" \"${PARAM_USER_HOME}\"/.ssh\n chmod 700 \"${PARAM_USER_HOME}\"/.ssh\n chmod -R 400 \"${PARAM_USER_HOME}\"/.ssh/*\nfi\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\n\ncleandir() {\n # Delete any existing contents of the repo directory if it exists.\n #\n # We don't just \"rm -rf ${CHECKOUT_DIR}\" because ${CHECKOUT_DIR} might be \"/\"\n # or the root of a mounted volume.\n if [ -d \"${CHECKOUT_DIR}\" ] ; then\n # Delete non-hidden files and directories\n rm -rf \"${CHECKOUT_DIR:?}\"/*\n # Delete files and directories starting with . but excluding ..\n rm -rf \"${CHECKOUT_DIR}\"/.[!.]*\n # Delete files and directories starting with .. plus any other character\n rm -rf \"${CHECKOUT_DIR}\"/..?*\n fi\n}\n\nif [ \"${PARAM_DELETE_EXISTING}\" = \"true\" ] ; then\n cleandir\nfi\n\ntest -z \"${PARAM_HTTP_PROXY}\" || export HTTP_PROXY=\"${PARAM_HTTP_PROXY}\"\ntest -z \"${PARAM_HTTPS_PROXY}\" || export HTTPS_PROXY=\"${PARAM_HTTPS_PROXY}\"\ntest -z \"${PARAM_NO_PROXY}\" || export NO_PROXY=\"${PARAM_NO_PROXY}\"\n\n/ko-app/git-init \\\n -url=\"${PARAM_URL}\" \\\n -revision=\"${PARAM_REVISION}\" \\\n -refspec=\"${PARAM_REFSPEC}\" \\\n -path=\"${CHECKOUT_DIR}\" \\\n -sslVerify=\"${PARAM_SSL_VERIFY}\" \\\n -submodules=\"${PARAM_SUBMODULES}\" \\\n -submodulePaths=\"${PARAM_SUBMODULE_PATHS}\" \\\n -depth=\"${PARAM_DEPTH}\" \\\n -sparseCheckoutDirectories=\"${PARAM_SPARSE_CHECKOUT_DIRECTORIES}\" \\\n -retryMaxAttempts=10\ncd \"${CHECKOUT_DIR}\"\nRESULT_SHA=\"$(git rev-parse HEAD)\"\nRESULT_SHA_SHORT=\"$(git rev-parse --short=\"${PARAM_SHORT_COMMIT_LENGTH}\" HEAD)\"\nEXIT_CODE=\"$?\"\nif [ \"${EXIT_CODE}\" != 0 ] ; then\n exit \"${EXIT_CODE}\"\nfi\nif [ \"${PARAM_MERGE_TARGET_BRANCH}\" = \"true\" ]; then\n echo \"Merge option enabled. Attempting to merge target branch '${PARAM_TARGET_BRANCH}' into HEAD (${RESULT_SHA}).\"\n\n if [ \"${PARAM_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow clone with depth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n if [ \"${PARAM_MERGE_SOURCE_DEPTH}\" = \"1\" ]; then\n echo \"WARNING: Shallow fetch with mergeSourceDepth=1 may cause merge conflicts due to insufficient commit history.\" \u003e\u00262\n fi\n\n # Determine if merging from a different repository or the same one\n if [ -n \"${PARAM_MERGE_SOURCE_REPO_URL}\" ]; then\n # Normalize URLs for comparison (remove trailing slashes and .git suffix)\n normalize_url() {\n echo \"$1\" | sed -e 's#/$##' -e 's#\\.git$##'\n }\n\n NORMALIZED_ORIGIN_URL=$(normalize_url \"${PARAM_URL}\")\n NORMALIZED_MERGE_URL=$(normalize_url \"${PARAM_MERGE_SOURCE_REPO_URL}\")\n\n if [ \"${NORMALIZED_ORIGIN_URL}\" = \"${NORMALIZED_MERGE_URL}\" ]; then\n echo \"Merge source URL is the same as origin. Using existing 'origin' remote.\"\n MERGE_REMOTE=\"origin\"\n else\n echo \"Merging from different repository: ${PARAM_MERGE_SOURCE_REPO_URL}\"\n echo \"Adding remote 'merge-source'...\"\n git remote add merge-source \"${PARAM_MERGE_SOURCE_REPO_URL}\"\n MERGE_REMOTE=\"merge-source\"\n fi\n else\n echo \"Merging from the same repository (origin)\"\n MERGE_REMOTE=\"origin\"\n fi\n\n echo \"Fetching target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}...\"\n if [ -n \"${PARAM_MERGE_SOURCE_DEPTH}\" ]; then\n retry git fetch --depth=\"${PARAM_MERGE_SOURCE_DEPTH}\" ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n else\n retry git fetch ${MERGE_REMOTE} \"${PARAM_TARGET_BRANCH}\"\n fi\n FETCH_EXIT_CODE=\"$?\"\n if [ \"${FETCH_EXIT_CODE}\" != \"0\" ]; then\n echo \"ERROR: Failed to fetch target branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE}.\" \u003e\u00262\n exit \"${FETCH_EXIT_CODE}\"\n fi\n\n echo \"Merging ${MERGE_REMOTE}/${PARAM_TARGET_BRANCH} into current HEAD...\"\n git config --global user.email \"tekton-git-clone@tekton.dev\"\n git config --global user.name \"Tekton Git Clone Task\"\n git merge \"${MERGE_REMOTE}/${PARAM_TARGET_BRANCH}\" --no-commit --no-ff --allow-unrelated-histories\n MERGE_CHECK_EXIT_CODE=\"$?