redhat-appstudio / build-definitions Goto Github PK
License: Apache License 2.0
redhat-appstudio/infra-deployments#53 (comment)
The following tekton manifests should consume pipeline definitions from https://quay.io/repository/redhat-appstudio/build-templates-bundle?tab=tags which are built off https://github.com/redhat-appstudio/build-definitions/tree/main/pipelines/build-templates-bundle
The task starts by downloading an SBOM to figure out the base images, but this doesn't work for multi-arch images unless you specify which SBOM to download.
It should probably download all of them and check all of them if it's a multi-arch image.
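As an added illustration of the point above (example code written for this page, not code from build-definitions or its tasks; the function names, the repository name and the sample index are constructed), the branching a task needs when the reference it was given resolves to an image index rather than a single manifest: one SBOM per platform manifest, each tagged cosign-style as sha256-<digest>.sbom, and all of them consulted before concluding anything about base images.

```python
import json

# Media types a registry may return for an image reference.
OCI_INDEX = "application/vnd.oci.image.index.v1+json"
DOCKER_LIST = "application/vnd.docker.distribution.manifest.list.v2+json"
OCI_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
DOCKER_MANIFEST = "application/vnd.docker.distribution.manifest.v2+json"

# Constructed sample: a two-platform OCI index plus the attestation manifest
# BuildKit adds with an "unknown/unknown" platform (it carries no SBOM itself).
SAMPLE_INDEX_JSON = json.dumps({
    "schemaVersion": 2,
    "mediaType": OCI_INDEX,
    "manifests": [
        {"mediaType": OCI_MANIFEST, "digest": "sha256:" + "11" * 32, "size": 1234,
         "platform": {"os": "linux", "architecture": "amd64"}},
        {"mediaType": OCI_MANIFEST, "digest": "sha256:" + "22" * 32, "size": 1234,
         "platform": {"os": "linux", "architecture": "arm64"}},
        {"mediaType": OCI_MANIFEST, "digest": "sha256:" + "33" * 32, "size": 567,
         "platform": {"os": "unknown", "architecture": "unknown"},
         "annotations": {"vnd.docker.reference.type": "attestation-manifest"}},
    ],
})


def sample_index():
    """Parse the constructed index as a registry client would."""
    return json.loads(SAMPLE_INDEX_JSON)


def sbom_tag(digest):
    """Tag under which cosign stores an attached SBOM: <algo>-<hex>.sbom."""
    algo, hexdigest = digest.split(":", 1)
    return f"{algo}-{hexdigest}.sbom"


def sbom_references(repo, manifest_digest, manifest):
    """List every SBOM that must be fetched for the image whose manifest
    document is `manifest` (its own digest being `manifest_digest`).
    Single-arch image: exactly one SBOM. Index / manifest list: one per
    platform manifest, and all of them have to be checked."""
    media_type = manifest.get("mediaType")
    if media_type in (OCI_INDEX, DOCKER_LIST):
        refs = []
        for entry in manifest.get("manifests", []):
            platform = entry.get("platform", {})
            if platform.get("os") == "unknown" and platform.get("architecture") == "unknown":
                continue  # BuildKit attestation manifest, not a runnable image
            refs.append({
                "platform": f"{platform.get('os')}/{platform.get('architecture')}",
                "digest": entry["digest"],
                "sbom": f"{repo}:{sbom_tag(entry['digest'])}",
            })
        if not refs:
            raise ValueError("index contains no platform manifests")
        return refs
    if media_type in (OCI_MANIFEST, DOCKER_MANIFEST):
        return [{"platform": None, "digest": manifest_digest,
                 "sbom": f"{repo}:{sbom_tag(manifest_digest)}"}]
    raise ValueError(f"unsupported mediaType: {media_type!r}")


def base_images_across_platforms(per_platform_base_images):
    """Given {platform: set of base-image refs} collected from each SBOM,
    return the union to check plus the platforms whose base images differ
    from that union, which is exactly what a single-SBOM lookup misses."""
    union = set().union(*per_platform_base_images.values())
    divergent = sorted(p for p, imgs in per_platform_base_images.items() if imgs != union)
    return union, divergent
```

Only the media type of the document actually returned for the reference decides the path; a tag that was pushed as a single manifest yesterday can resolve to an index after the next multi-arch build, so the dispatch has to run on every pipelinerun rather than being a task parameter.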
This repo creates multiple images for delivery into the app studio platform.
Default pipelines are delivered into quay.io/redhat-appstudio/build-templates-bundle
Base image for the ClusterTasks is in quay.io/redhat-appstudio/appstudio-utils
The versions for these images are maintained separately in each directory which leads to confusion
Options
I think we should do both -- and embed the automation in the .ci script for building and then installing new pipelines into app studio.
I am trying to use the build-definitions with https://github.com/openshift-pipelines/pipelines-service.
With some fixes in pipelines-service (https://github.com/openshift-pipelines/pipelines-service/compare/main...guillaumerose:builddef?expand=1), the PR is triggered but I hit an issue: ClusterTask doesn't exist on KCP and all definitions are using them.
How could we solve that?
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Started 29s PipelineRun
Warning Failed 27s PipelineRun Pipeline /noop can't be Run; it contains Tasks that don't exist: Couldn't retrieve Task "openshift-client": the server could not find the requested resource (get clustertasks.tekton.dev openshift-client)
Warning InternalError 27s PipelineRun 1 error occurred:
* Couldn't retrieve Task "openshift-client": the server could not find the requested resource (get clustertasks.tekton.dev openshift-client)
For RHTAS prodsec compliance, we have been asked to provide links to systems or documents where it is shown how SAST findings are analyzed and processed by the team. With the current Konflux configuration, it is not straightforward to do this. Snyk Code results are stored as pipeline results, but are not shipped anywhere else during a pipelinerun. It would be ideal for us if the snyk results could be published to snyk.io using the --report option for snyk code test. This feature appears to be in private beta, but it has been for about a year. Perhaps we could use it?
This is a request to include oras binaries in the appstudio-utils image from https://github.com/oras-project/oras/releases
Not sure if this is too experimental or if this is not the right place to include it but open to feedback.
In various contexts, we want to install packages into a sub directory of the root directory, and then use them as the root directory of a subsequent stage. Examples include:
In all of these cases, we really don't want to install into a bare directory - this will result in weirdness like redirections to /dev/null going into an actual file. The directory at least needs a skeleton /dev populated and would ideally have /proc and /sys as well.
There are two basic ways that this could be enabled:
1. Allow running buildah build with --cap-add=all --security-opt=label=disable; this is sufficient to allow the Containerfile to create its own mount namespace and populate the root directory itself.
2. Instead specify the install directory as a task parameter, and have the buildah task add something like:
   --device=/dev/null:"$INSTALL_ROOT"/dev/null
   --device=/dev/random:"$INSTALL_ROOT"/dev/random
   --device=/dev/urandom:"$INSTALL_ROOT"/dev/urandom
   --device=/dev/zero:"$INSTALL_ROOT"/dev/zero
The advantage of the first approach is that it is more flexible and satisfies some other needs for nested sandboxing [1]. It may be the only way that actually works for the bootc case [@cgwalters - is that right?]. On the other hand, the second approach is more obviously secure. [2]
[1] To delve some into this, if we were using buildah with user namespaces, then --cap-add=all would not be necessary since the Containerfile could create a nested user namespace where it had the SYS_ADMIN capability, and then create a mount namespace and set things up there. But with --isolation=chroot the run commands are being run in an active chroot, and the Linux kernel disables user namespace creation when a chroot is active, so we have to actually give the SYS_ADMIN capability to the subprocess so it can create a mount namespace.
[2] --cap-add=all will not compromise overall system security, since we're counting on the pod running the task for that, and buildah --isolation=chroot is already not that strong. And of course, an actual malicious component could specify their own pipeline with its own build steps already. The main weakness it introduces is that it could make it easier for malicious content pulled into the Containerfile during the build process to mess with the build artifacts and build metadata.
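As an added example (code written for this page, not code from the issue above or from build-definitions; the names check_install_root, buildah_device_args and NESTED_ROOT_DEVICES are hypothetical), the check a task could run on an install root before a later stage uses it as its root, alongside the --device list the second option would add to the buildah command line. The check distinguishes a missing node from the failure mode described above, a plain file sitting where /dev/null should be.

```python
import os
import stat
import tempfile

# Device nodes a minimal nested root needs (the set listed in the issue).
NESTED_ROOT_DEVICES = ("null", "random", "urandom", "zero")


def check_install_root(root, devices=NESTED_ROOT_DEVICES):
    """Return a list of problems; an empty list means every device under
    ROOT/dev exists and is a character device. A regular file at
    ROOT/dev/null is the case where `cmd > /dev/null` inside the nested
    root would silently write into an ordinary file."""
    problems = []
    for name in devices:
        path = os.path.join(root, "dev", name)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            problems.append(f"{path}: missing")
            continue
        if not stat.S_ISCHR(st.st_mode):
            problems.append(f"{path}: exists but is not a character device")
    return problems


def buildah_device_args(install_root, devices=NESTED_ROOT_DEVICES):
    """The --device options (second option above) that expose the host's
    device nodes inside INSTALL_ROOT/dev, ready to splice into buildah build."""
    return [f"--device=/dev/{name}:{install_root}/dev/{name}" for name in devices]


def demo():
    """Constructed scenario: a bare install root whose dev/null is a plain
    file and whose dev/zero is absent, compared with the host's real /dev."""
    with tempfile.TemporaryDirectory() as bare:
        os.makedirs(os.path.join(bare, "dev"))
        open(os.path.join(bare, "dev", "null"), "w").close()  # plain file, not a device
        bare_problems = check_install_root(bare, ("null", "zero"))
        host_problems = check_install_root("/", ("null",))
    return bare_problems, host_problems
```

The check only inspects file types, so it runs unprivileged inside the task; creating the nodes themselves is what needs either --device mappings from the task or a mount namespace inside the Containerfile, which is the trade-off the two options are about.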
Upon merge to https://github.com/redhat-appstudio/build-definitions , everything inside https://github.com/redhat-appstudio/build-definitions/tree/main/pipelines/build-templates-bundle should be built into a new bundle as deemed relevant.
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These problems occurred while renovating this repository.
Failed to look up docker package registry.redhat.io/openshift4/ose-tools-rhel8
Failed to look up docker package registry.redhat.io/openshift4/ose-cli
Could not determine new digest for update (datasource: docker). Files affected:
  .tekton/pull-request.yaml
  task/init/0.1/init.yaml
  task/s2i-java/0.1/s2i-java.yaml
  task/s2i-nodejs/0.1/s2i-nodejs.yaml
  task/summary/0.1/summary.yaml
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
.tekton/tasks/yaml-lint.yaml
appstudio-utils/Dockerfile
syft.Dockerfile
  registry.access.redhat.com/ubi8 8.7-1090
.github/workflows/shellspec.yaml
  actions/checkout v3
  jerop/tkn v0.1.0
.tekton/pull-request.yaml
  registry.redhat.io/openshift4/ose-tools-rhel8 v4.12
  registry.redhat.io/openshift4/ose-cli v4.12@sha256:9f0cdc00b1b1a3c17411e50653253b9f6bb5329ea4fb82ad983790a6dbf2d9ad
.tekton/push.yaml
.tekton/tasks/buildah.yaml
.tekton/tasks/yaml-lint.yaml
  docker.io/cytopia/yamllint 1.26@sha256:1bf8270a671a2e5f2fea8ac2e80164d627e0c5fa083759862bbde80628f942b2
task/buildah/0.1/buildah.yaml
  quay.io/redhat-appstudio/buildah v1.28
  quay.io/redhat-appstudio/syft v0.47.0
  registry.access.redhat.com/ubi9/python-39 1-108
  quay.io/redhat-appstudio/cosign v1.13.1
task/clair-scan/0.1/clair-scan.yaml
  quay.io/redhat-appstudio/hacbs-test v1.0.11@sha256:acf4e35adfbe16916d400f36b616236d872c2527c7618ffc6758ae930e353668
  quay.io/redhat-appstudio/hacbs-test v1.0.11@sha256:acf4e35adfbe16916d400f36b616236d872c2527c7618ffc6758ae930e353668
task/clamav-scan/0.1/clamav-scan.yaml
  quay.io/redhat-appstudio/hacbs-test v1.0.11@sha256:acf4e35adfbe16916d400f36b616236d872c2527c7618ffc6758ae930e353668
  quay.io/redhat-appstudio/hacbs-test v1.0.11@sha256:acf4e35adfbe16916d400f36b616236d872c2527c7618ffc6758ae930e353668
  quay.io/redhat-appstudio/hacbs-test v1.0.11@sha256:acf4e35adfbe16916d400f36b616236d872c2527c7618ffc6758ae930e353668
task/deprecated-image-check/0.1/deprecated-image-check.yaml
  registry.access.redhat.com/ubi8/ubi-minimal 8.7-1085@sha256:dc06ba83c6f47fc0a2bca516a9b99f1cf8ef37331fd460f4ca55579a815ee6cb
  quay.io/redhat-appstudio/hacbs-test v1.0.11@sha256:acf4e35adfbe16916d400f36b616236d872c2527c7618ffc6758ae930e353668
task/fbc-related-image-check/0.1/fbc-related-image-check.yaml
  quay.io/redhat-appstudio/hacbs-test v1.0.11@sha256:acf4e35adfbe16916d400f36b616236d872c2527c7618ffc6758ae930e353668
task/fbc-validation/0.1/fbc-validation.yaml
  quay.io/redhat-appstudio/hacbs-test v1.0.11@sha256:acf4e35adfbe16916d400f36b616236d872c2527c7618ffc6758ae930e353668
task/git-clone/0.1/git-clone.yaml
task/init/0.1/init.yaml
  registry.redhat.io/openshift4/ose-tools-rhel8 v4.12@sha256:253d042ecfad7b64593112a4aa3f528d39cb5fe738852e44f009db87964cf051
task/prefetch-dependencies/0.1/prefetch-dependencies.yaml
  quay.io/containerbuildsystem/cachi2 sha256:bd8abcd9782af134d3c0d2f91cd469424ce413195dcfc050a7321ae0b29f5507
task/s2i-java/0.1/s2i-java.yaml
  registry.redhat.io/ocp-tools-4-tech-preview/source-to-image-rhel8 sha256:637c15600359cb45bc01445b5e811b6240ca239f0ebfe406b50146e34f68f631
  quay.io/redhat-appstudio/syft v0.47.0
  registry.access.redhat.com/ubi8/python-39 1-105
  quay.io/redhat-appstudio/cosign v1.13.1
task/s2i-nodejs/0.1/s2i-nodejs.yaml
  registry.redhat.io/ocp-tools-4-tech-preview/source-to-image-rhel8 sha256:e518e05a730ae066e371a4bd36a5af9cedc8686fd04bd59648d20ea0a486d7e5
  quay.io/redhat-appstudio/syft v0.47.0
  registry.access.redhat.com/ubi9/python-39 1-108
  quay.io/redhat-appstudio/cosign v1.13.1
task/sanity-inspect-image/0.1/sanity-inspect-image.yaml
  quay.io/redhat-appstudio/hacbs-test v1.0.11@sha256:acf4e35adfbe16916d400f36b616236d872c2527c7618ffc6758ae930e353668
task/sanity-label-check/0.1/sanity-label-check.yaml
  quay.io/redhat-appstudio/hacbs-test v1.0.11@sha256:acf4e35adfbe16916d400f36b616236d872c2527c7618ffc6758ae930e353668
task/sast-go/0.1/sast-go.yaml
task/sast-java-sec-check/0.1/sast-java-sec-check.yaml
task/sast-snyk-check/0.1/sast-snyk-check.yaml
  quay.io/redhat-appstudio/hacbs-test v1.0.11@sha256:acf4e35adfbe16916d400f36b616236d872c2527c7618ffc6758ae930e353668
task/sbom-json-check/0.1/sbom-json-check.yaml
  quay.io/redhat-appstudio/hacbs-test v1.0.11@sha256:acf4e35adfbe16916d400f36b616236d872c2527c7618ffc6758ae930e353668
task/summary/0.1/summary.yaml
  registry.redhat.io/openshift4/ose-cli v4.12@sha256:9f0cdc00b1b1a3c17411e50653253b9f6bb5329ea4fb82ad983790a6dbf2d9ad
task/tkn-bundle/0.1/tkn-bundle.yaml
  quay.io/openshift-pipeline/openshift-pipelines-cli-tkn 1.10
task/update-infra-deployments/0.1/update-infra-deployments.yaml
  quay.io/chmouel/github-app-token sha256:b4f2af12e9beea68055995ccdbdb86cfe1be97688c618117e5da2243dc1da18e