chore: Update git-clone task location

*   Updated the `git-clone` task source URL in all `.tekton` configuration
files to the new repository location at `tektoncd-catalog/git-clone`.
*   Migrated documentation links to point to the new
`tektoncd-catalog/git-clone` repository.
*   Pinned `git-clone` task usage to a specific commit hash for improved
stability.
- Vendored the git-clone Tekton StepAction into the repository.
- Updated all Tekton pipelines to use the local version of the StepAction.
- This change removes the dependency on the external tektoncd-catalog
repository.
- Using a local copy improves the reliability and stability of the CI
  pipelines.

Signed-off-by: Chmouel Boudjnah <chmouel@redhat.com>

Author: chmouel

.tekton/doc.yaml

@@ -33,7 +33,7 @@ spec:
                 resolver: http
                 params:
                   - name: url
-                    value: https://raw.githubusercontent.com/tektoncd/catalog/main/stepaction/git-clone/0.1/git-clone.yaml
+                    value: https://raw.githubusercontent.com/openshift-pipelines/pipelines-as-code/refs/heads/main/.tekton/stepactions/git-clone.yaml
               params:
                 - name: output-path
                   value: $(workspaces.source.path)

.tekton/generate-coverage-release.yaml

@@ -33,7 +33,7 @@ spec:
                 resolver: http
                 params:
                   - name: url
-                    value: https://raw.githubusercontent.com/tektoncd/catalog/main/stepaction/git-clone/0.1/git-clone.yaml
+                    value: https://raw.githubusercontent.com/openshift-pipelines/pipelines-as-code/refs/heads/main/.tekton/stepactions/git-clone.yaml
               params:
                 - name: output-path
                   value: $(workspaces.source.path)

.tekton/go.yaml

@@ -30,7 +30,7 @@ spec:
                 resolver: http
                 params:
                   - name: url
-                    value: https://raw.githubusercontent.com/tektoncd/catalog/main/stepaction/git-clone/0.1/git-clone.yaml
+                    value: https://raw.githubusercontent.com/openshift-pipelines/pipelines-as-code/refs/heads/main/.tekton/stepactions/git-clone.yaml
               params:
                 - name: output-path
                   value: $(workspaces.source.path)

.tekton/linter.yaml

@@ -29,7 +29,7 @@ spec:
                 resolver: http
                 params:
                   - name: url
-                    value: https://raw.githubusercontent.com/tektoncd/catalog/main/stepaction/git-clone/0.1/git-clone.yaml
+                    value: https://raw.githubusercontent.com/openshift-pipelines/pipelines-as-code/refs/heads/main/.tekton/stepactions/git-clone.yaml
               params:
                 - name: output-path
                   value: $(workspaces.source.path)