\"\n if [ \"${MERGE_CHECK_EXIT_CODE}\" != \"0\" ] ; then\n echo \"ERROR: Merge conflict detected or merge failed before commit.\" \u003e\u00262\n echo \"--- Git Status ---\"\n git status\n echo \"------------------\"\n exit \"${MERGE_CHECK_EXIT_CODE}\"\n else\n # Check if there are changes that need to be merged, and if so, create a merge commit.\n if git diff --staged --quiet; then\n echo \"No diff was found, skipping merge...\" \u003e\u00262\n else\n echo \"Merge successful (no conflicts found), committing...\"\n git commit -m \"Merge branch '${PARAM_TARGET_BRANCH}' from ${MERGE_REMOTE} into ${RESULT_SHA}\"\n COMMIT_EXIT_CODE=\"$?\"\n if [ \"${COMMIT_EXIT_CODE}\" != \"0\" ]; then\n echo \"ERROR: Failed to commit merge.\" \u003e\u00262\n exit \"${COMMIT_EXIT_CODE}\"\n fi\n MERGED_SHA=$(git rev-parse HEAD)\n echo \"New HEAD after merge: ${MERGED_SHA}\"\n echo \"${MERGED_SHA}\" \u003e \"$(results.merged_sha.path)\"\n fi\n fi\nelse\n echo \"Merge option disabled. Using checked-out revision ${RESULT_SHA} directly.\"\nfi\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"$(results.commit.path)\"\nprintf \"%s\" \"${RESULT_SHA}\" \u003e \"$(results.CHAINS-GIT_COMMIT.path)\"\nprintf \"%s\" \"${RESULT_SHA_SHORT}\" \u003e \"$(results.short-commit.path)\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"$(results.url.path)\"\nprintf \"%s\" \"${PARAM_URL}\" \u003e \"$(results.CHAINS-GIT_URL.path)\"\nprintf \"%s\" \"$(git log -1 --pretty=%ct)\" \u003e \"$(results.commit-timestamp.path)\"\n\nif [ \"${PARAM_FETCH_TAGS}\" = \"true\" ] ; then\n echo \"Fetching tags\"\n retry git fetch --tags\nfi\n", "securityContext": { "runAsUser": 0 }, "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, { "computeResources": {}, "env": [ { "name": "PARAM_ENABLE_SYMLINK_CHECK", "value": "$(params.enableSymlinkCheck)" }, { "name": "PARAM_SUBDIRECTORY", "value": "$(params.subdirectory)" }, { "name": "WORKSPACE_OUTPUT_PATH", "value": "$(workspaces.output.path)" } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "symlink-check", "script": "#!/usr/bin/env bash\nset -euo pipefail\n\nCHECKOUT_DIR=\"${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}\"\ncheck_symlinks() {\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=false\n while read -r symlink\n do\n target=$(readlink -m \"$symlink\")\n if ! [[ \"$target\" =~ ^$CHECKOUT_DIR ]]; then\n echo \"The cloned repository contains symlink pointing outside of the cloned repository: $symlink\"\n FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO=true\n fi\n done \u003c \u003c(find $CHECKOUT_DIR -type l -print)\n if [ \"$FOUND_SYMLINK_POINTING_OUTSIDE_OF_REPO\" = true ] ; then\n return 1\n fi\n}\n\nif [ \"${PARAM_ENABLE_SYMLINK_CHECK}\" = \"true\" ] ; then\n echo \"Running symlink check\"\n check_symlinks\nfi\n" } ], "volumes": [ { "configMap": { "items": [ { "key": "$(params.caTrustConfigMapKey)", "path": "ca-bundle.crt" } ], "name": "$(params.caTrustConfigMapName)", "optional": true }, "name": "trusted-ca" } ], "workspaces": [ { "description": "The git repo will be cloned onto the volume backing this Workspace.", "name": "output" }, { "description": "A .ssh directory with private key, known_hosts, config, etc. Copied to\nthe user's home before git commands are executed. Used to authenticate\nwith the git remote when performing the clone. Binding a Secret to this\nWorkspace is strongly recommended over other volume types.\n", "name": "ssh-directory", "optional": true }, { "description": "A Workspace containing a .gitconfig and .git-credentials file or username and password.\nThese will be copied to the user's home before any git commands are run. Any\nother files in this Workspace are ignored. It is strongly recommended\nto use ssh-directory over basic-auth whenever possible and to bind a\nSecret to this Workspace over other volume types.