cloudbuild.yaml

timeout: 3600s  # 60 minutes

options:
  machineType: N1_HIGHCPU_8

steps:

# Unfortunately gcr.io/cloud-marketplace-containers/google/bazel is
# no longer maintained. The cloud-build project is, but does not tag
# images with bazel versions. The SHA hash was found manually and
# verified with:
#
#   docker pull gcr.io/cloud-builders/bazel
#   docker run --rm -ti gcr.io/cloud-builders/bazel version
#   docker image inspect gcr.io/cloud-builders/bazel --format '{{.Id}}'
#
# See: https://github.com/GoogleCloudPlatform/cloud-builders/issues/667
- name: gcr.io/cloud-builders/bazel@sha256:a7ab9f3abba94aad648d5fa9f690d285c0f55d8b20a411a3d53ca22a2ab9ad50
  env:
  - PROJECT_ID=${PROJECT_ID}
  - COMMIT_SHA=${COMMIT_SHA}
  - REGISTRY=gcr.io
  entrypoint: sh
  args:
  - -c
  - |
    #!/bin/sh
    set -o errexit
    set -o xtrace

    # package manager needs wget
    apt-get install wget

    # Make sure python points to python3
    update-alternatives --install /usr/bin/python python /usr/bin/python3 0

    bazel build //package_manager:dpkg_parser.par

    # Optional: trigger building package bundles without concurrency to avoid
    # flakiness: https://github.com/GoogleContainerTools/distroless/issues/646
    bazel build --jobs=1 @package_bundle_amd64_debian10//file:packages.bzl
    bazel build --jobs=1 @package_bundle_arm_debian10//file:packages.bzl
    bazel build --jobs=1 @package_bundle_arm64_debian10//file:packages.bzl
    bazel build --jobs=1 @package_bundle_s390x_debian10//file:packages.bzl
    bazel build --jobs=1 @package_bundle_ppc64le_debian10//file:packages.bzl

    bazel build --jobs=1 @package_bundle_amd64_debian11//file:packages.bzl
    bazel build --jobs=1 @package_bundle_arm_debian11//file:packages.bzl
    bazel build --jobs=1 @package_bundle_arm64_debian11//file:packages.bzl
    bazel build --jobs=1 @package_bundle_s390x_debian11//file:packages.bzl
    bazel build --jobs=1 @package_bundle_ppc64le_debian11//file:packages.bzl

    bazel run //:publish
    bazel build all.tar

- name: docker
  env:
  - PROJECT_ID=${PROJECT_ID}
  - COMMIT_SHA=${COMMIT_SHA}
  - REGISTRY=gcr.io
  entrypoint: ./cloudbuild_docker.sh

- name: ubuntu
  entrypoint: ./cloudbuild_jq.sh

- name: gcr.io/projectsigstore/cosign:v1.3.1@sha256:3cd9b3a866579dc2e0cf2fdea547f4c9a27139276cc373165c26842bc594b8bd
  env:
  - PROJECT_ID=${PROJECT_ID}
  - COMMIT_SHA=${COMMIT_SHA}
  - REGISTRY=gcr.io
  entrypoint: sh
  args:
  - -c
  - ./cloudbuild_cosign.sh --key $_KMS_VAL

- name: gcr.io/projectsigstore/cosign:v1.3.1@sha256:3cd9b3a866579dc2e0cf2fdea547f4c9a27139276cc373165c26842bc594b8bd
  env:
  - PROJECT_ID=${PROJECT_ID}
  - COMMIT_SHA=${COMMIT_SHA}
  - REGISTRY=gcr.io
  - COSIGN_EXPERIMENTAL=true
  - GOOGLE_SERVICE_ACCOUNT_NAME=keyless@${PROJECT_ID}.iam.gserviceaccount.com
  entrypoint: sh
  args:
  - -c
  - ./cloudbuild_cosign.sh

# Start task in k8s to generate provenance
- name: gcr.io/cloud-builders/gcloud
  entrypoint: sh
  args:
  - -c
  - |
    #!/bin/sh
    set -o errexit
    set -o xtrace

    gcloud container clusters get-credentials provenance --zone=us-central1-c --project=${PROJECT_ID}

    # Install tkn
    curl -Lo tkn_${_TKN_VERSION}_Linux_arm64.tar.gz  https://github.com/tektoncd/cli/releases/download/v${_TKN_VERSION}/tkn_${_TKN_VERSION}_Linux_x86_64.tar.gz
    tar -xvzf tkn_${_TKN_VERSION}_Linux_arm64.tar.gz -C /usr/local/bin/ tkn

    # Start provenance pipeline
    kubectl apply -f provenance
    tkn pipeline start -f=provenance/provenance-pipeline.yaml --param CHAINS-GIT_COMMIT=${COMMIT_SHA} --use-param-defaults --workspace name=workarea,volumeClaimTemplateFile=provenance/tekton/workspace-template.yaml