cicd/tasks/git-clone.yaml

apiVersion: tekton.dev/v1
kind: Task
metadata:
  annotations:
    tekton.dev/categories: Git
    tekton.dev/displayName: git clone
    tekton.dev/pipelines.minVersion: 0.38.0
    tekton.dev/platforms: linux/amd64,linux/s390x,linux/ppc64le,linux/arm64
    tekton.dev/tags: git
  labels:
    app.kubernetes.io/version: "0.9"
    operator.tekton.dev/operand-name: openshift-pipelines-addons
    operator.tekton.dev/provider-type: redhat
  name: git-clone
  namespace: goghvideo-cicd-pipeline
spec:
  description: |-
    These Tasks are Git tasks to work with repositories used by other tasks in your Pipeline.
    The git-clone Task will clone a repo from the provided url into the output Workspace. By default the repo will be cloned into the root of your Workspace. You can clone into a subdirectory by setting this Task's subdirectory param. This Task also supports sparse checkouts. To perform a sparse checkout, pass a list of comma separated directory patterns to this Task's sparseCheckoutDirectories param.
  params:
  - description: Repository URL to clone from.
    name: url
    type: string
  - default: ""
    description: Revision to checkout. (branch, tag, sha, ref, etc...)
    name: revision
    type: string
  - default: ""
    description: Refspec to fetch before checking out revision.
    name: refspec
    type: string
  - default: "true"
    description: Initialize and fetch git submodules.
    name: submodules
    type: string
  - default: "1"
    description: Perform a shallow clone, fetching only the most recent N commits.
    name: depth
    type: string
  - default: "true"
    description: Set the `http.sslVerify` global git config. Setting this to `false`
      is not advised unless you are sure that you trust your git remote.
    name: sslVerify
    type: string
  - default: ca-bundle.crt
    description: file name of mounted crt using ssl-ca-directory workspace. default
      value is ca-bundle.crt.
    name: crtFileName
    type: string
  - default: ""
    description: Subdirectory inside the `output` Workspace to clone the repo into.
    name: subdirectory
    type: string
  - default: ""
    description: Define the directory patterns to match or exclude when performing
      a sparse checkout.
    name: sparseCheckoutDirectories
    type: string
  - default: "true"
    description: Clean out the contents of the destination directory if it already
      exists before cloning.
    name: deleteExisting
    type: string
  - default: ""
    description: HTTP proxy server for non-SSL requests.
    name: httpProxy
    type: string
  - default: ""
    description: HTTPS proxy server for SSL requests.
    name: httpsProxy
    type: string
  - default: ""
    description: Opt out of proxying HTTP/HTTPS requests.
    name: noProxy
    type: string
  - default: "true"
    description: Log the commands that are executed during `git-clone`'s operation.
    name: verbose
    type: string
  - default: registry.redhat.io/openshift-pipelines/pipelines-git-init-rhel8@sha256:1a50511583fc02a27012d17d942e247813404104ddd282d7e26f99765174392c
    description: The image providing the git-init binary that this Task runs.
    name: gitInitImage
    type: string
  - default: /home/git
    description: |
      Absolute path to the user's home directory.
    name: userHome
    type: string
  results:
  - description: The precise commit SHA that was fetched by this Task.
    name: commit
    type: string
  - description: The precise URL that was fetched by this Task.
    name: url
    type: string
  - description: The epoch timestamp of the commit that was fetched by this Task.
    name: committer-date
    type: string
  steps:
  - env:
    - name: HOME
      value: $(params.userHome)
    - name: PARAM_URL
      value: $(params.url)
    - name: PARAM_REVISION
      value: $(params.revision)
    - name: PARAM_REFSPEC
      value: $(params.refspec)
    - name: PARAM_SUBMODULES
      value: $(params.submodules)
    - name: PARAM_DEPTH
      value: $(params.depth)
    - name: PARAM_SSL_VERIFY
      value: $(params.sslVerify)
    - name: PARAM_CRT_FILENAME
      value: $(params.crtFileName)
    - name: PARAM_SUBDIRECTORY
      value: $(params.subdirectory)
    - name: PARAM_DELETE_EXISTING
      value: $(params.deleteExisting)
    - name: PARAM_HTTP_PROXY
      value: $(params.httpProxy)
    - name: PARAM_HTTPS_PROXY
      value: $(params.httpsProxy)
    - name: PARAM_NO_PROXY
      value: $(params.noProxy)
    - name: PARAM_VERBOSE
      value: $(params.verbose)
    - name: PARAM_SPARSE_CHECKOUT_DIRECTORIES
      value: $(params.sparseCheckoutDirectories)
    - name: PARAM_USER_HOME
      value: $(params.userHome)
    - name: WORKSPACE_OUTPUT_PATH
      value: $(workspaces.output.path)
    - name: WORKSPACE_SSH_DIRECTORY_BOUND
      value: $(workspaces.ssh-directory.bound)
    - name: WORKSPACE_SSH_DIRECTORY_PATH
      value: $(workspaces.ssh-directory.path)
    - name: WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND
      value: $(workspaces.basic-auth.bound)
    - name: WORKSPACE_BASIC_AUTH_DIRECTORY_PATH
      value: $(workspaces.basic-auth.path)
    - name: WORKSPACE_SSL_CA_DIRECTORY_BOUND
      value: $(workspaces.ssl-ca-directory.bound)
    - name: WORKSPACE_SSL_CA_DIRECTORY_PATH
      value: $(workspaces.ssl-ca-directory.path)
    image: $(params.gitInitImage)
    name: clone
    script: |
      #!/usr/bin/env sh
      set -eu

