From d63921424afe9731057de21ec17284edce4991f0 Mon Sep 17 00:00:00 2001
From: Misha Sugakov <537715+msugakov@users.noreply.github.com>
Date: Mon, 20 Jan 2025 11:43:01 +0100
Subject: [PATCH] ROX-27384: Use the updated `determine-image-tag` task (#1771)

---
 .../scripts/fail-build-if-git-is-dirty.sh | 34 -------------------
 .tekton/scanner-build.yaml | 9 +++--
 .tekton/scanner-component-pipeline.yaml | 6 ++--
 .tekton/scanner-db-build.yaml | 9 +++--
 .tekton/scanner-db-slim-build.yaml | 9 +++--
 .tekton/scanner-slim-build.yaml | 9 +++--
 image/scanner/rhel/konflux.Dockerfile | 2 --
 7 files changed, 20 insertions(+), 58 deletions(-)
 delete mode 100755 .konflux/scripts/fail-build-if-git-is-dirty.sh

diff --git a/.konflux/scripts/fail-build-if-git-is-dirty.sh b/.konflux/scripts/fail-build-if-git-is-dirty.sh
deleted file mode 100755
index 4ea829b66..000000000
--- a/.konflux/scripts/fail-build-if-git-is-dirty.sh
+++ /dev/null
@@ -1,34 +0,0 @@
-#!/usr/bin/env bash
-
-# This script works around the fact that RHTAP modifies Dockerfiles provided to it when prefetching dependencies is on.
-# RHTAP changes should stop happening after https://issues.redhat.com/browse/STONEBLD-1847
-# Additionally, the script returns no-zero if it detects any other changes to the git repo.
-#
-# If this script is not called and does not fail the build, things like `make tag` will produce `-dirty` suffix
-# (as in `4.3.x-63-g09e5188ab9-dirty`) which gets embedded as the version attribute in built binaries.
-#
-# The script MUST be executed only from within the Dockerfile (not outside of it) because binaries are built inside.
-
-set -euo pipefail
-
-# When executing in RHTAP (as opposed to the script ran directly), we undo RHTAP changes to Dockerfiles.
-# I found no better way to detect RHTAP than by checking the presence of cachi2.env file.
-if [[ -f /cachi2/cachi2.env ]]; then
- # We can safely restore dockerfiles because the modified version of dockerfile interpreted by docker/buildah stays
- # outside, and these are local copies inside of the build context.
- git restore "**/konflux.Dockerfile"
-fi
-
-# Next, make sure no other things that make it `-dirty` slipped through. If they did, fail the build.
-
-echo "Checking that files in git repo are not modified."
-echo "If this command fails, you should see the list of modified files below."
-echo "You need to find the reason and prevent it because otherwise the build results will be inconsistent."
-echo ""
-
-if git status --porcelain | grep -v "^??" | grep '.' >&2 ; then
- >&2 echo "ERROR: Modified files found."
- exit 2
-else
- echo "No modifications to git repo detected."
-fi
diff --git a/.tekton/scanner-build.yaml b/.tekton/scanner-build.yaml
index 2a8113455..f819f87a7 100644
--- a/.tekton/scanner-build.yaml
+++ b/.tekton/scanner-build.yaml
@@ -9,13 +9,12 @@ metadata:
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/max-keep-runs: "500"
 # TODO(ROX-21073): re-enable for all PR branches
- pipelinesascode.tekton.dev/on-cel-expression: (
- event == "push" && (
- source_branch == "master" ||
- target_branch.startsWith("refs/tags/")
- )
+ pipelinesascode.tekton.dev/on-cel-expression: |
+ (
+ event == "push" && target_branch.matches("^(master|release-.*|refs/tags/.*)$")
 ) || (
 event == "pull_request" && (
+ target_branch.startsWith("release-") ||
 source_branch.matches("(konflux|renovate|appstudio|rhtap)") ||
 body.pull_request.labels.exists(l, l.name == "konflux-build")
 )
diff --git a/.tekton/scanner-component-pipeline.yaml b/.tekton/scanner-component-pipeline.yaml
index b040fcf20..9de51776c 100644
--- a/.tekton/scanner-component-pipeline.yaml
+++ b/.tekton/scanner-component-pipeline.yaml
@@ -188,12 +188,14 @@ spec:
 value: $(params.output-tag-suffix)
 - name: SOURCE_ARTIFACT
 value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
+ - name: SOURCE_BRANCH
+ value: '{{source_branch}}'
 taskRef:
 params:
 - name: name
 value: determine-image-tag
 - name: bundle
- value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:098fb3f43bd32d61874e67adc830cae0845f59fbc06cb52ddcc820f5c2c8be2d
+ value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:7b7c2f3c1a73190d50f3d2ce68077f44981596f491a52b5d7450a2f717050a11
 - name: kind
 value: task
 resolver: bundles
@@ -215,7 +217,7 @@ spec:
 - name: name
 value: fetch-scanner-v2-data
 - name: bundle
- value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:098fb3f43bd32d61874e67adc830cae0845f59fbc06cb52ddcc820f5c2c8be2d
+ value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:7b7c2f3c1a73190d50f3d2ce68077f44981596f491a52b5d7450a2f717050a11
 - name: kind
 value: task
 resolver: bundles
diff --git a/.tekton/scanner-db-build.yaml b/.tekton/scanner-db-build.yaml
index fd2b10bf3..88259a0ba 100644
--- a/.tekton/scanner-db-build.yaml
+++ b/.tekton/scanner-db-build.yaml
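Review bot: The added `target_branch.startsWith("release-") ||` in the pull_request branch makes every PR aimed at a release branch start a build run regardless of source branch or label, whereas the two pre-existing conditions gate on a branch-name pattern or a maintainer-applied label. Whether that also lets PRs from forks start a run depends on Pipelines-as-Code's contributor policy, which this file does not show; that is worth confirming and recording next to the expression, e.g. `# release-* PRs build unconditionally; fork PRs remain subject to PAC's contributor/ok-to-test policy`. The same expression is changed identically in scanner-db-build.yaml, scanner-db-slim-build.yaml and scanner-slim-build.yaml, so any later tightening has to be applied in all four places.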
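Review bot: The new SOURCE_BRANCH param hands `'{{source_branch}}'`, substituted verbatim from the webhook event, to determine-image-tag with no validation in this pipeline, so the task behind the bumped bundle digest is the only place a branch name chosen by whoever opened the PR gets constrained. If the task derives an image tag from that value it has to reduce it to the OCI tag alphabet (`[a-zA-Z0-9_][a-zA-Z0-9._-]{0,127}`) and treat it as data rather than let a shell evaluate it; that cannot be checked from this diff because the task definition lives in the bundle. A comment on the param would pin the contract, e.g. `# raw branch name from the PR event; determine-image-tag must sanitize it before use as a tag`. The task entry this params list belongs to starts above the hunk; the second hunk only moves fetch-scanner-v2-data to the same bundle digest.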
@@ -9,13 +9,12 @@ metadata:
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/max-keep-runs: "500"
 # TODO(ROX-21073): re-enable for all PR branches
- pipelinesascode.tekton.dev/on-cel-expression: (
- event == "push" && (
- source_branch == "master" ||
- target_branch.startsWith("refs/tags/")
- )
+ pipelinesascode.tekton.dev/on-cel-expression: |
+ (
+ event == "push" && target_branch.matches("^(master|release-.*|refs/tags/.*)$")
 ) || (
 event == "pull_request" && (
+ target_branch.startsWith("release-") ||
 source_branch.matches("(konflux|renovate|appstudio|rhtap)") ||
 body.pull_request.labels.exists(l, l.name == "konflux-build")
 )
diff --git a/.tekton/scanner-db-slim-build.yaml b/.tekton/scanner-db-slim-build.yaml
index a02bd0956..7543c52fe 100644
--- a/.tekton/scanner-db-slim-build.yaml
+++ b/.tekton/scanner-db-slim-build.yaml
@@ -9,13 +9,12 @@ metadata:
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/max-keep-runs: "500"
 # TODO(ROX-21073): re-enable for all PR branches
- pipelinesascode.tekton.dev/on-cel-expression: (
- event == "push" && (
- source_branch == "master" ||
- target_branch.startsWith("refs/tags/")
- )
+ pipelinesascode.tekton.dev/on-cel-expression: |
+ (
+ event == "push" && target_branch.matches("^(master|release-.*|refs/tags/.*)$")
 ) || (
 event == "pull_request" && (
+ target_branch.startsWith("release-") ||
 source_branch.matches("(konflux|renovate|appstudio|rhtap)") ||
 body.pull_request.labels.exists(l, l.name == "konflux-build")
 )
diff --git a/.tekton/scanner-slim-build.yaml b/.tekton/scanner-slim-build.yaml
index 18f48e1fd..40872b4d5 100644
--- a/.tekton/scanner-slim-build.yaml
+++ b/.tekton/scanner-slim-build.yaml
@@ -9,13 +9,12 @@ metadata:
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/max-keep-runs: "500"
 # TODO(ROX-21073): re-enable for all PR branches
- pipelinesascode.tekton.dev/on-cel-expression: (
- event == "push" && (
- source_branch == "master" ||
- target_branch.startsWith("refs/tags/")
- )
+ pipelinesascode.tekton.dev/on-cel-expression: |
+ (
+ event == "push" && target_branch.matches("^(master|release-.*|refs/tags/.*)$")
 ) || (
 event == "pull_request" && (
+ target_branch.startsWith("release-") ||
 source_branch.matches("(konflux|renovate|appstudio|rhtap)") ||
 body.pull_request.labels.exists(l, l.name == "konflux-build")
 )
diff --git a/image/scanner/rhel/konflux.Dockerfile b/image/scanner/rhel/konflux.Dockerfile
index 731cd1125..6056d080b 100644
--- a/image/scanner/rhel/konflux.Dockerfile
+++ b/image/scanner/rhel/konflux.Dockerfile
@@ -19,8 +19,6 @@ ENV CI=1
 COPY . /src
 WORKDIR /src
 
-RUN .konflux/scripts/fail-build-if-git-is-dirty.sh
-
 RUN unzip -j .konflux/scanner-data/blob-repo2cpe.zip -d image/scanner/dump/repo2cpe && \
 unzip -j .konflux/scanner-data/blob-k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \
 unzip -j .konflux/scanner-data/blob-nvd-definitions.zip -d image/scanner/dump/nvd_definitions