diff --git a/.github/workflows/dependabot-deps.yaml b/.github/workflows/dependabot-deps.yaml index eb1c4b622..1057c024a 100644 --- a/.github/workflows/dependabot-deps.yaml +++ b/.github/workflows/dependabot-deps.yaml @@ -14,7 +14,7 @@ jobs: if: ${{ github.actor == 'dependabot[bot]' }} steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@v6 with: ref: ${{ github.head_ref }} path: ./src/github.com/${{ github.repository }} diff --git a/.konflux/applications/serverless-operator-135/components/kn-backstage-plugins-eventmesh-115.yaml b/.konflux/applications/serverless-operator-135/components/kn-backstage-plugins-eventmesh-115.yaml index ebe9689a7..ed9301190 100755 --- a/.konflux/applications/serverless-operator-135/components/kn-backstage-plugins-eventmesh-115.yaml +++ b/.konflux/applications/serverless-operator-135/components/kn-backstage-plugins-eventmesh-115.yaml @@ -7,8 +7,7 @@ metadata: name: kn-backstage-plugins-eventmesh-115 spec: componentName: kn-backstage-plugins-eventmesh-115 - application: serverless-operator-135 - + application: serverless-operator-135 source: git: url: https://github.com/openshift-knative/backstage-plugins.git diff --git a/.konflux/applications/serverless-operator-135/components/kn-backstage-plugins-migrate-115.yaml b/.konflux/applications/serverless-operator-135/components/kn-backstage-plugins-migrate-115.yaml index 2f752b40f..824da44fc 100755 --- a/.konflux/applications/serverless-operator-135/components/kn-backstage-plugins-migrate-115.yaml +++ b/.konflux/applications/serverless-operator-135/components/kn-backstage-plugins-migrate-115.yaml @@ -7,8 +7,7 @@ metadata: name: kn-backstage-plugins-migrate-115 spec: componentName: kn-backstage-plugins-migrate-115 - application: serverless-operator-135 - + application: serverless-operator-135 source: git: url: https://github.com/openshift-knative/backstage-plugins.git 
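Review bot: `actions/checkout@v6` is still referenced by a mutable tag, in a job that checks out `${{ github.head_ref }}`, so whatever the tag points to at run time executes with this job's token. Pinning the action to a full commit SHA with the version in a trailing comment, `uses: actions/checkout@<full-commit-sha>  # v6` (placeholder; take the SHA from the upstream release), keeps Dependabot updates working and makes the reference immutable. This is a jump of two major versions, so it is also worth checking that the later steps of the job, which are outside the hunk, do not rely on v4 behaviour, for example how checkout credentials are persisted for a later push.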
diff --git a/.konflux/applications/serverless-operator-135/components/kn-backstage-plugins-test-eventshub-115.yaml b/.konflux/applications/serverless-operator-135/components/kn-backstage-plugins-test-eventshub-115.yaml index 28a0e4d36..920491c0e 100755 --- a/.konflux/applications/serverless-operator-135/components/kn-backstage-plugins-test-eventshub-115.yaml +++ b/.konflux/applications/serverless-operator-135/components/kn-backstage-plugins-test-eventshub-115.yaml @@ -7,8 +7,7 @@ metadata: name: kn-backstage-plugins-test-eventshub-115 spec: componentName: kn-backstage-plugins-test-eventshub-115 - application: serverless-operator-135 - + application: serverless-operator-135 source: git: url: https://github.com/openshift-knative/backstage-plugins.git diff --git a/.tekton/docker-build.yaml b/.tekton/docker-build.yaml index 32e55159d..eabbe31cb 100755 --- a/.tekton/docker-build.yaml +++ b/.tekton/docker-build.yaml @@ -1,7 +1,6 @@ apiVersion: tekton.dev/v1 kind: Pipeline metadata: - creationTimestamp: labels: pipelines.openshift.io/runtime: generic pipelines.openshift.io/strategy: docker 
@@ -13,27 +12,14 @@ spec: _Uses `buildah` to create a multi-platform container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. This pipeline requires that the [multi platform controller](https://github.com/konflux-ci/multi-platform-controller) is deployed and configured on your Konflux instance. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://conforma.dev/docs/policy/packages/release_trusted_task.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks. This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta?tab=tags)_ - finally: - - name: show-sbom - params: - - name: IMAGE_URL - value: $(tasks.build-image-index.results.IMAGE_URL) - taskRef: - params: - - name: name - value: show-sbom - - name: bundle - value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:beb0616db051952b4b861dd8c3e00fa1c0eccbd926feddf71194d3bb3ace9ce7 - - name: kind - value: task - resolver: bundles params: - default: - linux/x86_64 - linux/arm64 - linux/ppc64le - linux/s390x - description: List of platforms to build the container images on. The available set of values is determined by the configuration of the multi-platform-controller. + description: List of platforms to build the container images on. The available + set of values is determined by the configuration of the multi-platform-controller. name: build-platforms type: array - default: --all-projects --org=3e1a4cca-ebfb-495f-b64c-3cc960d566b4 --exclude=test*,vendor,third_party 
@@ -45,7 +31,8 @@ spec: name: build-source-image type: string - default: "false" - description: 'Enable in-development package managers. WARNING: the behavior may change at any time without notice. Use at your own risk.' + description: 'Enable in-development package managers. WARNING: the behavior may + change at any time without notice. Use at your own risk.' name: prefetch-input-dev-package-managers - default: [] description: Additional image tags @@ -62,17 +49,15 @@ spec: name: output-image type: string - default: . - description: Path to the source code of an application's component from where to build image. + description: Path to the source code of an application's component from where + to build image. name: path-context type: string - default: Dockerfile - description: Path to the Dockerfile inside the context specified by parameter path-context + description: Path to the Dockerfile inside the context specified by parameter + path-context name: dockerfile type: string - - default: "false" - description: Force rebuild image - name: rebuild - type: string - default: "false" description: Skip checks against built image name: skip-checks 
@@ -82,17 +67,34 @@ spec: name: hermetic type: string - default: "" - description: Build dependencies to be prefetched by Cachi2 + description: Build dependencies to be prefetched name: prefetch-input type: string - default: "" - description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively. + description: Image tag expiration time, time values could be something like 1h, + 2d, 3w for hours, days, and weeks, respectively. name: image-expires-after type: string - default: "true" description: Add built image into an OCI image index name: build-image-index type: string + - default: docker + description: The format for the resulting image's mediaType. Valid values are + oci or docker. + name: buildah-format + type: string + - default: "false" + description: Enable cache proxy configuration + name: enable-cache-proxy + - default: "true" + description: Use the package registry proxy when prefetching dependencies + name: enable-package-registry-proxy + - default: . + description: Target directories in component's source code to scan with SAST tools. + Multiple values should be separated with commas. + name: sast-target-dirs + type: string - default: [] description: Array of --build-arg values ("arg=value" strings) for buildah name: build-args @@ -102,13 +104,10 @@ spec: name: build-args-file type: string - default: "false" - description: Whether to enable privileged mode, should be used only with remote VMs + description: Whether to enable privileged mode, should be used only with remote + VMs name: privileged-nested type: string - - name: enable-cache-proxy - default: 'false' - description: Enable cache proxy configuration - type: string results: - description: "" name: IMAGE_URL 
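Review bot: The relocated `enable-cache-proxy` and the new `enable-package-registry-proxy` parameters are declared without `type: string`, unlike `buildah-format` and `sast-target-dirs` in the same hunk and unlike the `enable-cache-proxy` declaration that the following hunk removes. Tekton treats an omitted type as string, so behaviour should not change, but adding `type: string` under both `name:` lines keeps the declarations explicit and uniform. `enable-package-registry-proxy` also defaults to `"true"`, so dependency prefetch goes through the proxy unless a PipelineRun opts out; the description could state that default and when it should be turned off.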
@@ -131,6 +130,8 @@ spec: value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) + - name: TARGET_DIRS + value: $(params.sast-target-dirs) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT @@ -157,6 +158,8 @@ spec: value: $(params.prefetch-input-dev-package-managers) - name: input value: $(params.prefetch-input) + - name: enable-package-registry-proxy + value: $(params.enable-package-registry-proxy) - name: SOURCE_ARTIFACT value: $(tasks.clone-repository.results.SOURCE_ARTIFACT) - name: ociStorage @@ -200,12 +203,6 @@ spec: resolver: bundles - name: init params: - - name: image-url - value: $(params.output-image) - - name: rebuild - value: $(params.rebuild) - - name: skip-checks - value: $(params.skip-checks) - name: enable-cache-proxy value: $(params.enable-cache-proxy) taskRef: @@ -238,11 +235,6 @@ spec: - name: kind value: task resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" workspaces: - name: basic-auth workspace: git-auth @@ -274,16 +266,20 @@ spec: value: $(params.build-args-file) - name: PRIVILEGED_NESTED value: $(params.privileged-nested) + - name: SOURCE_URL + value: $(tasks.clone-repository.results.url) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) + - name: HTTP_PROXY + value: $(tasks.init.results.http-proxy) + - name: NO_PROXY + value: $(tasks.init.results.no-proxy) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT) - name: IMAGE_APPEND_PLATFORM value: "true" - - name: HTTP_PROXY - value: $(tasks.init.results.http-proxy) - - name: NO_PROXY - value: $(tasks.init.results.no-proxy) runAfter: - prefetch-dependencies taskRef: 
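Review bot: The task calls in these hunks change their parameter lists (`TARGET_DIRS`, `enable-package-registry-proxy`, `SOURCE_URL` and `BUILDAH_FORMAT` added; `image-url`, `rebuild` and `skip-checks` dropped from `init`, together with the `when` guards on `$(tasks.init.results.build)`), yet the only `bundle` reference this diff touches is `rpms-signature-scan`. Tekton rejects a run that omits a parameter the resolved task declares without a default, so if the pinned `init` bundle still expects `image-url` the pipeline would fail at validation; whether the added parameters are accepted likewise depends on the pinned task versions. Please confirm that each pinned digest matches the interface used here, or update the digests in the same commit; the same applies to the `BUILDAH_FORMAT`, `matrix` and `TARGET_DIRS` hunks further down. The `taskRef` blocks lie outside these hunks, so this cannot be checked from the diff alone.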
@@ -295,24 +291,17 @@ spec: - name: kind value: task resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - name: build-image-index params: - name: IMAGE value: $(params.output-image) - - name: COMMIT_SHA - value: $(tasks.clone-repository.results.commit) - - name: IMAGE_EXPIRES_AFTER - value: $(params.image-expires-after) - name: ALWAYS_BUILD_INDEX value: $(params.build-image-index) - name: IMAGES value: - $(tasks.build-images.results.IMAGE_REF[*]) + - name: BUILDAH_FORMAT + value: $(params.buildah-format) runAfter: - build-images taskRef: @@ -324,11 +313,6 @@ spec: - name: kind value: task resolver: bundles - when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - name: build-source-image params: - name: BINARY_IMAGE @@ -351,10 +335,6 @@ spec: value: task resolver: bundles when: - - input: $(tasks.init.results.build) - operator: in - values: - - "true" - input: $(params.build-source-image) operator: in values: @@ -408,7 +388,12 @@ spec: operator: in values: - "false" - - name: ecosystem-cert-preflight-checks + - matrix: + params: + - name: platform + value: + - $(params.build-platforms) + name: ecosystem-cert-preflight-checks params: - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) @@ -461,6 +446,8 @@ spec: value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) + - name: TARGET_DIRS + value: $(params.sast-target-dirs) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT @@ -487,6 +474,8 @@ spec: value: $(tasks.build-image-index.results.IMAGE_DIGEST) - name: image-url value: $(tasks.build-image-index.results.IMAGE_URL) + - name: TARGET_DIRS + value: $(params.sast-target-dirs) - name: SOURCE_ARTIFACT value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT) - name: CACHI2_ARTIFACT 
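Review bot: `build-image-index` no longer receives `IMAGE_EXPIRES_AFTER` (nor `COMMIT_SHA`), while the pipeline still declares the `image-expires-after` parameter in the context of an earlier hunk. If the pinned `build-image-index` task is what applies the expiry to the index, index images from pull-request builds would stop expiring and accumulate in the registry. Either keep `- name: IMAGE_EXPIRES_AFTER` with `value: $(params.image-expires-after)`, or confirm that the pinned task version no longer takes these parameters and that the expiry is set elsewhere. The task's `taskRef` is outside the hunk.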
@@ -543,7 +532,7 @@ spec: - name: name value: rpms-signature-scan - name: bundle - value: quay.io/konflux-ci/konflux-vanguard/task-rpms-signature-scan:0.2@sha256:7d1c087d7d33dd97effb3b4c9f3788e4c3138da2032040d69da6929e9a3aaceb + value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:41720da9dfe26f33b0bdc46bbf8667a27dae4790d8e5c5f4412224658de7b213 - name: kind value: task resolver: bundles diff --git a/.tekton/kn-backstage-plugins-eventmesh-115-pull-request.yaml b/.tekton/kn-backstage-plugins-eventmesh-115-pull-request.yaml index 3b0656530..8e98539af 100755 --- a/.tekton/kn-backstage-plugins-eventmesh-115-pull-request.yaml +++ b/.tekton/kn-backstage-plugins-eventmesh-115-pull-request.yaml @@ -21,7 +21,7 @@ spec: value: openshift/ci-operator/knative-images/eventmesh/Dockerfile - name: build-args value: - - GO_BUILDER=brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.22 + - GO_BUILDER=brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.25 - GO_RUNTIME=registry.access.redhat.com/ubi8/ubi-minimal - JAVA_BUILDER=registry.access.redhat.com/ubi8/openjdk-21 - JAVA_RUNTIME=registry.access.redhat.com/ubi8/openjdk-21-runtime diff --git a/.tekton/kn-backstage-plugins-eventmesh-115-push.yaml b/.tekton/kn-backstage-plugins-eventmesh-115-push.yaml index d8e9ebd1e..dfd57a329 100755 --- a/.tekton/kn-backstage-plugins-eventmesh-115-push.yaml +++ b/.tekton/kn-backstage-plugins-eventmesh-115-push.yaml @@ -20,7 +20,7 @@ spec: value: openshift/ci-operator/knative-images/eventmesh/Dockerfile - name: build-args value: - - GO_BUILDER=brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.22 + - GO_BUILDER=brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.25 - GO_RUNTIME=registry.access.redhat.com/ubi8/ubi-minimal - JAVA_BUILDER=registry.access.redhat.com/ubi8/openjdk-21 - JAVA_RUNTIME=registry.access.redhat.com/ubi8/openjdk-21-runtime 
diff --git a/.tekton/kn-backstage-plugins-migrate-115-pull-request.yaml b/.tekton/kn-backstage-plugins-migrate-115-pull-request.yaml index 60baccdd1..97ea4d442 100755 --- a/.tekton/kn-backstage-plugins-migrate-115-pull-request.yaml +++ b/.tekton/kn-backstage-plugins-migrate-115-pull-request.yaml @@ -21,7 +21,7 @@ spec: value: openshift/ci-operator/knative-images/migrate/Dockerfile - name: build-args value: - - GO_BUILDER=brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.22 + - GO_BUILDER=brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.25 - GO_RUNTIME=registry.access.redhat.com/ubi8/ubi-minimal - JAVA_BUILDER=registry.access.redhat.com/ubi8/openjdk-21 - JAVA_RUNTIME=registry.access.redhat.com/ubi8/openjdk-21-runtime diff --git a/.tekton/kn-backstage-plugins-migrate-115-push.yaml b/.tekton/kn-backstage-plugins-migrate-115-push.yaml index 466c57f5c..e8c70fc37 100755 --- a/.tekton/kn-backstage-plugins-migrate-115-push.yaml +++ b/.tekton/kn-backstage-plugins-migrate-115-push.yaml @@ -20,7 +20,7 @@ spec: value: openshift/ci-operator/knative-images/migrate/Dockerfile - name: build-args value: - - GO_BUILDER=brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.22 + - GO_BUILDER=brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.25 - GO_RUNTIME=registry.access.redhat.com/ubi8/ubi-minimal - JAVA_BUILDER=registry.access.redhat.com/ubi8/openjdk-21 - JAVA_RUNTIME=registry.access.redhat.com/ubi8/openjdk-21-runtime diff --git a/.tekton/kn-backstage-plugins-test-eventshub-115-pull-request.yaml b/.tekton/kn-backstage-plugins-test-eventshub-115-pull-request.yaml index 5c83002d7..681cc9aed 100755 --- a/.tekton/kn-backstage-plugins-test-eventshub-115-pull-request.yaml +++ b/.tekton/kn-backstage-plugins-test-eventshub-115-pull-request.yaml 
@@ -21,7 +21,7 @@ spec: value: openshift/ci-operator/knative-test-images/eventshub/Dockerfile - name: build-args value: - - GO_BUILDER=brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.22 + - GO_BUILDER=brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.25 - GO_RUNTIME=registry.access.redhat.com/ubi8/ubi-minimal - JAVA_BUILDER=registry.access.redhat.com/ubi8/openjdk-21 - JAVA_RUNTIME=registry.access.redhat.com/ubi8/openjdk-21-runtime diff --git a/.tekton/kn-backstage-plugins-test-eventshub-115-push.yaml b/.tekton/kn-backstage-plugins-test-eventshub-115-push.yaml index bcf1580a5..05674cb1d 100755 --- a/.tekton/kn-backstage-plugins-test-eventshub-115-push.yaml +++ b/.tekton/kn-backstage-plugins-test-eventshub-115-push.yaml @@ -20,7 +20,7 @@ spec: value: openshift/ci-operator/knative-test-images/eventshub/Dockerfile - name: build-args value: - - GO_BUILDER=brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.22 + - GO_BUILDER=brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_8_golang_1.25 - GO_RUNTIME=registry.access.redhat.com/ubi8/ubi-minimal - JAVA_BUILDER=registry.access.redhat.com/ubi8/openjdk-21 - JAVA_RUNTIME=registry.access.redhat.com/ubi8/openjdk-21-runtime diff --git a/openshift/ci-operator/build-image/Dockerfile b/openshift/ci-operator/build-image/Dockerfile index c141d4fb9..f6d27d29f 100755 --- a/openshift/ci-operator/build-image/Dockerfile +++ b/openshift/ci-operator/build-image/Dockerfile @@ -3,7 +3,7 @@ FROM registry.ci.openshift.org/ocp/4.17:cli-artifacts as tools # Dockerfile to bootstrap build and test in openshift-ci -FROM registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.22-openshift-4.17 as builder +FROM registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.25-openshift-4.21 as builder ARG TARGETARCH 
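Review bot: In `openshift/ci-operator/build-image/Dockerfile` the `builder` stage moves to the `openshift-4.21` release image, while the `tools` stage in the hunk's context still pulls `registry.ci.openshift.org/ocp/4.17:cli-artifacts`, so the build image combines 4.17 CLI artifacts with a 4.21 toolchain. If that is not deliberate, bump the first stage in the same change, e.g. `FROM registry.ci.openshift.org/ocp/4.21:cli-artifacts as tools` (assuming that tag is published); if it is deliberate, a one-line comment above the stage saying why would help. Both stages are referenced by floating tags, so a rebuild can pick up different content without a diff here. The rest of the Dockerfile is outside the hunk.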
diff --git a/openshift/ci-operator/knative-images/eventmesh/Dockerfile b/openshift/ci-operator/knative-images/eventmesh/Dockerfile index ead6a0e3d..b5d1840f8 100755 --- a/openshift/ci-operator/knative-images/eventmesh/Dockerfile +++ b/openshift/ci-operator/knative-images/eventmesh/Dockerfile @@ -1,5 +1,5 @@ # DO NOT EDIT! Generated Dockerfile for backends/cmd/eventmesh. -ARG GO_BUILDER=registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.22-openshift-4.17 +ARG GO_BUILDER=registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.25-openshift-4.21 ARG GO_RUNTIME=registry.access.redhat.com/ubi8/ubi-minimal FROM $GO_BUILDER as builder @@ -22,14 +22,17 @@ COPY LICENSE /licenses/ USER 65532 LABEL \ - com.redhat.component="openshift-serverless-1-backstage-plugins-eventmesh-rhel8-container" \ - name="openshift-serverless-1/backstage-plugins-eventmesh-rhel8" \ + com.redhat.component="openshift-serverless-1-kn-backstage-plugins-eventmesh-rhel8-container" \ + name="openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8" \ version=$VERSION \ summary="Red Hat OpenShift Serverless 1 Backstage Plugins Eventmesh" \ maintainer="serverless-support@redhat.com" \ description="Red Hat OpenShift Serverless 1 Backstage Plugins Eventmesh" \ io.k8s.display-name="Red Hat OpenShift Serverless 1 Backstage Plugins Eventmesh" \ io.k8s.description="Red Hat OpenShift Serverless Backstage Plugins Eventmesh" \ - io.openshift.tags="eventmesh" - + io.openshift.tags="eventmesh" \ + vendor="Red Hat, Inc." \ + release=$VERSION \ + cpe="cpe:/a:redhat:openshift_serverless:1.35::el8" + ENTRYPOINT ["/usr/bin/eventmesh"] diff --git a/openshift/ci-operator/knative-images/migrate/Dockerfile b/openshift/ci-operator/knative-images/migrate/Dockerfile index 9ff04d2f4..4d7495a62 100755 --- a/openshift/ci-operator/knative-images/migrate/Dockerfile +++ b/openshift/ci-operator/knative-images/migrate/Dockerfile 
@@ -1,5 +1,5 @@ # DO NOT EDIT! Generated Dockerfile for vendor/knative.dev/pkg/apiextensions/storageversion/cmd/migrate. -ARG GO_BUILDER=registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.22-openshift-4.17 +ARG GO_BUILDER=registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.25-openshift-4.21 ARG GO_RUNTIME=registry.access.redhat.com/ubi8/ubi-minimal FROM $GO_BUILDER as builder @@ -30,6 +30,9 @@ LABEL \ description="Red Hat OpenShift Serverless 1 Backstage Plugins Migrate" \ io.k8s.display-name="Red Hat OpenShift Serverless 1 Backstage Plugins Migrate" \ io.k8s.description="Red Hat OpenShift Serverless Backstage Plugins Migrate" \ - io.openshift.tags="migrate" - + io.openshift.tags="migrate" \ + vendor="Red Hat, Inc." \ + release=$VERSION \ + cpe="cpe:/a:redhat:openshift_serverless:1.35::el8" + ENTRYPOINT ["/usr/bin/migrate"] diff --git a/openshift/ci-operator/knative-test-images/eventshub/Dockerfile b/openshift/ci-operator/knative-test-images/eventshub/Dockerfile index 9a289efe4..0de748ad2 100755 --- a/openshift/ci-operator/knative-test-images/eventshub/Dockerfile +++ b/openshift/ci-operator/knative-test-images/eventshub/Dockerfile @@ -1,5 +1,5 @@ # DO NOT EDIT! Generated Dockerfile for vendor/knative.dev/reconciler-test/cmd/eventshub. -ARG GO_BUILDER=registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.22-openshift-4.17 +ARG GO_BUILDER=registry.ci.openshift.org/openshift/release:rhel-8-release-golang-1.25-openshift-4.21 ARG GO_RUNTIME=registry.access.redhat.com/ubi8/ubi-minimal FROM $GO_BUILDER as builder 
@@ -30,6 +30,9 @@ LABEL \ description="Red Hat OpenShift Serverless 1 Backstage Plugins Eventshub" \ io.k8s.display-name="Red Hat OpenShift Serverless 1 Backstage Plugins Eventshub" \ io.k8s.description="Red Hat OpenShift Serverless Backstage Plugins Eventshub" \ - io.openshift.tags="eventshub" - + io.openshift.tags="eventshub" \ + vendor="Red Hat, Inc." \ + release=$VERSION \ + cpe="cpe:/a:redhat:openshift_serverless:1.35::el8" + ENTRYPOINT ["/usr/bin/eventshub"]