ops-demo/manifests/ci/pipeline/pipeline.yaml


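apiVersion: tekton.dev/v1
kind: Pipeline
metadata:
  name: gitops-image-bump
  namespace: tekton-pipelines
spec:
  description: |
    Validates manifests, bumps the podinfo image tag in deployment.yaml,
    and pushes the commit back to the ops-demo repo.
    ArgoCD then detects the change and rolls out the new image.
    Git credentials are read from the `git-credentials` Secret via step env
    vars; pipeline params reach the scripts as env vars too, never as text
    spliced into the shell.
  params:
    - name: repo-url
      type: string
      description: URL of the ops-demo git repository (https)
      default: https://github.com/paulharkink/ops-demo.git
    - name: new-tag
      type: string
      description: New podinfo image tag to set (e.g. 6.7.0); must be a valid OCI tag
      default: "6.7.0"
    - name: git-user-name
      type: string
      description: Git author name for the bump commit
      default: "Workshop Pipeline"
    - name: git-user-email
      type: string
      description: Git author email for the bump commit
      default: "pipeline@workshop.local"
  workspaces:
    - name: source
      description: Workspace for cloning the repo
    - name: git-credentials
      # Bound for compatibility; the steps below read the Secret through
      # secretKeyRef env vars and do not touch this mount.
      description: Secret with GitHub username + PAT (basic-auth)
  tasks:
    # ── Task 1: Clone the repo ─────────────────────────────────────────────
    - name: clone
      taskSpec:
        workspaces:
          - name: source
          - name: git-credentials
        params:
          - name: repo-url
          - name: git-user-name
          - name: git-user-email
        steps:
          - name: clone
            # NOTE(review): unpinned tag; pin to a fixed tag or digest for reproducible runs.
            image: alpine/git:latest
            workingDir: /workspace/source
            env:
              # Params are exposed as env vars so a param value cannot change
              # the script text Tekton renders (see Tekton docs on substituting
              # params in scripts).
              - name: REPO_URL
                value: "$(params.repo-url)"
              - name: GIT_USER_NAME
                value: "$(params.git-user-name)"
              - name: GIT_USER_EMAIL
                value: "$(params.git-user-email)"
              - name: GIT_USERNAME
                valueFrom:
                  secretKeyRef:
                    name: git-credentials
                    key: username
              - name: GIT_PASSWORD
                valueFrom:
                  secretKeyRef:
                    name: git-credentials
                    key: password
            script: |
              #!/bin/sh
              set -eu
              # Hand credentials to git through a helper instead of embedding
              # them in the clone URL: the token is not written into
              # .git/config on the shared workspace, and git error messages
              # that print the remote URL cannot include it. The ${...} below
              # are expanded by git's helper shell from this step's env.
              CRED_HELPER='!f() { echo "username=${GIT_USERNAME}"; echo "password=${GIT_PASSWORD}"; }; f'
              git -c credential.helper="${CRED_HELPER}" clone "${REPO_URL}" .
              git config user.name "${GIT_USER_NAME}"
              git config user.email "${GIT_USER_EMAIL}"
              echo "Cloned $(git log --oneline -1)"
      workspaces:
        - name: source
          workspace: source
        - name: git-credentials
          workspace: git-credentials
      params:
        - name: repo-url
          value: "$(params.repo-url)"
        - name: git-user-name
          value: "$(params.git-user-name)"
        - name: git-user-email
          value: "$(params.git-user-email)"
    # ── Task 2: Validate manifests (dry-run) ──────────────────────────────
    - name: validate
      runAfter: [clone]
      taskSpec:
        workspaces:
          - name: source
        steps:
          - name: dry-run
            # NOTE(review): unpinned tag; pin to a fixed tag or digest for reproducible runs.
            image: bitnami/kubectl:latest
            workingDir: /workspace/source
            script: |
              #!/bin/sh
              set -eu
              echo "Running kubectl dry-run on manifests/apps/podinfo/"
              kubectl apply --dry-run=client -f manifests/apps/podinfo/
              echo "Validation passed."
      workspaces:
        - name: source
          workspace: source
    # ── Task 3: Bump image tag ─────────────────────────────────────────────
    - name: bump-image-tag
      runAfter: [validate]
      taskSpec:
        workspaces:
          - name: source
        params:
          - name: new-tag
        steps:
          - name: bump
            image: mikefarah/yq:4.44.3
            workingDir: /workspace/source
            env:
              # Passed as env so the value is never spliced into the yq expression.
              - name: NEW_TAG
                value: "$(params.new-tag)"
            script: |
              #!/bin/sh
              set -eu
              FILE="manifests/apps/podinfo/deployment.yaml"
              # Refuse anything that is not a plain OCI tag before it reaches yq.
              case "${NEW_TAG}" in
                ''|*[!A-Za-z0-9._-]*)
                  echo "Invalid image tag: '${NEW_TAG}'" >&2
                  exit 1
                  ;;
              esac
              CURRENT=$(yq '.spec.template.spec.containers[0].image' "${FILE}")
              echo "Current image: ${CURRENT}"
              # strenv() reads the tag from the environment as a string.
              yq -i '.spec.template.spec.containers[0].image = "ghcr.io/stefanprodan/podinfo:" + strenv(NEW_TAG)' "${FILE}"
              UPDATED=$(yq '.spec.template.spec.containers[0].image' "${FILE}")
              echo "Updated image: ${UPDATED}"
      workspaces:
        - name: source
          workspace: source
      params:
        - name: new-tag
          value: "$(params.new-tag)"
    # ── Task 4: Commit and push ────────────────────────────────────────────
    - name: git-commit-push
      runAfter: [bump-image-tag]
      taskSpec:
        workspaces:
          - name: source
          - name: git-credentials
        params:
          - name: new-tag
        steps:
          - name: push
            # NOTE(review): unpinned tag; pin to a fixed tag or digest for reproducible runs.
            image: alpine/git:latest
            workingDir: /workspace/source
            env:
              - name: NEW_TAG
                value: "$(params.new-tag)"
              - name: GIT_USERNAME
                valueFrom:
                  secretKeyRef:
                    name: git-credentials
                    key: username
              - name: GIT_PASSWORD
                valueFrom:
                  secretKeyRef:
                    name: git-credentials
                    key: password
            script: |
              #!/bin/sh
              set -eu
              FILE="manifests/apps/podinfo/deployment.yaml"
              # When the requested tag was already in place there is nothing to
              # commit; finish cleanly instead of failing on an empty commit.
              if git diff --quiet -- "${FILE}"; then
                echo "No change to ${FILE}; nothing to push."
                exit 0
              fi
              git add "${FILE}"
              git commit -m "chore(pipeline): bump podinfo to ${NEW_TAG}"
              # Same helper as the clone step: the remote URL stays plain, so
              # the token is neither stored in the workspace nor logged.
              CRED_HELPER='!f() { echo "username=${GIT_USERNAME}"; echo "password=${GIT_PASSWORD}"; }; f'
              git -c credential.helper="${CRED_HELPER}" push origin HEAD:main
              echo "Pushed commit: $(git log --oneline -1)"
      workspaces:
        - name: source
          workspace: source
        - name: git-credentials
          workspace: git-credentials
      params:
        - name: new-tag
          value: "$(params.new-tag)"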