From b45a8aa67a5d6153dad302c672514f727c7e8de2 Mon Sep 17 00:00:00 2001
From: Happy Bhati
Date: Mon, 29 Jun 2026 12:13:36 -0400
Subject: [PATCH] refactor(RELEASE-2480): convert collect-registry-token-secret to python

Replaces inline bash in collect-secret step with the standalone python script from release-service-utils. One happy-path Tekton test; fail scenarios covered by pytest in utils.

Assisted-by: Cursor
Co-authored-by: Cursor
---
.../collect-registry-token-secret.yaml | 47 ++-----
...ct-registry-token-secret-fail-no-data.yaml | 53 --------
...-registry-token-secret-fail-no-secret.yaml | 105 ---------------
...istry-token-secret-no-secret-required.yaml | 120 ------------------
4 files changed, 10 insertions(+), 315 deletions(-)
delete mode 100644 tasks/managed/collect-registry-token-secret/tests/test-collect-registry-token-secret-fail-no-data.yaml
delete mode 100644 tasks/managed/collect-registry-token-secret/tests/test-collect-registry-token-secret-fail-no-secret.yaml
delete mode 100644 tasks/managed/collect-registry-token-secret/tests/test-collect-registry-token-secret-no-secret-required.yaml
diff --git a/tasks/managed/collect-registry-token-secret/collect-registry-token-secret.yaml b/tasks/managed/collect-registry-token-secret/collect-registry-token-secret.yaml
index 498333aa38..a622a0fb72 100644
--- a/tasks/managed/collect-registry-token-secret/collect-registry-token-secret.yaml
+++ b/tasks/managed/collect-registry-token-secret/collect-registry-token-secret.yaml
@@ -119,40 +119,13 @@ spec:
 requests:
 memory: 128Mi
 cpu: 50m
- script: |
- #!/usr/bin/env bash
- set -eux
-
- DATA_FILE="$(params.dataDir)/$(params.dataPath)"
- if [ ! -f "${DATA_FILE}" ] ; then
- echo "No valid data file was provided."
- exit 1
- fi
-
- # Check if there is anything to make public - either in defaults, or a component
- SECRET_REQUIRED=false
- if [ "$(jq -r '.mapping.defaults.public // false' "$DATA_FILE")" = true ] ; then
- SECRET_REQUIRED=true
- else
- NUM_COMPONENTS=$(jq '.mapping.components | length' "$DATA_FILE")
- for ((i=0; i < NUM_COMPONENTS; i++)); do
- COMPONENT=$(jq -c ".mapping.components[$i]" "$DATA_FILE")
- if [ "$(jq -r '.public // false' <<< "$COMPONENT")" = true ] ; then
- SECRET_REQUIRED=true
- break
- fi
- done
- fi
-
- if [ "$SECRET_REQUIRED" = false ]; then
- echo No repos to make public, so no secret is required. Exiting...
- echo -n "" > "$(results.registrySecret.path)"
- exit 0
- fi
-
- if [ "$(jq '.mapping | has("registrySecret")' "$DATA_FILE")" == false ] ; then
- echo "Registry secret missing in data JSON file"
- exit 1
- fi
-
- jq -j '.mapping.registrySecret' "$DATA_FILE" | tee "$(results.registrySecret.path)"
+ env:
+ - name: PARAM_DATA_DIR
+ value: $(params.dataDir)
+ - name: PARAM_DATA_PATH
+ value: $(params.dataPath)
+ - name: RESULT_REGISTRY_SECRET
+ value: $(results.registrySecret.path)
+ command:
+ - python3
+ - /home/scripts/python/tasks/managed/collect_registry_token_secret.py
diff --git a/tasks/managed/collect-registry-token-secret/tests/test-collect-registry-token-secret-fail-no-data.yaml b/tasks/managed/collect-registry-token-secret/tests/test-collect-registry-token-secret-fail-no-data.yaml
deleted file mode 100644
index 14063b9b83..0000000000
--- a/tasks/managed/collect-registry-token-secret/tests/test-collect-registry-token-secret-fail-no-data.yaml
+++ /dev/null
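Review bot: The new `command:` lines hand the secret's output path to the script through `RESULT_REGISTRY_SECRET`, but nothing in the hunk shows whether the script still prints the secret value to stdout the way the removed `tee` and `set -eux` lines did, and the step log is readable by far more principals than the TaskRun result. Since the script lives outside this repo, I would pin that expectation in the task with a comment above `env:`: `# Params are passed as env vars, not interpolated into a script body, so their values cannot alter the command; the script must write the secret only to RESULT_REGISTRY_SECRET and never echo it.` The three env-var names are the whole contract between this task and `collect_registry_token_secret.py`, and with the fail-case Tekton tests deleted only the one happy-path test exercises it, so a renamed variable on either side would surface as a runtime failure in a release pipeline rather than in CI. The step's `image:` and the rest of the step definition start above the hunk, so which release-service-utils digest is guaranteed to contain that script path is not visible here.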
@@ -1,53 +0,0 @@ ---- -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: test-collect-registry-token-secret-fail-no-data - annotations: - test/assert-task-failure: "run-task" -spec: - description: | - Run the collect-registry-token-secret task with no data file and verify the taks fails as expected - params: - - name: ociStorage - description: The OCI repository where the Trusted Artifacts are stored. - type: string - - name: ociArtifactExpiresAfter - description: Expiration date for the trusted artifacts created in the - OCI repository. An empty string means the artifacts do not expire. - type: string - default: "1d" - - name: orasOptions - description: oras options to pass to Trusted Artifacts calls - type: string - default: "--insecure" - - name: trustedArtifactsDebug - description: Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable. - type: string - default: "" - - name: dataDir - description: The location where data will be stored - type: string - tasks: - - name: run-task - taskRef: - name: collect-registry-token-secret - params: - - name: dataPath - value: "data.json" - - name: subdirectory - value: $(context.pipelineRun.uid) - - name: ociStorage - value: $(params.ociStorage) - - name: orasOptions - value: $(params.orasOptions) - - name: sourceDataArtifact - value: "" - - name: dataDir - value: $(params.dataDir) - - name: trustedArtifactsDebug - value: $(params.trustedArtifactsDebug) - - name: taskGitUrl - value: "http://localhost" - - name: taskGitRevision - value: "main" diff --git a/tasks/managed/collect-registry-token-secret/tests/test-collect-registry-token-secret-fail-no-secret.yaml b/tasks/managed/collect-registry-token-secret/tests/test-collect-registry-token-secret-fail-no-secret.yaml deleted file mode 100644 index eb2a300d4e..0000000000 --- a/tasks/managed/collect-registry-token-secret/tests/test-collect-registry-token-secret-fail-no-secret.yaml +++ /dev/null 
@@ -1,105 +0,0 @@ ---- -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: test-collect-registry-token-secret-fail-no-secret - annotations: - test/assert-task-failure: "run-task" -spec: - description: | - Run the collect-registry-token-secret task with no secret in the data file, - but with some mapping requiring the secret and verify the taks fails as expected - params: - - name: ociStorage - description: The OCI repository where the Trusted Artifacts are stored. - type: string - - name: ociArtifactExpiresAfter - description: Expiration date for the trusted artifacts created in the - OCI repository. An empty string means the artifacts do not expire. - type: string - default: "1d" - - name: orasOptions - description: oras options to pass to Trusted Artifacts calls - type: string - default: "--insecure" - - name: trustedArtifactsDebug - description: Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable. - type: string - default: "" - - name: dataDir - description: The location where data will be stored - type: string - tasks: - - name: setup - taskSpec: - results: - - name: sourceDataArtifact - type: string - volumes: - - name: workdir - emptyDir: {} - stepTemplate: - volumeMounts: - - mountPath: /var/workdir - name: workdir - env: - - name: IMAGE_EXPIRES_AFTER - value: $(params.ociArtifactExpiresAfter) - - name: "ORAS_OPTIONS" - value: "$(params.orasOptions)" - - name: "DEBUG" - value: "$(params.trustedArtifactsDebug)" - steps: - - name: setup-values - image: quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3 - script: | - #!/usr/bin/env sh - set -eux - - mkdir -p "$(params.dataDir)/$(context.pipelineRun.uid)" - cat > "$(params.dataDir)/$(context.pipelineRun.uid)/data.json" << EOF - { - "mapping": { - "components": [ - { - "name": "mycomponent" - } - ], - "defaults": { - "public": true - } - } - } - EOF - - name: create-trusted-artifact - ref: - name: 
create-trusted-artifact - params: - - name: ociStorage - value: $(params.ociStorage) - - name: workDir - value: $(params.dataDir) - - name: sourceDataArtifact - value: $(results.sourceDataArtifact.path) - - name: run-task - taskRef: - name: collect-registry-token-secret - params: - - name: dataPath - value: "$(context.pipelineRun.uid)/data.json" - - name: ociStorage - value: $(params.ociStorage) - - name: orasOptions - value: $(params.orasOptions) - - name: sourceDataArtifact - value: "$(tasks.setup.results.sourceDataArtifact)=$(params.dataDir)" - - name: dataDir - value: $(params.dataDir) - - name: trustedArtifactsDebug - value: $(params.trustedArtifactsDebug) - - name: taskGitUrl - value: "http://localhost" - - name: taskGitRevision - value: "main" - runAfter: - - setup diff --git a/tasks/managed/collect-registry-token-secret/tests/test-collect-registry-token-secret-no-secret-required.yaml b/tasks/managed/collect-registry-token-secret/tests/test-collect-registry-token-secret-no-secret-required.yaml deleted file mode 100644 index 9b7a3ae278..0000000000 --- a/tasks/managed/collect-registry-token-secret/tests/test-collect-registry-token-secret-no-secret-required.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ ---- -apiVersion: tekton.dev/v1 -kind: Pipeline -metadata: - name: test-collect-registry-token-secret-no-secret-required -spec: - description: | - Run the collect-registry-token-secret task with nothing to make public - and verify that it will just return an empty secret string. - params: - - name: ociStorage - description: The OCI repository where the Trusted Artifacts are stored. - type: string - - name: ociArtifactExpiresAfter - description: Expiration date for the trusted artifacts created in the - OCI repository. An empty string means the artifacts do not expire. - type: string - default: "1d" - - name: orasOptions - description: oras options to pass to Trusted Artifacts calls - type: string - default: "--insecure" - - name: trustedArtifactsDebug - description: Flag to enable debug logging in trusted artifacts. Set to a non-empty string to enable. - type: string - default: "" - - name: dataDir - description: The location where data will be stored - type: string - tasks: - - name: setup - taskSpec: - results: - - name: sourceDataArtifact - type: string - volumes: - - name: workdir - emptyDir: {} - stepTemplate: - volumeMounts: - - mountPath: /var/workdir - name: workdir - env: - - name: IMAGE_EXPIRES_AFTER - value: $(params.ociArtifactExpiresAfter) - - name: "ORAS_OPTIONS" - value: "$(params.orasOptions)" - - name: "DEBUG" - value: "$(params.trustedArtifactsDebug)" - steps: - - name: setup-values - image: quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3 - script: | - #!/usr/bin/env sh - set -eux - - mkdir -p "$(params.dataDir)/$(context.pipelineRun.uid)" - cat > "$(params.dataDir)/$(context.pipelineRun.uid)/data.json" << EOF - { - "mapping": { - "components": [ - { - "name": "mycomponent" - } - ], - "defaults": {} - } - } - EOF - - name: create-trusted-artifact - ref: - name: create-trusted-artifact - params: - - name: ociStorage - value: $(params.ociStorage) - - name: workDir - 
value: $(params.dataDir) - - name: sourceDataArtifact - value: $(results.sourceDataArtifact.path) - - name: run-task - taskRef: - name: collect-registry-token-secret - params: - - name: dataPath - value: "$(context.pipelineRun.uid)/data.json" - - name: ociStorage - value: $(params.ociStorage) - - name: orasOptions - value: $(params.orasOptions) - - name: sourceDataArtifact - value: "$(tasks.setup.results.sourceDataArtifact)=$(params.dataDir)" - - name: dataDir - value: $(params.dataDir) - - name: trustedArtifactsDebug - value: $(params.trustedArtifactsDebug) - - name: taskGitUrl - value: "http://localhost" - - name: taskGitRevision - value: "main" - runAfter: - - setup - - name: check-result - params: - - name: secret - value: $(tasks.run-task.results.registrySecret) - taskSpec: - params: - - name: secret - type: string - steps: - - name: check-result - image: quay.io/konflux-ci/release-service-utils@sha256:5546fa78d3c88d7b6a2e8cff8902f7757f00541d0bbaf113b9f293133894afa3 - env: - - name: "SECRET" - value: '$(params.secret)' - script: | - #!/usr/bin/env sh - set -eux - - test -z "$SECRET"