Merge branch 'main' into update-attestation-verify

.github/workflows/install-frsca.yaml

@@ -63,10 +63,22 @@ jobs:
             exit 1
           fi
           sleep 60
-          IMAGE_URL=$(tkn pr describe --last -o jsonpath='{..taskResults}' | jq -r '.[] | select(.name | match("IMAGE_URL$")) | .value')
+          TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name'))
+          echo "TASK_RUNS=${TASK_RUNS[@]}"
+          TASK_RUN="none"; IMAGE_URL="none"
+          for tr in "${TASK_RUNS[@]}"; do
+            image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name | match("IMAGE_URL$")) | .value')
+            if [ -n "${image}" ]; then
+              TASK_RUN="${tr}"
+              IMAGE_URL="${image}"
+              break
+            fi
+          done
           if [ "${REGISTRY}" = "registry.registry" ]; then
             IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')"
           fi
+          echo "TASK_RUN=${TASK_RUN}"
+          echo "IMAGE_URL=${IMAGE_URL}"
           crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')"
           tkn tr describe --last -o json | jq -r '.metadata.annotations["chains.tekton.dev/signed"]'
           cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"
@@ -85,10 +97,22 @@ jobs:
             exit 1
           fi
           sleep 60
-          IMAGE_URL=$(tkn pr describe --last -o jsonpath='{..taskResults}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value')
+          TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name'))
+          echo "TASK_RUNS=${TASK_RUNS[@]}"
+          TASK_RUN="none"; IMAGE_URL="none"
+          for tr in "${TASK_RUNS[@]}"; do
+            image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value')
+            if [ -n "${image}" ]; then
+              TASK_RUN="${tr}"
+              IMAGE_URL="${image}"
+              break
+            fi
+          done
           if [ "${REGISTRY}" = "registry.registry" ]; then
             IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:5000#')"
           fi
+          echo "TASK_RUN=${TASK_RUN}"
+          echo "IMAGE_URL=${IMAGE_URL}"
           crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')"
 
           cosign verify --insecure-ignore-tlog --key k8s://tekton-chains/signing-secrets "${IMAGE_URL}"

examples/buildpacks/README.md

@@ -25,18 +25,25 @@ make example-buildpacks
 # Wait until it completes.
 tkn pr logs --last -f
 
-# Ensure it has been signed.
-tkn tr describe --last -o jsonpath='{.metadata.annotations.chains\.tekton\.dev/signed}'
-# Should output "true"
-
 # Export the value of IMAGE_URL from the last pipeline run and the associated taskrun name:
-IMAGE_URL=$(tkn pr describe --last -o jsonpath='{..taskResults}' | jq -r '.[] | select(.name | match("IMAGE_URL$")) | .value')
-TASK_RUN=$(tkn pr describe --last -o json | jq -r '.status.taskRuns | keys[] as $k | {"k": $k, "v": .[$k]} | select(.v.status.taskResults[]?.name | match("IMAGE_URL$")) | .k')
+TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name'))
+TASK_RUN="none" IMAGE_URL="none"; for tr in "${TASK_RUNS[@]}"; do
+  image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name | match("IMAGE_URL$")) | .value')
+  if [ -n "${image}" ]; then
+    TASK_RUN="${tr}"
+    IMAGE_URL="${image}"
+    break
+  fi
+done
 if [ "${REGISTRY}" = "registry.registry" ]; then
   : "${REGISTRY_PORT:=5000}"
   IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:'${REGISTRY_PORT}'#')"
 fi
 
+# Ensure it has been signed.
+tkn tr describe "${TASK_RUN}" -o jsonpath='{.metadata.annotations.chains\.tekton\.dev/signed}'
+# Should output "true"
+
 # Double check that the attestation and the signature were uploaded to the OCI.
 crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')"
 

examples/cosign/README.md

@@ -28,9 +28,16 @@ make example-cosign
 # Wait until it completes.
 tkn pr logs --last -f
 
-# Export the value of IMAGE_URL from the last taskrun and the taskrun name:
-IMAGE_URL=$(tkn pr describe --last -o jsonpath='{..taskResults}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value')
-TASK_RUN=$(tkn pr describe --last -o json | jq -r '.status.taskRuns | keys[] as $k | {"k": $k, "v": .[$k]} | select(.v.status.taskResults[]?.name == "IMAGE_URL") | .k')
+# Export the value of IMAGE_URL from the last pipeline run and the associated taskrun name:
+TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name'))
+TASK_RUN="none" IMAGE_URL="none"; for tr in "${TASK_RUNS[@]}"; do
+  image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value')
+  if [ -n "${image}" ]; then
+    TASK_RUN="${tr}"
+    IMAGE_URL="${image}"
+    break
+  fi
+done
 if [ "${REGISTRY}" = "registry.registry" ]; then
   : "${REGISTRY_PORT:=5000}"
   IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:'${REGISTRY_PORT}'#')"

examples/go-pipeline/README.md

@@ -31,9 +31,16 @@ make example-golang-pipeline
 # Wait until it completes.
 tkn pr logs --last -f
 
