diff --git a/tasks/git-clone-checkout/task.yaml b/tasks/git-clone-checkout/task.yaml index fc3d070..8861bda 100644 --- a/tasks/git-clone-checkout/task.yaml +++ b/tasks/git-clone-checkout/task.yaml 
@@ -1,228 +1,99 @@ -apiVersion: tekton.dev/v1beta1 +apiVersion: tekton.dev/v1 kind: Task metadata: name: git-clone-checkout - labels: - app.kubernetes.io/version: "0.4" - annotations: - tekton.dev/pipelines.minVersion: "0.21.0" - tekton.dev/categories: git - tekton.dev/tags: git - tekton.dev/displayName: "git-clone-checkout" - tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le" + namespace: tekton-pipelines spec: - description: >- - This task can be used to perform git operations. - - git command that needs to be run can be passed as a script to - the task. - workspaces: - name: output - description: The git repo will be cloned onto the volume backing this Workspace. - name: ssh-directory optional: true - description: | - A .ssh directory with private key, known_hosts, config, etc. Copied to - the user's home before git commands are executed. Used to authenticate - with the git remote when performing the clone. Binding a Secret to this - Workspace is strongly recommended over other volume types. - name: basic-auth optional: true - description: | - A Workspace containing a .gitconfig and .git-credentials file. These - will be copied to the user's home before any git commands are run. Any - other files in this Workspace are ignored. It is strongly recommended - to use ssh-directory over basic-auth whenever possible and to bind a - Secret to this Workspace over other volume types. - name: ssl-ca-directory optional: true - description: | - A workspace containing CA certificates, this will be used by Git to - verify the peer with when fetching or pushing over HTTPS. - params: - name: repo-url - description: Repository URL to clone from. type: string - name: revision - description: Revision to checkout. (branch, tag, sha, ref, etc...) type: string + default: "" + - name: verbose + type: string + default: "true" - name: gitInitImage - description: The image providing the git-init binary that this Task runs. 
type: string default: "alpine/git:latest" - name: userHome - description: | - Absolute path to the user's home directory. type: string default: "/home/git" - - - + results: + - name: commit + - name: url + - name: committer-date steps: + - name: clone-checkout - image: $(params.gitInitImage) - workingDir: $(workspaces.output.path) + image: "$(params.gitInitImage)" + env: + - name: HOME + value: "$(params.userHome)" + - name: PARAM_URL + value: $(params.repo-url) + - name: PARAM_REVISION + value: $(params.revision) + - name: PARAM_VERBOSE + value: $(params.verbose) + - name: PARAM_USER_HOME + value: $(params.userHome) + - name: WORKSPACE_OUTPUT_PATH + value: $(workspaces.output.path) + - name: WORKSPACE_SSH_DIRECTORY_BOUND + value: $(workspaces.ssh-directory.bound) + - name: WORKSPACE_SSH_DIRECTORY_PATH + value: $(workspaces.ssh-directory.path) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND + value: $(workspaces.basic-auth.bound) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH + value: $(workspaces.basic-auth.path) + - name: WORKSPACE_SSL_CA_DIRECTORY_BOUND + value: $(workspaces.ssl-ca-directory.bound) + - name: WORKSPACE_SSL_CA_DIRECTORY_PATH + value: $(workspaces.ssl-ca-directory.path) script: | #!/usr/bin/env sh set -eu - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - "ALL" - runAsUser: 65532 - runAsGroup: 65532 - runAsNonRoot: true - seccompProfile: - type: RuntimeDefault + if [ "${PARAM_VERBOSE}" = "true" ]; then + set -x + fi + if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ]; then + cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials" + cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig" + chmod 400 "${PARAM_USER_HOME}/.git-credentials" + chmod 400 "${PARAM_USER_HOME}/.gitconfig" + fi + if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ]; then + cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}/.ssh" + chmod 700 
"${PARAM_USER_HOME}/.ssh" + chmod -R 400 "${PARAM_USER_HOME}/.ssh"/* + fi -# apiVersion: tekton.dev/v1 -# kind: Task -# metadata: -# name: git-clone-checkout -# labels: -# app.kubernetes.io/version: "0.9" -# annotations: -# tekton.dev/pipelines.minVersion: "0.38.0" -# tekton.dev/categories: Git -# tekton.dev/tags: git -# tekton.dev/displayName: "git clone & checkout" -# tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64" -# spec: -# description: >- -# These Tasks are Git tasks to work with repositories used by other tasks -# in your Pipeline. + if [ "${WORKSPACE_SSL_CA_DIRECTORY_BOUND}" = "true" ]; then + export GIT_SSL_CAPATH="${WORKSPACE_SSL_CA_DIRECTORY_PATH}" + fi -# The git-clone-checkout Task will clone a repo from the provided url into the -# output Workspace. By default the repo will be cloned into the root of -# your Workspace. You can clone into a subdirectory by setting this Task's -# subdirectory param. This Task also supports sparse checkouts. To perform -# a sparse checkout, pass a list of comma separated directory patterns to -# this Task's sparseCheckoutDirectories param. -# workspaces: -# - name: output -# description: The git repo will be cloned onto the volume backing this Workspace. -# - name: ssh-directory -# optional: true -# description: | -# A .ssh directory with private key, known_hosts, config, etc. Copied to -# the user's home before git commands are executed. Used to authenticate -# with the git remote when performing the clone. Binding a Secret to this -# Workspace is strongly recommended over other volume types. -# - name: basic-auth -# optional: true -# description: | -# A Workspace containing a .gitconfig and .git-credentials file. These -# will be copied to the user's home before any git commands are run. Any -# other files in this Workspace are ignored. It is strongly recommended -# to use ssh-directory over basic-auth whenever possible and to bind a -# Secret to this Workspace over other volume types. 
-# - name: ssl-ca-directory -# optional: true -# description: | -# A workspace containing CA certificates, this will be used by Git to -# verify the peer with when fetching or pushing over HTTPS. -# params: -# - name: repo-url -# description: Repository URL to clone from. -# type: string -# - name: revision -# description: Revision to checkout. (branch, tag, sha, ref, etc...) -# type: string -# default: "" -# - name: verbose -# description: Log the commands that are executed during `git-clone-checkout`'s operation. -# type: string -# default: "true" -# - name: gitInitImage -# description: The image providing the git-init binary that this Task runs. -# type: string -# default: "alpine/git:latest" -# - name: userHome -# description: | -# Absolute path to the user's home directory. -# type: string -# default: "/home/git" -# results: -# - name: commit -# description: The precise commit SHA that was fetched by this Task. -# - name: url -# description: The precise URL that was fetched by this Task. -# - name: committer-date -# description: The epoch timestamp of the commit that was fetched by this Task. 
-# steps: -# - name: clone-checkout -# image: "$(params.gitInitImage)" -# env: -# - name: HOME -# value: "$(params.userHome)" -# - name: PARAM_URL -# value: $(params.repo-url) -# - name: PARAM_REVISION -# value: $(params.revision) -# - name: PARAM_VERBOSE -# value: $(params.verbose) -# - name: PARAM_USER_HOME -# value: $(params.userHome) -# - name: WORKSPACE_OUTPUT_PATH -# value: $(workspaces.output.path) -# - name: WORKSPACE_SSH_DIRECTORY_BOUND -# value: $(workspaces.ssh-directory.bound) -# - name: WORKSPACE_SSH_DIRECTORY_PATH -# value: $(workspaces.ssh-directory.path) -# - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND -# value: $(workspaces.basic-auth.bound) -# - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH -# value: $(workspaces.basic-auth.path) -# - name: WORKSPACE_SSL_CA_DIRECTORY_BOUND -# value: $(workspaces.ssl-ca-directory.bound) -# - name: WORKSPACE_SSL_CA_DIRECTORY_PATH -# value: $(workspaces.ssl-ca-directory.path) -# script: | -# #!/usr/bin/env sh -# set -eu + git config --global --add safe.directory "${WORKSPACE_OUTPUT_PATH}" + cd "${WORKSPACE_OUTPUT_PATH}" -# if [ "${PARAM_VERBOSE}" = "true" ] ; then -# set -x -# fi + git clone "${PARAM_URL}" . 
+ git checkout "${PARAM_REVISION}" -# if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then -# cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials" -# cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig" -# chmod 400 "${PARAM_USER_HOME}/.git-credentials" -# chmod 400 "${PARAM_USER_HOME}/.gitconfig" -# fi + RESULT_SHA="$(git rev-parse HEAD)" + RESULT_COMMITTER_DATE="$(git log -1 --pretty=%ct)" -# if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then -# cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh -# chmod 700 "${PARAM_USER_HOME}"/.ssh -# chmod -R 400 "${PARAM_USER_HOME}"/.ssh/* -# fi - -# if [ "${WORKSPACE_SSL_CA_DIRECTORY_BOUND}" = "true" ] ; then -# export GIT_SSL_CAPATH="${WORKSPACE_SSL_CA_DIRECTORY_PATH}" -# if [ "${PARAM_CRT_FILENAME}" != "" ] ; then -# export GIT_SSL_CAINFO="${WORKSPACE_SSL_CA_DIRECTORY_PATH}/${PARAM_CRT_FILENAME}" -# fi -# fi - -# git config --global --add safe.directory "${WORKSPACE_OUTPUT_PATH}" -# cd "${WORKSPACE_OUTPUT_PATH}" - -# git clone "${PARAM_URL}" . -# git checkout "${PARAM_REVISION}" - -# RESULT_SHA="$(git rev-parse HEAD)" -# EXIT_CODE="$?" -# if [ "${EXIT_CODE}" != 0 ] ; then -# exit "${EXIT_CODE}" -# fi -# RESULT_COMMITTER_DATE="$(git log -1 --pretty=%ct)" -# printf "%s" "${RESULT_COMMITTER_DATE}" > "$(results.committer-date.path)" -# printf "%s" "${RESULT_SHA}" > "$(results.commit.path)" -# printf "%s" "${PARAM_URL}" > "$(results.url.path)" + printf "%s" "${RESULT_COMMITTER_DATE}" > "$(results.committer-date.path)" + printf "%s" "${RESULT_SHA}" > "$(results.commit.path)" + printf "%s" "${PARAM_URL}" > "$(results.url.path)"
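Review bot: The rewritten `clone-checkout` step drops the `securityContext` that the removed v1beta1 step carried (`allowPrivilegeEscalation: false`, `capabilities.drop: ALL`, `runAsNonRoot: true`, `runAsUser`/`runAsGroup: 65532`, `seccompProfile: RuntimeDefault`). The step that copies `.git-credentials` and the SSH directory into the user's home therefore runs with whatever user and privileges the image and namespace defaults give it. Unless a policy outside this file enforces the same restrictions, carry the block over to the new step as below, and confirm that `userHome` is writable for that UID in the chosen `gitInitImage`. Separately, `revision` now defaults to `""`, and `git checkout "${PARAM_REVISION}"` with an empty argument will likely fail under `set -eu`, so the checkout should be skipped when the parameter is empty.

```yaml
- name: clone-checkout
  image: "$(params.gitInitImage)"
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - "ALL"
    runAsUser: 65532
    runAsGroup: 65532
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  # … unchanged: env and script …
```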