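{{- if .Values.pipeline.enabled }}
---
# Argo Workflows ClusterWorkflowTemplate for the security pipeline.
# Shape: a top-level DAG (security-pipeline) that fans out into the task
# templates defined below and in the included named templates; an onExit
# hook reports the final workflow status.
apiVersion: argoproj.io/v1alpha1
kind: ClusterWorkflowTemplate
metadata:
  # Quoted so a numeric- or boolean-looking chart value is still a string.
  name: {{ .Values.pipeline.name | quote }}
spec:
  serviceAccountName: {{ .Values.pipeline.serviceAccountName | quote }}
  entrypoint: security-pipeline
  # Exit handler: runs after the DAG finishes, whatever its outcome.
  onExit: pipeline-exit-hook
  volumeClaimTemplates:
    - metadata:
        name: workspace
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            # Quantity is accepted as a string by the API; quoting keeps a
            # bare number (e.g. "10") from being re-typed as an integer.
            storage: {{ .Values.pipeline.workspace.storage | quote }}
  arguments:
    parameters:
      - name: working-dir
        value: {{ .Values.pipeline.workingDir | quote }}
      - name: fail-on-cvss
        value: {{ .Values.pipeline.failOnCvss | quote }}
      # Deliberately has no default: the repository URL must be supplied
      # when the workflow is submitted.
      - name: repo-url
      - name: git-revision
        value: {{ .Values.pipeline.gitRevision | quote }}
  templates:
    # Top-level DAG wiring lives here so the workflow flow stays readable.
    - name: security-pipeline
      dag:
        tasks:
          {{- include "template.workflow.security-pipeline.tasks" . | nindent 10 }}

    # Concrete task implementations stay below.
    - name: clone-repo
      inputs:
        parameters:
          - name: repo-url
          - name: git-revision
      container:
        image: {{ .Values.images.git | quote }}
        # Exec form instead of `sh -c "git clone ..."`: each parameter reaches
        # git as its own argv entry, so quotes or shell metacharacters in a
        # caller-supplied repo-url / git-revision cannot change the command.
        # `--branch=` and the `--` separator keep a value that begins with `-`
        # from being parsed as a git option.
        # NOTE(review): containers run as the image's default user; consider a
        # securityContext (runAsNonRoot, readOnlyRootFilesystem) once the
        # images are confirmed to support it.
        command:
          - git
        args:
          - clone
          - "--branch={{ `{{inputs.parameters.git-revision}}` }}"
          - --single-branch
          - "--"
          - {{ `{{inputs.parameters.repo-url}}` | quote }}
          - /workspace
        volumeMounts:
          - name: workspace
            mountPath: /workspace

    - name: parallel-scanners
      inputs:
        parameters:
          - name: working-dir
      dag:
        tasks:
          {{- include "template.workflow.parallel-scanners.tasks" . | nindent 10 }}

    - name: pipeline-exit-hook
      container:
        image: {{ .Values.images.curl | quote }}
        # The workflow status is handed to the script through the environment
        # rather than templated into the script body, so the script text
        # itself never changes between runs.
        env:
          - name: WORKFLOW_STATUS
            value: {{ `{{workflow.status}}` | quote }}
        command:
          - sh
          - -c
        args:
          - |
            set -eu
            echo "Pipeline completed with status: ${WORKFLOW_STATUS}"

    {{- include "template.workflow.named-templates" . | nindent 4 }}
{{- end }}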