konflux-ci · zregvart · Dec 21, 2023
@@ -1,5 +1,5 @@
 name: Validate PR - buildah-remote
-on:
+'on':
   pull_request:
     branches: [main]
 jobs:

@@ -29,7 +29,9 @@ spec:
         taskRef:
           name: git-clone
         workspaces:
-          - name: output
+          - name: source
+            workspace: workspace
+          - name: artifacts
             workspace: workspace
         params:
           - name: url
@@ -58,7 +60,9 @@ spec:
         taskRef:
           name: sast-snyk-check
         workspaces:
-          - name: workspace
+          - name: source
+            workspace: workspace
+          - name: artifacts
             workspace: workspace
       - name: build-container
         runAfter:
@@ -73,6 +77,8 @@ spec:
         workspaces:
           - name: source
             workspace: workspace
+          - name: artifacts
+            workspace: workspace
       - name: check-partner-tasks
         runAfter:
           - build-container

@@ -34,7 +34,9 @@ spec:
         taskRef:
           name: git-clone
         workspaces:
-          - name: output
+          - name: source
+            workspace: workspace
+          - name: artifacts
             workspace: workspace
       - name: build-container
         params:
@@ -48,6 +50,8 @@ spec:
           name: buildah
         workspaces:
           - name: source
+            emptyDir: {}
+          - name: artifacts
             workspace: workspace
       - name: build-bundles
         params:

@@ -84,7 +84,7 @@
     taskRef:
       name: acs-image-check
     workspaces:
-      - name: workspace
+      - name: source
         workspace: workspace
 - op: add
   path: /spec/tasks/-

@@ -30,6 +30,10 @@
     value: "$(params.image-expires-after)"
   - name: COMMIT_SHA
     value: "$(tasks.clone-repository.results.commit)"
+  - name: SOURCE_ARTIFACT
+    value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+  - name: CACHI2_ARTIFACT
+    value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
 - op: add
   path: /spec/results/-
   value:

@@ -28,6 +28,10 @@
     value: "$(params.image-expires-after)"
   - name: COMMIT_SHA
     value: "$(tasks.clone-repository.results.commit)"
+  - name: SOURCE_ARTIFACT
+    value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+  - name: CACHI2_ARTIFACT
+    value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
 - op: add
   path: /spec/tasks/-
   value:
@@ -70,7 +74,7 @@
     - name: BASE_IMAGE
       value: $(tasks.inspect-image.results.BASE_IMAGE)
     workspaces:
-      - name: workspace
+      - name: source
         workspace: workspace
 - op: add
   path: /spec/tasks/-
@@ -86,7 +90,7 @@
       name: fbc-related-image-check
       version: "0.1"
     workspaces:
-      - name: workspace
+      - name: source
         workspace: workspace
 # - op: remove
 #   # build-source-image as source images are not needed for FBC components

@@ -24,6 +24,10 @@
     value: "$(params.image-expires-after)"
   - name: COMMIT_SHA
     value: "$(tasks.clone-repository.results.commit)"
+  - name: SOURCE_ARTIFACT
+    value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+  - name: CACHI2_ARTIFACT
+    value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
 - op: add
   path: /spec/results/-
   value:

@@ -24,3 +24,7 @@
     value: "$(params.image-expires-after)"
   - name: COMMIT_SHA
     value: "$(tasks.clone-repository.results.commit)"
+  - name: SOURCE_ARTIFACT
+    value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+  - name: CACHI2_ARTIFACT
+    value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
@@ -49,7 +49,7 @@ spec:
       taskRef:
         name: git-clone
       workspaces:
-        - name: output
+        - name: source
           workspace: workspace
         - name: basic-auth
           workspace: git-auth

@@ -22,6 +22,10 @@ patches:
         value: $(params.output-image)
       - name: CONTEXT
         value: $(params.path-context)
+      - name: SOURCE_ARTIFACT
+        value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+      - name: CACHI2_ARTIFACT
+        value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
     # Remove tasks that assume a binary image
     - op: remove
       path: /spec/tasks/9  # sbom-json-check

