{ "apiVersion": "v1", "items": [ { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.redhat.com/nudged-components": "gh-multi-component-child-ditl", "build.appstudio.redhat.com/nudging-commit": "build-nudge-parent-rwxwia?rev=9437d93ac1d888c42220f19ccb08ed7fbc5ce586", "build.appstudio.redhat.com/nudging-component": "gh-multi-component-parent-ditl", "build.appstudio.redhat.com/nudging-image": "quay.io/redhat-appstudio-qe/build-e2e-dgcl/gh-multi-component-parent-ditl:9437d93ac1d888c42220f19ccb08ed7fbc5ce586", "build.appstudio.redhat.com/nudging-pipeline": "gh-multi-component-parent-ditl-on-push-79jbr", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-dgcl/results/22a84d01-732b-4006-bcac-a33ad1ceaeba/records/3325ebed-f9f6-4604-8f6e-dc4b0f599b42", "results.tekton.dev/result": "build-e2e-dgcl/results/22a84d01-732b-4006-bcac-a33ad1ceaeba", "results.tekton.dev/stored": "true" }, "creationTimestamp": "2026-05-16T07:58:57Z", "finalizers": [ "chains.tekton.dev/taskrun", "results.tekton.dev/taskrun" ], "generation": 1, "labels": { "app.kubernetes.io/managed-by": "tekton-pipelines", "build.appstudio.redhat.com/type": "nudge", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "renovate-pipeline-1778918337-e6270", "tekton.dev/pipelineRun": "renovate-pipeline-1778918337-e6270", "tekton.dev/pipelineRunUID": "22a84d01-732b-4006-bcac-a33ad1ceaeba", "tekton.dev/pipelineTask": "renovate" }, "name": "renovate-pipeline-1778918337-e6270-renovate", "namespace": "build-e2e-dgcl", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "renovate-pipeline-1778918337-e6270", "uid": "22a84d01-732b-4006-bcac-a33ad1ceaeba" } ], "resourceVersion": "29764", "uid": "3325ebed-f9f6-4604-8f6e-dc4b0f599b42" }, "spec": { "serviceAccountName": "build-pipeline-gh-multi-component-parent-ditl", "taskSpec": { "steps": [ { "command": [ "bash", "-c", "RENOVATE_X_GITLAB_MERGE_REQUEST_DELAY=5000 RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS=11 RENOVATE_PR_HOURLY_LIMIT=0 RENOVATE_PR_CONCURRENT_LIMIT=0 RENOVATE_TOKEN=$TOKEN_96abaabd39 RENOVATE_CONFIG_FILE=/configs/gh-multi-component-child-ditl-1f4a8.json RENOVATE_HOST_RULES=\"[{'matchHost':'quay.io','username':'redhat-appstudio-qe+build_e2e_dgcl_gh_multi_component_parent_ditl_fa1046dc8b','password':'${TOKEN_8f3c39b850}'}]\" renovate" ], "computeResources": {}, "env": [ { "name": "LOG_LEVEL", "value": "debug" } ], "envFrom": [ { "prefix": "TOKEN_", "secretRef": { "name": "renovate-pipeline-1778918337-e6270" } } ], "image": "quay.io/konflux-ci/mintmaker-renovate-image:29a2f31", "name": "renovate", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "seccompProfile": { "type": "RuntimeDefault" } }, "volumeMounts": [ { "mountPath": "/configs", "name": "renovate-pipeline-1778918337-e6270" } ] } ], "volumes": [ { "configMap": { "name": "renovate-pipeline-1778918337-e6270" }, "name": "renovate-pipeline-1778918337-e6270" } ] }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:04:26Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:04:26Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "renovate-pipeline-1778918337-e6270-renovate-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" } }, "startTime": "2026-05-16T07:58:57Z", "steps": [ { "container": "step-renovate", "imageID": "quay.io/konflux-ci/mintmaker-renovate-image@sha256:67d26b20533790565a2949a3f732d595dda9378fea506f1cba88ca17cef13873", "name": "renovate", "provenance": {}, "terminated": { "containerID": "containerd://ea01ad2c21f86955a8908eb016752e5d5d4312064feb8474c56f686790ab0cc1", "exitCode": 0, "finishedAt": "2026-05-16T08:04:25Z", "reason": "Completed", "startedAt": "2026-05-16T08:04:14Z" }, "terminationReason": "Completed" } ], "taskSpec": { "steps": [ { "command": [ "bash", "-c", "RENOVATE_X_GITLAB_MERGE_REQUEST_DELAY=5000 RENOVATE_X_GITLAB_AUTO_MERGEABLE_CHECK_ATTEMPS=11 RENOVATE_PR_HOURLY_LIMIT=0 RENOVATE_PR_CONCURRENT_LIMIT=0 RENOVATE_TOKEN=$TOKEN_96abaabd39 RENOVATE_CONFIG_FILE=/configs/gh-multi-component-child-ditl-1f4a8.json RENOVATE_HOST_RULES=\"[{'matchHost':'quay.io','username':'redhat-appstudio-qe+build_e2e_dgcl_gh_multi_component_parent_ditl_fa1046dc8b','password':'${TOKEN_8f3c39b850}'}]\" renovate" ], "computeResources": {}, "env": [ { "name": "LOG_LEVEL", "value": "debug" } ], "envFrom": [ { "prefix": "TOKEN_", "secretRef": { "name": "renovate-pipeline-1778918337-e6270" } } ], "image": "quay.io/konflux-ci/mintmaker-renovate-image:29a2f31", "name": "renovate", "securityContext": { "allowPrivilegeEscalation": false, "capabilities": { "drop": [ "ALL" ] }, "runAsNonRoot": true, "seccompProfile": { "type": "RuntimeDefault" } }, "volumeMounts": [ { "mountPath": "/configs", "name": "renovate-pipeline-1778918337-e6270" } ] } ], "volumes": [ { "configMap": { "name": "renovate-pipeline-1778918337-e6270" }, "name": "renovate-pipeline-1778918337-e6270" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul?rev=605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "build.appstudio.redhat.com/commit_sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "build.appstudio.redhat.com/target_branch": "base-xzbgsx", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-xzbgsx", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76305002164", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "incoming", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jmizgj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://52.41.108.59:9443/ns/build-e2e-pcxf/pipelinerun/gh-test-custom-branch-drhneu-on-push-9qsss", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-xzbgsx\"", "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-drhneu-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "incoming", "pipelinesascode.tekton.dev/sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #2 from redhat-appstudio-qe/konflux-gh-test-custom-branch-drhneu", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul/commit/605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/source-branch": "base-xzbgsx", "pipelinesascode.tekton.dev/source-repo-url": "", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-iqrkul", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-pcxf/results/c2527ec3-0a6a-4bfb-81e8-112caaa49ee7/records/afdae115-d1b5-4b8e-a498-6fe5692cb07c", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-iqrkul\",\"commit\":\"605704b85dafde7f7c1070c9c4bf1dfc588e57b0\",\"eventType\":\"incoming\"}", "results.tekton.dev/result": "build-e2e-pcxf/results/c2527ec3-0a6a-4bfb-81e8-112caaa49ee7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-05-16T08:07:07Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-16T08:10:00Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-uzyr", "appstudio.openshift.io/component": "gh-test-custom-branch-drhneu", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76305002164", "pipelinesascode.tekton.dev/event-type": "incoming", "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-drhneu-on-push", "pipelinesascode.tekton.dev/repository": "thub-com-redhat-appstudio-qe-devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-iqrkul", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gh-test-custom-branch-drhneu-on-push-9qsss", "tekton.dev/pipelineRun": "gh-test-custom-branch-drhneu-on-push-9qsss", "tekton.dev/pipelineRunUID": "c2527ec3-0a6a-4bfb-81e8-112caaa49ee7", "tekton.dev/pipelineTask": "clair-scan", "tekton.dev/task": "clair-scan" }, "name": "gh-test-custom-branch-drhneu-on-push-9qsss-clair-scan", "namespace": "build-e2e-pcxf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gh-test-custom-branch-drhneu-on-push-9qsss", "uid": "c2527ec3-0a6a-4bfb-81e8-112caaa49ee7" } ], "resourceVersion": "34980", "uid": "afdae115-d1b5-4b8e-a498-6fe5692cb07c" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" } ], "serviceAccountName": "build-pipeline-gh-test-custom-branch-drhneu", "taskRef": { "params": [ { "name": "name", "value": "clair-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:09:24Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:09:24Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gh-test-custom-branch-drhneu-on-push-9qsss-clair-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609" }, "entryPoint": "clair-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0\", \"digests\": [\"sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f\"]}}\n" }, { "name": "REPORTS", "type": "string", "value": "{\"sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f\":\"sha256:6e3b9c7ec0791b40540adb6ef4d54bb7022bd571c98c0f1d593d0f78df0b329b\"}\n" }, { "name": "SCAN_OUTPUT", "type": "string", "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":0,\"medium\":0,\"low\":0,\"unknown\":0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-16T08:09:24+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "startTime": "2026-05-16T08:07:07Z", "steps": [ { "container": "step-get-image-manifests", "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d", "name": "get-image-manifests", "provenance": {}, "terminated": { "containerID": "containerd://98e276b61419c936e034d9a1aa647aca5a413789080182305816fd8f284c1678", "exitCode": 0, "finishedAt": "2026-05-16T08:08:13Z", "reason": "Completed", "startedAt": "2026-05-16T08:07:57Z" }, "terminationReason": "Completed" }, { "container": "step-get-vulnerabilities", "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:2c6327a915e868116ecf2519a658c12c741f8d1c7178856758ddc64f9d5ba682", "name": "get-vulnerabilities", "provenance": {}, "terminated": { "containerID": "containerd://690bb02b6ef82b606e8d7b07d89ebdc1581d7452c92729767deb382bde8df014", "exitCode": 0, "finishedAt": "2026-05-16T08:09:19Z", "reason": "Completed", "startedAt": "2026-05-16T08:08:13Z" }, "terminationReason": "Completed" }, { "container": "step-oci-attach-report", "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705", "name": "oci-attach-report", "provenance": {}, "terminated": { "containerID": "containerd://38f086dd39298e5228d0bb557850e78b8b5d082c8450601ccaf2c8a10d69fcc4", "exitCode": 0, "finishedAt": "2026-05-16T08:09:23Z", "reason": "Completed", "startedAt": "2026-05-16T08:09:19Z" }, "terminationReason": "Completed" }, { "container": "step-conftest-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d", "name": "conftest-vulnerabilities", "provenance": {}, "terminated": { "containerID": "containerd://05a03dd0eba2a303f96e43f5bb6d0d1c4e94d6434240d459b2ced947e2b50ba0", "exitCode": 0, "finishedAt": "2026-05-16T08:09:24Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0\\\", \\\"digests\\\": [\\\"sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f\\\":\\\"sha256:6e3b9c7ec0791b40540adb6ef4d54bb7022bd571c98c0f1d593d0f78df0b329b\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":0,\\\"medium\\\":0,\\\"low\\\":0,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-16T08:09:24+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:09:23Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "The platform built by.", "name": "image-platform", "type": "string" }, { "default": "", "description": "unused, should be removed in next task version.", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-oci-attach-report", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Clair scan result.", "name": "SCAN_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" }, { "description": "Mapping of image digests to report digests", "name": "REPORTS", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" }, { "name": "IMAGE_DIGEST", "value": "sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d", "name": "get-image-manifests", "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n done\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } }, { "computeResources": { "limits": { "cpu": "800m", "memory": "7Gi" }, "requests": { "cpu": "800m", "memory": "7Gi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" }, { "name": "IMAGE_DIGEST", "value": "sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f" }, { "name": "IMAGE_PLATFORM" } ], "image": "quay.io/konflux-ci/clair-in-ci:v1", "imagePullPolicy": "Always", "name": "get-vulnerabilities", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee \"clair-report-$2.json\"; } \u0026\u0026 \\\n { retry clair-action convert --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n local arch=\"$1\"\n local sha_file=\"image-manifest-$arch.sha\"\n\n if [ -e \"$sha_file\" ]; then\n local arch_sha\n arch_sha=$(\u003c\"$sha_file\")\n local digest=\"${imagewithouttag}@${arch_sha}\"\n\n echo \"Running clair-action on $arch image manifest...\"\n clair_report \"$digest\" \"$arch\" || true\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n # Validate against supported arch list. If it's not a known arch, fallback to amd64\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 0\n ;;\n esac\n\n run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n for sha_file in image-manifest-*.sha; do\n if [ -e \"$sha_file\" ]; then\n arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n run_clair_on_arch \"$arch\"\n fi\n done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_OCI_ATTACH_REPORT", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705", "name": "oci-attach-report", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n echo 'OCI attach report skipped by parameter.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n echo 'No Clair reports generated. Skipping upload.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n report_file=\"$1\"\n arch=\"${report_file/*-}\"\n echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n image_ref=\"${repository}@${digest}\"\n echo \"Attaching $f to ${image_ref}\"\n if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n then\n echo \"Failed to attach ${f} to ${image_ref}\"\n exit 1\n fi\n # shellcheck disable=SC2016\n reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d", "name": "conftest-vulnerabilities", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n if [ ! -s \"$file\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n else\n /usr/bin/conftest test --no-fail $file \\\n --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n fi\n\n #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n result=$(jq -rce \\\n '{\n vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n },\n unpatched_vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n }\n }' \"$file\")\n\n scan_result=$(jq -s -rce \\\n '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul?rev=605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "build.appstudio.redhat.com/commit_sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "build.appstudio.redhat.com/target_branch": "base-xzbgsx", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-xzbgsx", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76305002164", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "incoming", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jmizgj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://52.41.108.59:9443/ns/build-e2e-pcxf/pipelinerun/gh-test-custom-branch-drhneu-on-push-9qsss", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-xzbgsx\"", "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-drhneu-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "incoming", "pipelinesascode.tekton.dev/sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #2 from redhat-appstudio-qe/konflux-gh-test-custom-branch-drhneu", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul/commit/605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/source-branch": "base-xzbgsx", "pipelinesascode.tekton.dev/source-repo-url": "", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-iqrkul", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-pcxf/results/c2527ec3-0a6a-4bfb-81e8-112caaa49ee7/records/6c52e18f-3140-4316-9097-2b6aa1631a7f", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-iqrkul\",\"commit\":\"605704b85dafde7f7c1070c9c4bf1dfc588e57b0\",\"eventType\":\"incoming\"}", "results.tekton.dev/result": "build-e2e-pcxf/results/c2527ec3-0a6a-4bfb-81e8-112caaa49ee7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "virus, konflux" }, "creationTimestamp": "2026-05-16T08:07:07Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-16T08:10:01Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-uzyr", "appstudio.openshift.io/component": "gh-test-custom-branch-drhneu", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76305002164", "pipelinesascode.tekton.dev/event-type": "incoming", "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-drhneu-on-push", "pipelinesascode.tekton.dev/repository": "thub-com-redhat-appstudio-qe-devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-iqrkul", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gh-test-custom-branch-drhneu-on-push-9qsss", "tekton.dev/pipelineRun": "gh-test-custom-branch-drhneu-on-push-9qsss", "tekton.dev/pipelineRunUID": "c2527ec3-0a6a-4bfb-81e8-112caaa49ee7", "tekton.dev/pipelineTask": "clamav-scan", "tekton.dev/task": "clamav-scan" }, "name": "gh-test-custom-branch-drhneu-on-push-9qsss-clamav-scan", "namespace": "build-e2e-pcxf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gh-test-custom-branch-drhneu-on-push-9qsss", "uid": "c2527ec3-0a6a-4bfb-81e8-112caaa49ee7" } ], "resourceVersion": "35016", "uid": "6c52e18f-3140-4316-9097-2b6aa1631a7f" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" } ], "serviceAccountName": "build-pipeline-gh-test-custom-branch-drhneu", "taskRef": { "params": [ { "name": "name", "value": "clamav-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:09:24Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:09:24Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gh-test-custom-branch-drhneu-on-push-9qsss-clamav-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a" }, "entryPoint": "clamav-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0\", \"digests\": [\"sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"timestamp\":\"1778918960\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n" } ], "startTime": "2026-05-16T08:07:09Z", "steps": [ { "container": "step-extract-and-scan-image", "imageID": "quay.io/konflux-ci/clamav-db@sha256:0ef3528c5e838e1174bcfaf5d2a58f557dccdd50a58a844929a1eb0a307c957d", "name": "extract-and-scan-image", "provenance": {}, "terminated": { "containerID": "containerd://e50d6c2a73aa6d5b8c772a5fa96b7be1271b5707ea3d9985c9a3bc250e4b90b1", "exitCode": 0, "finishedAt": "2026-05-16T08:09:20Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0\\\", \\\"digests\\\": [\\\"sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778918960\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:07:47Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "upload", "provenance": {}, "terminated": { "containerID": "containerd://f3b19fd273e9e43cfa565cd161a6ec01e5f36cf59e7ee25ae45b982807780944", "exitCode": 0, "finishedAt": "2026-05-16T08:09:23Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0\\\", \\\"digests\\\": [\\\"sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778918960\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:09:21Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "Image arch.", "name": "image-arch", "type": "string" }, { "default": "", "description": "unused", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "8", "description": "Maximum number of threads clamd runs.", "name": "clamd-max-threads", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-upload", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "7300m", "memory": "12Gi" }, "requests": { "cpu": "7300m", "memory": "12Gi" } }, "env": [ { "name": "HOME", "value": "/work" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" }, { "name": "IMAGE_DIGEST", "value": "sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f" }, { "name": "IMAGE_ARCH" }, { "name": "MAX_THREADS", "value": "8" } ], "image": "quay.io/konflux-ci/clamav-db:latest", "name": "extract-and-scan-image", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n mkdir -p ~/.docker\n echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n# $1: destination - path to the content to scan\n# $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n# $3: digest - digest to add to digests_processed array\n# $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n local destination=\"$1\"\n local suffix=\"$2\"\n local digest=\"$3\"\n local scan_message=\"${4:-Scanning content}\"\n\n db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n echo \"$scan_message. This operation may take a while.\"\n clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n digests_processed+=(\"\\\"$digest\\\"\")\n\n if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n # OPA/EC requires structured data input, add clamAV log into json\n jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o json \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o appstudio \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n\n if [ -n \"$raw_manifest\" ]; then\n media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n # Determine if this is an OCI artifact (not a container image)\n # OCI artifacts typically have:\n # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n # - An explicit artifactType field that is not a container image type\n is_oci_artifact=false\n\n # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n is_oci_artifact=true\n fi\n\n # Check if artifactType is set and is not a container image type\n if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n is_oci_artifact=true\n fi\n\n if [ \"$is_oci_artifact\" = true ]; then\n # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n # This looks like a container image manifest, but get_image_manifests failed\n echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n else\n # Likely an OCI artifact with non-standard media type\n echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n fi\n else\n echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n echo \"Detected container image. Processing image manifests.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n # Proceed only if a specific arch is provided.\n # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n if [ -n \"$IMAGE_ARCH\" ]; then\n arch=\"${IMAGE_ARCH#*/}\"\n if [ \"${arch}\" = \"x86_64\" ]; then\n arch=\"amd64\"\n fi\n\n # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n arch=\"amd64\"\n ;;\n esac\n\n image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n fi\n\n while read -r arch arch_sha; do\n destination=$(echo content-$arch)\n mkdir -p \"$destination\"\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n if [ $? -ne 0 ]; then\n echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n exit 0\n fi\n\n # Scan and process container image for this architecture\n scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n {\n \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n \"namespace\" : $item.namespace,\n \"successes\" : (.successes + $item.successes),\n \"failures\" : (.failures + $item.failures),\n \"warnings\" : (.warnings + $item.warnings),\n \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_UPLOAD", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" }, { "name": "IMAGE_DIGEST", "value": "sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n echo \"Upload skipped by parameter.\"\n exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n MEDIA_TYPE=text/vnd.clamav\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n MEDIA_TYPE=application/vnd.konflux.test_output+json\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n echo \"No files found. Skipping upload.