Reuse prefetched pip dependencies in Konflux integration tests (#308)

* Add Tekton task for prefetching dependencies

- Adds `prefetch-get-refs` Tekton task to retrieve prefetched dependencies
- Integrates the task into the run-e2e-tests integration test pipeline
- Integrates the task into the run-e2e-tests-nessus integration test pipeline
- Explicitly install setuptools for Python 3.12 compatibility

See: #308

.tekton/integration-test.yaml

@@ -108,20 +108,45 @@ spec:
         - name: ownerUid
           value: $(context.pipelineRun.uid)
 
+    - name: prefetch-get-refs
+      onError: continue
+      taskRef:
+        resolver: git
+        params:
+        - name: url
+          value: https://github.com/RedHatProductSecurity/rapidast
+        - name: revision
+          value: prefetch-pip-deps-e2e-konflux
+        - name: pathInRepo
+          value: .tekton/tasks/prefetch-get-refs.yaml
+      params:
+        - name: SNAPSHOT
+          value: $(params.SNAPSHOT)
+
     # XXX integrations tests can't reference Tasks in the same PR AFAICT
     # so need to repeat them inline, rather than define in a separate file
     - name: run-e2e-tests
       runAfter:
         - provision-eaas-space
+        - prefetch-get-refs
       taskSpec:
+        stepTemplate:
+          volumeMounts:
+            - mountPath: /cachi2
+              name: cachi2
+            - mountPath: /workspace
+              name: workspace
         volumes:
           - name: credentials
             emptyDir: {}
+          - name: cachi2
+            emptyDir: {}
+          - name: workspace
+            emptyDir: {}
         results:
           - name: TEST_OUTPUT
             description: e2e test results
         steps:
-
           # XXX not supported to use workspaces in integration tests
           - name: clone-repository
             image: quay.io/konflux-ci/git-clone:latest
@@ -130,7 +155,25 @@ spec:
               git clone "$(tasks.parse-metadata.results.source-git-url)" /workspace
               pushd /workspace
               git checkout "$(tasks.parse-metadata.results.source-git-revision)"
-
+          - name: use-trusted-artifact
+            image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:8391272c4e5011120e9e7fee2c1f339e9405366110bf239dadcbc21e953ce099
+            args:
+              - use
+              - $(tasks.prefetch-get-refs.results.PREFETCH_CACHI2_ARTIFACT)=/cachi2
+            when:
+              - input: "$(tasks.prefetch-get-refs.results.PREFETCH_CACHI2_ARTIFACT)"
+                operator: notin
+                values: [""]
+          - name: inject-cachi2-files
+            image: quay.io/konflux-ci/cachi2:0.20.0@sha256:80402886bbc0f6b4deba65cf5f66dfe9a2c01ae0b57bf3454e3ea58e1a395720
+            workingDir: /workspace
+            script: |
+              #!/bin/bash
+              source /workspace/.tekton/scripts/inject-cachi2-files.sh
+            when:
+              - input: "$(tasks.prefetch-get-refs.results.PREFETCH_CACHI2_ARTIFACT)"
+                operator: notin
+                values: [""]
           - name: test
             image: registry.redhat.io/openshift4/ose-cli:latest
             env:
@@ -159,17 +202,31 @@ spec:
 
               yum install -y python3.12 git
               python3.12 -m ensurepip
+
+              source /workspace/.tekton/scripts/setup-cachi2-env.sh
+
               pip3 install -r requirements-dev.txt
               pytest -s e2e-tests/test_integration.py --json-report --json-report-summary --json-report-file $(results.TEST_OUTPUT.path)
               cat $(results.TEST_OUTPUT.path)
 
     - name: run-e2e-tests-nessus
       runAfter:
         - copy-nessus-secret
+        - prefetch-get-refs
       taskSpec:
+        stepTemplate:
+          volumeMounts:
+            - mountPath: /cachi2
+              name: cachi2
+            - mountPath: /workspace
+              name: workspace
         volumes:
           - name: credentials
             emptyDir: {}
+          - name: cachi2
+            emptyDir: {}
+          - name: workspace
+            emptyDir: {}
         results:
           - name: TEST_OUTPUT
             description: e2e test results
@@ -184,7 +241,25 @@ spec:
               git clone "$(tasks.parse-metadata.results.source-git-url)" /workspace
               pushd /workspace
               git checkout "$(tasks.parse-metadata.results.source-git-revision)"
-
+          - name: use-trusted-artifact
+            image: quay.io/redhat-appstudio/build-trusted-artifacts:latest@sha256:8391272c4e5011120e9e7fee2c1f339e9405366110bf239dadcbc21e953ce099
+            args:
+              - use
+              - $(tasks.prefetch-get-refs.results.PREFETCH_CACHI2_ARTIFACT)=/cachi2
+            when:
+              - input: "$(tasks.prefetch-get-refs.results.PREFETCH_CACHI2_ARTIFACT)"
+                operator: notin
+                values: [""]
+          - name: inject-cachi2-files
+            image: quay.io/konflux-ci/cachi2:0.20.0@sha256:80402886bbc0f6b4deba65cf5f66dfe9a2c01ae0b57bf3454e3ea58e1a395720
+            workingDir: /workspace
+            script: |
+              #!/bin/bash
+              source /workspace/.tekton/scripts/inject-cachi2-files.sh
+            when:
+              - input: "$(tasks.prefetch-get-refs.results.PREFETCH_CACHI2_ARTIFACT)"
+                operator: notin
+                values: [""]
           - name: test
             image: registry.redhat.io/openshift4/ose-cli:latest
             env:
@@ -213,6 +288,9 @@ spec:
 
               yum install -y python3.12 git
               python3.12 -m ensurepip
+
+              source /workspace/.tekton/scripts/setup-cachi2-env.sh
+
               pip3 install -r requirements-dev.txt
               pytest -sv e2e-tests/test_nessus.py --json-report --json-report-summary --json-report-file $(results.TEST_OUTPUT.path)
               cat $(results.TEST_OUTPUT.path)