\n", "name": "basic-auth", "optional": true } ] }, "workspaces": [ { "name": "output", "workspace": "workspace" }, { "name": "basic-auth", "workspace": "git-auth" } ] }, { "name": "get-images", "params": [ { "name": "PUBLIC_KEY_URL", "value": "k8s://tssc-app-ci/cosign-pub" }, { "name": "TARGET_BRANCH", "value": "main" } ], "runAfter": [ "clone-repository" ], "taskSpec": { "description": "Extract images from deployment YAML to pass to Conforma for validation", "metadata": { "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "default": "", "description": "Public key used to verify signatures. Must be a valid k8s cosign reference, e.g. k8s://my-space/my-secret where my-secret contains the expected cosign.pub attribute.", "name": "PUBLIC_KEY_URL", "type": "string" }, { "default": "", "description": "If specified, will gather only the images that changed between the current revision and the target branch. Useful for pull requests. Note that the repository cloned on the source workspace must already contain the origin/$TARGET_BRANCH reference.\n", "name": "TARGET_BRANCH", "type": "string" }, { "default": [ "development", "stage", "prod" ], "description": "Gather images from the manifest files for the specified environments", "name": "ENVIRONMENTS", "type": "array" } ], "results": [ { "description": "Cosign base64 encoded public key fetched from secrets.", "name": "COSIGN_PUBLIC_KEY", "type": "string" }, { "description": "The images with SBOMs to upload to Trustification \n", "name": "SBOM_IMAGES", "type": "string" }, { "description": "The images to be verified, in a format compatible with https://github.com/konflux-ci/build-definitions/tree/main/task/verify-enterprise-contract/0.1. When there are no images to verify, this is an empty string.\n", "name": "CONFORMA_IMAGES", "type": "string" } ], "spec": null, "stepTemplate": { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "TARGET_BRANCH", "value": "$(params.TARGET_BRANCH)" }, { "name": "PUBLIC_KEY_URL", "value": "$(params.PUBLIC_KEY_URL)" } ], "workingDir": "$(workspaces.source.path)/source" }, "steps": [ { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "TARGET_BRANCH", "value": "$(params.TARGET_BRANCH)" }, { "name": "PUBLIC_KEY_URL", "value": "$(params.PUBLIC_KEY_URL)" } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "init", "script": "pwd\nls -la\n# Sync scripts to the writable workspace\ncp -rf /work/tssc/ $(workspaces.source.path)/\n# Append the dummy function to common.sh\nprintf '\\nfunction registry-login() {\\n echo \"--- Registry Auth Bypass Active ---\"\\n return 0\\n}\\n' \u003e\u003e $(workspaces.source.path)/tssc/common.sh\necho \"Successfully patched $(workspaces.source.path)/tssc/common.sh\"\n\necho \"Parsing public key url\"\nCLEAN_URL=\"${PUBLIC_KEY_URL#k8s://}\"\nNS=\"${CLEAN_URL%/*}\"\nSECRET=\"${CLEAN_URL##*/}\"\nCOSIGN_PUBLIC_KEY=$(oc get secrets $SECRET -n $NS -o json | jq -r '.data.\"cosign.pub\"')\necho $COSIGN_PUBLIC_KEY \u003e $(results.COSIGN_PUBLIC_KEY.path)\n", "workingDir": "$(workspaces.source.path)/source" }, { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "TARGET_BRANCH", "value": "$(params.TARGET_BRANCH)" }, { "name": "PUBLIC_KEY_URL", "value": "$(params.PUBLIC_KEY_URL)" } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "get-images", "script": "echo \"running gather-images-to-upload-sbom\"\n$(workspaces.source.path)/tssc/gather-images-to-upload-sbom.sh\nmv ./results/gather-deploy-images ./results/sbom-images \ncat ./results/sbom-images/IMAGES_TO_VERIFY \u003e $(results.SBOM_IMAGES.path)\n\necho \"running gather-deploy-images\"\n$(workspaces.source.path)/tssc/gather-deploy-images.sh\ncat ./results/gather-deploy-images/IMAGES_TO_VERIFY \u003e $(results.CONFORMA_IMAGES.path)\n", "workingDir": "$(workspaces.source.path)/source" } ], "workspaces": [ { "description": "Should contain a cloned gitops repo at the ./source subpath", "name": "source" } ] }, "workspaces": [ { "name": "source", "workspace": "workspace" } ] }, { "name": "verify-conforma", "params": [ { "name": "STRICT", "value": "true" }, { "name": "POLICY_CONFIGURATION", "value": "github.com/redhat-appstudio/tssc-dev-multi-ci//samples/conforma/policies/tekton-slsa3-v0.7" }, { "name": "COSIGN_PUBLIC_KEY", "value": "$(tasks.get-images.results.COSIGN_PUBLIC_KEY)" } ], "runAfter": [ "get-images" ], "taskSpec": { "description": "Verify the enterprise contract is met", "metadata": { "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "default": "", "description": "Public key used to verify signatures. Must be a base64 encoded key.", "name": "COSIGN_PUBLIC_KEY", "type": "string" }, { "default": "enterprise-contract-service/default", "description": "Name of the policy configuration (EnterpriseContractPolicy\nresource) to use. `namespace/name` or `name` syntax supported. If\nnamespace is omitted the namespace where the task runs is used.\nYou can also specify a policy configuration using a git url, e.g.\n`github.com/conforma/config//slsa3`.\n", "name": "POLICY_CONFIGURATION", "type": "string" }, { "default": "true", "description": "Fail the task if policy fails. Set to `\"false\"` to disable it.", "name": "STRICT", "type": "string" } ], "results": [ { "description": "Short summary of the policy evaluation for each image.", "name": "TEST_OUTPUT", "type": "string" } ], "spec": null, "stepTemplate": { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "STRICT", "value": "$(params.STRICT)" }, { "name": "POLICY_CONFIGURATION", "value": "$(params.POLICY_CONFIGURATION)" }, { "name": "REKOR_HOST", "valueFrom": { "secretKeyRef": { "key": "rekor_url", "name": "tas-secret" } } }, { "name": "TUF_MIRROR", "valueFrom": { "secretKeyRef": { "key": "tuf_url", "name": "tas-secret" } } }, { "name": "COSIGN_PUBLIC_KEY", "value": "$(params.COSIGN_PUBLIC_KEY)" } ], "workingDir": "$(workspaces.source.path)/source" }, "steps": [ { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "STRICT", "value": "$(params.STRICT)" }, { "name": "POLICY_CONFIGURATION", "value": "$(params.POLICY_CONFIGURATION)" }, { "name": "REKOR_HOST", "valueFrom": { "secretKeyRef": { "key": "rekor_url", "name": "tas-secret" } } }, { "name": "TUF_MIRROR", "valueFrom": { "secretKeyRef": { "key": "tuf_url", "name": "tas-secret" } } }, { "name": "COSIGN_PUBLIC_KEY", "value": "$(params.COSIGN_PUBLIC_KEY)" } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "verify", "script": "echo \"running verify-conforma\"\n$(workspaces.source.path)/tssc/verify-conforma.sh\ncat ./results/verify-conforma/TEST_OUTPUT \u003e $(results.TEST_OUTPUT.path)\n", "workingDir": "$(workspaces.source.path)/source" } ], "workspaces": [ { "description": "Should contain a cloned gitops repo at the ./source subpath", "name": "source" } ] }, "when": [ { "input": "$(tasks.get-images.results.CONFORMA_IMAGES)", "operator": "notin", "values": [ "" ] } ], "workspaces": [ { "name": "source", "workspace": "workspace" } ] }, { "name": "download-sboms", "params": [ { "name": "COSIGN_PUBLIC_KEY", "value": "$(tasks.get-images.results.COSIGN_PUBLIC_KEY)" }, { "name": "SBOM_IMAGES", "value": "$(tasks.get-images.results.SBOM_IMAGES)" } ], "runAfter": [ "get-images" ], "taskSpec": { "description": "Download SBOM from images", "metadata": { "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "default": "", "description": "Public key used to verify signatures. Must be a base64 encoded key.", "name": "COSIGN_PUBLIC_KEY", "type": "string" }, { "default": "", "description": "Images to be considered for SBOM download.", "name": "SBOM_IMAGES", "type": "string" } ], "spec": null, "stepTemplate": { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "COSIGN_PUBLIC_KEY", "value": "$(params.COSIGN_PUBLIC_KEY)" }, { "name": "IMAGES", "value": "$(params.SBOM_IMAGES)" }, { "name": "REKOR_HOST", "valueFrom": { "secretKeyRef": { "key": "rekor_url", "name": "tas-secret" } } }, { "name": "TUF_MIRROR", "valueFrom": { "secretKeyRef": { "key": "tuf_url", "name": "tas-secret" } } } ], "workingDir": "$(workspaces.source.path)/source" }, "steps": [ { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "COSIGN_PUBLIC_KEY", "value": "$(params.COSIGN_PUBLIC_KEY)" }, { "name": "IMAGES", "value": "$(params.SBOM_IMAGES)" }, { "name": "REKOR_HOST", "valueFrom": { "secretKeyRef": { "key": "rekor_url", "name": "tas-secret" } } }, { "name": "TUF_MIRROR", "valueFrom": { "secretKeyRef": { "key": "tuf_url", "name": "tas-secret" } } } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "download", "script": "echo \"running download-sbom-from-url-in-attestation\"\n$(workspaces.source.path)/tssc/download-sbom-from-url-in-attestation.sh\n", "workingDir": "$(workspaces.source.path)/source" } ], "workspaces": [ { "description": "Should contain a cloned gitops repo at the ./source subpath", "name": "source" } ] }, "when": [ { "input": "$(tasks.get-images.results.SBOM_IMAGES)", "operator": "notin", "values": [ "" ] } ], "workspaces": [ { "name": "source", "workspace": "workspace" } ] }, { "name": "upload-sboms", "params": [ { "name": "TPA_SECRET", "value": "tpa-secret" } ], "runAfter": [ "download-sboms" ], "taskSpec": { "description": "Upload SBOMs to Trustification", "metadata": { "labels": { "app.kubernetes.io/version": "0.1" } }, "params": [ { "description": "TPA Secret to obtain Trustification vars from.", "name": "TPA_SECRET", "type": "string" } ], "spec": null, "stepTemplate": { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "TRUSTIFICATION_BOMBASTIC_API_URL", "valueFrom": { "secretKeyRef": { "key": "bombastic_api_url", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_CLIENT_ID", "valueFrom": { "secretKeyRef": { "key": "oidc_client_id", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_CLIENT_SECRET", "valueFrom": { "secretKeyRef": { "key": "oidc_client_secret", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_ISSUER_URL", "valueFrom": { "secretKeyRef": { "key": "oidc_issuer_url", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION", "valueFrom": { "secretKeyRef": { "key": "supported_cyclonedx_version", "name": "$(params.TPA_SECRET)" } } } ], "workingDir": "$(workspaces.source.path)/source" }, "steps": [ { "computeResources": {}, "env": [ { "name": "CI_TYPE", "value": "tekton" }, { "name": "TRUSTIFICATION_BOMBASTIC_API_URL", "valueFrom": { "secretKeyRef": { "key": "bombastic_api_url", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_CLIENT_ID", "valueFrom": { "secretKeyRef": { "key": "oidc_client_id", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_CLIENT_SECRET", "valueFrom": { "secretKeyRef": { "key": "oidc_client_secret", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_OIDC_ISSUER_URL", "valueFrom": { "secretKeyRef": { "key": "oidc_issuer_url", "name": "$(params.TPA_SECRET)" } } }, { "name": "TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION", "valueFrom": { "secretKeyRef": { "key": "supported_cyclonedx_version", "name": "$(params.TPA_SECRET)" } } } ], "image": "quay.io/redhat-tssc/task-runner:1.9", "imagePullPolicy": "Always", "name": "upload", "script": "echo \"running upload-sbom-to-trustification\"\n$(workspaces.source.path)/tssc/upload-sbom-to-trustification.sh\n", "workingDir": "$(workspaces.source.path)/source" } ], "workspaces": [ { "description": "Should contain a cloned gitops repo at the ./source subpath", "name": "source" } ] }, "when": [ { "input": "$(tasks.get-images.results.SBOM_IMAGES)", "operator": "notin", "values": [ "" ] } ], "workspaces": [ { "name": "source", "workspace": "workspace" } ] } ], "workspaces": [ { "name": "workspace" }, { "name": "git-auth", "optional": true } ] }, "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" } }, "startTime": "2026-05-18T07:47:42Z" } } ], "kind": "List", "metadata": { "resourceVersion": "" } }