\"\n exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n", "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" } ], "volumes": [ { "emptyDir": {}, "name": "dbfolder" }, { "emptyDir": {}, "name": "work" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul?rev=605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "build.appstudio.redhat.com/commit_sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "build.appstudio.redhat.com/target_branch": "base-xzbgsx", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-xzbgsx", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76305002164", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "incoming", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jmizgj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://52.41.108.59:9443/ns/build-e2e-pcxf/pipelinerun/gh-test-custom-branch-drhneu-on-push-9qsss", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-xzbgsx\"", "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-drhneu-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "incoming", "pipelinesascode.tekton.dev/sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #2 from redhat-appstudio-qe/konflux-gh-test-custom-branch-drhneu", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul/commit/605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/source-branch": "base-xzbgsx", "pipelinesascode.tekton.dev/source-repo-url": "", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-iqrkul", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-pcxf/results/c2527ec3-0a6a-4bfb-81e8-112caaa49ee7/records/feff31bd-175f-453b-a16e-8e99567eecb2", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-iqrkul\",\"commit\":\"605704b85dafde7f7c1070c9c4bf1dfc588e57b0\",\"eventType\":\"incoming\"}", "results.tekton.dev/result": "build-e2e-pcxf/results/c2527ec3-0a6a-4bfb-81e8-112caaa49ee7", "results.tekton.dev/stored": "true" }, "creationTimestamp": "2026-05-16T08:07:07Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-16T08:10:00Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-uzyr", "appstudio.openshift.io/component": "gh-test-custom-branch-drhneu", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76305002164", "pipelinesascode.tekton.dev/event-type": "incoming", "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-drhneu-on-push", "pipelinesascode.tekton.dev/repository": "thub-com-redhat-appstudio-qe-devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-iqrkul", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gh-test-custom-branch-drhneu-on-push-9qsss", "tekton.dev/pipelineRun": "gh-test-custom-branch-drhneu-on-push-9qsss", "tekton.dev/pipelineRunUID": "c2527ec3-0a6a-4bfb-81e8-112caaa49ee7", "tekton.dev/pipelineTask": "rpms-signature-scan", "tekton.dev/task": "rpms-signature-scan" }, "name": "gh-test-custom-branch-drhneu-on-push-9qsss-rpms-signature-scan", "namespace": "build-e2e-pcxf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gh-test-custom-branch-drhneu-on-push-9qsss", "uid": "c2527ec3-0a6a-4bfb-81e8-112caaa49ee7" } ], "resourceVersion": "34975", "uid": "feff31bd-175f-453b-a16e-8e99567eecb2" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" }, { "name": "image-digest", "value": "sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f" } ], "serviceAccountName": "build-pipeline-gh-test-custom-branch-drhneu", "taskRef": { "params": [ { "name": "name", "value": "rpms-signature-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:d4e3499ad4af6869470233bef6faaa1bdd69ef56276841eeec93ce6e62deeb93" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:09:12Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:09:12Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gh-test-custom-branch-drhne8508500cbd6dbd8cbc7203c5e96201ea-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "d4e3499ad4af6869470233bef6faaa1bdd69ef56276841eeec93ce6e62deeb93" }, "entryPoint": "rpms-signature-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0\", \"digests\": [\"sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f\"]}}\n" }, { "name": "RPMS_DATA", "type": "string", "value": "{\"keys\": {\"unsigned\": 0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-16T08:08:08+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "startTime": "2026-05-16T08:07:12Z", "steps": [ { "container": "step-rpms-signature-scan", "imageID": "quay.io/konflux-ci/tools@sha256:5d29650b47acbdf728013c6f738dd0df6844a06e2001d3e1fb9f7941df7a0abe", "name": "rpms-signature-scan", "provenance": {}, "terminated": { "containerID": "containerd://43025b1872d8a75bfdc773b981b28189fd906863c2fab6eefc4c6f54cfb7311f", "exitCode": 0, "finishedAt": "2026-05-16T08:08:08Z", "reason": "Completed", "startedAt": "2026-05-16T08:07:52Z" }, "terminationReason": "Completed" }, { "container": "step-output-results", "imageID": "quay.io/konflux-ci/konflux-test@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "provenance": {}, "terminated": { "containerID": "containerd://18754002028fed0338da8c192abb5f93984dd0fc9572f865ef636abc5b21da50", "exitCode": 0, "finishedAt": "2026-05-16T08:08:13Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0\\\", \\\"digests\\\": [\\\"sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-16T08:08:08+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:08:08Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans RPMs in an image and provide information about RPMs signatures.", "params": [ { "description": "Image URL", "name": "image-url", "type": "string" }, { "description": "Image digest to scan", "name": "image-digest", "type": "string" }, { "default": "/tmp", "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n", "name": "workdir", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Information about signed and unsigned RPMs", "name": "RPMS_DATA", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "200m", "memory": "256Mi" }, "requests": { "cpu": "200m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" }, { "name": "IMAGE_DIGEST", "value": "sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f" }, { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/tools@sha256:5d29650b47acbdf728013c6f738dd0df6844a06e2001d3e1fb9f7941df7a0abe", "name": "rpms-signature-scan", "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n --image-url \"${IMAGE_URL}\" \\\n --image-digest \"${IMAGE_DIGEST}\" \\\n --workdir \"${WORKDIR}\" \\\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "50m", "memory": "32Mi" }, "requests": { "cpu": "50m", "memory": "32Mi" } }, "env": [ { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.53@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "workdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul?rev=605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "build.appstudio.redhat.com/commit_sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "build.appstudio.redhat.com/target_branch": "base-xzbgsx", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-xzbgsx", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76305002164", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "incoming", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jmizgj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://52.41.108.59:9443/ns/build-e2e-pcxf/pipelinerun/gh-test-custom-branch-drhneu-on-push-9qsss", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-xzbgsx\"", "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-drhneu-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "incoming", "pipelinesascode.tekton.dev/sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #2 from redhat-appstudio-qe/konflux-gh-test-custom-branch-drhneu", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul/commit/605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/source-branch": "base-xzbgsx", "pipelinesascode.tekton.dev/source-repo-url": "", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-iqrkul", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-pcxf/results/c2527ec3-0a6a-4bfb-81e8-112caaa49ee7/records/c2cb6b5e-1cfb-451d-a1c3-66445c0db06b", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-iqrkul\",\"commit\":\"605704b85dafde7f7c1070c9c4bf1dfc588e57b0\",\"eventType\":\"incoming\"}", "results.tekton.dev/result": "build-e2e-pcxf/results/c2527ec3-0a6a-4bfb-81e8-112caaa49ee7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-05-16T08:07:07Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-16T08:10:01Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-uzyr", "appstudio.openshift.io/component": "gh-test-custom-branch-drhneu", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76305002164", "pipelinesascode.tekton.dev/event-type": "incoming", "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-drhneu-on-push", "pipelinesascode.tekton.dev/repository": "thub-com-redhat-appstudio-qe-devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-iqrkul", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gh-test-custom-branch-drhneu-on-push-9qsss", "tekton.dev/pipelineRun": "gh-test-custom-branch-drhneu-on-push-9qsss", "tekton.dev/pipelineRunUID": "c2527ec3-0a6a-4bfb-81e8-112caaa49ee7", "tekton.dev/pipelineTask": "sast-shell-check", "tekton.dev/task": "sast-shell-check-oci-ta" }, "name": "gh-test-custom-branch-drhneu-on-push-9qsss-sast-shell-check", "namespace": "build-e2e-pcxf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gh-test-custom-branch-drhneu-on-push-9qsss", "uid": "c2527ec3-0a6a-4bfb-81e8-112caaa49ee7" } ], "resourceVersion": "35004", "uid": "c2cb6b5e-1cfb-451d-a1c3-66445c0db06b" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu@sha256:3aea45ba03030bba4bc035e81ea2d6b0a02c0c8af5aed0b02fea029bfcf9f3f4" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "serviceAccountName": "build-pipeline-gh-test-custom-branch-drhneu", "taskRef": { "params": [ { "name": "name", "value": "sast-shell-check-oci-ta" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c4ef47e3b4e0508572d266fb745be7e374c29dc02580328cbe9f4d472a8aca57" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:09:16Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:09:16Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gh-test-custom-branch-drhneu-on-push-9qsss-sast-shell-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "c4ef47e3b4e0508572d266fb745be7e374c29dc02580328cbe9f4d472a8aca57" }, "entryPoint": "sast-shell-check-oci-ta", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-16T08:08:11+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "startTime": "2026-05-16T08:07:10Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "containerd://e5663ba1aa9fec3bd5814442dde5dcf60b83f9945b77bd33a224bf541f9fca12", "exitCode": 0, "finishedAt": "2026-05-16T08:08:07Z", "reason": "Completed", "startedAt": "2026-05-16T08:07:59Z" }, "terminationReason": "Completed" }, { "container": "step-sast-shell-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-shell-check", "provenance": {}, "terminated": { "containerID": "containerd://99d8eaac7ed9a73e9f398dd74ffccb2e8c893fd9eb31dc30379651546e374a40", "exitCode": 0, "finishedAt": "2026-05-16T08:08:13Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-16T08:08:11+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:08:07Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "provenance": {}, "terminated": { "containerID": "containerd://ebe941206255fc4a926845a6c3a1cbd7c4e19d758487cb3e16b6d07b5a82f041", "exitCode": 0, "finishedAt": "2026-05-16T08:08:16Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-16T08:08:11+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:08:13Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "true", "description": "Whether to include important findings only", "name": "IMP_FINDINGS_ONLY", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Image digest to report findings for.", "name": "image-digest", "type": "string" }, { "default": "", "description": "Image URL.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu@sha256:3aea45ba03030bba4bc035e81ea2d6b0a02c0c8af5aed0b02fea029bfcf9f3f4=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "memory": "4Gi" } }, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "8", "memory": "4Gi" }, "requests": { "cpu": "1", "memory": "4Gi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "IMP_FINDINGS_ONLY", "value": "true" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-shell-check", "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/var/workdir/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n resolved_path=$(realpath -m \"$potential_path\")\n\n # ensure resolved path is still within SOURCE_CODE_DIR\n if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n ALL_TARGETS+=(\"$resolved_path\")\n else\n echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n exit 1\n fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n read -r quota period \u003c/sys/fs/cgroup/cpu.max\n if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n export SC_JOBS=$(((quota + period - 1) / period))\n echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n --mode=json\n --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n # predefined list of shellcheck important findings\n CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n CSGREP_OPTS+=(\n --event=\"$CSGREP_EVENT_FILTER\"\n )\nelse\n CSGREP_OPTS+=(\n --event=\"error|warning\"\n )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e\"$OUTPUT_FILE\"; then\n echo \"Error occurred while running 'run-shellcheck.sh'\"\n note=\"Task sast-shell-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e\"${OUTPUT_FILE}.filtered\" 2\u003e\"${OUTPUT_FILE}.error\"\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n else\n mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003eshellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check-oci-ta\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" }, { "name": "IMAGE_DIGEST", "value": "sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n echo 'No image-url or image-digest param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n # Determine the media type based on the file extension\n if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n MEDIA_TYPE=\"application/json\"\n else\n MEDIA_TYPE=\"application/sarif+json\"\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"$IMAGE_URL\" \u003e\"$HOME/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n exit 1\n fi\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul?rev=605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "build.appstudio.redhat.com/commit_sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "build.appstudio.redhat.com/target_branch": "base-xzbgsx", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-xzbgsx", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76305002164", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "incoming", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jmizgj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://52.41.108.59:9443/ns/build-e2e-pcxf/pipelinerun/gh-test-custom-branch-drhneu-on-push-9qsss", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-xzbgsx\"", "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-drhneu-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "incoming", "pipelinesascode.tekton.dev/sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #2 from redhat-appstudio-qe/konflux-gh-test-custom-branch-drhneu", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul/commit/605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/source-branch": "base-xzbgsx", "pipelinesascode.tekton.dev/source-repo-url": "", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-iqrkul", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-pcxf/results/c2527ec3-0a6a-4bfb-81e8-112caaa49ee7/records/ecbad303-baa4-4828-b4f8-c22c0ad200ca", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-iqrkul\",\"commit\":\"605704b85dafde7f7c1070c9c4bf1dfc588e57b0\",\"eventType\":\"incoming\"}", "results.tekton.dev/result": "build-e2e-pcxf/results/c2527ec3-0a6a-4bfb-81e8-112caaa49ee7", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-05-16T08:07:07Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-16T08:10:00Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-uzyr", "appstudio.openshift.io/component": "gh-test-custom-branch-drhneu", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76305002164", "pipelinesascode.tekton.dev/event-type": "incoming", "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-drhneu-on-push", "pipelinesascode.tekton.dev/repository": "thub-com-redhat-appstudio-qe-devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-iqrkul", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gh-test-custom-branch-drhneu-on-push-9qsss", "tekton.dev/pipelineRun": "gh-test-custom-branch-drhneu-on-push-9qsss", "tekton.dev/pipelineRunUID": "c2527ec3-0a6a-4bfb-81e8-112caaa49ee7", "tekton.dev/pipelineTask": "sast-unicode-check", "tekton.dev/task": "sast-unicode-check-oci-ta" }, "name": "gh-test-custom-branch-drhneu-on-push-9qsss-sast-unicode-check", "namespace": "build-e2e-pcxf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gh-test-custom-branch-drhneu-on-push-9qsss", "uid": "c2527ec3-0a6a-4bfb-81e8-112caaa49ee7" } ], "resourceVersion": "34993", "uid": "ecbad303-baa4-4828-b4f8-c22c0ad200ca" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu@sha256:3aea45ba03030bba4bc035e81ea2d6b0a02c0c8af5aed0b02fea029bfcf9f3f4" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "serviceAccountName": "build-pipeline-gh-test-custom-branch-drhneu", "taskRef": { "params": [ { "name": "name", "value": "sast-unicode-check-oci-ta" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:90efa582de7770d55102b74014a765cd16a25a56f2cf644b56a788c70c4dc749" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:09:16Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:09:16Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gh-test-custom-branch-drhne24bb32e14851f117f43d817ae8d4ab7a-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "90efa582de7770d55102b74014a765cd16a25a56f2cf644b56a788c70c4dc749" }, "entryPoint": "sast-unicode-check-oci-ta", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-16T08:08:09+00:00\",\"note\":\"Task sast-unicode-check-oci-ta success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "startTime": "2026-05-16T08:07:10Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "containerd://6140d94b20916405c4904eb6a3a339e7c893e9a6b5fc86e681fe97124d69da9c", "exitCode": 0, "finishedAt": "2026-05-16T08:08:07Z", "reason": "Completed", "startedAt": "2026-05-16T08:07:54Z" }, "terminationReason": "Completed" }, { "container": "step-sast-unicode-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-unicode-check", "provenance": {}, "terminated": { "containerID": "containerd://3318be40fd36c9d964df9aacd35e5c96989ef6c8c7a4583cde4b78e3bf36cc80", "exitCode": 0, "finishedAt": "2026-05-16T08:08:09Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-16T08:08:09+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:08:08Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "provenance": {}, "terminated": { "containerID": "containerd://a8f4e616aa905275b9845912a322aac302fe1fc3ae8c26d4b8a0a06db6449b43", "exitCode": 0, "finishedAt": "2026-05-16T08:08:15Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-16T08:08:09+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:08:09Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans source code for non-printable unicode characters in all text files.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "-p bidi -v -d -t", "description": "arguments for find-unicode-control command.", "name": "FIND_UNICODE_CONTROL_ARGS", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "description": "Image digest used for ORAS upload.", "name": "image-digest", "type": "string" }, { "description": "Image URL used for ORAS upload.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu@sha256:3aea45ba03030bba4bc035e81ea2d6b0a02c0c8af5aed0b02fea029bfcf9f3f4=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "memory": "4Gi" } }, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "100m", "memory": "4Gi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "FIND_UNICODE_CONTROL_ARGS", "value": "-p bidi -v -d -t" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_CODE_DIR", "value": "/var/workdir" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-unicode-check", "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nOLD_IFS=\"$IFS\"\nIFS=\",\"\nfor d in $TARGET_DIRS; do\n ALL_TARGETS+=(\"${SOURCE_CODE_DIR}/source/${d}\")\ndone\nIFS=\"$OLD_IFS\"\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${ALL_TARGETS[@]}\" \\\n \u003eraw_sast_unicode_check_out.txt \\\n 2\u003eraw_sast_unicode_check_out.log ||\n FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n echo \"Failed to run find-unicode-control command\" \u003e\u00262\n cat raw_sast_unicode_check_out.log\n note=\"Task sast-unicode-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n note=\"Task sast-unicode-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n --mode=json\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"${SCAN_PROP}\"\n --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003eprocessed_sast_unicode_check_out.json 2\u003eprocessed_sast_unicode_check_out.err; then\n echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n cat processed_sast_unicode_check_out.err\n note=\"Task sast-unicode-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # Build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n # Append --record-excluded option if RECORD_EXCLUDED is true\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003esast_unicode_check_out.json 2\u003esast_unicode_check_out.error\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003esast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n note=\"Task sast-unicode-check-oci-ta success: No finding was detected\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s sast_unicode_check_out.sarif ]]; then\n note=\"Task sast-unicode-check-oci-ta success: Some findings were detected, but filtered by known false positive\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-unicode-check test failed because of the following issues:\"\n cat sast_unicode_check_out.json\n TEST_OUTPUT=\n parse_test_output \"sast-unicode-check-oci-ta\" sarif sast_unicode_check_out.sarif || true\n note=\"Task sast-unicode-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" }, { "name": "IMAGE_DIGEST", "value": "sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul?rev=605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "build.appstudio.redhat.com/commit_sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "build.appstudio.redhat.com/target_branch": "base-xzbgsx", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "base-xzbgsx", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76305002164", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "incoming", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-jmizgj", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://52.41.108.59:9443/ns/build-e2e-pcxf/pipelinerun/gh-test-custom-branch-drhneu-on-push-9qsss", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"base-xzbgsx\"", "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-drhneu-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "incoming", "pipelinesascode.tekton.dev/sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #2 from redhat-appstudio-qe/konflux-gh-test-custom-branch-drhneu", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/devfile-sample-hello-world-iqrkul/commit/605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/source-branch": "base-xzbgsx", "pipelinesascode.tekton.dev/source-repo-url": "", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-iqrkul", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-pcxf/results/c2527ec3-0a6a-4bfb-81e8-112caaa49ee7/records/0a957b11-53fb-43d7-a5f4-849409176c7b", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"devfile-sample-hello-world-iqrkul\",\"commit\":\"605704b85dafde7f7c1070c9c4bf1dfc588e57b0\",\"eventType\":\"incoming\"}", "results.tekton.dev/result": "build-e2e-pcxf/results/c2527ec3-0a6a-4bfb-81e8-112caaa49ee7", "results.tekton.dev/stored": "true" }, "creationTimestamp": "2026-05-16T08:07:07Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-16T08:10:00Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-test-application-uzyr", "appstudio.openshift.io/component": "gh-test-custom-branch-drhneu", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76305002164", "pipelinesascode.tekton.dev/event-type": "incoming", "pipelinesascode.tekton.dev/original-prname": "gh-test-custom-branch-drhneu-on-push", "pipelinesascode.tekton.dev/repository": "thub-com-redhat-appstudio-qe-devfile-sample-hello-world-iqrkul", "pipelinesascode.tekton.dev/sha": "605704b85dafde7f7c1070c9c4bf1dfc588e57b0", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "devfile-sample-hello-world-iqrkul", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "gh-test-custom-branch-drhneu-on-push-9qsss", "tekton.dev/pipelineRun": "gh-test-custom-branch-drhneu-on-push-9qsss", "tekton.dev/pipelineRunUID": "c2527ec3-0a6a-4bfb-81e8-112caaa49ee7", "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks", "tekton.dev/task": "ecosystem-cert-preflight-checks" }, "name": "gh-test-custom-branch-drhneu-ond5005897d8d13570fd3164889d6fa691", "namespace": "build-e2e-pcxf", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "gh-test-custom-branch-drhneu-on-push-9qsss", "uid": "c2527ec3-0a6a-4bfb-81e8-112caaa49ee7" } ], "resourceVersion": "34999", "uid": "0a957b11-53fb-43d7-a5f4-849409176c7b" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" } ], "serviceAccountName": "build-pipeline-gh-test-custom-branch-drhneu", "taskRef": { "params": [ { "name": "name", "value": "ecosystem-cert-preflight-checks" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:9c300728a03f41beee9a689422d66513d32ab5f804664fe561b11cebacd07799" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:09:25Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:09:25Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "gh-test-custom-branch-drhne46d47e38c4edd593fb47d9b78ddfb5ea-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "9c300728a03f41beee9a689422d66513d32ab5f804664fe561b11cebacd07799" }, "entryPoint": "ecosystem-cert-preflight-checks", "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks" } }, "results": [ { "name": "ARTIFACT_TYPE", "type": "string", "value": "application" }, { "name": "ARTIFACT_TYPE_SET_BY", "type": "string", "value": "introspection" }, { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0\", \"digests\": [\"sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f\"]}}" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"ERROR\",\"timestamp\":\"1778918963\",\"note\":\"Task preflight is a ERROR: Refer to Tekton task logs for more information\",\"successes\":4,\"failures\":3,\"warnings\":0}" } ], "startTime": "2026-05-16T08:07:07Z", "steps": [ { "container": "step-introspect", "imageID": "quay.io/konflux-ci/task-runner@sha256:1c0582a85dae0949f3ec94aca95695c5d7698b371f1b76c5a78822a6249073dc", "name": "introspect", "provenance": {}, "results": [ { "name": "artifact-type", "type": "string", "value": "application" }, { "name": "artifact-type-set-by", "type": "string", "value": "introspection" } ], "terminated": { "containerID": "containerd://14ce5196c42746aa7acd74c5c98da8170fe5dceeacef40a90b6fc9efaba7c521", "exitCode": 