gitops-update-pipeline.yaml
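---
# Tekton Pipeline that updates an image reference in a GitOps repository:
#   1. git-clone            - check out the base branch of the target repo
#   2. yq-update            - run the caller-supplied yq script in the checkout
#   3. git-commit-and-push  - commit the change to a per-run branch and push it
#   4. open-pr              - open a pull request from that branch (only when
#                             a new commit was actually produced)
apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: gitops-update-pipeline
spec:
  # NOTE(review): Tekton substitutes $(params.*) textually into the values
  # below before any step runs. Several of these parameters end up inside
  # shell script text (see GIT_SCRIPT) or are executed as a script
  # (yq-script), so whoever can start a PipelineRun controls what runs with
  # the git credentials. Restrict who may create runs and validate parameter
  # values at the trigger layer.
  params:
    - name: image-registry-repo
      type: string
    - name: image-digest
      type: string
    - name: gitServer
      type: string
    - name: gitApiServer
      type: string
    - name: gitOrgName
      type: string
    - name: gitRepoName
      type: string
    - name: gitRepoBranchBase
      default: main
      type: string
    - name: gitApiPrefix
      default: ''
      type: string
    # The API token is passed by Secret name/key reference, never by value.
    - name: gitTokenSecretName
      type: string
    - name: gitTokenSecretKey
      default: token
      type: string
    # NOTE(review): the description mentions a default value, but no
    # `default` is declared for this parameter - TODO confirm whether one
    # was intended.
    - name: yq-script
      description: |
        The yq script (can be multiple lines/commands) to execute inside the git repository.
        `$IMAGE_NAME` and `$IMAGE_DIGEST` will be set as environment variables, and can be used in the expressions.
        See the default value for an example that updates values in the `images section of a kustomization.yaml file.
      type: string
  results:
    - name: pr-url
      description: The URL of the pull request
      value: $(tasks.open-pr.results.URL)
  tasks:
    - name: git-clone
      params:
        - name: url
          value: $(params.gitServer)/$(params.gitOrgName)/$(params.gitRepoName)
        - name: revision
          value: $(params.gitRepoBranchBase)
        # Pinned by digest so the image content cannot change underneath
        # the pipeline.
        - name: gitInitImage
          value: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:1a50511583fc02a27012d17d942e247813404104ddd282d7e26f99765174392c
        - name: subdirectory
          value: /$(params.gitRepoName)/
      taskRef:
        kind: ClusterTask
        name: git-clone
      workspaces:
        - name: output
          workspace: git-workspace
        - name: basic-auth
          workspace: git-basic-auth
    # Only the source workspace is bound here: the task that executes the
    # caller-supplied script does not receive the git-basic-auth workspace.
    - name: yq-update
      params:
        - name: SCRIPT
          value: $(params.yq-script)
        - name: env-image-name
          value: $(params.image-registry-repo)
        - name: env-image-digest
          value: $(params.image-digest)
        - name: git-repo-path
          value: $(params.gitRepoName)
      runAfter:
        - git-clone
      taskRef:
        kind: Task
        name: yq-update
      workspaces:
        - name: source
          workspace: git-workspace
    - name: git-commit-and-push
      params:
        # Tag plus digest: the digest is what pins the image content.
        - name: BASE_IMAGE
          value: cgr.dev/chainguard/git:root-2.39@sha256:7759f87050dd8bacabe61354d75ccd7f864d6b6f8ec42697db7159eccd491139
        - name: GIT_USER_NAME
          value: Pipeline Image Updater
        - name: GIT_USER_EMAIL
          value: pipeline@example.com
        # Shell expansions are double-quoted so a repository name containing
        # whitespace or glob characters is not word-split, and the script
        # stops if the working copy cannot be entered instead of running git
        # in another directory.
        # NOTE(review): quoting does not neutralise a gitRepoName that itself
        # contains quotes or command substitutions, because Tekton pastes the
        # value into the script text. How the git-cli task executes this
        # script is not visible here - confirm before using other quote
        # styles inside it.
        - name: GIT_SCRIPT
          value: |
            # Move repo to HOME so Git does not complain
            # https://stackoverflow.com/a/71941707/19020549
            cp -r "$(workspaces.source.path)/$(params.gitRepoName)" ~/"$(params.gitRepoName)"
            cd ~/"$(params.gitRepoName)" || exit 1
            PR_BRANCH="pipeline_$(context.pipelineRun.uid)"
            git checkout -b "$PR_BRANCH"
            if [ -z "$(git status --porcelain)" ]; then
              echo "Update did not cause a modification"
              exit 0
            fi
            git commit -am "Update image ref from pipeline"
            git push origin "$PR_BRANCH:$PR_BRANCH"
        - name: USER_HOME
          value: /home/git
        # Quoted so the value stays a string rather than a YAML boolean.
        # NOTE(review): verbose output from a step that has the basic-auth
        # workspace mounted ends up in the run logs; check that the
        # credentials cannot appear in it.
        - name: VERBOSE
          value: "true"
      runAfter:
        - yq-update
      taskRef:
        kind: ClusterTask
        name: git-cli
      workspaces:
        - name: source
          workspace: git-workspace
        - name: basic-auth
          workspace: git-basic-auth
    - name: open-pr
      params:
        - name: GITHUB_HOST_URL
          value: $(params.gitApiServer)
        - name: API_PATH_PREFIX
          value: $(params.gitApiPrefix)
        - name: REPO_FULL_NAME
          value: $(params.gitOrgName)/$(params.gitRepoName)
        - name: GITHUB_TOKEN_SECRET_NAME
          value: $(params.gitTokenSecretName)
        - name: GITHUB_TOKEN_SECRET_KEY
          value: $(params.gitTokenSecretKey)
        - name: AUTH_TYPE
          value: Bearer
        # Must match the PR_BRANCH name built in GIT_SCRIPT above.
        - name: HEAD
          value: pipeline_$(context.pipelineRun.uid)
        - name: BASE
          value: $(params.gitRepoBranchBase)
        # image-registry-repo and image-digest are rendered into the pull
        # request text as supplied by the caller.
        - name: BODY
          value: |
            This pull request has been automatically generated by an OpenShift Pipeline in order to update an image ref. Here are the details:
            | Key | Value |
            |------------------|---------------------------------------------------------------------------|
            | Pipeline Name | $(context.pipeline.name) |
            | PipelineRun Name | $(context.pipelineRun.name) |
            | PipelinRun UID | `$(context.pipelineRun.uid)` |
            | Image registry | `$(params.image-registry-repo)` |
            | New Digest | `$(params.image-digest)` |
        - name: TITLE
          value: "Auto: update image ref"
      runAfter:
        - git-commit-and-push
      taskRef:
        kind: Task
        name: github-open-pr
      # Skip the pull request when the commit reported by git-commit-and-push
      # is the same one git-clone checked out (presumably: nothing new was
      # committed).
      when:
        - input: $(tasks.git-clone.results.commit)
          operator: notin
          values:
            - $(tasks.git-commit-and-push.results.commit)
  # git-basic-auth carries the git credentials and is bound only to
  # git-clone and git-commit-and-push.
  workspaces:
    - name: git-workspace
    - name: git-basic-auth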