@@ -81,18 +81,18 @@ spec:
         name: git-clone
         version: "0.1"
       workspaces:
-        - name: output
+        - name: source
           workspace: workspace
         - name: basic-auth
           workspace: git-auth
     - name: prefetch-dependencies
-      when:
-      - input: $(params.hermetic)
-        operator: in
-        values: ["true"]
       params:
         - name: input
           value: $(params.prefetch-input)
+        - name: hermetic
+          value: $(params.hermetic)
+        - name: SOURCE_ARTIFACT
+          value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
       runAfter:
         - clone-repository
       taskRef:
@@ -106,12 +106,17 @@ spec:
       - input: $(tasks.init.results.build)
         operator: in
         values: ["true"]
-      runAfter:
-        - prefetch-dependencies
+      params:
+        - name: SOURCE_ARTIFACT
+          value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+        - name: CACHI2_ARTIFACT
+          value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
       taskRef:
         name: $REPLACE_ME
       workspaces:
         - name: source
+          emptyDir: {}
+        - name: artifacts
           workspace: workspace
     - name: build-source-image
       when:
@@ -131,8 +136,14 @@ spec:
           value: "$(params.output-image)"
         - name: BASE_IMAGES
           value: "$(tasks.build-container.results.BASE_IMAGES_DIGESTS)"
+        - name: SOURCE_ARTIFACT
+          value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+        - name: CACHI2_ARTIFACT
+          value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
       workspaces:
-        - name: workspace
+        - name: source
+          emptyDir: {}
+        - name: artifacts
           workspace: workspace
     - name: deprecated-base-image-check
       when:
@@ -167,13 +178,20 @@ spec:
       - input: $(params.skip-checks)
         operator: in
         values: ["false"]
+      params:
+        - name: SOURCE_ARTIFACT
+          value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
+        - name: CACHI2_ARTIFACT
+          value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
       runAfter:
         - clone-repository
       taskRef:
         name: sast-snyk-check
         version: "0.1"
       workspaces:
-      - name: workspace
+      - name: source
+        emptyDir: {}
+      - name: artifacts
         workspace: workspace
     - name: clamav-scan
       when:

@@ -2,8 +2,8 @@
   path: /metadata/name
   value: buildah-10gb
 - op: replace
-  path: /spec/steps/0/computeResources/limits/memory
+  path: /spec/steps/1/computeResources/limits/memory
   value: 10Gi
 - op: replace
-  path: /spec/steps/0/computeResources/requests/memory
+  path: /spec/steps/1/computeResources/requests/memory
   value: 8Gi
@@ -2,8 +2,8 @@
   path: /metadata/name
   value: buildah-6gb
 - op: replace
-  path: /spec/steps/0/computeResources/limits/memory
+  path: /spec/steps/1/computeResources/limits/memory
   value: 6Gi
 - op: replace
-  path: /spec/steps/0/computeResources/requests/memory
+  path: /spec/steps/1/computeResources/requests/memory
   value: 4Gi
@@ -2,8 +2,8 @@
   path: /metadata/name
   value: buildah-8gb
 - op: replace
-  path: /spec/steps/0/computeResources/limits/memory
+  path: /spec/steps/1/computeResources/limits/memory
   value: 8Gi
 - op: replace
-  path: /spec/steps/0/computeResources/requests/memory
+  path: /spec/steps/1/computeResources/requests/memory
   value: 6Gi
@@ -69,6 +69,14 @@ spec:
     description: Target path on the container in which yum repository files should
       be made available
     name: YUM_REPOS_D_TARGET
+  - default: ""
+    description: The source trusted artifact URI
+    name: SOURCE_ARTIFACT
+    type: string
+  - default: ""
+    description: The prefetched dependencies trusted artifact URI
+    name: CACHI2_ARTIFACT
+    type: string
   - description: The platform to build on
     name: PLATFORM
     type: string
@@ -115,6 +123,15 @@ spec:
     - name: BUILDER_IMAGE
       value: $(params.BUILDER_IMAGE)
   steps:
+  - args:
+    - use
+    - --store
+    - $(workspaces.artifacts.path)
+    - $(params.SOURCE_ARTIFACT)=$(workspaces.source.path)/source
+    - $(params.CACHI2_ARTIFACT)=$(workspaces.source.path)/cachi2
+    computeResources: {}
+    image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:dbcf0102d0e9f21c2bcb06dcaa9af680cb9151f1984f5cec1fb397e1356ae771
+    name: use-trusted-artifact
   - computeResources:
       limits:
         memory: 4Gi
@@ -155,6 +172,7 @@ spec:
       fi
 
