Merge pull request #28 from jduimovich/update-sbom-hacks

remove  the workaround for the sbom issue

hack/import-build-definitions

@@ -77,7 +77,7 @@ for pipeline in $OUTPUT_PIPELINES_DIR/* ;  do
   FINALLY=$(yq .spec.finally.[].taskRef.name $pipeline )
   # Temporarily keep some to ensure existing templates work
   # until they have been merged for backwards compatibilty  
-  KEEP="show-sbom"
+  KEEP=""
 
   echo "Tasks referenced from $(basename $pipeline):" 
   for task in $TASKS $FINALLY $KEEP
@@ -103,11 +103,3 @@ echo
 echo "update-pipelinerun-imports" 
 bash $SCRIPTDIR/update-pipelinerun-imports
 
-# hack for show-sbom issue
-echo "WARNING RESETTING show-sbom to old version"
-echo "New version is broken"
-cp $OUTPUT_TASKS_DIR/show-sbom-rhdh.yaml $OUTPUT_TASKS_DIR/show-sbom-rhdh.yaml.save
-yq -i ".metadata.name=\"show-sbom-rhdh\"" $OUTPUT_TASKS_DIR/show-sbom.yaml 
-cp $OUTPUT_TASKS_DIR/show-sbom.yaml $OUTPUT_TASKS_DIR/show-sbom-rhdh.yaml
-
-

pac/tasks/show-sbom-rhdh.yaml

@@ -5,40 +5,59 @@ metadata:
   name: show-sbom-rhdh
   labels:
     app.kubernetes.io/version: "0.1"
+    build.appstudio.redhat.com/build_type: "docker"
   annotations:
     tekton.dev/pipelines.minVersion: "0.12.1"
-    tekton.dev/tags: "appstudio, hacbs"
+    tekton.dev/tags: "containers, rhtap"
+    task.results.format: application/text
+    task.results.key: LINK_TO_SBOM
+    task.output.location: results
 spec:
   description: >-
     Shows the Software Bill of Materials (SBOM) generated for the built image in CyloneDX JSON format.
+    The 'task.*' annotations are processed by Red Hat Developer Hub (RHDH) so that the log content can be rendered in its UI.
   params:
     - name: IMAGE_URL
       description: Fully qualified image name to show SBOM for.
       type: string
+  results:
+  - description: Placeholder result meant to make RHDH identify this task as the producer of the SBOM logs.
+    name: LINK_TO_SBOM
   steps:
-    - name: show-sbom
-      image: quay.io/redhat-appstudio/cosign:v2.1.1@sha256:c883d6f8d39148f2cea71bff4622d196d89df3e510f36c140c097b932f0dd5d5
-      # per https://kubernetes.io/docs/concepts/containers/images/#imagepullpolicy-defaulting
-      # the cluster will set imagePullPolicy to IfNotPresent
-      # also per direction from Ralph Bean, we want to use image digest based tags to use a cue to automation like dependabot or renovatebot to periodially submit pull requests that update the digest as new images are released.
-      env:
-        - name: IMAGE_URL
-          value: $(params.IMAGE_URL)
-      script: |
-        #!/busybox/sh
-        status=-1
-        max_try=5
-        wait_sec=2
-        for run in $(seq 1 $max_try); do
-          status=0
-          cosign download sbom $IMAGE_URL 2>>err
-          status=$?
-          if [ "$status" -eq 0 ]; then
-            break
-          fi
-          sleep $wait_sec
-        done
-        if [ "$status" -ne 0 ]; then
-            echo "Failed to get SBOM after ${max_try} tries" >&2
-            cat err >&2
+  - name: annotate-task
+    image: registry.redhat.io/openshift4/ose-cli:4.13@sha256:73df37794ffff7de1101016c23dc623e4990810390ebdabcbbfa065214352c7c
+    script: |
+      #!/usr/bin/env bash
+
+      # When this task is used in a pipelineRun triggered by Pipelines as Code, the annotations will be cleared,
+      # so we're re-adding them here
+      oc annotate taskrun $(context.taskRun.name) task.results.format=application/text
+      oc annotate taskrun $(context.taskRun.name) task.results.key=LINK_TO_SBOM
+      oc annotate taskrun $(context.taskRun.name) task.output.location=results
+  - name: show-sbom
+    image: registry.redhat.io/rhtas-tech-preview/cosign-rhel9@sha256:151f4a1e721b644bafe47bf5bfb8844ff27b95ca098cc37f3f6cbedcda79a897
+    env:
+    - name: IMAGE_URL
+      value: $(params.IMAGE_URL)
+    script: |
+      #!/bin/bash
+      status=-1
+      max_try=5
+      wait_sec=2
+      for run in $(seq 1 $max_try); do
+        status=0
+        cosign download sbom $IMAGE_URL 2>>err
+        status=$?
+        if [ "$status" -eq 0 ]; then
+          break
         fi
+        sleep $wait_sec
+      done
+      if [ "$status" -ne 0 ]; then
+          echo "Failed to get SBOM after ${max_try} tries" >&2
+          cat err >&2
+      fi
+
+      # This result will be ignored by RHDH, but having it set is actually necessary for the task to be properly
+      # identified. For now, we're adding the image URL to the result so it won't be empty.
+      echo -n "$IMAGE_URL" > $(results.LINK_TO_SBOM.path)