diff --git a/.github/workflows/kustomize-build.yml b/.github/workflows/kustomize-build.yml
index 38d8e2f..270a5e8 100644
--- a/.github/workflows/kustomize-build.yml
+++ b/.github/workflows/kustomize-build.yml
@@ -20,3 +20,33 @@ jobs:
 
 - name: Build push-to-external-registry pipeline
 run: kustomize build tekton-catalog/pipelines/push-to-external-registry/
+
+ - name: Build docker-build-oci-ta pipeline
+ run: kustomize build tekton-catalog/pipelines/docker-build-oci-ta/
+
+ - name: Verify build-source-image defaults to true
+ run: |
+ BUILT=$(kustomize build tekton-catalog/pipelines/docker-build-oci-ta/)
+ DEFAULT=$(echo "$BUILT" | yq '.spec.params[] | select(.name == "build-source-image") | .default')
+ if [ "$DEFAULT" != "true" ]; then
+ echo "ERROR: build-source-image default is '${DEFAULT}', expected 'true'"
+ echo "The upstream pipeline may have reordered params — check patch.yaml index."
+ exit 1
+ fi
+ echo "OK: build-source-image default is 'true'"
+
+ - name: Verify build-container uses our custom task bundle
+ run: |
+ BUILT=$(kustomize build tekton-catalog/pipelines/docker-build-oci-ta/)
+ RESOLVER=$(echo "$BUILT" | yq '.spec.tasks[] | select(.name == "build-container") | .taskRef.resolver')
+ BUNDLE=$(echo "$BUILT" | yq '.spec.tasks[] | select(.name == "build-container") | .taskRef.params[] | select(.name == "bundle") | .value')
+ if [ "$RESOLVER" != "bundles" ]; then
+ echo "ERROR: build-container taskRef.resolver is '${RESOLVER}', expected 'bundles'"
+ echo "The upstream pipeline may have reordered tasks — check patch.yaml index."
+ exit 1
+ fi
+ if [[ "$BUNDLE" != quay.io/foreman/tekton-catalog/task-buildah-oci-ta* ]]; then
+ echo "ERROR: build-container bundle is '${BUNDLE}', expected quay.io/foreman/tekton-catalog/task-buildah-oci-ta:*"
+ exit 1
+ fi
+ echo "OK: build-container uses ${BUNDLE}"
diff --git a/.github/workflows/publish-pipeline-bundle.yml b/.github/workflows/publish-pipeline-bundle.yml
index 1e7b4ed..fbe1081 100644
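Review bot: The bundle check in the second verification step uses the glob `task-buildah-oci-ta*`, which also accepts any repository whose name merely begins with that string, while the error message right below promises `task-buildah-oci-ta:*`; tightening it to `if [[ "$BUNDLE" != quay.io/foreman/tekton-catalog/task-buildah-oci-ta:* ]]; then` makes the check match its message and rejects look-alike repository names. The build step and both verification steps each run `kustomize build`, which per the new kustomization.yaml on this page fetches the upstream pipeline from `refs/heads/main` on every call, so one job performs three network fetches and the two assertions can in principle inspect different upstream snapshots; building once and passing `BUILT` through a step output or a temp file would remove both issues. The job's `steps:` list begins above the hunk.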
--- a/.github/workflows/publish-pipeline-bundle.yml
+++ b/.github/workflows/publish-pipeline-bundle.yml
@@ -7,6 +7,10 @@ on:
 - develop
 paths:
 - 'tekton-catalog/**'
+ schedule:
+ # Weekly rebuild to pick up upstream docker-build-oci-ta changes
+ # (kustomization.yaml fetches refs/heads/main at build time).
+ - cron: '0 6 * * 1'
 workflow_dispatch:
 
 jobs:
@@ -21,17 +25,29 @@ jobs:
 id: filter
 with:
 filters: |
- pipeline:
- - 'tekton-catalog/pipelines/**'
+ pipeline-push-to-external-registry:
+ - 'tekton-catalog/pipelines/push-to-external-registry/**'
+ pipeline-docker-build-oci-ta:
+ - 'tekton-catalog/pipelines/docker-build-oci-ta/**'
 task-buildah-oci-ta:
 - 'tekton-catalog/tasks/buildah-oci-ta/**'
 
 - name: Set up kustomize
- if: steps.filter.outputs.pipeline == 'true' || steps.filter.outputs.task-buildah-oci-ta == 'true'
+ if: >-
+ steps.filter.outputs.pipeline-push-to-external-registry == 'true' ||
+ steps.filter.outputs.pipeline-docker-build-oci-ta == 'true' ||
+ steps.filter.outputs.task-buildah-oci-ta == 'true' ||
+ github.event_name == 'schedule' ||
+ github.event_name == 'workflow_dispatch'
 uses: imranismail/setup-kustomize@v2
 
 - name: Install tkn CLI
- if: steps.filter.outputs.pipeline == 'true' || steps.filter.outputs.task-buildah-oci-ta == 'true'
+ if: >-
+ steps.filter.outputs.pipeline-push-to-external-registry == 'true' ||
+ steps.filter.outputs.pipeline-docker-build-oci-ta == 'true' ||
+ steps.filter.outputs.task-buildah-oci-ta == 'true' ||
+ github.event_name == 'schedule' ||
+ github.event_name == 'workflow_dispatch'
 run: |
 TKN_VERSION=0.39.0
 curl -Ls "https://github.com/tektoncd/cli/releases/download/v${TKN_VERSION}/tkn_${TKN_VERSION}_Linux_x86_64.tar.gz" \
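Review bot: The new `schedule` trigger runs the workflow against the repository's default branch, whereas the `push` trigger just above it is limited to `develop`; if `develop` is not the default branch, the Monday run publishes whatever `tekton-catalog/` looks like on the default branch, and `workflow_dispatch` can likewise be started from any branch. If publishing is meant to come only from `develop`, a ref guard on the job, e.g. `if: github.event_name == 'push' || github.ref == 'refs/heads/develop'`, ties the scheduled and manual paths to the same branch the push trigger names. The enclosing `on:` block starts above the hunk and the job definition continues below it.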
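Review bot: The five-line `if:` expression introduced on `Set up kustomize` is repeated verbatim on `Install tkn CLI` in this hunk and on `Login to Quay.io` in the `@@ -40,7` hunk, and a four-term variant guards the new push step in the `@@ -72,3` hunk; four hand-maintained copies will drift the next time a bundle or trigger is added. Computing the decision once, in a step directly after the filter that writes a single output (`echo "build=true" >> "$GITHUB_OUTPUT"` under the combined condition) and referencing that output from each `if:`, keeps the logic in one place. The filter step's `uses:` line sits above the hunk, so whether it yields outputs at all on `schedule` events (where there is no push range to compare) is not visible here and is worth confirming, since the new `if:` terms fall back to `github.event_name` for that case anyway.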
@@ -40,7 +56,12 @@ jobs:
 tkn version
 
 - name: Login to Quay.io
- if: steps.filter.outputs.pipeline == 'true' || steps.filter.outputs.task-buildah-oci-ta == 'true'
+ if: >-
+ steps.filter.outputs.pipeline-push-to-external-registry == 'true' ||
+ steps.filter.outputs.pipeline-docker-build-oci-ta == 'true' ||
+ steps.filter.outputs.task-buildah-oci-ta == 'true' ||
+ github.event_name == 'schedule' ||
+ github.event_name == 'workflow_dispatch'
 uses: redhat-actions/podman-login@v1
 with:
 registry: quay.io
@@ -48,7 +69,7 @@ jobs:
 password: ${{ secrets.QUAY_ROBOT_TOKEN }}
 
 - name: Build and push push-to-external-registry pipeline bundle
- if: steps.filter.outputs.pipeline == 'true'
+ if: steps.filter.outputs.pipeline-push-to-external-registry == 'true'
 run: |
 REPO=quay.io/foreman/tekton-catalog/pipeline-push-to-external-registry
 BUILT=$(kustomize build tekton-catalog/pipelines/push-to-external-registry/)
@@ -72,3 +93,20 @@ jobs:
 skopeo copy "docker://${REPO}:${FULL_VERSION}" "docker://${REPO}:${MINOR_VERSION}"
 skopeo copy "docker://${REPO}:${FULL_VERSION}" "docker://${REPO}:latest"
 echo "Published ${REPO}:${FULL_VERSION}, ${REPO}:${MINOR_VERSION} and ${REPO}:latest"
+
+ - name: Build and push docker-build-oci-ta pipeline bundle
+ if: >-
+ steps.filter.outputs.pipeline-docker-build-oci-ta == 'true' ||
+ steps.filter.outputs.task-buildah-oci-ta == 'true' ||
+ github.event_name == 'schedule' ||
+ github.event_name == 'workflow_dispatch'
+ run: |
+ REPO=quay.io/foreman/tekton-catalog/pipeline-docker-build-oci-ta
+ BUILT=$(kustomize build tekton-catalog/pipelines/docker-build-oci-ta/)
+ FULL_VERSION=$(echo "$BUILT" | python3 -c "import sys, yaml; d = yaml.safe_load(sys.stdin); print(d['metadata'].get('labels', {}).get('app.kubernetes.io/version') or d['metadata']['annotations']['tekton.dev/pipelines.minVersion'])")
+ MINOR_VERSION=$(echo "$FULL_VERSION" | cut -d. -f1,2)
+ echo "Publishing ${REPO}:${FULL_VERSION} and ${REPO}:${MINOR_VERSION}"
+ echo "$BUILT" | tkn bundle push "${REPO}:${FULL_VERSION}" -f -
+ skopeo copy "docker://${REPO}:${FULL_VERSION}" "docker://${REPO}:${MINOR_VERSION}"
+ skopeo copy "docker://${REPO}:${FULL_VERSION}" "docker://${REPO}:latest"
+ echo "Published ${REPO}:${FULL_VERSION}, ${REPO}:${MINOR_VERSION} and ${REPO}:latest"
diff --git a/CLAUDE.md b/CLAUDE.md
index dfeac4b..8cd1c3b 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -224,6 +224,7 @@ uv run pytest hack/branch-release/tests/
 yamllint .
 
 # Validate kustomize renders cleanly
+kustomize build tekton-catalog/pipelines/docker-build-oci-ta/
 kustomize build tekton-catalog/pipelines/push-to-external-registry/
 kustomize build tekton-catalog/tasks/buildah-oci-ta/
 ```
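Review bot: The new push step pipes the `kustomize build` output straight into `tkn bundle push` and then retags it as `:latest`, without the param/task assertions that kustomize-build.yml on this page performs; because the kustomization fetches `refs/heads/main` at build time and patch.yaml addresses `/spec/params/9` and `/spec/tasks/3` by index, an upstream reorder between the last PR check and a scheduled Monday run would make the JSON 6902 `replace` ops land on the wrong entries and the mis-patched pipeline would still be published under the tag the tenants-config section on this page points every component at. Repeating the two `yq` checks on `$BUILT` before the push, as below, turns that into a failed job instead of a bad `:latest`. Separately, the `FULL_VERSION` fallback to `tekton.dev/pipelines.minVersion` tags the bundle with a Tekton minimum version rather than a pipeline version when the label is absent — presumably copied from the existing step above, but a one-line comment on why that fallback is acceptable would help. The job's earlier steps are above the hunk.

```yaml
      - name: Build and push docker-build-oci-ta pipeline bundle
        # … unchanged: if: condition …
        run: |
          REPO=quay.io/foreman/tekton-catalog/pipeline-docker-build-oci-ta
          BUILT=$(kustomize build tekton-catalog/pipelines/docker-build-oci-ta/)
          # Refuse to publish if upstream reordered params/tasks so that the
          # index-based ops in patch.yaml no longer hit the intended entries.
          DEFAULT=$(echo "$BUILT" | yq '.spec.params[] | select(.name == "build-source-image") | .default')
          RESOLVER=$(echo "$BUILT" | yq '.spec.tasks[] | select(.name == "build-container") | .taskRef.resolver')
          if [ "$DEFAULT" != "true" ] || [ "$RESOLVER" != "bundles" ]; then
            echo "ERROR: patched pipeline failed sanity check (default='${DEFAULT}', resolver='${RESOLVER}') — check patch.yaml indices"
            exit 1
          fi
          # … unchanged: version derivation, tkn bundle push, skopeo copies, summary echo …
```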
@@ -236,7 +237,36 @@ Bundles are **not** built from this repo's YAML directly — they are assembled `tekton-catalog/hack/push-bundles.sh` is the local equivalent for manual testing only. -**When a task bundle is updated:** after a new `task-buildah-oci-ta` bundle is published (triggered by a merge to `develop` that changes `tekton-catalog/tasks/buildah-oci-ta/`), open a follow-up PR to every OCI image repo to update the bundle digest in their `.tekton/` files. Use `skopeo inspect docker://quay.io/foreman/tekton-catalog/task-buildah-oci-ta:0.9 | jq -r .Digest` to get the current digest. +### Bundle inventory + +| Bundle | Quay repo | Trigger | +|---|---|---| +| `pipeline-docker-build-oci-ta` | `quay.io/foreman/tekton-catalog/pipeline-docker-build-oci-ta` | Changes to `tekton-catalog/pipelines/docker-build-oci-ta/**`, task bundle changes, or weekly schedule | +| `pipeline-push-to-external-registry` | `quay.io/foreman/tekton-catalog/pipeline-push-to-external-registry` | Changes to `tekton-catalog/pipelines/push-to-external-registry/**` | +| `task-buildah-oci-ta` | `quay.io/foreman/tekton-catalog/task-buildah-oci-ta` | Changes to `tekton-catalog/tasks/buildah-oci-ta/**` | + +**`pipeline-docker-build-oci-ta`** is a patched fork of the upstream Konflux build pipeline. It embeds two overrides relative to upstream: +- `build-container` task uses our custom `task-buildah-oci-ta` bundle (higher memory/CPU limits). +- `build-source-image` param defaults to `"true"` (upstream default is `"false"`). + +The weekly scheduled rebuild (Monday 06:00 UTC) picks up upstream `docker-build-oci-ta` changes automatically, since the kustomization fetches `refs/heads/main` at build time. The `pipeline-docker-build-oci-ta` bundle is also rebuilt whenever `task-buildah-oci-ta` changes. + +**When a task bundle is updated:** the `pipeline-docker-build-oci-ta` bundle is rebuilt automatically in the same CI run. 
For OCI repos that are not yet using the custom pipeline bundle, also open a follow-up PR to update the bundle digest in their `.tekton/` files. Use `skopeo inspect docker://quay.io/foreman/tekton-catalog/task-buildah-oci-ta:0.9 | jq -r .Digest` to get the current digest. + +### Activating the custom pipeline bundle in tenants-config + +After `pipeline-docker-build-oci-ta` is published, update every Foreman component annotation in tenants-config to use our bundle instead of the upstream one: + +```yaml +# Before (upstream bundle) +build.appstudio.openshift.io/pipeline: '{"name":"docker-build-oci-ta","bundle":"latest"}' + +# After (our custom bundle) +build.appstudio.openshift.io/pipeline: '{"name":"docker-build-oci-ta","bundle":"quay.io/foreman/tekton-catalog/pipeline-docker-build-oci-ta:latest"}' +build.appstudio.openshift.io/request: "configure-pac" +``` + +The `configure-pac` annotation triggers Konflux to regenerate the `.tekton` files in the OCI repos with the correct pipeline bundle reference. **Regeneration does not preserve prior `.tekton` customizations** — `ADDITIONAL_TAGS` (see issue #26) must be re-applied after each `configure-pac` reconfiguration. ## PR/MR rules diff --git a/tekton-catalog/hack/push-bundles.sh b/tekton-catalog/hack/push-bundles.sh index 3dfc8c5..570de55 100755 --- a/tekton-catalog/hack/push-bundles.sh +++ b/tekton-catalog/hack/push-bundles.sh @@ -37,5 +37,6 @@ print(version)") echo "==> Published ${repo}:${full_version}, ${repo}:${minor_version} and ${repo}:latest" } +push_bundle pipeline-docker-build-oci-ta tekton-catalog/pipelines/docker-build-oci-ta push_bundle pipeline-push-to-external-registry tekton-catalog/pipelines/push-to-external-registry push_bundle task-buildah-oci-ta tekton-catalog/tasks/buildah-oci-ta diff --git a/tekton-catalog/pipelines/docker-build-oci-ta/kustomization.yaml b/tekton-catalog/pipelines/docker-build-oci-ta/kustomization.yaml new file mode 100644 index 0000000..6b06c65 --- /dev/null 
+++ b/tekton-catalog/pipelines/docker-build-oci-ta/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - "https://raw.githubusercontent.com/konflux-ci/build-definitions/refs/heads/main/pipelines/docker-build-oci-ta/docker-build-oci-ta.yaml"
+patches:
+ - path: patch.yaml
+ target:
+ kind: Pipeline
diff --git a/tekton-catalog/pipelines/docker-build-oci-ta/patch.yaml b/tekton-catalog/pipelines/docker-build-oci-ta/patch.yaml
new file mode 100644
index 0000000..fb60785
--- /dev/null
+++ b/tekton-catalog/pipelines/docker-build-oci-ta/patch.yaml
@@ -0,0 +1,31 @@
+---
+# JSON 6902 patch for the docker-build-oci-ta pipeline.
+#
+# Upstream pipeline params (0-based indices used below):
+# 9: build-source-image ← default "false" → override to "true"
+#
+# Upstream pipeline tasks (0-based indices used below):
+# 3: build-container ← uses upstream buildah-oci-ta; redirect to our custom bundle
+#
+# Task indices verified with:
+# curl -Ls "$UPSTREAM_URL" | yq ".spec.tasks.[].name" | nl -v0
+
+# Override build-source-image default to "true" — the generated .tekton files
+# default this to "false"; source images are required for production Quay pushes.
+- op: replace
+ path: /spec/params/9/default
+ value: "true"
+
+# Redirect build-container to our custom buildah-oci-ta bundle, which raises
+# memory/CPU limits to handle large Foreman images (build: 16Gi, sbom: 8Gi).
+- op: replace
+ path: /spec/tasks/3/taskRef
+ value:
+ resolver: bundles
+ params:
+ - name: bundle
+ value: quay.io/foreman/tekton-catalog/task-buildah-oci-ta:0.9
+ - name: name
+ value: buildah-oci-ta
+ - name: kind
+ value: task
diff --git a/tekton-catalog/pipelines/kustomization.yaml b/tekton-catalog/pipelines/kustomization.yaml
index 422c90a..cf50311 100644
--- a/tekton-catalog/pipelines/kustomization.yaml
+++ b/tekton-catalog/pipelines/kustomization.yaml
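Review bot: The single `resources:` entry points at `refs/heads/main` of konflux-ci/build-definitions, so every `kustomize build` — including the unattended weekly publish added in this commit — consumes whatever that branch holds at that instant, with no pin and no integrity check; a published bundle is therefore not reproducible from this repository's history, and any upstream change (or a compromise of that branch) flows into `:latest` without anyone in this repo reviewing it. Pinning the URL to a commit, `https://raw.githubusercontent.com/konflux-ci/build-definitions/<UPSTREAM_COMMIT_SHA>/pipelines/docker-build-oci-ta/docker-build-oci-ta.yaml`, and having the scheduled job open a bump PR instead of publishing directly would keep each bundle attributable to a reviewed upstream revision while preserving the weekly refresh. If tracking the floating ref is the intended trade-off, a comment on the entry such as `# Deliberately tracks upstream main; the weekly publish schedule rebuilds from it` records that decision next to the URL.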
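Review bot: The `build-container` override references the task bundle by the mutable tag `:0.9` rather than a digest, so the effective content of an already-published pipeline bundle changes whenever that tag is re-pushed, while the CLAUDE.md text on this page has the `.tekton/` files pin the very same bundle by digest via `skopeo inspect`. If the moving tag is what makes the "rebuilt automatically when `task-buildah-oci-ta` changes" flow work, a comment next to the value saying so (`# deliberately a moving tag: the publish workflow rebuilds this pipeline whenever task-buildah-oci-ta is re-published`) would prevent a well-meaning digest pin from breaking that flow; otherwise pin `quay.io/foreman/tekton-catalog/task-buildah-oci-ta:0.9@sha256:<DIGEST>` and let CI bump it. Note also that `op: replace` on `/spec/params/9/default` and `/spec/tasks/3/taskRef` succeeds against whatever entry sits at that index, so the header comment's "verified with" procedure and the CI assertions are the only thing standing between an upstream reorder and a silently mis-patched pipeline — worth stating in the header so readers do not assume the patch itself fails safe.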
@@ -2,4 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - docker-build-oci-ta/
 - push-to-external-registry/