       rsync -ra $(workspaces.source.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/source/"
+      rsync -ra $(workspaces.artifacts.path)/ "$SSH_HOST:$BUILD_DIR/workspaces/artifacts/"
       rsync -ra "$HOME/.docker/" "$SSH_HOST:$BUILD_DIR/.docker/"
       rsync -ra "/tekton/results/" "$SSH_HOST:$BUILD_DIR/tekton-results/"
       cat >scripts/script-build.sh <<'REMOTESSHEOF'
@@ -276,11 +294,13 @@ spec:
        -e YUM_REPOS_D_TARGET="$YUM_REPOS_D_TARGET" \
        -e COMMIT_SHA="$COMMIT_SHA" \
        -v "$BUILD_DIR/workspaces/source:$(workspaces.source.path):Z" \
+       -v "$BUILD_DIR/workspaces/artifacts:$(workspaces.artifacts.path):Z" \
        -v "$BUILD_DIR/.docker/:/root/.docker:Z" \
        -v "$BUILD_DIR/tekton-results/:/tekton/results:Z" \
        -v $BUILD_DIR/scripts:/script:Z \
       --user=0  --rm  "$BUILDER_IMAGE" /script/script-build.sh
       rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/source/" "$(workspaces.source.path)/"
+      rsync -ra "$SSH_HOST:$BUILD_DIR/workspaces/artifacts/" "$(workspaces.artifacts.path)/"
       rsync -ra "$SSH_HOST:$BUILD_DIR/tekton-results/" "/tekton/results/"
       buildah pull oci:rhtap-final-image
       buildah images
@@ -452,3 +472,5 @@ spec:
   workspaces:
   - description: Workspace containing the source code to build.
     name: source
+  - description: The trusted artifact store
+    name: artifacts
@@ -28,6 +28,14 @@ spec:
     description: Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)
     name: TLSVERIFY
     type: string
+  - name: SOURCE_ARTIFACT
+    type: string
+    description: The source trusted artifact URI
+    default: ""
+  - name: CACHI2_ARTIFACT
+    type: string
+    description: The prefetched dependencies trusted artifact URI
+    default: ""
   results:
   - description: Digest of the image just built
     name: IMAGE_DIGEST
@@ -48,6 +56,14 @@ spec:
     - name: TLSVERIFY
       value: $(params.TLSVERIFY)
   steps:
+  - name: use-trusted-artifact
+    image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:dbcf0102d0e9f21c2bcb06dcaa9af680cb9151f1984f5cec1fb397e1356ae771
+    args:
+      - use
+      - --store
+      - $(workspaces.artifacts.path)
+      - $(params.SOURCE_ARTIFACT)=$(workspaces.source.path)/source
+      - $(params.CACHI2_ARTIFACT)=$(workspaces.source.path)/cachi2
   - name: build
     image: registry.access.redhat.com/ubi9/buildah@sha256:04fde77ea72c25b56efb3f71db809c5d7b09938130df2da9175a3c888b94043d
     script: |
@@ -172,3 +188,5 @@ spec:
   workspaces:
   - name: source
     description: Workspace containing the source code to build.
+  - name: artifacts
+    description: The trusted artifact store
@@ -66,6 +66,14 @@ spec:
   - name: YUM_REPOS_D_TARGET
     description: Target path on the container in which yum repository files should be made available
     default: /etc/yum.repos.d
+  - name: SOURCE_ARTIFACT
+    type: string
+    description: The source trusted artifact URI
+    default: ""
+  - name: CACHI2_ARTIFACT
+    type: string
+    description: The prefetched dependencies trusted artifact URI
+    default: ""
   results:
   - description: Digest of the image just built
     name: IMAGE_DIGEST
@@ -105,6 +113,14 @@ spec:
     - name: YUM_REPOS_D_TARGET
       value: $(params.YUM_REPOS_D_TARGET)
   steps:
+  - name: use-trusted-artifact
+    image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:dbcf0102d0e9f21c2bcb06dcaa9af680cb9151f1984f5cec1fb397e1356ae771
+    args:
+      - use
+      - --store
+      - $(workspaces.artifacts.path)
+      - $(params.SOURCE_ARTIFACT)=$(workspaces.source.path)/source
+      - $(params.CACHI2_ARTIFACT)=$(workspaces.source.path)/cachi2
   - image: $(params.BUILDER_IMAGE)
     # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
     # the cluster will set imagePullPolicy to IfNotPresent; our default param above specifies a digest
@@ -392,3 +408,5 @@ spec:
   workspaces:
   - name: source
     description: Workspace containing the source code to build.
+  - name: artifacts
+    description: The trusted artifact store