diff --git a/tasks/git-clone-checkout/task.yaml b/tasks/git-clone-checkout/task.yaml
index 8861bda..8c3207f 100644
--- a/tasks/git-clone-checkout/task.yaml
+++ b/tasks/git-clone-checkout/task.yaml
@@ -1,99 +1,150 @@ -apiVersion: tekton.dev/v1 +--- +apiVersion: tekton.dev/v1beta1 kind: Task metadata: name: git-clone-checkout - namespace: tekton-pipelines + namespace: gitops-ci + labels: + app.kubernetes.io/version: "0.9" + annotations: + tekton.dev/pipelines.minVersion: "0.38.0" + tekton.dev/categories: Git + tekton.dev/tags: git + tekton.dev/displayName: "git clone & checkout" + tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64" spec: + description: >- + These Tasks are Git tasks to work with repositories used by other tasks + in your Pipeline. + + The git-clone-checkout Task will clone a repo from the provided url into the + output Workspace. By default the repo will be cloned into the root of + your Workspace. You can clone into a subdirectory by setting this Task's + subdirectory param. This Task also supports sparse checkouts. To perform + a sparse checkout, pass a list of comma separated directory patterns to + this Task's sparseCheckoutDirectories param. workspaces: - name: output + description: The git repo will be cloned onto the volume backing this Workspace. - name: ssh-directory optional: true + description: | + A .ssh directory with private key, known_hosts, config, etc. Copied to + the user's home before git commands are executed. Used to authenticate + with the git remote when performing the clone. Binding a Secret to this + Workspace is strongly recommended over other volume types. - name: basic-auth optional: true + description: | + A Workspace containing a .gitconfig and .git-credentials file. These + will be copied to the user's home before any git commands are run. Any + other files in this Workspace are ignored. It is strongly recommended + to use ssh-directory over basic-auth whenever possible and to bind a + Secret to this Workspace over other volume types. 
- name: ssl-ca-directory optional: true + description: | + A workspace containing CA certificates, this will be used by Git to + verify the peer with when fetching or pushing over HTTPS. params: - - name: repo-url + - name: url + description: Repository URL to clone from. type: string - name: revision + description: Revision to checkout. (branch, tag, sha, ref, etc...) type: string default: "" - name: verbose + description: Log the commands that are executed during `git-clone-checkout`'s operation. type: string default: "true" - name: gitInitImage + description: The image providing the git-init binary that this Task runs. type: string default: "alpine/git:latest" - name: userHome + description: | + Absolute path to the user's home directory. type: string default: "/home/git" results: - name: commit + description: The precise commit SHA that was fetched by this Task. - name: url + description: The precise URL that was fetched by this Task. - name: committer-date + description: The epoch timestamp of the commit that was fetched by this Task. 
steps: - - name: clone-checkout image: "$(params.gitInitImage)" env: - - name: HOME - value: "$(params.userHome)" - - name: PARAM_URL - value: $(params.repo-url) - - name: PARAM_REVISION - value: $(params.revision) - - name: PARAM_VERBOSE - value: $(params.verbose) - - name: PARAM_USER_HOME - value: $(params.userHome) - - name: WORKSPACE_OUTPUT_PATH - value: $(workspaces.output.path) - - name: WORKSPACE_SSH_DIRECTORY_BOUND - value: $(workspaces.ssh-directory.bound) - - name: WORKSPACE_SSH_DIRECTORY_PATH - value: $(workspaces.ssh-directory.path) - - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND - value: $(workspaces.basic-auth.bound) - - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH - value: $(workspaces.basic-auth.path) - - name: WORKSPACE_SSL_CA_DIRECTORY_BOUND - value: $(workspaces.ssl-ca-directory.bound) - - name: WORKSPACE_SSL_CA_DIRECTORY_PATH - value: $(workspaces.ssl-ca-directory.path) + - name: HOME + value: "$(params.userHome)" + - name: PARAM_URL + value: $(params.url) + - name: PARAM_REVISION + value: $(params.revision) + - name: PARAM_VERBOSE + value: $(params.verbose) + - name: PARAM_USER_HOME + value: $(params.userHome) + - name: WORKSPACE_OUTPUT_PATH + value: $(workspaces.output.path) + - name: WORKSPACE_SSH_DIRECTORY_BOUND + value: $(workspaces.ssh-directory.bound) + - name: WORKSPACE_SSH_DIRECTORY_PATH + value: $(workspaces.ssh-directory.path) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND + value: $(workspaces.basic-auth.bound) + - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH + value: $(workspaces.basic-auth.path) + - name: WORKSPACE_SSL_CA_DIRECTORY_BOUND + value: $(workspaces.ssl-ca-directory.bound) + - name: WORKSPACE_SSL_CA_DIRECTORY_PATH + value: $(workspaces.ssl-ca-directory.path) + securityContext: + runAsNonRoot: true + runAsUser: 65532 script: | #!/usr/bin/env sh set -eu - if [ "${PARAM_VERBOSE}" = "true" ]; then + if [ "${PARAM_VERBOSE}" = "true" ] ; then set -x fi - if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ]; then + if [ 
"${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials" cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig" chmod 400 "${PARAM_USER_HOME}/.git-credentials" chmod 400 "${PARAM_USER_HOME}/.gitconfig" fi - if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ]; then - cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}/.ssh" - chmod 700 "${PARAM_USER_HOME}/.ssh" - chmod -R 400 "${PARAM_USER_HOME}/.ssh"/* + if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then + cp -R "${WORKSPACE_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh + chmod 700 "${PARAM_USER_HOME}"/.ssh + chmod -R 400 "${PARAM_USER_HOME}"/.ssh/* fi - if [ "${WORKSPACE_SSL_CA_DIRECTORY_BOUND}" = "true" ]; then - export GIT_SSL_CAPATH="${WORKSPACE_SSL_CA_DIRECTORY_PATH}" + if [ "${WORKSPACE_SSL_CA_DIRECTORY_BOUND}" = "true" ] ; then + export GIT_SSL_CAPATH="${WORKSPACE_SSL_CA_DIRECTORY_PATH}" + if [ "${PARAM_CRT_FILENAME}" != "" ] ; then + export GIT_SSL_CAINFO="${WORKSPACE_SSL_CA_DIRECTORY_PATH}/${PARAM_CRT_FILENAME}" + fi fi git config --global --add safe.directory "${WORKSPACE_OUTPUT_PATH}" cd "${WORKSPACE_OUTPUT_PATH}" - git clone "${PARAM_URL}" . + git clone "$(params.url)" . git checkout "${PARAM_REVISION}" RESULT_SHA="$(git rev-parse HEAD)" + EXIT_CODE="$?" + if [ "${EXIT_CODE}" != 0 ] ; then + exit "${EXIT_CODE}" + fi RESULT_COMMITTER_DATE="$(git log -1 --pretty=%ct)" - printf "%s" "${RESULT_COMMITTER_DATE}" > "$(results.committer-date.path)" printf "%s" "${RESULT_SHA}" > "$(results.commit.path)" - printf "%s" "${PARAM_URL}" > "$(results.url.path)" + printf "%s" "$(params.url)" > "$(results.url.path)" \ No newline at end of file diff --git a/tasks/poetry/task.yaml b/tasks/poetry/task.yaml index 6a13091..492bfb5 100644 --- a/tasks/poetry/task.yaml +++ b/tasks/poetry/task.yaml 
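Review bot: The rewritten script splices `$(params.url)` directly into the shell text, at `git clone "$(params.url)" .` and again at `printf "%s" "$(params.url)" > "$(results.url.path)"`. Tekton substitutes parameters textually before the script runs, so a URL value containing quotes or shell metacharacters becomes part of the script, in a step that has just copied the SSH key and `.git-credentials` into `$HOME`. The `PARAM_URL` env entry is still declared, so keep the env-variable form: `git clone -- "${PARAM_URL}" .` and `printf "%s" "${PARAM_URL}" > "$(results.url.path)"`, where the `--` also stops a value beginning with `-` from being parsed as a git option. Separately, the new `GIT_SSL_CAINFO` branch reads `${PARAM_CRT_FILENAME}`, which no `env` entry or param visible in this hunk defines. Under `set -eu` that aborts the step whenever `ssl-ca-directory` is bound, so add the param and its env entry or test `"${PARAM_CRT_FILENAME:-}"` instead.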
@@ -2,6 +2,7 @@ apiVersion: tekton.dev/v1
 kind: Task
 metadata:
 name: poetry
+ namespace: gitops-ci
 labels:
 app.kubernetes.io/version: "0.4"
 annotations:
diff --git a/tasks/pypi/task.yaml b/tasks/pypi/task.yaml
index c3ca4b8..f4374c3 100644
--- a/tasks/pypi/task.yaml
+++ b/tasks/pypi/task.yaml
@@ -2,6 +2,7 @@ apiVersion: tekton.dev/v1
 kind: Task
 metadata:
 name: pypi
+ namespace: gitops-ci
 labels:
 app.kubernetes.io/version: "0.2"
 annotations:
diff --git a/tasks/pytest/task.yaml b/tasks/pytest/task.yaml
index 60f23da..064a3ed 100644
--- a/tasks/pytest/task.yaml
+++ b/tasks/pytest/task.yaml
@@ -2,6 +2,7 @@ apiVersion: tekton.dev/v1
 kind: Task
 metadata:
 name: pytest
+ namespace: gitops-ci
 labels:
 app.kubernetes.io/version: "0.2"
 annotations: