Alauda 2025.1.0

.tekton/build-image.yaml

@@ -10,7 +10,7 @@ metadata:
       (
         "source/**".pathChanged() ||
         "image/**".pathChanged() ||
-        ".tekton/sonar-image.yaml".pathChanged() ||
+        ".tekton/build-image.yaml".pathChanged() ||
         ".tekton/pipeline/sonar-image-build".pathChanged()
       )
     pipelinesascode.tekton.dev/max-keep-runs: "5"
@@ -27,6 +27,9 @@ spec:
         url: "{{ repo_url }}"
         branch: "{{ source_branch }}"
         commit: "{{ revision }}"
+        pull-request-number: "{{ pull_request_number }}"
+        pull-request-source: "{{ source_branch }}"
+        pull-request-target: "{{ target_branch }}"
     - name: clean-cache
       value: "{{ clean-cache }}"
 
@@ -77,4 +80,4 @@ spec:
       computeResources:
         limits:
           cpu: "4"
-          memory: 4Gi
+          memory: 4Gi

.tekton/build-testing-base-image.yaml

@@ -0,0 +1,77 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  name: sonar-testing-base-image
+  annotations:
+    pipelinesascode.tekton.dev/on-comment: "^((/test-all)|(/build-testing-base-image))$"
+    pipelinesascode.tekton.dev/max-keep-runs: "5"
+spec:
+  pipelineRef:
+    resolver: hub
+    params:
+      - name: catalog
+        value: alauda
+      - name: type
+        value: tekton
+      - name: kind
+        value: pipeline
+      - name: name
+        value: clone-image-build-test-scan
+      - name: version
+        value: "0.2"
+
+  params:
+    - name: git-url
+      value: "{{ repo_url }}"
+    - name: git-revision
+      value: "{{ source_branch }}"
+    - name: git-commit
+      value: "{{ revision }}"
+    - name: pull-request-number
+      value: "{{ pull_request_number }}"
+
+    - name: image-repository
+      value: build-harbor.alauda.cn/devops/sonarqube-ce-test-base
+
+    - name: tags
+      value:
+        - latest
+
+    - name: dockerfile-path
+      value: .tekton/dockerfile/Dockerfile.base
+
+    - name: context
+      value: ".tekton/dockerfile"
+
+    - name: file-list-for-commit-sha
+      value:
+        - .tekton/dockerfile/Dockerfile.base
+
+    - name: ignore-trivy-scan
+      value: "true"
+  workspaces:
+    - name: source
+      volumeClaimTemplate:
+        spec:
+          accessModes:
+            - ReadWriteMany
+          resources:
+            requests:
+              storage: 1Gi
+    - name: dockerconfig
+      secret:
+        secretName: build-harbor.kauto.docfj
+    - name: basic-auth
+      secret:
+        secretName: "{{ git_auth_secret }}"
+    - name: gitversion-config
+      configMap:
+        name: gitversion-config
+
+  taskRunTemplate:
+    podTemplate:
+      securityContext:
+        runAsUser: 65532
+        runAsGroup: 65532
+        fsGroup: 65532
+        fsGroupChangePolicy: "OnRootMismatch"

.tekton/dockerfile/Dockerfile.base

@@ -0,0 +1,37 @@
+FROM docker-mirrors.alauda.cn/library/openjdk:26-ea-17-jdk-slim-bookworm
+
+WORKDIR /app
+
+ARG SONAR_SCANNER_VERSION=7.1.0.4889
+RUN set -ex; \
+    apt-get update; \
+    apt-get install -y nodejs unzip maven curl ca-certificates tzdata bash locales make wget git jq; \
+    curl -O https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-x64.zip; \
+    unzip sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-x64.zip; \
+    mv sonar-scanner-${SONAR_SCANNER_VERSION}-linux-x64 sonar-scanner; \
+    rm sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-x64.zip; \
+    rm -rf /var/lib/apt/lists/*
+
+ARG YQ_VERSION=4.25.2
+ARG KUBECTL_VERSION=1.28.2
+ARG HELM_VERSION=3.12.3
+
+RUN set -eux; \
+    if [ "$(arch)" = "arm64" ] || [ "$(arch)" = "aarch64" ]; then \
+    export ARCH="arm64"; \
+    export ARCH_ALIAS="arm64"; \
+    else \
+    export ARCH="amd64"; \
+    export ARCH_ALIAS="x86_64"; \
+    fi; \
+    mkdir -p tmp; \
+    mkdir -p bin; \
+    curl -sfL https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_${ARCH} -o ./bin/yq && \
+    curl -sfL https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${ARCH}/kubectl -o ./bin/kubectl && \
+    curl -sfL https://get.helm.sh/helm-v${HELM_VERSION}-linux-${ARCH}.tar.gz | tar xzf - -C tmp 2>&1 && mv tmp/linux-${ARCH}/helm ./bin && \
+    chmod +x ./bin/* && \
+    rm -rf tmp && \
+    ./bin/yq --version && \
+    ./bin/kubectl version --client && \
+    ./bin/helm version && \
+    jq --version