0, "finishedAt": "2026-05-16T08:08:52Z", "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-05-16T08:08:13Z" }, "terminationReason": "Completed" }, { "container": "step-generate-container-auth", "imageID": "quay.io/konflux-ci/task-runner@sha256:1c0582a85dae0949f3ec94aca95695c5d7698b371f1b76c5a78822a6249073dc", "name": "generate-container-auth", "provenance": {}, "results": [ { "name": "auth-json-path", "type": "string", "value": "/auth/auth.json" } ], "terminated": { "containerID": "containerd://70aad2737a87412573aba462d0d7b364a46b14dcfaacba3119d544cdf9ed33b9", "exitCode": 0, "finishedAt": "2026-05-16T08:09:05Z", "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-05-16T08:08:48Z" }, "terminationReason": "Completed" }, { "container": "step-set-skip-for-bundles", "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1", "name": "set-skip-for-bundles", "provenance": {}, "terminated": { "containerID": "containerd://46a310a7641876374258bb262432b3207acb0487ad03f7f03e281f3193c05fec", "exitCode": 0, "finishedAt": "2026-05-16T08:09:05Z", "reason": "Completed", "startedAt": "2026-05-16T08:09:04Z" }, "terminationReason": "Skipped" }, { "container": "step-app-check", "imageID": "quay.io/opdev/preflight@sha256:6dc9402d20c330e693e6a949ab42c8721e385f012379ff99d51310ec1cbef576", "name": "app-check", "provenance": {}, "terminated": { "containerID": "containerd://77b0457304c71cf7f2403c117b0ec9f42127ae1fde394be6b6084d0d679a74c5", "exitCode": 0, "finishedAt": "2026-05-16T08:09:22Z", "reason": "Completed", "startedAt": "2026-05-16T08:09:04Z" }, "terminationReason": "Completed" }, { "container": "step-app-set-outcome", "imageID": "quay.io/konflux-ci/task-runner@sha256:1c0582a85dae0949f3ec94aca95695c5d7698b371f1b76c5a78822a6249073dc", "name": "app-set-outcome", "provenance": {}, "results": [ { "name": "images-processed", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0\", \"digests\": [\"sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f\"]}}" }, { "name": "test-output", "type": "string", "value": "{\"result\":\"ERROR\",\"timestamp\":\"1778918963\",\"note\":\"Task preflight is a ERROR: Refer to Tekton task logs for more information\",\"successes\":4,\"failures\":3,\"warnings\":0}" } ], "terminated": { "containerID": "containerd://f7bb6f45282d6ecf8ae6f5eeab283d9aa656901e976ace70b5b42f1ded3dc087", "exitCode": 0, "finishedAt": "2026-05-16T08:09:24Z", "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0\\\", \\\"digests\\\": [\\\"sha256:a706ef43b802f80aa48d7d3eb60cd761d7930d6bf9e142ffab42f74a6070ee5f\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"ERROR\\\",\\\"timestamp\\\":\\\"1778918963\\\",\\\"note\\\":\\\"Task preflight is a ERROR: Refer to Tekton task logs for more information\\\",\\\"successes\\\":4,\\\"failures\\\":3,\\\"warnings\\\":0}\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-05-16T08:09:23Z" }, "terminationReason": "Completed" }, { "container": "step-final-outcome", "imageID": "quay.io/konflux-ci/task-runner@sha256:1c0582a85dae0949f3ec94aca95695c5d7698b371f1b76c5a78822a6249073dc", "name": "final-outcome", "provenance": {}, "results": [ { "name": "test-output", "type": "string", "value": "{\"result\":\"ERROR\",\"timestamp\":\"1778918963\",\"note\":\"Task preflight is a ERROR: Refer to Tekton task logs for more information\",\"successes\":4,\"failures\":3,\"warnings\":0}" } ], "terminated": { "containerID": "containerd://8510c40c5f35e38dc2c39f5c9273431d3a9428d891729f805b552db12862c1b6", "exitCode": 0, "finishedAt": "2026-05-16T08:09:25Z", "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"ERROR\\\",\\\"timestamp\\\":\\\"1778918963\\\",\\\"note\\\":\\\"Task preflight is a ERROR: Refer to Tekton task logs for more information\\\",\\\"successes\\\":4,\\\"failures\\\":3,\\\"warnings\\\":0}\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-05-16T08:09:25Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.", "params": [ { "description": "Image url to scan.", "name": "image-url", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "introspect", "description": "The type of artifact. Select from application, operatorbundle, or introspect.", "name": "artifact-type", "type": "string" }, { "default": "", "description": "The platform the image is built on.", "name": "platform", "type": "string" } ], "results": [ { "description": "Ecosystem checks pass or fail outcome.", "name": "TEST_OUTPUT", "type": "string", "value": "$(steps.final-outcome.results.test-output)" }, { "description": "The artifact type, either introspected or set.", "name": "ARTIFACT_TYPE", "type": "string", "value": "$(steps.introspect.results.artifact-type)" }, { "description": "How the artifact type was set.", "name": "ARTIFACT_TYPE_SET_BY", "type": "string", "value": "$(steps.introspect.results.artifact-type-set-by)" }, { "description": "Collected image digests", "name": "IMAGES_PROCESSED", "type": "string", "value": "$(steps.app-set-outcome.results.images-processed)" } ], "steps": [ { "computeResources": { "limits": { "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "env": [ { "name": "PARAM_ARTIFACT_TYPE", "value": "introspect" }, { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" } ], "image": "quay.io/konflux-ci/task-runner:1.7.0@sha256:1c0582a85dae0949f3ec94aca95695c5d7698b371f1b76c5a78822a6249073dc", "name": "introspect", "results": [ { "description": "The type of artifact this task is considering.", "name": "artifact-type" }, { "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n", "name": "artifact-type-set-by" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n echo \"Artifact type will be determined by introspection.\"\n _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n # short circuit if the artifact type was set via parameter.\n echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n _CURRENT_ARCH=$(uname -m)\n _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n # to map them.\n case ${_CURRENT_ARCH} in\n \"aarch64\")\n _CURRENT_ARCH=\"arm64\"\n ;;\n \"x86_64\")\n _CURRENT_ARCH=\"amd64\"\n ;;\n *)\n ;;\n esac\n\n # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n else\n # If there is no image for the current OS and architecture, just use the first one in the list.\n _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n | jq '.Labels | keys | .[]' -r \\\n | { grep operators.operatorframework.io.bundle || true ;} \\\n | tee /tmp/ecosystem-image-labels\nthen\n echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n" }, { "computeResources": { "limits": { "memory": "64Mi" }, "requests": { "cpu": "50m", "memory": "64Mi" } }, "env": [ { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" } ], "image": "quay.io/konflux-ci/task-runner:1.7.0@sha256:1c0582a85dae0949f3ec94aca95695c5d7698b371f1b76c5a78822a6249073dc", "name": "generate-container-auth", "results": [ { "description": "Path to auth.json", "name": "auth-json-path" } ], "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n", "volumeMounts": [ { "mountPath": "/auth", "name": "auth" } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1", "name": "set-skip-for-bundles", "results": [ { "description": "A skipped tekton result for bundles.", "name": "test-output" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n", "volumeMounts": [ { "mountPath": "/bundle", "name": "pfltoutputdir" } ], "when": [ { "input": "$(steps.introspect.results.artifact-type)", "operator": "in", "values": [ "operatorbundle" ] } ] }, { "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "1", "memory": "4Gi" } }, "env": [ { "name": "PFLT_DOCKERCONFIG", "value": "$(steps.generate-container-auth.results.auth-json-path)" }, { "name": "PFLT_KONFLUX", "value": "true" }, { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" }, { "name": "PARAM_PLATFORM" } ], "image": "quay.io/opdev/preflight:stable@sha256:6dc9402d20c330e693e6a949ab42c8721e385f012379ff99d51310ec1cbef576", "name": "app-check", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n # Extract part after slash if present\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n\n # Validate against supported arch list. If it's not a known arch, return an error result\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 0\n ;;\n esac\n\n /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n /usr/local/bin/preflight check container \"$image_url\"\nfi\n", "volumeMounts": [ { "mountPath": "/artifacts", "name": "pfltoutputdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" }, { "mountPath": "/auth", "name": "auth", "readOnly": true } ], "when": [ { "input": "$(steps.introspect.results.artifact-type)", "operator": "in", "values": [ "application" ] } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pcxf/gh-test-custom-branch-drhneu:605704b85dafde7f7c1070c9c4bf1dfc588e57b0" } ], "image": "quay.io/konflux-ci/task-runner:1.7.0@sha256:1c0582a85dae0949f3ec94aca95695c5d7698b371f1b76c5a78822a6249073dc", "name": "app-set-outcome", "results": [ { "description": "The overall outcome of this task.", "name": "test-output" }, { "description": "Processed image digests.", "name": "images-processed" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n # Check if results directory exits\n RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n continue\n fi\n # Process results\n if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{ result: $result,\n timestamp: $date,\n note: $note,\n successes: $successes|tonumber,\n failures: $failures|tonumber,\n warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nretry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" \u003e /tmp/raw-manifest.json\nimage_digest=\"sha256:$(sha256sum \u003c /tmp/raw-manifest.json | awk '{print $1}')\"\nif [[ ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n", "volumeMounts": [ { "mountPath": "/artifacts", "name": "pfltoutputdir" } ], "when": [ { "input": "$(steps.introspect.results.artifact-type)", "operator": "in", "values": [ "application" ] } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.7.0@sha256:1c0582a85dae0949f3ec94aca95695c5d7698b371f1b76c5a78822a6249073dc", "name": "final-outcome", "results": [ { "name": "test-output" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n", "volumeMounts": [ { "mountPath": "/mount", "name": "pfltoutputdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "pfltoutputdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "auth" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/sample-multi-component?rev=2b300e6ccd54192a909ffd3413e3ffaa969ed093", "build.appstudio.redhat.com/commit_sha": "2b300e6ccd54192a909ffd3413e3ffaa969ed093", "build.appstudio.redhat.com/target_branch": "multi-component-base-grczrd", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "multi-component-base-grczrd", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76304882592", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-yvbibh", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://52.41.108.59:9443/ns/build-e2e-pggh/pipelinerun/go-component-caryjw-on-push-tw8mm", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-base-grczrd\" \u0026\u0026 ( \"go-component/***\".pathChanged() || \".tekton/go-component-caryjw-push.yaml\".pathChanged() )", "pipelinesascode.tekton.dev/original-prname": "go-component-caryjw-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "redhat-appstudio-qe-bot", "pipelinesascode.tekton.dev/sha": "2b300e6ccd54192a909ffd3413e3ffaa969ed093", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #33438 from redhat-appstudio-qe/konflux-go-component-caryjw\n\nkonflux-ci e2e-tests update go-component-caryjw", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/sample-multi-component/commit/2b300e6ccd54192a909ffd3413e3ffaa969ed093", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-base-grczrd", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-pggh/results/4ac11663-9944-4d45-a003-dd500e45eb80/records/54267902-a1bd-45b6-a445-6f8995a30775", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"sample-multi-component\",\"commit\":\"2b300e6ccd54192a909ffd3413e3ffaa969ed093\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-pggh/results/4ac11663-9944-4d45-a003-dd500e45eb80", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-05-16T08:09:30Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-16T08:10:09Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-positive-mc-ymqc", "appstudio.openshift.io/component": "go-component-caryjw", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76304882592", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "go-component-caryjw-on-push", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/sha": "2b300e6ccd54192a909ffd3413e3ffaa969ed093", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "go-component-caryjw-on-push-tw8mm", "tekton.dev/pipelineRun": "go-component-caryjw-on-push-tw8mm", "tekton.dev/pipelineRunUID": "4ac11663-9944-4d45-a003-dd500e45eb80", "tekton.dev/pipelineTask": "apply-tags", "tekton.dev/task": "apply-tags" }, "name": "go-component-caryjw-on-push-tw8mm-apply-tags", "namespace": "build-e2e-pggh", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "go-component-caryjw-on-push-tw8mm", "uid": "4ac11663-9944-4d45-a003-dd500e45eb80" } ], "resourceVersion": "35406", "uid": "54267902-a1bd-45b6-a445-6f8995a30775" }, "spec": { "params": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw:2b300e6ccd54192a909ffd3413e3ffaa969ed093" }, { "name": "IMAGE_DIGEST", "value": "sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9" } ], "serviceAccountName": "build-pipeline-go-component-caryjw", "taskRef": { "params": [ { "name": "name", "value": "apply-tags" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-apply-tags:0.3@sha256:a291081de7fb27f832c6fc3c4b078acf7e6162ca4c085db38b118ca87e8b5b66" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:09:47Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:09:47Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "go-component-caryjw-on-push-tw8mm-apply-tags-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "a291081de7fb27f832c6fc3c4b078acf7e6162ca4c085db38b118ca87e8b5b66" }, "entryPoint": "apply-tags", "uri": "quay.io/konflux-ci/tekton-catalog/task-apply-tags" } }, "startTime": "2026-05-16T08:09:33Z", "steps": [ { "container": "step-apply-additional-tags", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "apply-additional-tags", "provenance": {}, "terminated": { "containerID": "containerd://3f73bb5cf3a111522759784c29ed0304b4dba17b146e84a63c0d5b9c7a590569", "exitCode": 0, "finishedAt": "2026-05-16T08:09:47Z", "reason": "Completed", "startedAt": "2026-05-16T08:09:44Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Applies additional tags to the built image.", "params": [ { "description": "Image repository and tag reference of the the built image.", "name": "IMAGE_URL", "type": "string" }, { "description": "Image digest of the built image.", "name": "IMAGE_DIGEST", "type": "string" }, { "default": [], "description": "Additional tags that will be applied to the image in the registry.", "name": "ADDITIONAL_TAGS", "type": "array" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "CA_TRUST_CONFIG_MAP_NAME", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "CA_TRUST_CONFIG_MAP_KEY", "type": "string" }, { "default": "info", "description": "Log level to use in the task. See golang logrus docs for available levels.", "name": "LOG_LEVEL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "args": [ "--image-url", "quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw:2b300e6ccd54192a909ffd3413e3ffaa969ed093", "--digest", "sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9", "--tags", "--tags-from-image-label", "konflux.additional-tags" ], "command": [ "konflux-build-cli", "image", "apply-tags" ], "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "KBC_LOG_LEVEL", "value": "info" } ], "image": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "apply-additional-tags" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/sample-multi-component?rev=2b300e6ccd54192a909ffd3413e3ffaa969ed093", "build.appstudio.redhat.com/commit_sha": "2b300e6ccd54192a909ffd3413e3ffaa969ed093", "build.appstudio.redhat.com/target_branch": "multi-component-base-grczrd", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "multi-component-base-grczrd", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76304882592", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-yvbibh", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://52.41.108.59:9443/ns/build-e2e-pggh/pipelinerun/go-component-caryjw-on-push-tw8mm", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-base-grczrd\" \u0026\u0026 ( \"go-component/***\".pathChanged() || \".tekton/go-component-caryjw-push.yaml\".pathChanged() )", "pipelinesascode.tekton.dev/original-prname": "go-component-caryjw-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "redhat-appstudio-qe-bot", "pipelinesascode.tekton.dev/sha": "2b300e6ccd54192a909ffd3413e3ffaa969ed093", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #33438 from redhat-appstudio-qe/konflux-go-component-caryjw\n\nkonflux-ci e2e-tests update go-component-caryjw", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/sample-multi-component/commit/2b300e6ccd54192a909ffd3413e3ffaa969ed093", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-base-grczrd", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-pggh/results/4ac11663-9944-4d45-a003-dd500e45eb80/records/54fef8fd-3ee7-4886-92f6-accd3921aa35", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"sample-multi-component\",\"commit\":\"2b300e6ccd54192a909ffd3413e3ffaa969ed093\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-pggh/results/4ac11663-9944-4d45-a003-dd500e45eb80", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "image-build, konflux" }, "creationTimestamp": "2026-05-16T08:07:41Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-16T08:10:08Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-positive-mc-ymqc", "appstudio.openshift.io/component": "go-component-caryjw", "build.appstudio.redhat.com/build_type": "docker", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76304882592", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "go-component-caryjw-on-push", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/sha": "2b300e6ccd54192a909ffd3413e3ffaa969ed093", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "go-component-caryjw-on-push-tw8mm", "tekton.dev/pipelineRun": "go-component-caryjw-on-push-tw8mm", "tekton.dev/pipelineRunUID": "4ac11663-9944-4d45-a003-dd500e45eb80", "tekton.dev/pipelineTask": "build-image-index", "tekton.dev/task": "build-image-index" }, "name": "go-component-caryjw-on-push-tw8mm-build-image-index", "namespace": "build-e2e-pggh", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "go-component-caryjw-on-push-tw8mm", "uid": "4ac11663-9944-4d45-a003-dd500e45eb80" } ], "resourceVersion": "35271", "uid": "54fef8fd-3ee7-4886-92f6-accd3921aa35" }, "spec": { "params": [ { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw:2b300e6ccd54192a909ffd3413e3ffaa969ed093" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "IMAGES", "value": [ "quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw:2b300e6ccd54192a909ffd3413e3ffaa969ed093@sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9" ] }, { "name": "BUILDAH_FORMAT", "value": "docker" } ], "serviceAccountName": "build-pipeline-go-component-caryjw", "taskRef": { "params": [ { "name": "name", "value": "build-image-index" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-build-image-index:0.3@sha256:550afde50349e22ec11191ea0db9a49395ab46fef4e8317d820b6e946677ebeb" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:09:27Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:09:27Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "go-component-caryjw-on-push-tw8mm-build-image-index-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "550afde50349e22ec11191ea0db9a49395ab46fef4e8317d820b6e946677ebeb" }, "entryPoint": "build-image-index", "uri": "quay.io/konflux-ci/tekton-catalog/task-build-image-index" } }, "results": [ { "name": "IMAGES", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw@sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9" }, { "name": "IMAGE_DIGEST", "type": "string", "value": "sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9" }, { "name": "IMAGE_REF", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw@sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9" }, { "name": "IMAGE_URL", "type": "string", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw:2b300e6ccd54192a909ffd3413e3ffaa969ed093" } ], "startTime": "2026-05-16T08:07:41Z", "steps": [ { "container": "step-build", "imageID": "quay.io/konflux-ci/konflux-build-cli@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "build", "provenance": {}, "terminated": { "containerID": "containerd://c9146d228fbf95ac49c08e5e2f2020ca6a53f3e8081ec053dd0d84af8d809ff4", "exitCode": 0, "finishedAt": "2026-05-16T08:09:23Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw@sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw@sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw:2b300e6ccd54192a909ffd3413e3ffaa969ed093\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:09:21Z" }, "terminationReason": "Completed" }, { "container": "step-create-sbom", "imageID": "quay.io/konflux-ci/mobster@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "provenance": {}, "terminated": { "containerID": "containerd://3b3af8f654816819e60f6b9f857ac0c83288c9235e241dccc6a484f0d969dfc0", "exitCode": 0, "finishedAt": "2026-05-16T08:09:24Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw@sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw@sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw:2b300e6ccd54192a909ffd3413e3ffaa969ed093\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:09:23Z" }, "terminationReason": "Completed" }, { "container": "step-upload-sbom", "imageID": "quay.io/konflux-ci/task-runner@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "provenance": {}, "terminated": { "containerID": "containerd://f8e37d80bb9de69c0afec6a7e97e7e16041d694372242fbaa187814d2ed4f5d0", "exitCode": 0, "finishedAt": "2026-05-16T08:09:26Z", "message": "[{\"key\":\"IMAGES\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw@sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9\",\"type\":1},{\"key\":\"IMAGE_DIGEST\",\"value\":\"sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9\",\"type\":1},{\"key\":\"IMAGE_REF\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw@sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9\",\"type\":1},{\"key\":\"IMAGE_URL\",\"value\":\"quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw:2b300e6ccd54192a909ffd3413e3ffaa969ed093\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:09:24Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "This takes existing Image Manifests and combines them in an Image Index.", "params": [ { "description": "The target image and tag where the image will be pushed to.", "name": "IMAGE", "type": "string" }, { "default": "true", "description": "Verify the TLS on the registry endpoint (for push/pull to a non-TLS registry)", "name": "TLSVERIFY", "type": "string" }, { "description": "List of Image Manifests to be referenced by the Image Index", "name": "IMAGES", "type": "array" }, { "default": "true", "description": "Build an image index even if IMAGES is of length 1. Default true. If the image index generation is skipped, the task will forward values for params.IMAGES[0] to results.IMAGE_*. In order to properly set all results, use the repository:tag@sha256:digest format for the IMAGES parameter.", "name": "ALWAYS_BUILD_INDEX", "type": "string" }, { "default": "vfs", "description": "Storage driver to configure for buildah", "name": "STORAGE_DRIVER", "type": "string" }, { "default": "oci", "description": "The format for the resulting image's mediaType. Valid values are oci (default) or docker.", "name": "BUILDAH_FORMAT", "type": "string" }, { "default": "false", "description": "Flag to enable or disable SBOM validation before save. Validation is optional - use this if you are experiencing performance issues.", "name": "SBOM_SKIP_VALIDATION", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from", "name": "caTrustConfigMapName", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data", "name": "caTrustConfigMapKey", "type": "string" } ], "results": [ { "description": "Digest of the image just built", "name": "IMAGE_DIGEST", "type": "string" }, { "description": "Image repository and tag where the built image was pushed", "name": "IMAGE_URL", "type": "string" }, { "description": "List of all referenced image manifests", "name": "IMAGES", "type": "string" }, { "description": "Image reference of the built image containing both the repository and the digest", "name": "IMAGE_REF", "type": "string" }, { "description": "Reference of SBOM blob digest to enable digest-based verification from provenance", "name": "SBOM_BLOB_URL", "type": "string" } ], "stepTemplate": { "computeResources": {}, "env": [ { "name": "BUILDAH_FORMAT", "value": "docker" }, { "name": "IMAGE", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw:2b300e6ccd54192a909ffd3413e3ffaa969ed093" }, { "name": "TLSVERIFY", "value": "true" }, { "name": "ALWAYS_BUILD_INDEX", "value": "false" }, { "name": "STORAGE_DRIVER", "value": "vfs" } ], "volumeMounts": [ { "mountPath": "/index-build-data", "name": "shared-dir" }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ] }, "steps": [ { "args": [ "quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw:2b300e6ccd54192a909ffd3413e3ffaa969ed093@sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9" ], "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "250m", "memory": "4Gi" } }, "image": "quay.io/konflux-ci/konflux-build-cli:latest@sha256:b296232c9b0d478c0bd1f48911ead97cd786eebdc737b877797564567fda8eae", "name": "build", "script": "#!