Include tash in the Task bundle build #1039

Merged
merged 4 commits into from
Jun 12, 2024
13 changes: 13 additions & 0 deletions .github/workflows/check-ta.yaml
@@ -0,0 +1,13 @@
name: Validate PR - Trusted Artifact variants
'on':
pull_request:
branches: [main]
jobs:
go:
name: Check Trusted Artifact variants
runs-on: ubuntu-latest
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Check Trusted Artifact variants
run: hack/generate-ta-tasks.sh
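Review bot: the single check step `run: hack/generate-ta-tasks.sh` relies on the script's own fallback to fetch a `tash` binary from a `latest` release URL when `tash` is not on PATH, and on `ubuntu-latest` it never will be, so every pull_request run downloads and executes an unpinned binary at run time. Add an explicit install step before the check that fetches a tagged `tash` release and verifies its sha256 against a digest committed in this repo, so an upstream change to the `latest` asset cannot silently change what this validation produces or accepts. Minor: `actions/checkout@v4` is pinned by major tag only; pinning to a commit SHA is the usual hardening for a workflow that runs on every pull request.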
58 changes: 58 additions & 0 deletions hack/generate-ta-tasks.sh
@@ -0,0 +1,58 @@
#!/usr/bin/env bash

set -o errexit
set -o nounset
set -o pipefail
set -o posix

shopt -s globstar nullglob

HACK_DIR="$(realpath "$(dirname "${BASH_SOURCE[0]}")")"
TASK_DIR="$(realpath "${HACK_DIR}/../task")"

if ! command -v tash &> /dev/null; then
echo INFO: tash command is not available will download and use the latest version
tash_dir="$(mktemp -d)"
trap 'rm -rf ${tash_dir}' EXIT
tash_url=https://github.com/enterprise-contract/hacks/releases/download/latest/tash
echo INFO: downloading from ${tash_url} to "${tash_dir}"
curl --no-progress-meter --location --output "${tash_dir}/tash" "${tash_url}"
echo INFO: SHA256: "$(sha256sum "${tash_dir}/tash")"
chmod +x "${tash_dir}/tash"
tash() {
"${tash_dir}/tash" "$@"
}
fi

declare -i changes=0
emit() {
if [ "${GITHUB_ACTIONS:-false}" == "true" ]; then
printf "::error file=%s,line=1,col=0::%s\n" "$1" "$2"
else
printf "INFO: \033[1m%s\033[0m %s\n" "$1" "$2"
fi
changes=$((changes + 1))
}


cd "${TASK_DIR}"
for recipe_path in **/recipe.yaml; do
task_path="${recipe_path%/recipe.yaml}/$(basename "${recipe_path%/*/*}").yaml"
tash "${recipe_path}" > "${task_path}"
readme_path="${recipe_path%/recipe.yaml}/README.md"
"${HACK_DIR}/generate-readme.sh" "${task_path}" > "${readme_path}"
if ! git diff --quiet HEAD "${task_path}"; then
emit "task/${task_path}" "file is out of date and has been updated"
fi
if ! git diff --quiet HEAD "${readme_path}"; then
emit "task/${readme_path}" "file is out of date and has been updated"
fi
done

if [[ ${changes} -gt 0 ]]; then
if [ "${GITHUB_ACTIONS:-false}" == "true" ]; then
exit 1
else
printf "INFO: \033[1mMake sure to include the regenerated files in your changeset\033[0m\n"
fi
fi
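Review bot: the download at `curl --no-progress-meter --location --output "${tash_dir}/tash" "${tash_url}"` has no `--fail`, so an HTTP error response (a 404 page, for example) is written to `${tash_dir}/tash` with exit status 0, `errexit` never fires, and the failure only surfaces later as a confusing error from `tash "${recipe_path}"`; add `--fail`. Related: `echo INFO: SHA256: "$(sha256sum "${tash_dir}/tash")"` prints the digest but never compares it to anything, and `tash_url` points at a moving `latest` release, so this gives an audit trail but no integrity check; pin a release tag and run `sha256sum --check` against a digest committed to the repo. Nits: quote the variable in the trap (`trap 'rm -rf "${tash_dir}"' EXIT`), and `tash "${recipe_path}" > "${task_path}"` truncates the task file before `tash` runs, so if `tash` fails the script exits (pipefail/errexit) leaving an empty `${task_path}` in the working tree; writing to a temp file and moving it into place avoids that.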
30 changes: 16 additions & 14 deletions task/buildah-oci-ta/0.1/README.md
Expand Up @@ -8,31 +8,33 @@ When prefetch-dependencies task was activated it is using its artifacts to run b
## Parameters
|name|description|default value|required|
|---|---|---|---|
|IMAGE|Reference of the image buildah will produce.||true|
|SOURCE_ARTIFACT|The trusted artifact URI containing the application source code.||true|
|CACHI2_ARTIFACT|The trusted artifact URI containing the prefetched dependencies.|""|false|
|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false|
|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false|
|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false|
|CACHI2_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.|""|false|
|COMMIT_SHA|The image is built from this commit.|""|false|
|CONTEXT|Path to the directory to use as context.|.|false|
|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false|
|DOCKERFILE|Path to the Dockerfile to build.|./Dockerfile|false|
|DOCKER_AUTH|unused, should be removed in next task version|""|false|
|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false|
|HERMETIC|Determines if build will be executed without network access.|false|false|
|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false|
|IMAGE|Reference of the image buildah will produce.||true|
|IMAGE_EXPIRES_AFTER|Delete image tag after specified time. Empty means to keep the image tag. Time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.|""|false|
|COMMIT_SHA|The image is built from this commit.|""|false|
|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false|
|PREFETCH_INPUT|In case it is not empty, the prefetched content should be made available to the build.|""|false|
|SOURCE_ARTIFACT|The Trusted Artifact URI pointing to the artifact with the application source code.||true|
|TARGET_STAGE|Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false|
|TLSVERIFY|Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)|true|false|
|YUM_REPOS_D_FETCHED|Path in source workspace where dynamically-fetched repos are present|fetched.repos.d|false|
|YUM_REPOS_D_SRC|Path in the git repository in which yum repository files are stored|repos.d|false|
|YUM_REPOS_D_TARGET|Target path on the container in which yum repository files should be made available|/etc/yum.repos.d|false|
|TARGET_STAGE|Target stage in Dockerfile to build. If not specified, the Dockerfile is processed entirely to (and including) its last stage.|""|false|
|ENTITLEMENT_SECRET|Name of secret which contains the entitlement certificates|etc-pki-entitlement|false|
|BUILD_ARGS|Array of --build-arg values ("arg=value" strings)|[]|false|
|BUILD_ARGS_FILE|Path to a file with build arguments, see https://www.mankier.com/1/buildah-build#--build-arg-file|""|false|
|caTrustConfigMapKey|The name of the key in the ConfigMap that contains the CA bundle data.|ca-bundle.crt|false|
|caTrustConfigMapName|The name of the ConfigMap to read CA bundle data from.|trusted-ca|false|

## Results
|name|description|
|---|---|
|BASE_IMAGES_DIGESTS|Digests of the base images used for build|
|IMAGE_DIGEST|Digest of the image just built|
|IMAGE_URL|Image repository where the built image was pushed|
|BASE_IMAGES_DIGESTS|Digests of the base images used for build|
|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format|
|JAVA_COMMUNITY_DEPENDENCIES|The Java dependencies that came from community sources such as Maven central.|
|SBOM_JAVA_COMPONENTS_COUNT|The counting of Java components by publisher in JSON format|
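Review bot: the regenerated table is sorted case-sensitively, so `caTrustConfigMapKey` and `caTrustConfigMapName` land after the upper-case names; that matches what `generate-readme.sh` emits and is fine to leave. One documentation point: `CACHI2_ARTIFACT` now reads "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies." while `PREFETCH_INPUT` still says "the prefetched content should be made available to the build." without saying how; a short cross-reference in the task YAML description stating that `CACHI2_ARTIFACT` is how that content reaches the `-oci-ta` variant would make the regenerated README self-explanatory.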