.tekton/integration-test.yaml

@@ -46,6 +46,9 @@ spec:
         url: "{{ repo_url }}"
         branch: "{{ source_branch }}"
         commit: "{{ revision }}"
+        pull-request-number: "{{ pull_request_number }}"
+        pull-request-source: "{{ source_branch }}"
+        pull-request-target: "{{ target_branch }}"
     - name: build-test-image
       value:
         image-repository: build-harbor.alauda.cn/devops/sonarqube-ce-test

.tekton/pipeline/sonar-image-build.yaml

@@ -14,12 +14,26 @@ spec:
       description: "Workspace for cache files"
   params:
     - name: git-revision
-      description: Git revision object with url, branch, commit, and pull-request-number.
+      description: |
+        Git revision object with url, branch, commit, and pull request information.
+        * url: The url of the git repository
+        * branch: The source branch of the git repository
+        * commit: The commit of the git repository
+        * pull-request-number: The pull request number
+        * pull-request-source: The source branch of the pull request
+        * pull-request-target: The target branch of the pull request
       type: object
       properties:
-        url: {}
-        branch: {}
-        commit: {}
+        url: { type: string }
+        branch: { type: string }
+        commit: { type: string }
+        pull-request-number: {} # Pull request number.
+        pull-request-source: {} # Pull request source.
+        pull-request-target: {} # Pull request target branch.
+      default:
+        pull-request-number: ""
+        pull-request-source: ""
+        pull-request-target: ""
     - name: image-scan-gate-enabled
       description: Determine whether to skip the image scan step
       type: string
@@ -40,6 +54,8 @@ spec:
           value: $(params.git-revision.branch)
         - name: depth
           value: 1
+        - name: pr-number
+          value: $(params.git-revision.pull-request-number)
       taskRef:
         resolver: hub
         params:
@@ -327,6 +343,12 @@ spec:
           workspace: source
         - name: basic-auth
           workspace: basic-auth
+      when:
+        - input: $(params.git-revision.pull-request-number)
+          operator: in
+          values:
+            - ""
+            - " "
       params:
         - name: BASE_IMAGE
           value: registry.alauda.cn:60080/devops/nonroot/chainguard/git:latest

.tekton/pr-manage.yaml

@@ -0,0 +1,72 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  name: pr-manage
+  annotations:
+    pipelinesascode.tekton.dev/pipeline: "https://raw.githubusercontent.com/AlaudaDevops/toolbox/main/pr-cli/pipeline/pr-manage.yaml"
+    pipelinesascode.tekton.dev/on-comment: "^/(help|rebase|lgtm|remove-lgtm|cherry-?pick|assign|merge|ready|unassign|label|unlabel|check|retest|close|batch)($|\\s.*)"
+    pipelinesascode.tekton.dev/max-keep-runs: "5"
+spec:
+  pipelineRef:
+    name: pr-manage
+  params:
+    - name: trigger_comment
+      value: "{{ trigger_comment }}"
+    - name: repo_owner
+      value: "{{ repo_owner }}"
+    - name: repo_name
+      value: "{{ repo_name }}"
+    - name: pull_request_number
+      value: "{{ pull_request_number }}"
+    - name: comment_sender
+      value: "{{ sender }}"
+    - name: git_auth_secret
+      value: "{{ git_auth_secret }}"
+    #
+    # Optional parameters (value is the default):
+    #
+    # The key in git_auth_secret that contains the token (default: git-provider-token)
+    # - name: git_auth_secret_key
+    #   value: "git-provider-token"
+    #
+    # Container image for pr-cli tool (default: registry.alauda.cn:60070/devops/toolbox/pr-cli:latest)
+    # - name: image
+    #   value: "registry.alauda.cn:60070/devops/toolbox/pr-cli:latest"
+    #
+    # The /lgtm threshold needed of approvers for a PR to be approved (default: 1)
+    # - name: lgtm_threshold
+    #   value: "1"
+    #
+    # The permissions the user need to trigger a lgtm (default: admin,write)
+    # - name: lgtm_permissions
+    #   value: "admin,write"
+    #
+    # The review event when lgtm is triggered, can be APPROVE,
+    # REQUEST_CHANGES, or COMMENT if setting to empty string it will be set as
+    # PENDING (default: APPROVE)
+    # - name: lgtm_review_event
+    #   value: "APPROVE"
+    #
+    # The merge method to use. Can be one of: merge, squash, rebase (default: squash)
+    # - name: merge_method
+    #   value: "squash"
+    #
+    # The name used for self-check status (default: pr-manage)
+    # - name: self_check_name
+    #   value: "pr-manage"
+    #
+    # Enable debug mode (skip validation, allow PR creator self-approval) (default: false)
+    # - name: debug
+    #   value: "false"
+    #
+    # Enable verbose logging (debug level logs) (default: false)
+    # - name: verbose
+    #   value: "false"
+    #
+    # The platform to use, can be one of: github, gitlab, gitee (default: github)
+    # - name: platform
+    #   value: "github"
+    #
+    # The robot accounts for managing bot approval reviews.
+    # - name: robot_accounts
+    #   value: "alaudabot,dependabot,renovate"

