From 5f60da8bd19c89af57977adf4d7275ed402843e8 Mon Sep 17 00:00:00 2001
From: ccronca
Date: Fri, 16 Aug 2024 10:39:14 +0200
Subject: [PATCH 1/2] fix(KONFLUX-3663): format Tekton PipelineRun files

Format PipelineRun files with yq for consistent indentation and format

Signed-off-by: ccronca
---
 .tekton/fulcio-pull-request.yaml | 26 +++++++++++---------------
 .tekton/fulcio-push.yaml | 26 +++++++++++---------------
 2 files changed, 22 insertions(+), 30 deletions(-)

diff --git a/.tekton/fulcio-pull-request.yaml b/.tekton/fulcio-pull-request.yaml
index cda060e90..b89b09dd1 100644
--- a/.tekton/fulcio-pull-request.yaml
+++ b/.tekton/fulcio-pull-request.yaml
@@ -7,8 +7,7 @@ metadata:
 build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/max-keep-runs: "3"
- pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
- == "main"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "main"
 creationTimestamp: null
 labels:
 appstudio.openshift.io/application: fulcio
@@ -82,13 +81,11 @@ spec:
 name: output-image
 type: string
 - default: .
- description: Path to the source code of an application's component from where
- to build image.
+ description: Path to the source code of an application's component from where to build image.
 name: path-context
 type: string
 - default: Dockerfile
- description: Path to the Dockerfile inside the context specified by parameter
- path-context
+ description: Path to the Dockerfile inside the context specified by parameter path-context
 name: dockerfile
 type: string
 - default: "false"
@@ -116,8 +113,7 @@ spec:
 name: java
 type: string
 - default: ""
- description: Image tag expiration time, time values could be something like
- 1h, 2d, 3w for hours, days, and weeks, respectively.
+ description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.
 name: image-expires-after
 - default: "false"
 description: Build a source image.
@@ -390,19 +386,19 @@ spec:
 value: task
 resolver: bundles
 workspaces:
- - name: source
- workspace: workspace
+ - name: source
+ workspace: workspace
 workspaces:
 - name: workspace
 - name: git-auth
 optional: true
 taskRunTemplate: {}
 taskRunSpecs:
- - pipelineTaskName: run-unit-test
- serviceAccountName: appstudio-pipeline
- podTemplate:
- imagePullSecrets:
- - name: brew-registry-pull-secret
+ - pipelineTaskName: run-unit-test
+ serviceAccountName: appstudio-pipeline
+ podTemplate:
+ imagePullSecrets:
+ - name: brew-registry-pull-secret
 workspaces:
 - name: workspace
 volumeClaimTemplate:
diff --git a/.tekton/fulcio-push.yaml b/.tekton/fulcio-push.yaml
index 77427ca07..1aa8cb2a7 100644
--- a/.tekton/fulcio-push.yaml
+++ b/.tekton/fulcio-push.yaml
@@ -6,8 +6,7 @@ metadata:
 build.appstudio.redhat.com/commit_sha: '{{revision}}'
 build.appstudio.redhat.com/target_branch: '{{target_branch}}'
 pipelinesascode.tekton.dev/max-keep-runs: "3"
- pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
- == "main"
+ pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "main"
 build.appstudio.openshift.io/build-nudge-files: "controllers/constants/*"
 creationTimestamp: null
 labels:
@@ -80,13 +79,11 @@ spec:
 name: output-image
 type: string
 - default: .
- description: Path to the source code of an application's component from where
- to build image.
+ description: Path to the source code of an application's component from where to build image.
 name: path-context
 type: string
 - default: Dockerfile
- description: Path to the Dockerfile inside the context specified by parameter
- path-context
+ description: Path to the Dockerfile inside the context specified by parameter path-context
 name: dockerfile
 type: string
 - default: "false"
@@ -114,8 +111,7 @@ spec:
 name: java
 type: string
 - default: ""
- description: Image tag expiration time, time values could be something like
- 1h, 2d, 3w for hours, days, and weeks, respectively.
+ description: Image tag expiration time, time values could be something like 1h, 2d, 3w for hours, days, and weeks, respectively.
 name: image-expires-after
 - default: "false"
 description: Build a source image.
@@ -388,19 +384,19 @@ spec:
 value: task
 resolver: bundles
 workspaces:
- - name: source
- workspace: workspace
+ - name: source
+ workspace: workspace
 workspaces:
 - name: workspace
 - name: git-auth
 optional: true
 taskRunTemplate: {}
 taskRunSpecs:
- - pipelineTaskName: run-unit-test
- serviceAccountName: appstudio-pipeline
- podTemplate:
- imagePullSecrets:
- - name: brew-registry-pull-secret
+ - pipelineTaskName: run-unit-test
+ serviceAccountName: appstudio-pipeline
+ podTemplate:
+ imagePullSecrets:
+ - name: brew-registry-pull-secret
 workspaces:
 - name: workspace
 volumeClaimTemplate:

From 8bc8570bd9485929ceb9f507e2ef79980664f486 Mon Sep 17 00:00:00 2001
From: ccronca
Date: Fri, 16 Aug 2024 10:39:14 +0200
Subject: [PATCH 2/2] fix(KONFLUX-3663): upload SAST results to quay.io

Configure the SAST task to upload SARIF results to quay.io for long-term storage

Signed-off-by: ccronca
---
 .tekton/fulcio-pull-request.yaml | 7 ++++++-
 .tekton/fulcio-push.yaml | 7 ++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/.tekton/fulcio-pull-request.yaml b/.tekton/fulcio-pull-request.yaml
index b89b09dd1..6b8391a55 100644
--- a/.tekton/fulcio-pull-request.yaml
+++ b/.tekton/fulcio-pull-request.yaml
@@ -311,7 +311,7 @@ spec:
 - "false"
 - name: sast-snyk-check
 runAfter:
- - clone-repository
+ - build-container
 taskRef:
 params:
 - name: name
@@ -329,6 +329,11 @@ spec:
 workspaces:
 - name: workspace
 workspace: workspace
+ params:
+ - name: image-digest
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-container.results.IMAGE_URL)
 - name: clamav-scan
 params:
 - name: image-digest
diff --git a/.tekton/fulcio-push.yaml b/.tekton/fulcio-push.yaml
index 1aa8cb2a7..3972c1274 100644
--- a/.tekton/fulcio-push.yaml
+++ b/.tekton/fulcio-push.yaml
@@ -309,7 +309,7 @@ spec:
 - "false"
 - name: sast-snyk-check
 runAfter:
- - clone-repository
+ - build-container
 taskRef:
 params:
 - name: name
@@ -327,6 +327,11 @@ spec:
 workspaces:
 - name: workspace
 workspace: workspace
+ params:
+ - name: image-digest
+ value: $(tasks.build-container.results.IMAGE_DIGEST)
+ - name: image-url
+ value: $(tasks.build-container.results.IMAGE_URL)
 - name: clamav-scan
 params:
 - name: image-digest
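Review bot: The new `params` block on the sast-snyk-check task entry is placed after `workspaces`, whereas the neighbouring clamav-scan entry at the bottom of the hunk lists `params` first; moving the block above `taskRef` keeps the task entries uniform and makes the new build-container dependency visible where a reader expects it. Switching `runAfter` from clone-repository to build-container means a failed build also prevents the SAST task from running on pull requests, so the independent source-scan signal is traded for SARIF results tied to the built image digest — a comment such as `# runs after the build so SARIF results are attached to the image digest/URL` would record that this is intentional. The task bundle referenced under `taskRef` must declare the `image-digest` and `image-url` params or the PipelineRun fails validation; that bundle reference lies outside the hunk, so this is inferred. The same two points apply to both hunks of .tekton/fulcio-push.yaml.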