qwer

Author: jstourac

.tekton/jupyter-minimal-ubi9-python-3-11-pull-request.yaml

@@ -598,6 +598,99 @@ spec:
         operator: in
         values:
         - "false"
+    - name: check-image-software
+      params:
+      - name: IMAGE_URL
+        value: $(tasks.build-image-index.results.IMAGE_URL)
+      # - name: PLATFORM
+      #   value: $(tasks.build-image-index.results.IMAGE_URL)
+      - name: CHAINS-GIT_URL
+        value: $(tasks.clone-repository.results.url)
+      - name: CHAINS-GIT_COMMIT
+        value: $(tasks.clone-repository.results.commit)
+      - name: COSIGN_VERSION
+        value: v2.4.3
+      runAfter:
+      # - show-sbom
+      - build-image-index
+      # taskRef:
+      #   params:
+      #   - name: name
+      #     value: show-sbom
+      #   - name: bundle
+      #     value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:04f15cbce548e1db7770eee3f155ccb2cc0140a6c371dc67e9a34d83673ea0c0
+      #   - name: kind
+      #     value: task
+      #   resolver: bundles
+      taskSpec:
+        params:
+        - name: IMAGE_URL
+        # - name: PLATFORM
+        - name: CHAINS-GIT_URL
+        - name: CHAINS-GIT_COMMIT
+        - name: COSIGN_VERSION
+        results:
+        - name: CHECK_OUTPUT
+          description: Check output
+        steps:
+        - name: check-image-software
+          image: registry.redhat.io/openshift4/ose-cli:latest
+          env:
+          - name: IMAGE_URL
+            value: $(params.IMAGE_URL)
+          # - name: PLATFORM
+          #   value: $(params.PLATFORM)
+          - name: GIT_URL
+            value: $(params.CHAINS-GIT_URL)
+          - name: GIT_COMMIT
+            value: $(params.CHAINS-GIT_COMMIT)
+          - name: COSIGN_VERSION
+            value: $(params.COSIGN_VERSION)
+          script: |
+            #!/bin/bash
+            echo "Hello world, Stuchy!"
+            env
+            wget --output-document=cosign "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64"
+            chmod a+x cosign
+
+            dnf install -y jq skopeo
+
+            download_sbom_with_retry() {
+              status=-1
+              max_try=5
+              wait_sec=2
+
+              PLATFORM_ARG="${1}"
+              for run in $(seq 1 ${max_try}); do
+                status=0
+                ./cosign download sbom $PLATFORM_ARG $IMAGE_URL 2>>err
+                status=$?
+                if [ "$status" -eq 0 ]; then
+                  break
+                fi
+                sleep $wait_sec
+              done
+              if [ "$status" -ne 0 ]; then
+                echo "Failed to get SBOM after ${max_try} tries" >&2
+                cat err >&2
+              fi
+            }
+
+            RAW_OUTPUT=$(skopeo inspect --no-tags --raw docker://${IMAGE_URL})
+            if [ "$(jq 'has("manifests")' <<< "$RAW_OUTPUT")" == "true" ] ; then
+              # Multi arch
+              ARCHES=$(jq -r '.manifests[].platform.architecture' <<< $RAW_OUTPUT)
+            else
+              ARCHES=""
+            fi
+
+            if [ -z "${ARCHES}" ] ; then
+              # single arch image
+              download_sbom_with_retry ""
+            else
+              download_sbom_with_retry " --platform=${PLATFORM} "
+            fi
+
     workspaces:
     - name: git-auth
       optional: true