-# Export the value of IMAGE_URL from the last taskrun and the taskrun name:
-IMAGE_URL=$(tkn pr describe --last -o jsonpath='{..taskResults}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value')
-TASK_RUN=$(tkn pr describe --last -o json | jq -r '.status.taskRuns | keys[] as $k | {"k": $k, "v": .[$k]} | select(.v.status.taskResults[]?.name == "IMAGE_URL") | .k')
+# Export the value of IMAGE_URL from the last pipeline run and the associated taskrun name:
+TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name'))
+TASK_RUN="none" IMAGE_URL="none"; for tr in "${TASK_RUNS[@]}"; do
+  image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value')
+  if [ -n "${image}" ]; then
+    TASK_RUN="${tr}"
+    IMAGE_URL="${image}"
+    break
+  fi
+done
 if [ "${REGISTRY}" = "registry.registry" ]; then
   : "${REGISTRY_PORT:=5000}"
   IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:'${REGISTRY_PORT}'#')"

examples/gradle-pipeline/README.md

@@ -26,8 +26,15 @@ make example-gradle-pipeline
 tkn pr logs --last -f
 
 # Export the value of IMAGE_URL from the last pipeline run and the associated taskrun name:
-IMAGE_URL="$(tkn pr describe --last -o jsonpath='{..taskResults}' | jq -r '.[] | select(.name | match("IMAGE_URL$")) | .value')"
-TASK_RUN="$(tkn pr describe --last -o json | jq -r '.status.taskRuns | keys[] as $k | {"k": $k, "v": .[$k]} | select(.v.status.taskResults[]?.name | match("IMAGE_URL$")) | .k')"
+TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name'))
+TASK_RUN="none" IMAGE_URL="none"; for tr in "${TASK_RUNS[@]}"; do
+  image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name | match("IMAGE_URL$")) | .value')
+  if [ -n "${image}" ]; then
+    TASK_RUN="${tr}"
+    IMAGE_URL="${image}"
+    break
+  fi
+done
 if [ "${REGISTRY}" = "registry.registry" ]; then
   : "${REGISTRY_PORT:=5000}"
   IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:'${REGISTRY_PORT}'#')"

examples/ibm-tutorial/README.md

@@ -23,18 +23,25 @@ make example-ibm-tutorial
 # Wait until it completes.
 tkn pr logs --last -f
 
-# Ensure it has been signed.
-tkn tr describe --last -o jsonpath='{.metadata.annotations.chains\.tekton\.dev/signed}'
-# Should output "true"
-
 # Export the value of IMAGE_URL from the last pipeline run and the associated taskrun name:
-IMAGE_URL=$(tkn pr describe --last -o jsonpath='{..taskResults}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value')
-TASK_RUN=$(tkn pr describe --last -o json | jq -r '.status.taskRuns | keys[] as $k | {"k": $k, "v": .[$k]} | select(.v.status.taskResults[]?.name == "IMAGE_URL") | .k')
+TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name'))
+TASK_RUN="none" IMAGE_URL="none"; for tr in "${TASK_RUNS[@]}"; do
+  image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == IMAGE_URL") | .value')
+  if [ -n "${image}" ]; then
+    TASK_RUN="${tr}"
+    IMAGE_URL="${image}"
+    break
+  fi
+done
 if [ "${REGISTRY}" = "registry.registry" ]; then
   : "${REGISTRY_PORT:=5000}"
   IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:'${REGISTRY_PORT}'#')"
 fi
 
+# Ensure it has been signed.
+tkn tr describe "${TASK_RUN}" -o jsonpath='{.metadata.annotations.chains\.tekton\.dev/signed}'
+# Should output "true"
+
 # Double check that the attestation and the signature were uploaded to the OCI.
 crane ls "$(echo -n ${IMAGE_URL} | sed 's|:[^/]*$||')"
 

examples/sample-pipeline/README.md

@@ -31,9 +31,16 @@ make example-sample-pipeline
 # Wait until it completes.
 tkn pr logs --last -f
 
-# Export the value of IMAGE_URL from the last taskrun and the taskrun name:
-IMAGE_URL=$(tkn pr describe --last -o jsonpath='{..taskResults}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value')
-TASK_RUN=$(tkn pr describe --last -o json | jq -r '.status.taskRuns | keys[] as $k | {"k": $k, "v": .[$k]} | select(.v.status.taskResults[]?.name == "IMAGE_URL") | .k')
+# Export the value of IMAGE_URL from the last pipeline run and the associated taskrun name:
+TASK_RUNS=($(tkn pr describe --last -o jsonpath='{.status.childReferences}' | jq -r '.[] | select(.kind | match("TaskRun")) | .name'))
+TASK_RUN="none" IMAGE_URL="none"; for tr in "${TASK_RUNS[@]}"; do
+  image=$(tkn tr describe "${tr}" -o jsonpath='{.status.results}' | jq -r '.[] | select(.name == "IMAGE_URL") | .value')
+  if [ -n "${image}" ]; then
+    TASK_RUN="${tr}"
+    IMAGE_URL="${image}"
+    break
+  fi
+done
 if [ "${REGISTRY}" = "registry.registry" ]; then
   : "${REGISTRY_PORT:=5000}"
   IMAGE_URL="$(echo "${IMAGE_URL}" | sed 's#'${REGISTRY}'#127.0.0.1:'${REGISTRY_PORT}'#')"