From 2b1509fee8db2b97854a0b33cd978ed96029bc9d Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Tue, 15 Jul 2025 16:01:40 +0800 Subject: [PATCH 01/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 260 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 260 insertions(+) create mode 100644 .tekton/all-in-one.yaml diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml new file mode 100644 index 000000000000..60cc81f1983b --- /dev/null +++ b/.tekton/all-in-one.yaml 
@@ -0,0 +1,260 @@ +apiVersion: tekton.dev/v1 +kind: PipelineRun +metadata: + name: trivy-all-in-one + annotations: + pipelinesascode.tekton.dev/on-comment: "^(/allinone)$" + pipelinesascode.tekton.dev/on-cel-expression: |- + ( + source_branch.matches("^(main|master|release-.*)$") || + !last_commit_title.contains("Auto-commit") + ) && (( + event == "push" && ( + source_branch.matches("^(main|master|release-.*)$") || + target_branch.matches("^(main|master|release-.*)$") || + target_branch.startsWith("refs/tags/") + ) + ) || ( + event == "pull_request" && ( + target_branch.matches("^(main|master|release-.*)$") + ) + )) + pipelinesascode.tekton.dev/max-keep-runs: "20" +spec: + timeouts: + pipeline: 3h + tasks: 1h + + params: + - name: git-url + value: "{{ repo_url }}" + - name: git-revision + value: "{{ source_branch }}" + - name: git-commit + value: "{{ revision }}" + + pipelineSpec: + description: The pipeline is used to combine multiple pipeline templates + params: + - name: git-url + description: Repository URL to clone from. + type: string + - name: git-revision + description: Revision to checkout. (branch, tag, sha, ref, etc...) 
+ type: string + - name: git-commit + description: Commit sha used in this build + default: "" + - name: go-environments + type: array + default: + - GOPROXY=https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct + - GOMAXPROCS=4 + - GOFLAGS=-buildvcs=false + - CGO_ENABLED=0 + - name: trivy-args + type: array + default: + - image + - --scanners + - vuln + # - --ignore-unfixed + # - --severity MEDIUM,HIGH,CRITICAL + - --skip-db-update=false + - --db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-db + - --skip-java-db-update=false + - --java-db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-java-db + - --exit-code=1 + +# results: +# - name: releases-url +# type: array +# value: $(tasks.result.results.array-result[*]) +# description: Target value and release artifacts URL + + tasks: + - name: git-clone + timeout: 30m + retries: 3 + taskRef: + resolver: hub + params: + - name: catalog + value: catalog + - name: kind + value: task + - name: name + value: git-clone + - name: version + value: "0.9" + + params: + - name: url + value: $(params.git-url) + - name: revision + value: $(params.git-revision) + + workspaces: + - name: output + workspace: source + - name: basic-auth + workspace: basic-auth + + - name: unit-test + timeout: 60m + retries: 0 + + taskRef: + resolver: hub + params: + - name: catalog + value: catalog + - name: kind + value: task + - name: name + value: run-script + - name: version + value: "0.1" + + params: + - name: script + value: | + go install tool + mage test:unit + workspaces: + - name: source + workspace: source + + - name: integration-test + timeout: 60m + retries: 0 + + taskRef: + resolver: hub + params: + - name: catalog + value: catalog + - name: kind + value: task + - name: name + value: run-script + - name: version + value: "0.1" + + params: + - name: script + value: | + go install tool + mage test:integration + workspaces: + - name: source + workspace: source +# - name: result +# runAfter: +# - 
build-catalog-image +# timeout: 60m +# retries: 1 +# taskRef: +# resolver: hub +# params: +# - name: catalog +# value: catalog +# - name: kind +# value: task +# - name: name +# value: run-script +# - name: version +# value: "0.1" +# +# params: +# - name: image +# value: build-harbor.alauda.cn/devops/nonroot/kustomize:latest +# - name: imagePullPolicy +# value: Always +# - name: script +# value: | +# echo "⚙️ ===> artifacts in values.yaml format" +# cat values.yaml +# +# echo "⚙️ ===> release artifacts" +# export NEXUS_USERNAME=`cat $(workspaces.secret.path)/username` +# export NEXUS_PASSWORD=`cat $(workspaces.secret.path)/password` +# export OUTPUT_FILE=$(results.array-result.path) +# export BRANCH=$(params.git-revision) +# export COMMIT_ID=$(params.git-commit) +# export REPO=catalog +# build-releases.sh +# cat $OUTPUT_FILE +# +# workspaces: +# - name: source +# workspace: source +# - name: secret +# workspace: nexus-auth + + workspaces: + - name: source + description: Workspace for shared code source + - name: dockerconfig + description: >- + Workspace for Docker configuration files, such as `config.json` or `.dockerconfigjson`. + This is optional and is used for authentication when pushing images to the registry. + # 该配置会触发 tekton pipeline 的 bug 导致 controller panic,所以先都设置为必填的。 + # 详见: https://github.com/tektoncd/pipeline/issues/8561 + # optional: true + # - name: cache + # description: Trivy image cache (optional) + # optional: true + - name: basic-auth + # optional: true + description: > + A Workspace containing a .gitconfig and .git-credentials file. These + will be copied to the user's home before any git commands are run. Any + other files in this Workspace are ignored. It is strongly recommended + to use ssh-directory over basic-auth whenever possible and to bind a + Secret to this Workspace over other volume types. + - name: gitversion-config + # optional: true + description: > + A Workspace containing a gitversion-config file. 
This file is used to set the git version. + + workspaces: + - name: source + volumeClaimTemplate: + spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + - name: dockerconfig + secret: + secretName: build-harbor.kauto.docfj + # This secret will be replaced by the pac controller + - name: basic-auth + secret: + secretName: "{{ git_auth_secret }}" + - name: nexus-auth + secret: + secretName: build-nexus.kauto + - name: gitversion-config + configMap: + name: gitversion-config + - name: sonar-credentials + secret: + secretName: sonarqube-credentials + - name: go-cache + persistentVolumeClaim: + claimName: build-cache-v4 + - name: signkey + secret: + secretName: signing-secrets + + taskRunTemplate: + # 让所有任务都以非 root 用户运行。 + podTemplate: + securityContext: + runAsUser: 65532 + runAsGroup: 65532 + fsGroup: 65532 + fsGroupChangePolicy: "OnRootMismatch" From eca6bb2870347b9321512c90fc7de3227dd215f2 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Tue, 15 Jul 2025 16:13:22 +0800 Subject: [PATCH 02/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 60cc81f1983b..e4715f71062c 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
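Review bot: The run-level `workspaces` list at the end of this hunk binds `signing-secrets` (`signkey`), `sonarqube-credentials` (`sonar-credentials`) and `build-nexus.kauto` (`nexus-auth`) into a PipelineRun whose `pipelineSpec` only declares `source`, `dockerconfig`, `basic-auth` and `gitversion-config` and whose CEL expression fires on `pull_request` events, so none of these secrets is consumed by any task yet all of them are reachable by whatever task a later edit adds. Drop the three unused secret bindings until a task needs them (the commented-out `result` task is the only consumer of `nexus-auth` so far), or leave them commented alongside it. The same dead-config point applies to the `go-environments` and `trivy-args` pipeline params, which no task references. `git-commit` is the only param without an explicit `type: string`; add it for consistency with its siblings.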
@@ -6,17 +6,17 @@ metadata: pipelinesascode.tekton.dev/on-comment: "^(/allinone)$" pipelinesascode.tekton.dev/on-cel-expression: |- ( - source_branch.matches("^(main|master|release-.*)$") || + source_branch.matches("^(main|master|release-.*|alauda-.*)$") || !last_commit_title.contains("Auto-commit") ) && (( event == "push" && ( - source_branch.matches("^(main|master|release-.*)$") || - target_branch.matches("^(main|master|release-.*)$") || + source_branch.matches("^(main|master|release-.*|alauda-.*)$") || + target_branch.matches("^(main|master|release-.*|alauda-.*)$") || target_branch.startsWith("refs/tags/") ) ) || ( event == "pull_request" && ( - target_branch.matches("^(main|master|release-.*)$") + target_branch.matches("^(main|master|release-.*|alauda-.*)$") ) )) pipelinesascode.tekton.dev/max-keep-runs: "20" @@ -103,6 +103,8 @@ spec: - name: unit-test timeout: 60m retries: 0 + runAfter: + - git-clone taskRef: resolver: hub @@ -128,6 +130,8 @@ spec: - name: integration-test timeout: 60m retries: 0 + runAfter: + - git-clone taskRef: resolver: hub From f8da7bd42b594ee16a1e177ca20990997595e2be Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Tue, 15 Jul 2025 16:19:26 +0800 Subject: [PATCH 03/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index e4715f71062c..0cc4a5e46994 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -119,6 +119,8 @@ spec: value: "0.1" params: + - name: image + value: registry.alauda.cn:60080/devops/nonroot/builder-go:latest - name: script value: | go install tool @@ -146,6 +148,8 @@ spec: value: "0.1" params: + - name: image + value: registry.alauda.cn:60080/devops/nonroot/builder-go:latest - name: script value: | go install tool From 03e1259b2622cd60ace31ecac72fa5dedcd6c969 Mon Sep 17 00:00:00 2001 
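Review bot: With `runAfter: [git-clone]` now on both `unit-test` and `integration-test`, the two tasks start concurrently and both bind the same `source` workspace (a single `ReadWriteMany` claim), so `go install tool` and the two `mage` targets write into one checkout at the same time. If the build tree or test fixtures are not safe to share between the two runs, order them explicitly (`runAfter: [integration-test]` on `unit-test`) or give each task its own copy of the source rather than relying on them not colliding.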
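Review bot: The `image` param added in both hunks of patch 03 points at `registry.alauda.cn:60080/devops/nonroot/builder-go:latest`, a mutable tag, so the toolchain the tests run under can change between two runs of the same commit and a failure is not reproducible from the repository alone. Pin the image by digest (`registry.alauda.cn:60080/devops/nonroot/builder-go@sha256:<digest-placeholder>`) or at least by an immutable version tag. The same unpinned `:latest` reference reappears as `tools-image` in patch 14, and the digest point applies equally to the `tools-image`/`dind-image` defaults (`28.1-cli`, `28.1-dind`) introduced in patch 18.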
From: yuzichen <1062955096@qq.com> Date: Tue, 15 Jul 2025 16:45:22 +0800 Subject: [PATCH 04/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 0cc4a5e46994..f01962106a47 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -20,6 +20,16 @@ metadata: ) )) pipelinesascode.tekton.dev/max-keep-runs: "20" + pip.tekton.dev/runspec.golang-check: | + taskRunSpecs: + - pipelineTaskName: go-test + computeResources: + limits: + cpu: '4' + memory: 4Gi + requests: + cpu: '2' + memory: 2Gi spec: timeouts: pipeline: 3h @@ -123,6 +133,7 @@ spec: value: registry.alauda.cn:60080/devops/nonroot/builder-go:latest - name: script value: | + go env go install tool mage test:unit workspaces: @@ -152,6 +163,7 @@ spec: value: registry.alauda.cn:60080/devops/nonroot/builder-go:latest - name: script value: | + go env go install tool mage test:integration workspaces: From c5b35af04742bfece39ca7e0dffc37a39c87336a Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Tue, 15 Jul 2025 16:54:51 +0800 Subject: [PATCH 05/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 26 ++++++++++++-------------- 1 file changed, 12 insertions(+), 14 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index f01962106a47..6e3cab310136 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
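Review bot: `pipelineTaskName: go-test` in the new `pip.tekton.dev/runspec.golang-check` annotation names a task that does not exist in this pipeline (the tasks are `git-clone`, `unit-test` and `integration-test`), so whatever consumes the annotation will apply the resource limits to nothing. Unless a controller in this cluster reads that annotation, Tekton itself ignores it; the supported place for per-task resources is `spec.taskRunSpecs` with `pipelineTaskName` and `computeResources`, which the PipelineRun reconciler honours directly. The `go env` line added to both scripts prints the full Go environment into the logs on every run; keep it only while debugging.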
@@ -120,22 +120,21 @@ spec: resolver: hub params: - name: catalog - value: catalog + value: extras - name: kind value: task - name: name - value: run-script + value: golang-test - name: version - value: "0.1" + value: '0.3' params: - - name: image - value: registry.alauda.cn:60080/devops/nonroot/builder-go:latest - - name: script + - name: command value: | - go env go install tool mage test:unit + - name: GOPROXY + value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct workspaces: - name: source workspace: source @@ -150,22 +149,21 @@ spec: resolver: hub params: - name: catalog - value: catalog + value: extras - name: kind value: task - name: name - value: run-script + value: golang-test - name: version - value: "0.1" + value: '0.3' params: - - name: image - value: registry.alauda.cn:60080/devops/nonroot/builder-go:latest - - name: script + - name: command value: | - go env go install tool mage test:integration + - name: GOPROXY + value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct workspaces: - name: source workspace: source From b8c49acb3b00631f8f95b6233fec0d6ce663282f Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Tue, 15 Jul 2025 16:59:51 +0800 Subject: [PATCH 06/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 6e3cab310136..badad4a74f29 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -138,6 +138,8 @@ spec: workspaces: - name: source workspace: source + - name: cache + workspace: go-cache - name: integration-test timeout: 60m @@ -167,6 +169,8 @@ spec: workspaces: - name: source workspace: source + - name: cache + workspace: go-cache # - name: result # runAfter: # - build-catalog-image 
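Review bot: Both hunks of patch 05 switch the hub task `version` to single quotes (`'0.3'`) while the rest of the file quotes versions with double quotes (`"0.9"`, and `"0.1"` on the removed lines); keep one style for these string-typed values, e.g. `value: "0.3"`. Quoting itself is right here, since an unquoted `0.3` would parse as a float and a later `0.10` would collapse to `0.1`. Whether the `golang-test` task declares a `GOPROXY` param is not visible from this hunk; confirm it against the task, as Tekton may reject params the task does not declare.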
@@ -235,6 +239,10 @@ spec: # optional: true description: > A Workspace containing a gitversion-config file. This file is used to set the git version. + - name: go-cache + persistentVolumeClaim: + claimName: build-cache + subPath: golang-nonroot workspaces: - name: source From 1fda7eb20bb71a3238a4bc97baaaff0935fa13e8 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Tue, 15 Jul 2025 17:14:17 +0800 Subject: [PATCH 07/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index badad4a74f29..26ff1cc97070 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -252,7 +252,7 @@ spec: - ReadWriteMany resources: requests: - storage: 1Gi + storage: 5Gi - name: dockerconfig secret: secretName: build-harbor.kauto.docfj From 6d3f27df48b136137577fe506ea67539773ace5e Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Tue, 15 Jul 2025 17:36:46 +0800 Subject: [PATCH 08/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 26ff1cc97070..bceb2e61be33 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -22,7 +22,7 @@ metadata: pipelinesascode.tekton.dev/max-keep-runs: "20" pip.tekton.dev/runspec.golang-check: | taskRunSpecs: - - pipelineTaskName: go-test + - pipelineTaskName: integration-test computeResources: limits: cpu: '4' @@ -30,6 +30,14 @@ metadata: requests: cpu: '2' memory: 2Gi + - pipelineTaskName: unit-test + computeResources: + limits: + cpu: '4' + memory: 4Gi + requests: + cpu: '2' + memory: 2Gi spec: timeouts: pipeline: 3h From 73c19e23fcd5193fb9a26fd26f7f8c7ba4009224 Mon Sep 17 00:00:00 2001 
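Review bot: The `go-cache` entry added to `pipelineSpec.workspaces` carries `persistentVolumeClaim`/`claimName`/`subPath`, but that list holds workspace declarations, which only take `name`, `description` and `optional`; the binding belongs in the run-level `workspaces` list that follows, where `go-cache` is already bound to `build-cache-v4`. Depending on how strictly the admission webhook decodes unknown fields the extra keys are either silently dropped or rejected, and the two claim names (`build-cache` here versus `build-cache-v4` in the binding) disagree, so it is unclear which volume the tasks are meant to use. Reduce the declaration to `- name: go-cache` plus a `description:`, and settle the claim name in the binding only. Patch 15 repeats the same pattern for `trivy-test-image-cache`.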
From: yuzichen <1062955096@qq.com> Date: Tue, 15 Jul 2025 17:54:31 +0800 Subject: [PATCH 09/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index bceb2e61be33..d385ea1fee3c 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -20,24 +20,6 @@ metadata: ) )) pipelinesascode.tekton.dev/max-keep-runs: "20" - pip.tekton.dev/runspec.golang-check: | - taskRunSpecs: - - pipelineTaskName: integration-test - computeResources: - limits: - cpu: '4' - memory: 4Gi - requests: - cpu: '2' - memory: 2Gi - - pipelineTaskName: unit-test - computeResources: - limits: - cpu: '4' - memory: 4Gi - requests: - cpu: '2' - memory: 2Gi spec: timeouts: pipeline: 3h @@ -292,3 +274,21 @@ spec: runAsGroup: 65532 fsGroup: 65532 fsGroupChangePolicy: "OnRootMismatch" + + taskRunSpecs: + - pipelineTaskName: unit-test + computeResources: + limits: + cpu: "4" + memory: "4Gi" + requests: + cpu: "2" + memory: "2Gi" + - pipelineTaskName: integration-test + computeResources: + limits: + cpu: "4" + memory: "4Gi" + requests: + cpu: "2" + memory: "2Gi" From a64b056a75db38a93ac936a1cd57511f539c9fed Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Tue, 15 Jul 2025 18:25:06 +0800 Subject: [PATCH 10/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index d385ea1fee3c..5c08d77cf307 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
@@ -279,16 +279,16 @@ spec: - pipelineTaskName: unit-test computeResources: limits: + cpu: "8" + memory: "8Gi" + requests: cpu: "4" memory: "4Gi" - requests: - cpu: "2" - memory: "2Gi" - pipelineTaskName: integration-test computeResources: limits: + cpu: "8" + memory: "8Gi" + requests: cpu: "4" memory: "4Gi" - requests: - cpu: "2" - memory: "2Gi" From acc10cbf6c5294d8ef9bec346077dc5d9e891c7d Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Tue, 15 Jul 2025 19:42:49 +0800 Subject: [PATCH 11/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 5c08d77cf307..e4bfc3683538 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -121,8 +121,8 @@ spec: params: - name: command value: | - go install tool - mage test:unit + go install tool || echo "tool install failed" + mage test:unit || echo "unit test failed" - name: GOPROXY value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct workspaces: @@ -152,8 +152,8 @@ spec: params: - name: command value: | - go install tool - mage test:integration + go install tool || echo "tool install failed" + mage test:integration || echo "integration test failed" - name: GOPROXY value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct workspaces: From 2358787a875f3bbeba3006058fda99da4726acf9 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Tue, 15 Jul 2025 19:44:57 +0800 Subject: [PATCH 12/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index e4bfc3683538..690d8331d247 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
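Review bot: Appending `|| echo "..."` to `go install tool` and to both `mage` targets in patch 11 makes each test task exit successfully whatever the test result, so a failing unit or integration run is reported as a passing task. If the intent is to keep the script going for diagnostics, record the status and fail at the end (`rc=0; mage test:unit || rc=$?; exit $rc`), or simply let the task fail and lean on `retries`. The `set -ex` added in patch 12 does not change this, because `||` still masks the non-zero exit.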
@@ -121,6 +121,7 @@ spec: params: - name: command value: | + set -ex go install tool || echo "tool install failed" mage test:unit || echo "unit test failed" - name: GOPROXY @@ -152,6 +153,7 @@ spec: params: - name: command value: | + set -ex go install tool || echo "tool install failed" mage test:integration || echo "integration test failed" - name: GOPROXY From 0f1959a4564cadeca78f98147814acd5e14d98e2 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Tue, 15 Jul 2025 20:36:23 +0800 Subject: [PATCH 13/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 690d8331d247..d32b79036eea 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -122,8 +122,8 @@ spec: - name: command value: | set -ex - go install tool || echo "tool install failed" - mage test:unit || echo "unit test failed" + go install tool + mage test:unit - name: GOPROXY value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct workspaces: @@ -154,8 +154,8 @@ spec: - name: command value: | set -ex - go install tool || echo "tool install failed" - mage test:integration || echo "integration test failed" + go install tool + mage test:integration - name: GOPROXY value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct workspaces: From ad12856dc7ffb4a4cd0c7dc604c753952ca107ac Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Tue, 15 Jul 2025 21:13:57 +0800 Subject: [PATCH 14/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index d32b79036eea..82c22cff0c1d 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
@@ -100,7 +100,7 @@ spec: - name: basic-auth workspace: basic-auth - - name: unit-test + - name: integration-test timeout: 60m retries: 0 runAfter: @@ -110,33 +110,38 @@ spec: resolver: hub params: - name: catalog - value: extras + value: alauda + - name: type + value: tekton - name: kind value: task - name: name - value: golang-test + value: docker-in-docker - name: version - value: '0.3' + value: "0.2" params: + - name: tools-image + value: "registry.alauda.cn:60080/devops/nonroot/builder-go:latest" - name: command value: | set -ex + export GOPROXY=https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct go install tool - mage test:unit - - name: GOPROXY - value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct + mage test:integration workspaces: - name: source workspace: source - name: cache workspace: go-cache - - name: integration-test + - name: unit-test timeout: 60m retries: 0 + + # mage can not run coucurrently runAfter: - - git-clone + - integration-test taskRef: resolver: hub @@ -155,7 +160,7 @@ spec: value: | set -ex go install tool - mage test:integration + mage test:unit - name: GOPROXY value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct workspaces: @@ -163,6 +168,8 @@ spec: workspace: source - name: cache workspace: go-cache + + # - name: result # runAfter: # - build-catalog-image From 03be0f6ddeb8b923b9d6a4660a88d615239c714a Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Wed, 16 Jul 2025 09:39:49 +0800 Subject: [PATCH 15/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 31 ++++++++++++++++++++++++++++++- 1 file changed, 30 insertions(+), 1 deletion(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 82c22cff0c1d..a306bf443d2f 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
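Review bot: The comment `# mage can not run coucurrently` above the new `runAfter` on `unit-test` has a typo and should read `# mage can not run concurrently`; it would also help to say what conflicts (presumably the shared `source` workspace) so a future edit does not re-parallelise the tasks. Moving `integration-test` onto the hub `docker-in-docker` task changes the task's privilege level, since a Docker-in-Docker task needs a privileged sidecar (the local copy in patch 18 confirms `privileged: true`, `runAsUser: 0`), and a container-level `securityContext` overrides the non-root pod-level default set further down in `taskRunTemplate`. A one-line comment on the task stating that it runs a privileged sidecar would make that visible to anyone reviewing the run-level `securityContext`.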
@@ -126,14 +126,36 @@ spec: - name: command value: | set -ex + + # bind go cache + if [ "$(workspaces.modcache.bound)" == "true" ]; then + gocache=$(workspaces.modcache.path)/gocache + gomodcache=$(workspaces.modcache.path)/gomod + + echo "=> ✅ Setting cache env GOCACHE=${gocache} GOMODCACHE=${gomodcache}" + export GOCACHE="${gocache}" GOMODCACHE="${gomodcache}" + fi + + # bind testing image cache + if [ "$(workspaces.cache.bound)" == "true" ]; then + cp -nv $(workspaces.modcache.path)/*.tar.gz ./integration/testdata/fixtures/images/ + fi + export GOPROXY=https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct go install tool mage test:integration + + # make cache + if [ "$(workspaces.cache.bound)" == "true" ]; then + cp -nv ./integration/testdata/fixtures/images/*.tar.gz $(workspaces.cache.path)/fixtures/images/ + fi workspaces: - name: source workspace: source - - name: cache + - name: modcache workspace: go-cache + - name: cache + workspace: trivy-test-image-cache - name: unit-test timeout: 60m @@ -242,6 +264,10 @@ spec: persistentVolumeClaim: claimName: build-cache subPath: golang-nonroot + - name: trivy-test-image-cache + persistentVolumeClaim: + claimName: trivy-test-image-cache + subPath: trivy-test-image workspaces: - name: source @@ -271,6 +297,9 @@ spec: - name: go-cache persistentVolumeClaim: claimName: build-cache-v4 + - name: trivy-test-image-cache + persistentVolumeClaim: + claimName: trivy-test-image-cache - name: signkey secret: secretName: signing-secrets From d1e442320b7de97706c9b8de637588d393f6e18f Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Wed, 16 Jul 2025 09:52:21 +0800 Subject: [PATCH 16/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index a306bf443d2f..3f4f3ecef23a 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
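Review bot: In the new `# bind testing image cache` block the guard checks `$(workspaces.cache.bound)` but the copy reads from `$(workspaces.modcache.path)/*.tar.gz`, so it looks at the Go cache volume instead of the image cache, and under `set -e` the task aborts when the glob matches nothing; the source should be `$(workspaces.cache.path)/...`. The `# make cache` block copies fixtures back into `trivy-test-image-cache`, a claim shared by every run of this PipelineRun including `pull_request`-triggered ones, so fixtures written by one run are consumed unverified by the next; if the cache must be shared, populate it from a trusted job and treat it as read-only here, or key it by commit. `cp -nv ... $(workspaces.cache.path)/fixtures/images/` also assumes that directory already exists on the volume; add a `mkdir -p` first. The script continues outside the hunk.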
@@ -138,17 +138,14 @@ spec: # bind testing image cache if [ "$(workspaces.cache.bound)" == "true" ]; then - cp -nv $(workspaces.modcache.path)/*.tar.gz ./integration/testdata/fixtures/images/ + rm -rf ./integration/testdata/fixtures/images/ + mkdir -p $(workspaces.cache.path)/trivy/images + ln -s $(workspaces.cache.path)/trivy/images ./integration/testdata/fixtures/images fi export GOPROXY=https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct go install tool mage test:integration - - # make cache - if [ "$(workspaces.cache.bound)" == "true" ]; then - cp -nv ./integration/testdata/fixtures/images/*.tar.gz $(workspaces.cache.path)/fixtures/images/ - fi workspaces: - name: source workspace: source From a76ff9b832b2546556060f0e9bcab773c8074891 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Wed, 16 Jul 2025 10:49:54 +0800 Subject: [PATCH 17/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 3f4f3ecef23a..1629c912ce8b 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -138,9 +138,13 @@ spec: # bind testing image cache if [ "$(workspaces.cache.bound)" == "true" ]; then - rm -rf ./integration/testdata/fixtures/images/ - mkdir -p $(workspaces.cache.path)/trivy/images - ln -s $(workspaces.cache.path)/trivy/images ./integration/testdata/fixtures/images + image_dir=./integration/testdata/fixtures/images + cache_dir=$(workspaces.cache.path)/trivy/images + + rm -rf ${image_dir} + mkdir -p ${cache_dir} + echo "=> ✅ Setting trivy image cache to ${cache_dir}" + ln -s ${cache_dir} ${image_dir} fi export GOPROXY=https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct 
@@ -301,14 +305,14 @@ spec: secret: secretName: signing-secrets - taskRunTemplate: - # 让所有任务都以非 root 用户运行。 - podTemplate: - securityContext: - runAsUser: 65532 - runAsGroup: 65532 - fsGroup: 65532 - fsGroupChangePolicy: "OnRootMismatch" +# taskRunTemplate: +# # 让所有任务都以非 root 用户运行。 +# podTemplate: +# securityContext: +# runAsUser: 65532 +# runAsGroup: 65532 +# fsGroup: 65532 +# fsGroupChangePolicy: "OnRootMismatch" taskRunSpecs: - pipelineTaskName: unit-test From 5658703a2e9286adf72398c3a62553a17d198cc7 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Wed, 16 Jul 2025 11:10:07 +0800 Subject: [PATCH 18/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 30 ++++------ .tekton/docker-in-docker.yaml | 107 ++++++++++++++++++++++++++++++++++ 2 files changed, 117 insertions(+), 20 deletions(-) create mode 100644 .tekton/docker-in-docker.yaml diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 1629c912ce8b..7b99321b17db 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -20,6 +20,7 @@ metadata: ) )) pipelinesascode.tekton.dev/max-keep-runs: "20" + pipelinesascode.tekton.dev/task: "[.tekton/docker-in-docker.yaml]" spec: timeouts: pipeline: 3h @@ -107,18 +108,7 @@ spec: - git-clone taskRef: - resolver: hub - params: - - name: catalog - value: alauda - - name: type - value: tekton - - name: kind - value: task - - name: name - value: docker-in-docker - - name: version - value: "0.2" + name: docker-in-docker params: - name: tools-image @@ -305,14 +295,14 @@ spec: secret: secretName: signing-secrets -# taskRunTemplate: -# # 让所有任务都以非 root 用户运行。 -# podTemplate: -# securityContext: -# runAsUser: 65532 -# runAsGroup: 65532 -# fsGroup: 65532 -# fsGroupChangePolicy: "OnRootMismatch" + taskRunTemplate: + # 让所有任务都以非 root 用户运行。 + podTemplate: + securityContext: + runAsUser: 65532 + runAsGroup: 65532 + fsGroup: 65532 + fsGroupChangePolicy: "OnRootMismatch" taskRunSpecs: - pipelineTaskName: unit-test 
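Review bot: Commenting out `taskRunTemplate.podTemplate.securityContext` removes the non-root default (`runAsUser`/`runAsGroup`/`fsGroup` 65532) from every task in the run, not only from the one that apparently needed something else, and the hunk records no reason. If one task requires a different identity, keep the run-wide template and override it for that task under `spec.taskRunSpecs[].podTemplate`, which already exists a few lines below; if volume ownership was the problem, `fsGroupChangePolicy: "OnRootMismatch"` is there to handle it. Without the block each step falls back to its image's default user, which may be root, including the `git-clone` step that handles the `basic-auth` credentials.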
diff --git a/.tekton/docker-in-docker.yaml b/.tekton/docker-in-docker.yaml new file mode 100644 index 000000000000..dc348a1dd3cb --- /dev/null +++ b/.tekton/docker-in-docker.yaml 
@@ -0,0 +1,107 @@ +apiVersion: tekton.dev/v1 +kind: Task +metadata: + labels: + app.kubernetes.io/version: "0.2" + name: docker-in-docker + annotations: + tekton.dev/pipelines.minVersion: "0.56.0" + tekton.dev/categories: "CICD" + tekton.dev/tags: "Docker" + tekton.dev/displayName: "Docker In Docker" + tekton.dev/platforms: "linux/amd64,linux/arm64" + +spec: + description: 使用 docker in docker, 执行 docker 命令 + workspaces: + - description: code source + name: source + - description: build cache will be placed onto the volume + name: cache + optional: true + - description: gomod cache will be placed onto the volume + name: modcache + optional: true + params: + - name: command + description: the command script to be run + type: string + - name: tools-image + description: "image used to run docker commands" + default: "build-harbor.alauda.cn/devops/docker:28.1-cli" + - name: dind-image + description: "image used to run docker daemon" + default: "docker-mirrors.alauda.cn/library/docker:28.1-dind" + - name: dind-args + description: "args for docker daemon" + type: array + default: + - --default-shm-size=256m + - --storage-driver=overlay2 + - --userland-proxy=false + - --ipv6 + - --fixed-cidr-v6=2001:db8:1::/64 + - --debug + - --registry-mirror=https://docker-mirrors.alauda.cn + volumes: + - name: dind-certs + emptyDir: {} + - name: tmp + emptyDir: {} + sidecars: + - image: $(params.dind-image) + name: docker-daemon + args: [ "$(params.dind-args[*])" ] + securityContext: + privileged: true + runAsUser: 0 + env: + - name: DOCKER_TLS_CERTDIR + value: /certs + computeResources: + requests: + cpu: 2000m + memory: 2000Mi + limits: + cpu: 6000m + memory: 4000Mi + volumeMounts: + - mountPath: /certs/client + name: dind-certs + - mountPath: /tmp + name: tmp + readinessProbe: + periodSeconds: 1 + exec: + command: + - ls + - /certs/client/ca.pem + steps: + - name: command + image: $(params.tools-image) + imagePullPolicy: Always + workingDir: $(workspaces.source.path) + 
computeResources: + requests: + cpu: 1000m + memory: 2000Mi + limits: + cpu: 3000m + memory: 4000Mi + env: + - name: DOCKER_HOST + value: tcp://localhost:2376 + - name: DOCKER_TLS_VERIFY + value: "1" + - name: DOCKER_CERT_PATH + value: /certs/client + volumeMounts: + - mountPath: /certs/client + name: dind-certs + - mountPath: /tmp + name: tmp + script: | + #!/bin/bash + set -ex + git config --global --add safe.directory $(workspaces.source.path) + $(params.command) From b09422917b87f1be85b62e03d98dda8c39d0330e Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Wed, 16 Jul 2025 11:55:14 +0800 Subject: [PATCH 19/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- pkg/fanal/test/integration/registry_test.go | 38 ++++++++++----------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/pkg/fanal/test/integration/registry_test.go b/pkg/fanal/test/integration/registry_test.go index e6fc7445cc87..66c8ee3420ea 100644 --- a/pkg/fanal/test/integration/registry_test.go +++ b/pkg/fanal/test/integration/registry_test.go 
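Review bot: The new `docker-in-docker` task runs its `docker-daemon` sidecar with `privileged: true` and `runAsUser: 0`, and the `command` step pastes `$(params.command)` verbatim into its `script`, so whoever can set that param — and, via Pipelines-as-Code, whoever can change `.tekton/all-in-one.yaml` in a triggering branch or pull request — gets a privileged container on the node. Neither fact is stated in `spec.description`, which is also in Chinese while the rest of the task is in English; replace it with an English description that says the task requires a privileged sidecar and executes `command` as-is, so the PaC approval policy is understood as the security boundary. `tools-image` and `dind-image` default to mutable tags (`28.1-cli`, `28.1-dind`) and the step uses `imagePullPolicy: Always`, so the images can change between runs with no diff in this repository; pin them by digest. A comment on `--fixed-cidr-v6=2001:db8:1::/64` noting it is the documentation prefix used only for the test daemon would stop someone "fixing" it later.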
@@ -119,26 +119,26 @@ func TestTLSRegistry(t *testing.T) { }, wantErr: false, }, - { - name: "happy path with docker login", - imageName: testutil.ImageName("", "alpine-310", ""), - imageFile: "../../../../integration/testdata/fixtures/images/alpine-310.tar.gz", - option: types.ImageOptions{ - RegistryOptions: types.RegistryOptions{ - Insecure: true, + /* { + name: "happy path with docker login", + imageName: testutil.ImageName("", "alpine-310", ""), + imageFile: "../../../../integration/testdata/fixtures/images/alpine-310.tar.gz", + option: types.ImageOptions{ + RegistryOptions: types.RegistryOptions{ + Insecure: true, + }, }, - }, - login: true, - expectedOS: types.OS{ - Name: "3.10.2", - Family: "alpine", - }, - expectedRepo: types.Repository{ - Family: "alpine", - Release: "3.10", - }, - wantErr: false, - }, + login: true, + expectedOS: types.OS{ + Name: "3.10.2", + Family: "alpine", + }, + expectedRepo: types.Repository{ + Family: "alpine", + Release: "3.10", + }, + wantErr: false, + },*/ { name: "sad path: tls verify", imageName: testutil.ImageName("", "alpine-310", ""), From 29b89d94741467090990f3ca674463b4cd143424 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Wed, 16 Jul 2025 12:59:10 +0800 Subject: [PATCH 20/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 9 +++++ pkg/fanal/test/integration/registry_test.go | 38 ++++++++++----------- 2 files changed, 28 insertions(+), 19 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 7b99321b17db..028bd945c93e 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
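Review bot: Wrapping the `happy path with docker login` case in a `/* ... */` block hides it from the compiler and from `go vet`, and the hunk gives no reason the case is disabled, so nobody will know when it is safe to re-enable. Prefer keeping the case compiled and skipping it with a reason — a `skip` field on the table entry checked with `t.Skip` in the loop — or at minimum a `// TODO(DEVOPS-41238): disabled in CI because <reason placeholder>` comment above the block. `TestTLSRegistry` starts and ends outside the hunk.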
@@ -137,6 +137,15 @@ spec: ln -s ${cache_dir} ${image_dir} fi + docker_version=28.1.1 + docker_arch="x86_64" + echo "=> ✅ Install Docker CLI" + wget https://download.docker.com/linux/static/stable/${docker_arch}/docker-${docker_version}.tgz && \ + tar --strip-components=1 -xvzf docker-${docker_version}.tgz -C /usr/bin && \ + rm docker-${docker_version}.tgz + + ls /usr/bin + export GOPROXY=https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct go install tool mage test:integration diff --git a/pkg/fanal/test/integration/registry_test.go b/pkg/fanal/test/integration/registry_test.go index 66c8ee3420ea..e6fc7445cc87 100644 --- a/pkg/fanal/test/integration/registry_test.go +++ b/pkg/fanal/test/integration/registry_test.go @@ -119,26 +119,26 @@ func TestTLSRegistry(t *testing.T) { }, wantErr: false, }, - /* { - name: "happy path with docker login", - imageName: testutil.ImageName("", "alpine-310", ""), - imageFile: "../../../../integration/testdata/fixtures/images/alpine-310.tar.gz", - option: types.ImageOptions{ - RegistryOptions: types.RegistryOptions{ - Insecure: true, - }, - }, - login: true, - expectedOS: types.OS{ - Name: "3.10.2", - Family: "alpine", - }, - expectedRepo: types.Repository{ - Family: "alpine", - Release: "3.10", + { + name: "happy path with docker login", + imageName: testutil.ImageName("", "alpine-310", ""), + imageFile: "../../../../integration/testdata/fixtures/images/alpine-310.tar.gz", + option: types.ImageOptions{ + RegistryOptions: types.RegistryOptions{ + Insecure: true, }, - wantErr: false, - },*/ + }, + login: true, + expectedOS: types.OS{ + Name: "3.10.2", + Family: "alpine", + }, + expectedRepo: types.Repository{ + Family: "alpine", + Release: "3.10", + }, + wantErr: false, + }, { name: "sad path: tls verify", imageName: testutil.ImageName("", "alpine-310", ""), From 198f58218babac067db17d854d0b4122cc3559f9 Mon Sep 17 00:00:00 2001 
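Review bot: The Docker CLI tarball is fetched from download.docker.com with `wget` and unpacked straight into `/usr/bin` with no checksum or signature check, so whatever the network returns becomes an executable on the task's PATH; the version is pinned but the bytes are not. Pin the archive digest next to `docker_version` and verify it before extracting, e.g. `echo "<expected-sha256>  docker-${docker_version}.tgz" | sha256sum -c -`, and drop the `ls /usr/bin` debug line. Writing into `/usr/bin` also presumes the tools image runs as root; if it runs unprivileged (the `nonroot/builder-go` image used in later commits suggests it may) the extraction fails under `set -ex`.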
From: yuzichen <1062955096@qq.com> Date: Wed, 16 Jul 2025 13:04:06 +0800 Subject: [PATCH 21/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 028bd945c93e..d30c97aefcce 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -140,11 +140,13 @@ spec: docker_version=28.1.1 docker_arch="x86_64" echo "=> ✅ Install Docker CLI" + mkdir bin + export PATH=$PATH:$(realpath ./bin) wget https://download.docker.com/linux/static/stable/${docker_arch}/docker-${docker_version}.tgz && \ - tar --strip-components=1 -xvzf docker-${docker_version}.tgz -C /usr/bin && \ + tar --strip-components=1 -xvzf docker-${docker_version}.tgz -C ./bin && \ rm docker-${docker_version}.tgz - ls /usr/bin + ls ./bin export GOPROXY=https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct go install tool From a58580ec096927290ab059feca22fb183264b468 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Wed, 16 Jul 2025 14:33:44 +0800 Subject: [PATCH 22/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 91 ++++++++++++++++------------- .tekton/docker-in-docker.yaml | 107 ---------------------------------- 2 files changed, 50 insertions(+), 148 deletions(-) delete mode 100644 .tekton/docker-in-docker.yaml diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index d30c97aefcce..4020e3ec25bf 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -20,7 +20,6 @@ metadata: ) )) pipelinesascode.tekton.dev/max-keep-runs: "20" - pipelinesascode.tekton.dev/task: "[.tekton/docker-in-docker.yaml]" spec: timeouts: pipeline: 3h 
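Review bot: `mkdir bin` has no `-p`, so under the task's `set -ex` the step aborts if the checkout already contains a `bin/` directory, and the downloaded Docker CLI is now dropped inside the source workspace, where any later task sharing that workspace (a filesystem scan or an upload) sees it as part of the repository. Use a throwaway directory outside the checkout instead: `tools=$(mktemp -d); export PATH=$PATH:$tools` and `tar --strip-components=1 -xzf docker-${docker_version}.tgz -C "$tools"`. The tarball is still extracted without any checksum verification.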
@@ -101,14 +100,58 @@ spec: - name: basic-auth workspace: basic-auth - - name: integration-test + - name: unit-test timeout: 60m retries: 0 + runAfter: - git-clone taskRef: - name: docker-in-docker + resolver: hub + params: + - name: catalog + value: extras + - name: kind + value: task + - name: name + value: golang-test + - name: version + value: '0.3' + + params: + - name: command + value: | + set -ex + go install tool + mage test:unit + - name: GOPROXY + value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct + workspaces: + - name: source + workspace: source + - name: cache + workspace: go-cache + + - name: integration-test + timeout: 60m + retries: 0 + runAfter: + - unit-test + + taskRef: + resolver: hub + params: + - name: catalog + value: alauda + - name: type + value: tekton + - name: kind + value: task + - name: name + value: docker-in-docker + - name: version + value: "0.2" params: - name: tools-image @@ -137,17 +180,15 @@ spec: ln -s ${cache_dir} ${image_dir} fi + echo "=> ✅ Install Docker CLI" docker_version=28.1.1 docker_arch="x86_64" - echo "=> ✅ Install Docker CLI" - mkdir bin + mkdir -p bin export PATH=$PATH:$(realpath ./bin) - wget https://download.docker.com/linux/static/stable/${docker_arch}/docker-${docker_version}.tgz && \ - tar --strip-components=1 -xvzf docker-${docker_version}.tgz -C ./bin && \ + wget https://download.docker.com/linux/static/stable/${docker_arch}/docker-${docker_version}.tgz + tar --strip-components=1 -xvzf docker-${docker_version}.tgz -C ./bin rm docker-${docker_version}.tgz - ls ./bin - export GOPROXY=https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct go install tool mage test:integration 
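Review bot: integration-test now resolves `docker-in-docker` version `"0.2"` from the `alauda` hub catalog instead of the in-repo task deleted in this commit, so the task that executes this build can change under the same version string without any change in this repository. If the catalog copy matches the removed one it runs a `privileged: true` Docker daemon sidecar, which is exactly the kind of task that should be pinned by an immutable reference (a bundle digest, or the git resolver at a commit) rather than a mutable hub version. The same applies to the `golang-test` `'0.3'` reference above it; the runAfter ordering (unit-test, then integration-test) is fine.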
@@ -159,39 +200,7 @@ spec: - name: cache workspace: trivy-test-image-cache - - name: unit-test - timeout: 60m - retries: 0 - # mage can not run coucurrently - runAfter: - - integration-test - - taskRef: - resolver: hub - params: - - name: catalog - value: extras - - name: kind - value: task - - name: name - value: golang-test - - name: version - value: '0.3' - - params: - - name: command - value: | - set -ex - go install tool - mage test:unit - - name: GOPROXY - value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct - workspaces: - - name: source - workspace: source - - name: cache - workspace: go-cache # - name: result diff --git a/.tekton/docker-in-docker.yaml b/.tekton/docker-in-docker.yaml deleted file mode 100644 index dc348a1dd3cb..000000000000 --- a/.tekton/docker-in-docker.yaml +++ /dev/null 
@@ -1,107 +0,0 @@ -apiVersion: tekton.dev/v1 -kind: Task -metadata: - labels: - app.kubernetes.io/version: "0.2" - name: docker-in-docker - annotations: - tekton.dev/pipelines.minVersion: "0.56.0" - tekton.dev/categories: "CICD" - tekton.dev/tags: "Docker" - tekton.dev/displayName: "Docker In Docker" - tekton.dev/platforms: "linux/amd64,linux/arm64" - -spec: - description: 使用 docker in docker, 执行 docker 命令 - workspaces: - - description: code source - name: source - - description: build cache will be placed onto the volume - name: cache - optional: true - - description: gomod cache will be placed onto the volume - name: modcache - optional: true - params: - - name: command - description: the command script to be run - type: string - - name: tools-image - description: "image used to run docker commands" - default: "build-harbor.alauda.cn/devops/docker:28.1-cli" - - name: dind-image - description: "image used to run docker daemon" - default: "docker-mirrors.alauda.cn/library/docker:28.1-dind" - - name: dind-args - description: "args for docker daemon" - type: array - default: - - --default-shm-size=256m - - --storage-driver=overlay2 - - --userland-proxy=false - - --ipv6 - - --fixed-cidr-v6=2001:db8:1::/64 - - --debug - - --registry-mirror=https://docker-mirrors.alauda.cn - volumes: - - name: dind-certs - emptyDir: {} - - name: tmp - emptyDir: {} - sidecars: - - image: $(params.dind-image) - name: docker-daemon - args: [ "$(params.dind-args[*])" ] - securityContext: - privileged: true - runAsUser: 0 - env: - - name: DOCKER_TLS_CERTDIR - value: /certs - computeResources: - requests: - cpu: 2000m - memory: 2000Mi - limits: - cpu: 6000m - memory: 4000Mi - volumeMounts: - - mountPath: /certs/client - name: dind-certs - - mountPath: /tmp - name: tmp - readinessProbe: - periodSeconds: 1 - exec: - command: - - ls - - /certs/client/ca.pem - steps: - - name: command - image: $(params.tools-image) - imagePullPolicy: Always - workingDir: $(workspaces.source.path) - 
computeResources: - requests: - cpu: 1000m - memory: 2000Mi - limits: - cpu: 3000m - memory: 4000Mi - env: - - name: DOCKER_HOST - value: tcp://localhost:2376 - - name: DOCKER_TLS_VERIFY - value: "1" - - name: DOCKER_CERT_PATH - value: /certs/client - volumeMounts: - - mountPath: /certs/client - name: dind-certs - - mountPath: /tmp - name: tmp - script: | - #!/bin/bash - set -ex - git config --global --add safe.directory $(workspaces.source.path) - $(params.command) From accbbe0354f8a3b4e41efe761a76e10710cc6a32 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Wed, 16 Jul 2025 15:03:13 +0800 Subject: [PATCH 23/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 69 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 4020e3ec25bf..dd407b5fb39e 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
@@ -200,6 +200,75 @@ spec: - name: cache workspace: trivy-test-image-cache + - name: build-amd64 + timeout: 60m + retries: 0 + + runAfter: + - git-clone + + taskRef: + resolver: hub + params: + - name: catalog + value: extras + - name: kind + value: task + - name: name + value: golang-build + - name: version + value: '0.4' + + params: + - name: command + value: | + go build --ldflags "-w -s -extldflags '-static'" -o trivy-0.62.1-amd64 cmd/trivy/main.go + - name: GOPROXY + value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct + - name: GOARCH + value: amd64 + - name: CGO_ENABLED + value: "0" + workspaces: + - name: source + workspace: source + - name: cache + workspace: go-cache + + - name: build-arm64 + timeout: 60m + retries: 0 + + runAfter: + - git-clone + + taskRef: + resolver: hub + params: + - name: catalog + value: extras + - name: kind + value: task + - name: name + value: golang-build + - name: version + value: '0.4' + + params: + - name: command + value: | + go build --ldflags "-w -s -extldflags '-static'" -o trivy-0.62.1-arm64 cmd/trivy/main.go + - name: GOPROXY + value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct + - name: GOARCH + value: arm64 + - name: CGO_ENABLED + value: "0" + workspaces: + - name: source + workspace: source + - name: cache + workspace: go-cache From dd0c9dc775ddb31ff2eeedd45ad96206881e88f0 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Wed, 16 Jul 2025 15:17:23 +0800 Subject: [PATCH 24/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 90 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 85 insertions(+), 5 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index dd407b5fb39e..3916d0853c95 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
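Review bot: The two `go build` commands embed the absolute workspace and module-cache paths into the shipped binaries because `-trimpath` is missing, which makes the artifacts non-reproducible and leaks build-host layout; `-extldflags '-static'` is also a no-op with `CGO_ENABLED=0`. Suggest `go build -trimpath -ldflags "-w -s" -o trivy-0.62.1-amd64 ./cmd/trivy` (and the arm64 twin). The version `0.62.1` is hard-coded in two places and will drift from whatever tag is being built; derive it from `git describe --tags` or a single param. build-amd64 and build-arm64 both run after git-clone and write into the same `source` workspace concurrently, which presumably needs that volume to be shareable across the two pods.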
@@ -270,7 +270,71 @@ spec: - name: cache workspace: go-cache + - name: scan-amd64 + timeout: 60m + retries: 0 + + runAfter: + - build-amd64 + + taskRef: + resolver: hub + params: + - name: catalog + value: catalog + - name: kind + value: task + - name: name + value: trivy-scanner + - name: version + value: '0.4' + + params: + - name: COMMAND + value: | + set -ex + trivy fs --scanners vuln \ + --exit-code=1 \ + --db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-db \ + --java-db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-java-db \ + ./trivy-0.62.1-amd64 + workspaces: + - name: source + workspace: source + + + + - name: scan-arm64 + timeout: 60m + retries: 0 + + runAfter: + - build-arm64 + taskRef: + resolver: hub + params: + - name: catalog + value: catalog + - name: kind + value: task + - name: name + value: trivy-scanner + - name: version + value: '0.4' + + params: + - name: COMMAND + value: | + set -ex + trivy fs --scanners vuln \ + --exit-code=1 \ + --db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-db \ + --java-db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-java-db \ + ./trivy-0.62.1-arm64 + workspaces: + - name: source + workspace: source # - name: result # runAfter: @@ -397,16 +461,32 @@ spec: - pipelineTaskName: unit-test computeResources: limits: - cpu: "8" - memory: "8Gi" - requests: cpu: "4" memory: "4Gi" + requests: + cpu: "2" + memory: "2Gi" - pipelineTaskName: integration-test computeResources: limits: - cpu: "8" - memory: "8Gi" + cpu: "4" + memory: "4Gi" + requests: + cpu: "2" + memory: "2Gi" + - pipelineTaskName: build-amd64 + computeResources: + limits: + cpu: "4" + memory: "4Gi" requests: + cpu: "2" + memory: "2Gi" + - pipelineTaskName: build-arm64 + computeResources: + limits: cpu: "4" memory: "4Gi" + requests: + cpu: "2" + memory: "2Gi" From 0aba35d2a69fa58beb5cfa5f27501b8b195c13ce Mon Sep 17 00:00:00 2001 
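Review bot: Both scan tasks print findings to stdout only and fail the pipeline on any vulnerability via `--exit-code=1`, with no severity or `--ignore-unfixed` policy and no `--format`/`--output`, so a single unfixed low-severity CVE in a dependency blocks the build while nothing machine-readable is kept for the binaries that get published. Decide the policy explicitly (e.g. `--severity HIGH,CRITICAL --ignore-unfixed` if that is the intent) and add `--format json --output trivy-0.62.1-amd64.json` so the report can travel with the binary. The two tasks differ only in the file name and could be one matrixed task; `trivy-scanner` `'0.4'` is another mutable hub reference.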
From: yuzichen <1062955096@qq.com> Date: Wed, 16 Jul 2025 15:40:32 +0800 Subject: [PATCH 25/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 64 +++++++---------------------------------- 1 file changed, 11 insertions(+), 53 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 3916d0853c95..0616ba412280 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -32,6 +32,8 @@ spec: value: "{{ source_branch }}" - name: git-commit value: "{{ revision }}" + - name: artifact-version + value: "0.62.1" pipelineSpec: description: The pipeline is used to combine multiple pipeline templates @@ -52,19 +54,9 @@ spec: - GOMAXPROCS=4 - GOFLAGS=-buildvcs=false - CGO_ENABLED=0 - - name: trivy-args - type: array - default: - - image - - --scanners - - vuln - # - --ignore-unfixed - # - --severity MEDIUM,HIGH,CRITICAL - - --skip-db-update=false - - --db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-db - - --skip-java-db-update=false - - --java-db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-java-db - - --exit-code=1 + - name: artifact-version + description: The artifact version. + type: string # results: # - name: releases-url @@ -222,7 +214,7 @@ spec: params: - name: command value: | - go build --ldflags "-w -s -extldflags '-static'" -o trivy-0.62.1-amd64 cmd/trivy/main.go + go build --ldflags "-w -s -extldflags '-static'" -o trivy-$(params.artifact-version)-amd64 cmd/trivy/main.go - name: GOPROXY value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct - name: GOARCH @@ -257,7 +249,7 @@ spec: params: - name: command value: | - go build --ldflags "-w -s -extldflags '-static'" -o trivy-0.62.1-arm64 cmd/trivy/main.go + go build --ldflags "-w -s -extldflags '-static'" -o trivy-$(params.artifact-version)-arm64 cmd/trivy/main.go - name: GOPROXY value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct - name: GOARCH 
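Review bot: `artifact-version` is a static `"0.62.1"` literal in the PipelineRun, so every branch and tag build publishes under the same version name regardless of what was checked out; derive it from the revision (`git describe --tags --always`) or require it to match the tag. The param is also substituted textually into the shell command (`-o trivy-$(params.artifact-version)-amd64`), which is safe only while it stays a literal: if it is ever wired to an event field, quote it and pass it through `env:` rather than inlining it, because Tekton substitution happens before the shell sees the script. The removed `trivy-args` array appears to have had no remaining consumer, so that deletion is fine.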
@@ -270,46 +262,12 @@ spec: - name: cache workspace: go-cache - - name: scan-amd64 - timeout: 60m - retries: 0 - - runAfter: - - build-amd64 - - taskRef: - resolver: hub - params: - - name: catalog - value: catalog - - name: kind - value: task - - name: name - value: trivy-scanner - - name: version - value: '0.4' - - params: - - name: COMMAND - value: | - set -ex - trivy fs --scanners vuln \ - --exit-code=1 \ - --db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-db \ - --java-db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-java-db \ - ./trivy-0.62.1-amd64 - workspaces: - - name: source - workspace: source - - - - - name: scan-arm64 + - name: trivy-scan timeout: 60m retries: 0 runAfter: - - build-arm64 + - git-clone taskRef: resolver: hub @@ -327,11 +285,11 @@ spec: - name: COMMAND value: | set -ex - trivy fs --scanners vuln \ + trivy repo --scanners vuln \ --exit-code=1 \ --db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-db \ --java-db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-java-db \ - ./trivy-0.62.1-arm64 + ./ workspaces: - name: source workspace: source From 16d2e9b8bdeb6cdfd17eb69ddeecd342ed134f59 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Wed, 16 Jul 2025 16:12:15 +0800 Subject: [PATCH 26/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 325 ++++++++++++++++++++-------------------- 1 file changed, 162 insertions(+), 163 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 0616ba412280..b94aa654b599 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
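Review bot: trivy-scan now runs `trivy repo ./` straight after git-clone, so it scans the checkout's manifests but no longer scans the binaries produced by build-amd64/build-arm64, and those artifacts are the thing this pipeline ships. Keep a scan of the built binaries (runAfter the build tasks) in addition to, or instead of, the source scan, and persist the report with `--format json --output`. `trivy repo` is the git-repository scanner while `trivy fs` is the local-directory one; they should behave the same on a checkout, but `fs` makes the intent clearer.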
@@ -92,105 +92,105 @@ spec: - name: basic-auth workspace: basic-auth - - name: unit-test - timeout: 60m - retries: 0 - - runAfter: - - git-clone - - taskRef: - resolver: hub - params: - - name: catalog - value: extras - - name: kind - value: task - - name: name - value: golang-test - - name: version - value: '0.3' - - params: - - name: command - value: | - set -ex - go install tool - mage test:unit - - name: GOPROXY - value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct - workspaces: - - name: source - workspace: source - - name: cache - workspace: go-cache - - - name: integration-test - timeout: 60m - retries: 0 - runAfter: - - unit-test - - taskRef: - resolver: hub - params: - - name: catalog - value: alauda - - name: type - value: tekton - - name: kind - value: task - - name: name - value: docker-in-docker - - name: version - value: "0.2" - - params: - - name: tools-image - value: "registry.alauda.cn:60080/devops/nonroot/builder-go:latest" - - name: command - value: | - set -ex - - # bind go cache - if [ "$(workspaces.modcache.bound)" == "true" ]; then - gocache=$(workspaces.modcache.path)/gocache - gomodcache=$(workspaces.modcache.path)/gomod - - echo "=> ✅ Setting cache env GOCACHE=${gocache} GOMODCACHE=${gomodcache}" - export GOCACHE="${gocache}" GOMODCACHE="${gomodcache}" - fi - - # bind testing image cache - if [ "$(workspaces.cache.bound)" == "true" ]; then - image_dir=./integration/testdata/fixtures/images - cache_dir=$(workspaces.cache.path)/trivy/images - - rm -rf ${image_dir} - mkdir -p ${cache_dir} - echo "=> ✅ Setting trivy image cache to ${cache_dir}" - ln -s ${cache_dir} ${image_dir} - fi - - echo "=> ✅ Install Docker CLI" - docker_version=28.1.1 - docker_arch="x86_64" - mkdir -p bin - export PATH=$PATH:$(realpath ./bin) - wget https://download.docker.com/linux/static/stable/${docker_arch}/docker-${docker_version}.tgz - tar --strip-components=1 -xvzf docker-${docker_version}.tgz -C ./bin - rm 
docker-${docker_version}.tgz - - export GOPROXY=https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct - go install tool - mage test:integration - workspaces: - - name: source - workspace: source - - name: modcache - workspace: go-cache - - name: cache - workspace: trivy-test-image-cache +# - name: unit-test +# timeout: 60m +# retries: 0 +# +# runAfter: +# - git-clone +# +# taskRef: +# resolver: hub +# params: +# - name: catalog +# value: extras +# - name: kind +# value: task +# - name: name +# value: golang-test +# - name: version +# value: '0.3' +# +# params: +# - name: command +# value: | +# set -ex +# go install tool +# mage test:unit +# - name: GOPROXY +# value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct +# workspaces: +# - name: source +# workspace: source +# - name: cache +# workspace: go-cache +# +# - name: integration-test +# timeout: 60m +# retries: 0 +# runAfter: +# - unit-test +# +# taskRef: +# resolver: hub +# params: +# - name: catalog +# value: alauda +# - name: type +# value: tekton +# - name: kind +# value: task +# - name: name +# value: docker-in-docker +# - name: version +# value: "0.2" +# +# params: +# - name: tools-image +# value: "registry.alauda.cn:60080/devops/nonroot/builder-go:latest" +# - name: command +# value: | +# set -ex +# +# # bind go cache +# if [ "$(workspaces.modcache.bound)" == "true" ]; then +# gocache=$(workspaces.modcache.path)/gocache +# gomodcache=$(workspaces.modcache.path)/gomod +# +# echo "=> ✅ Setting cache env GOCACHE=${gocache} GOMODCACHE=${gomodcache}" +# export GOCACHE="${gocache}" GOMODCACHE="${gomodcache}" +# fi +# +# # bind testing image cache +# if [ "$(workspaces.cache.bound)" == "true" ]; then +# image_dir=./integration/testdata/fixtures/images +# cache_dir=$(workspaces.cache.path)/trivy/images +# +# rm -rf ${image_dir} +# mkdir -p ${cache_dir} +# echo "=> ✅ Setting trivy image cache to ${cache_dir}" +# ln -s ${cache_dir} ${image_dir} +# fi +# +# echo "=> ✅ 
Install Docker CLI" +# docker_version=28.1.1 +# docker_arch="x86_64" +# mkdir -p bin +# export PATH=$PATH:$(realpath ./bin) +# wget https://download.docker.com/linux/static/stable/${docker_arch}/docker-${docker_version}.tgz +# tar --strip-components=1 -xvzf docker-${docker_version}.tgz -C ./bin +# rm docker-${docker_version}.tgz +# +# export GOPROXY=https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct +# go install tool +# mage test:integration +# workspaces: +# - name: source +# workspace: source +# - name: modcache +# workspace: go-cache +# - name: cache +# workspace: trivy-test-image-cache - name: build-amd64 timeout: 60m @@ -267,7 +267,7 @@ spec: retries: 0 runAfter: - - git-clone + - build-amd64 taskRef: resolver: hub 
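Review bot: The unit-test and integration-test tasks are commented out wholesale (roughly 100 lines), so from this commit on build, scan and upload run with no test gate at all, and the commented block will rot as the surrounding tasks change. If the tests are being disabled temporarily, gate them with a pipeline param and a `when:` clause (e.g. `when: [{input: "$(params.run-tests)", operator: in, values: ["true"]}]`) and leave the definitions live; if they are broken, say why in the commit message. The build tasks below still `runAfter: git-clone`, so nothing downstream notices that the tests are gone.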
@@ -285,57 +285,59 @@ spec: - name: COMMAND value: | set -ex - trivy repo --scanners vuln \ + trivy fs --scanners vuln \ --exit-code=1 \ --db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-db \ --java-db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-java-db \ - ./ + ./trivy-$(params.artifact-version)-amd64 workspaces: - name: source workspace: source -# - name: result -# runAfter: -# - build-catalog-image -# timeout: 60m -# retries: 1 -# taskRef: -# resolver: hub -# params: -# - name: catalog -# value: catalog -# - name: kind -# value: task -# - name: name -# value: run-script -# - name: version -# value: "0.1" -# -# params: -# - name: image -# value: build-harbor.alauda.cn/devops/nonroot/kustomize:latest -# - name: imagePullPolicy -# value: Always -# - name: script -# value: | -# echo "⚙️ ===> artifacts in values.yaml format" -# cat values.yaml -# -# echo "⚙️ ===> release artifacts" -# export NEXUS_USERNAME=`cat $(workspaces.secret.path)/username` -# export NEXUS_PASSWORD=`cat $(workspaces.secret.path)/password` -# export OUTPUT_FILE=$(results.array-result.path) -# export BRANCH=$(params.git-revision) -# export COMMIT_ID=$(params.git-commit) -# export REPO=catalog -# build-releases.sh -# cat $OUTPUT_FILE -# -# workspaces: -# - name: source -# workspace: source -# - name: secret -# workspace: nexus-auth + - name: upload-to-nexus + runAfter: + - build-amd64 + - build-arm64 + timeout: 60m + retries: 3 + taskRef: + resolver: hub + params: + - name: catalog + value: catalog + - name: kind + value: task + - name: name + value: run-script + - name: version + value: "0.1" + + params: + - name: script + value: | + NEXUS_URL="https://build-nexus.alauda.cn/repository/alauda/devops" # Nexus 地址(无尾斜杠) + UPLOAD_PATH="trivy-cli/$(params.git-revision)" # 上传到仓库中的路径(可选) + USERNAME=`cat $(workspaces.secret.path)/username` + PASSWORD=`cat $(workspaces.secret.path)/password` + FILES=("trivy-$(params.artifact-version)-amd64" 
"trivy-$(params.artifact-version)-arm64") + + for file in "${FILES[@]}"; do + if [[ -f "$file" ]]; then + echo "Uploading $file ..." + curl -u "$USERNAME:$PASSWORD" \ + --upload-file "$file" \ + "$NEXUS_URL/repository/$REPOSITORY/$UPLOAD_PATH/$file" + echo "Done: $file" + else + echo "File not found: $file" + fi + done + + workspaces: + - name: source + workspace: source + - name: secret + workspace: nexus-auth workspaces: - name: source @@ -347,9 +349,6 @@ spec: # 该配置会触发 tekton pipeline 的 bug 导致 controller panic,所以先都设置为必填的。 # 详见: https://github.com/tektoncd/pipeline/issues/8561 # optional: true - # - name: cache - # description: Trivy image cache (optional) - # optional: true - name: basic-auth # optional: true description: > @@ -416,22 +415,22 @@ spec: fsGroupChangePolicy: "OnRootMismatch" taskRunSpecs: - - pipelineTaskName: unit-test - computeResources: - limits: - cpu: "4" - memory: "4Gi" - requests: - cpu: "2" - memory: "2Gi" - - pipelineTaskName: integration-test - computeResources: - limits: - cpu: "4" - memory: "4Gi" - requests: - cpu: "2" - memory: "2Gi" +# - pipelineTaskName: unit-test +# computeResources: +# limits: +# cpu: "4" +# memory: "4Gi" +# requests: +# cpu: "2" +# memory: "2Gi" +# - pipelineTaskName: integration-test +# computeResources: +# limits: +# cpu: "4" +# memory: "4Gi" +# requests: +# cpu: "2" +# memory: "2Gi" - pipelineTaskName: build-amd64 computeResources: limits: From a22c96ae17f4477726cdd25ecc9fb51091c0c85d Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Wed, 16 Jul 2025 16:30:51 +0800 Subject: [PATCH 27/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index b94aa654b599..669672d5b771 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
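Review bot: The upload-to-nexus script has no `set -e`, calls `curl` without `-f`, and only echoes `File not found`, so a 401/404 from Nexus or a missing binary still leaves the task green; the URL is also built as `$NEXUS_URL/repository/$REPOSITORY/...` while `NEXUS_URL` already ends in `/repository/alauda/devops` and `REPOSITORY` is never set, so it expands to `.../repository/alauda/devops/repository//trivy-cli/...`. The Nexus password is passed on the `curl` command line via `-u`, where it is readable from `/proc` by anything else in the pod. `UPLOAD_PATH` interpolates `$(params.git-revision)` (the event's source branch) into a double-quoted shell string, and Tekton substitutes that textually before bash runs, so a branch name containing `$(...)` or backticks would execute inside the task that holds the credential; treat that value as untrusted and prefer passing it through `env:`. The rewrite below makes failures fatal, keeps the credential out of argv, and fixes the URL.
```yaml
            - name: script
              value: |
                set -euo pipefail
                NEXUS_URL="https://build-nexus.alauda.cn/repository/alauda/devops"
                UPLOAD_PATH="trivy-cli/$(params.git-revision)"
                USERNAME=`cat $(workspaces.secret.path)/username`
                PASSWORD=`cat $(workspaces.secret.path)/password`
                # netrc keeps the credential out of argv; mktemp creates the file 0600
                NETRC=`mktemp`
                trap 'rm -f "$NETRC"' EXIT
                printf 'machine build-nexus.alauda.cn login %s password %s\n' "$USERNAME" "$PASSWORD" > "$NETRC"
                FILES=("trivy-$(params.artifact-version)-amd64" "trivy-$(params.artifact-version)-arm64")

                for file in "${FILES[@]}"; do
                  if [[ ! -f "$file" ]]; then
                    echo "File not found: $file" >&2
                    exit 1
                  fi
                  echo "Uploading $file ..."
                  curl -fsS --netrc-file "$NETRC" --upload-file "$file" "$NEXUS_URL/$UPLOAD_PATH/$file"
                  echo "Done: $file"
                done
```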
@@ -214,7 +214,7 @@ spec: params: - name: command value: | - go build --ldflags "-w -s -extldflags '-static'" -o trivy-$(params.artifact-version)-amd64 cmd/trivy/main.go + go build -x -v --ldflags "-w -s -extldflags '-static'" -o trivy-$(params.artifact-version)-amd64 cmd/trivy/main.go - name: GOPROXY value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct - name: GOARCH @@ -249,7 +249,7 @@ spec: params: - name: command value: | - go build --ldflags "-w -s -extldflags '-static'" -o trivy-$(params.artifact-version)-arm64 cmd/trivy/main.go + go build -x -v --ldflags "-w -s -extldflags '-static'" -o trivy-$(params.artifact-version)-arm64 cmd/trivy/main.go - name: GOPROXY value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct - name: GOARCH @@ -315,8 +315,8 @@ spec: params: - name: script value: | - NEXUS_URL="https://build-nexus.alauda.cn/repository/alauda/devops" # Nexus 地址(无尾斜杠) - UPLOAD_PATH="trivy-cli/$(params.git-revision)" # 上传到仓库中的路径(可选) + NEXUS_URL="https://build-nexus.alauda.cn/repository/alauda/devops" + UPLOAD_PATH="trivy-cli/$(params.git-revision)" USERNAME=`cat $(workspaces.secret.path)/username` PASSWORD=`cat $(workspaces.secret.path)/password` FILES=("trivy-$(params.artifact-version)-amd64" "trivy-$(params.artifact-version)-arm64") From 8c3a8b0f403606ea4bbfaeb885847ca906f90a8f Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Wed, 16 Jul 2025 17:06:35 +0800 Subject: [PATCH 28/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 669672d5b771..bbe679d45dcf 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
@@ -315,8 +315,9 @@ spec: params: - name: script value: | - NEXUS_URL="https://build-nexus.alauda.cn/repository/alauda/devops" - UPLOAD_PATH="trivy-cli/$(params.git-revision)" + NEXUS_URL="https://build-nexus.alauda.cn" + REPOSITORY="alauda/devops/trivy-cli" + UPLOAD_PATH="$(params.git-revision)" USERNAME=`cat $(workspaces.secret.path)/username` PASSWORD=`cat $(workspaces.secret.path)/password` FILES=("trivy-$(params.artifact-version)-amd64" "trivy-$(params.artifact-version)-arm64") From bf1af931de24a05d69836341ce650c2db84bf62a Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Wed, 16 Jul 2025 17:17:48 +0800 Subject: [PATCH 29/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 200 ++++++++++++++++++++-------------------- 1 file changed, 100 insertions(+), 100 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index bbe679d45dcf..41a29556d8e6 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
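Review bot: `UPLOAD_PATH="$(params.git-revision)"` keys the published binaries on a branch name, so every build of `main` overwrites the previous `trivy-0.62.1-amd64` at the same URL and there is no way to tell afterwards which commit a downloaded binary came from. Include the commit in the path or file name, since the pipeline already carries `$(params.git-commit)`, e.g. `UPLOAD_PATH="$(params.git-revision)/$(params.git-commit)"`, or restrict uploads to tag builds. `REPOSITORY="alauda/devops/trivy-cli"` is used as a path prefix rather than a Nexus repository name, which works for a raw-hosted repository but deserves a comment; the curl call still runs without `-f` and without `set -e`, so a rejected upload does not fail the task.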
@@ -92,105 +92,105 @@ spec: - name: basic-auth workspace: basic-auth -# - name: unit-test -# timeout: 60m -# retries: 0 -# -# runAfter: -# - git-clone -# -# taskRef: -# resolver: hub -# params: -# - name: catalog -# value: extras -# - name: kind -# value: task -# - name: name -# value: golang-test -# - name: version -# value: '0.3' -# -# params: -# - name: command -# value: | -# set -ex -# go install tool -# mage test:unit -# - name: GOPROXY -# value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct -# workspaces: -# - name: source -# workspace: source -# - name: cache -# workspace: go-cache -# -# - name: integration-test -# timeout: 60m -# retries: 0 -# runAfter: -# - unit-test -# -# taskRef: -# resolver: hub -# params: -# - name: catalog -# value: alauda -# - name: type -# value: tekton -# - name: kind -# value: task -# - name: name -# value: docker-in-docker -# - name: version -# value: "0.2" -# -# params: -# - name: tools-image -# value: "registry.alauda.cn:60080/devops/nonroot/builder-go:latest" -# - name: command -# value: | -# set -ex -# -# # bind go cache -# if [ "$(workspaces.modcache.bound)" == "true" ]; then -# gocache=$(workspaces.modcache.path)/gocache -# gomodcache=$(workspaces.modcache.path)/gomod -# -# echo "=> ✅ Setting cache env GOCACHE=${gocache} GOMODCACHE=${gomodcache}" -# export GOCACHE="${gocache}" GOMODCACHE="${gomodcache}" -# fi -# -# # bind testing image cache -# if [ "$(workspaces.cache.bound)" == "true" ]; then -# image_dir=./integration/testdata/fixtures/images -# cache_dir=$(workspaces.cache.path)/trivy/images -# -# rm -rf ${image_dir} -# mkdir -p ${cache_dir} -# echo "=> ✅ Setting trivy image cache to ${cache_dir}" -# ln -s ${cache_dir} ${image_dir} -# fi -# -# echo "=> ✅ Install Docker CLI" -# docker_version=28.1.1 -# docker_arch="x86_64" -# mkdir -p bin -# export PATH=$PATH:$(realpath ./bin) -# wget https://download.docker.com/linux/static/stable/${docker_arch}/docker-${docker_version}.tgz -# tar 
--strip-components=1 -xvzf docker-${docker_version}.tgz -C ./bin -# rm docker-${docker_version}.tgz -# -# export GOPROXY=https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct -# go install tool -# mage test:integration -# workspaces: -# - name: source -# workspace: source -# - name: modcache -# workspace: go-cache -# - name: cache -# workspace: trivy-test-image-cache + - name: unit-test + timeout: 60m + retries: 0 + + runAfter: + - git-clone + + taskRef: + resolver: hub + params: + - name: catalog + value: extras + - name: kind + value: task + - name: name + value: golang-test + - name: version + value: '0.3' + + params: + - name: command + value: | + set -ex + go install tool + mage test:unit + - name: GOPROXY + value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct + workspaces: + - name: source + workspace: source + - name: cache + workspace: go-cache + + - name: integration-test + timeout: 60m + retries: 0 + runAfter: + - unit-test + + taskRef: + resolver: hub + params: + - name: catalog + value: alauda + - name: type + value: tekton + - name: kind + value: task + - name: name + value: docker-in-docker + - name: version + value: "0.2" + + params: + - name: tools-image + value: "registry.alauda.cn:60080/devops/nonroot/builder-go:latest" + - name: command + value: | + set -ex + + # bind go cache + if [ "$(workspaces.modcache.bound)" == "true" ]; then + gocache=$(workspaces.modcache.path)/gocache + gomodcache=$(workspaces.modcache.path)/gomod + + echo "=> ✅ Setting cache env GOCACHE=${gocache} GOMODCACHE=${gomodcache}" + export GOCACHE="${gocache}" GOMODCACHE="${gomodcache}" + fi + + # bind testing image cache + if [ "$(workspaces.cache.bound)" == "true" ]; then + image_dir=./integration/testdata/fixtures/images + cache_dir=$(workspaces.cache.path)/trivy/images + + rm -rf ${image_dir} + mkdir -p ${cache_dir} + echo "=> ✅ Setting trivy image cache to ${cache_dir}" + ln -s ${cache_dir} ${image_dir} + fi + + echo "=> ✅ 
Install Docker CLI" + docker_version=28.1.1 + docker_arch="x86_64" + mkdir -p bin + export PATH=$PATH:$(realpath ./bin) + wget https://download.docker.com/linux/static/stable/${docker_arch}/docker-${docker_version}.tgz + tar --strip-components=1 -xvzf docker-${docker_version}.tgz -C ./bin + rm docker-${docker_version}.tgz + + export GOPROXY=https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct + go install tool + mage test:integration + workspaces: + - name: source + workspace: source + - name: modcache + workspace: go-cache + - name: cache + workspace: trivy-test-image-cache - name: build-amd64 timeout: 60m @@ -285,7 +285,7 @@ spec: - name: COMMAND value: | set -ex - trivy fs --scanners vuln \ + trivy rootfs --scanners vuln \ --exit-code=1 \ --db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-db \ --java-db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-java-db \ From ad5e411c5ce2419267af684d95d480f49c26598e Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Wed, 16 Jul 2025 17:18:45 +0800 Subject: [PATCH 30/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 41a29556d8e6..ddb3361bb099 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
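Review bot: The restored integration-test script hard-codes `docker_arch="x86_64"`, so on an arm64 node it downloads an amd64 Docker CLI that will not run, and the tarball is still unpacked with no checksum check; derive the arch with `docker_arch=$(uname -m)` and verify the archive with `sha256sum -c` against a pinned digest before `tar` runs. The `trivy rootfs` change in the second hunk passes a single file as the root; `rootfs` appears intended for a directory root, so confirm the hub task's trivy handles a file target, otherwise point it at a directory containing only the binary. The integration-test `command` block begins on the previous hunk line.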
@@ -416,22 +416,22 @@ spec: fsGroupChangePolicy: "OnRootMismatch" taskRunSpecs: -# - pipelineTaskName: unit-test -# computeResources: -# limits: -# cpu: "4" -# memory: "4Gi" -# requests: -# cpu: "2" -# memory: "2Gi" -# - pipelineTaskName: integration-test -# computeResources: -# limits: -# cpu: "4" -# memory: "4Gi" -# requests: -# cpu: "2" -# memory: "2Gi" + - pipelineTaskName: unit-test + computeResources: + limits: + cpu: "4" + memory: "4Gi" + requests: + cpu: "2" + memory: "2Gi" + - pipelineTaskName: integration-test + computeResources: + limits: + cpu: "4" + memory: "4Gi" + requests: + cpu: "2" + memory: "2Gi" - pipelineTaskName: build-amd64 computeResources: limits: From 444ce0aae4fcbe845363a198b448cf81f7a1dbf0 Mon Sep 17 00:00:00 2001 From: yzc <127376228+yuzichen12123@users.noreply.github.com> Date: Wed, 16 Jul 2025 21:34:47 +0800 Subject: [PATCH 31/64] Update all-in-one.yaml --- .tekton/all-in-one.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index ddb3361bb099..3e18af94fc4b 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -122,8 +122,6 @@ spec: workspaces: - name: source workspace: source - - name: cache - workspace: go-cache - name: integration-test timeout: 60m @@ -187,8 +185,6 @@ spec: workspaces: - name: source workspace: source - - name: modcache - workspace: go-cache - name: cache workspace: trivy-test-image-cache @@ -224,8 +220,6 @@ spec: workspaces: - name: source workspace: source - - name: cache - workspace: go-cache - name: build-arm64 timeout: 60m @@ -259,8 +253,6 @@ spec: workspaces: - name: source workspace: source - - name: cache - workspace: go-cache - name: trivy-scan timeout: 60m From ab95d2f158646ecde8bd938b2751b3859aae05b8 Mon Sep 17 00:00:00 2001 
From: yzc <127376228+yuzichen12123@users.noreply.github.com> Date: Wed, 16 Jul 2025 22:16:43 +0800 Subject: [PATCH 32/64] Update all-in-one.yaml --- .tekton/all-in-one.yaml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 3e18af94fc4b..0896d56e6d41 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -157,6 +157,11 @@ spec: echo "=> ✅ Setting cache env GOCACHE=${gocache} GOMODCACHE=${gomodcache}" export GOCACHE="${gocache}" GOMODCACHE="${gomodcache}" + else + tempdir=$(mktemp -d) + export GOCACHE=$tempdir/gocache + export GOMODCACHE=$tempdir/gomod + fi # bind testing image cache @@ -210,6 +215,9 @@ spec: params: - name: command value: | + tempdir=$(mktemp -d) + export GOCACHE=$tempdir/gocache + export GOMODCACHE=$tempdir/gomod go build -x -v --ldflags "-w -s -extldflags '-static'" -o trivy-$(params.artifact-version)-amd64 cmd/trivy/main.go - name: GOPROXY value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct @@ -243,6 +251,9 @@ spec: params: - name: command value: | + tempdir=$(mktemp -d) + export GOCACHE=$tempdir/gocache + export GOMODCACHE=$tempdir/gomod go build -x -v --ldflags "-w -s -extldflags '-static'" -o trivy-$(params.artifact-version)-arm64 cmd/trivy/main.go - name: GOPROXY value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct From 12d42975180aeb439f4de1d82f82699b05e1784e Mon Sep 17 00:00:00 2001 From: yzc <127376228+yuzichen12123@users.noreply.github.com> Date: Wed, 16 Jul 2025 22:24:34 +0800 Subject: [PATCH 33/64] Update all-in-one.yaml --- .tekton/all-in-one.yaml | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 0896d56e6d41..c877de664220 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
@@ -151,18 +151,12 @@ spec: set -ex # bind go cache - if [ "$(workspaces.modcache.bound)" == "true" ]; then - gocache=$(workspaces.modcache.path)/gocache - gomodcache=$(workspaces.modcache.path)/gomod - - echo "=> ✅ Setting cache env GOCACHE=${gocache} GOMODCACHE=${gomodcache}" - export GOCACHE="${gocache}" GOMODCACHE="${gomodcache}" - else - tempdir=$(mktemp -d) - export GOCACHE=$tempdir/gocache - export GOMODCACHE=$tempdir/gomod - fi + tempdir=$(mktemp -d) + export GOCACHE=$tempdir/gocache + export GOMODCACHE=$tempdir/gomod + + # bind testing image cache if [ "$(workspaces.cache.bound)" == "true" ]; then From 8fde7cf3179ac25b8254cc264bf19b502d958e59 Mon Sep 17 00:00:00 2001 From: yzc <127376228+yuzichen12123@users.noreply.github.com> Date: Wed, 16 Jul 2025 23:55:33 +0800 Subject: [PATCH 34/64] Update all-in-one.yaml --- .tekton/all-in-one.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index c877de664220..7cd17b067345 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -376,7 +376,7 @@ spec: - ReadWriteMany resources: requests: - storage: 5Gi + storage: 10Gi - name: dockerconfig secret: secretName: build-harbor.kauto.docfj From cbf84f6f0645a7a6f5df9d073d23327a95e53825 Mon Sep 17 00:00:00 2001 From: yzc <127376228+yuzichen12123@users.noreply.github.com> Date: Thu, 17 Jul 2025 00:03:51 +0800 Subject: [PATCH 35/64] Update all-in-one.yaml --- .tekton/all-in-one.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 7cd17b067345..2781b032b2a3 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -115,6 +115,9 @@ spec: - name: command value: | set -ex + tempdir=$(mktemp -d) + export GOCACHE=$tempdir/gocache + export GOMODCACHE=$tempdir/gomod go install tool mage test:unit - name: GOPROXY From 9d4e1b3eaee17694719b532dc3eb0232b98fd8ad Mon Sep 17 00:00:00 2001 
From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 09:36:51 +0800 Subject: [PATCH 36/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 2781b032b2a3..564843cd4626 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -115,9 +115,6 @@ spec: - name: command value: | set -ex - tempdir=$(mktemp -d) - export GOCACHE=$tempdir/gocache - export GOMODCACHE=$tempdir/gomod go install tool mage test:unit - name: GOPROXY @@ -125,6 +122,8 @@ spec: workspaces: - name: source workspace: source + - name: cache + workspace: go-cache - name: integration-test timeout: 60m @@ -159,7 +158,14 @@ spec: export GOCACHE=$tempdir/gocache export GOMODCACHE=$tempdir/gomod - + # bind cache + if [ "$(workspaces.modcache.bound)" == "true" ]; then + gocache=$(workspaces.modcache.path)/gocache + gomodcache=$(workspaces.modcache.path)/gomod + + echo "=> ✅ Setting cache env GOCACHE=${gocache} GOMODCACHE=${gomodcache}" + export GOCACHE="${gocache}" GOMODCACHE="${gomodcache}" + fi # bind testing image cache if [ "$(workspaces.cache.bound)" == "true" ]; then @@ -189,6 +195,8 @@ spec: workspace: source - name: cache workspace: trivy-test-image-cache + - name: modcache + workspace: go-cache - name: build-amd64 timeout: 60m @@ -212,9 +220,6 @@ spec: params: - name: command value: | - tempdir=$(mktemp -d) - export GOCACHE=$tempdir/gocache - export GOMODCACHE=$tempdir/gomod go build -x -v --ldflags "-w -s -extldflags '-static'" -o trivy-$(params.artifact-version)-amd64 cmd/trivy/main.go - name: GOPROXY value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct @@ -225,6 +230,8 @@ spec: workspaces: - name: source workspace: source + - name: cache + workspace: go-cache - name: build-arm64 timeout: 60m 
@@ -248,9 +255,6 @@ spec: params: - name: command value: | - tempdir=$(mktemp -d) - export GOCACHE=$tempdir/gocache - export GOMODCACHE=$tempdir/gomod go build -x -v --ldflags "-w -s -extldflags '-static'" -o trivy-$(params.artifact-version)-arm64 cmd/trivy/main.go - name: GOPROXY value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct @@ -261,6 +265,8 @@ spec: workspaces: - name: source workspace: source + - name: cache + workspace: go-cache - name: trivy-scan timeout: 60m @@ -296,8 +302,9 @@ spec: - name: upload-to-nexus runAfter: - - build-amd64 - - build-arm64 + - trivy-scan + - integration-test + - unit-test timeout: 60m retries: 3 taskRef: @@ -398,7 +405,8 @@ spec: secretName: sonarqube-credentials - name: go-cache persistentVolumeClaim: - claimName: build-cache-v4 + claimName: build-cache + subPath: golang-nonroot - name: trivy-test-image-cache persistentVolumeClaim: claimName: trivy-test-image-cache From bae282190ba4b8811d76b9f2ad42336a1b61f249 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 09:59:44 +0800 Subject: [PATCH 37/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 46 ++++++++++++++++++++++++++++++++++++----- 1 file changed, 41 insertions(+), 5 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 564843cd4626..993a85b4b4f1 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -97,7 +97,8 @@ spec: retries: 0 runAfter: - - git-clone + - build-amd64 + - build-arm64 taskRef: resolver: hub @@ -268,10 +269,10 @@ spec: - name: cache workspace: go-cache - - name: trivy-scan + - name: trivy-scan-amd64 timeout: 60m retries: 0 - + onError: continue runAfter: - build-amd64 
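Review bot: The `go-cache` volume now binds the shared `build-cache` claim (`subPath: golang-nonroot`), and this PipelineRun appears to be triggered for pull-request events as well as pushes to `main`/`release-*`, so GOCACHE/GOMODCACHE contents written by a pull-request run are consumed by later runs that build the published binaries. A persistent build cache shared across that trust boundary is a cache-poisoning surface for the release artifacts, and the `go.sum` check only protects module downloads, not compiled objects in GOCACHE. Consider a separate `subPath` (or claim) for pull-request runs, or mounting the cache read-only for untrusted runs, and record the exposure above the volume, e.g. `# shared with PR-triggered runs; release builds must not trust cached objects`. The trigger conditions live in the PipelineRun annotations, outside this hunk.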
@@ -300,9 +301,44 @@ spec: - name: source workspace: source + - name: trivy-scan-arm64 + timeout: 60m + retries: 0 + onError: continue + runAfter: + - build-arm64 + + taskRef: + resolver: hub + params: + - name: catalog + value: catalog + - name: kind + value: task + - name: name + value: trivy-scanner + - name: version + value: '0.4' + + params: + - name: COMMAND + value: | + set -ex + trivy rootfs --scanners vuln \ + --exit-code=1 \ + --db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-db \ + --java-db-repository=registry.alauda.cn:60070/ops/aquasecurity/trivy-java-db \ + ./trivy-$(params.artifact-version)-arm64 + workspaces: + - name: source + workspace: source + - name: upload-to-nexus runAfter: - - trivy-scan + - build-amd64 + - build-arm64 + - trivy-scan-amd64 + - trivy-scan-arm64 - integration-test - unit-test timeout: 60m @@ -386,7 +422,7 @@ spec: - ReadWriteMany resources: requests: - storage: 10Gi + storage: 5Gi - name: dockerconfig secret: secretName: build-harbor.kauto.docfj From b569588c44fd56e88705a51139bd8b8edeb04dca Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 10:35:13 +0800 Subject: [PATCH 38/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 993a85b4b4f1..8d841288bdc0 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -463,19 +463,19 @@ spec: - pipelineTaskName: unit-test computeResources: limits: + cpu: "8" + memory: "8Gi" + requests: cpu: "4" memory: "4Gi" - requests: - cpu: "2" - memory: "2Gi" - pipelineTaskName: integration-test computeResources: limits: + cpu: "8" + memory: "8Gi" + requests: cpu: "4" memory: "4Gi" - requests: - cpu: "2" - memory: "2Gi" - pipelineTaskName: build-amd64 computeResources: limits: From 9f1153ee0052fb41f65ac22fd62965523ba4b35c Mon Sep 17 00:00:00 2001 
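Review bot: `onError: continue` on the new `trivy-scan-arm64` task (and on `trivy-scan-amd64` in the preceding commit's hunk) turns the `--exit-code=1` vulnerability gate into an advisory step: a scan that reports findings, or fails to run at all, no longer fails the pipeline, yet `upload-to-nexus` now lists both scans in `runAfter` and publishes the binaries regardless of their outcome. If publication is meant to be gated on the scan, remove `onError: continue` from both tasks. If the scan is meant to be advisory, make that explicit instead of implicit, either with a `when:` guard on `upload-to-nexus` such as `- input: $(tasks.trivy-scan-arm64.status)` / `operator: in` / `values: ["Succeeded"]`, or with a comment above `onError`, e.g. `# scan findings are reported but intentionally do not block publication`.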
From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 10:55:36 +0800 Subject: [PATCH 39/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 8d841288bdc0..fb0e18369e23 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -58,11 +58,11 @@ spec: description: The artifact version. type: string -# results: -# - name: releases-url -# type: array -# value: $(tasks.result.results.array-result[*]) -# description: Target value and release artifacts URL + results: + - name: releases-url + type: array + value: $(tasks.upload-to-nexus.results.array-result[*]) + description: Target value and release artifacts URL tasks: - name: git-clone @@ -365,17 +365,24 @@ spec: PASSWORD=`cat $(workspaces.secret.path)/password` FILES=("trivy-$(params.artifact-version)-amd64" "trivy-$(params.artifact-version)-arm64") + results=() + for file in "${FILES[@]}"; do if [[ -f "$file" ]]; then - echo "Uploading $file ..." + url="$NEXUS_URL/repository/$REPOSITORY/$UPLOAD_PATH/$file" + echo "Uploading $file to $url ..." curl -u "$USERNAME:$PASSWORD" \ --upload-file "$file" \ - "$NEXUS_URL/repository/$REPOSITORY/$UPLOAD_PATH/$file" + $url + results+=("$url") echo "Done: $file" else echo "File not found: $file" + exit 1 fi done + + echo ${results[*]} > $(results.array-result.path) workspaces: - name: source From 28642798bfeacaa14f92bab1d34025ecd32983eb Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 10:56:55 +0800 Subject: [PATCH 40/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index fb0e18369e23..f1ef30ad6b80 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
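Review bot: In the rewritten upload loop, `curl -u "$USERNAME:$PASSWORD" --upload-file "$file" $url` has no `--fail`, so an HTTP 401/403/5xx from Nexus exits 0, the URL is appended to `results` and `Done: $file` is printed for a file that was never stored; the new `exit 1` only covers the missing-file case. `$url` also lost the quotes the replaced line had. Change the call to `curl --fail --silent --show-error -u "$USERNAME:$PASSWORD" --upload-file "$file" "$url"`. Separately, `echo ${results[*]} > $(results.array-result.path)` writes a space-separated string, while Tekton array results (the `releases-url` pipeline result declared in the earlier hunk reads it as `array-result[*]`) are expected to be JSON-encoded, so the result may fail to resolve. The script's `set` options are outside the hunk; if `-x` is enabled there, the `-u` argument with the password is echoed into the task log.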
@@ -486,16 +486,16 @@ spec: - pipelineTaskName: build-amd64 computeResources: limits: + cpu: "8" + memory: "8Gi" + requests: cpu: "4" memory: "4Gi" - requests: - cpu: "2" - memory: "2Gi" - pipelineTaskName: build-arm64 computeResources: limits: + cpu: "8" + memory: "8Gi" + requests: cpu: "4" memory: "4Gi" - requests: - cpu: "2" - memory: "2Gi" From 2ea3963e1417086cda745623b8c3be6690c8d1a3 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 11:18:57 +0800 Subject: [PATCH 41/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index f1ef30ad6b80..a68e8ada8a2b 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -239,7 +239,7 @@ spec: retries: 0 runAfter: - - git-clone + - build-amd64 taskRef: resolver: hub @@ -364,8 +364,7 @@ spec: USERNAME=`cat $(workspaces.secret.path)/username` PASSWORD=`cat $(workspaces.secret.path)/password` FILES=("trivy-$(params.artifact-version)-amd64" "trivy-$(params.artifact-version)-arm64") - - results=() + RESULTS=() for file in "${FILES[@]}"; do if [[ -f "$file" ]]; then @@ -374,7 +373,7 @@ spec: curl -u "$USERNAME:$PASSWORD" \ --upload-file "$file" \ $url - results+=("$url") + RESULTS+=("$url") echo "Done: $file" else echo "File not found: $file" @@ -382,7 +381,7 @@ spec: fi done - echo ${results[*]} > $(results.array-result.path) + echo ${RESULTS[*]} > $(results.array-result.path) workspaces: - name: source From 7ee39e4228cf2017c494b2742a3cc823cdcf2333 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 11:45:46 +0800 Subject: [PATCH 42/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index a68e8ada8a2b..a0e789586f2f 100644 
--- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -469,32 +469,32 @@ spec: - pipelineTaskName: unit-test computeResources: limits: - cpu: "8" - memory: "8Gi" - requests: cpu: "4" memory: "4Gi" + requests: + cpu: "2" + memory: "2Gi" - pipelineTaskName: integration-test computeResources: limits: - cpu: "8" - memory: "8Gi" - requests: cpu: "4" memory: "4Gi" + requests: + cpu: "2" + memory: "2Gi" - pipelineTaskName: build-amd64 computeResources: limits: - cpu: "8" - memory: "8Gi" - requests: cpu: "4" memory: "4Gi" + requests: + cpu: "2" + memory: "2Gi" - pipelineTaskName: build-arm64 computeResources: limits: - cpu: "8" - memory: "8Gi" - requests: cpu: "4" memory: "4Gi" + requests: + cpu: "2" + memory: "2Gi" From cce04d2035261727a8ea427c3f17ec8307c3cf1f Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 12:38:45 +0800 Subject: [PATCH 43/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 60 ++++++++++++++++++++++++++--------------- 1 file changed, 39 insertions(+), 21 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index a0e789586f2f..1e5d44ab36c4 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
@@ -126,6 +126,39 @@ spec: - name: cache workspace: go-cache + - name: prepare-integration-test + runAfter: + - git-clone + timeout: 60m + retries: 3 + params: + - name: script + value: | + tool_dir=./bin + + echo "=> ✅ Install Docker CLI" + docker_version=28.1.1 + docker_arch="x86_64" + mkdir -p ${tool_dir} + wget https://download.docker.com/linux/static/stable/${docker_arch}/docker-${docker_version}.tgz + tar --strip-components=1 -xvzf docker-${docker_version}.tgz -C ${tool_dir} + rm docker-${docker_version}.tgz + + taskRef: + resolver: hub + params: + - name: catalog + value: catalog + - name: kind + value: task + - name: name + value: run-script + - name: version + value: "0.1" + workspaces: + - name: source + workspace: source + - name: integration-test timeout: 60m retries: 0 @@ -152,12 +185,6 @@ spec: - name: command value: | set -ex - - # bind go cache - - tempdir=$(mktemp -d) - export GOCACHE=$tempdir/gocache - export GOMODCACHE=$tempdir/gomod # bind cache if [ "$(workspaces.modcache.bound)" == "true" ]; then @@ -179,15 +206,6 @@ spec: ln -s ${cache_dir} ${image_dir} fi - echo "=> ✅ Install Docker CLI" - docker_version=28.1.1 - docker_arch="x86_64" - mkdir -p bin - export PATH=$PATH:$(realpath ./bin) - wget https://download.docker.com/linux/static/stable/${docker_arch}/docker-${docker_version}.tgz - tar --strip-components=1 -xvzf docker-${docker_version}.tgz -C ./bin - rm docker-${docker_version}.tgz - export GOPROXY=https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct go install tool mage test:integration @@ -469,19 +487,19 @@ spec: - pipelineTaskName: unit-test computeResources: limits: + cpu: "8" + memory: "8Gi" + requests: cpu: "4" memory: "4Gi" - requests: - cpu: "2" - memory: "2Gi" - pipelineTaskName: integration-test computeResources: limits: + cpu: "8" + memory: "8Gi" + requests: cpu: "4" memory: "4Gi" - requests: - cpu: "2" - memory: "2Gi" - pipelineTaskName: build-amd64 computeResources: limits: 
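Review bot: `prepare-integration-test` fetches `docker-${docker_version}.tgz` with `wget` and extracts it into `./bin` without any integrity check, and the script has no `set -e`, so a failed download or a substituted archive is extracted (or silently skipped) and the resulting CLI is what the integration tests run. Pin the expected digest next to the version and verify before `tar`: `set -euo pipefail` as the first line, `docker_sha256="<EXPECTED_SHA256_PLACEHOLDER>"` beside `docker_version`, and `echo "${docker_sha256}  docker-${docker_version}.tgz" | sha256sum -c -` before the extraction; with `retries: 3` a verification failure is retried rather than masked. The same commit removes `export PATH=$PATH:$(realpath ./bin)` from `integration-test` in the third hunk, so unless the `docker-in-docker` task adds `./bin` to `PATH` itself the CLI installed here is not found by the tests.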
From 5eb211745a40fd780c1fdca3c13b17adf198b8fb Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 12:40:02 +0800 Subject: [PATCH 44/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 1e5d44ab36c4..6f7ec135be21 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -164,6 +164,7 @@ spec: retries: 0 runAfter: - unit-test + - prepare-integration-test taskRef: resolver: hub From c91cda1dd6d97821be7b4c5fe6e5e18ede9b64a1 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 13:24:31 +0800 Subject: [PATCH 45/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 6f7ec135be21..614b7362b5ac 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -120,6 +120,9 @@ spec: mage test:unit - name: GOPROXY value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct + - name: environments + value: + - `GOMAXPROCS=8` workspaces: - name: source workspace: source @@ -208,6 +211,7 @@ spec: fi export GOPROXY=https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct + export GOMAXPROCS=8 go install tool mage test:integration workspaces: From 36d7e28634ced047d91e8a7b2974744aa1fb3864 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 13:26:30 +0800 Subject: [PATCH 46/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 614b7362b5ac..ad59a8e68c5c 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
@@ -122,7 +122,7 @@ spec: value: https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct - name: environments value: - - `GOMAXPROCS=8` + - "GOMAXPROCS=8" workspaces: - name: source workspace: source From 2fa0bba4225ede884e6663d5859813494fcc537c Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 14:03:15 +0800 Subject: [PATCH 47/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index ad59a8e68c5c..c2a9be1fb904 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -97,8 +97,7 @@ spec: retries: 0 runAfter: - - build-amd64 - - build-arm64 + - git-clone taskRef: resolver: hub @@ -190,6 +189,8 @@ spec: value: | set -ex + export PATH=$PATH:$(realpath ./bin) + # bind cache if [ "$(workspaces.modcache.bound)" == "true" ]; then gocache=$(workspaces.modcache.path)/gocache From 573e4998a38d9b41ac73022f7384a0d70ab983b0 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 14:21:10 +0800 Subject: [PATCH 48/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index c2a9be1fb904..5a6ae534a8e0 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -263,7 +263,7 @@ spec: retries: 0 runAfter: - - build-amd64 + - git-clone taskRef: resolver: hub From 6336ee5ed40eeffc3f4845ffc4307824e7eefda0 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 14:32:38 +0800 Subject: [PATCH 49/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 5a6ae534a8e0..654bb63c30b5 100644 --- a/.tekton/all-in-one.yaml 
+++ b/.tekton/all-in-one.yaml @@ -405,7 +405,7 @@ spec: fi done - echo ${RESULTS[*]} > $(results.array-result.path) + echo ${RESULTS} > $(results.array-result.path) workspaces: - name: source From e6ae30c9a6107cfba9bb62c55a63b302ef639d38 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 14:58:35 +0800 Subject: [PATCH 50/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 654bb63c30b5..95039fd5d35e 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml @@ -405,7 +405,13 @@ spec: fi done - echo ${RESULTS} > $(results.array-result.path) + JSON_RESULT="[\"${RESULTS[0]}\"" + for i in "${RESULTS[@]:1}"; do + JSON_RESULT+=",\"$i\"" + done + JSON_RESULT+="]" + + echo "${JSON_RESULT}" > $(results.array-result.path) workspaces: - name: source From baf1e6a3db31c2b79eb3735313a42223cc724d28 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 15:52:19 +0800 Subject: [PATCH 51/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .github/workflows/alauda-release.yaml | 28 +++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 .github/workflows/alauda-release.yaml diff --git a/.github/workflows/alauda-release.yaml b/.github/workflows/alauda-release.yaml new file mode 100644 index 000000000000..d5da929e2ba6 --- /dev/null +++ b/.github/workflows/alauda-release.yaml 
@@ -0,0 +1,28 @@ +on: + pull_request: + branches: + - alauda-v0.62.1 +jobs: + release: + name: Release + runs-on: ubuntu-latest-m + + steps: + - name: Checkout code + uses: actions/checkout@v4.1.6 + with: + fetch-depth: 0 + + - name: Set up Go + uses: actions/setup-go@v5 + with: + go-version-file: go.mod + cache: false + + - name: Set up GoReleaser + uses: goreleaser/goreleaser-action@v6 + with: + version: v2.1.0 + args: release --snapshot --set version=0.62.1-alauda + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 4f8e7659fa404366b2037bb3124ae2c545d7955f Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 16:17:14 +0800 Subject: [PATCH 52/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .github/workflows/alauda-release.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/alauda-release.yaml b/.github/workflows/alauda-release.yaml index d5da929e2ba6..c9fa25d60f13 100644 --- a/.github/workflows/alauda-release.yaml +++ b/.github/workflows/alauda-release.yaml @@ -4,8 +4,8 @@ on: - alauda-v0.62.1 jobs: release: - name: Release - runs-on: ubuntu-latest-m + name: alauda-elease + runs-on: ubuntu-latest steps: - name: Checkout code From 6ec4db7e7b4d8363f683b688bfa7d45eb10569dd Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 16:18:37 +0800 Subject: [PATCH 53/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .github/workflows/alauda-release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/alauda-release.yaml b/.github/workflows/alauda-release.yaml index c9fa25d60f13..ea035ab6bff2 100644 --- a/.github/workflows/alauda-release.yaml +++ b/.github/workflows/alauda-release.yaml @@ -23,6 +23,6 @@ jobs: uses: goreleaser/goreleaser-action@v6 with: version: v2.1.0 - args: release --snapshot --set version=0.62.1-alauda + args: release --snapshot env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
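Review bot: The new workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope and hands that token to `goreleaser-action`; add a top-level least-privilege grant, `permissions:` with `contents: write` beneath it, which is the only scope a GoReleaser GitHub release needs and matters once a later commit in this series drops `--snapshot`. The `uses:` references (`actions/checkout@v4.1.6`, `actions/setup-go@v5`, `goreleaser/goreleaser-action@v6`) are mutable tags; pinning each to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<COMMIT_SHA_PLACEHOLDER> # v4.1.6`, protects the release job from a retagged action.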
From ceefbdbb361bbaa5bc916e3056685c54bdc09f49 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 16:23:09 +0800 Subject: [PATCH 54/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .github/workflows/alauda-release.yaml | 2 +- alauda-goreleaser.yml | 57 +++++++++++++++++++++++++++ 2 files changed, 58 insertions(+), 1 deletion(-) create mode 100644 alauda-goreleaser.yml diff --git a/.github/workflows/alauda-release.yaml b/.github/workflows/alauda-release.yaml index ea035ab6bff2..6939ed56754d 100644 --- a/.github/workflows/alauda-release.yaml +++ b/.github/workflows/alauda-release.yaml @@ -23,6 +23,6 @@ jobs: uses: goreleaser/goreleaser-action@v6 with: version: v2.1.0 - args: release --snapshot + args: release --snapshot -f=alauda-goreleaser.yml env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/alauda-goreleaser.yml b/alauda-goreleaser.yml new file mode 100644 index 000000000000..107a3f75fe25 --- /dev/null +++ b/alauda-goreleaser.yml 
@@ -0,0 +1,57 @@ +# This is an example .goreleaser.yml file with some sensible defaults. +# Make sure to check the documentation at https://goreleaser.com + +# The lines below are called `modelines`. See `:help modeline` +# Feel free to remove those if you don't want/need to use them. +# yaml-language-server: $schema=https://goreleaser.com/static/schema.json +# vim: set ts=2 sw=2 tw=0 fo=cnqoj + +version: 2 + +before: + hooks: + # You may remove this if you don't use go modules. + - go mod tidy + +builds: + - env: + - CGO_ENABLED=0 + - GOPROXY=https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct + goos: + - linux + goarch: + - amd64 + - arm64 + ldflags: + - -w -s -extldflags '-static' + main: ./cmd/trivy/ + binary: alauda-trivy + +archives: + - formats: [tar.gz] + # this name template makes the OS and Arch compatible with the results of `uname`. + name_template: >- + {{ .ProjectName }}_ + {{- title .Os }}_ + {{- if eq .Arch "amd64" }}x86_64 + {{- else if eq .Arch "386" }}i386 + {{- else }}{{ .Arch }}{{ end }} + {{- if .Arm }}v{{ .Arm }}{{ end }} + # use zip for windows archives + format_overrides: + - goos: windows + formats: [zip] + +changelog: + sort: asc + filters: + exclude: + - "^docs:" + - "^test:" + +release: + footer: >- + + --- + + Released by [GoReleaser](https://github.com/goreleaser/goreleaser). From 3126f26a0ee80a4df72aa4c2993e96964f2c2a61 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 16:28:17 +0800 Subject: [PATCH 55/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .github/workflows/alauda-release.yaml | 4 ++-- alauda-goreleaser.yml => goreleaser-alauda.yml | 4 +++- 2 files changed, 5 insertions(+), 3 deletions(-) rename alauda-goreleaser.yml => goreleaser-alauda.yml (84%) diff --git a/.github/workflows/alauda-release.yaml b/.github/workflows/alauda-release.yaml index 6939ed56754d..a37c82fbd0e3 100644 --- a/.github/workflows/alauda-release.yaml 
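Review bot: `before.hooks` runs `go mod tidy` during the release build, which can rewrite `go.mod`/`go.sum` on the runner, so the released `alauda-trivy` binary may be built against a dependency set that differs from the committed one and is not reproducible from the tagged commit. Prefer `- go mod download` followed by `- go mod verify` in the hook so any drift fails the release instead of being absorbed silently. The `format_overrides` entry for `goos: windows` is dead configuration, since `goos` lists only `linux`. The `GOPROXY` entry pointing at an internal Nexus is unlikely to be reachable from a GitHub-hosted runner; the `goproxy.cn,direct` fallback hides that, which makes the effective module source depend on network reachability at release time.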
+++ b/.github/workflows/alauda-release.yaml @@ -4,7 +4,7 @@ on: - alauda-v0.62.1 jobs: release: - name: alauda-elease + name: alauda-release runs-on: ubuntu-latest steps: @@ -23,6 +23,6 @@ jobs: uses: goreleaser/goreleaser-action@v6 with: version: v2.1.0 - args: release --snapshot -f=alauda-goreleaser.yml + args: release --snapshot -f=goreleaser-alauda.yml env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/alauda-goreleaser.yml b/goreleaser-alauda.yml similarity index 84% rename from alauda-goreleaser.yml rename to goreleaser-alauda.yml index 107a3f75fe25..938965130c50 100644 --- a/alauda-goreleaser.yml +++ b/goreleaser-alauda.yml @@ -54,4 +54,6 @@ release: --- - Released by [GoReleaser](https://github.com/goreleaser/goreleaser). + This release is intended for use only as part of the Alauda product suite. + It is not recommended for use by individuals or teams outside of Alauda. + Any consequences arising from its use are the sole responsibility of the user. From 55d9e035c6cae52b1ca6fb77a9aa9400d3143a80 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 16:32:27 +0800 Subject: [PATCH 56/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- goreleaser-alauda.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/goreleaser-alauda.yml b/goreleaser-alauda.yml index 938965130c50..84c013dfd152 100644 --- a/goreleaser-alauda.yml +++ b/goreleaser-alauda.yml @@ -29,7 +29,6 @@ builds: archives: - formats: [tar.gz] - # this name template makes the OS and Arch compatible with the results of `uname`. name_template: >- {{ .ProjectName }}_ {{- title .Os }}_ @@ -37,7 +36,6 @@ archives: {{- else if eq .Arch "386" }}i386 {{- else }}{{ .Arch }}{{ end }} {{- if .Arm }}v{{ .Arm }}{{ end }} - # use zip for windows archives format_overrides: - goos: windows formats: [zip] From c6747e820a32b43497125a5c731ea4a569c2d4d2 Mon Sep 17 00:00:00 2001 
From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 16:37:12 +0800 Subject: [PATCH 57/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- goreleaser.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/goreleaser.yml b/goreleaser.yml index c81c7c0ae1bb..56f6a7c32a5f 100644 --- a/goreleaser.yml +++ b/goreleaser.yml @@ -108,7 +108,7 @@ nfpms: archives: - id: archive - format: tar.gz + formats: [tar.gz] name_template: >- {{ .ProjectName }}_{{ .Version }}_ {{- if eq .Os "darwin" }}macOS @@ -130,7 +130,7 @@ archives: - contrib/*.tpl format_overrides: - goos: windows - format: zip + formats: [zip] brews: From e9d9ffc4993ae79a621de8c05c074ae1319d4870 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 16:41:43 +0800 Subject: [PATCH 58/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- goreleaser-alauda.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/goreleaser-alauda.yml b/goreleaser-alauda.yml index 84c013dfd152..512119b0ebe3 100644 --- a/goreleaser-alauda.yml +++ b/goreleaser-alauda.yml @@ -28,7 +28,8 @@ builds: binary: alauda-trivy archives: - - formats: [tar.gz] + - id: archive + formats: [tar.gz] name_template: >- {{ .ProjectName }}_ {{- title .Os }}_ From 1a370f55d70210207dcff8d4876bf0a5b0ab0537 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 16:45:00 +0800 Subject: [PATCH 59/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .github/workflows/alauda-release.yaml | 1 + goreleaser-alauda.yml | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/alauda-release.yaml b/.github/workflows/alauda-release.yaml index a37c82fbd0e3..1b567fe784da 100644 --- a/.github/workflows/alauda-release.yaml +++ b/.github/workflows/alauda-release.yaml @@ -26,3 +26,4 @@ jobs: args: release --snapshot -f=goreleaser-alauda.yml env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} +x \ No newline at end of file 
diff --git a/goreleaser-alauda.yml b/goreleaser-alauda.yml index 512119b0ebe3..ff33a3e678fb 100644 --- a/goreleaser-alauda.yml +++ b/goreleaser-alauda.yml @@ -29,7 +29,7 @@ builds: archives: - id: archive - formats: [tar.gz] + format: tar.gz name_template: >- {{ .ProjectName }}_ {{- title .Os }}_ @@ -39,7 +39,7 @@ archives: {{- if .Arm }}v{{ .Arm }}{{ end }} format_overrides: - goos: windows - formats: [zip] + format: zip changelog: sort: asc From 042cff6e6b69fd48bab44fa970f35e3b9de09803 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 16:45:15 +0800 Subject: [PATCH 60/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .github/workflows/alauda-release.yaml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/alauda-release.yaml b/.github/workflows/alauda-release.yaml index 1b567fe784da..a37c82fbd0e3 100644 --- a/.github/workflows/alauda-release.yaml +++ b/.github/workflows/alauda-release.yaml @@ -26,4 +26,3 @@ jobs: args: release --snapshot -f=goreleaser-alauda.yml env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} -x \ No newline at end of file From 691bb758b1a04251b4ad2b86730cb7f652089c32 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 16:57:31 +0800 Subject: [PATCH 61/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .github/workflows/{alauda-release.yaml => release-alauda.yaml} | 0 goreleaser-alauda.yml | 1 - 2 files changed, 1 deletion(-) rename .github/workflows/{alauda-release.yaml => release-alauda.yaml} (100%) diff --git a/.github/workflows/alauda-release.yaml b/.github/workflows/release-alauda.yaml similarity index 100% rename from .github/workflows/alauda-release.yaml rename to .github/workflows/release-alauda.yaml diff --git a/goreleaser-alauda.yml b/goreleaser-alauda.yml index ff33a3e678fb..9194fe4af348 100644 --- a/goreleaser-alauda.yml +++ b/goreleaser-alauda.yml 
@@ -16,7 +16,6 @@ before: builds: - env: - CGO_ENABLED=0 - - GOPROXY=https://build-nexus.alauda.cn/repository/golang/,https://goproxy.cn,direct goos: - linux goarch: From 7c5f0d79cdfa8acca3b25a7582d9754838ddd791 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 17:09:44 +0800 Subject: [PATCH 62/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .github/workflows/release-alauda.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-alauda.yaml b/.github/workflows/release-alauda.yaml index a37c82fbd0e3..4c8d51310fd2 100644 --- a/.github/workflows/release-alauda.yaml +++ b/.github/workflows/release-alauda.yaml @@ -1,7 +1,7 @@ on: - pull_request: + push: branches: - - alauda-v0.62.1 + - alauda-v* jobs: release: name: alauda-release @@ -23,6 +23,6 @@ jobs: uses: goreleaser/goreleaser-action@v6 with: version: v2.1.0 - args: release --snapshot -f=goreleaser-alauda.yml + args: release -f=goreleaser-alauda.yml env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 59d89a662dccaeb0d095fc2ff94db5f47a0c6ee8 Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 17:19:16 +0800 Subject: [PATCH 63/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- DEVELOPMENT.md | 35 +++++++++++++++++++++++++++++++++++ goreleaser.yml | 4 ++-- 2 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 DEVELOPMENT.md diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md new file mode 100644 index 000000000000..9bb9e18c9646 --- /dev/null +++ b/DEVELOPMENT.md 
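Review bot: Changing the trigger from `pull_request` on one branch to `push` on `alauda-v*` means every push to any matching branch now runs a non-snapshot release with the repository token, so publishing authority becomes "anyone who can push to an `alauda-v*` branch", and the glob is wider than the single `alauda-v0.62.1` it replaces. Releases are normally cut from an immutable ref; `on: push: tags: ['alauda-v*']` would make that explicit, and goreleaser usually refuses a non-snapshot release on an untagged commit anyway, so the branch trigger presumably only works when each release commit is also tagged; confirm against the goreleaser version pinned below. If the branch trigger is kept, pair it with branch protection so the auto-merged renovate PRs described later in this series cannot publish without review.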
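Review bot: Dropping `--snapshot` turns this step into a publishing release driven by `GITHUB_TOKEN`, but neither hunk shows a `permissions:` block (lines 8–22 of the file are outside the diff), so unless one exists there the token carries the repository's default workflow permissions instead of the minimum it needs. Add at the job level `permissions:` / `  contents: write` and nothing broader, and consider `args: release --clean -f=goreleaser-alauda.yml` so a stale `dist/` from a previous run cannot be uploaded. Since other plugins are meant to fetch these artifacts automatically (per the DEVELOPMENT.md added later in this series), also confirm that `goreleaser-alauda.yml` emits checksums, and ideally signatures, so consumers can verify what they download.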
@@ -0,0 +1,35 @@ +# Trivy alauda 分支开发指南 + +## 背景 + +此前,trivy 作为通用的 cli,在多个插件中都有被使用,需要各自修复 trivy 自身的漏洞。 + +为了避免重复工作,所以我们基于 [trivy](https://github.com/aquasecurity/trivy.git) fork 出了当前仓库,并通过 `alauda-vx.xx.xx` 分支来维护。 + +使用 [renovate](https://gitlab-ce.alauda.cn/devops/tech-research/renovate/-/blob/main/docs/quick-start/0002-quick-start.md) 自动修复对应版本上的漏洞。 + +## 仓库结构 + +在原有代码的基础上,添加了以下内容: + +1. `.tekton`: 维护 pac 流水线,包含编译、测试、漏洞扫描等步骤,最终会将制品上传到 nexus +2. `.github/release-alauda.yaml`: 使用 goreleaser 自动创建 release +3. `goreleaser-alauda.yml`: 发布 alauda 版本的 release 的配置文件 + +## 维护方案 + +当需要使用新版本的 trivy 时,按照以下步骤执行: + +1. 从对应 tag 拉出 alauda 分支,例如 `v0.62.1` tag 对应 `alauda-v0.62.1` 分支 +2. 将新分支加入到 renovate 的配置文件中,用于自动扫描并修复漏洞 +3. renovate 提 PR 后,会自动跑流水线,若所有测试通过,则 PR 将会被自动合并 +4. 合并到 `alauda-v0.62.1` 分支后,goreleaser 会自动创建出 `alauda-v0.62.1` release +5. 其他插件中配置的 renovate 会根据配置自动从 release 中获取制品 + +## 自动化流水线 + +- `.github/workflow/test.yaml`: 官方测试,包含单元测试、集成测试等,基于 Github Action 运行 +- `.tekton/all-in-one.yaml`: pac 流水线,包含编译、测试、漏洞扫描等步骤,基于 Tekton 运行(后续考虑废弃该流水线,仅依靠 Github Action 运行官方测试?) + + + diff --git a/goreleaser.yml b/goreleaser.yml index 56f6a7c32a5f..c81c7c0ae1bb 100644 --- a/goreleaser.yml +++ b/goreleaser.yml @@ -108,7 +108,7 @@ nfpms: archives: - id: archive - formats: [tar.gz] + format: tar.gz name_template: >- {{ .ProjectName }}_{{ .Version }}_ {{- if eq .Os "darwin" }}macOS @@ -130,7 +130,7 @@ archives: - contrib/*.tpl format_overrides: - goos: windows - formats: [zip] + format: zip brews: From 40968f7e4d113ed61ebc27d0aeaf2fe33d766f1d Mon Sep 17 00:00:00 2001 From: yuzichen <1062955096@qq.com> Date: Thu, 17 Jul 2025 17:41:53 +0800 Subject: [PATCH 64/64] feat: [DEVOPS-41238] add trivy all-in-one pipeline --- .tekton/all-in-one.yaml | 2 -- DEVELOPMENT.md | 5 +---- 2 files changed, 1 insertion(+), 6 deletions(-) diff --git a/.tekton/all-in-one.yaml b/.tekton/all-in-one.yaml index 95039fd5d35e..72952eed89e4 100644 --- a/.tekton/all-in-one.yaml +++ b/.tekton/all-in-one.yaml 
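Review bot: The `formats: [tar.gz]` → `format: tar.gz` and `formats: [zip]` → `format: zip` lines revert exactly what patch 57 of this series did to `goreleaser.yml`, so the two commits net to zero and should be dropped from the series rather than merged as a pair. If the singular key was restored to match the goreleaser version pinned in the workflow (`version: v2.1.0` in `release-alauda.yaml`, presumably predating the plural key; confirm against that version's schema), record that next to the key so the next upgrade does not flip-flop again: `format: tar.gz  # singular key: matches goreleaser v2.1.0 pinned in .github/workflows/release-alauda.yaml`.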
@@ -296,7 +296,6 @@ spec: - name: trivy-scan-amd64 timeout: 60m retries: 0 - onError: continue runAfter: - build-amd64 @@ -328,7 +327,6 @@ spec: - name: trivy-scan-arm64 timeout: 60m retries: 0 - onError: continue runAfter: - build-arm64 diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md index 9bb9e18c9646..36c34628e2e8 100644 --- a/DEVELOPMENT.md +++ b/DEVELOPMENT.md @@ -28,8 +28,5 @@ ## 自动化流水线 -- `.github/workflow/test.yaml`: 官方测试,包含单元测试、集成测试等,基于 Github Action 运行 +- `.github/workflow/test.yaml`: 官方测试,包含单元测试、集成测试、构建测试等,基于 Github Action 运行 - `.tekton/all-in-one.yaml`: pac 流水线,包含编译、测试、漏洞扫描等步骤,基于 Tekton 运行(后续考虑废弃该流水线,仅依靠 Github Action 运行官方测试?) - - -
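Review bot: Removing `onError: continue` from `trivy-scan-amd64` and `trivy-scan-arm64` makes a scan failure fail the whole PipelineRun, which is the right default for a gate, but the policy now hinges on flags the hunk does not show (whether the scan runs with a non-zero exit code on findings, and which severities count), so state it where each task is defined: `# Scan failure is fatal: a finding at the configured severity blocks the pipeline; keep retries at 0 so a real finding is not retried away.` With `retries: 0` the same change also makes transient failures (vulnerability DB pull, registry access) fatal, which is acceptable for a security gate but worth noting, since an infrastructure error and a real finding now look identical to the pipeline. Each task definition continues past its hunk.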