.tekton/jupyter-minimal-ubi9-python-3-11-push.yaml

@@ -594,6 +594,98 @@ spec:
         operator: in
         values:
         - "false"
+    - name: check-image-software
+      params:
+      - name: IMAGE_URL
+        value: $(tasks.build-image-index.results.IMAGE_URL)
+      # - name: PLATFORM
+      #   value: $(tasks.build-image-index.results.IMAGE_URL)
+      - name: CHAINS-GIT_URL
+        value: $(tasks.clone-repository.results.url)
+      - name: CHAINS-GIT_COMMIT
+        value: $(tasks.clone-repository.results.commit)
+      - name: COSIGN_VERSION
+        value: v2.4.3
+      runAfter:
+      # - show-sbom
+      - build-image-index
+      # taskRef:
+      #   params:
+      #   - name: name
+      #     value: show-sbom
+      #   - name: bundle
+      #     value: quay.io/konflux-ci/tekton-catalog/task-show-sbom:0.1@sha256:04f15cbce548e1db7770eee3f155ccb2cc0140a6c371dc67e9a34d83673ea0c0
+      #   - name: kind
+      #     value: task
+      #   resolver: bundles
+      taskSpec:
+        params:
+        - name: IMAGE_URL
+        # - name: PLATFORM
+        - name: CHAINS-GIT_URL
+        - name: CHAINS-GIT_COMMIT
+        - name: COSIGN_VERSION
+        results:
+        - name: CHECK_OUTPUT
+          description: Check output
+        steps:
+        - name: check-image-software
+          image: registry.redhat.io/openshift4/ose-cli:latest
+          env:
+          - name: IMAGE_URL
+            value: $(params.IMAGE_URL)
+          # - name: PLATFORM
+          #   value: $(params.PLATFORM)
+          - name: GIT_URL
+            value: $(params.CHAINS-GIT_URL)
+          - name: GIT_COMMIT
+            value: $(params.CHAINS-GIT_COMMIT)
+          - name: COSIGN_VERSION
+            value: $(params.COSIGN_VERSION)
+          script: |
+            #!/bin/bash
+            echo "Hello world, Stuchy!"
+            env
+            wget --output-document=cosign "https://github.com/sigstore/cosign/releases/download/${COSIGN_VERSION}/cosign-linux-amd64"
+            chmod a+x cosign
+
+            dnf install -y jq skopeo
+
+            download_sbom_with_retry() {
+              status=-1
+              max_try=5
+              wait_sec=2
+
+              PLATFORM_ARG="${1}"
+              for run in $(seq 1 ${max_try}); do
+                status=0
+                ./cosign download sbom $PLATFORM_ARG $IMAGE_URL 2>>err
+                status=$?
+                if [ "$status" -eq 0 ]; then
+                  break
+                fi
+                sleep $wait_sec
+              done
+              if [ "$status" -ne 0 ]; then
+                echo "Failed to get SBOM after ${max_try} tries" >&2
+                cat err >&2
+              fi
+            }
+
+            RAW_OUTPUT=$(skopeo inspect --no-tags --raw docker://${IMAGE_URL})
+            if [ "$(jq 'has("manifests")' <<< "$RAW_OUTPUT")" == "true" ] ; then
+              # Multi arch
+              ARCHES=$(jq -r '.manifests[].platform.architecture' <<< $RAW_OUTPUT)
+            else
+              ARCHES=""
+            fi
+
+            if [ -z "${ARCHES}" ] ; then
+              # single arch image
+              download_sbom_with_retry ""
+            else
+              download_sbom_with_retry " --platform=${PLATFORM} "
+            fi
     workspaces:
     - name: git-auth
       optional: true

jupyter/minimal/ubi9-python-3.11/Dockerfile.cpu

@@ -26,7 +26,7 @@ RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/oc
 ####################
 # jupyter-minimal  #
 ####################
-FROM base AS jupyter-minimal  
+FROM base AS jupyter-minimal
 
 ARG JUPYTER_REUSABLE_UTILS=jupyter/utils
 ARG MINIMAL_SOURCE_CODE=jupyter/minimal/ubi9-python-3.11
@@ -47,20 +47,20 @@ COPY ${JUPYTER_REUSABLE_UTILS} utils/
 
 COPY ${MINIMAL_SOURCE_CODE}/Pipfile.lock ${MINIMAL_SOURCE_CODE}/start-notebook.sh ./
 
-# Install Python dependencies from Pipfile.lock file
-RUN echo "Installing softwares and packages" && \
-    micropipenv install && \
-    rm -f ./Pipfile.lock && \
-    # Disable announcement plugin of jupyterlab \
-    jupyter labextension disable "@jupyterlab/apputils-extension:announcements" && \
-    # Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y \
-    sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json && \
-    # Fix permissions to support pip in Openshift environments \
-    chmod -R g+w /opt/app-root/lib/python3.11/site-packages && \
-    fix-permissions /opt/app-root -P && \
-    # Apply JupyterLab addons \
-    /opt/app-root/bin/utils/addons/apply.sh
-    
+# # Install Python dependencies from Pipfile.lock file
+# RUN echo "Installing softwares and packages" && \
+#     micropipenv install && \
+#     rm -f ./Pipfile.lock && \
+#     # Disable announcement plugin of jupyterlab \
+#     jupyter labextension disable "@jupyterlab/apputils-extension:announcements" && \
+#     # Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y \
+#     sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json && \
+#     # Fix permissions to support pip in Openshift environments \
+#     chmod -R g+w /opt/app-root/lib/python3.11/site-packages && \
+#     fix-permissions /opt/app-root -P && \
+#     # Apply JupyterLab addons \
+#     /opt/app-root/bin/utils/addons/apply.sh
+
 WORKDIR /opt/app-root/src
 
-ENTRYPOINT ["start-notebook.sh"]
+ENTRYPOINT ["start-notebook.sh"]