diff --git a/.github/workflows/install-frsca.yaml b/.github/workflows/install-frsca.yaml
index b0a1a852..17499615 100644
--- a/.github/workflows/install-frsca.yaml
+++ b/.github/workflows/install-frsca.yaml
@@ -46,15 +46,10 @@ jobs: - name: Try the cluster ! run: kubectl get pods -A - name: Initialize FRSCA - env: REGISTRY: "registry.registry" run: | make setup-frsca - name: Run buildpacks pipeline - env: REGISTRY: "registry.registry" run: | - make registry-proxy >/dev/null & ./platform/wait-for-pipelinerun.sh -m example-buildpacks -n example-buildpacks- # tail PipelineRun logs tkn pr logs --last -f
@@ -83,12 +78,9 @@ jobs: tkn tr describe --last -o json | jq -r '.metadata.annotations["chains.tekton.dev/signed"]' cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" - kill %?registry-proxy + kubectl delete pr --all -A - name: Run sample pipeline to test kyverno - env: REGISTRY: "registry.registry" run: | - make registry-proxy >/dev/null & ./platform/wait-for-pipelinerun.sh -m example-sample-pipeline -n example-sample-pipeline- # tail PipelineRun logs tkn pr logs --last -f
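Review bot: Dropping the `env: REGISTRY: "registry.registry"` blocks from the Initialize and buildpacks steps leaves `${REGISTRY}` unset in every later `run:` block unless it is defined at job or workflow level outside this diff, yet the new pipeline steps further down in this patch still branch on `[ "${REGISTRY}" = "registry.registry" ]` to rewrite `IMAGE_URL` to `127.0.0.1:5000`. With the variable unset that branch is dead and `crane ls` / `cosign verify` are handed the in-cluster hostname directly; the default `bash -e` step shell does not set `-u`, so nothing fails loudly if that is not intended. Either set `REGISTRY` once in the job-level `env:` or remove the now-dead rewrite blocks so the workflow reads the way it behaves. Since `make registry-proxy` is also gone, a comment on the Initialize step stating how the runner now reaches the registry, e.g. `# setup-frsca exposes the registry to the runner; no port-forward proxy needed`, would help, assuming that is what `make setup-frsca` now does.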
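Review bot: The new `kubectl delete pr --all -A` after the buildpacks verification deserves a comment, because nothing in the step says why every PipelineRun in every namespace is removed right after the signature and attestation checks; the reason is presumably that the following steps locate their run with `tkn pr describe --last` and `tkn tr describe --last`, which could otherwise resolve to this step's run. I would add `# remove all PipelineRuns so the next step's "tkn ... --last" cannot pick up this run` above it. Note that `--all -A` also removes any PipelineRun the workflow did not create; in a cluster that exists only for this job that is probably fine, but scoping the delete to the example namespace would keep the step's blast radius explicit. The body of the kyverno step continues past the end of this hunk.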
@@ -114,9 +106,124 @@ jobs: echo "TASK_RUN=${TASK_RUN}" echo "IMAGE_URL=${IMAGE_URL}" crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" - cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" - kubectl wait --timeout=5m --for=condition=ready pods -l app=picalc -n prod - kill %?registry-proxy + kubectl delete pr --all -A + - name: Run go pipeline + run: | + ./platform/wait-for-pipelinerun.sh -m example-golang-pipeline -n example-golang- + tkn pr logs --last -f + if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then + tkn pr describe --last + exit 1 + fi + sleep 60 + TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name')) + echo "TASK_RUNS=${TASK_RUNS[@]}" + TASK_RUN="none"; IMAGE_URL="none" + for tr in "${TASK_RUNS[@]}"; do + image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value') + if [ -n "${image}" ]; then + TASK_RUN="${tr}" + IMAGE_URL="${image}" + break + fi + done + if [ "${REGISTRY}" = "registry.registry" ]; then + IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')" + fi + crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" + cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" + cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" + kubectl delete pr --all -A + - name: Run IBM tutorial pipeline + run: | + ./platform/wait-for-pipelinerun.sh -m example-ibm-tutorial -n example-ibm-tutorial- + tkn pr logs --last -f + if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then + tkn pr 
describe --last + exit 1 + fi + sleep 60 + TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name')) + echo "TASK_RUNS=${TASK_RUNS[@]}" + TASK_RUN="none"; IMAGE_URL="none" + for tr in "${TASK_RUNS[@]}"; do + image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value') + if [ -n "${image}" ]; then + TASK_RUN="${tr}" + IMAGE_URL="${image}" + break + fi + done + if [ "${REGISTRY}" = "registry.registry" ]; then + IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')" + fi + crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" + cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" + cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" + kubectl delete pr --all -A + - name: Run gradle pipeline + run: | + ./platform/wait-for-pipelinerun.sh -m example-gradle-pipeline -n example-gradle- + tkn pr logs --last -f + if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then + tkn pr describe --last + exit 1 + fi + sleep 60 + TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name')) + echo "TASK_RUNS=${TASK_RUNS[@]}" + TASK_RUN="none"; IMAGE_URL="none" + for tr in "${TASK_RUNS[@]}"; do + image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value') + if [ -n "${image}" ]; then + TASK_RUN="${tr}" + IMAGE_URL="${image}" + break + fi + done + if [ "${REGISTRY}" = "registry.registry" ]; then + IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')" + fi + crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" + cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" + 
cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" + kubectl delete pr --all -A + - name: Run maven pipeline + run: | + ./platform/wait-for-pipelinerun.sh -m example-maven -n example-maven- + tkn pr logs --last -f + if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then + tkn pr describe --last + exit 1 + fi + kubectl delete pr --all -A + - name: Run cosign pipeline + run: | + ./platform/wait-for-pipelinerun.sh -m example-cosign -n ko-pipelinerun- + tkn pr logs --last -f + if [ "$(tkn pr describe --last -o jsonpath='{.status.conditions[?(@.type == "Succeeded")].status}')" != "True" ]; then + tkn pr describe --last + exit 1 + fi + sleep 60 + TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name')) + echo "TASK_RUNS=${TASK_RUNS[@]}" + TASK_RUN="none"; IMAGE_URL="none" + for tr in "${TASK_RUNS[@]}"; do + image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value') + if [ -n "${image}" ]; then + TASK_RUN="${tr}" + IMAGE_URL="${image}" + break + fi + done + if [ "${REGISTRY}" = "registry.registry" ]; then + IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')" + fi + crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')" + cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" + cosign verify-attestation --insecure-ignore-tlog --type slsaprovenance --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}" + kubectl delete pr --all -A