/bin/bash\n# Fixing group permission on /var/lib/containers\nset -eu\nset -o pipefail\nchown root:root /var/lib/containers\n\nsed -i 's/^\\s*short-name-mode\\s*=\\s*.*/short-name-mode = \"disabled\"/' /etc/containers/registries.conf\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\n\necho \"Running konflux-build-cli\"\nif ! konflux-build-cli image build-image-index \\\n --image \"$IMAGE\" \\\n --tls-verify=\"$TLSVERIFY\" \\\n --buildah-format \"$BUILDAH_FORMAT\" \\\n --always-build-index=\"$ALWAYS_BUILD_INDEX\" \\\n --additional-tags \"go-component-caryjw-on-push-tw8mm-build-image-index\" \\\n --output-manifest-path \"$MANIFEST_DATA_FILE\" \\\n --result-path-image-digest \"/tekton/results/IMAGE_DIGEST\" \\\n --result-path-image-url \"/tekton/results/IMAGE_URL\" \\\n --result-path-image-ref \"/tekton/results/IMAGE_REF\" \\\n --result-path-images \"/tekton/results/IMAGES\" \\\n --images \"$@\"; then\n echo \"Failed to build image index\"\n exit 1\nfi\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] }, "runAsUser": 0 } }, { "computeResources": { "limits": { "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/mobster:1.1.0-1770046049@sha256:7415f55121f5580ac79dc6e6567383574ee5f94f97736f235a141688f02e6094", "name": "create-sbom", "script": "#!/bin/bash\nset -e\n\nMANIFEST_DATA_FILE=\"/index-build-data/manifest_data.json\"\nif [ ! -f \"$MANIFEST_DATA_FILE\" ]; then\n echo \"The manifest_data.json file does not exist. Skipping the SBOM creation...\"\n exit 0\nfi\n\nIMAGE_URL=\"$(cat \"/tekton/results/IMAGE_URL\")\"\nIMAGE_DIGEST=\"$(cat \"/tekton/results/IMAGE_DIGEST\")\"\necho \"Creating SBOM result file...\"\nmobster_args=(generate --output /index-build-data/index.spdx.json)\n\nif [ \"${SBOM_SKIP_VALIDATION}\" == \"true\" ]; then\n echo \"Skipping SBOM validation\"\n mobster_args+=(--skip-validation)\nfi\n\nmobster_args+=(\n oci-index\n --index-image-pullspec \"$IMAGE_URL\"\n --index-image-digest \"$IMAGE_DIGEST\"\n --index-manifest-path \"$MANIFEST_DATA_FILE\"\n)\nmobster \"${mobster_args[@]}\"\n" }, { "computeResources": { "limits": { "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.6.0@sha256:1abfe4e50d4e961d0fd9790202565f93ee650fe8dfc50932c94989acba10485f", "name": "upload-sbom", "script": "#!/bin/bash\nset -e\n\necho \"[$(date --utc -Ins)] Update CA trust\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSBOM_RESULT_FILE=\"/index-build-data/index.spdx.json\"\nif [ ! -f \"$SBOM_RESULT_FILE\" ]; then\n echo \"The index.spdx.json file does not exists. Skipping the SBOM upload...\"\n exit 0\nfi\n\n# Pre-select the correct credentials to work around cosign not supporting the containers-auth.json spec\nmkdir -p /tmp/auth \u0026\u0026 select-oci-auth \"$(cat \"/tekton/results/IMAGE_REF\")\" \u003e /tmp/auth/config.json\nexport DOCKER_CONFIG=/tmp/auth\n\necho \"Pushing sbom to registry\"\nif ! retry cosign attach sbom --sbom \"$SBOM_RESULT_FILE\" --type spdx \"$(cat \"/tekton/results/IMAGE_REF\")\"\nthen\n echo \"Failed to push sbom to registry\"\n exit 1\nfi\n\n# Remove tag from IMAGE while allowing registry to contain a port number.\nsbom_repo=\"${IMAGE%:*}\"\nsbom_digest=\"$(sha256sum \"$SBOM_RESULT_FILE\" | cut -d' ' -f1)\"\n# The SBOM_BLOB_URL is created by `cosign attach sbom`.\necho -n \"${sbom_repo}@sha256:${sbom_digest}\" | tee \"/tekton/results/SBOM_BLOB_URL\"\n", "securityContext": { "runAsNonRoot": false, "runAsUser": 0 } } ], "volumes": [ { "emptyDir": {}, "name": "shared-dir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/sample-multi-component?rev=2b300e6ccd54192a909ffd3413e3ffaa969ed093", "build.appstudio.redhat.com/commit_sha": "2b300e6ccd54192a909ffd3413e3ffaa969ed093", "build.appstudio.redhat.com/target_branch": "multi-component-base-grczrd", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "multi-component-base-grczrd", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76304882592", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-yvbibh", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://52.41.108.59:9443/ns/build-e2e-pggh/pipelinerun/go-component-caryjw-on-push-tw8mm", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-base-grczrd\" \u0026\u0026 ( \"go-component/***\".pathChanged() || \".tekton/go-component-caryjw-push.yaml\".pathChanged() )", "pipelinesascode.tekton.dev/original-prname": "go-component-caryjw-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "redhat-appstudio-qe-bot", "pipelinesascode.tekton.dev/sha": "2b300e6ccd54192a909ffd3413e3ffaa969ed093", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #33438 from redhat-appstudio-qe/konflux-go-component-caryjw\n\nkonflux-ci e2e-tests update go-component-caryjw", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/sample-multi-component/commit/2b300e6ccd54192a909ffd3413e3ffaa969ed093", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-base-grczrd", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-pggh/results/4ac11663-9944-4d45-a003-dd500e45eb80/records/3cd8a580-174d-4259-b3d9-fa9bb24a9f50", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"sample-multi-component\",\"commit\":\"2b300e6ccd54192a909ffd3413e3ffaa969ed093\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-pggh/results/4ac11663-9944-4d45-a003-dd500e45eb80", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-05-16T08:09:30Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-16T08:10:09Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-positive-mc-ymqc", "appstudio.openshift.io/component": "go-component-caryjw", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76304882592", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "go-component-caryjw-on-push", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/sha": "2b300e6ccd54192a909ffd3413e3ffaa969ed093", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "go-component-caryjw-on-push-tw8mm", "tekton.dev/pipelineRun": "go-component-caryjw-on-push-tw8mm", "tekton.dev/pipelineRunUID": "4ac11663-9944-4d45-a003-dd500e45eb80", "tekton.dev/pipelineTask": "sast-shell-check", "tekton.dev/task": "sast-shell-check-oci-ta" }, "name": "go-component-caryjw-on-push-tw8mm-sast-shell-check", "namespace": "build-e2e-pggh", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "go-component-caryjw-on-push-tw8mm", "uid": "4ac11663-9944-4d45-a003-dd500e45eb80" } ], "resourceVersion": "35316", "uid": "3cd8a580-174d-4259-b3d9-fa9bb24a9f50" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw:2b300e6ccd54192a909ffd3413e3ffaa969ed093" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw@sha256:521ec2ee0354649bea641963011b20fed4d1e6bba0b41450b9d05cabf73006dd" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "serviceAccountName": "build-pipeline-go-component-caryjw", "taskRef": { "params": [ { "name": "name", "value": "sast-shell-check-oci-ta" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta:0.1@sha256:c4ef47e3b4e0508572d266fb745be7e374c29dc02580328cbe9f4d472a8aca57" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:09:50Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:09:50Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "go-component-caryjw-on-push-tw8mm-sast-shell-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "c4ef47e3b4e0508572d266fb745be7e374c29dc02580328cbe9f4d472a8aca57" }, "entryPoint": "sast-shell-check-oci-ta", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-shell-check-oci-ta" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-16T08:09:47+00:00\",\"note\":\"For details, check Tekton task log.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "startTime": "2026-05-16T08:09:31Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "containerd://76fd7ed872e11b049af526db6cacfb23ed540983df4b34d585b7ca19fbe70507", "exitCode": 0, "finishedAt": "2026-05-16T08:09:46Z", "reason": "Completed", "startedAt": "2026-05-16T08:09:45Z" }, "terminationReason": "Completed" }, { "container": "step-sast-shell-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-shell-check", "provenance": {}, "terminated": { "containerID": "containerd://cc828400642b90d6c2a9ccc6e021ffad506c49ff1a2e27bfd91a4f23b9e2ab60", "exitCode": 0, "finishedAt": "2026-05-16T08:09:47Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-16T08:09:47+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:09:47Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "provenance": {}, "terminated": { "containerID": "containerd://b9fb4a58ca8563717e1fcb2dee7cd506e39de36f1fa7d8eee38a190f9968bade", "exitCode": 0, "finishedAt": "2026-05-16T08:09:49Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-16T08:09:47+00:00\\\",\\\"note\\\":\\\"For details, check Tekton task log.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:09:48Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "The sast-shell-check task uses [shellcheck](https://www.shellcheck.net/) tool to perform Static Application Security Testing (SAST), a popular cloud-native application security platform. This task leverages the shellcheck wrapper (csmock-plugin-shellcheck-core) to run shellcheck on a directory tree.\nShellCheck is a static analysis tool, gives warnings and suggestions for bash/sh shell scripts. This task can run on x86 and arm.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "true", "description": "Whether to include important findings only", "name": "IMP_FINDINGS_ONLY", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (default to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "default": "", "description": "Image digest to report findings for.", "name": "image-digest", "type": "string" }, { "default": "", "description": "Image URL.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw@sha256:521ec2ee0354649bea641963011b20fed4d1e6bba0b41450b9d05cabf73006dd=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "memory": "4Gi" } }, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "8", "memory": "4Gi" }, "requests": { "cpu": "1", "memory": "4Gi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "IMP_FINDINGS_ONLY", "value": "true" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-shell-check", "script": "#!/usr/bin/env bash\nset -x\n# shellcheck source=/dev/null\nsource /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nPACKAGE_VERSION=$(rpm -q --queryformat '%{NAME}-%{VERSION}-%{RELEASE}\\n' ShellCheck)\n\nOUTPUT_FILE=\"shellcheck-results.json\"\nSOURCE_CODE_DIR=/var/workdir/source\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nIFS=\",\" read -ra TARGET_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGET_ARRAY[@]}\"; do\n potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n\n resolved_path=$(realpath -m \"$potential_path\")\n\n # ensure resolved path is still within SOURCE_CODE_DIR\n if [[ \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n ALL_TARGETS+=(\"$resolved_path\")\n else\n echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n exit 1\n fi\ndone\n\n# determine number of available CPU cores for shellcheck based on container cgroup v2 CPU limits\n# this calculates the ceiling, so if the cpu limit is 0.5, the number of jobs will be 1.\nif [ -z \"$SC_JOBS\" ] \u0026\u0026 [ -r \"/sys/fs/cgroup/cpu.max\" ]; then\n read -r quota period \u003c/sys/fs/cgroup/cpu.max\n if [ \"$quota\" != \"max\" ] \u0026\u0026 [ -n \"$period\" ] \u0026\u0026 [ \"$period\" -gt 0 ]; then\n export SC_JOBS=$(((quota + period - 1) / period))\n echo \"INFO: Setting SC_JOBS=${SC_JOBS} based on cgroups v2 max for run-shellcheck.sh\"\n fi\nfi\n\n# generate all shellcheck result JSON files to $SC_RESULTS_DIR, which defaults to ./shellcheck-results/\n/usr/share/csmock/scripts/run-shellcheck.sh \"${ALL_TARGETS[@]}\"\n\nCSGREP_OPTS=(\n --mode=json\n --strip-path-prefix=\"$SOURCE_CODE_DIR\"/\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"ShellCheck:${PACKAGE_VERSION}\"\n)\nif [[ \"$IMP_FINDINGS_ONLY\" == \"true\" ]]; then\n # predefined list of shellcheck important findings\n CSGREP_EVENT_FILTER='\\[SC(1020|1035|1054|1066|1068|1073|1080|1083|1099|1113|1115|1127|1128|1143|2043|2050|'\n CSGREP_EVENT_FILTER+='2055|2057|2066|2069|2071|2077|2078|2091|2092|2157|2171|2193|2194|2195|2215|2216|'\n CSGREP_EVENT_FILTER+='2218|2224|2225|2242|2256|2258|2261)\\]$'\n CSGREP_OPTS+=(\n --event=\"$CSGREP_EVENT_FILTER\"\n )\nelse\n CSGREP_OPTS+=(\n --event=\"error|warning\"\n )\nfi\n\nif ! csgrep \"${CSGREP_OPTS[@]}\" ./shellcheck-results/*.json \u003e\"$OUTPUT_FILE\"; then\n echo \"Error occurred while running 'run-shellcheck.sh'\"\n note=\"Task sast-shell-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" \"${OUTPUT_FILE}\" \u003e\"${OUTPUT_FILE}.filtered\" 2\u003e\"${OUTPUT_FILE}.error\"\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n else\n mv \"${OUTPUT_FILE}.filtered\" \"$OUTPUT_FILE\"\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\necho \"ShellCheck results have been saved to $OUTPUT_FILE\"\n\ncsgrep --mode=evtstat \"$OUTPUT_FILE\"\ncsgrep --mode=sarif \"$OUTPUT_FILE\" \u003eshellcheck-results.sarif\n\nTEST_OUTPUT=\nparse_test_output \"sast-shell-check-oci-ta\" sarif shellcheck-results.sarif || true\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw:2b300e6ccd54192a909ffd3413e3ffaa969ed093" }, { "name": "IMAGE_DIGEST", "value": "sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\nif [ -z \"${IMAGE_URL}\" ] || [ -z \"${IMAGE_DIGEST}\" ]; then\n echo 'No image-url or image-digest param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"shellcheck-results.sarif excluded-findings.json\"\n\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n # Determine the media type based on the file extension\n if [[ \"${UPLOAD_FILE}\" == *.json ]]; then\n MEDIA_TYPE=\"application/json\"\n else\n MEDIA_TYPE=\"application/sarif+json\"\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"$IMAGE_URL\" \u003e\"$HOME/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n echo \"Failed to attach ${UPLOAD_FILE} to ${IMAGE_URL}\"\n exit 1\n fi\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/sample-multi-component?rev=2b300e6ccd54192a909ffd3413e3ffaa969ed093", "build.appstudio.redhat.com/commit_sha": "2b300e6ccd54192a909ffd3413e3ffaa969ed093", "build.appstudio.redhat.com/target_branch": "multi-component-base-grczrd", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "multi-component-base-grczrd", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76304882592", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-yvbibh", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://52.41.108.59:9443/ns/build-e2e-pggh/pipelinerun/go-component-caryjw-on-push-tw8mm", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-base-grczrd\" \u0026\u0026 ( \"go-component/***\".pathChanged() || \".tekton/go-component-caryjw-push.yaml\".pathChanged() )", "pipelinesascode.tekton.dev/original-prname": "go-component-caryjw-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "redhat-appstudio-qe-bot", "pipelinesascode.tekton.dev/sha": "2b300e6ccd54192a909ffd3413e3ffaa969ed093", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #33438 from redhat-appstudio-qe/konflux-go-component-caryjw\n\nkonflux-ci e2e-tests update go-component-caryjw", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/sample-multi-component/commit/2b300e6ccd54192a909ffd3413e3ffaa969ed093", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-base-grczrd", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-pggh/results/4ac11663-9944-4d45-a003-dd500e45eb80/records/082213a4-70fd-4e0c-a2d1-efe271b3a1d1", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"sample-multi-component\",\"commit\":\"2b300e6ccd54192a909ffd3413e3ffaa969ed093\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-pggh/results/4ac11663-9944-4d45-a003-dd500e45eb80", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-05-16T08:09:30Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-16T08:10:08Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-positive-mc-ymqc", "appstudio.openshift.io/component": "go-component-caryjw", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76304882592", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "go-component-caryjw-on-push", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/sha": "2b300e6ccd54192a909ffd3413e3ffaa969ed093", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "go-component-caryjw-on-push-tw8mm", "tekton.dev/pipelineRun": "go-component-caryjw-on-push-tw8mm", "tekton.dev/pipelineRunUID": "4ac11663-9944-4d45-a003-dd500e45eb80", "tekton.dev/pipelineTask": "sast-snyk-check", "tekton.dev/task": "sast-snyk-check-oci-ta" }, "name": "go-component-caryjw-on-push-tw8mm-sast-snyk-check", "namespace": "build-e2e-pggh", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "go-component-caryjw-on-push-tw8mm", "uid": "4ac11663-9944-4d45-a003-dd500e45eb80" } ], "resourceVersion": "35288", "uid": "082213a4-70fd-4e0c-a2d1-efe271b3a1d1" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw:2b300e6ccd54192a909ffd3413e3ffaa969ed093" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw@sha256:521ec2ee0354649bea641963011b20fed4d1e6bba0b41450b9d05cabf73006dd" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "serviceAccountName": "build-pipeline-go-component-caryjw", "taskRef": { "params": [ { "name": "name", "value": "sast-snyk-check-oci-ta" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta:0.4@sha256:8f3ecbeaff579e41b8278f82d7fabac27845db17a8e687ea6c510c0c9aceabbb" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:09:50Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:09:50Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "go-component-caryjw-on-push-tw8mm-sast-snyk-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "8f3ecbeaff579e41b8278f82d7fabac27845db17a8e687ea6c510c0c9aceabbb" }, "entryPoint": "sast-snyk-check-oci-ta", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-snyk-check-oci-ta" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SKIPPED\",\"timestamp\":\"2026-05-16T08:09:48+00:00\",\"note\":\"Task sast-snyk-check-oci-ta skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "startTime": "2026-05-16T08:09:30Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "containerd://4261681a11310831141e9fe5083ce10de27a1b3c746f9d1dbfbddc6003291470", "exitCode": 0, "finishedAt": "2026-05-16T08:09:48Z", "reason": "Completed", "startedAt": "2026-05-16T08:09:47Z" }, "terminationReason": "Completed" }, { "container": "step-sast-snyk-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-snyk-check", "provenance": {}, "terminated": { "containerID": "containerd://85d41d2d13e359170e2f4fb0e5247bd93a617804daed1f3f4b0f245a653020c6", "exitCode": 0, "finishedAt": "2026-05-16T08:09:48Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-05-16T08:09:48+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check-oci-ta skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:09:48Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "provenance": {}, "terminated": { "containerID": "containerd://daf76b9c6dcd762b80c31ac0d651115705991605128edba494cce30d3b2d1646", "exitCode": 0, "finishedAt": "2026-05-16T08:09:49Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SKIPPED\\\",\\\"timestamp\\\":\\\"2026-05-16T08:09:48+00:00\\\",\\\"note\\\":\\\"Task sast-snyk-check-oci-ta skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/)\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:09:49Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans source code for security vulnerabilities, including common issues such as SQL injection, cross-site scripting (XSS), and code injection attacks using Snyk Code, a Static Application Security Testing (SAST) tool.\n\nFollow the steps given [here](https://konflux-ci.dev/docs/testing/build/snyk/) to obtain a snyk-token and to enable the snyk task in a Pipeline.\n\nThe snyk binary used in this Task comes from a container image defined in https://github.com/konflux-ci/konflux-test\n\nSee https://snyk.io/product/snyk-code/ and https://snyk.io/ for more information about the snyk tool.", "params": [ { "default": "", "description": "Append arguments.", "name": "ARGS", "type": "string" }, { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "", "description": "Directories or files to be excluded from Snyk scan (Comma-separated). Useful to split the directories of a git repo across multiple components.", "name": "IGNORE_FILE_PATHS", "type": "string" }, { "default": "true", "description": "Report only important findings in task result. Default is \"true\". To report all findings in task result, specify \"false\". Uploaded SARIF report to remote registry always includes all findings, regardless of severity level.", "name": "IMP_FINDINGS_ONLY", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Write excluded records in file. Useful for auditing (defaults to false).", "name": "RECORD_EXCLUDED", "type": "string" }, { "default": "snyk-secret", "description": "Name of secret which contains Snyk token.", "name": "SNYK_SECRET", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "description": "Digest of the image to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw@sha256:521ec2ee0354649bea641963011b20fed4d1e6bba0b41450b9d05cabf73006dd=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "memory": "4Gi" } }, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "memory": "6Gi" }, "requests": { "cpu": "1", "memory": "6Gi" } }, "env": [ { "name": "SNYK_SECRET", "value": "snyk-secret" }, { "name": "ARGS" }, { "name": "IGNORE_FILE_PATHS" }, { "name": "IMP_FINDINGS_ONLY", "value": "true" }, { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } }, { "name": "TARGET_DIRS", "value": "." } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-snyk-check", "script": "#!/usr/bin/env bash\n\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\n# Installation of Red Hat certificates for cloning Red Hat internal repositories\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSNYK_TOKEN_PATH=\"/etc/secrets/snyk_token\"\nif [ -f \"${SNYK_TOKEN_PATH}\" ] \u0026\u0026 [ -s \"${SNYK_TOKEN_PATH}\" ]; then\n # SNYK token is provided\n SNYK_TOKEN=\"$(cat ${SNYK_TOKEN_PATH})\"\n export SNYK_TOKEN\nelse\n # According to shellcheck documentation, the following error can be ignored as it is ignored through indirection: https://www.shellcheck.net/wiki/SC2034\n # shellcheck disable=SC2034\n to_enable_snyk='[here](https://konflux-ci.dev/docs/testing/build/snyk/)'\n note=\"Task sast-snyk-check-oci-ta skipped: If you wish to use the Snyk code SAST task, please create a secret name snyk-secret with the key 'snyk_token' containing the Snyk token by following the steps given ${to_enable_snyk}\"\n TEST_OUTPUT=$(make_result_json -r SKIPPED -t \"$note\")\n echo \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n\n# Wrapper around snyk code test that maps valid non-zero exit codes (1, 3)\n# to 0 so the existing retry function only retries on exit code 2 (error).\n# Exit codes: 0 = success, 1 = vulnerabilities found, 2 = error, 3 = no supported files\n# The real exit code is always preserved in SNYK_EXIT_CODE.\n# Error codes (2+) always override, valid codes (0, 1, 3) only if no previous error.\n_snyk_code_test() {\n snyk code test \"$@\" 1\u003e\u00262 \u003e\u003estdout.txt\n local ec=$?\n if [[ \"$ec\" -ne 0 ]] \u0026\u0026 [[ \"$ec\" -ne 1 ]] \u0026\u0026 [[ \"$ec\" -ne 3 ]]; then\n SNYK_EXIT_CODE=$ec\n fi\n if [[ \"$ec\" -eq 1 ]] || [[ \"$ec\" -eq 3 ]]; then\n return 0\n fi\n return \"$ec\"\n}\n\nSNYK_EXIT_CODE=0\nSOURCE_CODE_DIR=/var/workdir\n\n# We ignore files using snyk ignore if the user set up the IGNORE_FILE_PATHS variable.\n(cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 IFS=\",\" \u0026\u0026 for path in $IGNORE_FILE_PATHS; do\n snyk ignore --file-path=\"source/${path}\"\ndone)\n\nset +e\necho \"INFO: Running 'snyk code test'..\"\n# We do want to expand ARGS (it can be multiple CLI flags, not just one)\n# shellcheck disable=SC2086\n\n# Generate full paths for each directory in TARGET_DIRS\nIFS=\",\" read -ra TARGETS_ARRAY \u003c\u003c\u003c\"$TARGET_DIRS\"\nfor d in \"${TARGETS_ARRAY[@]}\"; do\n potential_path=\"${SOURCE_CODE_DIR}/${d}\"\n resolved_path=$(realpath -m \"$potential_path\")\n\n # Ensure resolved path is still within SOURCE_CODE_DIR\n if [[ ! \"$resolved_path\" == \"$SOURCE_CODE_DIR\"* ]]; then\n echo \"Error: path traversal attempt, '$potential_path' is outside '$SOURCE_CODE_DIR'\"\n exit 1\n fi\n\n # Ensure directory exists\n if [ ! -d \"$resolved_path\" ]; then\n echo \"Warning: Directory $resolved_path does not exist, skipping\"\n continue\n fi\n\n echo \"INFO: Scanning directory: $resolved_path\"\n # We do want to expand ARGS (it can be multiple CLI flags, not just one)\n # shellcheck disable=SC2086\n RETRY_INTERVAL=30 retry _snyk_code_test $ARGS \"$resolved_path\" --max-depth=1 --sarif-file-output=\"${resolved_path}/sast_snyk_check_out_${d//\\//_}.json\"\n\ndone\n\n# Merge all SARIF outputs\nfind \"$SOURCE_CODE_DIR\" -name \"sast_snyk_check_out_*.json\" -exec cat {} + \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\nset -e\ntest_not_skipped=0\nSKIP_MSG=\"We found 0 supported files\"\ngrep -q \"$SKIP_MSG\" stdout.txt || test_not_skipped=$?