stackrox · msugakov · May 29, 2024 · May 23, 2024 · May 23, 2024 · May 23, 2024
@@ -9,13 +9,13 @@ metadata:
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
     pipelinesascode.tekton.dev/max-keep-runs: "500"
     # TODO(ROX-21073): re-enable for all PR branches
-    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && (source_branch.contains("rhtap") || source_branch.contains("konflux"))
+    pipelinesascode.tekton.dev/on-cel-expression: (event == "push" && target_branch == "master") || (event == "pull_request" && (source_branch.contains("rhtap") || source_branch.contains("konflux")))
   creationTimestamp: null
   labels:
     appstudio.openshift.io/application: acs
     appstudio.openshift.io/component: collector
     pipelines.appstudio.openshift.io/type: build
-  name: collector-on-pull-request
+  name: collector-build
   namespace: rh-acs-tenant
 
 spec:
@@ -25,11 +25,10 @@ spec:
   - name: git-url
     value: '{{repo_url}}'
   - name: image-expires-after
+    # TODO(ROX-20230): make release images not expire.
     value: '13w'
   - name: output-image-repo
     value: quay.io/rhacs-eng/collector
-  - name: output-tag-suffix
-    value: '-latest'
   - name: path-context
     value: .
   - name: revision
@@ -50,8 +49,6 @@ spec:
     value: 'true'
   - name: build-source-image
     value: 'true'
-  - name: build-target-stage
-    value: collector
 
   workspaces:
   - name: workspace
@@ -71,6 +68,26 @@ spec:
     secret:
       secretName: subscription-manager-activation-key
 
+  taskRunSpecs:
+  - pipelineTaskName: build-container
+    stepSpecs:
+    - name: build
+      # CPU requests are increased to speed up builds compared to the defaults.
+      # Defaults: https://github.com/redhat-appstudio/build-definitions/blob/main/task/buildah/0.1/buildah.yaml#L126
+      computeResources:
+        limits:
+          cpu: 4
+        requests:
+          cpu: 4
+  - pipelineTaskName: clamav-scan
+    stepSpecs:
+    # Provision more CPU to speed up ClamAV scan compared to the defaults.
+    # https://github.com/redhat-appstudio/build-definitions/blob/main/task/clamav-scan/0.1/clamav-scan.yaml#L48
+    - name: extract-and-scan-image
+      computeResources:
+        requests:
+          cpu: 1
+
   # The pipeline regularly takes >1h to finish.
   timeouts:
     pipeline: 1h30m0s

@@ -53,9 +53,6 @@ spec:
   - description: Output Image Repository
     name: output-image-repo
     type: string
-  - description: Suffix appended to the tag of the output image
-    name: output-tag-suffix
-    type: string
   - default: .
     description: Path to the source code of an application's component from where
       to build image.
@@ -130,11 +127,10 @@ spec:
   - name: init
     params:
     - name: image-url
-      # We can't provide a real tag because it is not known at this time.
-      # We still provide a fake tag to the task to comply with the expected input.
-      # Because 'rebuild' is set to true, this has no effect.
-      # TODO(ROX-24116): Apply both Konflux-style and StackRox-style tags to containers
-      value: $(params.output-image-repo):fake-tag
+      # We can't provide a StackRox-style tag because it is not known at this time (requires cloning source, etc.)
+      # As a workaround, we still provide a unique tag that's based on a revision to this task to comply with its
+      # expected input. We later actually add this tag on a built image with apply-tags task.
+      value: $(params.output-image-repo):konflux-$(params.revision)
     - name: rebuild
       value: $(params.rebuild)
     taskRef:
@@ -227,7 +223,7 @@ spec:
   - name: build-container
     params:
     - name: IMAGE
-      value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)$(params.output-tag-suffix)
+      value: $(params.output-image-repo):$(tasks.determine-image-tag.results.image-tag)
     - name: DOCKERFILE
       value: $(params.dockerfile)
     - name: CONTEXT
@@ -262,6 +258,28 @@ spec:
     - name: source
       workspace: workspace
 
+  - name: apply-tags
+    params:
+    - name: IMAGE
+      value: $(tasks.build-container.results.IMAGE_URL)
+    - name: ADDITIONAL_TAGS
+      value:
+      - konflux-$(params.revision)
+      # TODO(ROX-24402): don't publish multiple tags when ability to install Slim collector is gone.
+      - $(tasks.determine-image-tag.results.image-tag)-latest
+      - $(tasks.determine-image-tag.results.image-tag)-slim
+    runAfter:
+    - build-container
+    taskRef:
+      params:
+      - name: name
+        value: apply-tags
+      - name: bundle
+        value: quay.io/redhat-appstudio-tekton-catalog/task-apply-tags:0.1@sha256:29add9a49a2281a3755a9b580d2b9c5cb110231b14cccf8ade2fd7895a9b4b4a
+      - name: kind
+        value: task
+      resolver: bundles
+
   - name: build-source-image
     params:
     - name: BINARY_IMAGE

@@ -112,7 +112,7 @@ RUN /tmp/.konflux/scripts/subscription-manager-bro.sh register /mnt && \
     rpm --root=/mnt --verbose -e --nodeps $(rpm --root=/mnt -qa 'curl' '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \
     rm -rf /mnt/var/cache/dnf /mnt/var/cache/yum
 
-FROM scratch as collector-common
+FROM scratch
 
 COPY --from=rpm-implanter-app /mnt /
 
@@ -160,15 +160,6 @@ CMD collector-wrapper.sh \
     --collection-method=$COLLECTION_METHOD \
     --grpc-server=$GRPC_SERVER
 
-FROM collector-common AS collector-slim
-
-LABEL \
-    com.redhat.component="rhacs-collector-slim-container" \
-    io.k8s.display-name="collector-slim" \
-    name="rhacs-collector-slim-rhel8"
-
-FROM collector-common AS collector
-
 LABEL \
     com.redhat.component="rhacs-collector-container" \
     io.k8s.display-name="collector" \