
run clamav konflux build step in parallel #975


Open
jiridanek opened this issue Mar 20, 2025 · 1 comment

Comments

@jiridanek
Member

jiridanek commented Mar 20, 2025

https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1742920180542049

apiVersion: tekton.dev/v1
kind: PipelineRun
metadata:
  generateName: codeserver-ubi9-python-3-11-on-pull-request-
  annotations:
    pipelinesascode.tekton.dev/state: started
    pipelinesascode.tekton.dev/source-branch: jd_sandboxed_tekton_pipelines
    pipelinesascode.tekton.dev/repo-url: 'https://github.com/opendatahub-io/notebooks'
    pipelinesascode.tekton.dev/sha-title: 'RHOAIENG-18400: chore(.tekton/): request some greater resources'
    results.tekton.dev/recordSummaryAnnotations: '{"repo":"notebooks","commit":"aabf68ec9bfa538b7d07125583d4579936a9ed81","eventType":"pull_request","pull_request-id":969}'
    pipelinesascode.tekton.dev/sender: jiridanek
    pipelinesascode.tekton.dev/git-auth-secret: pac-gitauth-qtflzq
    test.appstudio.openshift.io/create-groupsnapshot-status: build PLR cuda-jupyter-tensorflow-ubi9-python-3-11-on-pull-request-6gpv5 failed for component cuda-jupyter-tensorflow-ubi9-python-3-11 so it can't be added to the group Snapshot for PR group jd_sandboxed_tekton_pipelines
    build.appstudio.openshift.io/repo: 'https://github.com/opendatahub-io/notebooks?rev=aabf68ec9bfa538b7d07125583d4579936a9ed81'
    pipelinesascode.tekton.dev/controller-info: '{"name":"default","configmap":"pipelines-as-code","secret":"pipelines-as-code-secret", "gRepo": "pipelines-as-code"}'
    pipelinesascode.tekton.dev/check-run-id: '39107678385'
    pipelinesascode.tekton.dev/cancel-in-progress: 'true'
    pipelinesascode.tekton.dev/branch: main
    test.appstudio.openshift.io/pr-group: jd_sandboxed_tekton_pipelines
    pipelinesascode.tekton.dev/log-url: 'https://console.redhat.com/application-pipeline/ns/rhoai-ide-konflux-tenant/pipelinerun/codeserver-ubi9-python-3-11-on-pull-request-d6gtb'
    build.appstudio.redhat.com/target_branch: main
    pipelinesascode.tekton.dev/url-org: opendatahub-io
    pipelinesascode.tekton.dev/source-repo-url: 'https://github.com/jiridanek/notebooks'
    pipelinesascode.tekton.dev/max-keep-runs: '3'
    pipelinesascode.tekton.dev/original-prname: codeserver-ubi9-python-3-11-on-pull-request
    build.appstudio.redhat.com/pull_request_number: '969'
    pipelinesascode.tekton.dev/pull-request: '969'
    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main" && ( "codeserver/ubi9-python-3.11/Pipfile.lock".pathChanged() || "codeserver/ubi9-python-3.11/nginx/api/***".pathChanged() || "codeserver/ubi9-python-3.11/nginx/httpconf/***".pathChanged() || "codeserver/ubi9-python-3.11/nginx/root/***".pathChanged() || "codeserver/ubi9-python-3.11/nginx/serverconf/***".pathChanged() || "codeserver/ubi9-python-3.11/run-code-server.sh".pathChanged() || "codeserver/ubi9-python-3.11/run-nginx.sh".pathChanged() || "codeserver/ubi9-python-3.11/supervisord/supervisord.conf".pathChanged() || "codeserver/ubi9-python-3.11/utils/***".pathChanged() || ".tekton/codeserver-ubi9-python-3-11-pull-request.yaml".pathChanged() || "codeserver/ubi9-python-3.11/Dockerfile.cpu".pathChanged() ) && has(body.repository) && body.repository.full_name == "opendatahub-io/notebooks"
    pipelinesascode.tekton.dev/url-repository: notebooks
    test.appstudio.openshift.io/snapshot-creation-report: BuildPLRInProgress
    pipelinesascode.tekton.dev/repository: jupyter-minimal-ubi9-python-3-11
    pipelinesascode.tekton.dev/sha: aabf68ec9bfa538b7d07125583d4579936a9ed81
    pipelinesascode.tekton.dev/sha-url: 'https://github.com/opendatahub-io/notebooks/commit/aabf68ec9bfa538b7d07125583d4579936a9ed81'
    pipelinesascode.tekton.dev/git-provider: github
    pipelinesascode.tekton.dev/installation-id: '55725832'
    pipelinesascode.tekton.dev/event-type: pull_request
    build.appstudio.redhat.com/commit_sha: aabf68ec9bfa538b7d07125583d4579936a9ed81
  resourceVersion: '3421156610'
  name: codeserver-ubi9-python-3-11-on-pull-request-d6gtb
  uid: 306a91bb-8b45-4760-973c-29b9c534f831
  creationTimestamp: '2025-03-20T12:40:59Z'
  generation: 1
  managedFields:
    - apiVersion: tekton.dev/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:finalizers':
            .: {}
            'v:"chains.tekton.dev/pipelinerun"': {}
      manager: openshift-pipelines-chains-controller
      operation: Update
      time: '2025-03-20T12:40:59Z'
    - apiVersion: tekton.dev/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            'f:pipelinesascode.tekton.dev/controller-info': {}
            'f:pipelinesascode.tekton.dev/pull-request': {}
            'f:pipelinesascode.tekton.dev/url-repository': {}
            'f:pipelinesascode.tekton.dev/repository': {}
            'f:pipelinesascode.tekton.dev/url-org': {}
            'f:build.appstudio.redhat.com/target_branch': {}
            'f:pipelinesascode.tekton.dev/git-provider': {}
            'f:pipelinesascode.tekton.dev/source-repo-url': {}
            'f:pipelinesascode.tekton.dev/log-url': {}
            'f:pipelinesascode.tekton.dev/max-keep-runs': {}
            'f:pipelinesascode.tekton.dev/event-type': {}
            'f:build.appstudio.redhat.com/commit_sha': {}
            'f:pipelinesascode.tekton.dev/original-prname': {}
            'f:pipelinesascode.tekton.dev/on-cel-expression': {}
            'f:build.appstudio.redhat.com/pull_request_number': {}
            .: {}
            'f:pipelinesascode.tekton.dev/sha': {}
            'f:pipelinesascode.tekton.dev/repo-url': {}
            'f:pipelinesascode.tekton.dev/sha-url': {}
            'f:pipelinesascode.tekton.dev/installation-id': {}
            'f:pipelinesascode.tekton.dev/sender': {}
            'f:results.tekton.dev/recordSummaryAnnotations': {}
            'f:pipelinesascode.tekton.dev/state': {}
            'f:pipelinesascode.tekton.dev/source-branch': {}
            'f:pipelinesascode.tekton.dev/sha-title': {}
            'f:build.appstudio.openshift.io/repo': {}
            'f:pipelinesascode.tekton.dev/git-auth-secret': {}
            'f:pipelinesascode.tekton.dev/branch': {}
            'f:pipelinesascode.tekton.dev/check-run-id': {}
            'f:pipelinesascode.tekton.dev/cancel-in-progress': {}
          'f:generateName': {}
          'f:labels':
            'f:pipelinesascode.tekton.dev/pull-request': {}
            'f:pipelinesascode.tekton.dev/url-repository': {}
            'f:pipelines.appstudio.openshift.io/type': {}
            'f:pipelinesascode.tekton.dev/repository': {}
            'f:app.kubernetes.io/managed-by': {}
            'f:appstudio.openshift.io/application': {}
            'f:pipelinesascode.tekton.dev/url-org': {}
            'f:pipelinesascode.tekton.dev/event-type': {}
            'f:pipelinesascode.tekton.dev/original-prname': {}
            .: {}
            'f:pipelinesascode.tekton.dev/sha': {}
            'f:pipelinesascode.tekton.dev/state': {}
            'f:appstudio.openshift.io/component': {}
            'f:app.kubernetes.io/version': {}
            'f:pipelinesascode.tekton.dev/check-run-id': {}
        'f:spec':
          .: {}
          'f:params': {}
          'f:pipelineSpec':
            .: {}
            'f:description': {}
            'f:finally': {}
            'f:params': {}
            'f:results': {}
            'f:tasks': {}
            'f:workspaces': {}
          'f:taskRunSpecs': {}
          'f:taskRunTemplate': {}
          'f:timeouts':
            .: {}
            'f:pipeline': {}
          'f:workspaces': {}
      manager: pipelines-as-code-controller
      operation: Update
      time: '2025-03-20T12:40:59Z'
    - apiVersion: tekton.dev/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:finalizers':
            'v:"pipelinesascode.tekton.dev"': {}
      manager: pipelines-as-code-watcher
      operation: Update
      time: '2025-03-20T12:40:59Z'
    - apiVersion: tekton.dev/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:labels':
            'f:tekton.dev/pipeline': {}
      manager: openshift-pipelines-controller
      operation: Update
      time: '2025-03-20T12:51:34Z'
    - apiVersion: tekton.dev/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            'f:test.appstudio.openshift.io/create-groupsnapshot-status': {}
            'f:test.appstudio.openshift.io/pr-group': {}
            'f:test.appstudio.openshift.io/snapshot-creation-report': {}
          'f:finalizers':
            'v:"test.appstudio.openshift.io/pipelinerun"': {}
          'f:labels':
            'f:test.appstudio.openshift.io/pr-group-sha': {}
      manager: manager
      operation: Update
      time: '2025-03-20T12:51:36Z'
    - apiVersion: tekton.dev/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:labels':
            'f:pipelineservice.appstudio.io/throttled': {}
      manager: exporter
      operation: Update
      time: '2025-03-20T12:52:07Z'
    - apiVersion: tekton.dev/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:status':
          .: {}
          'f:childReferences': {}
          'f:conditions': {}
          'f:pipelineSpec':
            .: {}
            'f:description': {}
            'f:finally': {}
            'f:params': {}
            'f:results': {}
            'f:tasks': {}
            'f:workspaces': {}
          'f:skippedTasks': {}
          'f:spanContext':
            .: {}
            'f:traceparent': {}
          'f:startTime': {}
      manager: openshift-pipelines-controller
      operation: Update
      subresource: status
      time: '2025-03-20T12:56:41Z'
  namespace: rhoai-ide-konflux-tenant
  finalizers:
    - chains.tekton.dev/pipelinerun
    - pipelinesascode.tekton.dev
    - test.appstudio.openshift.io/pipelinerun
  labels:
    pipelinesascode.tekton.dev/state: started
    appstudio.openshift.io/component: codeserver-ubi9-python-3-11
    pipelineservice.appstudio.io/throttled: codeserver-ubi9-python-3-11-on-b3ffeb351fc9bb220cf303851ee1a65a
    app.kubernetes.io/version: v0.31.0
    tekton.dev/pipeline: codeserver-ubi9-python-3-11-on-pull-request-d6gtb
    app.kubernetes.io/managed-by: pipelinesascode.tekton.dev
    pipelinesascode.tekton.dev/check-run-id: '39107678385'
    test.appstudio.openshift.io/pr-group-sha: e2b2443c8ca9f8cae59318537f6edc0cb602917e2d29945ddc1853eeae6187
    appstudio.openshift.io/application: notebooks
    pipelinesascode.tekton.dev/url-org: opendatahub-io
    pipelinesascode.tekton.dev/original-prname: codeserver-ubi9-python-3-11-on-pull-request
    pipelinesascode.tekton.dev/pull-request: '969'
    pipelines.appstudio.openshift.io/type: build
    pipelinesascode.tekton.dev/url-repository: notebooks
    pipelinesascode.tekton.dev/repository: jupyter-minimal-ubi9-python-3-11
    pipelinesascode.tekton.dev/sha: aabf68ec9bfa538b7d07125583d4579936a9ed81
    pipelinesascode.tekton.dev/event-type: pull_request
spec:
  params:
    - name: git-url
      value: 'https://github.com/jiridanek/notebooks'
    - name: revision
      value: aabf68ec9bfa538b7d07125583d4579936a9ed81
    - name: output-image
      value: 'quay.io/redhat-user-workloads/rhoai-ide-konflux-tenant/codeserver-ubi9-python-3-11:on-pr-aabf68ec9bfa538b7d07125583d4579936a9ed81'
    - name: image-expires-after
      value: 5d
    - name: build-platforms
      value:
        - linux/x86_64
    - name: dockerfile
      value: codeserver/ubi9-python-3.11/Dockerfile.cpu
  pipelineSpec:
    description: |
      This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.

      _Uses `buildah` to create a multi-platform container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. This pipeline requires that the [multi platform controller](https://github.com/konflux-ci/multi-platform-controller) is deployed and configured on your Konflux instance. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks.
      This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta?tab=tags)_
    finally:
      - name: show-sbom
        params:
          - name: IMAGE_URL
            value: $(tasks.build-image-index.results.IMAGE_URL)
        taskRef:
          params:
            - name: name
              value: show-sbom
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:04f15cbce548e1db7770eee3f155ccb2cc0140a6c371dc67e9a34d83673ea0c0'
            - name: kind
              value: task
          resolver: bundles
    params:
      - description: Source Repository URL
        name: git-url
        type: string
      - default: ''
        description: Revision of the Source Repository
        name: revision
        type: string
      - description: Fully Qualified Output Image
        name: output-image
        type: string
      - default: .
        description: Path to the source code of an application's component from where to build image.
        name: path-context
        type: string
      - default: Dockerfile
        description: Path to the Dockerfile inside the context specified by parameter path-context
        name: dockerfile
        type: string
      - default: 'false'
        description: Force rebuild image
        name: rebuild
        type: string
      - default: 'false'
        description: Skip checks against built image
        name: skip-checks
        type: string
      - default: 'false'
        description: Execute the build with network isolation
        name: hermetic
        type: string
      - default: ''
        description: Build dependencies to be prefetched by Cachi2
        name: prefetch-input
        type: string
      - default: ''
        description: 'Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.'
        name: image-expires-after
        type: string
      - default: 'false'
        description: Build a source image.
        name: build-source-image
        type: string
      - default: 'true'
        description: Add built image into an OCI image index
        name: build-image-index
        type: string
      - default: []
        description: Array of --build-arg values ("arg=value" strings) for buildah
        name: build-args
        type: array
      - default: ''
        description: 'Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file'
        name: build-args-file
        type: string
      - default:
          - linux/x86_64
        description: List of platforms to build the container images on. The available set of values is determined by the configuration of the multi-platform-controller.
        name: build-platforms
        type: array
    results:
      - description: ''
        name: IMAGE_URL
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - description: ''
        name: IMAGE_DIGEST
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      - description: ''
        name: CHAINS-GIT_URL
        value: $(tasks.clone-repository.results.url)
      - description: ''
        name: CHAINS-GIT_COMMIT
        value: $(tasks.clone-repository.results.commit)
    tasks:
      - name: init
        params:
          - name: image-url
            value: $(params.output-image)
          - name: rebuild
            value: $(params.rebuild)
          - name: skip-checks
            value: $(params.skip-checks)
        taskRef:
          params:
            - name: name
              value: init
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:2f59e9a3c20ce4509356389d327087213cc82c079b30811935837791da140f9f'
            - name: kind
              value: task
          resolver: bundles
      - name: clone-repository
        params:
          - name: url
            value: $(params.git-url)
          - name: revision
            value: $(params.revision)
          - name: ociStorage
            value: $(params.output-image).git
          - name: ociArtifactExpiresAfter
            value: $(params.image-expires-after)
        runAfter:
          - init
        taskRef:
          params:
            - name: name
              value: git-clone-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:9709088bf3c581d4763e9804d9ee3a1f06ad6a61c23237277057c4f0cdc4f9c3'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(tasks.init.results.build)
            operator: in
            values:
              - 'true'
        workspaces:
          - name: basic-auth
            workspace: git-auth
      - name: prefetch-dependencies
        params:
          - name: input
            value: $(params.prefetch-input)
          - name: SOURCE_ARTIFACT
            value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
          - name: ociStorage
            value: $(params.output-image).prefetch
          - name: ociArtifactExpiresAfter
            value: $(params.image-expires-after)
        runAfter:
          - clone-repository
        taskRef:
          params:
            - name: name
              value: prefetch-dependencies-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:786a6601c654a48e32ea51b2636982d2e096da3027ea701009ca956b74a7d400'
            - name: kind
              value: task
          resolver: bundles
        workspaces:
          - name: git-basic-auth
            workspace: git-auth
          - name: netrc
            workspace: netrc
      - matrix:
          params:
            - name: PLATFORM
              value:
                - $(params.build-platforms)
        name: build-images
        params:
          - name: IMAGE
            value: $(params.output-image)
          - name: DOCKERFILE
            value: $(params.dockerfile)
          - name: CONTEXT
            value: $(params.path-context)
          - name: HERMETIC
            value: $(params.hermetic)
          - name: PREFETCH_INPUT
            value: $(params.prefetch-input)
          - name: IMAGE_EXPIRES_AFTER
            value: $(params.image-expires-after)
          - name: COMMIT_SHA
            value: $(tasks.clone-repository.results.commit)
          - name: BUILD_ARGS
            value:
              - '$(params.build-args[*])'
          - name: BUILD_ARGS_FILE
            value: $(params.build-args-file)
          - name: SOURCE_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
          - name: CACHI2_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
          - name: IMAGE_APPEND_PLATFORM
            value: 'true'
        runAfter:
          - prefetch-dependencies
        taskRef:
          params:
            - name: name
              value: buildah-remote-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:58fb95e010b84e3b7949972a07c98d25fea68b474759891ac6ac539f325b0581'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(tasks.init.results.build)
            operator: in
            values:
              - 'true'
      - name: build-image-index
        params:
          - name: IMAGE
            value: $(params.output-image)
          - name: COMMIT_SHA
            value: $(tasks.clone-repository.results.commit)
          - name: IMAGE_EXPIRES_AFTER
            value: $(params.image-expires-after)
          - name: ALWAYS_BUILD_INDEX
            value: $(params.build-image-index)
          - name: IMAGES
            value:
              - '$(tasks.build-images.results.IMAGE_REF[*])'
        runAfter:
          - build-images
        taskRef:
          params:
            - name: name
              value: build-image-index
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:d34e4245b767c5b1b5edbbad9fc9cf8050cf19a69c8e55856479848405c596ec'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(tasks.init.results.build)
            operator: in
            values:
              - 'true'
      - name: build-source-image
        params:
          - name: BINARY_IMAGE
            value: $(params.output-image)
          - name: SOURCE_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
          - name: CACHI2_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: source-build-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:ea2316bcef60fdbc6d89bb34d343d9157e89e786504fb68e223c04a7486d9e91'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(tasks.init.results.build)
            operator: in
            values:
              - 'true'
          - input: $(params.build-source-image)
            operator: in
            values:
              - 'true'
      - name: deprecated-base-image-check
        params:
          - name: IMAGE_URL
            value: $(tasks.build-image-index.results.IMAGE_URL)
          - name: IMAGE_DIGEST
            value: $(tasks.build-image-index.results.IMAGE_DIGEST)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: deprecated-image-check
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:5d63b920b71192906fe4d6c4903f594e6f34c5edcff9d21714a08b5edcfbc667'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(params.skip-checks)
            operator: in
            values:
              - 'false'
      - name: clair-scan
        params:
          - name: image-digest
            value: $(tasks.build-image-index.results.IMAGE_DIGEST)
          - name: image-url
            value: $(tasks.build-image-index.results.IMAGE_URL)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: clair-scan
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:d1ef571fe836984101e2d7f1611a2b7c8c0f8e7d5ad3d9b997fc511f9fd66af6'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(params.skip-checks)
            operator: in
            values:
              - 'false'
      - name: ecosystem-cert-preflight-checks
        params:
          - name: image-url
            value: $(tasks.build-image-index.results.IMAGE_URL)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: ecosystem-cert-preflight-checks
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:50668bab78fcf8aa02d3820a46354d4a125d80eff26fa07f9c23ea58b5e7088e'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(params.skip-checks)
            operator: in
            values:
              - 'false'
      - name: sast-snyk-check
        params:
          - name: image-digest
            value: $(tasks.build-image-index.results.IMAGE_DIGEST)
          - name: image-url
            value: $(tasks.build-image-index.results.IMAGE_URL)
          - name: SOURCE_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
          - name: CACHI2_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: sast-snyk-check-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:916d7187fdbf20d003db9c673d6cc0c583f4750606c75bf2d9e9c27815b3fcdb'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(params.skip-checks)
            operator: in
            values:
              - 'false'
      - name: clamav-scan
        params:
          - name: image-digest
            value: $(tasks.build-image-index.results.IMAGE_DIGEST)
          - name: image-url
            value: $(tasks.build-image-index.results.IMAGE_URL)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: clamav-scan
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:e24eb00ffdb7b45da1c9e1c98f65d68e9f13fd3fce4a4aa9e51df0c7aea14854'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(params.skip-checks)
            operator: in
            values:
              - 'false'
      - name: sast-coverity-check
        params:
          - name: image-url
            value: $(tasks.build-image-index.results.IMAGE_URL)
          - name: IMAGE
            value: $(params.output-image)
          - name: DOCKERFILE
            value: $(params.dockerfile)
          - name: CONTEXT
            value: $(params.path-context)
          - name: HERMETIC
            value: $(params.hermetic)
          - name: PREFETCH_INPUT
            value: $(params.prefetch-input)
          - name: IMAGE_EXPIRES_AFTER
            value: $(params.image-expires-after)
          - name: COMMIT_SHA
            value: $(tasks.clone-repository.results.commit)
          - name: BUILD_ARGS
            value:
              - '$(params.build-args[*])'
          - name: BUILD_ARGS_FILE
            value: $(params.build-args-file)
          - name: SOURCE_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
          - name: CACHI2_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
        runAfter:
          - coverity-availability-check
        taskRef:
          params:
            - name: name
              value: sast-coverity-check-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.2@sha256:32c4d3e795ca141f3f10dbca20c77a4860083006c2b4dffa95ee6b703a9c4810'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(params.skip-checks)
            operator: in
            values:
              - 'false'
          - input: $(tasks.coverity-availability-check.results.STATUS)
            operator: in
            values:
              - success
      - name: coverity-availability-check
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: coverity-availability-check
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:0b35292eed661c5e3ca307c0ba7f594d17555db2a1da567903b0b47697fa23ed'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(params.skip-checks)
            operator: in
            values:
              - 'false'
      - name: sast-shell-check
        params:
          - name: image-digest
            value: $(tasks.build-image-index.results.IMAGE_DIGEST)
          - name: image-url
            value: $(tasks.build-image-index.results.IMAGE_URL)
          - name: SOURCE_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
          - name: CACHI2_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: sast-shell-check-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:4b704fa3a3f56a350dd93df506e2d13d102202f124548604877377db2c4c9c22'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(params.skip-checks)
            operator: in
            values:
              - 'false'
      - name: sast-unicode-check
        params:
          - name: image-url
            value: $(tasks.build-image-index.results.IMAGE_URL)
          - name: SOURCE_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
          - name: CACHI2_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: sast-unicode-check-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.1@sha256:424f2f659c02998dc3a43e1ce869e3148982c59adb74f953f8fa91ff1c9ab86e'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(params.skip-checks)
            operator: in
            values:
              - 'false'
      - name: apply-tags
        params:
          - name: IMAGE
            value: $(tasks.build-image-index.results.IMAGE_URL)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: apply-tags
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:e1d365ce85d6448f6ebd0d0a000d0f45b694950b7545a2c34bfbcf992c80df61'
            - name: kind
              value: task
          resolver: bundles
      - name: push-dockerfile
        params:
          - name: IMAGE
            value: $(tasks.build-image-index.results.IMAGE_URL)
          - name: IMAGE_DIGEST
            value: $(tasks.build-image-index.results.IMAGE_DIGEST)
          - name: DOCKERFILE
            value: $(params.dockerfile)
          - name: CONTEXT
            value: $(params.path-context)
          - name: SOURCE_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: push-dockerfile-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:a89354ee3fb942a4ce635767dfd6a1fcf47da796c3b984c996190d2965bb6e84'
            - name: kind
              value: task
          resolver: bundles
      - name: rpms-signature-scan
        params:
          - name: image-url
            value: $(tasks.build-image-index.results.IMAGE_URL)
          - name: image-digest
            value: $(tasks.build-image-index.results.IMAGE_DIGEST)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: rpms-signature-scan
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:1ed16be7d66040bb7eb04c4b252345ff658e1dbdca8274ae7885126ab2214ad1'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(params.skip-checks)
            operator: in
            values:
              - 'false'
    workspaces:
      - name: git-auth
        optional: true
      - name: netrc
        optional: true
  taskRunSpecs:
    - computeResources:
        limits:
          memory: 8Gi
      pipelineTaskName: ecosystem-cert-preflight-checks
    - computeResources:
        limits:
          memory: 8Gi
      pipelineTaskName: clair-scan
  taskRunTemplate:
    podTemplate:
      nodeSelector:
        konflux-ci.dev/workload: konflux-tenants
      tolerations:
        - effect: NoSchedule
          key: konflux-ci.dev/workload
          operator: Equal
          value: konflux-tenants
    serviceAccountName: appstudio-pipeline
  timeouts:
    pipeline: 4h0m0s
  workspaces:
    - name: git-auth
      secret:
        secretName: pac-gitauth-qtflzq
status:
  childReferences:
    - apiVersion: tekton.dev/v1
      kind: TaskRun
      name: codeserver-ubi9-python-3-11-on-pull-request-d6gtb-init
      pipelineTaskName: init
    - apiVersion: tekton.dev/v1
      kind: TaskRun
      name: codeserver-ubi62dbbe49a2d9f347d1eede02ae002f97-clone-repository
      pipelineTaskName: clone-repository
      whenExpressions:
        - input: 'true'
          operator: in
          values:
            - 'true'
    - apiVersion: tekton.dev/v1
      kind: TaskRun
      name: codeserve62dbbe49a2d9f347d1eede02ae002f97-prefetch-dependencies
      pipelineTaskName: prefetch-dependencies
    - apiVersion: tekton.dev/v1
      kind: TaskRun
      name: codeserver-ubi9-python-3-11-on-pull-request-d6gtb-build-images
      pipelineTaskName: build-images
      whenExpressions:
        - input: 'true'
          operator: in
          values:
            - 'true'
    - apiVersion: tekton.dev/v1
      kind: TaskRun
      name: codeserver-ub62dbbe49a2d9f347d1eede02ae002f97-build-image-index
      pipelineTaskName: build-image-index
      whenExpressions:
        - input: 'true'
          operator: in
          values:
            - 'true'
    - apiVersion: tekton.dev/v1
      kind: TaskRun
      name: cod62dbbe49a2d9f347d1eede02ae002f97-deprecated-base-image-check
      pipelineTaskName: deprecated-base-image-check
      whenExpressions:
        - input: 'false'
          operator: in
          values:
            - 'false'
    - apiVersion: tekton.dev/v1
      kind: TaskRun
      name: codeserver-ubi9-python-3-11-on-pull-request-d6gtb-clair-scan
      pipelineTaskName: clair-scan
      whenExpressions:
        - input: 'false'
          operator: in
          values:
            - 'false'
    - apiVersion: tekton.dev/v1
      kind: TaskRun
      name: codeserver-ubi9-python-3-11-on-b3ffeb351fc9bb220cf303851ee1a65a
      pipelineTaskName: ecosystem-cert-preflight-checks
      whenExpressions:
        - input: 'false'
          operator: in
          values:
            - 'false'
    - apiVersion: tekton.dev/v1
      kind: TaskRun
      name: codeserver-ubi962dbbe49a2d9f347d1eede02ae002f97-sast-snyk-check
      pipelineTaskName: sast-snyk-check
      whenExpressions:
        - input: 'false'
          operator: in
          values:
            - 'false'
    - apiVersion: tekton.dev/v1
      kind: TaskRun
      name: codeserver-ubi9-python-3-11-on-pull-request-d6gtb-clamav-scan
      pipelineTaskName: clamav-scan
      whenExpressions:
        - input: 'false'
          operator: in
          values:
            - 'false'
    - apiVersion: tekton.dev/v1
      kind: TaskRun
      name: cod62dbbe49a2d9f347d1eede02ae002f97-coverity-availability-check
      pipelineTaskName: coverity-availability-check
      whenExpressions:
        - input: 'false'
          operator: in
          values:
            - 'false'
    - apiVersion: tekton.dev/v1
      kind: TaskRun
      name: codeserver-ubi62dbbe49a2d9f347d1eede02ae002f97-sast-shell-check
      pipelineTaskName: sast-shell-check
      whenExpressions:
        - input: 'false'
          operator: in
          values:
            - 'false'
    - apiVersion: tekton.dev/v1
      kind: TaskRun
      name: codeserver-u62dbbe49a2d9f347d1eede02ae002f97-sast-unicode-check
      pipelineTaskName: sast-unicode-check
      whenExpressions:
        - input: 'false'
          operator: in
          values:
            - 'false'
    - apiVersion: tekton.dev/v1
      kind: TaskRun
      name: codeserver-ubi9-python-3-11-on-pull-request-d6gtb-apply-tags
      pipelineTaskName: apply-tags
    - apiVersion: tekton.dev/v1
      kind: TaskRun
      name: codeserver-ubi962dbbe49a2d9f347d1eede02ae002f97-push-dockerfile
      pipelineTaskName: push-dockerfile
    - apiVersion: tekton.dev/v1
      kind: TaskRun
      name: codeserver-62dbbe49a2d9f347d1eede02ae002f97-rpms-signature-scan
      pipelineTaskName: rpms-signature-scan
      whenExpressions:
        - input: 'false'
          operator: in
          values:
            - 'false'
  conditions:
    - lastTransitionTime: '2025-03-20T12:56:41Z'
      message: 'Tasks Completed: 15 (Failed: 0, Cancelled 0), Incomplete: 2, Skipped: 2'
      reason: Running
      status: Unknown
      type: Succeeded
  pipelineSpec:
    description: |
      This pipeline is ideal for building multi-arch container images from a Containerfile while maintaining trust after pipeline customization.

      _Uses `buildah` to create a multi-platform container image leveraging [trusted artifacts](https://konflux-ci.dev/architecture/ADR/0036-trusted-artifacts.html). It also optionally creates a source image and runs some build-time tests. This pipeline requires that the [multi platform controller](https://github.com/konflux-ci/multi-platform-controller) is deployed and configured on your Konflux instance. Information is shared between tasks using OCI artifacts instead of PVCs. EC will pass the [`trusted_task.trusted`](https://enterprisecontract.dev/docs/ec-policies/release_policy.html#trusted_task__trusted) policy as long as all data used to build the artifact is generated from trusted tasks.
      This pipeline is pushed as a Tekton bundle to [quay.io](https://quay.io/repository/konflux-ci/tekton-catalog/pipeline-docker-build-multi-platform-oci-ta?tab=tags)_
    finally:
      - name: show-sbom
        params:
          - name: IMAGE_URL
            value: $(tasks.build-image-index.results.IMAGE_URL)
        taskRef:
          params:
            - name: name
              value: show-sbom
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:04f15cbce548e1db7770eee3f155ccb2cc0140a6c371dc67e9a34d83673ea0c0'
            - name: kind
              value: task
          resolver: bundles
    params:
      - description: Source Repository URL
        name: git-url
        type: string
      - default: ''
        description: Revision of the Source Repository
        name: revision
        type: string
      - description: Fully Qualified Output Image
        name: output-image
        type: string
      - default: .
        description: Path to the source code of an application's component from where to build image.
        name: path-context
        type: string
      - default: Dockerfile
        description: Path to the Dockerfile inside the context specified by parameter path-context
        name: dockerfile
        type: string
      - default: 'false'
        description: Force rebuild image
        name: rebuild
        type: string
      - default: 'false'
        description: Skip checks against built image
        name: skip-checks
        type: string
      - default: 'false'
        description: Execute the build with network isolation
        name: hermetic
        type: string
      - default: ''
        description: Build dependencies to be prefetched by Cachi2
        name: prefetch-input
        type: string
      - default: ''
        description: 'Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.'
        name: image-expires-after
        type: string
      - default: 'false'
        description: Build a source image.
        name: build-source-image
        type: string
      - default: 'true'
        description: Add built image into an OCI image index
        name: build-image-index
        type: string
      - default: []
        description: Array of --build-arg values ("arg=value" strings) for buildah
        name: build-args
        type: array
      - default: ''
        description: 'Path to a file with build arguments for buildah, see https://www.mankier.com/1/buildah-build#--build-arg-file'
        name: build-args-file
        type: string
      - default:
          - linux/x86_64
        description: List of platforms to build the container images on. The available set of values is determined by the configuration of the multi-platform-controller.
        name: build-platforms
        type: array
    results:
      - description: ''
        name: IMAGE_URL
        value: $(tasks.build-image-index.results.IMAGE_URL)
      - description: ''
        name: IMAGE_DIGEST
        value: $(tasks.build-image-index.results.IMAGE_DIGEST)
      - description: ''
        name: CHAINS-GIT_URL
        value: $(tasks.clone-repository.results.url)
      - description: ''
        name: CHAINS-GIT_COMMIT
        value: $(tasks.clone-repository.results.commit)
    tasks:
      - name: init
        params:
          - name: image-url
            value: 'quay.io/redhat-user-workloads/rhoai-ide-konflux-tenant/codeserver-ubi9-python-3-11:on-pr-aabf68ec9bfa538b7d07125583d4579936a9ed81'
          - name: rebuild
            value: 'false'
          - name: skip-checks
            value: 'false'
        taskRef:
          params:
            - name: name
              value: init
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-init:0.2@sha256:2f59e9a3c20ce4509356389d327087213cc82c079b30811935837791da140f9f'
            - name: kind
              value: task
          resolver: bundles
      - name: clone-repository
        params:
          - name: url
            value: 'https://github.com/jiridanek/notebooks'
          - name: revision
            value: aabf68ec9bfa538b7d07125583d4579936a9ed81
          - name: ociStorage
            value: 'quay.io/redhat-user-workloads/rhoai-ide-konflux-tenant/codeserver-ubi9-python-3-11:on-pr-aabf68ec9bfa538b7d07125583d4579936a9ed81.git'
          - name: ociArtifactExpiresAfter
            value: 5d
        runAfter:
          - init
        taskRef:
          params:
            - name: name
              value: git-clone-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-git-clone-oci-ta:0.1@sha256:9709088bf3c581d4763e9804d9ee3a1f06ad6a61c23237277057c4f0cdc4f9c3'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(tasks.init.results.build)
            operator: in
            values:
              - 'true'
        workspaces:
          - name: basic-auth
            workspace: git-auth
      - name: prefetch-dependencies
        params:
          - name: input
            value: ''
          - name: SOURCE_ARTIFACT
            value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
          - name: ociStorage
            value: 'quay.io/redhat-user-workloads/rhoai-ide-konflux-tenant/codeserver-ubi9-python-3-11:on-pr-aabf68ec9bfa538b7d07125583d4579936a9ed81.prefetch'
          - name: ociArtifactExpiresAfter
            value: 5d
        runAfter:
          - clone-repository
        taskRef:
          params:
            - name: name
              value: prefetch-dependencies-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-prefetch-dependencies-oci-ta:0.2@sha256:786a6601c654a48e32ea51b2636982d2e096da3027ea701009ca956b74a7d400'
            - name: kind
              value: task
          resolver: bundles
        workspaces:
          - name: git-basic-auth
            workspace: git-auth
          - name: netrc
            workspace: netrc
      - matrix:
          params:
            - name: PLATFORM
              value:
                - linux/x86_64
        name: build-images
        params:
          - name: IMAGE
            value: 'quay.io/redhat-user-workloads/rhoai-ide-konflux-tenant/codeserver-ubi9-python-3-11:on-pr-aabf68ec9bfa538b7d07125583d4579936a9ed81'
          - name: DOCKERFILE
            value: codeserver/ubi9-python-3.11/Dockerfile.cpu
          - name: CONTEXT
            value: .
          - name: HERMETIC
            value: 'false'
          - name: PREFETCH_INPUT
            value: ''
          - name: IMAGE_EXPIRES_AFTER
            value: 5d
          - name: COMMIT_SHA
            value: $(tasks.clone-repository.results.commit)
          - name: BUILD_ARGS
            value: []
          - name: BUILD_ARGS_FILE
            value: ''
          - name: SOURCE_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
          - name: CACHI2_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
          - name: IMAGE_APPEND_PLATFORM
            value: 'true'
        runAfter:
          - prefetch-dependencies
        taskRef:
          params:
            - name: name
              value: buildah-remote-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-buildah-remote-oci-ta:0.4@sha256:58fb95e010b84e3b7949972a07c98d25fea68b474759891ac6ac539f325b0581'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(tasks.init.results.build)
            operator: in
            values:
              - 'true'
      - name: build-image-index
        params:
          - name: IMAGE
            value: 'quay.io/redhat-user-workloads/rhoai-ide-konflux-tenant/codeserver-ubi9-python-3-11:on-pr-aabf68ec9bfa538b7d07125583d4579936a9ed81'
          - name: COMMIT_SHA
            value: $(tasks.clone-repository.results.commit)
          - name: IMAGE_EXPIRES_AFTER
            value: 5d
          - name: ALWAYS_BUILD_INDEX
            value: 'true'
          - name: IMAGES
            value:
              - '$(tasks.build-images.results.IMAGE_REF[*])'
        runAfter:
          - build-images
        taskRef:
          params:
            - name: name
              value: build-image-index
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.1@sha256:d34e4245b767c5b1b5edbbad9fc9cf8050cf19a69c8e55856479848405c596ec'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(tasks.init.results.build)
            operator: in
            values:
              - 'true'
      - name: build-source-image
        params:
          - name: BINARY_IMAGE
            value: 'quay.io/redhat-user-workloads/rhoai-ide-konflux-tenant/codeserver-ubi9-python-3-11:on-pr-aabf68ec9bfa538b7d07125583d4579936a9ed81'
          - name: SOURCE_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
          - name: CACHI2_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: source-build-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-source-build-oci-ta:0.2@sha256:ea2316bcef60fdbc6d89bb34d343d9157e89e786504fb68e223c04a7486d9e91'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: $(tasks.init.results.build)
            operator: in
            values:
              - 'true'
          - input: 'false'
            operator: in
            values:
              - 'true'
      - name: deprecated-base-image-check
        params:
          - name: IMAGE_URL
            value: $(tasks.build-image-index.results.IMAGE_URL)
          - name: IMAGE_DIGEST
            value: $(tasks.build-image-index.results.IMAGE_DIGEST)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: deprecated-image-check
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-deprecated-image-check:0.5@sha256:5d63b920b71192906fe4d6c4903f594e6f34c5edcff9d21714a08b5edcfbc667'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: 'false'
            operator: in
            values:
              - 'false'
      - name: clair-scan
        params:
          - name: image-digest
            value: $(tasks.build-image-index.results.IMAGE_DIGEST)
          - name: image-url
            value: $(tasks.build-image-index.results.IMAGE_URL)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: clair-scan
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.2@sha256:d1ef571fe836984101e2d7f1611a2b7c8c0f8e7d5ad3d9b997fc511f9fd66af6'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: 'false'
            operator: in
            values:
              - 'false'
      - name: ecosystem-cert-preflight-checks
        params:
          - name: image-url
            value: $(tasks.build-image-index.results.IMAGE_URL)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: ecosystem-cert-preflight-checks
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:50668bab78fcf8aa02d3820a46354d4a125d80eff26fa07f9c23ea58b5e7088e'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: 'false'
            operator: in
            values:
              - 'false'
      - name: sast-snyk-check
        params:
          - name: image-digest
            value: $(tasks.build-image-index.results.IMAGE_DIGEST)
          - name: image-url
            value: $(tasks.build-image-index.results.IMAGE_URL)
          - name: SOURCE_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
          - name: CACHI2_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: sast-snyk-check-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.3@sha256:916d7187fdbf20d003db9c673d6cc0c583f4750606c75bf2d9e9c27815b3fcdb'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: 'false'
            operator: in
            values:
              - 'false'
      - name: clamav-scan
        params:
          - name: image-digest
            value: $(tasks.build-image-index.results.IMAGE_DIGEST)
          - name: image-url
            value: $(tasks.build-image-index.results.IMAGE_URL)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: clamav-scan
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:e24eb00ffdb7b45da1c9e1c98f65d68e9f13fd3fce4a4aa9e51df0c7aea14854'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: 'false'
            operator: in
            values:
              - 'false'
      - name: sast-coverity-check
        params:
          - name: image-url
            value: $(tasks.build-image-index.results.IMAGE_URL)
          - name: IMAGE
            value: 'quay.io/redhat-user-workloads/rhoai-ide-konflux-tenant/codeserver-ubi9-python-3-11:on-pr-aabf68ec9bfa538b7d07125583d4579936a9ed81'
          - name: DOCKERFILE
            value: codeserver/ubi9-python-3.11/Dockerfile.cpu
          - name: CONTEXT
            value: .
          - name: HERMETIC
            value: 'false'
          - name: PREFETCH_INPUT
            value: ''
          - name: IMAGE_EXPIRES_AFTER
            value: 5d
          - name: COMMIT_SHA
            value: $(tasks.clone-repository.results.commit)
          - name: BUILD_ARGS
            value: []
          - name: BUILD_ARGS_FILE
            value: ''
          - name: SOURCE_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
          - name: CACHI2_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
        runAfter:
          - coverity-availability-check
        taskRef:
          params:
            - name: name
              value: sast-coverity-check-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.2@sha256:32c4d3e795ca141f3f10dbca20c77a4860083006c2b4dffa95ee6b703a9c4810'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: 'false'
            operator: in
            values:
              - 'false'
          - input: $(tasks.coverity-availability-check.results.STATUS)
            operator: in
            values:
              - success
      - name: coverity-availability-check
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: coverity-availability-check
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-coverity-availability-check:0.2@sha256:0b35292eed661c5e3ca307c0ba7f594d17555db2a1da567903b0b47697fa23ed'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: 'false'
            operator: in
            values:
              - 'false'
      - name: sast-shell-check
        params:
          - name: image-digest
            value: $(tasks.build-image-index.results.IMAGE_DIGEST)
          - name: image-url
            value: $(tasks.build-image-index.results.IMAGE_URL)
          - name: SOURCE_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
          - name: CACHI2_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: sast-shell-check-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:4b704fa3a3f56a350dd93df506e2d13d102202f124548604877377db2c4c9c22'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: 'false'
            operator: in
            values:
              - 'false'
      - name: sast-unicode-check
        params:
          - name: image-url
            value: $(tasks.build-image-index.results.IMAGE_URL)
          - name: SOURCE_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
          - name: CACHI2_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.CACHI2_ARTIFACT)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: sast-unicode-check-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.1@sha256:424f2f659c02998dc3a43e1ce869e3148982c59adb74f953f8fa91ff1c9ab86e'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: 'false'
            operator: in
            values:
              - 'false'
      - name: apply-tags
        params:
          - name: IMAGE
            value: $(tasks.build-image-index.results.IMAGE_URL)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: apply-tags
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.1@sha256:e1d365ce85d6448f6ebd0d0a000d0f45b694950b7545a2c34bfbcf992c80df61'
            - name: kind
              value: task
          resolver: bundles
      - name: push-dockerfile
        params:
          - name: IMAGE
            value: $(tasks.build-image-index.results.IMAGE_URL)
          - name: IMAGE_DIGEST
            value: $(tasks.build-image-index.results.IMAGE_DIGEST)
          - name: DOCKERFILE
            value: codeserver/ubi9-python-3.11/Dockerfile.cpu
          - name: CONTEXT
            value: .
          - name: SOURCE_ARTIFACT
            value: $(tasks.prefetch-dependencies.results.SOURCE_ARTIFACT)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: push-dockerfile-oci-ta
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-push-dockerfile-oci-ta:0.1@sha256:a89354ee3fb942a4ce635767dfd6a1fcf47da796c3b984c996190d2965bb6e84'
            - name: kind
              value: task
          resolver: bundles
      - name: rpms-signature-scan
        params:
          - name: image-url
            value: $(tasks.build-image-index.results.IMAGE_URL)
          - name: image-digest
            value: $(tasks.build-image-index.results.IMAGE_DIGEST)
        runAfter:
          - build-image-index
        taskRef:
          params:
            - name: name
              value: rpms-signature-scan
            - name: bundle
              value: 'quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:1ed16be7d66040bb7eb04c4b252345ff658e1dbdca8274ae7885126ab2214ad1'
            - name: kind
              value: task
          resolver: bundles
        when:
          - input: 'false'
            operator: in
            values:
              - 'false'
    workspaces:
      - name: git-auth
        optional: true
      - name: netrc
        optional: true
  skippedTasks:
    - name: build-source-image
      reason: When Expressions evaluated to false
      whenExpressions:
        - input: 'true'
          operator: in
          values:
            - 'true'
        - input: 'false'
          operator: in
          values:
            - 'true'
    - name: sast-coverity-check
      reason: When Expressions evaluated to false
      whenExpressions:
        - input: 'false'
          operator: in
          values:
            - 'false'
        - input: failed
          operator: in
          values:
            - success
  spanContext:
    traceparent: 00-7081753ad8569972a191b2d718e0d2ef-14cb014d54c39ca2-01
  startTime: '2025-03-20T12:41:00Z'
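Two things a reviewer of the run above would want to check mechanically are (a) that every `taskRef` bundle is digest-pinned to the konflux-ci catalog, which is what the `trusted_task.trusted` policy named in the pipeline description relies on, and (b) which tasks share no `runAfter` ordering with `clamav-scan` and can therefore run concurrently with it. The script below is an added example, not code from the opendatahub-io/notebooks repository or from Konflux. It works on a constructed, trimmed copy of `pipelineSpec.tasks` from the PipelineRun above (same task names, `runAfter` edges and bundle digests; params and when-expressions dropped). The trusted prefix, the "pinned" rule, the extra `clamav-scan-floating` entry used as a negative input, and the function names are this example's own assumptions.

```python
"""Static checks over the pipelineSpec of a Konflux PipelineRun.

Added example; not code from opendatahub-io/notebooks or from Konflux.
Answers two questions about the run above: are all task bundles digest-pinned
to the trusted catalog, and which tasks may overlap in time with clamav-scan?
"""
import re
from collections import defaultdict

# Assumptions of this example: the catalog prefix seen in every bundle ref in
# the PipelineRun, and "pinned" means the ref ends in @sha256:<64 hex digits>.
TRUSTED_PREFIX = "quay.io/konflux-ci/tekton-catalog/"
PINNED_RE = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")


def task(name, bundle, run_after=()):
    """Build one pipelineSpec.tasks entry in the shape used above (params omitted)."""
    return {
        "name": name,
        "runAfter": list(run_after),
        "taskRef": {
            "resolver": "bundles",
            "params": [{"name": "name", "value": name},
                       {"name": "bundle", "value": bundle},
                       {"name": "kind", "value": "task"}],
        },
    }


# Constructed, trimmed copy of the tasks above: same names, runAfter edges and
# bundle digests as the PipelineRun; params and when-expressions dropped.
TASKS = [
    task("init", TRUSTED_PREFIX + "task-init:0.2@sha256:2f59e9a3c20ce4509356389d327087213cc82c079b30811935837791da140f9f"),
    task("clone-repository", TRUSTED_PREFIX + "task-git-clone-oci-ta:0.1@sha256:9709088bf3c581d4763e9804d9ee3a1f06ad6a61c23237277057c4f0cdc4f9c3", ["init"]),
    task("prefetch-dependencies", TRUSTED_PREFIX + "task-prefetch-dependencies-oci-ta:0.2@sha256:786a6601c654a48e32ea51b2636982d2e096da3027ea701009ca956b74a7d400", ["clone-repository"]),
    task("build-images", TRUSTED_PREFIX + "task-buildah-remote-oci-ta:0.4@sha256:58fb95e010b84e3b7949972a07c98d25fea68b474759891ac6ac539f325b0581", ["prefetch-dependencies"]),
    task("build-image-index", TRUSTED_PREFIX + "task-build-image-index:0.1@sha256:d34e4245b767c5b1b5edbbad9fc9cf8050cf19a69c8e55856479848405c596ec", ["build-images"]),
    task("clair-scan", TRUSTED_PREFIX + "task-clair-scan:0.2@sha256:d1ef571fe836984101e2d7f1611a2b7c8c0f8e7d5ad3d9b997fc511f9fd66af6", ["build-image-index"]),
    task("clamav-scan", TRUSTED_PREFIX + "task-clamav-scan:0.2@sha256:e24eb00ffdb7b45da1c9e1c98f65d68e9f13fd3fce4a4aa9e51df0c7aea14854", ["build-image-index"]),
    task("coverity-availability-check", TRUSTED_PREFIX + "task-coverity-availability-check:0.2@sha256:0b35292eed661c5e3ca307c0ba7f594d17555db2a1da567903b0b47697fa23ed", ["build-image-index"]),
    task("sast-coverity-check", TRUSTED_PREFIX + "task-sast-coverity-check-oci-ta:0.2@sha256:32c4d3e795ca141f3f10dbca20c77a4860083006c2b4dffa95ee6b703a9c4810", ["coverity-availability-check"]),
    task("rpms-signature-scan", TRUSTED_PREFIX + "task-rpms-signature-scan:0.2@sha256:1ed16be7d66040bb7eb04c4b252345ff658e1dbdca8274ae7885126ab2214ad1", ["build-image-index"]),
    task("apply-tags", TRUSTED_PREFIX + "task-apply-tags:0.1@sha256:e1d365ce85d6448f6ebd0d0a000d0f45b694950b7545a2c34bfbcf992c80df61", ["build-image-index"]),
]

# Constructed negative input: trusted catalog, but a floating tag with no digest.
UNPINNED = task("clamav-scan-floating", TRUSTED_PREFIX + "task-clamav-scan:0.2", ["build-image-index"])


def bundle_ref(t):
    """Bundle string of a bundles-resolver taskRef, or None for other resolvers."""
    ref = t.get("taskRef", {})
    if ref.get("resolver") != "bundles":
        return None
    return next((p["value"] for p in ref.get("params", []) if p["name"] == "bundle"), None)


def pin_violations(tasks):
    """Names of tasks whose bundle is not digest-pinned or not under TRUSTED_PREFIX.

    A floating tag can be re-pushed, so the task body that ran need not be the
    one that was reviewed; a digest identifies exactly one bundle."""
    bad = []
    for t in tasks:
        ref = bundle_ref(t)
        if ref is None or not ref.startswith(TRUSTED_PREFIX) or not PINNED_RE.match(ref):
            bad.append(t["name"])
    return bad


def _deps(tasks):
    return {t["name"]: set(t.get("runAfter", [])) for t in tasks}


def schedule_waves(tasks):
    """Group tasks by runAfter depth: wave 0 has no runAfter, wave n depends only
    on earlier waves. Tasks within one wave have no ordering edge between them.
    Raises ValueError on a cycle or a runAfter target that is not a task."""
    deps = _deps(tasks)
    done, waves, remaining = set(), [], set(deps)
    while remaining:
        ready = sorted(n for n in remaining if deps[n] <= done)
        if not ready:
            raise ValueError(f"cycle or unknown runAfter target in {sorted(remaining)}")
        waves.append(ready)
        done |= set(ready)
        remaining -= set(ready)
    return waves


def _reachable(graph, start):
    """All nodes reachable from start by following graph edges (start excluded)."""
    seen, stack = set(), [start]
    while stack:
        for nxt in graph.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def concurrent_with(tasks, name):
    """Tasks neither upstream nor downstream of `name`. Tekton is free to run
    these while `name` runs, so they compete with it for node capacity."""
    deps = _deps(tasks)
    rdeps = defaultdict(set)
    for t, ds in deps.items():
        for d in ds:
            rdeps[d].add(t)
    ordered = _reachable(deps, name) | _reachable(rdeps, name) | {name}
    return sorted(set(deps) - ordered)


if __name__ == "__main__":
    print("unpinned or untrusted:", pin_violations(TASKS + [UNPINNED]))
    for i, wave in enumerate(schedule_waves(TASKS)):
        print(f"wave {i}: {wave}")
    print("may overlap with clamav-scan:", concurrent_with(TASKS, "clamav-scan"))
```

To run this against a real object, feed `yaml.safe_load(f)["status"]["pipelineSpec"]["tasks"]` (PyYAML) to the same functions. Because params are dropped, implicit ordering through `$(tasks.X.results.Y)` references is not modelled; in the spec above every consumer of a result also lists a `runAfter` that covers it, so the waves match what Tekton schedules, subject to when-expressions and cluster capacity.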
@jiridanek
Member Author

apiVersion: tekton.dev/v1
kind: TaskRun
metadata:
  annotations:
    pipelinesascode.tekton.dev/state: started
    pipelinesascode.tekton.dev/source-branch: jd_sandboxed_tekton_pipelines
    pipeline.tekton.dev/release: 1dd488e
    pipelinesascode.tekton.dev/repo-url: 'https://github.com/opendatahub-io/notebooks'
    pipelinesascode.tekton.dev/sha-title: 'RHOAIENG-18400: chore(.tekton/): request some greater resources'
    results.tekton.dev/recordSummaryAnnotations: '{"repo":"notebooks","commit":"aabf68ec9bfa538b7d07125583d4579936a9ed81","eventType":"pull_request","pull_request-id":969}'
    pipelinesascode.tekton.dev/sender: jiridanek
    tekton.dev/tags: 'virus, konflux'
    pipelinesascode.tekton.dev/git-auth-secret: pac-gitauth-qtflzq
    test.appstudio.openshift.io/create-groupsnapshot-status: build PLR cuda-jupyter-tensorflow-ubi9-python-3-11-on-pull-request-6gpv5 failed for component cuda-jupyter-tensorflow-ubi9-python-3-11 so it can't be added to the group Snapshot for PR group jd_sandboxed_tekton_pipelines
    build.appstudio.openshift.io/repo: 'https://github.com/opendatahub-io/notebooks?rev=aabf68ec9bfa538b7d07125583d4579936a9ed81'
    pipelinesascode.tekton.dev/controller-info: '{"name":"default","configmap":"pipelines-as-code","secret":"pipelines-as-code-secret", "gRepo": "pipelines-as-code"}'
    tekton.dev/taskrunSpanContext: '{"traceparent":"00-7081753ad8569972a191b2d718e0d2ef-52ebb7c226704754-01"}'
    tekton.dev/pipelines.minVersion: 0.12.1
    pipelinesascode.tekton.dev/check-run-id: '39107678385'
    pipelinesascode.tekton.dev/cancel-in-progress: 'true'
    pipelinesascode.tekton.dev/branch: main
    test.appstudio.openshift.io/pr-group: jd_sandboxed_tekton_pipelines
    pipelinesascode.tekton.dev/log-url: 'https://console.redhat.com/application-pipeline/ns/rhoai-ide-konflux-tenant/pipelinerun/codeserver-ubi9-python-3-11-on-pull-request-d6gtb'
    build.appstudio.redhat.com/target_branch: main
    pipelinesascode.tekton.dev/url-org: opendatahub-io
    pipelinesascode.tekton.dev/source-repo-url: 'https://github.com/jiridanek/notebooks'
    pipelinesascode.tekton.dev/max-keep-runs: '3'
    pipelinesascode.tekton.dev/original-prname: codeserver-ubi9-python-3-11-on-pull-request
    build.appstudio.redhat.com/pull_request_number: '969'
    pipelinesascode.tekton.dev/pull-request: '969'
    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main" && ( "codeserver/ubi9-python-3.11/Pipfile.lock".pathChanged() || "codeserver/ubi9-python-3.11/nginx/api/***".pathChanged() || "codeserver/ubi9-python-3.11/nginx/httpconf/***".pathChanged() || "codeserver/ubi9-python-3.11/nginx/root/***".pathChanged() || "codeserver/ubi9-python-3.11/nginx/serverconf/***".pathChanged() || "codeserver/ubi9-python-3.11/run-code-server.sh".pathChanged() || "codeserver/ubi9-python-3.11/run-nginx.sh".pathChanged() || "codeserver/ubi9-python-3.11/supervisord/supervisord.conf".pathChanged() || "codeserver/ubi9-python-3.11/utils/***".pathChanged() || ".tekton/codeserver-ubi9-python-3-11-pull-request.yaml".pathChanged() || "codeserver/ubi9-python-3.11/Dockerfile.cpu".pathChanged() ) && has(body.repository) && body.repository.full_name == "opendatahub-io/notebooks"
    pipelinesascode.tekton.dev/url-repository: notebooks
    test.appstudio.openshift.io/snapshot-creation-report: BuildPLRInProgress
    pipelinesascode.tekton.dev/repository: jupyter-minimal-ubi9-python-3-11
    pipelinesascode.tekton.dev/sha: aabf68ec9bfa538b7d07125583d4579936a9ed81
    pipelinesascode.tekton.dev/sha-url: 'https://github.com/opendatahub-io/notebooks/commit/aabf68ec9bfa538b7d07125583d4579936a9ed81'
    pipelinesascode.tekton.dev/git-provider: github
    pipelinesascode.tekton.dev/installation-id: '55725832'
    pipelinesascode.tekton.dev/event-type: pull_request
    build.appstudio.redhat.com/commit_sha: aabf68ec9bfa538b7d07125583d4579936a9ed81
  resourceVersion: '3421129663'
  name: codeserver-ubi9-python-3-11-on-pull-request-d6gtb-clamav-scan
  uid: d34d7cb2-a0cd-49a7-9d39-48b36361635b
  creationTimestamp: '2025-03-20T12:51:59Z'
  generation: 1
  managedFields:
    - apiVersion: tekton.dev/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:finalizers':
            .: {}
            'v:"chains.tekton.dev"': {}
      manager: openshift-pipelines-chains-controller
      operation: Update
      time: '2025-03-20T12:51:59Z'
    - apiVersion: tekton.dev/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:annotations':
            'f:pipelinesascode.tekton.dev/controller-info': {}
            'f:pipelinesascode.tekton.dev/pull-request': {}
            'f:pipelinesascode.tekton.dev/url-repository': {}
            'f:pipelinesascode.tekton.dev/repository': {}
            'f:test.appstudio.openshift.io/pr-group': {}
            'f:pipelinesascode.tekton.dev/url-org': {}
            'f:build.appstudio.redhat.com/target_branch': {}
            'f:pipelinesascode.tekton.dev/git-provider': {}
            'f:pipelinesascode.tekton.dev/source-repo-url': {}
            'f:pipelinesascode.tekton.dev/log-url': {}
            'f:pipelinesascode.tekton.dev/max-keep-runs': {}
            'f:pipelinesascode.tekton.dev/event-type': {}
            'f:build.appstudio.redhat.com/commit_sha': {}
            'f:pipelinesascode.tekton.dev/original-prname': {}
            'f:pipelinesascode.tekton.dev/on-cel-expression': {}
            'f:build.appstudio.redhat.com/pull_request_number': {}
            'f:test.appstudio.openshift.io/snapshot-creation-report': {}
            .: {}
            'f:pipelinesascode.tekton.dev/sha': {}
            'f:pipeline.tekton.dev/release': {}
            'f:pipelinesascode.tekton.dev/repo-url': {}
            'f:pipelinesascode.tekton.dev/sha-url': {}
            'f:pipelinesascode.tekton.dev/installation-id': {}
            'f:pipelinesascode.tekton.dev/sender': {}
            'f:results.tekton.dev/recordSummaryAnnotations': {}
            'f:pipelinesascode.tekton.dev/state': {}
            'f:tekton.dev/tags': {}
            'f:pipelinesascode.tekton.dev/source-branch': {}
            'f:test.appstudio.openshift.io/create-groupsnapshot-status': {}
            'f:pipelinesascode.tekton.dev/sha-title': {}
            'f:build.appstudio.openshift.io/repo': {}
            'f:tekton.dev/taskrunSpanContext': {}
            'f:pipelinesascode.tekton.dev/git-auth-secret': {}
            'f:tekton.dev/pipelines.minVersion': {}
            'f:pipelinesascode.tekton.dev/branch': {}
            'f:pipelinesascode.tekton.dev/check-run-id': {}
            'f:pipelinesascode.tekton.dev/cancel-in-progress': {}
          'f:labels':
            'f:tekton.dev/task': {}
            'f:tekton.dev/pipelineTask': {}
            'f:tekton.dev/pipelineRunUID': {}
            'f:pipelinesascode.tekton.dev/pull-request': {}
            'f:pipelinesascode.tekton.dev/url-repository': {}
            'f:pipelines.appstudio.openshift.io/type': {}
            'f:pipelinesascode.tekton.dev/repository': {}
            'f:test.appstudio.openshift.io/pr-group-sha': {}
            'f:app.kubernetes.io/managed-by': {}
            'f:appstudio.openshift.io/application': {}
            'f:pipelinesascode.tekton.dev/url-org': {}
            'f:pipelinesascode.tekton.dev/event-type': {}
            'f:pipelinesascode.tekton.dev/original-prname': {}
            'f:tekton.dev/memberOf': {}
            .: {}
            'f:tekton.dev/pipelineRun': {}
            'f:pipelinesascode.tekton.dev/sha': {}
            'f:pipelinesascode.tekton.dev/state': {}
            'f:appstudio.openshift.io/component': {}
            'f:app.kubernetes.io/version': {}
            'f:tekton.dev/pipeline': {}
            'f:pipelinesascode.tekton.dev/check-run-id': {}
          'f:ownerReferences':
            .: {}
            'k:{"uid":"306a91bb-8b45-4760-973c-29b9c534f831"}': {}
        'f:spec':
          .: {}
          'f:params': {}
          'f:podTemplate':
            .: {}
            'f:nodeSelector':
              .: {}
              'f:konflux-ci.dev/workload': {}
            'f:tolerations': {}
          'f:serviceAccountName': {}
          'f:taskRef':
            .: {}
            'f:params': {}
            'f:resolver': {}
      manager: openshift-pipelines-controller
      operation: Update
      time: '2025-03-20T12:52:01Z'
    - apiVersion: tekton.dev/v1
      fieldsType: FieldsV1
      fieldsV1:
        'f:status':
          .: {}
          'f:conditions': {}
          'f:podName': {}
          'f:spanContext':
            .: {}
            'f:traceparent': {}
          'f:startTime': {}
          'f:steps': {}
          'f:taskSpec':
            .: {}
            'f:description': {}
            'f:params': {}
            'f:results': {}
            'f:steps': {}
            'f:volumes': {}
      manager: openshift-pipelines-controller
      operation: Update
      subresource: status
      time: '2025-03-20T12:52:07Z'
  namespace: rhoai-ide-konflux-tenant
  ownerReferences:
    - apiVersion: tekton.dev/v1
      blockOwnerDeletion: true
      controller: true
      kind: PipelineRun
      name: codeserver-ubi9-python-3-11-on-pull-request-d6gtb
      uid: 306a91bb-8b45-4760-973c-29b9c534f831
  finalizers:
    - chains.tekton.dev
  labels:
    pipelinesascode.tekton.dev/state: started
    tekton.dev/memberOf: tasks
    appstudio.openshift.io/component: codeserver-ubi9-python-3-11
    app.kubernetes.io/version: v0.31.0
    tekton.dev/pipeline: codeserver-ubi9-python-3-11-on-pull-request-d6gtb
    app.kubernetes.io/managed-by: pipelinesascode.tekton.dev
    pipelinesascode.tekton.dev/check-run-id: '39107678385'
    test.appstudio.openshift.io/pr-group-sha: e2b2443c8ca9f8cae59318537f6edc0cb602917e2d29945ddc1853eeae6187
    appstudio.openshift.io/application: notebooks
    tekton.dev/task: clamav-scan
    pipelinesascode.tekton.dev/url-org: opendatahub-io
    tekton.dev/pipelineTask: clamav-scan
    tekton.dev/pipelineRunUID: 306a91bb-8b45-4760-973c-29b9c534f831
    pipelinesascode.tekton.dev/original-prname: codeserver-ubi9-python-3-11-on-pull-request
    pipelinesascode.tekton.dev/pull-request: '969'
    pipelines.appstudio.openshift.io/type: build
    pipelinesascode.tekton.dev/url-repository: notebooks
    tekton.dev/pipelineRun: codeserver-ubi9-python-3-11-on-pull-request-d6gtb
    pipelinesascode.tekton.dev/repository: jupyter-minimal-ubi9-python-3-11
    pipelinesascode.tekton.dev/sha: aabf68ec9bfa538b7d07125583d4579936a9ed81
    pipelinesascode.tekton.dev/event-type: pull_request
spec:
  params:
    - name: image-digest
      value: 'sha256:7a4f7f2c56da805cd1b5934c1f4739ca870c8dd539928a90eac8cc50e3ff1677'
    - name: image-url
      value: 'quay.io/redhat-user-workloads/rhoai-ide-konflux-tenant/codeserver-ubi9-python-3-11:on-pr-aabf68ec9bfa538b7d07125583d4579936a9ed81'
  podTemplate:
    nodeSelector:
      konflux-ci.dev/workload: konflux-tenants
    tolerations:
      - effect: NoSchedule
        key: konflux-ci.dev/workload
        operator: Equal
        value: konflux-tenants
  serviceAccountName: appstudio-pipeline
  taskRef:
    params:
      - name: name
        value: clamav-scan
      - name: bundle
        value: 'quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.2@sha256:e24eb00ffdb7b45da1c9e1c98f65d68e9f13fd3fce4a4aa9e51df0c7aea14854'
      - name: kind
        value: task
    resolver: bundles
  timeout: 2h0m0s
status:
  conditions:
    - lastTransitionTime: '2025-03-20T12:52:07Z'
      message: Not all Steps in the Task have finished executing
      reason: Running
      status: Unknown
      type: Succeeded
  podName: codeserver-ubi9-python-3-119a678667b94ca45afea95e0f2bbc47f9-pod
  spanContext:
    traceparent: 00-7081753ad8569972a191b2d718e0d2ef-52ebb7c226704754-01
  startTime: '2025-03-20T12:51:59Z'
  steps:
    - container: step-extract-and-scan-image
      imageID: 'quay.io/konflux-ci/clamav-db@sha256:3acf8183c959e84bf498dc042f2947557422a556146fe0c89bd4030051079de8'
      name: extract-and-scan-image
      running:
        startedAt: '2025-03-20T12:52:04Z'
    - container: step-upload
      imageID: 'quay.io/konflux-ci/oras@sha256:95763191fde9879fcefc504cddea6b6e40420eda05a6a2b0d4a8fbcd8e0d7e54'
      name: upload
      running:
        startedAt: '2025-03-20T12:52:06Z'
  taskSpec:
    description: 'Scans the content of container images for viruses, malware, and other malicious content using ClamAV antivirus scanner.'
    params:
      - description: Image digest to scan.
        name: image-digest
        type: string
      - description: Image URL.
        name: image-url
        type: string
      - default: ''
        description: unused
        name: docker-auth
        type: string
      - default: trusted-ca
        description: The name of the ConfigMap to read CA bundle data from.
        name: ca-trust-config-map-name
        type: string
      - default: ca-bundle.crt
        description: The name of the key in the ConfigMap that contains the CA bundle data.
        name: ca-trust-config-map-key
        type: string
    results:
      - description: Tekton task test output.
        name: TEST_OUTPUT
        type: string
      - description: Images processed in the task.
        name: IMAGES_PROCESSED
        type: string
    steps:
      - computeResources:
          limits:
            memory: 8Gi
          requests:
            cpu: 500m
            memory: 2Gi
        env:
          - name: HOME
            value: /work
          - name: IMAGE_URL
            value: 'quay.io/redhat-user-workloads/rhoai-ide-konflux-tenant/codeserver-ubi9-python-3-11:on-pr-aabf68ec9bfa538b7d07125583d4579936a9ed81'
          - name: IMAGE_DIGEST
            value: 'sha256:7a4f7f2c56da805cd1b5934c1f4739ca870c8dd539928a90eac8cc50e3ff1677'
        image: 'quay.io/konflux-ci/clamav-db:latest'
        name: extract-and-scan-image
        script: |
          #!/usr/bin/env bash
          set -euo pipefail
          . /utils.sh
          trap 'handle_error /tekton/results/TEST_OUTPUT' EXIT

          imagewithouttag=$(echo $IMAGE_URL | sed "s/\(.*\):.*/\1/" | tr -d '\n')

          # strip new-line escape symbol from parameter and save it to variable
          imageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)

          # check if image is attestation one, skip the clamav scan in such case
          if [[ $imageanddigest == *.att ]]
          then
              echo "$imageanddigest is an attestation image. Skipping ClamAV scan."
              exit 0
          fi

          images_processed_template='{"image": {"pullspec": "'"$IMAGE_URL"'", "digests": [%s]}}'
          digests_processed=()
          mkdir logs
          mkdir content
          cd content
          echo "Extracting image(s)."

          # Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes
          image_manifests=$(get_image_manifests -i ${imageanddigest})
          if [ -n "$image_manifests" ]; then
            while read -r arch arch_sha; do
              destination=$(echo content-$arch)
              mkdir -p "$destination"
              arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)

              echo "Running \"oc image extract\" on image of arch $arch"
              oc image extract --registry-config ~/.docker/config.json $arch_imageanddigest --path="/:${destination}" --filter-by-os="linux/${arch}"
              if [ $? -ne 0 ]; then
                echo "Unable to extract image for arch $arch. Skipping ClamAV scan!"
                exit 0
              fi

              db_version=$(clamscan --version | sed 's|.*/\(.*\)/.*|\1|')

              echo "Scanning image for arch $arch. This operation may take a while."
              clamscan "${destination}" -ri --max-scansize=4095M --max-filesize=2000M \
                --max-scantime=0 --max-files=0 --max-recursion=1000 --max-dir-recursion=20000 --max-embeddedpe=4095M \
                --max-htmlnormalize=10M --max-htmlnotags=4095M --max-scriptnormalize=5M --max-ziptypercg=4095M \
                --max-partitions=50000 --max-iconspe=100000 --max-rechwp3=20000 --pcre-match-limit=100000000 --pcre-recmatch-limit=2000000 \
                --pcre-max-filesize=4095M --alert-exceeds-max=yes \
                --alert-encrypted=yes --alert-encrypted-archive=yes --alert-encrypted-doc=yes --alert-macros=yes \
                --alert-phishing-ssl=yes --alert-phishing-cloak=yes --alert-partition-intersection=yes \
                | tee /work/logs/clamscan-result-$arch.log || true

              echo "Executed-on: Scan was executed on clamscan version - $(clamscan --version) Database version: $db_version" | tee -a "/work/logs/clamscan-result-$arch.log"

              digests_processed+=("\"$arch_sha\"")

              if [[ -e "/work/logs/clamscan-result-$arch.log" ]]; then
                # file_suffix=$(basename "$file" | sed 's/clamscan-result-//;s/.log//')
                # OPA/EC requires structured data input, add clamAV log into json
                jq -Rs '{ output: . }' /work/logs/clamscan-result-$arch.log > /work/logs/clamscan-result-log-$arch.json

                EC_EXPERIMENTAL=1 ec test \
                  --namespace required_checks \
                  --policy /project/clamav/virus-check.rego \
                  -o json \
                  /work/logs/clamscan-result-log-$arch.json || true

                # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again
                EC_EXPERIMENTAL=1 ec test \
                  --namespace required_checks \
                  --policy /project/clamav/virus-check.rego \
                  -o appstudio \
                  /work/logs/clamscan-result-log-$arch.json | tee /work/logs/clamscan-ec-test-$arch.json || true

                cat /work/logs/clamscan-ec-test-$arch.json
              fi
            done < <(echo "$image_manifests" | jq -r 'to_entries[] | "\(.key) \(.value)"')
          fi

          jq -s -rce '
            reduce .[] as $item ({"timestamp":"0","namespace":"","successes":0,"failures":0,"warnings":0,"result":"","note":""};
              {
              "timestamp" : (if .timestamp < $item.timestamp then $item.timestamp else .timestamp end),
              "namespace" : $item.namespace,
              "successes" : (.successes + $item.successes),
              "failures" : (.failures + $item.failures),
              "warnings" : (.warnings + $item.warnings),
              "result" : (if .result == "" or ($item.result == "SKIPPED" and .result == "SUCCESS") or ($item.result == "WARNING" and (.result == "SUCCESS" or .result == "SKIPPED")) or ($item.result == "FAILURE" and .result != "ERROR") or $item.result == "ERROR" then $item.result else .result end),
              "note" : (if .result == "" or ($item.result == "SKIPPED" and .result == "SUCCESS") or ($item.result == "WARNING" and (.result == "SUCCESS" or .result == "SKIPPED")) or ($item.result == "FAILURE" and .result != "ERROR") or $item.result == "ERROR" then $item.note else .note end)
              })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT

          # If the image is an Image Index, also add the Image Index digest to the list.
          if [[ "${digests_processed[*]}" != *"$IMAGE_DIGEST"* ]]; then
            digests_processed+=("\"$IMAGE_DIGEST\"")
          fi

          digests_processed_string=$(IFS=,; echo "${digests_processed[*]}")
          echo "${images_processed_template/\[%s]/[$digests_processed_string]}" | tee /tekton/results/IMAGES_PROCESSED
        securityContext:
          runAsUser: 1000
        volumeMounts:
          - mountPath: /work
            name: work
          - mountPath: /etc/pki/tls/certs/ca-custom-bundle.crt
            name: trusted-ca
            readOnly: true
            subPath: ca-bundle.crt
        workingDir: /work
      - computeResources:
          limits:
            memory: 512Mi
          requests:
            cpu: 100m
            memory: 256Mi
        env:
          - name: IMAGE_URL
            value: 'quay.io/redhat-user-workloads/rhoai-ide-konflux-tenant/codeserver-ubi9-python-3-11:on-pr-aabf68ec9bfa538b7d07125583d4579936a9ed81'
          - name: IMAGE_DIGEST
            value: 'sha256:7a4f7f2c56da805cd1b5934c1f4739ca870c8dd539928a90eac8cc50e3ff1677'
        image: 'quay.io/konflux-ci/oras:latest@sha256:d9fea2ee280880feef6909bef3e18318444231c83736bcc41d54b4e5064f23c9'
        name: upload
        script: |
          #!/usr/bin/env bash

          cd logs

          for UPLOAD_FILE in $(find . -name "clamscan-result*.log"); do
            MEDIA_TYPE=text/vnd.clamav
            args+=("${UPLOAD_FILE}:${MEDIA_TYPE}")
          done
          for UPLOAD_FILE in $(find . -name "clamscan-ec-test*.json"); do
            MEDIA_TYPE=application/vnd.konflux.test_output+json
            args+=("${UPLOAD_FILE}:${MEDIA_TYPE}")
          done

          if [ -z "${args}" ]; then
            echo "No files found. Skipping upload."
            exit 0;
          fi

          echo "Selecting auth"
          select-oci-auth $IMAGE_URL > $HOME/auth.json
          echo "Attaching to ${IMAGE_URL}"
           oras attach --no-tty --registry-config "$HOME/auth.json" --artifact-type application/vnd.clamav "${IMAGE_URL}" "${args[@]}"
        volumeMounts:
          - mountPath: /work
            name: work
        workingDir: /work
    volumes:
      - emptyDir: {}
        name: dbfolder
      - emptyDir: {}
        name: work
      - configMap:
          items:
            - key: ca-bundle.crt
              path: ca-bundle.crt
          name: trusted-ca
          optional: true
        name: trusted-ca
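
The issue asks for the ClamAV step to run in parallel, and the extract-and-scan-image script above shows why it is currently slow for an image index: each architecture is extracted and scanned in turn inside `while read -r arch arch_sha; do ... done`. The following is an added example, not code from the Konflux clamav-scan task bundle and not anything posted in this issue, sketching what a concurrent version of that loop looks like in bash. It assumes nothing beyond bash and coreutils: the arch/digest pairs are constructed, and `scan_one_arch` is a hypothetical stand-in for `oc image extract` plus `clamscan` that only simulates elapsed time and an outcome. The points it demonstrates are the ones that bite when the real loop body is simply backgrounded: each job's exit status has to be reaped with `wait` so a finding stays attributed to its arch, and data the job produces (the task appends to a `digests_processed` array) has to come back through files, because variables appended inside a backgrounded job are never seen by the parent shell.

```bash
#!/usr/bin/env bash
# Added example; not code from the Konflux clamav-scan task or from this issue.
# The task's extract-and-scan-image step handles the arches of an image index
# one after another.  This sketch runs the per-arch work as background jobs,
# reaps each job with `wait` so a failure stays attributed to its arch, and
# passes per-job data back through files: an array appended inside a
# backgrounded job (the task's digests_processed) is lost to the parent shell.
set -euo pipefail

WORK="${WORK:-$(mktemp -d)}"
mkdir -p "$WORK/logs" "$WORK/digests"

# Constructed sample standing in for get_image_manifests output:
# one "arch digest" pair per line; the digests are made up.
MANIFESTS='amd64 sha256:1111111111111111111111111111111111111111111111111111111111111111
arm64 sha256:2222222222222222222222222222222222222222222222222222222222222222
ppc64le sha256:3333333333333333333333333333333333333333333333333333333333333333'

# Hypothetical stand-in for `oc image extract` followed by `clamscan`.  It only
# simulates elapsed time and an outcome; the real task shells out to both
# binaries.  Exit status 1 mirrors clamscan's "virus(es) found" status.
scan_one_arch() {
  local arch="$1" digest="$2"
  local log="$WORK/logs/clamscan-result-$arch.log"
  sleep 0.2                                # simulated extract + scan time
  echo "$digest" > "$WORK/digests/$arch"   # hand the digest back to the parent
  if [[ "$arch" == "ppc64le" ]]; then      # constructed: one arch has a finding
    printf 'Infected files: 1\n' > "$log"
    return 1
  fi
  printf 'Infected files: 0\n' > "$log"
}

# Launch every arch concurrently, then wait on each PID individually.
# Returns the number of arches whose scan did not come back clean.
scan_all_parallel() {
  local -a archs=() pids=()
  local arch digest i failed=0
  while read -r arch digest; do
    [[ -n "$arch" ]] || continue
    scan_one_arch "$arch" "$digest" &
    archs+=("$arch")
    pids+=("$!")
  done <<< "$MANIFESTS"

  for i in "${!pids[@]}"; do
    if wait "${pids[$i]}"; then
      echo "${archs[$i]}: clean"
    else
      echo "${archs[$i]}: scan reported findings or failed"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Rebuild the digest list the task writes to IMAGES_PROCESSED, this time from
# the per-arch files the jobs left behind (glob order keeps it deterministic).
collect_digests_json() {
  local f parts=()
  for f in "$WORK/digests"/*; do
    parts+=("\"$(cat "$f")\"")
  done
  local IFS=,
  printf '{"digests": [%s]}\n' "${parts[*]}"
}

main() {
  scan_all_parallel || echo "$? arch scan(s) need attention"
  collect_digests_json
}

if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then main; fi
```

Two caveats apply before doing this in the real task. `clamscan` is a single-process scanner that loads the full signature database on every invocation, so scanning the arches concurrently multiplies peak memory against the step's 8Gi limit shown in the dump above; a `clamd` daemon with `clamdscan --multiscan` shares one loaded database across scanning threads and is the usual way to get parallelism inside one memory budget. And the sequential loop's `exit 0` on extraction failure only terminates the backgrounded job once the body runs in the background, so that failure has to be surfaced through `wait`, as above, rather than assumed to stop the step.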

Projects
Status: 📋 Backlog
Development

No branches or pull requests

1 participant