LICENSE

@@ -0,0 +1,9 @@
+sonarqube-community-build Licensing Summary
+
+This repository contains multiple upstream components with different licenses. Use of the code and distributions from this repository must comply with the license terms applicable to each component:
+
+- Helm chart content in `chart/` is licensed under the MIT License. The full text is available at `chart/LICENSE`.
+- Source code in `source/` is derived from the SonarSource SonarQube project and is licensed under the GNU Lesser General Public License version 3.0. The full text is available at `source/LICENSE.txt`.
+- The source tree depends on Elasticsearch client artifacts (for example `org.elasticsearch.client:elasticsearch-rest-high-level-client` and `org.elasticsearch.plugin:transport-netty4-client`) that are provided under the Elastic License 2.0. A copy of that license is included at `source/ELASTIC-LICENSE-2.0.txt`. These artifacts are not licensed under an OSI-approved open source license.
+
+Unless otherwise noted, files outside `chart/` follow the licensing that applies to the SonarQube source in `source/`. Third-party dependencies remain subject to their own licenses; consult the relevant license files when redistributing.

NOTICE

@@ -0,0 +1,9 @@
+sonarqube-community-build NOTICE
+
+This distribution includes:
+
+- SonarQube source code copyright (C) 2008-2024 SonarSource SA, licensed under GNU Lesser General Public License v3.0 (`source/LICENSE.txt`).
+- Helm chart content originally from Oteemo Inc., licensed under the MIT License (`chart/LICENSE`).
+- Elasticsearch client libraries and related modules (including `org.elasticsearch.client:elasticsearch-rest-high-level-client`, `org.elasticsearch.plugin:transport-netty4-client`, and `org.codelibs.elasticsearch.module` components), licensed under Elastic License 2.0 (`source/ELASTIC-LICENSE-2.0.txt`) and subject to their respective copyright holders (including Elasticsearch B.V. and contributors).
+
+Additional third-party components are distributed under their respective licenses. All required copyright and license notices must be retained when redistributing.

chart/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Oteemo Inc
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

chart/values.yaml

@@ -7,20 +7,20 @@ global:
     sonarqube:
       code: github.com/AlaudaDevops/docker-sonarqube
       repository: devops/sonarqube
-      tag: v2025.1.0-gbe76289
+      tag: v2025.1.0-gb972033
       support_arm: true
       thirdparty: true
       digest: sha256:bd8aa76c68de359ef5495dafa155fe98b12009a82ad01bb10325226fd3f6b4be
     pluginPackage:
       code: github.com/AlaudaDevops/docker-sonarqube
       repository: devops/sonarqube-plugins
-      tag: v2025.1.0-gbe76289
+      tag: v2025.1.0-gb972033
       support_arm: true
       thirdparty: true
       digest: sha256:565500e7f0acfb7da4693eaf49b24629dc1fcd7cc6ca4571809c794959d0c0d8
     busybox:
-      repository: ops/ubuntu
-      tag: "24"
+      repository: ops/debian
+      tag: "12-alauda-202508281100"
       support_arm: true
       thirdparty: true
   labelBaseDomain: alauda.io

image/LICENSE

@@ -0,0 +1,3 @@
+Image Licensing Overview
+
+The Dockerfiles and scripts in this directory build images that contain the SonarQube application binaries produced from the `source/` tree. Those binaries are licensed under the GNU Lesser General Public License v3.0 (see `../source/LICENSE.txt`). The images also bundle Elasticsearch client components that are provided under the Elastic License 2.0 (see `../source/ELASTIC-LICENSE-2.0.txt`). Retain these notices and license files when redistributing images built from this directory.