\n\nif [[ \"$SNYK_EXIT_CODE\" -eq 0 ]] || [[ \"$SNYK_EXIT_CODE\" -eq 1 ]]; then\n # Check if the merged SARIF file has content - this could happen if the snyk scan found no findings\n if [ ! -s \"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\" ]; then\n echo \"WARN: No JSON output files were generated by snyk scan\"\n # Get snyk version for proper SARIF metadata\n SNYK_VERSION=$(snyk --version 2\u003e/dev/null | head -1 | tr -d '\\n' || echo \"unknown\")\n # Create a valid minimal SARIF structure using jq\n # Note: coverage array is required even when empty because downstream jq commands expect it\n jq -n --arg version \"$SNYK_VERSION\" '{\n \"$schema\": \"https://json.schemastore.org/sarif-2.1.0.json\",\n \"version\": \"2.1.0\",\n \"runs\": [{\n \"tool\": {\n \"driver\": {\n \"name\": \"snyk\",\n \"version\": $version,\n \"informationUri\": \"https://snyk.io\"\n }\n },\n \"results\": [],\n \"properties\": {\n \"coverage\": []\n }\n }]\n }' \u003e\"${SOURCE_CODE_DIR}/sast_snyk_check_out.json\"\n fi\n\n # In order to generate csdiff/v1, we need to add the whole path of the source code as Snyk only provides an URI to embed the context\n (cd \"${SOURCE_CODE_DIR}\" \u0026\u0026 csgrep --mode=json --embed-context=3 \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json) |\n csgrep --mode=json --strip-path-prefix=\"source/\" \\\n \u003esast_snyk_check_out_all_findings.json\n\n echo \"INFO: Initial results:\"\n csgrep --mode=evtstat sast_snyk_check_out_all_findings.json\n\n if [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\n fi\n PROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n # create the KFP clone directory regardless\n KFP_DIR=\"known-false-positives\"\n KFP_CLONED=\"0\"\n mkdir \"${KFP_DIR}\"\n\n # We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\n if [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\n fi\n\n if [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone know-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv sast_snyk_check_out_all_findings.json filtered_sast_snyk_check_out.json\n else\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n CMD=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n if [ \"${RECORD_EXCLUDED}\" == \"true\" ]; then\n CMD+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n set +e\n \"${CMD[@]}\" sast_snyk_check_out_all_findings.json \u003efiltered_sast_snyk_check_out.json\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\n echo \"INFO: Results after filtering:\"\n (set -x \u0026\u0026 csgrep --mode=evtstat filtered_sast_snyk_check_out.json)\n fi\n\n # Generation of scan stats\n\n total_files=$(jq '[.runs[0].properties.coverage[].files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n supported_files=$(jq '[.runs[0].properties.coverage[] | select(.type == \"SUPPORTED\") | .files] | add' \"${SOURCE_CODE_DIR}\"/sast_snyk_check_out.json)\n\n # We make sure the values are 0 if no supported/total files are found\n if [ \"$total_files\" = \"null\" ] || [ -z \"$total_files\" ]; then\n total_files=0\n fi\n\n if [ \"$supported_files\" = \"null\" ] || [ -z \"$supported_files\" ]; then\n supported_files=0\n fi\n\n coverage_ratio=0\n if ((total_files \u003e 0)); then\n coverage_ratio=$((supported_files * 100 / total_files))\n fi\n\n # embed stats in results file and convert to SARIF\n csgrep --mode=sarif --set-scan-prop snyk-scanned-files-coverage:\"${coverage_ratio}\" \\\n --set-scan-prop snyk-scanned-files-success:\"${supported_files}\" \\\n --set-scan-prop snyk-scanned-files-total:\"${total_files}\" \\\n filtered_sast_snyk_check_out.json \u003esast_snyk_check_out.sarif\n\n # Create filtered SARIF for Tekton task result based on IMP_FINDINGS_ONLY parameter\n if [ \"${IMP_FINDINGS_ONLY}\" == \"true\" ]; then\n # Filter to only \"error\" level or higher (high/critical severity) for Tekton task result\n # In SARIF, defects are given a level like \"error\" or \"warning\". Snyk maps \"high\" level findings to \"error\".\n # - \"error\" → importance level 1\n # - \"warning\" (or missing level) → importance level 0\n RESULT_SARIF=\"result_sast_snyk_check_out.sarif\"\n csgrep --mode=sarif --imp-level 1 sast_snyk_check_out.sarif \u003e\"$RESULT_SARIF\"\n else\n # Use all findings for Tekton task result\n RESULT_SARIF=\"sast_snyk_check_out.sarif\"\n fi\n\n TEST_OUTPUT=\n parse_test_output \"sast-snyk-check-oci-ta\" sarif \"$RESULT_SARIF\" || true\n\n# When the test is skipped, the \"SNYK_EXIT_CODE\" is 3 and it can also be 3 in some other situation\nelif [[ \"$test_not_skipped\" -eq 0 ]]; then\n note=\"Task sast-snyk-check-oci-ta success: Snyk code test found zero supported files.\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-snyk-check test failed because of the following issues:\"\n cat stdout.txt\n note=\"Task sast-snyk-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/etc/secrets", "name": "snyk-secret", "readOnly": true }, { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw:2b300e6ccd54192a909ffd3413e3ffaa969ed093" }, { "name": "IMAGE_DIGEST", "value": "sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"sast_snyk_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n if [ \"${UPLOAD_FILES}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n if ! retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"; then\n echo \"Failed to attach to ${IMAGE_URL}\"\n fi\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "name": "snyk-secret", "secret": { "optional": true, "secretName": "snyk-secret" } }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/sample-multi-component?rev=2b300e6ccd54192a909ffd3413e3ffaa969ed093", "build.appstudio.redhat.com/commit_sha": "2b300e6ccd54192a909ffd3413e3ffaa969ed093", "build.appstudio.redhat.com/target_branch": "multi-component-base-grczrd", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "multi-component-base-grczrd", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76304882592", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-yvbibh", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://52.41.108.59:9443/ns/build-e2e-pggh/pipelinerun/go-component-caryjw-on-push-tw8mm", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"push\" \u0026\u0026 target_branch == \"multi-component-base-grczrd\" \u0026\u0026 ( \"go-component/***\".pathChanged() || \".tekton/go-component-caryjw-push.yaml\".pathChanged() )", "pipelinesascode.tekton.dev/original-prname": "go-component-caryjw-on-push", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "redhat-appstudio-qe-bot", "pipelinesascode.tekton.dev/sha": "2b300e6ccd54192a909ffd3413e3ffaa969ed093", "pipelinesascode.tekton.dev/sha-title": "Merge pull request #33438 from redhat-appstudio-qe/konflux-go-component-caryjw\n\nkonflux-ci e2e-tests update go-component-caryjw", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/sample-multi-component/commit/2b300e6ccd54192a909ffd3413e3ffaa969ed093", "pipelinesascode.tekton.dev/source-branch": "refs/heads/multi-component-base-grczrd", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-pggh/results/4ac11663-9944-4d45-a003-dd500e45eb80/records/1b602b81-e1df-43ad-bfca-75105caa6bdc", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"sample-multi-component\",\"commit\":\"2b300e6ccd54192a909ffd3413e3ffaa969ed093\",\"eventType\":\"push\"}", "results.tekton.dev/result": "build-e2e-pggh/results/4ac11663-9944-4d45-a003-dd500e45eb80", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux" }, "creationTimestamp": "2026-05-16T08:09:30Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-16T08:10:10Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-positive-mc-ymqc", "appstudio.openshift.io/component": "go-component-caryjw", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "false", "pipelinesascode.tekton.dev/check-run-id": "76304882592", "pipelinesascode.tekton.dev/event-type": "push", "pipelinesascode.tekton.dev/original-prname": "go-component-caryjw-on-push", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/sha": "2b300e6ccd54192a909ffd3413e3ffaa969ed093", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "go-component-caryjw-on-push-tw8mm", "tekton.dev/pipelineRun": "go-component-caryjw-on-push-tw8mm", "tekton.dev/pipelineRunUID": "4ac11663-9944-4d45-a003-dd500e45eb80", "tekton.dev/pipelineTask": "sast-unicode-check", "tekton.dev/task": "sast-unicode-check-oci-ta" }, "name": "go-component-caryjw-on-push-tw8mm-sast-unicode-check", "namespace": "build-e2e-pggh", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "go-component-caryjw-on-push-tw8mm", "uid": "4ac11663-9944-4d45-a003-dd500e45eb80" } ], "resourceVersion": "35310", "uid": "1b602b81-e1df-43ad-bfca-75105caa6bdc" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw:2b300e6ccd54192a909ffd3413e3ffaa969ed093" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw@sha256:521ec2ee0354649bea641963011b20fed4d1e6bba0b41450b9d05cabf73006dd" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "serviceAccountName": "build-pipeline-go-component-caryjw", "taskRef": { "params": [ { "name": "name", "value": "sast-unicode-check-oci-ta" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:90efa582de7770d55102b74014a765cd16a25a56f2cf644b56a788c70c4dc749" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:09:50Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:09:50Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "go-component-caryjw-on-push-tw8mm-sast-unicode-check-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "90efa582de7770d55102b74014a765cd16a25a56f2cf644b56a788c70c4dc749" }, "entryPoint": "sast-unicode-check-oci-ta", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-16T08:09:48+00:00\",\"note\":\"Task sast-unicode-check-oci-ta success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "startTime": "2026-05-16T08:09:31Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "containerd://e5b8b76d1f9fdf45e0f53dca761b721f20d45c77a381d06c6850b8de13cb7090", "exitCode": 0, "finishedAt": "2026-05-16T08:09:47Z", "reason": "Completed", "startedAt": "2026-05-16T08:09:46Z" }, "terminationReason": "Completed" }, { "container": "step-sast-unicode-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-unicode-check", "provenance": {}, "terminated": { "containerID": "containerd://d899d660a1fe28cf596936b89e461aed7a2f04486d3027537d2611085c57a30f", "exitCode": 0, "finishedAt": "2026-05-16T08:09:48Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-16T08:09:48+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:09:47Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "provenance": {}, "terminated": { "containerID": "containerd://8b330518b44a36140d8e650795a81842d28b90818ee361ccf208e09dbc6b856c", "exitCode": 0, "finishedAt": "2026-05-16T08:09:49Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-16T08:09:48+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:09:48Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans source code for non-printable unicode characters in all text files.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "-p bidi -v -d -t", "description": "arguments for find-unicode-control command.", "name": "FIND_UNICODE_CONTROL_ARGS", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "description": "Image digest used for ORAS upload.", "name": "image-digest", "type": "string" }, { "description": "Image URL used for ORAS upload.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw@sha256:521ec2ee0354649bea641963011b20fed4d1e6bba0b41450b9d05cabf73006dd=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "memory": "4Gi" } }, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "100m", "memory": "4Gi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "FIND_UNICODE_CONTROL_ARGS", "value": "-p bidi -v -d -t" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_CODE_DIR", "value": "/var/workdir" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-unicode-check", "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nOLD_IFS=\"$IFS\"\nIFS=\",\"\nfor d in $TARGET_DIRS; do\n ALL_TARGETS+=(\"${SOURCE_CODE_DIR}/source/${d}\")\ndone\nIFS=\"$OLD_IFS\"\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${ALL_TARGETS[@]}\" \\\n \u003eraw_sast_unicode_check_out.txt \\\n 2\u003eraw_sast_unicode_check_out.log ||\n FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n echo \"Failed to run find-unicode-control command\" \u003e\u00262\n cat raw_sast_unicode_check_out.log\n note=\"Task sast-unicode-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n note=\"Task sast-unicode-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n --mode=json\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"${SCAN_PROP}\"\n --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003eprocessed_sast_unicode_check_out.json 2\u003eprocessed_sast_unicode_check_out.err; then\n echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n cat processed_sast_unicode_check_out.err\n note=\"Task sast-unicode-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # Build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n # Append --record-excluded option if RECORD_EXCLUDED is true\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003esast_unicode_check_out.json 2\u003esast_unicode_check_out.error\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003esast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n note=\"Task sast-unicode-check-oci-ta success: No finding was detected\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s sast_unicode_check_out.sarif ]]; then\n note=\"Task sast-unicode-check-oci-ta success: Some findings were detected, but filtered by known false positive\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-unicode-check test failed because of the following issues:\"\n cat sast_unicode_check_out.json\n TEST_OUTPUT=\n parse_test_output \"sast-unicode-check-oci-ta\" sarif sast_unicode_check_out.sarif || true\n note=\"Task sast-unicode-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/go-component-caryjw:2b300e6ccd54192a909ffd3413e3ffaa969ed093" }, { "name": "IMAGE_DIGEST", "value": "sha256:058912bd5e18b018d33359ee4800ce4488c27bdecd84a9d16abaf10b00fdb8f9" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/sample-multi-component?rev=735c8fefbb578110d14b7015c6d36e3e253c98e5", "build.appstudio.redhat.com/commit_sha": "735c8fefbb578110d14b7015c6d36e3e253c98e5", "build.appstudio.redhat.com/pull_request_number": "33439", "build.appstudio.redhat.com/target_branch": "multi-component-base-grczrd", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "multi-component-base-grczrd", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "76304900448", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-yuieiy", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://52.41.108.59:9443/ns/build-e2e-pggh/pipelinerun/python-component-jcfgzj-on-pull-request-gjbg4", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-base-grczrd\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-jcfgzj-pull-request.yaml\".pathChanged() )", "pipelinesascode.tekton.dev/original-prname": "python-component-jcfgzj-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "33439", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]", "pipelinesascode.tekton.dev/sha": "735c8fefbb578110d14b7015c6d36e3e253c98e5", "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-jcfgzj", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/sample-multi-component/commit/735c8fefbb578110d14b7015c6d36e3e253c98e5", "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-jcfgzj", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-pggh/results/c605d253-49d1-4423-9427-c0e562626ee8/records/f83bbe01-90ab-41c2-a40b-fdc5a1965cea", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"sample-multi-component\",\"commit\":\"735c8fefbb578110d14b7015c6d36e3e253c98e5\",\"eventType\":\"pull_request\",\"pull_request-id\":33439}", "results.tekton.dev/result": "build-e2e-pggh/results/c605d253-49d1-4423-9427-c0e562626ee8", "results.tekton.dev/stored": "true", "test.appstudio.openshift.io/pr-group": "konflux-python-component-jcfgzj" }, "creationTimestamp": "2026-05-16T08:07:00Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-16T08:10:11Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-positive-mc-ymqc", "appstudio.openshift.io/component": "python-component-jcfgzj", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "76304900448", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "python-component-jcfgzj-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "33439", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/sha": "735c8fefbb578110d14b7015c6d36e3e253c98e5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "python-component-jcfgzj-on-pull-request-gjbg4", "tekton.dev/pipelineRun": "python-component-jcfgzj-on-pull-request-gjbg4", "tekton.dev/pipelineRunUID": "c605d253-49d1-4423-9427-c0e562626ee8", "tekton.dev/pipelineTask": "rpms-signature-scan", "tekton.dev/task": "rpms-signature-scan", "test.appstudio.openshift.io/pr-group-sha": "2292cf5420b5f77b40010398c22593f4b778f6340503c2ecc7b8bc3da80edc" }, "name": "python-comp429728782b5fcd9dea7ba8788a3f82fc-rpms-signature-scan", "namespace": "build-e2e-pggh", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "python-component-jcfgzj-on-pull-request-gjbg4", "uid": "c605d253-49d1-4423-9427-c0e562626ee8" } ], "resourceVersion": "35403", "uid": "f83bbe01-90ab-41c2-a40b-fdc5a1965cea" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5" }, { "name": "image-digest", "value": "sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2" } ], "serviceAccountName": "build-pipeline-python-component-jcfgzj", "taskRef": { "params": [ { "name": "name", "value": "rpms-signature-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan:0.2@sha256:d4e3499ad4af6869470233bef6faaa1bdd69ef56276841eeec93ce6e62deeb93" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:07:44Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:07:44Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "python-comp429728782b5fcd9dac0207a7c5d18e2f5885ad3a2c3942f3-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "d4e3499ad4af6869470233bef6faaa1bdd69ef56276841eeec93ce6e62deeb93" }, "entryPoint": "rpms-signature-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-rpms-signature-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5\", \"digests\": [\"sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2\"]}}\n" }, { "name": "RPMS_DATA", "type": "string", "value": "{\"keys\": {\"199e2f91fd431d51\": 116, \"unsigned\": 0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-16T08:07:41+00:00\",\"note\":\"Task rpms-signature-scan completed successfully\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "startTime": "2026-05-16T08:07:03Z", "steps": [ { "container": "step-rpms-signature-scan", "imageID": "quay.io/konflux-ci/tools@sha256:5d29650b47acbdf728013c6f738dd0df6844a06e2001d3e1fb9f7941df7a0abe", "name": "rpms-signature-scan", "provenance": {}, "terminated": { "containerID": "containerd://abeb260e9c0c29430be37722cfbcefbd4e8dca8bbd60b9bf38af61eff3886a74", "exitCode": 0, "finishedAt": "2026-05-16T08:07:40Z", "reason": "Completed", "startedAt": "2026-05-16T08:07:29Z" }, "terminationReason": "Completed" }, { "container": "step-output-results", "imageID": "quay.io/konflux-ci/konflux-test@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "provenance": {}, "terminated": { "containerID": "containerd://a6a6d5b9505732c5918998f7c2aac4210b9877750ec09679a492cf8b595de8cb", "exitCode": 0, "finishedAt": "2026-05-16T08:07:42Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5\\\", \\\"digests\\\": [\\\"sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2\\\"]}}\\n\",\"type\":1},{\"key\":\"RPMS_DATA\",\"value\":\"{\\\"keys\\\": {\\\"199e2f91fd431d51\\\": 116, \\\"unsigned\\\": 0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-16T08:07:41+00:00\\\",\\\"note\\\":\\\"Task rpms-signature-scan completed successfully\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:07:40Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans RPMs in an image and provide information about RPMs signatures.", "params": [ { "description": "Image URL", "name": "image-url", "type": "string" }, { "description": "Image digest to scan", "name": "image-digest", "type": "string" }, { "default": "/tmp", "description": "Directory that will be used for storing temporary\nfiles produced by this task.\n", "name": "workdir", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Information about signed and unsigned RPMs", "name": "RPMS_DATA", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "200m", "memory": "256Mi" }, "requests": { "cpu": "200m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5" }, { "name": "IMAGE_DIGEST", "value": "sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2" }, { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/tools@sha256:5d29650b47acbdf728013c6f738dd0df6844a06e2001d3e1fb9f7941df7a0abe", "name": "rpms-signature-scan", "script": "#!/bin/bash\nset -ex\nset -o pipefail\n\nrpm_verifier \\\n --image-url \"${IMAGE_URL}\" \\\n --image-digest \"${IMAGE_DIGEST}\" \\\n --workdir \"${WORKDIR}\" \\\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "cpu": "50m", "memory": "32Mi" }, "requests": { "cpu": "50m", "memory": "32Mi" } }, "env": [ { "name": "WORKDIR", "value": "/tmp" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.53@sha256:724ecf16a1fc9b51a1b20c91c5125556c53d471d0d8db1648d2404e4715f204e", "name": "output-results", "script": "#!/bin/bash\nset -ex\n\nsource /utils.sh\nstatus=$(cat \"${WORKDIR}\"/status)\nrpms_data=$(cat \"${WORKDIR}\"/results)\nimages_processed=$(cat \"${WORKDIR}\"/images_processed)\n\nif [ \"$status\" == \"ERROR\" ]; then\n note=\"Task rpms-signature-scan failed to scan images. Refer to Tekton task output for details\"\nelse\n note=\"Task rpms-signature-scan completed successfully\"\nfi\n\nTEST_OUTPUT=$(make_result_json -r \"$status\" -t \"$note\")\n\necho \"${TEST_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\necho \"${rpms_data}\" | tee \"/tekton/results/RPMS_DATA\"\necho \"${images_processed}\" | tee \"/tekton/results/IMAGES_PROCESSED\"\n", "volumeMounts": [ { "mountPath": "/tmp", "name": "workdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "workdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/sample-multi-component?rev=735c8fefbb578110d14b7015c6d36e3e253c98e5", "build.appstudio.redhat.com/commit_sha": "735c8fefbb578110d14b7015c6d36e3e253c98e5", "build.appstudio.redhat.com/pull_request_number": "33439", "build.appstudio.redhat.com/target_branch": "multi-component-base-grczrd", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "multi-component-base-grczrd", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "76304900448", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-yuieiy", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://52.41.108.59:9443/ns/build-e2e-pggh/pipelinerun/python-component-jcfgzj-on-pull-request-gjbg4", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-base-grczrd\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-jcfgzj-pull-request.yaml\".pathChanged() )", "pipelinesascode.tekton.dev/original-prname": "python-component-jcfgzj-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "33439", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]", "pipelinesascode.tekton.dev/sha": "735c8fefbb578110d14b7015c6d36e3e253c98e5", "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-jcfgzj", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/sample-multi-component/commit/735c8fefbb578110d14b7015c6d36e3e253c98e5", "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-jcfgzj", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-pggh/results/c605d253-49d1-4423-9427-c0e562626ee8/records/8672b53a-191d-4dbe-aab8-6f64754680fe", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"sample-multi-component\",\"commit\":\"735c8fefbb578110d14b7015c6d36e3e253c98e5\",\"eventType\":\"pull_request\",\"pull_request-id\":33439}", "results.tekton.dev/result": "build-e2e-pggh/results/c605d253-49d1-4423-9427-c0e562626ee8", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "test.appstudio.openshift.io/pr-group": "konflux-python-component-jcfgzj" }, "creationTimestamp": "2026-05-16T08:06:59Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-16T08:10:11Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-positive-mc-ymqc", "appstudio.openshift.io/component": "python-component-jcfgzj", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "76304900448", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "python-component-jcfgzj-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "33439", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/sha": "735c8fefbb578110d14b7015c6d36e3e253c98e5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "python-component-jcfgzj-on-pull-request-gjbg4", "tekton.dev/pipelineRun": "python-component-jcfgzj-on-pull-request-gjbg4", "tekton.dev/pipelineRunUID": "c605d253-49d1-4423-9427-c0e562626ee8", "tekton.dev/pipelineTask": "sast-unicode-check", "tekton.dev/task": "sast-unicode-check-oci-ta", "test.appstudio.openshift.io/pr-group-sha": "2292cf5420b5f77b40010398c22593f4b778f6340503c2ecc7b8bc3da80edc" }, "name": "python-compo429728782b5fcd9dea7ba8788a3f82fc-sast-unicode-check", "namespace": "build-e2e-pggh", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "python-component-jcfgzj-on-pull-request-gjbg4", "uid": "c605d253-49d1-4423-9427-c0e562626ee8" } ], "resourceVersion": "35404", "uid": "8672b53a-191d-4dbe-aab8-6f64754680fe" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_ARTIFACT", "value": "oci:quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj@sha256:69098e31b711f622a192b5a0e6c2da9f753877368e4b1bff2962dea7de3123ee" }, { "name": "CACHI2_ARTIFACT", "value": "" } ], "serviceAccountName": "build-pipeline-python-component-jcfgzj", "taskRef": { "params": [ { "name": "name", "value": "sast-unicode-check-oci-ta" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta:0.4@sha256:90efa582de7770d55102b74014a765cd16a25a56f2cf644b56a788c70c4dc749" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:07:49Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:07:49Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "python-compo429728782b5fcd96d6324c14b8689d5d82761e33a533eff-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "90efa582de7770d55102b74014a765cd16a25a56f2cf644b56a788c70c4dc749" }, "entryPoint": "sast-unicode-check-oci-ta", "uri": "quay.io/konflux-ci/tekton-catalog/task-sast-unicode-check-oci-ta" } }, "results": [ { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-16T08:07:42+00:00\",\"note\":\"Task sast-unicode-check-oci-ta success: No finding was detected\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "startTime": "2026-05-16T08:07:01Z", "steps": [ { "container": "step-use-trusted-artifact", "imageID": "quay.io/konflux-ci/build-trusted-artifacts@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "provenance": {}, "terminated": { "containerID": "containerd://3f81b03f56f22a3c002414fc0d6a47b62fa0e79a87bd6f3ef66338ad3f1739cb", "exitCode": 0, "finishedAt": "2026-05-16T08:07:37Z", "reason": "Completed", "startedAt": "2026-05-16T08:07:36Z" }, "terminationReason": "Completed" }, { "container": "step-sast-unicode-check", "imageID": "quay.io/konflux-ci/konflux-test@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-unicode-check", "provenance": {}, "terminated": { "containerID": "containerd://bdc68560baf0c2c6fca2943a8e9c6793612b5cffbcbecbca608c47434f0b783f", "exitCode": 0, "finishedAt": "2026-05-16T08:07:42Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-16T08:07:42+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:07:38Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "provenance": {}, "terminated": { "containerID": "containerd://7d8ae9a1ba18e173236f139f55de29a80d28af06778e25073f07ee509ae21843", "exitCode": 0, "finishedAt": "2026-05-16T08:07:45Z", "message": "[{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-16T08:07:42+00:00\\\",\\\"note\\\":\\\"Task sast-unicode-check-oci-ta success: No finding was detected\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:07:42Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans source code for non-printable unicode characters in all text files.", "params": [ { "default": "", "description": "The Trusted Artifact URI pointing to the artifact with the prefetched dependencies.", "name": "CACHI2_ARTIFACT", "type": "string" }, { "default": "-p bidi -v -d -t", "description": "arguments for find-unicode-control command.", "name": "FIND_UNICODE_CONTROL_ARGS", "type": "string" }, { "default": "SITE_DEFAULT", "description": "Known False Positives (KFP) git URL (optionally taking a revision delimited by \\#). Defaults to \"SITE_DEFAULT\", which means the default value \"https://gitlab.cee.redhat.com/osh/known-false-positives.git\" for internal Konflux instance and empty string for external Konflux instance. If set to an empty string, the KFP filtering is disabled.", "name": "KFP_GIT_URL", "type": "string" }, { "default": "", "description": "Name of the scanned project, used to find path exclusions. By default, the Konflux component name will be used.", "name": "PROJECT_NAME", "type": "string" }, { "default": "false", "description": "Whether to record the excluded findings (defaults to false).