ROX-27350: Use trusted tasks (#1742)

.konflux/README.md

@@ -0,0 +1,4 @@
+# .konflux
+
+This directory is for files supporting ACS builds in Konflux.
+There's no Konflux convention to use it. Rather, we organize our scripts and tools here ourselves.

.konflux/scanner-data/.gitignore

@@ -0,0 +1,3 @@
+# scanner-data is for blobs downloaded and included in Scanner V2 containers during build.
+*
+!.gitignore

.tekton/scanner-component-pipeline.yaml

@@ -196,20 +196,36 @@ spec:
     - name: SOURCE_ARTIFACT
       value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
     taskRef:
-      name: determine-image-tag
+      params:
+      - name: name
+        value: determine-image-tag
+      - name: bundle
+        value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:886e1482c717078d11ba7c5d6fc4e8013e3740b4d1282ebe5534db62c9f19428
+      - name: kind
+        value: task
+      resolver: bundles
 
   - name: fetch-scanner-data
     params:
-    - name: blobs-to-fetch
+    - name: BLOBS_TO_FETCH
       value: [ "$(params.blobs-to-fetch[*])" ]
+    - name: TARGET_DIR
+      value: .konflux/scanner-data
     - name: SOURCE_ARTIFACT
       value: $(tasks.clone-repository.results.SOURCE_ARTIFACT)
     - name: ociStorage
       value: $(params.output-image-repo):konflux-$(params.revision).prefetch
     - name: ociArtifactExpiresAfter
       value: $(params.oci-artifact-expires-after)
     taskRef:
-      name: fetch-scanner-data
+      params:
+      - name: name
+        value: fetch-scanner-v2-data
+      - name: bundle
+        value: quay.io/rhacs-eng/konflux-tasks:latest@sha256:886e1482c717078d11ba7c5d6fc4e8013e3740b4d1282ebe5534db62c9f19428
+      - name: kind
+        value: task
+      resolver: bundles
 
   - name: prefetch-dependencies
     params:

image/db/rhel/konflux.Dockerfile

@@ -69,5 +69,5 @@ LABEL \
     io.k8s.display-name="scanner-db" \
     name="rhacs-scanner-db-rhel8"
 
-COPY --chown=0:0 blob-pg-definitions.sql.gz \
+COPY --chown=0:0 .konflux/scanner-data/blob-pg-definitions.sql.gz \
      /docker-entrypoint-initdb.d/definitions.sql.gz

image/scanner/rhel/konflux.Dockerfile

@@ -16,19 +16,19 @@ ENV CI=1
 COPY . /src
 WORKDIR /src
 
-RUN scripts/konflux/fail-build-if-git-is-dirty.sh
+RUN .konflux/scripts/fail-build-if-git-is-dirty.sh
 
-RUN unzip -j blob-repo2cpe.zip -d image/scanner/dump/repo2cpe && \
-    unzip -j blob-k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \
-    unzip -j blob-nvd-definitions.zip -d image/scanner/dump/nvd_definitions
+RUN unzip -j .konflux/scanner-data/blob-repo2cpe.zip -d image/scanner/dump/repo2cpe && \
+    unzip -j .konflux/scanner-data/blob-k8s-definitions.zip -d image/scanner/dump/k8s_definitions && \
+    unzip -j .konflux/scanner-data/blob-nvd-definitions.zip -d image/scanner/dump/nvd_definitions
 
 RUN echo -n "version: " && make --quiet --no-print-directory tag && \
     make CGO_ENABLED=1 scanner-build-nodeps
 
 # Replace genesis manifests file in the source code with the one generated at
 # the point when the dump was taken.  This is to avoid discrepancy between other
 # files of the dump and the manifest.
-COPY ./blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json
+COPY .konflux/scanner-data/blob-genesis_manifests.json image/scanner/dump/genesis_manifests.json
 
 
 # Common base for scanner slim and full