.tekton/stepactions/git-clone.yaml

@@ -0,0 +1,223 @@
+apiVersion: tekton.dev/v1alpha1
+kind: StepAction
+metadata:
+  name: git-clone
+  labels:
+    app.kubernetes.io/version: "0.1"
+  annotations:
+    tekton.dev/pipelines.minVersion: "0.54.0"
+    tekton.dev/categories: Git
+    tekton.dev/tags: git
+    tekton.dev/displayName: "git clone"
+    tekton.dev/platforms: "linux/amd64,linux/s390x,linux/ppc64le,linux/arm64"
+spec:
+  params:
+    - name: output-path
+      description: The git repo will be cloned onto this path
+    - name: ssh-directory-path
+      description: |
+        A .ssh directory with private key, known_hosts, config, etc. Copied to
+        the user's home before git commands are executed. Used to authenticate
+        with the git remote when performing the clone. We recommend providing this
+        path from a workspace that is bound by a Secret over other volume types.
+      default: "no-path"
+    - name: basic-auth-path
+      description: |
+        A directory path containing a .gitconfig and .git-credentials file. These
+        will be copied to the user's home before any git commands are run. Any
+        other files in this directory are ignored. It is strongly recommended
+        to use ssh-directory over basic-auth whenever possible and to bind a
+        Secret to the Workspace providing this path over other volume types.
+      default: "no-path"
+    - name: ssl-ca-directory-path
+      description: |
+        A directory containing CA certificates, this will be used by Git to
+        verify the peer with when fetching or pushing over HTTPS.
+      default: "no-path"
+    - name: url
+      description: Repository URL to clone from.
+      type: string
+    - name: revision
+      description: Revision to checkout. (branch, tag, sha, ref, etc...)
+      type: string
+      default: ""
+    - name: refspec
+      description: Refspec to fetch before checking out revision.
+      default: ""
+    - name: submodules
+      description: Initialize and fetch git submodules.
+      type: string
+      default: "true"
+    - name: depth
+      description: Perform a shallow clone, fetching only the most recent N commits.
+      type: string
+      default: "1"
+    - name: sslVerify
+      description: Set the `http.sslVerify` global git config. Setting this to `false` is not advised unless you are sure that you trust your git remote.
+      type: string
+      default: "true"
+    - name: crtFileName
+      description: file name of mounted crt using ssl-ca-directory workspace. default value is ca-bundle.crt.
+      type: string
+      default: "ca-bundle.crt"
+    - name: subdirectory
+      description: Subdirectory inside the `output` Workspace to clone the repo into.
+      type: string
+      default: ""
+    - name: sparseCheckoutDirectories
+      description: Define the directory patterns to match or exclude when performing a sparse checkout.
+      type: string
+      default: ""
+    - name: deleteExisting
+      description: Clean out the contents of the destination directory if it already exists before cloning.
+      type: string
+      default: "true"
+    - name: httpProxy
+      description: HTTP proxy server for non-SSL requests.
+      type: string
+      default: ""
+    - name: httpsProxy
+      description: HTTPS proxy server for SSL requests.
+      type: string
+      default: ""
+    - name: noProxy
+      description: Opt out of proxying HTTP/HTTPS requests.
+      type: string
+      default: ""
+    - name: verbose
+      description: Log the commands that are executed during `git-clone`'s operation.
+      type: string
+      default: "true"
+    - name: gitInitImage
+      description: The image providing the git-init binary that this StepAction runs.
+      type: string
+      default: "ghcr.io/tektoncd/github.com/tektoncd/pipeline/cmd/git-init:v0.40.2"
+    - name: userHome
+      description: |
+        Absolute path to the user's home directory.
+      type: string
+      default: "/home/git"
+  results:
+    - name: commit
+      description: The precise commit SHA that was fetched by this StepAction.
+    - name: url
+      description: The precise URL that was fetched by this StepAction.
+    - name: committer-date
+      description: The epoch timestamp of the commit that was fetched by this StepAction.
+  image: "$(params.gitInitImage)"
+  env:
+  - name: HOME
+    value: "$(params.userHome)"
+  - name: PARAM_URL
+    value: $(params.url)
+  - name: PARAM_REVISION
+    value: $(params.revision)
+  - name: PARAM_REFSPEC
+    value: $(params.refspec)
+  - name: PARAM_SUBMODULES
+    value: $(params.submodules)
+  - name: PARAM_DEPTH
+    value: $(params.depth)
+  - name: PARAM_SSL_VERIFY
+    value: $(params.sslVerify)
+  - name: PARAM_CRT_FILENAME
+    value: $(params.crtFileName)
+  - name: PARAM_SUBDIRECTORY
+    value: $(params.subdirectory)
+  - name: PARAM_DELETE_EXISTING
+    value: $(params.deleteExisting)
+  - name: PARAM_HTTP_PROXY
+    value: $(params.httpProxy)
+  - name: PARAM_HTTPS_PROXY
+    value: $(params.httpsProxy)
+  - name: PARAM_NO_PROXY
+    value: $(params.noProxy)
+  - name: PARAM_VERBOSE
+    value: $(params.verbose)
+  - name: PARAM_SPARSE_CHECKOUT_DIRECTORIES
+    value: $(params.sparseCheckoutDirectories)
+  - name: PARAM_USER_HOME
+    value: $(params.userHome)
+  - name: PARAM_OUTPUT_PATH
+    value: $(params.output-path)
+  - name: PARAM_SSH_DIRECTORY_PATH
+    value: $(params.ssh-directory-path)
+  - name: PARAM_BASIC_AUTH_DIRECTORY_PATH
+    value: $(params.basic-auth-path)
+  - name: PARAM_SSL_CA_DIRECTORY_PATH
+    value: $(params.ssl-ca-directory-path)
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 65532
+  script: |
+    #!/usr/bin/env sh
+    set -eu
+
+    if [ "${PARAM_VERBOSE}" = "true" ] ; then
+      set -x
+    fi
+
+    if [ "${PARAM_BASIC_AUTH_DIRECTORY_PATH}" != "no-path" ] ; then
+      cp "${PARAM_BASIC_AUTH_DIRECTORY_PATH}/.git-credentials" "${PARAM_USER_HOME}/.git-credentials"
+      cp "${PARAM_BASIC_AUTH_DIRECTORY_PATH}/.gitconfig" "${PARAM_USER_HOME}/.gitconfig"
+      chmod 400 "${PARAM_USER_HOME}/.git-credentials"
+      chmod 400 "${PARAM_USER_HOME}/.gitconfig"
+    fi
+
+    if [ "${PARAM_SSH_DIRECTORY_PATH}" != "no-path" ] ; then
+      cp -R "${PARAM_SSH_DIRECTORY_PATH}" "${PARAM_USER_HOME}"/.ssh
+      chmod 700 "${PARAM_USER_HOME}"/.ssh
+      chmod -R 400 "${PARAM_USER_HOME}"/.ssh/*
+    fi
+
+    if [ "${PARAM_SSL_CA_DIRECTORY_PATH}" != "no-path" ] ; then
+       export GIT_SSL_CAPATH="${PARAM_SSL_CA_DIRECTORY_PATH}"
+       if [ "${PARAM_CRT_FILENAME}" != "" ] ; then
+          export GIT_SSL_CAINFO="${PARAM_SSL_CA_DIRECTORY_PATH}/${PARAM_CRT_FILENAME}"
+       fi
+    fi
+    CHECKOUT_DIR="${PARAM_OUTPUT_PATH}/${PARAM_SUBDIRECTORY}"
+
+    cleandir() {
+      # Delete any existing contents of the repo directory if it exists.
+      #
+      # We don't just "rm -rf ${CHECKOUT_DIR}" because ${CHECKOUT_DIR} might be "/"
+      # or the root of a mounted volume.
+      if [ -d "${CHECKOUT_DIR}" ] ; then
+        # Delete non-hidden files and directories
+        rm -rf "${CHECKOUT_DIR:?}"/*
+        # Delete files and directories starting with . but excluding ..
+        rm -rf "${CHECKOUT_DIR}"/.[!.]*
+        # Delete files and directories starting with .. plus any other character
+        rm -rf "${CHECKOUT_DIR}"/..?*
+      fi
+    }
+
+    if [ "${PARAM_DELETE_EXISTING}" = "true" ] ; then
+      cleandir || true
+    fi
+
+    test -z "${PARAM_HTTP_PROXY}" || export HTTP_PROXY="${PARAM_HTTP_PROXY}"
+    test -z "${PARAM_HTTPS_PROXY}" || export HTTPS_PROXY="${PARAM_HTTPS_PROXY}"
+    test -z "${PARAM_NO_PROXY}" || export NO_PROXY="${PARAM_NO_PROXY}"
+
+    git config --global --add safe.directory "${PARAM_OUTPUT_PATH}"
+    /ko-app/git-init \
+      -url="${PARAM_URL}" \
+      -revision="${PARAM_REVISION}" \
+      -refspec="${PARAM_REFSPEC}" \
+      -path="${CHECKOUT_DIR}" \
+      -sslVerify="${PARAM_SSL_VERIFY}" \
+      -submodules="${PARAM_SUBMODULES}" \
+      -depth="${PARAM_DEPTH}" \
+      -sparseCheckoutDirectories="${PARAM_SPARSE_CHECKOUT_DIRECTORIES}"
+    cd "${CHECKOUT_DIR}"
+    RESULT_SHA="$(git rev-parse HEAD)"
+    EXIT_CODE="$?"
+    if [ "${EXIT_CODE}" != 0 ] ; then
+      exit "${EXIT_CODE}"
+    fi
+    RESULT_COMMITTER_DATE="$(git log -1 --pretty=%ct)"
+    printf "%s" "${RESULT_COMMITTER_DATE}" > "$(step.results.committer-date.path)"
+    printf "%s" "${RESULT_SHA}" > "$(step.results.commit.path)"
+    printf "%s" "${PARAM_URL}" > "$(step.results.url.path)"