\nIf `true`, the excluded findings will be stored in `excluded-findings.json`.\n", "name": "RECORD_EXCLUDED", "type": "string" }, { "description": "The Trusted Artifact URI pointing to the artifact with the application source code.", "name": "SOURCE_ARTIFACT", "type": "string" }, { "default": ".", "description": "Target directories in component's source code. Multiple values should be separated with commas.", "name": "TARGET_DIRS", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "caTrustConfigMapKey", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "caTrustConfigMapName", "type": "string" }, { "description": "Image digest used for ORAS upload.", "name": "image-digest", "type": "string" }, { "description": "Image URL used for ORAS upload.", "name": "image-url", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/var/workdir", "name": "workdir" } ] }, "steps": [ { "args": [ "use", "oci:quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj@sha256:69098e31b711f622a192b5a0e6c2da9f753877368e4b1bff2962dea7de3123ee=/var/workdir/source", "=/var/workdir/cachi2" ], "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "memory": "4Gi" } }, "image": "quay.io/konflux-ci/build-trusted-artifacts:latest@sha256:d6d6048bdb5a73697ff88734a3f33c54193405b901d3f5192b8251a878623906", "name": "use-trusted-artifact", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, { "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "100m", "memory": "4Gi" } }, "env": [ { "name": "KFP_GIT_URL", "value": "SITE_DEFAULT" }, { "name": "PROJECT_NAME" }, { "name": "FIND_UNICODE_CONTROL_ARGS", "value": "-p bidi -v -d -t" }, { "name": "RECORD_EXCLUDED", "value": "false" }, { "name": "TARGET_DIRS", "value": "." }, { "name": "SOURCE_CODE_DIR", "value": "/var/workdir" }, { "name": "COMPONENT_LABEL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.labels['appstudio.openshift.io/component']" } } }, { "name": "BUILD_PLR_LOG_URL", "valueFrom": { "fieldRef": { "fieldPath": "metadata.annotations['pipelinesascode.tekton.dev/log-url']" } } } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.52@sha256:deabe80a01dca3a8a0edb709324e30cbf0baa176f7a181bbb695323f506f7aac", "name": "sast-unicode-check", "script": "#!/usr/bin/env bash\nset -exuo pipefail\n\n# shellcheck source=/dev/null\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nif [[ -z \"${PROJECT_NAME}\" ]]; then\n PROJECT_NAME=${COMPONENT_LABEL}\nfi\n\necho \"INFO: The PROJECT_NAME used is: ${PROJECT_NAME}\"\n\nca_bundle=/mnt/trusted-ca/ca-bundle.crt\nif [ -f \"$ca_bundle\" ]; then\n echo \"INFO: Using mounted CA bundle: $ca_bundle\"\n cp -vf $ca_bundle /etc/pki/ca-trust/source/anchors\n update-ca-trust\nfi\n\nSCAN_PROP=\"https://github.com/siddhesh/find-unicode-control.git#c2accbfbba7553a8bc1ebd97089ae08ad8347e58\"\nFUC_EXIT_CODE=0\n\n# generate full path for each dirname separated by comma\ndeclare -a ALL_TARGETS\nOLD_IFS=\"$IFS\"\nIFS=\",\"\nfor d in $TARGET_DIRS; do\n ALL_TARGETS+=(\"${SOURCE_CODE_DIR}/source/${d}\")\ndone\nIFS=\"$OLD_IFS\"\n\n# shellcheck disable=SC2086\nLANG=en_US.utf8 find_unicode_control.py ${FIND_UNICODE_CONTROL_ARGS} \"${ALL_TARGETS[@]}\" \\\n \u003eraw_sast_unicode_check_out.txt \\\n 2\u003eraw_sast_unicode_check_out.log ||\n FUC_EXIT_CODE=$?\nif [[ \"${FUC_EXIT_CODE}\" -ne 0 ]] \u0026\u0026 [[ \"${FUC_EXIT_CODE}\" -ne 1 ]]; then\n echo \"Failed to run find-unicode-control command\" \u003e\u00262\n cat raw_sast_unicode_check_out.log\n note=\"Task sast-unicode-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Translate the output format\nif ! sed -i raw_sast_unicode_check_out.txt -E -e 's|(.*:[0-9]+)(.*)|\\1: warning:\\2|' -e 's|^|Error: UNICONTROL_WARNING:\\n|'; then\n echo \"Error: failed to translate the unicontrol output format\" \u003e\u00262\n note=\"Task sast-unicode-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\n# Process all results as configured with CSGERP_OPTS\nCSGERP_OPTS=(\n --mode=json\n --remove-duplicates\n --embed-context=3\n --set-scan-prop=\"${SCAN_PROP}\"\n --strip-path-prefix=\"${SOURCE_CODE_DIR}\"/source/\n)\n# In order to generate csdiff/v1, we need to add the whole path of the source code as\n# sast-unicode-check only provides an URI to embed the context\nif ! csgrep \"${CSGERP_OPTS[@]}\" raw_sast_unicode_check_out.txt \u003eprocessed_sast_unicode_check_out.json 2\u003eprocessed_sast_unicode_check_out.err; then\n echo \"Error occurred while running csgrep with CSGERP_OPTS:\"\n cat processed_sast_unicode_check_out.err\n note=\"Task sast-unicode-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 1\nfi\n\ncsgrep --mode=evtstat processed_sast_unicode_check_out.json\n\nif [[ \"${KFP_GIT_URL}\" == \"SITE_DEFAULT\" ]]; then\n KFP_GIT_URL=\"https://gitlab.cee.redhat.com/osh/known-false-positives.git\"\nfi\nPROBE_URL=\"${KFP_GIT_URL%.git}\" # trims '.git' suffix\n\n# create the KFP clone directory regardless\nKFP_DIR=\"known-false-positives\"\nKFP_CLONED=\"0\"\nmkdir \"${KFP_DIR}\"\n\n# We check if the KFP_GIT_URL variable is set to clone and apply the filters or not\nif [[ -n \"${KFP_GIT_URL}\" ]]; then\n # Default location only reachable from internal Konflux instances, check reachable first\n echo -n \"INFO: Probing ${PROBE_URL}... \"\n if curl --fail --head --max-time 60 --no-progress-meter \"${PROBE_URL}\" \u003e \u003e(head -1); then\n echo \"INFO: Trying to clone known-false-positives..\"\n git clone \"${KFP_GIT_URL}\" \"${KFP_DIR}\" \u0026\u0026 KFP_CLONED=\"1\"\n fi\nfi\n\n# If KFP clone failed, use the unfiltered results\nif [[ \"${KFP_CLONED}\" -eq \"0\" ]]; then\n echo \"WARN: Failed to clone known-false-positives at ${KFP_GIT_URL}, scan results will not be filtered\"\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\nelse\n echo \"INFO: Filtering false positives in results files using csfilter-kfp...\"\n\n # Build initial csfilter-kfp command\n csfilter_kfp_cmd=(\n csfilter-kfp\n --verbose\n --kfp-dir=\"${KFP_DIR}\"\n --project-nvr=\"${PROJECT_NAME}\"\n )\n\n # Append --record-excluded option if RECORD_EXCLUDED is true\n if [[ \"${RECORD_EXCLUDED}\" == \"true\" ]]; then\n csfilter_kfp_cmd+=(--record-excluded=\"excluded-findings.json\")\n fi\n\n # Execute the command and capture any errors\n set +e\n \"${csfilter_kfp_cmd[@]}\" processed_sast_unicode_check_out.json \u003esast_unicode_check_out.json 2\u003esast_unicode_check_out.error\n status=$?\n set -e\n if [ \"$status\" -ne 0 ]; then\n echo \"WARN: failed to filter known false positives\" \u003e\u00262\n mv processed_sast_unicode_check_out.json sast_unicode_check_out.json\n else\n echo \"INFO: Succeeded filtering known false positives\" \u003e\u00262\n fi\nfi\n\n# Generate sarif report\ncsgrep --mode=sarif sast_unicode_check_out.json \u003esast_unicode_check_out.sarif\nif [[ \"${FUC_EXIT_CODE}\" -eq 0 ]]; then\n note=\"Task sast-unicode-check-oci-ta success: No finding was detected\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelif [[ \"${FUC_EXIT_CODE}\" -eq 1 ]] \u0026\u0026 [[ ! -s sast_unicode_check_out.sarif ]]; then\n note=\"Task sast-unicode-check-oci-ta success: Some findings were detected, but filtered by known false positive\"\n ERROR_OUTPUT=$(make_result_json -r SUCCESS -t \"$note\")\nelse\n echo \"sast-unicode-check test failed because of the following issues:\"\n cat sast_unicode_check_out.json\n TEST_OUTPUT=\n parse_test_output \"sast-unicode-check-oci-ta\" sarif sast_unicode_check_out.sarif || true\n note=\"Task sast-unicode-check-oci-ta failed: For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r ERROR -t \"$note\")\nfi\necho \"${TEST_OUTPUT:-${ERROR_OUTPUT}}\" | tee \"/tekton/results/TEST_OUTPUT\"\n", "volumeMounts": [ { "mountPath": "/mnt/trusted-ca", "name": "trusted-ca", "readOnly": true } ], "workingDir": "/var/workdir/source" }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5" }, { "name": "IMAGE_DIGEST", "value": "sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:da693a7dcbadafc9f4422ae6600b41b2847944f7f14c5622827d6f58c727cf08", "name": "upload", "script": "#!/usr/bin/env bash\n\nif [ -z \"${IMAGE_URL}\" ]; then\n echo 'No image-url param provided. Skipping upload.'\n exit 0\nfi\n\nUPLOAD_FILES=\"sast_unicode_check_out.sarif excluded-findings.json\"\nfor UPLOAD_FILE in ${UPLOAD_FILES}; do\n if [ ! -f \"${UPLOAD_FILE}\" ]; then\n echo \"No ${UPLOAD_FILE} exists. Skipping upload.\"\n continue\n fi\n\n if [ \"${UPLOAD_FILE}\" == \"excluded-findings.json\" ]; then\n MEDIA_TYPE=application/json\n else\n MEDIA_TYPE=application/sarif+json\n fi\n\n echo \"Selecting auth\"\n select-oci-auth \"${IMAGE_URL}\" \u003e\"${HOME}/auth.json\"\n echo \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${UPLOAD_FILE}:${MEDIA_TYPE}\"\ndone\n", "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/var/workdir/source" } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "workdir" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/sample-multi-component?rev=735c8fefbb578110d14b7015c6d36e3e253c98e5", "build.appstudio.redhat.com/commit_sha": "735c8fefbb578110d14b7015c6d36e3e253c98e5", "build.appstudio.redhat.com/pull_request_number": "33439", "build.appstudio.redhat.com/target_branch": "multi-component-base-grczrd", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "multi-component-base-grczrd", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "76304900448", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-yuieiy", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://52.41.108.59:9443/ns/build-e2e-pggh/pipelinerun/python-component-jcfgzj-on-pull-request-gjbg4", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-base-grczrd\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-jcfgzj-pull-request.yaml\".pathChanged() )", "pipelinesascode.tekton.dev/original-prname": "python-component-jcfgzj-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "33439", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]", "pipelinesascode.tekton.dev/sha": "735c8fefbb578110d14b7015c6d36e3e253c98e5", "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-jcfgzj", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/sample-multi-component/commit/735c8fefbb578110d14b7015c6d36e3e253c98e5", "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-jcfgzj", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-pggh/results/c605d253-49d1-4423-9427-c0e562626ee8/records/416b6341-2e79-4e60-b38e-ce40d3ceb26c", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"sample-multi-component\",\"commit\":\"735c8fefbb578110d14b7015c6d36e3e253c98e5\",\"eventType\":\"pull_request\",\"pull_request-id\":33439}", "results.tekton.dev/result": "build-e2e-pggh/results/c605d253-49d1-4423-9427-c0e562626ee8", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "konflux", "test.appstudio.openshift.io/pr-group": "konflux-python-component-jcfgzj" }, "creationTimestamp": "2026-05-16T08:06:59Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-16T08:10:10Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-positive-mc-ymqc", "appstudio.openshift.io/component": "python-component-jcfgzj", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "76304900448", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "python-component-jcfgzj-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "33439", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/sha": "735c8fefbb578110d14b7015c6d36e3e253c98e5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "python-component-jcfgzj-on-pull-request-gjbg4", "tekton.dev/pipelineRun": "python-component-jcfgzj-on-pull-request-gjbg4", "tekton.dev/pipelineRunUID": "c605d253-49d1-4423-9427-c0e562626ee8", "tekton.dev/pipelineTask": "clair-scan", "tekton.dev/task": "clair-scan", "test.appstudio.openshift.io/pr-group-sha": "2292cf5420b5f77b40010398c22593f4b778f6340503c2ecc7b8bc3da80edc" }, "name": "python-component-jcfgzj-on-pull-request-gjbg4-clair-scan", "namespace": "build-e2e-pggh", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "python-component-jcfgzj-on-pull-request-gjbg4", "uid": "c605d253-49d1-4423-9427-c0e562626ee8" } ], "resourceVersion": "35341", "uid": "416b6341-2e79-4e60-b38e-ce40d3ceb26c" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5" } ], "serviceAccountName": "build-pipeline-python-component-jcfgzj", "taskRef": { "params": [ { "name": "name", "value": "clair-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clair-scan:0.3@sha256:9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:09:27Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:09:27Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "python-component-jcfgzj-on-pull-request-gjbg4-clair-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "9397d3eb9f1cbebaa15e93256e0ca9eaca148baa674be72f07f4a00df63c4609" }, "entryPoint": "clair-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-clair-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5\", \"digests\": [\"sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2\"]}}\n" }, { "name": "REPORTS", "type": "string", "value": "{\"sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2\":\"sha256:da106d4a3a9932e9d18f0e5f20b7234da18d21b11c64db8633a9677960b148e3\"}\n" }, { "name": "SCAN_OUTPUT", "type": "string", "value": "{\"vulnerabilities\":{\"critical\":0,\"high\":1,\"medium\":3,\"low\":0,\"unknown\":0},\"unpatched_vulnerabilities\":{\"critical\":0,\"high\":4,\"medium\":106,\"low\":65,\"unknown\":0}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"SUCCESS\",\"timestamp\":\"2026-05-16T08:09:25+00:00\",\"note\":\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\",\"namespace\":\"default\",\"successes\":0,\"failures\":0,\"warnings\":0}\n" } ], "startTime": "2026-05-16T08:06:59Z", "steps": [ { "container": "step-get-image-manifests", "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d", "name": "get-image-manifests", "provenance": {}, "terminated": { "containerID": "containerd://a792dd170be9687bf637437884f47da18f7f738e21ed9121e1b9488b383df429", "exitCode": 0, "finishedAt": "2026-05-16T08:07:28Z", "reason": "Completed", "startedAt": "2026-05-16T08:07:24Z" }, "terminationReason": "Completed" }, { "container": "step-get-vulnerabilities", "imageID": "quay.io/konflux-ci/clair-in-ci@sha256:2c6327a915e868116ecf2519a658c12c741f8d1c7178856758ddc64f9d5ba682", "name": "get-vulnerabilities", "provenance": {}, "terminated": { "containerID": "containerd://fbebb1603a4a6686c712f63a8a136fee147138dc0d157578ab3ec402afc82b8d", "exitCode": 0, "finishedAt": "2026-05-16T08:09:20Z", "reason": "Completed", "startedAt": "2026-05-16T08:07:29Z" }, "terminationReason": "Completed" }, { "container": "step-oci-attach-report", "imageID": "quay.io/konflux-ci/oras@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705", "name": "oci-attach-report", "provenance": {}, "terminated": { "containerID": "containerd://c0b18bee87156e3a3fcbc7e5a59fe592f7f42b29c2e301aec011cac3af08dcf6", "exitCode": 0, "finishedAt": "2026-05-16T08:09:23Z", "reason": "Completed", "startedAt": "2026-05-16T08:09:20Z" }, "terminationReason": "Completed" }, { "container": "step-conftest-vulnerabilities", "imageID": "quay.io/konflux-ci/konflux-test@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d", "name": "conftest-vulnerabilities", "provenance": {}, "terminated": { "containerID": "containerd://e5d9b7ffa285d0c20360a52dd1f18d5bddb7fcbdb570356212e5a31e57baf0a0", "exitCode": 0, "finishedAt": "2026-05-16T08:09:25Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5\\\", \\\"digests\\\": [\\\"sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2\\\"]}}\\n\",\"type\":1},{\"key\":\"REPORTS\",\"value\":\"{\\\"sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2\\\":\\\"sha256:da106d4a3a9932e9d18f0e5f20b7234da18d21b11c64db8633a9677960b148e3\\\"}\\n\",\"type\":1},{\"key\":\"SCAN_OUTPUT\",\"value\":\"{\\\"vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":1,\\\"medium\\\":3,\\\"low\\\":0,\\\"unknown\\\":0},\\\"unpatched_vulnerabilities\\\":{\\\"critical\\\":0,\\\"high\\\":4,\\\"medium\\\":106,\\\"low\\\":65,\\\"unknown\\\":0}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"result\\\":\\\"SUCCESS\\\",\\\"timestamp\\\":\\\"2026-05-16T08:09:25+00:00\\\",\\\"note\\\":\\\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\\\",\\\"namespace\\\":\\\"default\\\",\\\"successes\\\":0,\\\"failures\\\":0,\\\"warnings\\\":0}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:09:23Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans container images for vulnerabilities using Clair, by comparing the components of container image against Clair's vulnerability databases.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "The platform built by.", "name": "image-platform", "type": "string" }, { "default": "", "description": "unused, should be removed in next task version.", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-oci-attach-report", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Clair scan result.", "name": "SCAN_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" }, { "description": "Mapping of image digests to report digests", "name": "REPORTS", "type": "string" } ], "stepTemplate": { "computeResources": {}, "volumeMounts": [ { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ] }, "steps": [ { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5" }, { "name": "IMAGE_DIGEST", "value": "sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2" } ], "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d", "name": "get-image-manifests", "script": "#!/usr/bin/env bash\nset -euo pipefail\n# shellcheck source=/dev/null\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\necho \"Inspecting raw image manifest $imageanddigest.\"\n\n# Get the arch and image manifests by inspecting the image. This is mainly for identifying image indexes\nimage_manifests=$(get_image_manifests -i \"${imageanddigest}\")\nif [ -n \"$image_manifests\" ]; then\n echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"' | while read -r arch arch_sha; do\n echo \"$arch_sha\" \u003e /tekton/home/image-manifest-$arch.sha\n done\nelse\n echo \"Failed to get image manifests from image \\\"$imageanddigest\\\"\"\n note=\"Task clair-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\nfi\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } }, { "computeResources": { "limits": { "cpu": "800m", "memory": "7Gi" }, "requests": { "cpu": "800m", "memory": "7Gi" } }, "env": [ { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5" }, { "name": "IMAGE_DIGEST", "value": "sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2" }, { "name": "IMAGE_PLATFORM" } ], "image": "quay.io/konflux-ci/clair-in-ci:v1", "imagePullPolicy": "Always", "name": "get-vulnerabilities", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n# shellcheck source=/utils.sh\n. /utils.sh\n\nimagewithouttag=$(echo -n $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\")\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\n\n# the quay report format used by the Conftest rules in the\n# conftest-vulnerabilities step doesn't contain the \"issued\" date which\n# we require in the policy rules, so we resort to running clair-action\n# twice to produce both quay and clair formatted output\nclair_report() {\n { retry clair-action report --image-ref=\"$1\" --db-path=/tmp/matcher.db --format=clair | tee \"clair-report-$2.json\"; } \u0026\u0026 \\\n { retry clair-action convert --file-path=\"clair-report-$2.json\" --format=quay \u003e \"clair-result-$2.json\"; }\n}\n\nrun_clair_on_arch() {\n local arch=\"$1\"\n local sha_file=\"image-manifest-$arch.sha\"\n\n if [ -e \"$sha_file\" ]; then\n local arch_sha\n arch_sha=$(\u003c\"$sha_file\")\n local digest=\"${imagewithouttag}@${arch_sha}\"\n\n echo \"Running clair-action on $arch image manifest...\"\n clair_report \"$digest\" \"$arch\" || true\n\n digests_processed+=(\"\\\"$arch_sha\\\"\")\n fi\n}\n\nplatform=\"${IMAGE_PLATFORM}\"\n\n# If a platform is specified, extract the architecture and run clair-action on the corresponding image manifest\nif [ -n \"$platform\" ]; then\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n # Validate against supported arch list. If it's not a known arch, fallback to amd64\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 0\n ;;\n esac\n\n run_clair_on_arch \"$arch\"\n\n# If no platform is specified, run clair-action on all available image manifests\nelse\n for sha_file in image-manifest-*.sha; do\n if [ -e \"$sha_file\" ]; then\n arch=$(basename \"$sha_file\" | sed 's/image-manifest-//;s/.sha//')\n run_clair_on_arch \"$arch\"\n fi\n done\nfi\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\n\nimages_processed=$(echo \"${images_processed_template/\\[%s]/[$digests_processed_string]}\")\necho \"$images_processed\" \u003e images-processed.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_OCI_ATTACH_REPORT", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:d126f98e16bfad71aab782eb212a5be701e2cde915d294a7bd6423a4ab448705", "name": "oci-attach-report", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nif [ \"$SKIP_OCI_ATTACH_REPORT\" = \"true\" ]; then\n echo 'OCI attach report skipped by parameter.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\nif ! compgen -G \"clair-report-*.json\" \u003e /dev/null; then\n echo 'No Clair reports generated. Skipping upload.'