.tekton/rapidast-pull-request.yaml

@@ -33,7 +33,7 @@ spec:
     value:
     - {"type": "generic", "path": "."}
     - {"type": "npm", "path": "."}
-    - {"type": "pip", "path": ".", "allow_binary": "true"}
+    - {"type": "pip", "path": ".", "allow_binary": "true", "requirements_files": ["requirements-dev.txt"]}
   - name: build-args
     value: [PREFETCH=true]
   taskRunSpecs:

.tekton/rapidast-push.yaml

@@ -28,7 +28,7 @@ spec:
     value:
     - {"type": "generic", "path": "."}
     - {"type": "npm", "path": "."}
-    - {"type": "pip", "path": ".", "allow_binary": "true"}
+    - {"type": "pip", "path": ".", "allow_binary": "true", "requirements_files": ["requirements-dev.txt"]}
   - name: build-args
     value: [PREFETCH=true]
   taskRunSpecs:

.tekton/scripts/inject-cachi2-files.sh

@@ -0,0 +1,10 @@
+#!/bin/bash -e
+
+# The file cachi2/output/.build-config.json specifies where cachi2 expects to find
+# the project sources. By default, Konflux points them to /var/workdir/source.
+# Create a symbolic link from /workspace to /var/workdir/source
+
+mkdir -p /var/workdir/
+ln -s /workspace /var/workdir/source
+echo "Symbolic link created: /workspace to /var/workdir/source"
+cachi2 --log-level="debug" inject-files /cachi2/output

.tekton/scripts/setup-cachi2-env.sh

@@ -0,0 +1,11 @@
+#!/bin/bash -e
+
+if [ -f "/cachi2/cachi2.env" ]; then
+    echo "Sourcing Cachi2 environment"
+    source /cachi2/cachi2.env
+
+    # Python 3.12 doesn't include setuptools and wheel by default in 'ensurepip',
+    # so we manually install them to make them available for building
+    # prefetched dependencies
+    PIP_NO_INDEX=  pip3 download setuptools wheel --dest "$PIP_FIND_LINKS"
+fi

.tekton/tasks/prefetch-get-refs.yaml

@@ -0,0 +1,58 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/yamllint.json
+apiVersion: tekton.dev/v1
+kind: Task
+metadata:
+  name: prefetch-get-refs
+spec:
+  description: Fetches references for Cachi2 prefetch dependencies
+  results:
+    - name: PREFETCH_CACHI2_ARTIFACT
+      description: The OCI artifact containing the Cachi2 prefetched dependencies
+  params:
+    - name: SNAPSHOT
+      description: The JSON string of the Snapshot
+  steps:
+    - name: prefetch-get-refs
+      image: quay.io/konflux-qe-incubator/konflux-qe-tools:latest
+      env:
+        - name: SNAPSHOT
+          value: $(params.SNAPSHOT)
+        - name: KONFLUX_COMPONENT_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.labels['appstudio.openshift.io/component']
+        - name: PREFETCH_CACHI2_ARTIFACT_FILE
+          value: $(results.PREFETCH_CACHI2_ARTIFACT.path)
+      script: |
+        #!/bin/bash
+        set -euo pipefail
+
+        echo "Starting prefetch-get-refs task..."
+
+        # Extract the container image for the specified component from the snapshot
+        COMPONENT_CONTAINER_IMAGE=$(jq -r --arg COMPONENT_NAME "$KONFLUX_COMPONENT_NAME" '
+          .components[] | select(.name == $COMPONENT_NAME) | .containerImage' <<< "$SNAPSHOT")
+
+        if [[ -z "$COMPONENT_CONTAINER_IMAGE" || "$COMPONENT_CONTAINER_IMAGE" == "null" ]]; then
+            echo "Error: Could not determine container image for component: $KONFLUX_COMPONENT_NAME"
+            exit 1
+        fi
+
+        echo "Component container image: $COMPONENT_CONTAINER_IMAGE"
+
+        echo "Downloading Cosign metadata..."
+        cosign download attestation "$COMPONENT_CONTAINER_IMAGE" > cosign_metadata.json || {
+            echo "Error: Failed to download Cosign metadata"
+            exit 1
+        }
+
+        CACHI2_SOURCE_ARTIFACT="$(jq -r \
+          '.payload | @base64d | fromjson | .predicate.buildConfig.tasks[] |
+          select(.name == "prefetch-dependencies") | .results[] | select(.name == "CACHI2_ARTIFACT") | .value' \
+          cosign_metadata.json)"
+
+        echo "Cachi2 source artifact: $CACHI2_SOURCE_ARTIFACT"
+
+        # Write the result to Tekton results file
+        echo -n "$CACHI2_SOURCE_ARTIFACT" > "$PREFETCH_CACHI2_ARTIFACT_FILE"