docs/content/docs/guide/authoringprs.md

@@ -22,8 +22,8 @@ weight: 3
 - Inside your pipeline, you need to be able to check out the commit as
   received from the webhook by checking out the repository from that ref. Most of the time
   you want to reuse the
-  [git-clone](https://github.com/tektoncd/catalog/blob/main/task/git-clone/)
-  task from the [tektoncd/catalog](https://github.com/tektoncd/catalog).
+  [git-clone](https://github.com/tektoncd-catalog/git-clone/tree/main/task/git-clone)
+  task from the [tektoncd/catalog](https://github.com/tektoncd-catalog/git-clone/tree/main/task/git-clone).
 
 - To be able to specify parameters of your commit and URL, Pipelines-as-Code
   gives you some “dynamic” variables that are defined according to the execution

docs/content/docs/guide/privaterepo.md

@@ -40,7 +40,7 @@ depending on your requirements.
 ## Using the generated token in your PipelineRun
 
 The git-clone task documentation, which is available at
-<https://github.com/tektoncd/catalog/blob/main/task/git-clone/0.4/README.md>,
+<https://github.com/tektoncd-catalog/git-clone/tree/main/task/git-clone>,
 states that the secret needs to be referred to as a workspace named
 "basic-auth" inside your PipelineRun so that it can be passed to
 the `git-clone` task.

docs/content/docs/guide/resolver.md

@@ -84,7 +84,7 @@ pipelinesascode.tekton.dev/task: "git-clone"
 ```
 
 The syntax above installs the
-[git-clone](https://github.com/tektoncd/catalog/tree/main/task/git-clone) task
+[git-clone](https://github.com/tektoncd-catalog/git-clone/tree/main/task/git-clone) task
 from the [tekton hub](https://hub.tekton.dev) repository querying for the latest
 version with the tekton hub API.
 

test/testdata/pipelinerun-stepactions.yaml

@@ -18,7 +18,7 @@ spec:
                 resolver: http
                 params:
                   - name: url
-                    value: https://raw.githubusercontent.com/tektoncd/catalog/main/stepaction/git-clone/0.1/git-clone.yaml
+                    value: https://raw.githubusercontent.com/openshift-pipelines/pipelines-as-code/refs/heads/main/.tekton/stepactions/git-clone.yaml
               params:
                 - name: output-path
                   value: "/tmp/output"