covscanrest/k8s/prod/osh-client-tekton/pipeline/osh-client-from-source-pipeline.yaml

#requires running `tkn hub install task "git-cli"` first 
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: osh-client-from-source
spec:
  description: This pipeline clones a repo, git archives it then sends it to covscan to be scanned with snyk
  params:

  - name: repo-url
    description: The SCMURL
    type: string

  - name: revision
    description: The revision or tag
    type: string

  - name: mock-build-params
    description: The parameters to pass to covscan mock-build
    type: string

  - name: archive-name
    description: The name of the git archive file
    type: string
    default: $(context.pipelineRun.uid).tar.gz

  workspaces:
    - name: sources
      description: This workspace contains our cloned sources and is temporary
    - name: source-tars
      description: This workspace contains our source tar gzips for covscan and is semi-persistant
    - name: ssl-ca-directory
      description: Location of CA bundle for ssl verification with internal services


  tasks:
    - name: clone
      taskRef:
        name: git-clone
      workspaces:
        - name: output
          workspace: sources
          subPath: $(context.pipelineRun.name)
        - name: ssl-ca-directory
          workspace: ssl-ca-directory
      params:
        - name: url
          value: $(params.repo-url)
        - name: revision
          value: $(params.revision)
        - name: verbose
          value: true

    - name: archive
      runAfter:
        - clone
      taskRef:
        name: git-cli
      workspaces:
        - name: source
          workspace: sources
          subPath: $(context.pipelineRun.name)
        - name: source-tars
          workspace: source-tars
          subPath: $(context.pipelineRun.name)
      params:
        - name: USER_HOME
          value: /home/git
        - name: archive-name
          value: $(params.archive-name)
        - name: GIT_SCRIPT
          value: |
            git config --global --add safe.directory /workspace/source
            git archive --format=tar.gz HEAD -o /workspace/source-tars/$(params.archive-name)

            #results:
            #- name: archive-name
            #description: The name of the tar.gz we created            

    - name: covscan
      params:
        - name: targz-file
          value: $(params.archive-name)
        - name: mock-build-params
          value: $(params.mock-build-params)
      runAfter:
        - archive
      taskRef:
        name: osh-scan-task-from-source
      workspaces:
        - name: source-tars
          workspace: source-tars
          subPath: $(context.pipelineRun.name)
  finally:
    - name: cleanup-workspace
      params:
        - name: clear-dir
          value: $(context.pipelineRun.name)
      taskRef:
        name: cleanup-workspace
      workspaces:
        - name: sources
          workspace: sources
          #Note we don't provide a subpath, this way we can contain the whole folder