From 89b9c3c804cb32ff8658d174801714118c8d3eaa Mon Sep 17 00:00:00 2001
From: Pablo Acevedo Montserrat
Date: Tue, 17 Mar 2026 15:49:26 +0100
Subject: [PATCH 1/2] update konflux task refs script to use pmt
---
 release/hack/update-konflux-task-refs.sh | 72 +++++++++---------------
 1 file changed, 28 insertions(+), 44 deletions(-)
diff --git a/release/hack/update-konflux-task-refs.sh b/release/hack/update-konflux-task-refs.sh
index feea8c9e8..6d4ef85ad 100755
--- a/release/hack/update-konflux-task-refs.sh
+++ b/release/hack/update-konflux-task-refs.sh
@@ -1,54 +1,38 @@ #!/bin/bash +set -x -command -v yq >/dev/null 2>&1 || { echo >&2 "'yq' is required but it's not installed. Aborting."; exit 1; } -command -v skopeo >/dev/null 2>&1 || { echo >&2 "'skopeo' is required but it's not installed. Aborting."; exit 1; } +command -v yq >/dev/null 2>&1 || { echo >&2 "'yq' is required but it's not installed. Aborting."; exit 1; } +command -v skopeo >/dev/null 2>&1 || { echo >&2 "'skopeo' is required but it's not installed. Aborting."; exit 1; } +command -v pmt >/dev/null 2>&1 || { echo >&2 "'pmt' is required but it's not installed. Aborting."; exit 1; } -PIPELINE_FILE="" - -function update_manifest_if_outdated() { - image=$(echo $1 | cut -d '@' -f 1) - manifest=$(echo $1 | cut -d '@' -f 2) - - new_manifest=$(skopeo inspect --format='{{ .Digest }}' "docker://${image}") - if [[ $? -ne 0 ]]; then - echo "error encountered running skopeo inspect against ${image}. Aborting."; exit 1 - fi - - if [[ "$new_manifest" == "$manifest" ]]; then - return # no new manifest - fi - - if update_manifest $image $manifest $new_manifest; then - echo "Updated manifest for ${image}:" - echo "${manifest} => ${new_manifest}" - - else - echo "unable to patch ${image}. Aborting."; exit 1 - fi -} - -function update_manifest() { - image=$1 - old_manifest=$2 - new_manifest=$3 - - ret=0 - if [[ "$OSTYPE" == "darwin"* ]]; then - sed -i '' -e "s%${image}@${old_manifest}%${image}@${new_manifest}%g" $PIPELINE_FILE - else - sed -i -e "s%${image}@${old_manifest}%${image}@${new_manifest}%g" $PIPELINE_FILE - fi - return $? -} +NEW_BUNDLES=() +# Collect all bundle references from all pipeline files for PIPELINE_FILE in "$@"; do echo "Checking ${PIPELINE_FILE} for task manifest updates..." 
- active_manifests=() - # Fetch the manifests that are currently used in our pipelines - IFS=$'\n' read -r -d '' -a active_manifests < <( yq '.spec.tasks[].taskRef.params | filter(.name == "bundle") | .[].value' $PIPELINE_FILE && printf '\0' ) + IFS=$'\n' read -r -d '' -a active_manifests < <( yq '.spec.tasks[].taskRef.params | filter(.name == "bundle") | .[].value' "$PIPELINE_FILE" && printf '\0' ) + + for manifest in "${active_manifests[@]}"; do + image=$(echo "$manifest" | cut -d '@' -f 1) + current_digest=$(echo "$manifest" | cut -d '@' -f 2) - for manifest in ${active_manifests[@]}; do - update_manifest_if_outdated $manifest + if ! new_digest=$(skopeo inspect --format='{{ .Digest }}' "docker://${image}"); then + echo "error encountered running skopeo inspect against ${image}. Aborting."; exit 1 + fi + + if [[ "$new_digest" != "$current_digest" ]]; then + echo "Found update for ${image}:" + echo "${current_digest} => ${new_digest}" + NEW_BUNDLES+=("--new-bundle" "${image}@${new_digest}") + fi done done + +# Apply migrations if there are any updates +if [[ ${#NEW_BUNDLES[@]} -gt 0 ]]; then + echo "Applying migrations with pmt..." + pmt migrate "${NEW_BUNDLES[@]}" +else + echo "No updates found." +fi From e96691ec27b3116519d93589e6950c483da9b830 Mon Sep 17 00:00:00 2001 From: Pablo Acevedo Montserrat Date: Tue, 17 Mar 2026 15:49:44 +0100 Subject: [PATCH 2/2] update konflux refs in pipelines --- .tekton/multi-arch-build-pipeline.yaml | 14 +++++++------- .tekton/single-arch-build-pipeline.yaml | 14 +++++++------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/.tekton/multi-arch-build-pipeline.yaml b/.tekton/multi-arch-build-pipeline.yaml index ff7ade0ab..1309139f4 100644 --- a/.tekton/multi-arch-build-pipeline.yaml +++ b/.tekton/multi-arch-build-pipeline.yaml 
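Review bot: The value captured from `skopeo inspect` in the inner loop is appended to `NEW_BUNDLES` and passed to `pmt migrate` with no check that it is a well-formed digest, so an empty or unexpected output for a tag can become a `--new-bundle` argument. Before the comparison with `current_digest` I would add `[[ "$new_digest" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo >&2 "unexpected digest '${new_digest}' for ${image}. Aborting."; exit 1; }` (widen the pattern if other digest algorithms are accepted). The script pins whatever the registry currently serves for a mutable tag and does no signature or provenance check, so the resulting digest changes still need a human look in the follow-up commit. The unconditional `set -x` on the new second line looks like leftover debugging and is better dropped or gated behind an environment variable; a `yq` failure inside the process substitution is also still silent, since only `read`'s status is affected.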
@@ -230,7 +230,7 @@ spec:
 - name: name
 value: clair-scan
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609
+ value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9f73e95380ad0c3c53678a4b272cfa39c2ac866470bb980422f77ea8e93f455e
 - name: kind
 value: task
 resolver: bundles
@@ -250,7 +250,7 @@ spec:
 - name: name
 value: ecosystem-cert-preflight-checks
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:945f8ba72381402ce6b00efa24a6eeb19a27ba68b445474c28ebfbfb21bb365f
+ value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb
 - name: kind
 value: task
 resolver: bundles
@@ -276,7 +276,7 @@ spec:
 - name: name
 value: sast-snyk-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:6045ed6f2d37cfdf75cb3f2bf88706839c276a59f892ae027a315456c2914cf3
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:4fd74f3c0757f703146d3d48d4e96ce15c630b5ab163d1fbb8324d72c37a3c15
 - name: kind
 value: task
 resolver: bundles
@@ -348,7 +348,7 @@ spec:
 - name: name
 value: sast-coverity-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:ab60e90de028036be823e75343fdc205418edcfa7c4de569bb5f8ab833bc2037
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:61aa6a0eb8e99057ffd133672adf75880555a81074d9c3b6e3b4f0b41d4eab2a
 - name: kind
 value: task
 resolver: bundles
@@ -395,7 +395,7 @@ spec:
 - name: name
 value: sast-shell-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c314b4d5369d7961af51c865be28cd792d5f233aef94ecf035b3f84acde398bf
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:6f047f52c04ee6e4d2cb25af46e3ea92b235f6c5e02da540fb7ef0b90718bc0a
 - name: kind
 value: task
 resolver: bundles
@@ -421,7 +421,7 @@ spec:
 - name: name
 value: sast-unicode-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:3d8a6902ab7c5c2125be07263f395426342c5032b3abfd0140162ad838437bab
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:ff9d70e44b7da78a8d6176880a03c2b3d074eb630ffa512d6c13e1741be19b0f
 - name: kind
 value: task
 resolver: bundles
@@ -465,7 +465,7 @@ spec:
 - name: name
 value: rpms-signature-scan
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:637fcb11066e2248d901c8f5fcbf713836bb9bf6ef6eff869b9891acd4d32398
+ value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:76f0fc0737a9ad8c01afda595067a45ab06d434dd70164046178bc1de72930c7
 - name: kind
 value: task
 resolver: bundles
diff --git a/.tekton/single-arch-build-pipeline.yaml b/.tekton/single-arch-build-pipeline.yaml
index d18a50af5..e01152564 100644
--- a/.tekton/single-arch-build-pipeline.yaml
+++ b/.tekton/single-arch-build-pipeline.yaml
@@ -185,7 +185,7 @@ spec:
 - name: name
 value: clair-scan
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609
+ value: quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9f73e95380ad0c3c53678a4b272cfa39c2ac866470bb980422f77ea8e93f455e
 - name: kind
 value: task
 resolver: bundles
@@ -205,7 +205,7 @@ spec:
 - name: name
 value: ecosystem-cert-preflight-checks
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:945f8ba72381402ce6b00efa24a6eeb19a27ba68b445474c28ebfbfb21bb365f
+ value: quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:b4ac586edea81dcd25dfc17f1bd57899825be2b443e48d572cd05ce058f153bb
 - name: kind
 value: task
 resolver: bundles
@@ -233,7 +233,7 @@ spec:
 - name: name
 value: sast-snyk-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:6045ed6f2d37cfdf75cb3f2bf88706839c276a59f892ae027a315456c2914cf3
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:4fd74f3c0757f703146d3d48d4e96ce15c630b5ab163d1fbb8324d72c37a3c15
 - name: kind
 value: task
 resolver: bundles
@@ -300,7 +300,7 @@ spec:
 - name: name
 value: sast-coverity-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:ab60e90de028036be823e75343fdc205418edcfa7c4de569bb5f8ab833bc2037
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-coverity-check-oci-ta:0.3@sha256:61aa6a0eb8e99057ffd133672adf75880555a81074d9c3b6e3b4f0b41d4eab2a
 - name: kind
 value: task
 resolver: bundles
@@ -347,7 +347,7 @@ spec:
 - name: name
 value: sast-shell-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c314b4d5369d7961af51c865be28cd792d5f233aef94ecf035b3f84acde398bf
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:6f047f52c04ee6e4d2cb25af46e3ea92b235f6c5e02da540fb7ef0b90718bc0a
 - name: kind
 value: task
 resolver: bundles
@@ -373,7 +373,7 @@ spec:
 - name: name
 value: sast-unicode-check-oci-ta
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:3d8a6902ab7c5c2125be07263f395426342c5032b3abfd0140162ad838437bab
+ value: quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:ff9d70e44b7da78a8d6176880a03c2b3d074eb630ffa512d6c13e1741be19b0f
 - name: kind
 value: task
 resolver: bundles
@@ -395,7 +395,7 @@ spec:
 - name: name
 value: rpms-signature-scan
 - name: bundle
- value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:637fcb11066e2248d901c8f5fcbf713836bb9bf6ef6eff869b9891acd4d32398
+ value: quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:76f0fc0737a9ad8c01afda595067a45ab06d434dd70164046178bc1de72930c7
 - name: kind
 value: task
 resolver: bundles