From e10b9bb1a7f8e4755261819ee1f8008f36273ab9 Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Fri, 21 Jun 2024 13:39:47 +0200
Subject: [PATCH 1/6] Add Checkton workflow
Based on https://github.com/chmeliik/checkton#example-usage
Signed-off-by: Adam Cmiel
---
 .github/workflows/checkton.yaml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 .github/workflows/checkton.yaml
diff --git a/.github/workflows/checkton.yaml b/.github/workflows/checkton.yaml
new file mode 100644
index 0000000000..6297b59233
--- /dev/null
+++ b/.github/workflows/checkton.yaml
@@ -0,0 +1,29 @@
+name: Checkton
+on:
+ pull_request:
+ branches: [main]
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ # Differential Checkton requires full git history
+ fetch-depth: 0
+
+ - name: Run Checkton
+ id: checkton
+ uses: chmeliik/checkton@v0.1.2
+ with:
+ fail-on-findings: false
+ find-copies-harder: true
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: ${{ steps.checkton.outputs.sarif }}
+ # Avoid clashing with ShellCheck
+ category: checkton
From ab86b8f0edc280b7e1f16a9e0159a78582977917 Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Fri, 21 Jun 2024 13:34:26 +0200
Subject: [PATCH 2/6] mv .tekton/pull-request.yaml -> .tekton/pr.yaml
Checkton should not report any warnings
Signed-off-by: Adam Cmiel
---
 .tekton/{pull-request.yaml => pr.yaml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename .tekton/{pull-request.yaml => pr.yaml} (100%)
diff --git a/.tekton/pull-request.yaml b/.tekton/pr.yaml
similarity index 100%
rename from .tekton/pull-request.yaml
rename to .tekton/pr.yaml
From 7d1f3fc1d8ae466b9a084d7720ccfb647c56278d Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Fri, 21 Jun 2024 13:52:09 +0200
Subject: [PATCH 3/6] add problematic bash code to .tekton/pr.yaml
Checkton should only report the new addition
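Review bot: Every `uses:` in the new workflow is pinned to a mutable tag — `chmeliik/checkton@v0.1.2`, `actions/checkout@v4`, `github/codeql-action/upload-sarif@v3` — so the code that runs against each pull request can change silently if a tag is moved, which matters most for the lesser-known third-party Checkton action; pin each one to a full commit SHA with the version in a trailing comment, e.g. `uses: chmeliik/checkton@<commit-sha>  # v0.1.2`. The workflow also declares no `permissions:` block while `upload-sarif` needs `security-events: write`, so add an explicit least-privilege grant at the job level, `permissions: { contents: read, security-events: write }`, rather than inheriting the repository's default token scope. Pull requests from forks presumably receive a read-only token, in which case the SARIF upload step would fail while `fail-on-findings: false` keeps the lint step green; confirm what the intended outcome is for fork PRs and document it in a comment above `fail-on-findings`.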
Signed-off-by: Adam Cmiel --- .tekton/pr.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.tekton/pr.yaml b/.tekton/pr.yaml index 1feb1d8b5f..eb2425a8b6 100644 --- a/.tekton/pr.yaml +++ b/.tekton/pr.yaml @@ -248,6 +248,7 @@ spec: image: registry.redhat.io/openshift4/ose-cli:v4.12@sha256:0d21299d2adfa3cb74562c4dffbedd3b107fffac3a2a537f14770088abd4671f script: | #!/usr/bin/env bash + echo $HI # Perform cleanup of resources created by gitops service oc delete --ignore-not-found deployment --all -n $(params.e2e_test_namespace) oc delete --ignore-not-found eventlisteners --all -n $(params.e2e_test_namespace) From f04430642d96d74899a399fdf342012c11d0c8c1 Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Fri, 21 Jun 2024 17:40:28 +0200 Subject: [PATCH 4/6] cp prefetch-dependencies/{0.1 -> 0.2} Checkton should not report any warnings Signed-off-by: Adam Cmiel --- task/prefetch-dependencies/0.2/README.md | 19 +++ .../0.2/prefetch-dependencies.yaml | 122 ++++++++++++++++++ 2 files changed, 141 insertions(+) create mode 100644 task/prefetch-dependencies/0.2/README.md create mode 100644 task/prefetch-dependencies/0.2/prefetch-dependencies.yaml diff --git a/task/prefetch-dependencies/0.2/README.md b/task/prefetch-dependencies/0.2/README.md new file mode 100644 index 0000000000..6a6914bb3e --- /dev/null +++ b/task/prefetch-dependencies/0.2/README.md 
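Review bot: The added `echo $HI` is, per the commit message, a deliberate fixture for Checkton, but it is inserted into the live e2e cleanup step of `.tekton/pr.yaml`, so it must be dropped before this series reaches main rather than left as a permanent demo line. If an intentional finding is needed to exercise the workflow, put it in a throwaway test file rather than in a PipelineRun that executes in CI. The enclosing script step starts and ends outside the hunk.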
@@ -0,0 +1,19 @@
+# prefetch-dependencies task
+
+Task that uses Cachi2 to prefetch build dependencies.
+See docs at https://github.com/containerbuildsystem/cachi2#basic-usage.
+
+## Parameters
+|name|description|default value|required|
+|---|---|---|---|
+|input|Configures project packages that will have their dependencies prefetched.||true|
+|dev-package-managers|Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk. |false|false|
+|log-level|Set cachi2 log level (debug, info, warning, error)|info|false|
+|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|
+|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
+
+## Workspaces
+|name|description|optional|
+|---|---|---|
+|source|Workspace with the source code, cachi2 artifacts will be stored on the workspace as well|false|
+|git-basic-auth|A Workspace containing a .gitconfig and .git-credentials file or username and password. These will be copied to the user's home before any cachi2 commands are run. Any other files in this Workspace are ignored. It is strongly recommended to bind a Secret to this Workspace over other volume types. |true|
diff --git a/task/prefetch-dependencies/0.2/prefetch-dependencies.yaml b/task/prefetch-dependencies/0.2/prefetch-dependencies.yaml
new file mode 100644
index 0000000000..0161463fb2
--- /dev/null
+++ b/task/prefetch-dependencies/0.2/prefetch-dependencies.yaml
@@ -0,0 +1,122 @@
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+ labels:
+ app.kubernetes.io/version: "0.1"
+ annotations:
+ tekton.dev/pipelines.minVersion: "0.12.1"
+ tekton.dev/tags: "image-build, hacbs"
+ name: prefetch-dependencies
+spec:
+ description: |-
+ Task that uses Cachi2 to prefetch build dependencies.
+ See docs at https://github.com/containerbuildsystem/cachi2#basic-usage.
+ params:
+ - description: Configures project packages that will have their dependencies prefetched.
+ name: input
+ - description: >
+ Enable in-development package managers. WARNING: the behavior may change at any time without
+ notice. Use at your own risk.
+ name: dev-package-managers
+ default: "false"
+ - description: Set cachi2 log level (debug, info, warning, error)
+ name: log-level
+ default: "info"
+ - name: caTrustConfigMapName
+ type: string
+ description: The name of the ConfigMap to read CA bundle data from.
+ default: trusted-ca
+ - name: caTrustConfigMapKey
+ type: string
+ description: The name of the key in the ConfigMap that contains the CA bundle data.
+ default: ca-bundle.crt
+ steps:
+ - image: quay.io/redhat-appstudio/cachi2:0.7.0@sha256:1fc772aa3636fd0b43d62120d832e5913843e028e8cac42814b487c3a0a32bd8
+ # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
+ # the cluster will set imagePullPolicy to IfNotPresent
+ name: prefetch-dependencies
+ env:
+ - name: INPUT
+ value: $(params.input)
+ - name: DEV_PACKAGE_MANAGERS
+ value: $(params.dev-package-managers)
+ - name: LOG_LEVEL
+ value: $(params.log-level)
+ - name: WORKSPACE_GIT_AUTH_BOUND
+ value: $(workspaces.git-basic-auth.bound)
+ - name: WORKSPACE_GIT_AUTH_PATH
+ value: $(workspaces.git-basic-auth.path)
+ volumeMounts:
+ - name: trusted-ca
+ mountPath: /mnt/trusted-ca
+ readOnly: true
+ script: |
+ if [ -z "${INPUT}" ]
+ then
+ # Confirm input was provided though it's likely the whole task would be skipped if it wasn't
+ echo "No prefetch will be performed because no input was provided for cachi2 fetch-deps"
+ exit 0
+ fi
+
+ if [ "$DEV_PACKAGE_MANAGERS" = "true" ]; then
+ dev_pacman_flag=--dev-package-managers
+ else
+ dev_pacman_flag=""
+ fi
+
+ # Copied from https://github.com/konflux-ci/build-definitions/blob/main/task/git-clone/0.1/git-clone.yaml
+ if [ "${WORKSPACE_GIT_AUTH_BOUND}" = "true" ] ; then
+ if [ -f "${WORKSPACE_GIT_AUTH_PATH}/.git-credentials" ] && [ -f "${WORKSPACE_GIT_AUTH_PATH}/.gitconfig" ]; then
+ cp "${WORKSPACE_GIT_AUTH_PATH}/.git-credentials" "${HOME}/.git-credentials"
+ cp "${WORKSPACE_GIT_AUTH_PATH}/.gitconfig" "${HOME}/.gitconfig"
+ # Compatibility with kubernetes.io/basic-auth secrets
+ elif [ -f "${WORKSPACE_GIT_AUTH_PATH}/username" ] && [ -f "${WORKSPACE_GIT_AUTH_PATH}/password" ]; then
+ HOSTNAME=$(cd "$(workspaces.source.path)/source" && git remote get-url origin | awk -F/ '{print $3}')
+ echo "https://$(cat ${WORKSPACE_GIT_AUTH_PATH}/username):$(cat ${WORKSPACE_GIT_AUTH_PATH}/password)@$HOSTNAME" > "${HOME}/.git-credentials"
+ echo -e "[credential \"https://$HOSTNAME\"]\n helper = store"
> "${HOME}/.gitconfig"
+ else
+ echo "Unknown git-basic-auth workspace format"
+ exit 1
+ fi
+ chmod 400 "${HOME}/.git-credentials"
+ chmod 400 "${HOME}/.gitconfig"
+ fi
+
+ ca_bundle=/mnt/trusted-ca/ca-bundle.crt
+ if [ -f "$ca_bundle" ]; then
+ echo "INFO: Using mounted CA bundle: $ca_bundle"
+ cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors
+ update-ca-trust
+ fi
+
+ cachi2 --log-level="$LOG_LEVEL" fetch-deps \
+ $dev_pacman_flag \
+ --source=$(workspaces.source.path)/source \
+ --output=$(workspaces.source.path)/cachi2/output \
+ "${INPUT}"
+
+ cachi2 --log-level="$LOG_LEVEL" generate-env $(workspaces.source.path)/cachi2/output \
+ --format env \
+ --for-output-dir=/cachi2/output \
+ --output $(workspaces.source.path)/cachi2/cachi2.env
+
+ cachi2 --log-level="$LOG_LEVEL" inject-files $(workspaces.source.path)/cachi2/output \
+ --for-output-dir=/cachi2/output
+ workspaces:
+ - name: source
+ description: Workspace with the source code, cachi2 artifacts will be stored on the workspace as well
+ - name: git-basic-auth
+ description: |
+ A Workspace containing a .gitconfig and .git-credentials file or username and password.
+ These will be copied to the user's home before any cachi2 commands are run. Any
+ other files in this Workspace are ignored. It is strongly recommended
+ to bind a Secret to this Workspace over other volume types.
+ optional: true
+ volumes:
+ - name: trusted-ca
+ configMap:
+ name: $(params.caTrustConfigMapName)
+ items:
+ - key: $(params.caTrustConfigMapKey)
+ path: ca-bundle.crt
+ optional: true
From 3dd6dc0b7655ff3f6badbec0efa7049914a2bb22 Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Fri, 21 Jun 2024 17:59:58 +0200
Subject: [PATCH 5/6] add bash problem to prefetch-dependencies/0.2
Checkton should only report the new problem
Signed-off-by: Adam Cmiel
---
 task/prefetch-dependencies/0.2/prefetch-dependencies.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
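Review bot: The basic-auth branch writes `https://<user>:<password>@$HOSTNAME` into `~/.git-credentials` without percent-encoding either value, so a username or password containing `@`, `:`, `/` or `%` yields a credential line that git's store helper parses incorrectly, and the `$(cat ${WORKSPACE_GIT_AUTH_PATH}/username)` substitutions are unquoted; encode both values before interpolating, or at minimum state in the `git-basic-auth` workspace description that they must be URL-safe. Both credential files are also created with the default umask and only then `chmod 400`, so running `umask 077` before the writes removes the window in which they are world-readable. The `$HOSTNAME` derivation via `awk -F/ '{print $3}'` presumably only works for https-style `origin` URLs — confirm ssh remotes are out of scope and say so in a comment. Separately, `app.kubernetes.io/version: "0.1"` is copied verbatim into the `0.2` directory; if this is meant to be a real new task version the label should read `"0.2"`.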
diff --git a/task/prefetch-dependencies/0.2/prefetch-dependencies.yaml b/task/prefetch-dependencies/0.2/prefetch-dependencies.yaml index 0161463fb2..c5a04a8417 100644 --- a/task/prefetch-dependencies/0.2/prefetch-dependencies.yaml +++ b/task/prefetch-dependencies/0.2/prefetch-dependencies.yaml @@ -51,7 +51,7 @@ spec: mountPath: /mnt/trusted-ca readOnly: true script: | - if [ -z "${INPUT}" ] + if [ -z ${INPUT} ] then # Confirm input was provided though it's likely the whole task would be skipped if it wasn't echo "No prefetch will be performed because no input was provided for cachi2 fetch-deps" From 020fd2f8ae056873017f9cff01c26ece520e5c2d Mon Sep 17 00:00:00 2001 From: Adam Cmiel Date: Fri, 21 Jun 2024 18:04:57 +0200 Subject: [PATCH 6/6] add bash problem to buildah.yaml While at the same time, fixing another problem by using a more accurate shebang Signed-off-by: Adam Cmiel --- task/buildah/0.1/buildah.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/task/buildah/0.1/buildah.yaml b/task/buildah/0.1/buildah.yaml index 79d147cc8b..98271f9dd3 100644 --- a/task/buildah/0.1/buildah.yaml +++ b/task/buildah/0.1/buildah.yaml @@ -173,6 +173,8 @@ spec: args: - $(params.BUILD_ARGS[*]) script: | + #!/bin/bash + set -e if [ -n "${PARAM_BUILDER_IMAGE}" ]; then echo "WARNING: provided deprecated BUILDER_IMAGE parameter has no effect." fi @@ -308,7 +310,7 @@ spec: unshare -Uf $UNSHARE_ARGS --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w ${SOURCE_CODE_DIR}/$CONTEXT -- buildah build \ $VOLUME_MOUNTS \ - "${BUILDAH_ARGS[@]}" \ + ${BUILDAH_ARGS[@]} \ "${LABELS[@]}" \ --tls-verify=$TLSVERIFY --no-cache \ --ulimit nofile=4096:4096 \
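Review bot: Removing the quotes in `if [ -z ${INPUT} ]` is presumably the intentional Checkton fixture, but it also changes behaviour for real inputs: if `input` contains whitespace, `[` reports "too many arguments" on stderr and the guard is skipped, which happens to reach the intended path only by accident, and a value containing a glob character is expanded against the working directory. Restore `if [ -z "${INPUT}" ]` before this lands, or keep this patch out of main. The enclosing script continues outside the hunk.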
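Review bot: Adding `set -e` together with the explicit `#!/bin/bash` shebang looks necessary because Tekton presumably only injects its own `set -e` preamble when a script has no shebang, which is what the commit message calls the fix; since the script already relies on bash arrays, consider `set -eo pipefail` so a failure on the left side of any pipeline in this step is not ignored. The enclosing script step continues outside the hunk.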
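Review bot: Dropping the quotes around `${BUILDAH_ARGS[@]}` word-splits and glob-expands every element, so a `--build-arg` value with spaces or a `*` reaches `buildah build` as several arguments; keep `"${BUILDAH_ARGS[@]}"`, and since the series labels this the deliberate Checkton finding it should not be merged to main. The neighbouring `$VOLUME_MOUNTS` and `$UNSHARE_ARGS` expansions are unquoted too, but those are pre-existing context rather than part of this change. The enclosing script step starts and ends outside the hunk.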