\n echo '{}' \u003e reports.json\n exit 0\nfi\n\necho \"Selecting auth\"\nselect-oci-auth \"$IMAGE_URL\" \u003e \"$HOME/auth.json\"\n\nrepository=\"${IMAGE_URL/:*/}\"\n\narch() {\n report_file=\"$1\"\n arch=\"${report_file/*-}\"\n echo \"${arch/.json/}\"\n}\n\nMEDIA_TYPE='application/vnd.redhat.clair-report+json'\n\nreports_json=\"\"\nfor f in clair-report-*.json; do\n digest=$(cat \"image-manifest-$(arch \"$f\").sha\")\n image_ref=\"${repository}@${digest}\"\n echo \"Attaching $f to ${image_ref}\"\n if ! report_digest=\"$(retry oras attach --no-tty --format go-template='{{.digest}}' --registry-config \\\n \"$HOME/auth.json\" --artifact-type \"${MEDIA_TYPE}\" \"${image_ref}\" \"$f:${MEDIA_TYPE}\")\"\n then\n echo \"Failed to attach ${f} to ${image_ref}\"\n exit 1\n fi\n # shellcheck disable=SC2016\n reports_json=\"$(yq --output-format json --indent=0 eval-all '. as $i ireduce ({}; . * $i)' \u003c(echo \"${reports_json}\") \u003c(echo \"${digest}: ${report_digest}\"))\"\ndone\necho \"${reports_json}\" \u003e reports.json\n", "workingDir": "/tekton/home" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/konflux-test:v1.4.48@sha256:9b815268fb2bf10b5d745518da1c6568944f15816efe51adc192972b42a6e74d", "name": "conftest-vulnerabilities", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\nclair_result_files=$(ls /tekton/home/clair-result-*.json)\nif [ -z \"$clair_result_files\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: No clair-result files found in /tekton/home.\"\nfi\n\nmissing_vulnerabilities_files=\"\"\nfor file in $clair_result_files; do\n file_suffix=$(basename \"$file\" | sed 's/clair-result-//;s/.json//')\n if [ ! -s \"$file\" ]; then\n echo \"Previous step [get-vulnerabilities] failed: $file is empty.\"\n else\n /usr/bin/conftest test --no-fail $file \\\n --policy /project/clair/vulnerabilities-check.rego --namespace required_checks \\\n --output=json | tee /tekton/home/clair-vulnerabilities-$file_suffix.json || true\n fi\n\n #check for missing \"clair-vulnerabilities-\u003carch\u003e/image-index\" file and create a string\n if [ ! -f \"/tekton/home/clair-vulnerabilities-$file_suffix.json\" ]; then\n missing_vulnerabilities_files+=\"${missing_vulnerabilities_files:+, }/tekton/home/clair-vulnerabilities-$file_suffix.json\"\n fi\ndone\n\nif [ -n \"$missing_vulnerabilities_files\" ]; then\n note=\"Task clair-scan failed: $missing_vulnerabilities_files did not generate. For details, check Tekton task log.\"\n TEST_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"$missing_vulnerabilities_files did not generate correctly. For details, check conftest command in Tekton task log.\"\n echo \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n exit 0\nfi\n\nscan_result='{\"vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}, \"unpatched_vulnerabilities\":{\"critical\":0, \"high\":0, \"medium\":0, \"low\":0, \"unknown\":0}}'\nfor file in /tekton/home/clair-vulnerabilities-*.json; do\n result=$(jq -rce \\\n '{\n vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n },\n unpatched_vulnerabilities:{\n critical: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_critical_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n high: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_high_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n medium: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_medium_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n low: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_low_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0),\n unknown: (.[] | .warnings? // [] | map(select(.metadata.details.name==\"clair_unpatched_unknown_vulnerabilities\").metadata.\"vulnerabilities_number\" // 0)| add // 0)\n }\n }' \"$file\")\n\n scan_result=$(jq -s -rce \\\n '.[0].vulnerabilities.critical += .[1].vulnerabilities.critical |\n .[0].vulnerabilities.high += .[1].vulnerabilities.high |\n .[0].vulnerabilities.medium += .[1].vulnerabilities.medium |\n .[0].vulnerabilities.low += .[1].vulnerabilities.low |\n .[0].vulnerabilities.unknown += .[1].vulnerabilities.unknown |\n .[0].unpatched_vulnerabilities.critical += .[1].unpatched_vulnerabilities.critical |\n .[0].unpatched_vulnerabilities.high += .[1].unpatched_vulnerabilities.high |\n .[0].unpatched_vulnerabilities.medium += .[1].unpatched_vulnerabilities.medium |\n .[0].unpatched_vulnerabilities.low += .[1].unpatched_vulnerabilities.low |\n .[0].unpatched_vulnerabilities.unknown += .[1].unpatched_vulnerabilities.unknown |\n .[0]' \u003c\u003c\u003c\"$scan_result $result\")\ndone\n\necho \"$scan_result\" | tee \"/tekton/results/SCAN_OUTPUT\"\n\ncat /tekton/home/images-processed.json | tee /tekton/results/IMAGES_PROCESSED\n# shellcheck disable=SC2154\ncat /tekton/home/reports.json \u003e \"/tekton/results/REPORTS\"\n\nnote=\"Task clair-scan completed: Refer to Tekton task result SCAN_OUTPUT for vulnerabilities scanned by Clair.\"\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"$note\")\necho \"${TEST_OUTPUT}\" | tee /tekton/results/TEST_OUTPUT\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } } } ], "volumes": [ { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/sample-multi-component?rev=735c8fefbb578110d14b7015c6d36e3e253c98e5", "build.appstudio.redhat.com/commit_sha": "735c8fefbb578110d14b7015c6d36e3e253c98e5", "build.appstudio.redhat.com/pull_request_number": "33439", "build.appstudio.redhat.com/target_branch": "multi-component-base-grczrd", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "multi-component-base-grczrd", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "76304900448", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-yuieiy", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://52.41.108.59:9443/ns/build-e2e-pggh/pipelinerun/python-component-jcfgzj-on-pull-request-gjbg4", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-base-grczrd\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-jcfgzj-pull-request.yaml\".pathChanged() )", "pipelinesascode.tekton.dev/original-prname": "python-component-jcfgzj-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "33439", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]", "pipelinesascode.tekton.dev/sha": "735c8fefbb578110d14b7015c6d36e3e253c98e5", "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-jcfgzj", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/sample-multi-component/commit/735c8fefbb578110d14b7015c6d36e3e253c98e5", "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-jcfgzj", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-pggh/results/c605d253-49d1-4423-9427-c0e562626ee8/records/01b74006-b565-4e94-aae8-6908ab49b161", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"sample-multi-component\",\"commit\":\"735c8fefbb578110d14b7015c6d36e3e253c98e5\",\"eventType\":\"pull_request\",\"pull_request-id\":33439}", "results.tekton.dev/result": "build-e2e-pggh/results/c605d253-49d1-4423-9427-c0e562626ee8", "results.tekton.dev/stored": "true", "tekton.dev/pipelines.minVersion": "0.12.1", "tekton.dev/tags": "virus, konflux", "test.appstudio.openshift.io/pr-group": "konflux-python-component-jcfgzj" }, "creationTimestamp": "2026-05-16T08:06:59Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-16T08:10:11Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-positive-mc-ymqc", "appstudio.openshift.io/component": "python-component-jcfgzj", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "76304900448", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "python-component-jcfgzj-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "33439", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/sha": "735c8fefbb578110d14b7015c6d36e3e253c98e5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "python-component-jcfgzj-on-pull-request-gjbg4", "tekton.dev/pipelineRun": "python-component-jcfgzj-on-pull-request-gjbg4", "tekton.dev/pipelineRunUID": "c605d253-49d1-4423-9427-c0e562626ee8", "tekton.dev/pipelineTask": "clamav-scan", "tekton.dev/task": "clamav-scan", "test.appstudio.openshift.io/pr-group-sha": "2292cf5420b5f77b40010398c22593f4b778f6340503c2ecc7b8bc3da80edc" }, "name": "python-component-jcfgzj-on-pull-request-gjbg4-clamav-scan", "namespace": "build-e2e-pggh", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "python-component-jcfgzj-on-pull-request-gjbg4", "uid": "c605d253-49d1-4423-9427-c0e562626ee8" } ], "resourceVersion": "35398", "uid": "01b74006-b565-4e94-aae8-6908ab49b161" }, "spec": { "params": [ { "name": "image-digest", "value": "sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2" }, { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5" } ], "serviceAccountName": "build-pipeline-python-component-jcfgzj", "taskRef": { "params": [ { "name": "name", "value": "clamav-scan" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan:0.3@sha256:9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:09:13Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:09:13Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "python-component-jcfgzj-on-pull-request-gjbg4-clamav-scan-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "9f18b216ce71a66909e7cb17d9b34526c02d73cf12884ba32d1f10614f7b9f5a" }, "entryPoint": "clamav-scan", "uri": "quay.io/konflux-ci/tekton-catalog/task-clamav-scan" } }, "results": [ { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5\", \"digests\": [\"sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2\"]}}\n" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"timestamp\":\"1778918892\",\"namespace\":\"required_checks\",\"successes\":2,\"failures\":0,\"warnings\":0,\"result\":\"SUCCESS\",\"note\":\"All checks passed successfully\"}\n" } ], "startTime": "2026-05-16T08:07:00Z", "steps": [ { "container": "step-extract-and-scan-image", "imageID": "quay.io/konflux-ci/clamav-db@sha256:0ef3528c5e838e1174bcfaf5d2a58f557dccdd50a58a844929a1eb0a307c957d", "name": "extract-and-scan-image", "provenance": {}, "terminated": { "containerID": "containerd://f26d398c92c00c31f5d4dd3b7e80198c7e1893de7d4b5663dbe19703c2851f63", "exitCode": 0, "finishedAt": "2026-05-16T08:08:13Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5\\\", \\\"digests\\\": [\\\"sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778918892\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:07:28Z" }, "terminationReason": "Completed" }, { "container": "step-upload", "imageID": "quay.io/konflux-ci/oras@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "upload", "provenance": {}, "terminated": { "containerID": "containerd://04ed112c1fbdfc65c95f2fd2278111b0bd8fb2571a8de4f37807e18914178880", "exitCode": 0, "finishedAt": "2026-05-16T08:08:26Z", "message": "[{\"key\":\"IMAGES_PROCESSED\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5\\\", \\\"digests\\\": [\\\"sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2\\\"]}}\\n\",\"type\":1},{\"key\":\"TEST_OUTPUT\",\"value\":\"{\\\"timestamp\\\":\\\"1778918892\\\",\\\"namespace\\\":\\\"required_checks\\\",\\\"successes\\\":2,\\\"failures\\\":0,\\\"warnings\\\":0,\\\"result\\\":\\\"SUCCESS\\\",\\\"note\\\":\\\"All checks passed successfully\\\"}\\n\",\"type\":1}]", "reason": "Completed", "startedAt": "2026-05-16T08:08:13Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans the content of container images and OCI artifacts for viruses, malware, and other malicious content using ClamAV antivirus scanner.", "params": [ { "description": "Image digest to scan.", "name": "image-digest", "type": "string" }, { "description": "Image URL.", "name": "image-url", "type": "string" }, { "default": "", "description": "Image arch.", "name": "image-arch", "type": "string" }, { "default": "", "description": "unused", "name": "docker-auth", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "8", "description": "Maximum number of threads clamd runs.", "name": "clamd-max-threads", "type": "string" }, { "default": "false", "description": "If true, skips uploading the results to the image registry. Useful for read-only tests.", "name": "skip-upload", "type": "string" } ], "results": [ { "description": "Tekton task test output.", "name": "TEST_OUTPUT", "type": "string" }, { "description": "Images processed in the task.", "name": "IMAGES_PROCESSED", "type": "string" } ], "steps": [ { "computeResources": { "limits": { "cpu": "7300m", "memory": "12Gi" }, "requests": { "cpu": "7300m", "memory": "12Gi" } }, "env": [ { "name": "HOME", "value": "/work" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5" }, { "name": "IMAGE_DIGEST", "value": "sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2" }, { "name": "IMAGE_ARCH" }, { "name": "MAX_THREADS", "value": "8" } ], "image": "quay.io/konflux-ci/clamav-db:latest", "name": "extract-and-scan-image", "script": "#!/usr/bin/env bash\nset -euo pipefail\n. /utils.sh\ntrap 'handle_error /tekton/results/TEST_OUTPUT' EXIT\n\n# Start clamd in background\n/start-clamd.sh\n\n# Bootstrap .docker config in overridden HOME.\n# This prevents 'oc' CLI failures in clean environments where ~/.docker does not exist.\nif [ ! -d ~/.docker ]; then\n mkdir -p ~/.docker\n echo '{}' \u003e ~/.docker/config.json\nfi\n\nimagewithouttag=$(echo $IMAGE_URL | sed \"s/\\(.*\\):.*/\\1/\" | tr -d '\\n')\n\n# strip new-line escape symbol from parameter and save it to variable\nimageanddigest=$(echo $imagewithouttag@$IMAGE_DIGEST)\n\n# check if image is attestation one, skip the clamav scan in such case\nif [[ $imageanddigest == *.att ]]\nthen\n echo \"$imageanddigest is an attestation image. Skipping ClamAV scan.\"\n exit 0\nfi\n\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$IMAGE_URL\"'\", \"digests\": [%s]}}'\ndigests_processed=()\nmkdir logs\nmkdir content\ncd content\necho \"Detecting artifact type for ${imageanddigest}.\"\necho '{\"artifact\":{\"pullspec\":\"'\"${imageanddigest}\"'\",\"type\":\"unknown\",\"mediaType\":\"\"}}' \u003e /work/logs/artifact-meta.json\n\n# Function to scan content and process results with ClamAV and EC\n# Parameters:\n# $1: destination - path to the content to scan\n# $2: suffix - suffix for log file names (e.g., \"oci\", \"amd64\")\n# $3: digest - digest to add to digests_processed array\n# $4: scan_message - optional message describing what is being scanned\nscan_and_process() {\n local destination=\"$1\"\n local suffix=\"$2\"\n local digest=\"$3\"\n local scan_message=\"${4:-Scanning content}\"\n\n db_version=$(clamdscan --version | sed 's|.*/\\(.*\\)/.*|\\1|')\n\n echo \"$scan_message. This operation may take a while.\"\n clamdscan \"${destination}\" -vi --multiscan --fdpass \\\n | tee \"/work/logs/clamscan-result-${suffix}.log\" || true\n\n echo \"Executed-on: Scan was executed on clamsdcan version - $(clamdscan --version) Database version: $db_version\" | tee -a \"/work/logs/clamscan-result-${suffix}.log\"\n\n digests_processed+=(\"\\\"$digest\\\"\")\n\n if [[ -e \"/work/logs/clamscan-result-${suffix}.log\" ]]; then\n # OPA/EC requires structured data input, add clamAV log into json\n jq -Rs '{ output: . }' \"/work/logs/clamscan-result-${suffix}.log\" \u003e \"/work/logs/clamscan-result-log-${suffix}.json\"\n\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o json \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" || true\n\n # workaround: due to a bug in ec-cli, we cannot generate json and appstudio output at the same time, running it again\n EC_EXPERIMENTAL=1 ec test \\\n --namespace required_checks \\\n --policy /project/clamav/virus-check.rego \\\n -o appstudio \\\n \"/work/logs/clamscan-result-log-${suffix}.json\" | tee \"/work/logs/clamscan-ec-test-${suffix}.json\" || true\n\n cat \"/work/logs/clamscan-ec-test-${suffix}.json\"\n fi\n}\n\n# Detect artifact type: container image vs OCI artifact\n# First, try to get image manifests (works for container images)\n# Use subshell to prevent get_image_manifests() from exiting the main script if it fails\n# (get_image_manifests uses exit 1 when Architecture field is missing, which happens for OCI artifacts)\nimage_manifests=$(bash -c '. /utils.sh; get_image_manifests -i \"'\"${imageanddigest}\"'\"' 2\u003e/dev/null || echo \"\")\n\n# If get_image_manifests failed, check if it's an OCI artifact by inspecting manifest media type\nif [ -z \"$image_manifests\" ]; then\n echo \"get_image_manifests returned empty, checking if this is an OCI artifact...\"\n raw_manifest=$(skopeo inspect --raw --authfile ~/.docker/config.json \"docker://${imageanddigest}\" 2\u003e/dev/null || true)\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"inspected\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n\n if [ -n \"$raw_manifest\" ]; then\n media_type=$(echo \"$raw_manifest\" | jq -r '.mediaType // .config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n artifact_type=$(echo \"$raw_manifest\" | jq -r '.artifactType // empty' 2\u003e/dev/null || echo \"\")\n config_media_type=$(echo \"$raw_manifest\" | jq -r '.config.mediaType // empty' 2\u003e/dev/null || echo \"\")\n\n # Determine if this is an OCI artifact (not a container image)\n # OCI artifacts typically have:\n # - An empty/scratch config (config.mediaType contains \"empty\" or \"scratch\")\n # - An explicit artifactType field that is not a container image type\n is_oci_artifact=false\n\n # Check if config is empty/scratch (typical for OCI artifacts like python wheels, helm charts, etc.)\n if echo \"$config_media_type\" | grep -qiE \"(empty|scratch)\"; then\n is_oci_artifact=true\n fi\n\n # Check if artifactType is set and is not a container image type\n if [ -n \"$artifact_type\" ] \u0026\u0026 ! echo \"$artifact_type\" | grep -qE \"application/vnd\\.(oci|docker)\\.(image|container)\"; then\n is_oci_artifact=true\n fi\n\n if [ \"$is_oci_artifact\" = true ]; then\n # This is an OCI artifact (e.g., python wheels, helm charts, etc.)\n echo \"Detected OCI artifact (artifactType: ${artifact_type:-unset}, config.mediaType: ${config_media_type:-unset}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.artifactType = '\"\\\"${artifact_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n elif echo \"$media_type\" | grep -qE \"(application/vnd\\.(docker|oci)\\.(distribution|image)\\.manifest|application/vnd\\.docker\\.distribution\\.manifest)\"; then\n # This looks like a container image manifest, but get_image_manifests failed\n echo \"Detected container image manifest type: $media_type, but get_image_manifests failed. This may indicate an error.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"$media_type\\\"\"' | .artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n note=\"Task clamav-scan failed: Failed to get image manifests from image \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n else\n # Likely an OCI artifact with non-standard media type\n echo \"Detected OCI artifact (media type: ${media_type:-unknown}). Downloading for scanning...\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.mediaType = '\"\\\"${media_type:-unknown}\\\"\"' | .artifact.type = \"oci\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n destination=\"content-oci\"\n mkdir -p \"$destination\"\n\n # Download OCI artifact using skopeo copy\n echo \"Downloading OCI artifact using skopeo copy\"\n if ! retry skopeo copy --authfile ~/.docker/config.json \"docker://${imageanddigest}\" \"dir:${destination}\" 2\u003e\u00261; then\n echo \"Failed to download OCI artifact \\\"$imageanddigest\\\". Skipping ClamAV scan!\"\n note=\"Task clamav-scan failed: Failed to download OCI artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\n\n # Scan and process OCI artifact\n scan_and_process \"${destination}\" \"oci\" \"$IMAGE_DIGEST\" \"Scanning OCI artifact\"\n\n # Skip the container image processing path\n image_manifests=\"\"\n fi\n else\n echo \"Failed to inspect artifact \\\"$imageanddigest\\\". Unable to determine type.\"\n note=\"Task clamav-scan failed: Failed to inspect artifact \\\"$imageanddigest\\\". For details, check Tekton task log.\"\n ERROR_OUTPUT=$(make_result_json -r \"ERROR\" -t \"$note\")\n echo \"${ERROR_OUTPUT}\" | tee \"/tekton/results/TEST_OUTPUT\"\n exit 0\n fi\nfi\n\n# Process container images (existing logic)\nif [ -n \"$image_manifests\" ]; then\n echo \"Detected container image. Processing image manifests.\"\n if [ -s /work/logs/artifact-meta.json ]; then\n tmp=$(mktemp)\n if jq '.artifact.type = \"image\"' /work/logs/artifact-meta.json \u003e \"$tmp\"; then\n mv \"$tmp\" /work/logs/artifact-meta.json || true\n fi\n fi\n # Proceed only if a specific arch is provided.\n # This typically occurs when using Tekton Matrix to launch multiple TaskRuns to scan all architectures of a multi-arch image in parallel.\n if [ -n \"$IMAGE_ARCH\" ]; then\n arch=\"${IMAGE_ARCH#*/}\"\n if [ \"${arch}\" = \"x86_64\" ]; then\n arch=\"amd64\"\n fi\n\n # Check if arch is supported; if not (e.g., it's 'local', see link below), default to amd64.\n # https://github.com/redhat-appstudio/infra-deployments/blob/main/components/multi-platform-controller/production/stone-prd-rh01/host-config.yaml#L9-L14\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n arch=\"amd64\"\n ;;\n esac\n\n image_manifests=$(echo \"$image_manifests\" | jq -c --arg arch \"$arch\" '{($arch): .[$arch]}')\n fi\n\n while read -r arch arch_sha; do\n destination=$(echo content-$arch)\n mkdir -p \"$destination\"\n arch_imageanddigest=$(echo $imagewithouttag@$arch_sha)\n\n echo \"Running \\\"oc image extract\\\" on image of arch $arch\"\n retry oc image extract --only-files=true --registry-config ~/.docker/config.json \"$arch_imageanddigest\" --path=\"/:${destination}\" --filter-by-os=\"linux/${arch}\"\n if [ $? -ne 0 ]; then\n echo \"Unable to extract image for arch $arch. Skipping ClamAV scan!\"\n exit 0\n fi\n\n # Scan and process container image for this architecture\n scan_and_process \"${destination}\" \"$arch\" \"$arch_sha\" \"Scanning image for arch $arch\"\n done \u003c \u003c(echo \"$image_manifests\" | jq -r 'to_entries[] | \"\\(.key) \\(.value)\"')\nfi\n\njq -s -rce '\n reduce .[] as $item ({\"timestamp\":\"0\",\"namespace\":\"\",\"successes\":0,\"failures\":0,\"warnings\":0,\"result\":\"\",\"note\":\"\"};\n {\n \"timestamp\" : (if .timestamp \u003c $item.timestamp then $item.timestamp else .timestamp end),\n \"namespace\" : $item.namespace,\n \"successes\" : (.successes + $item.successes),\n \"failures\" : (.failures + $item.failures),\n \"warnings\" : (.warnings + $item.warnings),\n \"result\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.result else .result end),\n \"note\" : (if .result == \"\" or ($item.result == \"SKIPPED\" and .result == \"SUCCESS\") or ($item.result == \"WARNING\" and (.result == \"SUCCESS\" or .result == \"SKIPPED\")) or ($item.result == \"FAILURE\" and .result != \"ERROR\") or $item.result == \"ERROR\" then $item.note else .note end)\n })' /work/logs/clamscan-ec-test-*.json | tee /tekton/results/TEST_OUTPUT\n\n# If the image is an Image Index, also add the Image Index digest to the list.\nif [[ \"${digests_processed[*]}\" != *\"$IMAGE_DIGEST\"* ]]; then\n digests_processed+=(\"\\\"$IMAGE_DIGEST\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\necho \"${images_processed_template/\\[%s]/[$digests_processed_string]}\" | tee /tekton/results/IMAGES_PROCESSED\n", "securityContext": { "capabilities": { "add": [ "SETFCAP" ] } }, "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" }, { "computeResources": { "limits": { "cpu": "100m", "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "SKIP_UPLOAD", "value": "false" }, { "name": "IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5" }, { "name": "IMAGE_DIGEST", "value": "sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2" } ], "image": "quay.io/konflux-ci/oras:latest@sha256:f322638a8a337f26adda3f72d3fbcf7e1218a6d8d7e2365376487417a05e0f4e", "name": "upload", "script": "#!/usr/bin/env bash\nset -e\n\n# Skip upload if requested e.g. read-only CI tests where push access is denied\nif [ \"$SKIP_UPLOAD\" == \"true\" ]; then\n echo \"Upload skipped by parameter.\"\n exit 0\nfi\n\n# Don't return a glob expression when no matches are found\nshopt -s nullglob\n\ncd logs\n\nfor UPLOAD_FILE in clamscan-result*.log; do\n MEDIA_TYPE=text/vnd.clamav\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\nfor UPLOAD_FILE in clamscan-ec-test*.json; do\n MEDIA_TYPE=application/vnd.konflux.test_output+json\n args+=(\"${UPLOAD_FILE}:${MEDIA_TYPE}\")\ndone\n\nif [ -z \"${args}\" ]; then\n echo \"No files found. Skipping upload.