      if [ "${PARAM_VERBOSE}" = "true" ] ; then
        set -x
      fi

      if [ "${WORKSPACE_BASIC_AUTH_DIRECTORY_BOUND}" = "true" ] ; then
        cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials"
        cp "${WORKSPACE_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig"
        chmod 400 "${PARAM_USER_HOME}/.git-credentials"
        chmod 400 "${PARAM_USER_HOME}/.gitconfig"
      fi

      if [ "${WORKSPACE_SSH_DIRECTORY_BOUND}" = "true" ] ; then
        cp -LR "${WORKSPACE_SSH_DIRECTORY_PATH}"/* "${PARAM_USER_HOME}"/.ssh
        chmod 700 "${PARAM_USER_HOME}"/.ssh
        chmod -R 400 "${PARAM_USER_HOME}"/.ssh/*
      fi

      if [ "${WORKSPACE_SSL_CA_DIRECTORY_BOUND}" = "true" ] ; then
         export GIT_SSL_CAPATH="${WORKSPACE_SSL_CA_DIRECTORY_PATH}"
         if [ "${PARAM_CRT_FILENAME}" != "" ] ; then
            export GIT_SSL_CAINFO="${WORKSPACE_SSL_CA_DIRECTORY_PATH}/${PARAM_CRT_FILENAME}"
         fi
      fi
      CHECKOUT_DIR="${WORKSPACE_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}"

      cleandir() {
        # Delete any existing contents of the repo directory if it exists.
        #
        # We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/"
        # or the root of a mounted volume.
        if [ -d "${CHECKOUT_DIR}" ] ; then
          # Delete non-hidden files and directories
          rm -rf "${CHECKOUT_DIR:?}"/*
          # Delete files and directories starting with . but excluding ..
          rm -rf "${CHECKOUT_DIR}"/.[!.]*
          # Delete files and directories starting with .. plus any other character
          rm -rf "${CHECKOUT_DIR}"/..?*
        fi
      }

      if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then
        cleandir || true
      fi

      test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}"
      test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}"
      test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}"

      git config --global --add safe.directory "${WORKSPACE_OUTPUT_PATH}"
      /ko-app/git-init \
        -url="${PARAM_URL}" \
        -revision="${PARAM_REVISION}" \
        -refspec="${PARAM_REFSPEC}" \
        -path="${CHECKOUT_DIR}" \
        -sslVerify="${PARAM_SSL_VERIFY}" \
        -submodules="${PARAM_SUBMODULES}" \
        -depth="${PARAM_DEPTH}" \
        -sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}"
      cd "${CHECKOUT_DIR}"
      RESULT_SHA="$(git rev-parse HEAD)"
      EXIT_CODE="$?"
      if [ "${EXIT_CODE}" != 0 ] ; then
        exit "${EXIT_CODE}"
      fi
      RESULT_COMMITTER_DATE="$(git log -1 --pretty=%ct)"
      printf "%s" "${RESULT_COMMITTER_DATE}" > "$(results.committer-date.path)"
      printf "%s" "${RESULT_SHA}" > "$(results.commit.path)"
      printf "%s" "${PARAM_URL}" > "$(results.url.path)"
    securityContext:
      runAsNonRoot: true
      runAsUser: 65532
  workspaces:
  - description: The git repo will be cloned onto the volume backing this Workspace.
    name: output
  - description: |
      A .ssh directory with private key, known_hosts, config, etc. Copied to
      the user's home before git commands are executed. Used to authenticate
      with the git remote when performing the clone. Binding a Secret to this
      Workspace is strongly recommended over other volume types.
    name: ssh-directory
    optional: true
  - description: |
      A Workspace containing a .gitconfig and .git-credentials file. These
      will be copied to the user's home before any git commands are run. Any
      other files in this Workspace are ignored. It is strongly recommended
      to use ssh-directory over basic-auth whenever possible and to bind a
      Secret to this Workspace over other volume types.
    name: basic-auth
    optional: true
  - description: |
      A workspace containing CA certificates, this will be used by Git to
      verify the peer with when fetching or pushing over HTTPS.
    name: ssl-ca-directory
    optional: true