\"\n exit 0;\nfi\n\necho \"Selecting auth\"\nselect-oci-auth $IMAGE_URL \u003e $HOME/auth.json\necho \"Attaching to ${IMAGE_URL}\"\n retry oras attach --no-tty --registry-config \"$HOME/auth.json\" --artifact-type application/vnd.clamav \"${IMAGE_URL}@${IMAGE_DIGEST}\" \"${args[@]}\"\n", "volumeMounts": [ { "mountPath": "/work", "name": "work" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" } ], "workingDir": "/work" } ], "volumes": [ { "emptyDir": {}, "name": "dbfolder" }, { "emptyDir": {}, "name": "work" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" } ] } } }, { "apiVersion": "tekton.dev/v1", "kind": "TaskRun", "metadata": { "annotations": { "build.appstudio.openshift.io/repo": "https://github.com/redhat-appstudio-qe/sample-multi-component?rev=735c8fefbb578110d14b7015c6d36e3e253c98e5", "build.appstudio.redhat.com/commit_sha": "735c8fefbb578110d14b7015c6d36e3e253c98e5", "build.appstudio.redhat.com/pull_request_number": "33439", "build.appstudio.redhat.com/target_branch": "multi-component-base-grczrd", "chains.tekton.dev/signed": "true", "pipeline.tekton.dev/release": "9db88e0", "pipelinesascode.tekton.dev/branch": "multi-component-base-grczrd", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "76304900448", "pipelinesascode.tekton.dev/controller-info": "{\"name\":\"default\",\"configmap\":\"pipelines-as-code\",\"secret\":\"pipelines-as-code-secret\", \"gRepo\": \"pipelines-as-code\"}", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/git-auth-secret": "pac-gitauth-yuieiy", "pipelinesascode.tekton.dev/git-provider": "github", "pipelinesascode.tekton.dev/installation-id": "72200095", "pipelinesascode.tekton.dev/log-url": "https://52.41.108.59:9443/ns/build-e2e-pggh/pipelinerun/python-component-jcfgzj-on-pull-request-gjbg4", "pipelinesascode.tekton.dev/max-keep-runs": "3", "pipelinesascode.tekton.dev/on-cel-expression": "event == \"pull_request\" \u0026\u0026 target_branch == \"multi-component-base-grczrd\" \u0026\u0026 ( \"python-component/***\".pathChanged() || \".tekton/python-component-jcfgzj-pull-request.yaml\".pathChanged() )", "pipelinesascode.tekton.dev/original-prname": "python-component-jcfgzj-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "33439", "pipelinesascode.tekton.dev/repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/scm-reporting-plr-started": "true", "pipelinesascode.tekton.dev/sender": "konflux-ci-e2e-tests[bot]", "pipelinesascode.tekton.dev/sha": "735c8fefbb578110d14b7015c6d36e3e253c98e5", "pipelinesascode.tekton.dev/sha-title": "konflux-ci e2e-tests update python-component-jcfgzj", "pipelinesascode.tekton.dev/sha-url": "https://github.com/redhat-appstudio-qe/sample-multi-component/commit/735c8fefbb578110d14b7015c6d36e3e253c98e5", "pipelinesascode.tekton.dev/source-branch": "konflux-python-component-jcfgzj", "pipelinesascode.tekton.dev/source-repo-url": "https://github.com/redhat-appstudio-qe/sample-multi-component", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "results.tekton.dev/childReadyForDeletion": "true", "results.tekton.dev/record": "build-e2e-pggh/results/c605d253-49d1-4423-9427-c0e562626ee8/records/ce321ca9-5f57-4f38-9a30-9f66c29c96fa", "results.tekton.dev/recordSummaryAnnotations": "{\"repo\":\"sample-multi-component\",\"commit\":\"735c8fefbb578110d14b7015c6d36e3e253c98e5\",\"eventType\":\"pull_request\",\"pull_request-id\":33439}", "results.tekton.dev/result": "build-e2e-pggh/results/c605d253-49d1-4423-9427-c0e562626ee8", "results.tekton.dev/stored": "true", "test.appstudio.openshift.io/pr-group": "konflux-python-component-jcfgzj" }, "creationTimestamp": "2026-05-16T08:06:59Z", "deletionGracePeriodSeconds": 0, "deletionTimestamp": "2026-05-16T08:10:10Z", "finalizers": [ "results.tekton.dev/taskrun" ], "generation": 2, "labels": { "app.kubernetes.io/managed-by": "pipelinesascode.tekton.dev", "app.kubernetes.io/version": "v0.42.0", "appstudio.openshift.io/application": "build-suite-positive-mc-ymqc", "appstudio.openshift.io/component": "python-component-jcfgzj", "pipelines.appstudio.openshift.io/type": "build", "pipelinesascode.tekton.dev/cancel-in-progress": "true", "pipelinesascode.tekton.dev/check-run-id": "76304900448", "pipelinesascode.tekton.dev/event-type": "pull_request", "pipelinesascode.tekton.dev/original-prname": "python-component-jcfgzj-on-pull-request", "pipelinesascode.tekton.dev/pull-request": "33439", "pipelinesascode.tekton.dev/repository": "github-com-redhat-appstudio-qe-sample-multi-component", "pipelinesascode.tekton.dev/sha": "735c8fefbb578110d14b7015c6d36e3e253c98e5", "pipelinesascode.tekton.dev/state": "started", "pipelinesascode.tekton.dev/url-org": "redhat-appstudio-qe", "pipelinesascode.tekton.dev/url-repository": "sample-multi-component", "tekton.dev/memberOf": "tasks", "tekton.dev/pipeline": "python-component-jcfgzj-on-pull-request-gjbg4", "tekton.dev/pipelineRun": "python-component-jcfgzj-on-pull-request-gjbg4", "tekton.dev/pipelineRunUID": "c605d253-49d1-4423-9427-c0e562626ee8", "tekton.dev/pipelineTask": "ecosystem-cert-preflight-checks", "tekton.dev/task": "ecosystem-cert-preflight-checks", "test.appstudio.openshift.io/pr-group-sha": "2292cf5420b5f77b40010398c22593f4b778f6340503c2ecc7b8bc3da80edc" }, "name": "python-component-jcfgzj-on-pull9f76f92e00e1a7e000694bfa1e94d4f6", "namespace": "build-e2e-pggh", "ownerReferences": [ { "apiVersion": "tekton.dev/v1", "blockOwnerDeletion": true, "controller": true, "kind": "PipelineRun", "name": "python-component-jcfgzj-on-pull-request-gjbg4", "uid": "c605d253-49d1-4423-9427-c0e562626ee8" } ], "resourceVersion": "35394", "uid": "ce321ca9-5f57-4f38-9a30-9f66c29c96fa" }, "spec": { "params": [ { "name": "image-url", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5" } ], "serviceAccountName": "build-pipeline-python-component-jcfgzj", "taskRef": { "params": [ { "name": "name", "value": "ecosystem-cert-preflight-checks" }, { "name": "bundle", "value": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks:0.2@sha256:9c300728a03f41beee9a689422d66513d32ab5f804664fe561b11cebacd07799" }, { "name": "kind", "value": "task" } ], "resolver": "bundles" }, "timeout": "1h0m0s" }, "status": { "artifacts": {}, "completionTime": "2026-05-16T08:09:16Z", "conditions": [ { "lastTransitionTime": "2026-05-16T08:09:16Z", "message": "All Steps have completed executing", "reason": "Succeeded", "status": "True", "type": "Succeeded" } ], "podName": "python-component-jcfgzj-on-8501b26c42c0ed49f9dcb425d2f77810-pod", "provenance": { "featureFlags": { "awaitSidecarReadiness": true, "coschedule": "workspaces", "enableAPIFields": "beta", "enableProvenanceInStatus": true, "enforceNonfalsifiability": "none", "maxResultSize": 4096, "resultExtractionMethod": "termination-message", "runningInEnvWithInjectedSidecars": true, "verificationNoMatchPolicy": "ignore" }, "refSource": { "digest": { "sha256": "9c300728a03f41beee9a689422d66513d32ab5f804664fe561b11cebacd07799" }, "entryPoint": "ecosystem-cert-preflight-checks", "uri": "quay.io/konflux-ci/tekton-catalog/task-ecosystem-cert-preflight-checks" } }, "results": [ { "name": "ARTIFACT_TYPE", "type": "string", "value": "application" }, { "name": "ARTIFACT_TYPE_SET_BY", "type": "string", "value": "introspection" }, { "name": "IMAGES_PROCESSED", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5\", \"digests\": [\"sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2\"]}}" }, { "name": "TEST_OUTPUT", "type": "string", "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1778918892\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}" } ], "startTime": "2026-05-16T08:06:59Z", "steps": [ { "container": "step-introspect", "imageID": "quay.io/konflux-ci/task-runner@sha256:1c0582a85dae0949f3ec94aca95695c5d7698b371f1b76c5a78822a6249073dc", "name": "introspect", "provenance": {}, "results": [ { "name": "artifact-type", "type": "string", "value": "application" }, { "name": "artifact-type-set-by", "type": "string", "value": "introspection" } ], "terminated": { "containerID": "containerd://7199d52f4063629ef9505e92c229bfd881fafb1de9ad85de1e06ab47eb0177f1", "exitCode": 0, "finishedAt": "2026-05-16T08:07:44Z", "message": "[{\"key\":\"artifact-type\",\"value\":\"application\",\"type\":4},{\"key\":\"artifact-type-set-by\",\"value\":\"introspection\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-05-16T08:07:41Z" }, "terminationReason": "Completed" }, { "container": "step-generate-container-auth", "imageID": "quay.io/konflux-ci/task-runner@sha256:1c0582a85dae0949f3ec94aca95695c5d7698b371f1b76c5a78822a6249073dc", "name": "generate-container-auth", "provenance": {}, "results": [ { "name": "auth-json-path", "type": "string", "value": "/auth/auth.json" } ], "terminated": { "containerID": "containerd://c77bf70fe4af7fadf23232e44592f67df32b4bf7fd1d3aee80c2f5a9c9dbaebe", "exitCode": 0, "finishedAt": "2026-05-16T08:07:46Z", "message": "[{\"key\":\"auth-json-path\",\"value\":\"/auth/auth.json\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-05-16T08:07:44Z" }, "terminationReason": "Completed" }, { "container": "step-set-skip-for-bundles", "imageID": "quay.io/redhat-appstudio/konflux-test@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1", "name": "set-skip-for-bundles", "provenance": {}, "terminated": { "containerID": "containerd://6e2761a6fec801a4a5ea70d2109e757d76becd679d0013409db2944e055a64f1", "exitCode": 0, "finishedAt": "2026-05-16T08:07:47Z", "reason": "Completed", "startedAt": "2026-05-16T08:07:47Z" }, "terminationReason": "Skipped" }, { "container": "step-app-check", "imageID": "quay.io/opdev/preflight@sha256:6dc9402d20c330e693e6a949ab42c8721e385f012379ff99d51310ec1cbef576", "name": "app-check", "provenance": {}, "terminated": { "containerID": "containerd://7d8d8ca56224a953c5aecdeddb9a59eee3abea7ed35e1661ea8d037e1649ed92", "exitCode": 0, "finishedAt": "2026-05-16T08:08:08Z", "reason": "Completed", "startedAt": "2026-05-16T08:07:47Z" }, "terminationReason": "Completed" }, { "container": "step-app-set-outcome", "imageID": "quay.io/konflux-ci/task-runner@sha256:1c0582a85dae0949f3ec94aca95695c5d7698b371f1b76c5a78822a6249073dc", "name": "app-set-outcome", "provenance": {}, "results": [ { "name": "images-processed", "type": "string", "value": "{\"image\": {\"pullspec\": \"quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5\", \"digests\": [\"sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2\"]}}" }, { "name": "test-output", "type": "string", "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1778918892\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}" } ], "terminated": { "containerID": "containerd://5d11f76b120bc6264daa1c2afac3c6da73cb2321ffbbf65f1ff423c5051c9e42", "exitCode": 0, "finishedAt": "2026-05-16T08:08:26Z", "message": "[{\"key\":\"images-processed\",\"value\":\"{\\\"image\\\": {\\\"pullspec\\\": \\\"quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5\\\", \\\"digests\\\": [\\\"sha256:2404d5d677802e39b61362db133c4083ac0651fc8d29efdaf1d8fa00031befd2\\\"]}}\",\"type\":4},{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1778918892\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-05-16T08:08:09Z" }, "terminationReason": "Completed" }, { "container": "step-final-outcome", "imageID": "quay.io/konflux-ci/task-runner@sha256:1c0582a85dae0949f3ec94aca95695c5d7698b371f1b76c5a78822a6249073dc", "name": "final-outcome", "provenance": {}, "results": [ { "name": "test-output", "type": "string", "value": "{\"result\":\"FAILURE\",\"timestamp\":\"1778918892\",\"note\":\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\",\"successes\":7,\"failures\":1,\"warnings\":0}" } ], "terminated": { "containerID": "containerd://3082e36f8e1ebca8c25e5246b35c3fe362dea38ce1fca5d69137520ec9a3324e", "exitCode": 0, "finishedAt": "2026-05-16T08:08:28Z", "message": "[{\"key\":\"test-output\",\"value\":\"{\\\"result\\\":\\\"FAILURE\\\",\\\"timestamp\\\":\\\"1778918892\\\",\\\"note\\\":\\\"Task preflight is a FAILURE: Refer to Tekton task logs for more information\\\",\\\"successes\\\":7,\\\"failures\\\":1,\\\"warnings\\\":0}\",\"type\":4}]", "reason": "Completed", "startedAt": "2026-05-16T08:08:17Z" }, "terminationReason": "Completed" } ], "taskSpec": { "description": "Scans container images for certification readiness. Note that running this against an operatorbundle will result in a skip, as bundle validation is not executed through this task.", "params": [ { "description": "Image url to scan.", "name": "image-url", "type": "string" }, { "default": "trusted-ca", "description": "The name of the ConfigMap to read CA bundle data from.", "name": "ca-trust-config-map-name", "type": "string" }, { "default": "ca-bundle.crt", "description": "The name of the key in the ConfigMap that contains the CA bundle data.", "name": "ca-trust-config-map-key", "type": "string" }, { "default": "introspect", "description": "The type of artifact. Select from application, operatorbundle, or introspect.", "name": "artifact-type", "type": "string" }, { "default": "", "description": "The platform the image is built on.", "name": "platform", "type": "string" } ], "results": [ { "description": "Ecosystem checks pass or fail outcome.", "name": "TEST_OUTPUT", "type": "string", "value": "$(steps.final-outcome.results.test-output)" }, { "description": "The artifact type, either introspected or set.", "name": "ARTIFACT_TYPE", "type": "string", "value": "$(steps.introspect.results.artifact-type)" }, { "description": "How the artifact type was set.", "name": "ARTIFACT_TYPE_SET_BY", "type": "string", "value": "$(steps.introspect.results.artifact-type-set-by)" }, { "description": "Collected image digests", "name": "IMAGES_PROCESSED", "type": "string", "value": "$(steps.app-set-outcome.results.images-processed)" } ], "steps": [ { "computeResources": { "limits": { "memory": "512Mi" }, "requests": { "cpu": "100m", "memory": "512Mi" } }, "env": [ { "name": "PARAM_ARTIFACT_TYPE", "value": "introspect" }, { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5" } ], "image": "quay.io/konflux-ci/task-runner:1.7.0@sha256:1c0582a85dae0949f3ec94aca95695c5d7698b371f1b76c5a78822a6249073dc", "name": "introspect", "results": [ { "description": "The type of artifact this task is considering.", "name": "artifact-type" }, { "description": "The process that sets the artifact type. Informational.\nValues from: introspection, parameter.\n", "name": "artifact-type-set-by" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n_SET_BY=parameter\n# If the parameter is invalid, we'll introspect\nif [[ \"${PARAM_ARTIFACT_TYPE}\" != \"application\" ]] \u0026\u0026 [[ \"${PARAM_ARTIFACT_TYPE}\" != \"operatorbundle\" ]]; then\n echo \"Artifact type will be determined by introspection.\"\n _SET_BY=introspection\nfi\nprintf \"%s\" \"${_SET_BY}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type-set-by\"\n\nif [[ \"${_SET_BY}\" == \"parameter\" ]]; then\n # short circuit if the artifact type was set via parameter.\n echo \"Skipping introspection because the artifact-type parameter is explicitly set to \\\"${PARAM_ARTIFACT_TYPE}\\\".\"\n printf \"%s\" \"${PARAM_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\n exit 0\nfi\n\n# If the image URL points to a manifest list (a multi-arch image), check the labels on any of the child\n# images (don't fail in the case where the list does not include an image for the arch of the system\n# where this pipeline is running).\n\ndeclare -a _SKOPEO_INSPECT_ARGS\n\nskopeo_retries=3\n\necho \"Checking the media type of the OCI artifact...\"\nif ! _RAW_IMAGE_MANIFEST=$(retry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\")\nthen\n echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n exit 1\nfi\n_IMAGE_MEDIA_TYPE=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.mediaType')\necho \"The media type of the OCI artifact is ${_IMAGE_MEDIA_TYPE}.\"\n\nif [[ \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.docker.distribution.manifest.list.v2+json\" || \"${_IMAGE_MEDIA_TYPE}\" == \"application/vnd.oci.image.index.v1+json\" ]]; then\n _CURRENT_ARCH=$(uname -m)\n _CURRENT_OS=$(uname -s | tr '[:upper:]' '[:lower:]')\n\n # The archs returned by uname are not always the same as the archs used by OCI manifests, so we need\n # to map them.\n case ${_CURRENT_ARCH} in\n \"aarch64\")\n _CURRENT_ARCH=\"arm64\"\n ;;\n \"x86_64\")\n _CURRENT_ARCH=\"amd64\"\n ;;\n *)\n ;;\n esac\n\n # If the manifest list contains an image for the current OS and architecture, prefer to test that.\n _MATCHING_IMAGE_COUNT=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r \"[.manifests[] | select(.platform.os == \\\"${_CURRENT_OS}\\\" and .platform.architecture == \\\"${_CURRENT_ARCH}\\\")] | length\")\n if [[ \"${_MATCHING_IMAGE_COUNT}\" -gt 0 ]]; then\n echo \"Found an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}).\"\n else\n # If there is no image for the current OS and architecture, just use the first one in the list.\n _INSPECT_OVERRIDE_IMAGE_OS=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.os')\n _INSPECT_OVERRIDE_IMAGE_ARCH=$(printf \"%s\" \"${_RAW_IMAGE_MANIFEST}\" | jq -r '.manifests[0].platform.architecture')\n _SKOPEO_INSPECT_ARGS+=(\"--override-os=${_INSPECT_OVERRIDE_IMAGE_OS}\")\n _SKOPEO_INSPECT_ARGS+=(\"--override-arch=${_INSPECT_OVERRIDE_IMAGE_ARCH}\")\n\n echo \"Could not find an image in the manifests for the current OS and architecture (${_CURRENT_OS}/${_CURRENT_ARCH}), inspecting the image for ${_INSPECT_OVERRIDE_IMAGE_OS}/${_INSPECT_OVERRIDE_IMAGE_ARCH} instead.\"\n fi\nfi\n\n# Introspect based on minimum count of operator-framework related bundle labels.\necho \"Looking for image labels that indicate this might be an operator bundle...\"\n\n# We purposely do not quote the array elements here, so that they are expanded by the shell as separate args.\n# shellcheck disable=SC2068\nif ! retry skopeo inspect --retry-times \"$skopeo_retries\" ${_SKOPEO_INSPECT_ARGS[@]} \"docker://${PARAM_IMAGE_URL}\" \\\n | jq '.Labels | keys | .[]' -r \\\n | { grep operators.operatorframework.io.bundle || true ;} \\\n | tee /tmp/ecosystem-image-labels\nthen\n echo \"Failed to inspect ${PARAM_IMAGE_URL}\"\n exit 1\nfi\n\n_OPFW_LABEL_COUNT=$(grep -c operators.operatorframework.io.bundle /tmp/ecosystem-image-labels || true)\n_MIN_LABELS=3\n\necho \"Found ${_OPFW_LABEL_COUNT} matching labels.\"\necho \"Expecting ${_MIN_LABELS} or more to identify this image as an operator bundle.\"\n\n# If the image has several labels, assume it is an operator\n_ARTIFACT_TYPE=application\n(( _OPFW_LABEL_COUNT \u003e= _MIN_LABELS )) \u0026\u0026 _ARTIFACT_TYPE=operatorbundle\n\nprintf \"%s\" \"${_ARTIFACT_TYPE}\" \u003e \"/tekton/steps/step-introspect/results/artifact-type\"\necho \"Introspection concludes that this artifact is of type \\\"${_ARTIFACT_TYPE}\\\".\"\n" }, { "computeResources": { "limits": { "memory": "64Mi" }, "requests": { "cpu": "50m", "memory": "64Mi" } }, "env": [ { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5" } ], "image": "quay.io/konflux-ci/task-runner:1.7.0@sha256:1c0582a85dae0949f3ec94aca95695c5d7698b371f1b76c5a78822a6249073dc", "name": "generate-container-auth", "results": [ { "description": "Path to auth.json", "name": "auth-json-path" } ], "script": "_AUTH_JSON_PATH=\"/auth/auth.json\"\necho \"Selecting auth for $PARAM_IMAGE_URL\"\n# `select-oci-auth` here assumes the input credentials are at path ~/.docker/config.json\nselect-oci-auth \"$PARAM_IMAGE_URL\" \u003e \"${_AUTH_JSON_PATH}\"\n\nprintf \"%s\" \"${_AUTH_JSON_PATH}\" \u003e \"/tekton/steps/step-generate-container-auth/results/auth-json-path\"\necho \"Auth json written to \\\"${_AUTH_JSON_PATH}\\\".\"\n", "volumeMounts": [ { "mountPath": "/auth", "name": "auth" } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/redhat-appstudio/konflux-test:v1.4.31@sha256:a7cae9e96663e277a3904d0c78630508ddb6cc8eebaa912a840bd20f68dcaad1", "name": "set-skip-for-bundles", "results": [ { "description": "A skipped tekton result for bundles.", "name": "test-output" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nNOTE=\"This ecosystem check is not executed for operatorbundles.\"\n\n# shellcheck source=/dev/null\n. /utils.sh # gives us the make_result_json helper used below.\n\n# Generate TEST_OUTPUT\n# We're skipping the test, but don't use status \"SKIPPED\" because\n# it produces unwanted Conforma violations\nTEST_OUTPUT=$(make_result_json -r \"SUCCESS\" -t \"${NOTE}\")\n\nprintf \"%s\" \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-set-skip-for-bundles/results/test-output\" /bundle/konflux.results.json\n", "volumeMounts": [ { "mountPath": "/bundle", "name": "pfltoutputdir" } ], "when": [ { "input": "$(steps.introspect.results.artifact-type)", "operator": "in", "values": [ "operatorbundle" ] } ] }, { "computeResources": { "limits": { "memory": "4Gi" }, "requests": { "cpu": "1", "memory": "4Gi" } }, "env": [ { "name": "PFLT_DOCKERCONFIG", "value": "$(steps.generate-container-auth.results.auth-json-path)" }, { "name": "PFLT_KONFLUX", "value": "true" }, { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5" }, { "name": "PARAM_PLATFORM" } ], "image": "quay.io/opdev/preflight:stable@sha256:6dc9402d20c330e693e6a949ab42c8721e385f012379ff99d51310ec1cbef576", "name": "app-check", "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\nimage_url=\"${PARAM_IMAGE_URL}\"\nplatform=\"${PARAM_PLATFORM}\"\n\nif [ -n \"$platform\" ]; then\n # Extract part after slash if present\n arch=\"${platform#*/}\"\n if [ \"$arch\" = \"x86_64\" ] || [ \"$arch\" = \"local\" ] || [ \"$arch\" = \"localhost\" ]; then\n arch=\"amd64\"\n fi\n\n # Validate against supported arch list. If it's not a known arch, return an error result\n case \"$arch\" in\n amd64|ppc64le|arm64|s390x)\n ;;\n *)\n echo \"Error: Unsupported or malformed architecture: '$arch' (parsed from platform: '$platform')\"\n exit 0\n ;;\n esac\n\n /usr/local/bin/preflight check container \"$image_url\" --platform \"$arch\"\nelse\n /usr/local/bin/preflight check container \"$image_url\"\nfi\n", "volumeMounts": [ { "mountPath": "/artifacts", "name": "pfltoutputdir" }, { "mountPath": "/etc/pki/tls/certs/ca-custom-bundle.crt", "name": "trusted-ca", "readOnly": true, "subPath": "ca-bundle.crt" }, { "mountPath": "/auth", "name": "auth", "readOnly": true } ], "when": [ { "input": "$(steps.introspect.results.artifact-type)", "operator": "in", "values": [ "application" ] } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "env": [ { "name": "PARAM_IMAGE_URL", "value": "quay.io/redhat-appstudio-qe/build-e2e-pggh/python-component-jcfgzj:on-pr-735c8fefbb578110d14b7015c6d36e3e253c98e5" } ], "image": "quay.io/konflux-ci/task-runner:1.7.0@sha256:1c0582a85dae0949f3ec94aca95695c5d7698b371f1b76c5a78822a6249073dc", "name": "app-set-outcome", "results": [ { "description": "The overall outcome of this task.", "name": "test-output" }, { "description": "Processed image digests.", "name": "images-processed" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\n\n# Declare Supported architectures\ndeclare -a SUPPORTED_ARCHES=(amd64 arm64 ppc64le s390x)\n\nskopeo_retries=3\n\n# Initialize result vars\nPFLT_PASS_COUNT=0\nPFLT_FAIL_COUNT=0\nPFLT_ERROR_COUNT=0\nPFLT_RESULT=\"SUCCESS\"\n\n# Loop over SUPPORTED_ARCHES and process results\nfor ARCH in \"${SUPPORTED_ARCHES[@]}\"\ndo\n # Check if results directory exits\n RESULT_JSON_PATH=/artifacts/${ARCH}/results.json\n if ! [ -f \"${RESULT_JSON_PATH}\" ]; then\n continue\n fi\n # Process results\n if jq -e '.passed == false' \"${RESULT_JSON_PATH}\" \u003e /dev/null; then PFLT_RESULT=\"FAILURE\"; fi\n PFLT_PASS_COUNT=$((PFLT_PASS_COUNT+$(jq -r '.results.passed | length' \"${RESULT_JSON_PATH}\")))\n PFLT_FAIL_COUNT=$((PFLT_FAIL_COUNT+$(jq -r '.results.failed | length' \"${RESULT_JSON_PATH}\")))\n PFLT_ERROR_COUNT=$((PFLT_ERROR_COUNT+$(jq -r '.results.errors | length' \"${RESULT_JSON_PATH}\")))\ndone\n\n# Mark as ERROR if no results were recorded, which can occur when an unsupported or malformed\n# architecture is parsed from the `platform` parameter.\nif [[ $PFLT_FAIL_COUNT -eq 0 ]] \u0026\u0026 [[ $PFLT_PASS_COUNT -eq 0 ]] ; then PFLT_RESULT=\"ERROR\" ; fi\n\nif [[ $PFLT_ERROR_COUNT -gt 0 ]]; then PFLT_RESULT=\"ERROR\" ; fi\nPFLT_NOTE=\"Task preflight is a ${PFLT_RESULT}: Refer to Tekton task logs for more information\"\n\n# Generate TEST_OUTPUT\nTEST_OUTPUT=$(jq -rce \\\n--arg date \"$(date +%s)\" \\\n--arg note \"${PFLT_NOTE}\" \\\n--arg result \"${PFLT_RESULT}\" \\\n--arg successes \"${PFLT_PASS_COUNT}\" \\\n--arg failures \"${PFLT_FAIL_COUNT}\" \\\n--arg warnings \"0\" \\\n--null-input \\\n'{ result: $result,\n timestamp: $date,\n note: $note,\n successes: $successes|tonumber,\n failures: $failures|tonumber,\n warnings: $warnings|tonumber\n}')\necho -n \"${TEST_OUTPUT}\" | tee \"/tekton/steps/step-app-set-outcome/results/test-output\" /artifacts/konflux.results.json\n\n# Generate IMAGES_PROCESSED\nimages_processed_template='{\"image\": {\"pullspec\": \"'\"$PARAM_IMAGE_URL\"'\", \"digests\": [%s]}}'\ndeclare -a digests_processed=()\n\n# Extract processed image digests from \"/artifacts/$arch/cert-image.json\"\nwhile read -r cert_image_file; do\n docker_image_digest=$(jq -r '.docker_image_digest' \"$cert_image_file\")\n if [[ -n \"$docker_image_digest\" \u0026\u0026 ! \" ${digests_processed[*]} \" == *\" \\\"$docker_image_digest\\\" \"* ]]; then\n digests_processed+=(\"\\\"$docker_image_digest\\\"\")\n fi\ndone \u003c \u003c(find /artifacts -type f -name \"cert-image.json\")\n\nretry skopeo inspect --raw --retry-times \"$skopeo_retries\" \"docker://${PARAM_IMAGE_URL}\" \u003e /tmp/raw-manifest.json\nimage_digest=\"sha256:$(sha256sum \u003c /tmp/raw-manifest.json | awk '{print $1}')\"\nif [[ ! \" ${digests_processed[*]} \" == *\" \\\"$image_digest\\\" \"* ]]; then\n digests_processed+=(\"\\\"$image_digest\\\"\")\nfi\n\ndigests_processed_string=$(IFS=,; echo \"${digests_processed[*]}\")\nfinal_output=\"${images_processed_template/\\[%s]/[$digests_processed_string]}\"\necho -n \"${final_output}\" \u003e \"/tekton/steps/step-app-set-outcome/results/images-processed\"\n", "volumeMounts": [ { "mountPath": "/artifacts", "name": "pfltoutputdir" } ], "when": [ { "input": "$(steps.introspect.results.artifact-type)", "operator": "in", "values": [ "application" ] } ] }, { "computeResources": { "limits": { "memory": "256Mi" }, "requests": { "cpu": "100m", "memory": "256Mi" } }, "image": "quay.io/konflux-ci/task-runner:1.7.0@sha256:1c0582a85dae0949f3ec94aca95695c5d7698b371f1b76c5a78822a6249073dc", "name": "final-outcome", "results": [ { "name": "test-output" } ], "script": "#!/usr/bin/env bash\n\nset -o errexit\nset -o nounset\nset -o pipefail\nset -o xtrace\n\nif [[ ! -f /mount/konflux.results.json ]]; then\n printf \"Unable to populate the right test log output because the artifact's type is not recorded correctly. Please file a bug.\" | tee \"/tekton/steps/step-final-outcome/results/test-output\"\n exit 91\nfi\n\ntee \"/tekton/steps/step-final-outcome/results/test-output\" \u003c /mount/konflux.results.json\n", "volumeMounts": [ { "mountPath": "/mount", "name": "pfltoutputdir" } ] } ], "volumes": [ { "emptyDir": {}, "name": "pfltoutputdir" }, { "configMap": { "items": [ { "key": "ca-bundle.crt", "path": "ca-bundle.crt" } ], "name": "trusted-ca", "optional": true }, "name": "trusted-ca" }, { "emptyDir": {}, "name": "auth" } ] } } } ], "kind": "List", "metadata": { "resourceVersion": "" } }